ASHOURY.NET
This paper introduces a practical approach to identifying input sanitization errors in Java applications. The technique analyzes the bytecode of a given Java application by combining call graph backward slicing with dynamic taint tracking. As a result, it overcomes common restrictions of previous work, such as unexpected runtime errors in the Java Virtual Machine (JVM) or applications altering the normal behavior of target programs under analysis, and the lack of source code. Our approach can be deployed without special firmware modifications or root privileges on different standard operating systems supporting the JVM, e.g., Linux, Windows, and Mac OS. Moreover, we evaluated our technique with a new Java benchmark suite called Orbitz Security Benchmark Suite. Orbitz includes 8 programs written for modern Java compilers (e.g., Java SE 9, 11, 14, and 16) and comprises 1,201,934 lines of code with different workloads for various application..