Input validation: Finding input locations

For Java (and all other languages), a static analysis system that performs data flow analysis (e.g., IBM’s AppScan Source) can identify all input locations. In particular, any static analysis system that performs taint tracking or taint analysis can identify all input locations. For a free, academic example, see Andromeda: Accurate and scalable security analysis of web applications by Marco Pistoia, Patrick Cousot, Radhia Cousot, and Salvatore Guarnieri.

Another way of finding input is through a source code review or white-box testing. Any source code that uses classes from java.io obviously performs some kind of I/O. Similarly, network I/O occurs through classes in java.net.

You can use a dynamic analysis system or debugger to watch for calls to classes that do I/O. For a dynamic analysis system example, you could use Chord from Georgia Tech, but doing so would require some work on your part.
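A mechanical first pass at the source-code review approach above, as an added example that is not from the post: a small Python scanner that flags every line of a Java file that imports or uses a class from java.io or java.net, so a reviewer knows where to start reading. The Java source it scans is constructed for the example; the scanner only locates the I/O entry points and does not follow the data onward, which is the job of the taint-tracking tools mentioned earlier.

```python
import re
from typing import Dict, List, Optional, Tuple
# Packages the post singles out: java.io (file/stream I/O) and java.net (network I/O).
IO_PACKAGES = ("java.io", "java.net")

# Constructed sample Java source to scan (hypothetical, not from the post).
SAMPLE_JAVA = """\
import java.io.BufferedReader;
import java.io.FileReader;
import java.net.Socket;
import java.util.List;
public class Demo {
    public String readLine(String path) throws java.io.IOException {
        BufferedReader r = new BufferedReader(new FileReader(path));
        return r.readLine();
    }
    public void talk(String host) throws Exception {
        Socket s = new Socket(host, 80);
        java.net.URL u = new java.net.URL("http://" + host);
    }
}
"""

IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+?)(\.\*)?\s*;")
QUALIFIED_RE = re.compile(r"\b(java\.(?:io|net))\.[A-Z]\w*")

def _io_package(fq_name: str) -> Optional[str]:
    """Map a fully qualified name to the I/O package it belongs to, else None."""
    return next((p for p in IO_PACKAGES if fq_name == p or fq_name.startswith(p + ".")), None)

def find_input_locations(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, package, stripped line) for every line that imports or uses a
    java.io / java.net class. Values flowing on (e.g. r.readLine()) need real taint tracking."""
    hits: List[Tuple[int, str, str]] = []
    imported: Dict[str, str] = {}  # simple class name -> I/O package it came from
    for lineno, line in enumerate(source.splitlines(), 1):
        m = IMPORT_RE.match(line)
        if m:
            pkg = _io_package(m.group(1))
            if pkg:
                if not m.group(2):  # wildcard imports give no class name to track
                    imported[m.group(1).rsplit(".", 1)[-1]] = pkg
                hits.append((lineno, pkg, line.strip()))
            continue
        pkgs = {q.group(1) for q in QUALIFIED_RE.finditer(line)}  # fully qualified use
        for name, pkg in imported.items():  # use of an imported class by its simple name
            if re.search(r"\b" + re.escape(name) + r"\b", line):
                pkgs.add(pkg)
        hits.extend((lineno, pkg, line.strip()) for pkg in sorted(pkgs))
    return hits
```

Running `find_input_locations(SAMPLE_JAVA)` flags the three I/O imports plus lines 6, 7, 11 and 12 of the sample, and leaves `java.util.List` and `r.readLine()` alone.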

Published by

Kenneth Ingham

Kenneth has been working with security since the early 1980s. He was a system administrator when the Morris Worm was released, and one of his work areas was helping secure the systems. Since then, Kenneth has studied network and computer security, and spent many, many hours looking at how software fails. With knowledge about failures, he can help you produce software that is less likely to suffer a security breach. Kenneth has a Ph.D. in Computer Science, and his research topic was on computer security. Kenneth has helped developers creating systems for financial services institutions, telecommunications companies, and embedded system and process control.
