Research and Practice of IAST/RASP: Instrumentation, Taint Analysis, and Integration with SkyWalking

IAST (Interactive Application Security Testing) and RASP (Runtime Application Self‑Protection) are security approaches that operate during program execution by instrumenting bytecode to collect runtime state, enabling more accurate security testing and intrusion detection.

This series introduces research and practice of IAST/RASP for Java applications, covering product surveys, key technology analysis, and engineering implementation.

IAST can be realized in three modes: proxy (passive black‑box), active instrumentation (probe‑driven traffic generation), and passive instrumentation (monitoring without generating traffic). The article focuses on the passive instrumentation mode.

Instrumentation inserts probes into the program while preserving original logic. Probes must be non‑intrusive and collect runtime features for analysis. In Java, bytecode enhancement is performed via Java agents (premain or attach) using tools such as ASM, Byte‑Buddy, or Javassist. Example code shows a simple method before and after instrumentation:

package com.test;

public void a(Object o){
  //业务逻辑
  System.out.println(o);
}

After enhancement, additional bytecode is inserted to check for null values:

public void print(java.lang.Object);

  Code:
  0:getstatic #2 //Field java/lang/System.out:Ljava/io/PrintStream;
  3:aload_1
  4:ifnonnull 11
  7:iconst_18
  12:invokevirtual #3//Method java/io/PrintStream.println:(Z)V
  15:getstatic #2//Field java/lang/System.out:Ljava/io/PrintStream;
  18:aload_1
  19:invokevirtual #4//Method java/io/PrintStream.println:(Ljava/lang/Object;)V
  22:return

Taint analysis is implemented by inserting tracking logic at four stages: source, propagate, sanitizer, and sink. A simplified SQL‑injection example demonstrates how taint is marked at the source (e.g., request.getParameter), propagated through string concatenation, and reported at the sink (e.g., executeQuery). Relevant code snippets illustrate the inserted taint‑tracking calls:

//String id = request.getParameter("id");
String getParameter(String var1){
  // ... original logic ...
  // insert taint tracking logic
  // int taintedHash = System.identityHashCode(s);
  // TaintedPool.add(taintedHash);
  return s;
}

//String sql1 = sql.concat(id);
public String concat(String str){
  // ... original logic ...
  // insert taint tracking logic
  // int strHash = System.identityHashCode(str);
  // if(TaintedPool.contain(strHash)){
  //   int sHash = System.identityHashCode(s);
  //   TaintedPool.add(sHash);
  // }
  return result;
}

//ResultSet rs = st.executeQuery(sql);
ResultSet executeQuery(String sql) throws SQLException{
  // insert taint tracking logic
  // int sqlHash = System.identityHashCode(sql);
  // if(TaintedPool.contain(sqlHash)){
  //   Vul.Report(sqlHash,...);
  // }
  // ... original logic ...
  return rs;
}

Rule abstraction defines the enhanced function signature, taint input (object or parameter), taint output (object, parameter, or return), depth (class, subclass, etc.), type (source/propagate/sanitizer/sink), and associated vulnerability type.

SCA (Software Composition Analysis) collection is achieved via a Java agent that scans the application classpath for dependent JARs, enriching security detection with dependency information.

SkyWalking, an Apache‑hosted APM system, provides tracing based on OpenTracing. Its trace context can carry taint‑analysis data across processes, enabling cross‑application taint tracking. The article discusses plugin annotation support, cross‑process trace propagation, and engineering challenges such as performance impact and JRE class modification.

Comparison of IAST, SAST, and DAST across dimensions (control‑flow coverage, dirty data, dynamic features, active vs. passive scanning, runtime information collection, false‑positive/negative rates) shows how the techniques complement each other and can be combined to improve overall security testing.

Specific implementation details cover Javaagent technology (premain and attach loading mechanisms) and bytecode enhancement tools (ASM, Byte‑Buddy, Javassist) required for building a Java‑based IAST solution.

In conclusion, the research extracts valuable design patterns from existing IAST products and SkyWalking, providing a technical foundation for future IAST development and integration in complex enterprise environments.