Jaint: A Framework for User-Defined Dynamic Taint-Analyses Based on Dynamic Symbolic Execution of Java Programs

2020 
We present Jaint, a generic security analysis for Java Web-applications that combines concolic execution and dynamic taint analysis in a modular way. Jaint executes user-defined taint analyses that are formally specified in a domain-specific language for expressing taint-flow analyses. We demonstrate how dynamic taint analysis can be integrated into JDart, a dynamic symbolic execution engine for the Java virtual machine in Java PathFinder. The integration of the two methods is modular in the sense that it traces taint independently of symbolic annotations. Therefore, Jaint is capable of sanitizing taint information (if specified by a taint analysis) and using multi-colored taint for running multiple taint analyses in parallel. We design a domain-specific language that enables users to define specific taint-based security analyses for Java Web-applications. Specifications in this domain-specific language serve as a basis for the automated generation of corresponding taint injectors, sanitization points and taint-flow monitors that implement taint analyses in Jaint. We demonstrate the generality and effectiveness of the approach by analyzing the OWASP benchmark set, using generated taint analyses for all 11 classes of CVEs in the benchmark set.
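To make the abstract's notion of multi-colored taint concrete, the following is an added illustration (example code, not Jaint's own implementation or its DSL): each of two parallel analyses owns one color, untrusted input is injected with all colors, a sanitizer clears only its own analysis' color, and each sink monitor checks only the color it cares about. Color names, method names and the sample input are assumptions for this sketch.

```java
import java.util.EnumSet;
import java.util.Set;

// Hypothetical minimal model of multi-colored taint with per-analysis sanitization.
public class MultiColorTaintDemo {
    // One color per taint analysis running in parallel (assumed names).
    enum Color { SQLI, XSS }

    // A value carries the set of colors still attached to it.
    static final class Tainted {
        final String value;
        final Set<Color> colors;
        Tainted(String value, Set<Color> colors) {
            this.value = value;
            this.colors = EnumSet.copyOf(colors);
        }
    }

    // Taint injector: untrusted input enters carrying every color at once.
    static Tainted injectAll(String input) {
        return new Tainted(input, EnumSet.allOf(Color.class));
    }

    // Sanitization point for one analysis: removes only that analysis' color,
    // so the other analyses keep tracking the value.
    static Tainted sanitize(Tainted t, Color c) {
        Set<Color> rest = EnumSet.copyOf(t.colors);
        rest.remove(c);
        return new Tainted(t.value, rest);
    }

    // Propagation: an operation's result carries the union of its operands' colors.
    static Tainted concat(Tainted a, Tainted b) {
        Set<Color> union = EnumSet.copyOf(a.colors);
        union.addAll(b.colors);
        return new Tainted(a.value + b.value, union);
    }

    // Taint-flow monitor at a sink: reports a flow only for the sink's own color.
    static boolean violatesAt(Tainted t, Color sinkColor) {
        return t.colors.contains(sinkColor);
    }

    public static void main(String[] args) {
        Tainted input = injectAll("untrusted-input");           // constructed sample input
        Tainted prefix = new Tainted("SELECT x FROM t WHERE y=", EnumSet.noneOf(Color.class));
        System.out.println("SQL sink, unsanitized: " + violatesAt(concat(prefix, input), Color.SQLI));
        Tainted sqlSafe = sanitize(input, Color.SQLI);           // SQL-specific sanitizer only
        System.out.println("SQL sink after SQL sanitizer: " + violatesAt(sqlSafe, Color.SQLI));
        System.out.println("HTML sink after SQL sanitizer: " + violatesAt(sqlSafe, Color.XSS));
    }
}
```

The last two lines show why colors are tracked separately: the SQL-specific sanitizer satisfies the SQL sink's monitor but leaves the value flagged for the HTML sink, which is the behaviour the abstract attributes to running multiple taint analyses in parallel.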