A Method for Detecting Java Injection Vulnerabilities Based on Interprocedure Constant String Analysis

doi:10.3969/j.issn.1671-1122.2026.02.010

Abstract

Abstract:

Static analysis includes control flow analysis, data flow analysis, pointer analysis, and taint analysis. Grounded in abstract interpretation theory, these methods analyze programs across different abstract domains to extract program information for tasks such as compilation optimization and program comprehension, as well as vulnerability detection. Injection vulnerabilities, such as command injection and SQL injection, arise when external inputs reach sensitive functions. For detecting injection vulnerabilities, static analysis primarily employs two approaches: rule matching and taint analysis. The rule matching approach uses pattern-based templates to identify vulnerabilities, which tends to yield a high false positive rate. The taint analysis approach detects vulnerabilities by tracking the flow of tainted data from sources to sensitive sinks, though its effectiveness depends on the completeness of both taint sources and propagation rules. This paper employed a string constant propagation algorithm to analyze variable-referenced string information within programs, followed by a dangerous function parameter analysis algorithm based on the string information to detect injection vulnerabilities. The proposed method which named ConstStringDetect, was implemented on the open-source Java static analysis framework Tai-e. Experiments were conducted on the Juliet Java v1.3 and OWASP v1.2 benchmark suites, covering three types of injection vulnerabilities: CWE-078 (OS command injection), CWE-089 (SQL injection), and CWE-090 (LDAP injection). Compared to state-of-the-art static vulnerability detection tools such as SpotBugs and CodeQL, the method proposed in this paper achieves a higher recall rate than CodeQL and a significantly lower false positive rate than SpotBugs, even without relying on specific function rules.

Key words: static analysis, abstract interpretation, vulnerability detection

CLC Number:

TP309

XU Pu, SUN Xinyi, ZHU Yonggen. A Method for Detecting Java Injection Vulnerabilities Based on Interprocedure Constant String Analysis[J]. Netinfo Security, 2026, 26(2): 304-314.

Figures/Tables 7

References 22

[1]	QU Zhenqing, LING Xiang, WANG Ting, et al. AdvSQLi: Generating Adversarial SQL Injections against Real-World WAF-as-a-Service[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 2623-2638. doi: 10.1109/TIFS.2024.3350911 URL
[2]	ERIK, FABIO, ZHU Chang, et al. Toss a Fault to Your Witcher: Applying Grey-box Coverage-Guided Mutational Fuzzing to Detect SQL and Command Injection Vulnerabilities[C]// IEEE. 2023 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2023: 2658-2675.
[3]	YIN Xiaokang, CAI Ruijie, ZHANG Yizheng, et al. Accelerating Command Injection Vulnerability Discovery in Embedded Firmware with Static Backtracking Analysis[C]// ACM. The 12th International Conference on the Internet of Things (IoT ’22). New York: ACM, 2023: 65-72.
[4]	CHEN Libo, WANG Yanhao, CAI Quanpu, et al. Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems[C]// USENIX. The 30th USENIX Security Symposium. Berkeley: USENIX, 2021: 303-319.
[5]	BENJAMIN, EUGENE, QIN Zhiguang. SQL Injection Attack Detection Using Fingerprints and Pattern Matching Technique[C]// IEEE. 2017 8th IEEE International Conference on Software Engineering and Service Science (ICSESS). New York: IEEE, 2017: 583-587.
[6]	CHENG Kai, LI Qiang, WANG Lei, et al. DTaint: Detecting the Taint-Style Vulnerability in Embedded Device Firmware[C]// IEEE. The 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). New York: IEEE, 2018: 430-441.
[7]	TAN Tian, LI Yue. Tai-E: A Developer-Friendly Static Analysis Framework for Java by Harnessing the Good Designs of Classics[C]// ACM. The 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA 2023). New York: ACM, 2023: 1093-1105.
[8]	BODDEN E. Soot: A Framework for Analyzing and Transforming Java and Android Applications[EB/OL]. [2024-4-15]. http://soot-oss.github.io/soot/.
[9]	SMARAGDAKIS Y, BALATSOURAS G. Pointer Analysis[J]. Foundations and Trends in Programming Languages, 2015, 2(1): 1-69. doi: 10.1561/PGL URL
[10]	ANDERSEN L O. Program Analysis and Specialization for the C Programming Language[D]. Copenhagen: University of Copenhagen, DIKU, 1994.
[11]	BEN, CALVIN. Flow-Sensitive Pointer Analysis for Millions of Lines of Code[C]// IEEE. International Symposium on Code Generation and Optimization (CGO 2011). New York: IEEE, 2011: 289-298.
[12]	TAN Tian, MA Xiaoxing, XU Chang, et al. Survey on Java Pointer Analysis[J]. Journal of Computer Research and Development, 2023, 60(2): 274-293.
	谭添, 马晓星, 许畅, 等. Java指针分析综述[J]. 计算机研究与发展, 2023, 60(2): 274-293.
[13]	LIU Jie, LI Yue, TAN Tian, et al. Reflection Analysis for Java: Uncovering More Reflective Targets Precisely[C]// IEEE. 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE). New York: IEEE, 2017: 12-23.
[14]	The University of Maryland. SpotBugs[EB/OL]. [2024-04-15]. https://spotbugs.github.io/.
[15]	FABIAN, NICO, DANIEL, et al. Modeling and Discovering Vulnerabilities with Code Property Graphs[C]// IEEE. 2014 IEEE Symposium on Security and Privacy. New York: IEEE, 2014: 590-604.
[16]	OEGE, MATHIEU, ELNAR, et al. Keynote Address:.QL for Source Code Analysis[C]// IEEE. Seventh IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2007). New York: IEEE, 2007: 3-16.
[17]	Gary A. Kildall. A Unified Approach To Global Program Optimization[C]// IEEE. The 1st annual ACM SIGACT-SIGPLAN symposium on Principles of programming languages (POPL ’73). New York: ACM, 1973: 194-206.
[18]	Kam, John B. and Jeffrey D. Ullman. Monotone Data Flow Analysis Frameworks[J]. Acta Informatica, 1977, 7: 305-317.
[19]	CHEN Liqian, FAN Guangsheng, YIN Banghu, et al. Research Progress on Abstract Interpretation and Its Application[J]. Journal of Computer Research and Development, 2023, 60(2): 227-247.
	陈立前, 范广生, 尹帮虎, 等. 抽象解释及其应用研究进展[J]. 计算机研究与发展, 2023, 60(2): 227-247.
[20]	COUSOT P, COUSOT R. Abstract Interpretation: A Unified Lattice Model for Static Analysis of Programs By Construction Or Approximation of Fixpoints[C]// ACM. The 4th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages. New York: ACM, 1977: 238-252.
[21]	NIST. Juliet Java[EB/OL]. [2024-04-15]. https://samate.nist.gov/SARD/test-suites/111.
[22]	OWASP Foundation. OWASP Benchmark[EB/OL]. [2024-04-15]. https://owasp.org/www-project-benchmark/.

分析对象	Java变量类型
String类及其父类	java.lang.String
String类及其父类	java.lang.Object
构建、组成字符串的类	java.lang.StringBuffer
	java.lang.StringBuilder
	java.lang.Character
	byte[]
包含字符串的数据结构	java.lang.String[]
	java.util.LinkedList
	java.util.Vector
	java.util.HashMap
	java.util.ArrayList

语句种类	语句示例	字符串传播规则
对象创建	l : lvar = new T()	$\frac{\text{type(lvar)}~\in \text{ }\!\!~\!\!\text{ typeset}}{\text{out(l, }\!\!~\!\!\text{ lvar)}~=\text{ }\!\!~\!\!\text{ UNDEF}}$
字符串创建	l : lvar = “abc”	$\frac{\text{type(lvar)}~==\text{ }\!\!~\!\!\text{ java}\text{.lang}\text{.String}}{\text{outfact(l, }\!\!~\!\!\text{ lvar)}~=\text{ }\!\!~\!\!\text{ CONSTANT}}$
变量复制	l : lvar = rvar	$\frac{\text{t }\!\!~\!\!\text{ = }\!\!~\!\!\text{ infact(l, }\!\!~\!\!\text{ rvar)}~}{\text{outfact(l, }\!\!~\!\!\text{ lvar)}~=\text{ }\!\!~\!\!\text{ t}}$
方法调用	l : lvar = rvar.k(a₁,…, a_n)	$\frac{\begin{matrix} \text{t }\!\!\_\!\!\text{ lvar }\!\!~\!\!\text{ = }\!\!~\!\!\text{ infer }\!\!\_\!\!\text{ lvar(rvar, }\!\!~\!\!\text{ }k\text{, }\!\!~\!\!\text{ }{{a}_{1}},\cdots,{{a}_{n}}) \\ \text{ }\!\!~\!\!\text{ }\!\!~\!\!\text{ }\!\!~\!\!\text{ t }\!\!\_\!\!\text{ rvar }\!\!~\!\!\text{ = }\!\!~\!\!\text{ infer }\!\!\_\!\!\text{ rvar(rvar, }\!\!~\!\!\text{ }k\text{, }\!\!~\!\!\text{ }{{a}_{1}},\cdots,{{a}_{n}})\text{ }\!\!~\!\!\text{ }\!\!~\!\!\text{ } \\ \end{matrix}}{\begin{matrix} \text{outfact(l, }\!\!~\!\!\text{ lvar)}~=\text{ }\!\!~\!\!\text{ t }\!\!\_\!\!\text{ lvar} \\ \text{outfact(l, }\!\!~\!\!\text{ rvar)}~=\text{ }\!\!~\!\!\text{ t }\!\!\_\!\!\text{ rvar} \\ \end{matrix}}$

漏洞类型	类	危险函数	参数位置
CWE-078 命令注入	java.lang.Runtime	exec	all
	java.lang.ProcessBuilder	command	0
	java.lang.ProcessBuilder	<init>	0
CWE-089 SQL注入	java.sql.Statement	execute	0
		addBatch	0
		executeQuery	0
		executeUpdate	0
	java.sql.Connection	prepareCall	0
	java.sql.Connection	prepareStatement	0
	org.springframework.jdbc.core.JdbcTemplate	queryForObject	0
		queryForRowSet	0
		queryForMap	0
		queryForList	0
		query	0
		execute	0
		batchUpdate	0
CWE-090 LDAP 注入	javax.naming.directory.DirContext	search	1
CWE-090 LDAP 注入	javax.naming.directory.InitialDirContext	search	1

软硬件名称	硬件配置/软件版本
CPU	Core(TM) i5-1240P
内存	16 GB
操作系统	Windows 11
Java	17.0.9
Tai-e	0.5.1
CodeQL	2.15.5
SpotBugs	4.8.3
FindSecBugs	1.12.0
Juliet Java测试集	1.3
OWASP测试集	1.2

测试工具	测试对象	TP	FN	TN	FP	Total	TPR	FPR	Score
ConstStringDetect	Juliet Java CWE-078	444	0	600	24	1068	100%	3.85%	96.15%
SpotBugs+FindSecBugs	Juliet Java CWE-078	444	0	0	624	1068	100%	100.00%	0
CodeQL(ExecTainted.ql+ ExecTaintedLocal.ql)	Juliet Java CWE-078	444	0	612	12	1068	100%	1.92%	98.08%
CodeQL(ExecUnescaped.ql)	Juliet Java CWE-078	222	222	390	234	1068	50%	37.50%	12.50%
ConstStringDetect	OWASP CWE-078	126	0	57	68	251	100%	54.40%	45.60%
SpotBugs+FindSecBugs	OWASP CWE-078	126	0	14	111	251	100%	88.80%	11.20%
CodeQL(ExecTainted.ql+ ExecTaintedLocal.ql)	OWASP CWE-078	98	28	64	61	251	77.78%	48.80%	28.98%
CodeQL(ExecUnescaped.ql)	OWASP CWE-078	0	126	106	19	251	0	15.20%	-15.20%
ConstStringDetect	Juliet Java CWE-089	592	0	784	32	1408	100%	3.92%	96.08%
SpotBugs+FindSecBugs	Juliet Java CWE-089	592	0	0	816	1408	100%	100%	0
CodeQL(SqlTainted.ql+ SqlTaintedLocal.ql)	Juliet Java CWE-089	592	0	800	16	1408	100%	1.96%	98.04%
CodeQL(SqlConcatenated.ql)	Juliet Java CWE-089	407	185	485	331	1408	68.75%	40.56%	28.19%
ConstStringDetect	OWASP CWE-089	272	0	127	105	504	100%	45.26%	54.74%
SpotBugs+FindSecBugs	OWASP CWE-089	272	0	43	189	504	100%	81.47%	18.53%
CodeQL(SqlTainted.ql+ SqlTaintedLocal.ql)	OWASP CWE-089	272	0	145	87	504	100%	37.50%	62.50%
CodeQL(SqlConcatenated.ql)	OWASP CWE-089	0	272	112	120	504	0	51.72%	-51.72%
ConstStringDetect	Juliet Java CWE-090	444	0	600	24	1068	100%	3.85%	96.15%
SpotBugs+FindSecBugs	Juliet Java CWE-090	444	0	0	624	1068	100%	100%	0
CodeQL(Ldapinjection.ql)	Juliet Java CWE-090	222	222	618	6	1068	50%	0.96%	49.04%
ConstStringDetect	OWASP CWE-090	27	0	18	14	59	100%	43.75%	56.25%
SpotBugs+FindSecBugs	OWASP CWE-090	27	0	5	27	59	100%	100%	0
CodeQL(Ldapinjection.ql)	OWASP CWE-090	27	0	19	13	59	100%	40.63%	59.37%