Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University."— Presentation transcript:

1 Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University

2 Vulnerability Research Focus Static analysis for vulnerability detection Until recently, a large portion of server- side software was written in C/C++ Vulnerabilities come from poor language and API design: Buffer overruns Buffer overruns Format string violations Format string violations More profound: Time-of-check-time-of-use errors (TOCTOU) Time-of-check-time-of-use errors (TOCTOU)

3 Security Errors in Java are Emerging Situation is changing… More and more Web-based applications are written in Java Web-based applications are good vulnerability targets New categories of errors in this domain SQL Injections Cross-site scripting HTTP response splitting Forceful browsing LDAP injection Bad session stores

4 Finding Errors with Static Analysis Our approach: Static Analysis has been proven useful for finding security errors in C programs Static Analysis has been proven useful for finding security errors in C programs Apply to Java to find new categories of errors Apply to Java to find new categories of errors What we did: Created user-friendly code analysis tools Created user-friendly code analysis tools Based on Eclipse, an open-source Java IDE Based on Eclipse, an open-source Java IDE Easy to run on your own code Easy to run on your own code Focused on two types of errors so far Focused on two types of errors so far Bad session stores SQL injections We look at these two error patterns next… We look at these two error patterns next…

5 Focus on Two Error Patterns Object o = … HttpSession s = … s.setAttribute(“name”, o); Unchecked input passed to backend database Carefully crafted input containing SQL will be interpreted by database Can be used by the malicious user to read unauthorized info, delete data, even execute commands, etc. Bad session storeSQL injection A common pattern in servlets leading to errors HttpSessions need to be saved to disk Object o must implement java.io.Serializable Bad API design Can lead to crashes and DOS attacks String query = request.getParameter(“name”); java.sql.Statement stmt = … stmt.executeQuery(query);

6 Our Tools… Identify all sources of user information Identify all sinks where sensitive data can flow Filter out sinks that take constant strings Help to follow data from sources to sinks Report errors Bad session storesSQL Injections Look at the type of the 2 nd argument of setAttribute: setAttribute(…, expr); setAttribute(…, expr); Do a type check for expr that don’t implement java.io.Serializable Report errors

7 Screen shot Potential Error Error in the source

8 Benchmarks 10 Web-based applications Widely deployed and vulnerable to attacks Most blogging tools Quite large – 10s of KLOC Rely on very large J2EE libs

9 Results for Bad Session Stores Found 14 errors 8 false posititives 37% false pos rate Why false positives? Declared types are too wide Declared types are too wide Can improve with better type info from pointer analysis Can improve with better type info from pointer analysis

10 Results for SQL Injections Found 6 errors Can find “low- hanging” errors Easy when sources and sinks are “close” Often they are very far apart Many require more elaborate analysis

11 Summary Created lightweight interactive tools for finding security errors in Java Found a total of 20 errors However, there are false positives and false positives and “unknowns” – potential errors our tools can’t address “unknowns” – potential errors our tools can’t addressConclusion: Our tools are good for finding simpler errors Our tools are good for finding simpler errors Hard errors often require a stronger analysis of data propagation Hard errors often require a stronger analysis of data propagation Working on a pointer analysis-based approach Working on a pointer analysis-based approach

Download ppt "Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University."

Similar presentations

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.

Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Static code check – Klocwork

Static code check – Klocwork
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Turning Eclipse Against Itself: Finding Errors in Eclipse Sources Benjamin Livshits Stanford University.

Turning Eclipse Against Itself: Finding Errors in Eclipse Sources Benjamin Livshits Stanford University.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.

Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.

Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.

Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.

Similar presentations

Ads by Google