Title Testing web applications for security vulnerabilities with metarequests
Abstract A method includes instantiating, in response to a request by an executing application, an input data object with one or more uninitialized fields and traversing a path toward a sink in the executing application to a branching point of the executing application. In response to reaching the branching point, one or more parameters are provided for some or all of the one or more uninitialized fields of the input data object, wherein the one or more parameters were determined prior to beginning of execution of the executing application to cause a branch to be taken by the executing application toward the sink. The path is traversed toward the sink at least by following the branch in the executing application. Apparatus and computer program products are also disclosed.
Publication number US9363284(B2) Publication date 2016.06.07
Application number US201314103221 Filing date 2013.12.11
Applicant International Business Machines Corporation Inventors Pistoia Marco;Tripp Omer
Classification H04L29/06;H04L29/08 Main classification H04L29/06
Agency Harrington & Smith Agent Harrington & Smith
Independent claim 1. A method, comprising: instantiating, in response to a request by an executing application, an input data object with one or more uninitialized fields; traversing a path toward a sink in the executing application to a branching point of the executing application; providing, in response to reaching the branching point, one or more parameters for some or all of the one or more uninitialized fields of the input data object, wherein the one or more parameters were determined prior to beginning of execution of the executing application to cause a branch to be taken by the executing application toward the sink; continuing to traverse the path toward the sink at least by following the branch in the executing application; consulting, upon reaching a specific statement of one or more statements in the executing application that references at least one uninitialized field of the one or more uninitialized fields, a set of rules determined prior to beginning execution of the application, selecting a rule that corresponds to the specific statement and instantiating the at least one uninitialized field based on the selected rule to create at least one initialized field; applying the at least one initialized field to the specific statement; and continuing to traverse the path toward the sink, wherein the at least one initialized field comprises a certain initialized field that is a token that was chosen prior to beginning execution of the application to cause a particular vulnerability when sinks are reached; and the method further comprises: determining, upon reaching the sink via a path where the certain initialized field is an input to a source in the path, whether a vulnerability exists in response to the sink being reached with a payload provided by the executing application to the sink; and outputting an indication the sink is vulnerable in response to a vulnerability being determined to exist for the sink.
Address Armonk NY US
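The metarequest mechanism described in the abstract and claim above, as an added Python illustration that is not code from the patent or from IBM: a request object whose fields stay uninitialized until a statement references them; a rule table fixed before execution that supplies the branch-steering value at the branching point (statement S1) and an XSS token at the statement that feeds the sink (statement S2); and a check, once the sink is reached, of whether the token arrived in the payload intact. The toy handlers, the statement ids S1/S2, the rule table, the sink and the token are all constructed for this example; the patent's own statement identification and rule derivation are not shown, so the application is hand-instrumented to pass a statement id with each parameter read.

```python
import html

# Token chosen before the application runs to trigger a reflected XSS if it
# reaches an HTML-writing sink unencoded (constructed for this example).
XSS_TOKEN = "<script>alert(1)</script>"


class Sink:
    """Stands in for a security-sensitive operation such as writing the HTTP
    response body; it records every payload the application hands it."""

    def __init__(self, name):
        self.name = name
        self.payloads = []

    def write(self, value):
        self.payloads.append(value)


class MetaRequest:
    """A request whose parameters start uninitialized. A field is given a value
    only when a statement first references it, by looking up a rule keyed on
    that statement's id. The rule table is fixed before execution starts."""

    def __init__(self, rules):
        self.rules = rules      # statement id -> value for the field read there
        self.fields = {}        # fields initialized so far
        self.trace = []         # (statement id, field name) in reference order

    def get_parameter(self, stmt, name):
        self.trace.append((stmt, name))
        if name not in self.fields:
            # No rule for this statement: initialize to a neutral empty string.
            self.fields[name] = self.rules.get(stmt, "")
        return self.fields[name]


# Toy application under test, hand-instrumented so that each statement reading
# a parameter passes its statement id (the ids S1/S2 are assumptions of this
# example; the patent obtains the statement from the instrumented application).
def greet_handler(req, out):
    if req.get_parameter("S1", "mode") != "html":   # branching point
        return                                      # branch away from the sink
    name = req.get_parameter("S2", "name")          # source on the path to the sink
    out.write("<h1>Hello " + name + "</h1>")        # sink: unencoded HTML write


def safe_greet_handler(req, out):
    if req.get_parameter("S1", "mode") != "html":
        return
    name = req.get_parameter("S2", "name")
    out.write("<h1>Hello " + html.escape(name) + "</h1>")   # sanitized before the sink


# Rules determined before execution: S1 is a branch whose "html" arm leads to
# the sink, S2 is the field that flows into the sink and receives the token.
RULES = {"S1": "html", "S2": XSS_TOKEN}


def check_for_xss(handler, rules):
    """Run the handler once with a metarequest and decide whether the sink was
    reached with the token intact. Returns (vulnerable, payloads, fields)."""
    req = MetaRequest(rules)
    sink = Sink("response.write")
    handler(req, sink)
    vulnerable = any(XSS_TOKEN in p for p in sink.payloads)
    return vulnerable, list(sink.payloads), dict(req.fields)


if __name__ == "__main__":
    for handler in (greet_handler, safe_greet_handler):
        vulnerable, payloads, fields = check_for_xss(handler, RULES)
        print(handler.__name__, "vulnerable" if vulnerable else "not vulnerable",
              fields, payloads)
    # Without the branch rule the request never reaches the sink at all.
    print("no rules:", check_for_xss(greet_handler, {}))
```

Running `check_for_xss(greet_handler, {})` shows why the branch rule matters: with no value for `mode` the handler returns before the sink and nothing can be observed, so a plain fuzzer would have to guess the `mode` value. The sanitized variant shows the other half of the claim: reaching the sink is not enough, the decision is made on the payload the application actually hands to the sink, and an escaped token is reported as not vulnerable.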