We present the first systematic approach to static and dynamic taint analysis for Graph APIs focusing on broken access control. The approach comprises the following steps. We taint nodes of the Graph API if they represent data requiring specific privileges in order to be retrieved or manipulated, and identify API calls which are related to sources and sinks. Then, we statically analyze whether a tainted information flow between API source and sink calls occurs. To this end, we model the API calls using graph transformation rules. We subsequently use Critical Pair Analysis to automatically analyze potential dependencies between rules representing source calls and rules representing sink calls. We distinguish direct from indirect tainted information flow and argue under which conditions the Critical Pair Analysis is able to detect not only direct, but also indirect tainted flow. The static taint analysis (i) identifies flows that need to be further reviewed, since tainted nodes may be created by an API call and used or manipulated by another API call later without having the necessary privileges, and (ii) can be used to systematically design dynamic security tests for broken access control. The dynamic taint analysis checks if potential broken access control risks detected during the static taint analysis really occur. We apply the approach to a part of the GitHub GraphQL API. The application illustrates that our analysis supports the detection of two types of broken access control systematically: the case where users of the API may not be able to access or manipulate information, although they should be able to do so; and the case where users (or attackers) of the API may be able to access or manipulate information that they should not.
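A toy instance of the approach, added here as an illustration (it is not the paper's code and uses a constructed schema, not the real GitHub GraphQL API): four hypothetical API calls are modelled as rules with the node types they create and use, tainted types carry the privilege they need, a produce-use dependency stands in for a critical pair between rules, source-to-sink chains are enumerated (direct for length 2, indirect otherwise), each sink is statically classified as under- or over-restricted, and a dynamic replay against a mock of the running API checks whether the static finding is real. Privilege names, the assumed linear ordering of privileges and the call names are all assumptions.

```python
from collections import namedtuple
# Constructed toy model (not the paper's artifact, not the real GitHub schema):
# tainted node types with the privilege each needs; privileges assumed linearly ordered.
TAINT = {"PrivateRepo": "repo:read", "Issue": "repo:read"}
LEVEL = {None: 0, "repo:read": 1, "repo:write": 2, "admin": 3}
# One graph-transformation rule per API call: node types it creates / uses, privilege demanded.
Rule = namedtuple("Rule", "name creates uses requires")
RULES = [
    Rule("createPrivateRepo", {"PrivateRepo"}, set(), "repo:write"),
    Rule("createIssue", {"Issue"}, {"PrivateRepo"}, "repo:read"),
    Rule("readIssue", set(), {"Issue"}, None),       # modelled as public
    Rule("listIssues", set(), {"Issue"}, "admin"),   # modelled as admin-only
]
def depends(r1, r2):
    # Produce-use dependency standing in for a critical pair: tainted types r1 creates, r2 uses.
    return {t for t in r1.creates & r2.uses if t in TAINT}
def tainted_flows(rules):
    # Source->sink chains: length 2 is direct flow, longer is indirect flow
    # (an intermediate call uses one tainted node and creates another).
    flows = []
    def walk(chain):
        for r in rules:
            if r in chain or not depends(chain[-1], r):
                continue
            flows.append(chain + [r])
            if any(t in TAINT for t in r.creates):
                walk(chain + [r])
    for src in rules:
        if any(t in TAINT for t in src.creates):
            walk([src])
    return flows
def needed(flow):
    # Privilege the tainted data at the sink demands (types it uses and creates).
    sink = flow[-1]
    return max(LEVEL[TAINT[t]] for t in depends(flow[-2], sink) | {t for t in sink.creates if t in TAINT})
def classify(flow):
    # Static verdict: the sink's modelled privilege vs. what the tainted data needs.
    have, need = LEVEL[flow[-1].requires], needed(flow)
    verdict = "under-restricted" if have < need else "over-restricted" if have > need else "ok"
    return ("direct" if len(flow) == 2 else "indirect"), verdict

# Constructed mock of the running API: the privilege it actually enforces per call.
ENFORCED = {"createPrivateRepo": "repo:write", "createIssue": "repo:read",
            "readIssue": "repo:read", "listIssues": "admin"}

def dynamic_check(flow, caller):
    # Replay as `caller`: served but not entitled (type 2) or entitled but denied (type 1).
    served = LEVEL[caller] >= LEVEL[ENFORCED[flow[-1].name]]
    return "confirmed" if served != (LEVEL[caller] >= needed(flow)) else "not reproduced"
```

Running `classify` over `tainted_flows(RULES)` flags `readIssue` as under-restricted and `listIssues` as over-restricted; the dynamic replay then shows the mock actually enforces `repo:read` on `readIssue` (finding not reproduced) while a `repo:read` caller is wrongly denied by `listIssues` (finding confirmed).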