DEVELOPMENT OF INJECTION VULNERABILITY DETECTION IN STATIC ANALYSIS TOOL FOR MULTI-PROGRAMMING LANGUAGE
Main Author: | |
---|---|
Format: | Final Project |
Language: | Indonesia |
Online Access: | https://digilib.itb.ac.id/gdl/view/76889 |
Institution: | Institut Teknologi Bandung |
Summary:

In the software development process, vulnerabilities often emerge predominantly during the implementation phase. However, these vulnerabilities are frequently only identified when testing takes place. The longer it takes to detect vulnerabilities, the greater their potential impact becomes, both from a business and technological perspective. Hence, code reviews are commonly employed as a form of static analysis to swiftly capture vulnerabilities and errors. Nevertheless, in some cases, code review alone falls short, necessitating the assistance of automated static analysis methods using specialized tools. With such tools, developers can perform static analysis more rapidly and comprehensively, thereby significantly increasing the likelihood of promptly identifying vulnerabilities.

This research aims to develop a static analysis tool focusing on the detection of injection vulnerabilities across four programming languages: Python, PHP, Java, and JavaScript. The chosen approach involves employing abstract syntax trees (AST) and data flow graphs (DFG) generated from source code as intermediate representations and performing taint analysis to uncover vulnerabilities within these representations.

Upon evaluating the tool's performance, it is revealed that the tool built upon the AST and DFG intermediate representations effectively detects injection vulnerabilities. The evaluation also uncovers the causes behind false positives and false negatives, accompanied by recommendations for mitigating these occurrences.