1 / 18

Finding Security Vulnerabilities in Java Applications with Static Analysis

Reviewed by Roy Ford. Finding Security Vulnerabilities in Java Applications with Static Analysis. Me. Graduated University of Waterloo with a B Math in 1985 Worked 23 years with Procter & Gamble Telecom, Networking, Mainframe, App Development, ACF2, Voice and Video

emilia
Download Presentation

Finding Security Vulnerabilities in Java Applications with Static Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Reviewed by Roy Ford Finding Security Vulnerabilities in Java Applications with Static Analysis

  2. Me Graduated University of Waterloo with a BMath in 1985 Worked 23 years with Procter & Gamble Telecom, Networking, Mainframe, App Development, ACF2, Voice and Video Hope to graduate this year

  3. Static Analysis Scanning of Source code to identify potential security problems Like a spell checker, except we are looking for potential security weaknesses in code Focus of paper was the development of a Static Analysis tool that tested for Java Servlets with unchecked input

  4. Reason for doing Static Analysis A review of 250 Web Applications showed that 92% were vulnerable to a hacker attack 75% of all attacks target web based applications Firewalls lock out everything else but Port 80

  5. Methods of Injecting Malicious Data Parameter tampering in a HTML Form URL Manipulation Hidden Field manipulation HTTP Header tampering Referrer field Cookie poisoning

  6. And what you can do when you inject malicious data SQL Injection Cross-site scripting HTTP Response splitting Forcing the server to send back 2 responses to one Get or Put Path Traversal Controlling files outside of the normal path Command Injection

  7. Static Analysis Architecture Source Parse Source Analyze Parse Tables Report Results Security Rules • Static Analysis Tool usually works with source code • The Source code is parsed like a compiler • Rules are then applied to the parse tree to validate • Results are reported back to the user

  8. Papers Static Analysis Architecture Pointer Analysis Java Byte Codes bddbddb Analyzer Datalog Queries PQL Eclipse UI • System reads in Java Byte Codes • Pointer Analysis is done on Byte Codes • PQL rules are converted to Datalog queries and fed into a bddbddb Analyzer • bddbddb generates warnings and feed the results into Eclipse for reporting

  9. Pointer Analysis Focus of the tool is track any tainted object propagation through the system A tainted source is anything that the user can modify Input forms, URL’s, Cookies A sink is a place were tainted source can cause a bad result SQL statements, command shells A derivation is modification to the source Usually a String method The information takes a path through the system, from source, through derivations to a sink

  10. Descriptors Source & Sink Descriptor (Method, parameter #, path)‏ Derivation Descriptor (Method, source parameter #, source path, dest parameter #, dest path)‏ Parameter number of -1 implies a return result from a method

  11. Pointer Analysis (From the Paper)‏ Source Descriptor (HttpServletRequest.getParameter(String),−1, e)‏ Sink Descriptor (Connection.executeQuery(String), 1, e)‏ Derivation Descriptor (StringBuffer.append(String), 1, e ,−1, e)‏

  12. Program Query language (PQL)‏ A language that allows the user to specify the source, sink and path of a potential security violation PQL rules work like Regular Expressions, if they match a potential security violation has been identified

  13. PQL Example (From the paper)‏ query main()‏ returns object Object sourceObj, sinkObj; matches { sourceObj := source(); sinkObj := derived*(sourceObj); sinkObj := sink(); } derived*(object Object x)‏ returns object Object y; uses object Object temp; matches { y := x | temp := derived(x); y := derived*(temp); }

  14. PQL Example (From the Paper)‏ query source()‏ returns object Object sourceObj; uses object String[] sourceArray; object HttpServletRequest req; matches { sourceObj = req.getParameter(_)‏ | sourceObj = req.getHeader(_)‏ | sourceArray = req.getParameterValues(_); sourceObj = sourceArray[] | ... } query sink()‏ returns object Object sinkObj; uses object java.sql.Statement stmt; object java.sql.Connection con; matches { stmt.executeQuery(sinkObj)‏ | stmt.execute(sinkObj)‏ | con.prepareStatement(sinkObj)‏ | ... }

  15. PQL Example (From the paper)‏ query derived(object Object x)‏ returns object Object y; matches { y.append(x)‏ | y = _.append(x)‏ | y = new String(x)‏ | y = new StringBuffer(x)‏ | y = x.toString()‏ | y = x.substring(_ ,_)‏ | y = x.toString(_)‏ | ... }

  16. Test Results Tool tested on 9 open source Java systems Total of 392 sources and 393 sinks 41 potential security violations 12 false positives 29 security errors

  17. Questions What problem does this work attempt to solve What are the most important novel contributions Are the conclusions supported What other explanation exists What modification would improve the research Is the analysis sound

  18. Useful Links Benjamin Livshits old Stanford Website http://suif.stanford.edu/~livshits/ Benjamin Livshits Paper Presentation http://research.microsoft.com/~livshits/papers/ppt/ssec05.ppt#1 Technical Report http://suif.stanford.edu/~livshits/papers/tr/webappsec_tr.pdf SecuriBench Benchmark Test Samples http://suif.stanford.edu/~livshits/securibench/intro.html Bddbddb http://bddbddb.sourceforge.net/index.html

More Related