Scaling Static Taint Analysis to Industrial SOA Applications: A Case Study at Alibaba
In Alibaba, we have seen a growing demand for tracing data flow for scenarios such as data leak detection, change governance, and data consistency checking. Static taint analysis is a technique for such problems, and many approaches are proposed for high scalability and precision. This paper shares our experience in applying taint analysis in Alibaba. In particular, we find that the state-of-the-art taint analysis tool, FlowDroid, does not work well in our cases because our applications make heavy use of libraries, native methods and enterprise-specific frameworks, which impose two major challenges, scalability and implicit dependency, to FlowDroid. This paper presents ANTaint to address these problems. ANTaint improves scalability by expanding the call graph and applying taint propagation on demand for libraries, which account for majority of the program execution but only a small fraction propagates taints. To improve accuracy, we ensure to build a sound call graph with its core part having certain accuracy, and providing a more precise taint propagation model. The practice of applying ANTaint in the company workload validates the idea. According to an experiment on 60 production cases, ANTaint is correct for 95% of the cases (precision: 95%, recall: 98%) while FlowDroid is 13%. ANTaint takes 65% less time and none of the cases run out of memory with 32 GB limitation.
Wed 11 NovDisplayed time zone: (UTC) Coordinated Universal Time change
01:30 - 02:00 | |||
01:30 2mTalk | A Principled Approach to GraphQL Query Cost AnalysisACM SIGSOFT Distinguished Paper Award Research Papers Alan Cha IBM Research, USA, Erik Wittern IBM, USA, Guillaume Baudart IBM Research, USA, James C. Davis Purdue University, USA, Louis Mandel IBM Research, USA, Jim A. Laredo IBM Research, USA DOI Pre-print Media Attached | ||
01:33 1mTalk | Block Public Access: Trust Safety Verification of Access Control Policies Research Papers Malik Bouchet Amazon, USA, Byron Cook Amazon, Bryant Cutler Amazon, USA, Anna Druzkina Amazon, USA, Andrew Gacek Amazon, USA, Liana Hadarean Amazon, Ranjit Jhala Amazon, USA, Brad Marshall Amazon, USA, Dan Peebles Amazon, USA, Neha Rungta Amazon Web Services, Cole Schlesinger Amazon, USA, Chriss Stephens Amazon, USA, Carsten Varming Amazon, USA, Andy Warfield Amazon, USA DOI | ||
01:35 1mTalk | Efficient Incident Identification from Multi-dimensional Issue Reports via Meta-heuristic Search Research Papers Jiazhen Gu Fudan University, China, Chuan Luo Microsoft Research, China, Si Qin Microsoft Research, n.n., Bo Qiao Microsoft Research, China, Qingwei Lin Microsoft Research, China, Hongyu Zhang University of Newcastle, Australia, Ze Li Microsoft, USA, Yingnong Dang Microsoft, USA, Shaowei Cai Institute of Software at Chinese Academy of Sciences, China, Wei-Cheng Wu University of Southern California, USA, Yangfan Zhou Fudan University, China, Murali Chintalapati Microsoft, n.n., Dongmei Zhang Microsoft Research, China DOI | ||
01:37 1mTalk | Graph-Based Trace Analysis for Microservice Architecture Understanding and Problem Diagnosis Industry Papers Xiaofeng Guo Fudan University, China, Xin Peng Fudan University, China, Hanzhang Wang eBay, Wanxue Li eBay, USA, Huai Jiang eBay, USA, Dan Ding Fudan University, China, Tao Xie Peking University, Liangfei Su eBay, USA DOI | ||
01:39 1mTalk | Real-Time Incident Prediction for Online Service Systems Research Papers Nengwen Zhao Tsinghua University, Junjie Chen Tianjin University, China, Zhou Wang BizSeer, China, Xiao Peng Beijing University of Posts and Telecommunications, China, Gang Wang China EverBright Bank, Yong Wu China EverBright Bank, Fang Zhou China EverBright Bank, Zhen Feng EverBright Bank, China, Xiaohui Nie EverBright Bank, China, Wenchi Zhang Tsinghua University, China, Kaixin Sui BizSeer, Dan Pei BizSeer, China DOI | ||
01:41 1mTalk | Scaling Static Taint Analysis to Industrial SOA Applications: A Case Study at Alibaba Industry Papers Jie Wang Peking University, China / Ant Group, China / Alibaba Group, China, Yunguang Wu Ant Group, China, Gang Zhou Ant Group, China, Yiming Yu Ant Group, China, Zhenyu Guo Ant Group, China, Yingfei Xiong Peking University DOI | ||
01:43 17mTalk | Conversations on Cloud / Services 2 Paper Presentations Alan Cha IBM Research, USA, Andrew Gacek , Jiazhen Gu , Jie Wang Institute of Software, Chinese Academy of Sciences, Nengwen Zhao Tsinghua University, Xiaofeng Guo Fudan University, China, M: Satish Chandra Facebook, USA | ||