This git repository has been made for maintaining the project work of Program Analysis. The code here contains the taint analysis study for the PL/SQL database codebase.
This file contains
- Summary of project
- Project Structure
- Execution Instructions to reproduce the result
- Acknowledgement for all resources consulted (discussions, texts, urls, etc.) while working on the project.
plsql-program-analysis folder :
src
java
cfg
: This module contains control-flow-graph creation for PL/SQL stored proceduretaintchecker
: This module coontains the core logic for taint analysis on the Intermediate Representation created
resource
: contains the various types of input example that has been given to the source code.
visualization
: This folder contains the control flow graph in .dot file format for visualization on Gephi tool.
report: cotnains final paper
Following are the steps to run the project and produce results for any project.
- java 8 to be installed in the machine where the code is ran
- IDE like Intellij or Eclipse
- For dependency management Maven needs to be there (apache-maven-3.8.3 used)
From the above code structure resource folder contains various types examples for PL/SQL stored procedure which has be to ran one after the other to reproduce the evaluations and results.
Following are the examples to be ran from resource folder:
- tainted-example.txt -> Example for simple PL/SQL stored procedure for one tainted value
- sanitized-example.txt -> Example for santitized input where no taints gets propogated
- tainted-high-loc-example.txt -> Example for tainted input with Stored Procedure for higher number of lines fo code
- two-taint-present-example.txt -> Example that detects 2 taints present for the given code
- multiple-taint-present-example.txt -> Example for more than 2 taints present for gven code
- dos-attack-without-sanitization.txt -> Example for producing taint which leads to denial of service (DoS) attack
- dos-attack-wit-sanitization.txt -> Example that checks sanitization for denio of service (Dos) attack
In order to run each example follow below steps -
- Go to file
src
->main
->java
->com.demo.plsqlprogramanalysis.cfg
->InputCodeReader.java
- On line number 18 for InputStream object, put the name of the example source code file
- Run PlsqlProgramAnalysisApplication.java file, which has the main method for spring boot application
- Install Gephi tool from https://gephi.org/users/install/
- On line number 78 in PlsqlProgramAnalysisApplication.java, need to provide the filename for .dot file
visualization
folder will contain the saved .dot file, open them into Gephi to view the
- Consulted with Professor and TA to discuss the project idea, motivation and methodology planned
- Discussed about the real-time problem with my previous colleague at JPMorgan to get more insight of the problem
- SonarSource Tool
- PMD Analzer
- SQL Enlight tool
- PL/SQL Advisor