Efficient Character-level Taint Tracking for Java. Erika Chin, David Wagner, UC Berkeley.

Presentation transcript:

1 Efficient Character-level Taint Tracking for Java
Erika Chin, David Wagner, UC Berkeley

2 Web Applications
80% of all web applications are vulnerable to attack [1]
Most are command injection attacks (mixed control and data channel):
- SQL injection
- XSS
- HTTP response splitting
- Path traversal
- Shell command injection
[1] J. Grossman. WhiteHat website security statistics report, Aug 2008.

3 Example: SQL Injection
Query = "SELECT * FROM students WHERE name = '" + studentName + "'";
What if:
  studentName = Bobby
  -> "SELECT * FROM students WHERE name = 'Bobby'"
  studentName = Bobby'; DROP TABLE students; --
  -> "SELECT * FROM students WHERE name = 'Bobby'; DROP TABLE students; --'"
Inspired by XKCD: http://xkcd.com/327/

4 Command Injection Attacks
Command injection attack   | Command elements
---------------------------|-----------------------------------------------------
SQL injection attack       | SQL keywords and operators
XSS                        | JavaScript
HTTP response splitting    | Newlines (CR, LF)
Path traversal             | '/', ".."
Shell command injection    | Shell keywords and operators, meta-characters

5 A Natural Approach: Taint Tracking at the Character Level
- Others have argued that taint tracking aids the detection of command injection attacks
- Taint tracking reveals what data gets touched by user input
- Attacks are injected into web applications in the form of strings, so we can limit the scope of tracking to strings
- Character-level information narrows the focus to specific portions of the string

6 Our Focus
- We focus on taint tracking for Java web applications
- Many commercial enterprises use Java for their web services

7 Character-level Taint Tracking for Java
1. Source tainting: augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
2. Taint propagation: replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
3. Sink checking: at each sink, use the taint information to detect attacks by checking that control data is not tainted

8 Source Tainting
We mark all information from the HTTP request as untrusted:
- Form parameters
- Protocol
- Path
- HTTP headers: cookies, session id, etc.
Example: http://www.youtube.com/results?search_query=rick+roll…
  GET /results?search_query=rick+roll&search_type=&aq…
  Host: www.youtube.com
  …
  Referer: http://www.youtube.com/
  Cookie: use_hitbox=72c46ff6cddcb7c5585…

9 Source Tainting: Augmented Classes
Replace the Tomcat Servlet classes with our own modified classes:
- javax.servlet.http.HttpServletRequest
- javax.servlet.http.Cookie
- javax.servlet.http.HttpSession
- org.apache.catalina.connector.CoyoteReader

10 Basic Taint Propagation
Example code snippet:

```java
// city comes from the HTTP request, so it is tainted at the source
String city = request.getParameter("city");
String punctuation = ", ";
String state = "CA";
String temp = punctuation.concat(state);   // ", CA", fully untainted
String location = city.concat(temp);       // tainted prefix, untainted suffix
```

11 Taint Propagation: Original String Class
[Diagram: each String holds only a char[]]
city = "Berkeley"
punctuation = ", "
state = "CA"
temp = punctuation.concat(state) = ", CA"
city.concat(temp) = "Berkeley, CA"

12 Taint Propagation: Modified String Class
[Diagram: each String holds a char[] plus a parallel boolean[] taint array; T = tainted, F = untainted]
city = "Berkeley"                            taint: TTTTTTTT
punctuation = ", "                           taint: FF
state = "CA"                                 taint: FF
temp = punctuation.concat(state) = ", CA"    taint: FFFF
city.concat(temp) = "Berkeley, CA"           taint: TTTTTTTTFFFF

13 Optimized Taint Propagation
- To reduce the overhead of taint tracking, only track taint when necessary
- Only allocate the boolean taint array once the String contains a tainted character
- Reduces overhead by eliminating array copies for operations on fully untainted strings

14 Optimized Taint Propagation
[Diagram: as on slide 12, but the boolean[] of a fully untainted String is null instead of all F]
city = "Berkeley"                            taint: TTTTTTTT
punctuation = ", "                           taint: null
state = "CA"                                 taint: null
temp = punctuation.concat(state) = ", CA"    taint: null
city.concat(temp) = "Berkeley, CA"           taint: TTTTTTTTFFFF

15 Taint Propagation: Augmented Classes
- java.lang.String
- java.lang.StringBuffer
- java.lang.StringBuilder

16 Sink Checking
Sinks can use taint information to detect commands in user-supplied data:
- SQL: instrument the JDBC driver to parse the SQL queries and check for SQL keywords and operators that contain tainted characters
- XSS: examine HTML for tainted JavaScript
Details of how to do this are well documented in the previous literature and not the focus of this work [2]
[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL '06.
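The three steps of slide 7, the lazy taint array of slides 13 and 14, and the SQL sink check of slide 16, modelled end to end. This is an added example, not the authors' modified Tomcat or IBM JDK classes: a Python `TaintedStr` class stands in for the augmented `java.lang.String`, a `from_request` constructor stands in for the patched `HttpServletRequest`, and `find_injection` is a toy SQL lexer rather than an instrumented JDBC driver. The inputs are the two `studentName` values from slide 3.

```python
"""Character-level taint tracking, modelled in Python (added example).

Assumptions: TaintedStr replaces java.lang.String; from_request() replaces
the source-tainting done in HttpServletRequest; find_injection() is a toy
SQL tokenizer standing in for an instrumented JDBC driver.
"""
import re
from typing import List, Optional


class TaintedStr:
    """Immutable string plus one taint bit per character.

    As in the optimized design (slides 13/14), `taint` stays None until the
    string actually contains a tainted character, so operations on fully
    untainted strings never allocate or copy a boolean array.
    """
    __slots__ = ("chars", "taint")

    def __init__(self, chars: str, taint: Optional[List[bool]] = None):
        if taint is not None and not any(taint):
            taint = None                      # all-False array: drop it
        assert taint is None or len(taint) == len(chars)
        self.chars = chars
        self.taint = taint

    @classmethod
    def from_request(cls, s: str) -> "TaintedStr":
        """Source tainting: everything from the HTTP request is untrusted."""
        return cls(s, [True] * len(s))

    def is_tainted(self, i: int) -> bool:
        return self.taint is not None and self.taint[i]

    def concat(self, other: "TaintedStr") -> "TaintedStr":
        chars = self.chars + other.chars
        if self.taint is None and other.taint is None:
            return TaintedStr(chars)          # fast path: no array work at all
        left = self.taint if self.taint is not None else [False] * len(self.chars)
        right = other.taint if other.taint is not None else [False] * len(other.chars)
        return TaintedStr(chars, left + right)

    def substring(self, start: int, end: Optional[int] = None) -> "TaintedStr":
        """Taint travels with the characters, as in the augmented String."""
        end = len(self.chars) if end is None else end
        taint = None if self.taint is None else self.taint[start:end]
        return TaintedStr(self.chars[start:end], taint)

    def char_at(self, i: int) -> str:
        """A bare character carries no taint: the precision loss slide 19 lists."""
        return self.chars[i]

    def taint_mask(self) -> str:
        """'T'/'F' per character, the notation used on slides 12 and 14."""
        return "".join("T" if self.is_tainted(i) else "F" for i in range(len(self.chars)))


def build_query(student_name: TaintedStr) -> TaintedStr:
    """The vulnerable application code of slide 3, unchanged: plain
    concatenation.  Taint tracking needs no edit to this code."""
    prefix = TaintedStr("SELECT * FROM students WHERE name = '")
    return prefix.concat(student_name).concat(TaintedStr("'"))


# --- sink checking (toy stand-in for an instrumented JDBC driver) -----------
# Tokens: string literal, word, comment marker, single non-space character.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|--|\S")
_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "DROP",
             "TABLE", "INSERT", "UPDATE", "DELETE"}


def find_injection(query: TaintedStr) -> List[str]:
    """Return the control tokens that contain at least one tainted character.

    Control = SQL keywords, operators/punctuation, and the quote delimiters
    of string literals.  The contents of a literal are data and may be
    tainted; a tainted quote delimiter means the user broke out of the
    literal.  Bare identifiers count as data in this toy checker.
    """
    hits = []
    for m in _TOKEN.finditer(query.chars):
        tok, start, end = m.group(0), m.start(), m.end()
        if len(tok) >= 2 and tok[0] == "'" and tok[-1] == "'":
            positions = [start, end - 1]              # only the delimiters
        elif tok.upper() in _KEYWORDS or not re.fullmatch(r"\w+", tok):
            positions = range(start, end)
        else:
            continue
        if any(query.is_tainted(i) for i in positions):
            hits.append(tok)
    return hits


if __name__ == "__main__":
    # Constructed inputs: the two studentName values from slide 3.
    for name in ("Bobby", "Bobby'; DROP TABLE students; --"):
        q = build_query(TaintedStr.from_request(name))
        print(q.chars)
        print(q.taint_mask())
        print("tainted control tokens:", find_injection(q) or "none")
```

For the benign name every tainted character sits inside the string literal, so no control token is flagged; for the attack string the user's closing quote, both `;`, `DROP`, `TABLE` and `--` are all tainted control tokens. Note that `concat` of two untainted strings returns a `TaintedStr` with `taint is None`, which is exactly the array-copy saving slide 13 describes.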

17 Benefits
- Provides a basis to protect from command injection attacks
- Simple, easy to adopt and deploy:
  - Server-side change
  - One-time modification
  - No change to web application byte code
  - No need for web application source code
- Works immediately with Java legacy applications
- Efficient

18 Benefits (cont'd)
- Handles web applications that call string methods reflectively
- Java reflection allows calls to methods selected at runtime
- Our approach can track the taint for these reflected calls

19 Limitations
- For backwards compatibility we do not record taint status in the serialized form
- May lose taint status via string operations with chars and char arrays
- Cannot hold taint status in primitives
- Does not defend against malicious web developers

20 Performance Overhead: 0-15%

21 Contributions
- Efficient character-level taint tracking
- Runtime overhead <15%
- Works immediately for Java legacy code
- Easy to adopt and deploy

22 Thank you! Any questions?

