Table of Contents
Fetching ...

SAGA: Detecting Security Vulnerabilities Using Static Aspect Analysis

Yoann Marquer, Domenico Bianculli, Lionel C. Briand

TL;DR

SAGA addresses the need for versatile vulnerability detection in Python by introducing a static-aspect analysis framework that combines a Python SCFG representation with the SABLE domain-specific language. Security experts specify static aspects (e.g., taint sources, sinks, and complex flow properties) and annotations, enabling modular, cross-cutting analyses that detect multiple vulnerability types beyond traditional information-flow checks. The approach is evaluated on a dataset of 108 vulnerabilities, achieving 100% sensitivity and 99.15% specificity with only one false positive, and it runs substantially faster than four baselines. Findings show that a small library of static aspects can cover the majority of vulnerabilities, and the framework scales efficiently, offering practical utility for developers and security engineers. The work also provides a rich replication package and discusses directions to integrate DL techniques to reduce annotation burden and broaden coverage.

Abstract

Python is one of the most popular programming languages; as such, projects written in Python involve an increasing number of diverse security vulnerabilities. However, existing state-of-the-art analysis tools for Python only support a few vulnerability types. Hence, there is a need to detect a large variety of vulnerabilities in Python projects. In this paper, we propose the SAGA approach to detect and locate vulnerabilities in Python source code in a versatile way. SAGA includes a source code parser able to extract control- and data-flow information and to represent it as a symbolic control-flow graph, as well as a domain-specific language defining static aspects of the source code and their evolution during graph traversals. We have leveraged this language to define a library of static aspects for integrity, confidentiality, and other security-related properties. We have evaluated SAGA on a dataset of 108 vulnerabilities, obtaining 100% sensitivity and 99.15% specificity, with only one false positive, while outperforming four common security analysis tools. This analysis was performed in less than 31 seconds, i.e., between 2.5 and 512.1 times faster than the baseline tools.

SAGA: Detecting Security Vulnerabilities Using Static Aspect Analysis

TL;DR

SAGA addresses the need for versatile vulnerability detection in Python by introducing a static-aspect analysis framework that combines a Python SCFG representation with the SABLE domain-specific language. Security experts specify static aspects (e.g., taint sources, sinks, and complex flow properties) and annotations, enabling modular, cross-cutting analyses that detect multiple vulnerability types beyond traditional information-flow checks. The approach is evaluated on a dataset of 108 vulnerabilities, achieving 100% sensitivity and 99.15% specificity with only one false positive, and it runs substantially faster than four baselines. Findings show that a small library of static aspects can cover the majority of vulnerabilities, and the framework scales efficiently, offering practical utility for developers and security engineers. The work also provides a rich replication package and discusses directions to integrate DL techniques to reduce annotation burden and broaden coverage.

Abstract

Python is one of the most popular programming languages; as such, projects written in Python involve an increasing number of diverse security vulnerabilities. However, existing state-of-the-art analysis tools for Python only support a few vulnerability types. Hence, there is a need to detect a large variety of vulnerabilities in Python projects. In this paper, we propose the SAGA approach to detect and locate vulnerabilities in Python source code in a versatile way. SAGA includes a source code parser able to extract control- and data-flow information and to represent it as a symbolic control-flow graph, as well as a domain-specific language defining static aspects of the source code and their evolution during graph traversals. We have leveraged this language to define a library of static aspects for integrity, confidentiality, and other security-related properties. We have evaluated SAGA on a dataset of 108 vulnerabilities, obtaining 100% sensitivity and 99.15% specificity, with only one false positive, while outperforming four common security analysis tools. This analysis was performed in less than 31 seconds, i.e., between 2.5 and 512.1 times faster than the baseline tools.
Paper Structure (55 sections, 22 equations, 23 figures, 11 tables, 2 algorithms)

This paper contains 55 sections, 22 equations, 23 figures, 11 tables, 2 algorithms.

Figures (23)

  • Figure 1: Examples of information flows.
  • Figure 2: Source code of the running example.
  • Figure 3: Toolflow of the Static Aspect General Analyzer(SAGA).
  • Figure 4: Inductive definition of function $\mathop{\mathrm{Edges}}\nolimits$
  • Figure 5: SCFG of the source code example from \ref{['fig:runningExample']} (the yellow vertices are detailed in the text).
  • ...and 18 more figures