Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.

1 Finding Security Vulnerabilities in Java Applications with Static Analysis
- Reviewed by Roy Ford

2 Me
- Graduated from the University of Waterloo with a B.Math in 1985
- Worked 23 years with Procter & Gamble
  - Telecom, Networking, Mainframe, App Development, ACF2, Voice and Video
- Hope to graduate this year

3 Static Analysis
- Scanning of source code to identify potential security problems
- Like a spell checker, except we are looking for potential security weaknesses in code
- Focus of the paper was the development of a static analysis tool that tests Java servlets for unchecked input

4 Reason for doing Static Analysis
- A review of 250 web applications showed that 92% were vulnerable to a hacker attack
- 75% of all attacks target web based applications
  - Firewalls lock out everything else but port 80

5 Methods of Injecting Malicious Data
- Parameter tampering
  - in an HTML form
- URL manipulation
- Hidden field manipulation
- HTTP header tampering
  - Referrer field
- Cookie poisoning

6 And what you can do when you inject malicious data
- SQL injection
- Cross-site scripting
- HTTP response splitting
  - Forcing the server to send back 2 responses to one Get or Put
- Path traversal
  - Controlling files outside of the normal path
- Command injection

7 Static Analysis Architecture
[Diagram: Source -> Parse Source -> Analyze Parse Tables -> Report Results, with Security Rules feeding the analysis step]
- A static analysis tool usually works with source code
- The source code is parsed like a compiler would
- Rules are then applied to the parse tree to validate it
- Results are reported back to the user

8 Paper's Static Analysis Architecture
[Diagram: Java Byte Codes -> Pointer Analysis; PQL -> Datalog Queries -> bddbddb Analyzer -> Eclipse UI]
- System reads in Java byte codes
- Pointer analysis is done on the byte codes
- PQL rules are converted to Datalog queries and fed into the bddbddb analyzer
- bddbddb generates warnings and feeds the results into Eclipse for reporting

9 Pointer Analysis
- Focus of the tool is to track any tainted object's propagation through the system
- A tainted source is anything that the user can modify
  - Input forms, URLs, cookies
- A sink is a place where a tainted source can cause a bad result
  - SQL statements, command shells
- A derivation is a modification to the source
  - Usually a String method
- The information takes a path through the system, from a source, through derivations, to a sink

10 Descriptors
- Source & sink descriptor
  - (Method, parameter #, path)
- Derivation descriptor
  - (Method, source parameter #, source path, dest parameter #, dest path)
- A parameter number of -1 implies the return result of a method

11 Pointer Analysis (From the Paper)
- Source descriptor
  - (HttpServletRequest.getParameter(String), -1, e)
- Sink descriptor
  - (Connection.executeQuery(String), 1, e)
- Derivation descriptor
  - (StringBuffer.append(String), 1, e, -1, e)

12 Program Query Language (PQL)
- A language that allows the user to specify the source, sink and path of a potential security violation
- PQL rules work like regular expressions: if they match, a potential security violation has been identified

13 PQL Example (From the Paper)

    query main()
    returns object Object sourceObj, sinkObj;
    matches {
        sourceObj := source();
        sinkObj := derived*(sourceObj);
        sinkObj := sink();
    }

    query derived*(object Object x)
    returns object Object y;
    uses object Object temp;
    matches {
        y := x
        | temp := derived(x); y := derived*(temp);
    }

14 PQL Example (From the Paper)

    query source()
    returns object Object sourceObj;
    uses object String[] sourceArray;
         object HttpServletRequest req;
    matches {
        sourceObj = req.getParameter(_)
        | sourceObj = req.getHeader(_)
        | sourceArray = req.getParameterValues(_); sourceObj = sourceArray[]
        | ...
    }

    query sink()
    returns object Object sinkObj;
    uses object java.sql.Statement stmt;
         object java.sql.Connection con;
    matches {
        stmt.executeQuery(sinkObj)
        | stmt.execute(sinkObj)
        | con.prepareStatement(sinkObj)
        | ...
    }

15 PQL Example (From the Paper)

    query derived(object Object x)
    returns object Object y;
    matches {
        y.append(x)
        | y = _.append(x)
        | y = new String(x)
        | y = new StringBuffer(x)
        | y = x.toString()
        | y = x.substring(_,_)
        | y = x.toString(_)
        | ...
    }
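To show how the descriptors of slides 9 to 11 and the source/derived*/sink structure of the PQL queries on slides 13 to 15 fit together, here is an added toy taint tracker (not the paper's tool, which runs on byte code with bddbddb). It walks a constructed linear trace of method calls, propagates taint along derivation descriptors, and reports every source-to-sink path; the descriptor tables, the Call record and the traces are this example's own simplifications.

```python
from dataclasses import dataclass
from typing import List, Optional

# Descriptors as on the slides: (method, parameter #). -1 is the return value,
# 0 the receiver, 1..n the arguments; the access path is always "e" (the object
# itself) on the slides, so it is omitted here.
SOURCES = [("HttpServletRequest.getParameter", -1)]
SINKS = [("Statement.executeQuery", 1), ("Connection.prepareStatement", 1)]
DERIVATIONS = [                        # (method, from param #, to param #)
    ("StringBuffer.append", 1, -1),    # append(String) returns the buffer...
    ("StringBuffer.append", 1, 0),     # ...and taints the receiver (y.append(x))
    ("StringBuffer.toString", 0, -1),
]

@dataclass
class Call:                            # one call in a linear trace; variable names only
    method: str
    receiver: Optional[str]
    args: List[str]
    result: Optional[str]

    def var(self, param: int) -> Optional[str]:
        if param < 1:
            return self.result if param == -1 else self.receiver
        return self.args[param - 1] if param - 1 < len(self.args) else None

def analyze(trace: List[Call]) -> List[List[str]]:
    """One source-to-sink path per tainted variable reaching a sink. Propagating
    taint call by call computes derived*, the closure the PQL main() query uses."""
    tainted = {}                       # variable name -> steps that tainted it
    findings = []
    for c in trace:
        for method, p in SOURCES:
            if c.method == method and c.var(p):
                tainted[c.var(p)] = [f"{method} -> {c.var(p)}"]
        for method, src, dst in DERIVATIONS:
            s, d = c.var(src), c.var(dst)
            if c.method == method and s in tainted and d:
                tainted[d] = tainted[s] + [f"{method}: {s} -> {d}"]
        for method, p in SINKS:
            if c.method == method and c.var(p) in tainted:
                findings.append(tainted[c.var(p)] + [f"SINK {method}({c.var(p)})"])
    return findings

# Constructed traces: VULNERABLE is slide 11's getParameter -> append -> executeQuery
# chain; SAFE binds the parameter with PreparedStatement.setString instead.
VULNERABLE = [Call("HttpServletRequest.getParameter", "req", ["lit"], "name"),
              Call("StringBuffer.append", "sb", ["name"], None),
              Call("StringBuffer.toString", "sb", [], "q"),
              Call("Statement.executeQuery", "stmt", ["q"], "rs")]
SAFE = [Call("HttpServletRequest.getParameter", "req", ["lit"], "name"),
        Call("Connection.prepareStatement", "con", ["const_sql"], "ps"),
        Call("PreparedStatement.setString", "ps", ["lit", "name"], None)]
```

Calling analyze(VULNERABLE) returns the single four-step path from getParameter to executeQuery, while analyze(SAFE) returns nothing because the only sink argument, the constant SQL string, is never tainted.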

16 Test Results
- Tool tested on 9 open source Java systems
- Total of 392 sources and 393 sinks
- 41 potential security violations
  - 12 false positives
  - 29 security errors

17 Questions
- What problem does this work attempt to solve?
- What are the most important novel contributions?
- Are the conclusions supported?
- What other explanation exists?
- What modification would improve the research?
- Is the analysis sound?

18 Useful Links
- Benjamin Livshits' old Stanford website
  - http://suif.stanford.edu/~livshits/
- Benjamin Livshits' paper presentation
  - http://research.microsoft.com/~livshits/papers/ppt/ssec05.ppt#1
- Technical report
  - http://suif.stanford.edu/~livshits/papers/tr/webappsec_tr.pdf
- SecuriBench benchmark test samples
  - http://suif.stanford.edu/~livshits/securibench/intro.html
- bddbddb
  - http://bddbddb.sourceforge.net/index.html
