Presentation is loading. Please wait.

Presentation is loading. Please wait.

Benjamin Davis Hao Chen University of California, Davis.

Published byMilton Potter Modified over 8 years ago

Similar presentations

Presentation on theme: "Benjamin Davis Hao Chen University of California, Davis."— Presentation transcript:

1 Benjamin Davis Hao Chen University of California, Davis

2  Web services are highly attractive targets  Over 60% of attacks target Web applications  Over 80% of vulnerabilities found are in Web applications (From SANS 2009 Top Cyber Security Risks) 2

3 3 Latest Comment Latest Comment {User Content}

4 4 Latest Comment This is great! Latest Comment This is great!

5 5 Latest Comment steal(document.cookie); Latest Comment steal(document.cookie);

6 6 Application ? ? ? ? ? ? ? ? ? ?

7 Information Flow Tracking System 7 Application Input !!

8 Information Flow Tracking System 8 Application !!

9 Information Flow Tracking System 9 Application !!

10 Information Flow Tracking System 10 Application !! Output !!

11 Information Flow Tracking System 11 Application !! Output X

12  Language-based “taint mode” ◦ Perl ◦ Ruby  Adding support to language structures ◦ Java [Chin, Wagner 09] ◦ PHP [Venema] 12

13 Information Flow Tracking System 13 Web Application Output Input Database Interface Database

14 Information Flow Tracking System Web Application 14 Output Input Database Interface Database !!

15 Information Flow Tracking System Web Application 15 Output Input Database Interface Database !!

16 Information Flow Tracking System Web Application 16 Output Input Database Interface Database !!

17 Information Flow Tracking System Web Application 17 Output Input Database Interface Database !!

18 Information Flow Tracking System Web Application 18 Output Input Database Interface Database ? ?

19 Information Flow Tracking System Web Application 19 Output Input Database Interface Database ? ?

20 Information Flow Tracking System Web Application 20 Output Input Database Interface Database ? ?

21  What if you have multiple applications?  How to treat data from the database? ◦ All tainted -> false positives ◦ All untainted -> false negatives ◦ Require manual annotation? ◦ Application-specific decisions? 21

22  Taint tracking through the entire system ◦ [Asbestos, 05] ◦ [HiStar, 06]  Implemented in ◦ Hardware ◦ OS ◦ VMM/emulator 22

23 Web Application 23 Output Input Database Interface Database !!

24 Web Application 24 Output Input Database Interface Database

25 Web Application 25 Output Input Database Interface Database !!

26 Web Application 26 Output Input Database Interface Database

27  Low level/fine granularity ◦ Hardware mechanism [Suh, Lee, Devadas 04] ◦ Minos [Crandall, Chong, 04]  Lacks high-level database semantics ◦ Aggregate functions ◦ Comparisons, SELECT DISTINCT 27

28  End-to-end taint tracking ◦ Across Web applications and databases  Leverage existing single-application information flow tracking engines  Compatible with existing Web services ◦ Require no changes to Web applications  Taint propagation through database functions 28

29 29 DB Interface Web Application Database Engine SQL

30 30 DB Interface Web Application Database Engine SQL Single-application information flow DBTaint

31  Store taint data in database composite types ◦ Tuple of form: (, )  Store/retrieve taint values via SQL ◦ No additional mechanisms needed in the database ◦ No change to underlying database data structures 31 IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) IdStatus 19‘closed’ 27‘open’ 32‘pending’ Before DBTaintWith DBTaint

32  Create functions that operate on composite types ◦ Comparison operators (=, !=, <, …) ◦ Arithmetic operations (+, -, …) ◦ Text operations (upper, lower, …) ◦ Aggregate functions (MAX, MIN, SUM, …)  Functions implemented in SQL ◦ CREATE FUNCTION ◦ CREATE OPERATOR ◦ CREATE AGGREGATE 32

33  Arithmetic operations (4, 0) + (5, 1) = (9, ?) 33

34  Arithmetic operations (4, 0) + (5, 1) = (9, ?) 34 untainted tainted

35  Arithmetic operations (4, 0) + (5, 1) = (9, 1) 35 untainted tainted

36  MAX {(2, 0), (3, 1), (5, 0)} = (5, ?) 36

37  MAX {(2, 0), (3, 1), (5, 0)} = (5, ?) 37 untainted tainted untainted

38  Untainted: trusted source ◦ Web application defaults ◦ Values generated entirely by the Web application  Tainted: from untrusted source, or unknown ◦ User input  Explicit information flow  Database returns untainted value only if database has received that value untainted 38

39  MAX {(2, 0), (3, 1), (5, 0)} = (5, ?) 39 untainted tainted untainted

40  MAX {(2, 0), (3, 1), (5, 0)} = (5, 0) 40 untainted tainted untainted

41  Equality (3, 0) = (3, 1) 41 untainted tainted ?

42  Equality 3 == 3 42

43  Equality (3, 0) == (3, 1)  Adopt notion of backwards-compatibility [Chin, Wagner 09] 43 untainted tainted

44  MAX {(5, 1), (5, 0)} = (5, ?) 44 untainted tainted

45  MAX {5, 5} = 5 45

46  MAX {5, 5} = 5 46 OR

47  MAX {(5, 1), (5, 0)} = (5, ?) 47 OR

48  MAX {(5, 1), (5, 0)} = (5, 0)  When possible, prefer to return untainted values 48 untainted tainted untainted

49 49 WebApp DB Interface Database Table IdStatus 19‘closed’ 27‘open’ 32‘pending’

50 50 WebApp DB Interface Database Table x = DB.get(id=27) IdStatus 19‘closed’ 27‘open’ 32‘pending’

51 51 WebApp DB Interface Database Table x = DB.get(id=27) IdStatus 19‘closed’ 27‘open’ 32‘pending’

52 52 WebApp DB Interface Database Table x = DB.get(id=27) IdStatus 19‘closed’ 27‘open’ 32‘pending’

53 53 WebApp DB Interface Database Table x = “open” IdStatus 19‘closed’ 27‘open’ 32‘pending’

54 54 WebApp DB Interface Database Table IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DBTaint

55 55 WebApp Database Table IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) x = DB.get(id=27) DB Interface DBTaint

56 56 WebApp Database Table Rewritten query IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DB Interface DBTaint

57 57 WebApp Database Table Result tuples IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DB Interface DBTaint

58 58 WebApp Database Table IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DB Interface DBTaint Collapse tuples and taint appropriately

59 59 WebApp Database Table x = “open” // x is tainted x = “open” // x is tainted IdStatus (19, 0)(‘closed’, 1) (27, 0)(‘open’, 1) (32, 0)(‘pending, 1) DB Interface DBTaint

60  Account for composite types in SQL queries  Collapse and taint result tuples as needed  These changes are: ◦ Transparent to web application ◦ High-level, portable 60 unchanged DB DB Interface DBTaint

61 61  Parameterized queries  Prepare: ◦ INSERT … (id, status) VALUES (?, ?) ◦ Execute ◦ (27, ‘open’)

62 62  Parameterized queries  Prepare: ◦ INSERT … (id, status) VALUES (?, ?) ◦ // with DBTaint: ◦ INSERT … (id, status) VALUES (ROW(?, ?), ROW(?, ?))

63 63  Parameterized queries  Prepare: ◦ INSERT … (id, status) VALUES (?, ?) ◦ // with DBTaint: ◦ INSERT … (id, status) VALUES (ROW(?, ?), ROW(?, ?)) ◦ Execute ◦ (27, ‘open’) // 27 is untainted, ‘open’ is tainted ◦ // with DBTaint: ◦ (27, 0, ‘open’, 1)

64  Prepare phase: ◦ Queries are passed with placeholders for data  Execute phase: ◦ Data values are passed separately, independently  Taint tracking engine requirement: ◦ Only need to track taint values per variable  We handle non-parameterized queries too ◦ See paper for details 64

65  Leverage existing single-application information flow tracking systems  No changes to Web application 65 DB Interface Web Application Single-application information flow DBTaint

66  Languages ◦ Perl ◦ Java  Database Interfaces ◦ Perl DataBase Interface (DBI) ◦ Java Database Connectivity (JDBC)  Database ◦ PostgreSQL 66

67  RT: Request Tracker (ticket tracking system) ◦ 60,000+ lines of Perl ◦ Perl DBI (DataBase Interface) API ◦ Perl taint mode  JForum (discussion board system) ◦ 30,000+ lines of Java ◦ Java Database Connectivity (JDBC) API ◦ Character-level taint engine [Chin, Wagner ’09] 67

68 68

69  Cross-application information flow tracking  Persistent taint tracking  Multiple Web applications, multiple Databases 69

70  End-to-end information flow through Web services  Compatible with existing Web services ◦ Requires no changes to Web applications  Taint propagation through database functions 70

Download ppt "Benjamin Davis Hao Chen University of California, Davis."

Similar presentations

PHP I.

PHP I.
Connecting to Databases. relational databases tables and relations accessed using SQL database -specific functionality –transaction processing commit.

Connecting to Databases. relational databases tables and relations accessed using SQL database -specific functionality –transaction processing commit.
The Relational Model and Relational Algebra Nothing is so practical as a good theory Kurt Lewin, 1945.

The Relational Model and Relational Algebra Nothing is so practical as a good theory Kurt Lewin, 1945.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Keys, Referential Integrity and PHP One to Many on the Web.

Keys, Referential Integrity and PHP One to Many on the Web.
CIT 613: Relational Database Development using SQL Introduction to SQL.

CIT 613: Relational Database Development using SQL Introduction to SQL.
Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 13 Introduction to SQL Programming Techniques.

Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 13 Introduction to SQL Programming Techniques.
15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.

15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.
SQL (Structured Query Language) X/OPEN Call Level Interface For SQL ODBC (Open DataBase Connectivity) API JDBC (Java DataBase Connectivity) API SQL (Structured.

SQL (Structured Query Language) X/OPEN Call Level Interface For SQL ODBC (Open DataBase Connectivity) API JDBC (Java DataBase Connectivity) API SQL (Structured.
DT228/3 Web Development Databases. Database Almost all web application on the net access a database e.g. shopping sites, message boards, search engines.

DT228/3 Web Development Databases. Database Almost all web application on the net access a database e.g. shopping sites, message boards, search engines.
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Scripting Languages CS 351 – Programming Paradigms.

Scripting Languages CS 351 – Programming Paradigms.
Database Systems More SQL Database Design -- More SQL1.

Database Systems More SQL Database Design -- More SQL1.
1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.

1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.
1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.

1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Web to Database Connectivity Tools Frank Cervone Assistant Director for Systems DePaul University Libraries Access ‘98 October 3, 1998.

Web to Database Connectivity Tools Frank Cervone Assistant Director for Systems DePaul University Libraries Access ‘98 October 3, 1998.
October 30, 2008 Extensible Workflow Management for Simmod ESUG32, Frankfurt, Oct 30, 2008 Alexander Scharnweber (DLR) October 30, 2008 Slide 1 > Extensible.

October 30, 2008 Extensible Workflow Management for Simmod ESUG32, Frankfurt, Oct 30, 2008 Alexander Scharnweber (DLR) October 30, 2008 Slide 1 > Extensible.
M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

M. Taimoor Khan * Java Server Pages (JSP) is a server-side programming technology that enables the creation of dynamic,

Similar presentations

Ads by Google