Taint Analysis for Graph APIs Focusing on Broken Access Control
- URL: http://arxiv.org/abs/2501.08947v1
- Date: Wed, 15 Jan 2025 16:49:32 GMT
- Title: Taint Analysis for Graph APIs Focusing on Broken Access Control
- Authors: Leen Lambers, Lucas Sakizloglou, Taisiya Khakharova, Fernando Orejas,
- Abstract summary: We present a first systematic approach to static and dynamic taint analysis for Graph APIs focusing on broken access control. We taint nodes in the Graph API if they represent data requiring specific privileges in order to be retrieved or manipulated. We then analyze whether tainted information flow between API source and sink calls occurs.
- Score: 42.28549294272344
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Graph APIs are capable of flexibly retrieving or manipulating graph-structured data over the web. This rather novel type of API presents new challenges when it comes to properly securing the APIs against the usual web application security risks, e.g., broken access control. A prominent security testing approach is taint analysis, which traces tainted, i.e., security-relevant, data from sources (where tainted data is inserted) to sinks (where the use of tainted data may lead to a security risk), over the information flow in an application. We present a first systematic approach to static and dynamic taint analysis for Graph APIs focusing on broken access control. The approach comprises the following. We taint nodes in the Graph API if they represent data requiring specific privileges in order to be retrieved or manipulated, and identify API calls which are related to sources and sinks. Then, we statically analyze whether tainted information flow between API source and sink calls occurs. To this end, we model the API calls using graph transformation rules. We subsequently use critical pair analysis (CPA) to automatically analyze potential dependencies between rules representing source calls and rules representing sink calls. We distinguish direct from indirect tainted information flow and argue under which conditions the CPA is able to detect not only direct, but also indirect tainted flow. The static taint analysis (i) identifies flows that need to be further reviewed, since tainted nodes may be created by an API call and used or manipulated by another API call later without having the necessary privileges, and (ii) can be used to systematically design dynamic security tests for broken access control. The dynamic taint analysis checks if potential broken access control risks detected during the static taint analysis really occur. We apply the approach to a part of the GitHub GraphQL API.
Related papers
- GraphQLer: Enhancing GraphQL Security with Context-Aware API Testing [12.862760373064342]
GraphQL is an open-source query and manipulation language for web applications, offering a flexible alternative to REST APIs.
It exposes it to vulnerabilities such as unauthorized data access, denial-of-service (DoS) attacks, and injections.
Existing testing tools focus on functional correctness, overlooking security risks stemming from interdependencies and execution context.
This paper presents GraphQLer, the first context-aware security escalation testing framework for GraphQL APIs.
arXiv Detail & Related papers (2025-04-17T21:58:15Z)
- Are You Getting What You Pay For? Auditing Model Substitution in LLM APIs [60.881609323604685]
Large Language Models (LLMs) accessed via black-box APIs introduce a trust challenge.
Users pay for services based on advertised model capabilities.
Providers may covertly substitute the specified model with a cheaper, lower-quality alternative to reduce operational costs.
This lack of transparency undermines fairness, erodes trust, and complicates reliable benchmarking.
arXiv Detail & Related papers (2025-04-07T03:57:41Z)
- DISINFOX: an open-source threat exchange platform serving intelligence on disinformation and influence operations [0.7373617024876725]
This paper introduces DISINFOX, an open-source threat intelligence exchange platform for structured collection, management, and influence operations.
DISINFOX is fully containerized using Docker, comprising a web-based backend for user interaction, a REST API for managing core functionalities, and a public API for structured data retrieval.
As an open-source solution, DISINFOX provides a reproducible and hub for researchers, analysts, and policymakers seeking to enhance the detection, investigation, and mitigation of disinformation threats.
arXiv Detail & Related papers (2025-04-02T15:11:43Z)
- PARIS: A Practical, Adaptive Trace-Fetching and Real-Time Malicious Behavior Detection System [6.068607290592521]
We propose PARIS, an adaptive trace-fetching, lightweight, real-time malicious behavior detection system.
Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks.
As a result, we can monitor a wider range of APIs and detect more intricate attack behavior.
arXiv Detail & Related papers (2024-11-02T14:52:04Z)
- A Classification-by-Retrieval Framework for Few-Shot Anomaly Detection to Detect API Injection Attacks [9.693391036125908]
We propose a novel unsupervised few-shot anomaly detection framework composed of two main parts.
First, we train a dedicated generic language model for API based on FastText embedding.
Next, we use Approximate Nearest Neighbor search in a classification-by-retrieval approach.
arXiv Detail & Related papers (2024-05-18T10:15:31Z)
- Model X-ray: Detecting Backdoored Models via Decision Boundary [62.675297418960355]
Backdoor attacks pose a significant security vulnerability for deep neural networks (DNNs).
We propose Model X-ray, a novel backdoor detection approach based on the analysis of illustrated two-dimensional (2D) decision boundaries.
Our approach includes two strategies focused on the decision areas dominated by clean samples and the concentration of label distribution.
arXiv Detail & Related papers (2024-02-27T12:42:07Z)
- Prompt Engineering-assisted Malware Dynamic Analysis Using GPT-4 [45.935748395725206]
We introduce a prompt engineering-assisted malware dynamic analysis using GPT-4.
In this method, GPT-4 is employed to create explanatory text for each API call within the API sequence.
BERT is used to obtain the representation of the text, from which we derive the representation of the API sequence.
arXiv Detail & Related papers (2023-12-13T17:39:44Z)
- Finding Vulnerabilities in Mobile Application APIs: A Modular Programmatic Approach [0.0]
Application Programming Interfaces (APIs) are becoming increasingly popular to transfer data in a variety of mobile applications.
These APIs often process sensitive user information through their endpoints, which are potentially exploitable due to developer misimplementation.
This paper created a custom, modular endpoint vulnerability detection tool to analyze information leakage in various mobile Android applications.
arXiv Detail & Related papers (2023-10-22T00:08:51Z)
- GLAD: Content-aware Dynamic Graphs For Log Anomaly Detection [49.9884374409624]
GLAD is a Graph-based Log Anomaly Detection framework designed to detect anomalies in system logs.
arXiv Detail & Related papers (2023-09-12T04:21:30Z)
- Using sequential drift detection to test the API economy [4.056434158960926]
API economy refers to the widespread integration of API (advanced programming interface)
It is desirable to monitor the usage patterns and identify when the system is used in a way that was never used before.
In this work we analyze both histograms and call graphs of API usage to determine if the usage patterns of the system have shifted.
arXiv Detail & Related papers (2021-11-09T13:24:19Z)
- D2A: A Dataset Built for AI-Based Vulnerability Detection Methods Using Differential Analysis [55.15995704119158]
We propose D2A, a differential analysis based approach to label issues reported by static analysis tools.
We use D2A to generate a large labeled dataset to train models for vulnerability identification.
arXiv Detail & Related papers (2021-02-16T07:46:53Z)
- Learning to map source code to software vulnerability using code-as-a-graph [67.62847721118142]
We explore the applicability of Graph Neural Networks in learning the nuances of source code from a security perspective.
We show that a code-as-graph encoding is more meaningful for vulnerability detection than existing code-as-photo and linear sequence encoding approaches.
arXiv Detail & Related papers (2020-06-15T16:05:27Z)
This list is automatically generated from the titles and abstracts of the papers in this site.