Scalable Language Agnostic Taint Tracking using Explicit Data Dependencies (SOAP 2025 - State Of the Art in Program Analysis)

Mon 16 - Fri 20 June 2025 Seoul, South Korea

Who

Sedick David Baker Effendi, Xavier Pinho, Andrei Michael Dreyer, Fabian Yamaguchi

Track

SOAP 2025 State Of the Art in Program Analysis

This program is tentative and subject to change.

Time Zone

The program is currently displayed in (GMT+09:00) Seoul.

Use conference time zone: (GMT+09:00) SeoulSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Mon 16 Jun 2025 10:30 - 10:50 at Orchid - SOAP 2 Chair(s): Michael Schwarz

Abstract

Taint analysis using explicit whole-program data-dependence graphs is powerful for vulnerability discovery but faces two major challenges. First, accurately modeling taint propagation through calls to external library procedures requires extensive manual annotations, which becomes impractical for large ecosystems. Second, the sheer size of whole-program graph representations leads to serious scalability and performance issues, particularly when quick analysis is needed in continuous development pipelines.

This paper presents the design and implementation of a system for a language-agnostic data-dependence representation. The system accommodates missing annotations describing the behavior of library procedures by over-approximating data flows, allowing annotations to be added later without recalculation. We contribute this data-flow analysis system to the open-source code analysis platform \textsc{Joern}, making it available to the community.

Link to Preprint

https://arxiv.org/abs/2506.06247

DOI

https://doi.org/10.1145/3735544.3735586

File attachments

Presentation Slides (SOAP'25PresentationBakerEffendi.pdf)	1.58MiB

Sedick David Baker Effendi

Stellenbosch University

South Africa

Xavier Pinho

StackGen

United States

Andrei Michael Dreyer

Whirly Labs

South Africa

Fabian Yamaguchi

Whirly Labs

South Africa

This program is tentative and subject to change.

Time Zone

The program is currently displayed in (GMT+09:00) Seoul.

Use conference time zone: (GMT+09:00) SeoulSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Mon 16 Jun
Displayed time zone: Seoul change

10:30 - 12:00	SOAP 2SOAP at Orchid Chair(s): Michael Schwarz TU Munich

10:30 20m Talk		Scalable Language Agnostic Taint Tracking using Explicit Data Dependencies SOAP Sedick David Baker Effendi Stellenbosch University, Xavier Pinho StackGen, Andrei Michael Dreyer Whirly Labs, Fabian Yamaguchi Whirly Labs DOI Pre-print File Attached
10:50 20m Talk		Pick Your Call Graphs Well: On Scaling IFDS-Based Data-Flow Analyses SOAP Kadiray Karakaya Heinz Nixdorf Institute at Paderborn University, Palaniappan Muthuraman Heinz Nixdorf Institute at Paderborn University, Eric Bodden Heinz Nixdorf Institute at Paderborn University; Fraunhofer IEM DOI
11:10 20m Talk		Universal High-Performance CFL-Reachability via Matrix Multiplication SOAP Ilia Muravev Saint-Petersburg State University, Semyon Grigorev Saint-Petersburg State University DOI
11:30 20m Talk		Beyond Affine Loops: A Geometric Approach to Program SynthesisRecorded SOAP Erdenebayar Bayarmagnai KU Leuven, Fatemeh Mohammadi KU Leuven, Rémi Prébet Inria DOI

Hide past events