efficient character-level taint tracking for java
DESCRIPTION
Efficient Character-level Taint Tracking for Java. Erika Chin David Wagner UC Berkeley. Web Applications. 80% of all web applications are vulnerable to attack [1] Most are command injection attacks (mixed control and data channel): SQL injection XSS HTTP response splitting - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/1.jpg)
EFFICIENT CHARACTER-LEVEL TAINT TRACKING FOR JAVAErika ChinDavid WagnerUC Berkeley
![Page 2: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/2.jpg)
2
WEB APPLICATIONS 80% of all web applications are
vulnerable to attack [1] Most are command injection attacks
(mixed control and data channel):SQL injectionXSSHTTP response splittingPath traversalShell command injection
[1] J. Grossman. WhiteHat website security statistics report, Aug 2008.
![Page 3: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/3.jpg)
3
EXAMPLE – SQL INJECTIONQuery = “SELECT * FROM students WHERE name =
‘ ” + studentName + “ ’ ”;
What if: studentName = Bobby“SELECT * FROM students WHERE name = ‘Bobby’ ”
studentName = Bobby’; DROP TABLE students; --“SELECT * FROM students WHERE name = ‘Bobby’;
DROP TABLE students; --’ ”
Inspired by XKCD: http://xkcd.com/327/
![Page 4: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/4.jpg)
4
COMMAND INJECTION ATTACKS
Command Injection Attack Command ElementsSQL injection attack SQL keywords and operatorsXSS JavaScriptHTTP response splitting Newlines (CR, LF)Path traversal ‘/’ , “..”Shell command injection Shell keywords and operators,
meta-characters
![Page 5: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/5.jpg)
5
A NATURAL APPROACH – TAINT TRACKING AT THE CHARACTER LEVEL Others have argued that taint tracking
aids the detection of command injection attacksTaint tracking reveals what data gets
touched by user input Attacks are injected into web
applications in the form of strings, so we can limit the scope of tracking to strings
Character-level information narrows the focus to specific portions of the string
![Page 6: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/6.jpg)
6
OUR FOCUS We focus on taint tracking for Java web
applications Many commercial enterprises use Java
for their web services
![Page 7: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/7.jpg)
7
CHARACTER-LEVELTAINT TRACKING FOR JAVA1. Source Tainting: Augment the Java
Servlets implementation to mark user input as tainted (Tomcat 6)
2. Taint Propagation: Replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
3. Sink Checking: At each sink, use the taint information to detect attacks by checking that control data is not tainted
![Page 8: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/8.jpg)
8
We mark all information from the HTTP request as untrusted
http://www.youtube.com/results?search_query=rick+roll…GET /results?search_query=rick+roll&search_type=&aq…Host: www.youtube.com…Referrer: http://www.youtube.com/Cookie: use_hitbox=72c46ff6cddcb7c5585…
SOURCE TAINTING
Form ParametersProtocol
Path
HTTP Headers: Cookies,Session Id, etc.
![Page 9: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/9.jpg)
9
SOURCE TAINTING: AUGMENTED CLASSES Replace the Tomcat Servlet classes with
our own modified classesjavax.servlet.http.HttpServletRequestjavax.servlet.http.Cookiejavax.servlet.http.HttpSessionorg.apache.catalina.connector.CoyoteReade
r
![Page 10: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/10.jpg)
10
BASIC TAINT PROPAGATIONExample code snippet:
String city = request.GetParameter(“city”);
String punctuation = “, ”;String state = “CA”;
String temp = punctuation.concat(state);
String location = city.concat(temp);
![Page 11: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/11.jpg)
11
TAINT PROPAGATION:ORIGINAL STRING CLASScity
char[]
punctuation
state
temp = punctuation.concat(state)
city.concat(temp)
B e r k e l e y
,
C A
, C A
B e r k e l e y , C A
![Page 12: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/12.jpg)
12
TAINT PROPAGATION:MODIFIED STRING CLASScity char[]
boolean[]punctuation
state
temp = punctuation.concat(state)
city.concat(temp)
B e r k e l e y
,
C A
, C A
B e r k e l e y , C A
T T T T T T T T
F F
F F
F F F F
T T T T T T T T F F F F
![Page 13: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/13.jpg)
13
OPTIMIZED TAINT PROPAGATION To reduce the overhead of taint
tracking, only track taint when necessary
Only allocate boolean taint array once the String contains a tainted character
Reduces overhead by eliminating array copies for operations on fully untainted strings
![Page 14: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/14.jpg)
14
F F
F F
F F F F
OPTIMIZED TAINT PROPAGATIONcity
punctuation
state
temp = punctuation.concat(state)
city.concat(temp)
B e r k e l e y
,
C A
, C A
T T T T T T T T
null
null
null
B e r k e l e y , C AT T T T T T T T F F F F
![Page 15: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/15.jpg)
15
TAINT PROPAGATION:AUGMENTED CLASSES java.lang.String java.lang.StringBuffer java.lang.StringBuilder
![Page 16: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/16.jpg)
16
SINK CHECKING Sinks can use taint information to
detect commands in user-supplied dataSQL – instrument the JDBC to parse the
SQL queries and check for SQL keywords and operators that contain tainted characters
XSS – examine HTML for tainted JavaScript Details of how to do this are well-
documented in the previous literature and not the focus of this work [2]
[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL ’06.
![Page 17: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/17.jpg)
17
BENEFITS Provides a basis to protect from
command injection attacks Simple, easy to adopt and deploy
Server-side changeOne-time modificationNo change to web application byte codeNo need for web application source codeWorks immediately with Java legacy
applications Efficient
![Page 18: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/18.jpg)
18
BENEFITS CON’T Handles web applications that call
string methods reflectivelyJava reflection allows calls to methods
selected at runtimeOur approach can track the taint for
these reflected calls
![Page 19: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/19.jpg)
19
LIMITATIONS For backwards compatibility we do not
record taint status in the serialized form
May lose taint status via string operations with chars and char arraysCannot hold taint status in primitives
Does not defend against malicious web developers
![Page 20: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/20.jpg)
20
PERFORMANCE OVERHEAD: 0-15%
![Page 21: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/21.jpg)
21
CONTRIBUTIONS Efficient character-level taint tracking Runtime overhead <15% Works immediately for Java legacy
code Easy to adopt and deploy
![Page 22: Efficient Character-level Taint Tracking for Java](https://reader035.vdocuments.us/reader035/viewer/2022062306/56816762550346895ddc3c7e/html5/thumbnails/22.jpg)
22
Thank you!
Any questions?