<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Static-Analysis on Shivasurya</title><link>http://shivasurya.me/categories/static-analysis/</link><description>Recent content in Static-Analysis on Shivasurya</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Fri, 08 Mar 2024 00:00:00 +0000</lastBuildDate><atom:link href="http://shivasurya.me/categories/static-analysis/feed.xml" rel="self" type="application/rss+xml"/><item><title>Defining Boundaries &amp; Sinks for Inter-procedural Source Sink Analysis - Part 3</title><link>http://shivasurya.me/2024/03/08/building-inter-procedural-source-sink-analysis-from-scratch-part-3/</link><pubDate>Fri, 08 Mar 2024 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2024/03/08/building-inter-procedural-source-sink-analysis-from-scratch-part-3/</guid><description>&lt;p>This is the third part of the blog post series on building inter-procedural source sink analysis from scratch. In the first part, we built the &lt;a href="https://shivasurya.me/static-analysis/sast/2023/08/27/building-simple-source-sink-analysis-from-scratch-part-1.html">intra-procedural source sink analysis&lt;/a>. In this blog post, I&amp;rsquo;ll discuss defining boundaries, configs and sinks for inter-procedural analysis. ✨ This idea of defining boundaries and sinks is inspired by the &lt;a href="https://codeql.github.com/">CodeQL&lt;/a> library and by discussions with my colleague at &lt;a href="https://www.swag.uwaterloo.ca/">SWAG lab @ uwaterloo&lt;/a>.&lt;/p>
&lt;h3 id="plan">Plan&lt;/h3>
&lt;p>While tools like CodeQL have well-defined support for libraries and frameworks, such as &lt;a href="https://codeql.github.com/codeql-standard-libraries/java/semmle/code/java/frameworks/android/Android.qll/module.Android.html">Android CodeQL&lt;/a>, and those libraries ship with predefined boundaries and sinks, when starting from scratch we need to define our own boundaries and sinks. The boundaries are the entry points and the sinks are the exit points.&lt;/p></description></item><item><title>Building Inter-procedural Source Sink Analysis from Scratch - Part 2</title><link>http://shivasurya.me/2023/09/01/building-inter-procedural-source-sink-analysis-from-scratch-part-2/</link><pubDate>Fri, 01 Sep 2023 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2023/09/01/building-inter-procedural-source-sink-analysis-from-scratch-part-2/</guid><description>&lt;p>This is the second part of the blog post series on building inter-procedural source sink analysis from scratch. In the first part, we built the &lt;a href="https://shivasurya.me/static-analysis/sast/2023/08/27/building-simple-source-sink-analysis-from-scratch-part-1.html">intra-procedural source sink analysis&lt;/a>. In this blog post, we will build the inter-procedural source sink analysis.&lt;/p>
&lt;h3 id="plan">Plan&lt;/h3>
&lt;p>We&amp;rsquo;ll parse the whole Java project source code and generate an AST using JavaParser. While traversing the AST, we will collect the method declarations and method invocations. We will use a graph algorithm to find the path from source to sink. The source is the method declaration and the sink is the method invocation. The method declaration is the node and the method invocation is the edge. Since classes may contain duplicate method names with different signatures, we will use the fully qualified method name to uniquely identify each method. The fully qualified method name is the class name + method name + method arguments; the method arguments distinguish overloaded methods. The method declaration is the key and the method invocation is the value in the hashmap, and the hashmap is used to build the graph and find the path from source to sink.&lt;/p></description></item><item><title>Building A Simple Source-Sink Analysis in Java from Scratch - Part 1</title><link>http://shivasurya.me/2023/08/27/building-simple-source-sink-analysis-from-scratch-part-1/</link><pubDate>Sun, 27 Aug 2023 00:00:00 +0000</pubDate><guid>http://shivasurya.me/2023/08/27/building-simple-source-sink-analysis-from-scratch-part-1/</guid><description>&lt;h3 id="overview-of-source-sink-analysis">Overview of Source Sink Analysis&lt;/h3>
&lt;p>Source sink analysis is a basic form of static analysis that detects the flow of information from a source to a sink. A source is where the information comes from and a sink is where the information goes to. For example, a source can be user input and a sink can be a database query. If the user input is not sanitized, this can lead to SQL injection. Apart from source sink techniques, other techniques such as taint analysis, control flow graphs and data flow analysis are used to detect vulnerabilities in code. In this blog post, we will build a simple source sink analysis in Java from scratch.&lt;/p></description></item></channel></rss>