Overview
SecureFlow is a research-oriented static taint-analysis tool that detects insecure data flows in Java applications. It identifies how user-controlled input (sources) can reach dangerous operations (sinks), producing a detailed report with severity levels and rule identifiers.
SecureFlow in Action 🚀
Below is a live demonstration of SecureFlow running in the terminal and printing analysis results in real time.
Why SecureFlow?
- Demonstrates core static analysis and taint tracking concepts.
- Lightweight and easy to understand for educational and research purposes.
- Extensible via JSON rule configuration without modifying the core engine.
- Ideal for showcasing research-level thinking for MS/PhD applications.
Architecture
Key components:
- AST Parser: JavaParser generates an abstract syntax tree.
- TaintAnalyzer: Tracks tainted variables, object fields, and method calls.
- RuleConfig: JSON-based rules for dangerous methods, sanitizers, and severity levels.
- Report: Generates human-readable output highlighting detected security issues.
Folder Structure
SecureFlow/
├── docs/
│ ├── index.html
│ ├── design.md
│ └── limitations.md
├── examples/
│ └── Test1.java
│
├── src/
│ └── main/java/secureflow/...
│
├── config/
│ └── rules.json
├── evaluation/
│ ├── false_positive/FP1.java
│ └── true_positive/TP1.java
│
├── README.md
└── LICENSE
Getting Started
Clone the repository:
git clone https://github.com/MANISH-K-07/SecureFlow.git
cd SecureFlow
Compile:
javac -cp "lib/*" $(Get-ChildItem -Recurse src/main/java -Filter *.java | ForEach-Object { $_.FullName })
compile.ps1 is a plain-text file in the project root containing the PowerShell monster script above, so the whole tree can be compiled with a single command:
.\compile.ps1
Run SecureFlow:
java -cp "lib/*;src/main/java" secureflow.Main examples/Test1.java
The ";" classpath separator is the Windows form; on Linux or macOS use ":" instead ("lib/*:src/main/java").
Future Extensions
- Interprocedural taint analysis to track data across methods and classes.
- Control-flow and path-sensitive analysis for more precise detection.
- Support for collections, arrays, and complex expressions.
- Machine-readable output formats (JSON, SARIF) for integration with CI/CD.
- Visualization of data flows for educational purposes.
Documentation
Explore the detailed docs in the docs/ folder: index.html, design.md (architecture and design decisions) and limitations.md (known limitations of the analysis).
Academic & Research Relevance
- Illustrates intraprocedural taint analysis techniques used in software security research.
- Highlights rule-based static analysis and modular design for extendability.
- Supports field-sensitive tracking and method call propagation within a file.
- Serves as a prototype for research discussions, demonstrating understanding of real-world trade-offs in static analysis.
Evaluation
SecureFlow was evaluated on a small benchmark suite of manually crafted Java programs representing common security patterns.
True Positives:
- TP1.java: command execution with untrusted input (Detected)
False Positives:
- FP1.java: sanitized input passed to command execution (Not detected, i.e. no false positive)
On this suite SecureFlow detects the real vulnerability while not flagging a common sanitization pattern.
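The following is an added example, not code from the SecureFlow repository, illustrating the four components listed under Architecture (rule configuration loaded from JSON, a taint analyzer with field-sensitive tracking and method-call propagation, and a report with rule identifiers and severities) on inputs shaped like the TP1/FP1 cases in the Evaluation section. Because it runs without JavaParser, the Java program is stood in for by a list of tuples representing AST statements; the rule-file layout, the rule identifiers (SF-CMD-001, SF-SQL-001), the sanitizer name Shell.escape and the statement encoding are all assumptions made for this example and are not SecureFlow's own formats.

```python
import json
from dataclasses import dataclass


# Constructed rule file in a layout assumed for this example (not SecureFlow's rules.json).
RULES_JSON = """
{
  "sources":    ["BufferedReader.readLine", "HttpServletRequest.getParameter"],
  "sanitizers": ["Shell.escape"],
  "sinks": [
    {"method": "Runtime.exec",            "rule": "SF-CMD-001", "severity": "HIGH"},
    {"method": "Statement.executeQuery",  "rule": "SF-SQL-001", "severity": "HIGH"}
  ]
}
"""


@dataclass
class RuleConfig:
    """Sources, sanitizers and sinks; sinks map a method name to (rule id, severity)."""
    sources: set
    sanitizers: set
    sinks: dict

    @classmethod
    def from_json(cls, text):
        raw = json.loads(text)
        return cls(set(raw["sources"]), set(raw["sanitizers"]),
                   {s["method"]: (s["rule"], s["severity"]) for s in raw["sinks"]})


# Statement tuples stand in for AST nodes (an assumption of this example):
#   ("assign", line, target, expr)   target is a variable "x" or a field "obj.field"
#   ("call",   line, method, args)   a bare call statement, possibly a sink
# Expressions: ("lit", value) | ("var", name) | ("call", method, [expr, ...])
class TaintAnalyzer:
    def __init__(self, rules):
        self.rules = rules
        self.tainted = set()   # variable and "obj.field" names currently tainted
        self.findings = []

    def is_tainted(self, expr):
        kind = expr[0]
        if kind == "lit":
            return False
        if kind == "var":
            # Field-sensitive: "req.name" and "req.id" are tracked as separate names.
            return expr[1] in self.tainted
        method, args = expr[1], expr[2]
        if method in self.rules.sources:
            return True
        if method in self.rules.sanitizers:
            return False
        # Ordinary call: taint propagates from any tainted argument to the result.
        return any(self.is_tainted(a) for a in args)

    def check_sink(self, line, method, args):
        if method not in self.rules.sinks:
            return
        if any(self.is_tainted(a) for a in args):
            rule, severity = self.rules.sinks[method]
            self.findings.append({"rule": rule, "severity": severity,
                                  "line": line, "sink": method})

    def analyze(self, program):
        for stmt in program:
            if stmt[0] == "assign":
                _, line, target, expr = stmt
                if expr[0] == "call":
                    self.check_sink(line, expr[1], expr[2])
                if self.is_tainted(expr):
                    self.tainted.add(target)
                else:
                    self.tainted.discard(target)   # strong update: a clean value clears taint
            else:
                _, line, method, args = stmt
                self.check_sink(line, method, args)
        return self.findings


def format_report(findings):
    """Human-readable report lines, one per finding."""
    return [f"[{f['severity']}] {f['rule']} line {f['line']}: tainted data reaches {f['sink']}"
            for f in findings]


def run(program, rules_json=RULES_JSON):
    return TaintAnalyzer(RuleConfig.from_json(rules_json)).analyze(program)


# Constructed inputs shaped like TP1 and FP1 (not the repository's files).
TP_PROGRAM = [
    ("assign", 5, "cmd", ("call", "BufferedReader.readLine", [])),
    ("call",   6, "Runtime.exec", [("var", "cmd")]),
]
FP_PROGRAM = [
    ("assign", 5, "cmd",  ("call", "BufferedReader.readLine", [])),
    ("assign", 6, "safe", ("call", "Shell.escape", [("var", "cmd")])),
    ("call",   7, "Runtime.exec", [("var", "safe")]),
]
# Field sensitivity plus propagation through an ordinary method call.
FIELD_PROGRAM = [
    ("assign", 5, "req.name", ("call", "HttpServletRequest.getParameter", [("lit", "name")])),
    ("assign", 6, "req.id",   ("lit", "42")),
    ("assign", 7, "msg",      ("call", "String.concat", [("lit", "hello "), ("var", "req.name")])),
    ("call",   8, "Runtime.exec", [("var", "req.id")]),
    ("call",   9, "Runtime.exec", [("var", "msg")]),
]

if __name__ == "__main__":
    for name, prog in [("TP", TP_PROGRAM), ("FP", FP_PROGRAM), ("FIELD", FIELD_PROGRAM)]:
        print(name, format_report(run(prog)) or ["no findings"])
```

The analysis is intraprocedural and flow-insensitive in the same spirit as the README's scope: taint is a set of names updated statement by statement, a sanitizer call returns clean data, and any other call forwards taint from its arguments to its result. Reassigning a clean value clears the name's taint, and "req.id" stays clean even though "req.name" is tainted.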
License
This project is licensed under the MIT License.