DocumentCode :
3576280
Title :
Hybrid Information Flow Analysis for Python Bytecode
Author :
Zhifei Chen ; Lin Chen ; Baowen Xu
Author_Institution :
State Key Lab. of Novel Software Technol., Nanjing Univ., Nanjing, China
fYear :
2014
Firstpage :
95
Lastpage :
100
Abstract :
Python is widely used to create and manage complex, database-driven websites. However, due to dynamic features such as dynamic typing of variables, Python programs pose a serious security risk to web applications. Most security vulnerabilities result from the fact that unsafe data input reaches security-sensitive operations. To address this problem, information flow analysis for Python programs is proposed to enforce this property. Information flow can capture the fact that a particular value affects another value in the program. In this paper, we present a novel approach for analyzing information flow in Python byte code which is a low-level language and is more widely broadcast. Our approach performs a hybrid of static and dynamic control/data flow analysis. Static analysis is used to study implicit flow, while dynamic analysis efficiently tracks execution information and determines definition-use pair. To the best of our knowledge, it is the first one for Python byte code.
Keywords :
authoring languages; data flow analysis; security of data; Python bytecode; Python programs; data flow analysis; dynamic analysis; hybrid information flow analysis; low-level language; security risk; static analysis; Buildings; Educational institutions; Loading; Performance analysis; Runtime; Security; Upper bound; Python; information flow; security vulnerabilities; web applications;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Web Information System and Application Conference (WISA), 2014 11th
Print_ISBN :
978-1-4799-5726-2
Type :
conf
DOI :
10.1109/WISA.2014.26
Filename :
7057995
Link To Document :