180 likes | 361 Views
Reviewed by Roy Ford. Finding Security Vulnerabilities in Java Applications with Static Analysis. Me. Graduated University of Waterloo with a B Math in 1985 Worked 23 years with Procter & Gamble Telecom, Networking, Mainframe, App Development, ACF2, Voice and Video
E N D
Reviewed by Roy Ford Finding Security Vulnerabilities in Java Applications with Static Analysis
Me Graduated University of Waterloo with a BMath in 1985 Worked 23 years with Procter & Gamble Telecom, Networking, Mainframe, App Development, ACF2, Voice and Video Hope to graduate this year
Static Analysis Scanning of Source code to identify potential security problems Like a spell checker, except we are looking for potential security weaknesses in code Focus of paper was the development of a Static Analysis tool that tested for Java Servlets with unchecked input
Reason for doing Static Analysis A review of 250 Web Applications showed that 92% were vulnerable to a hacker attack 75% of all attacks target web based applications Firewalls lock out everything else but Port 80
Methods of Injecting Malicious Data Parameter tampering in a HTML Form URL Manipulation Hidden Field manipulation HTTP Header tampering Referrer field Cookie poisoning
And what you can do when you inject malicious data SQL Injection Cross-site scripting HTTP Response splitting Forcing the server to send back 2 responses to one Get or Put Path Traversal Controlling files outside of the normal path Command Injection
Static Analysis Architecture Source Parse Source Analyze Parse Tables Report Results Security Rules • Static Analysis Tool usually works with source code • The Source code is parsed like a compiler • Rules are then applied to the parse tree to validate • Results are reported back to the user
Papers Static Analysis Architecture Pointer Analysis Java Byte Codes bddbddb Analyzer Datalog Queries PQL Eclipse UI • System reads in Java Byte Codes • Pointer Analysis is done on Byte Codes • PQL rules are converted to Datalog queries and fed into a bddbddb Analyzer • bddbddb generates warnings and feed the results into Eclipse for reporting
Pointer Analysis Focus of the tool is track any tainted object propagation through the system A tainted source is anything that the user can modify Input forms, URL’s, Cookies A sink is a place were tainted source can cause a bad result SQL statements, command shells A derivation is modification to the source Usually a String method The information takes a path through the system, from source, through derivations to a sink
Descriptors Source & Sink Descriptor (Method, parameter #, path) Derivation Descriptor (Method, source parameter #, source path, dest parameter #, dest path) Parameter number of -1 implies a return result from a method
Pointer Analysis (From the Paper) Source Descriptor (HttpServletRequest.getParameter(String),−1, e) Sink Descriptor (Connection.executeQuery(String), 1, e) Derivation Descriptor (StringBuffer.append(String), 1, e ,−1, e)
Program Query language (PQL) A language that allows the user to specify the source, sink and path of a potential security violation PQL rules work like Regular Expressions, if they match a potential security violation has been identified
PQL Example (From the paper) query main() returns object Object sourceObj, sinkObj; matches { sourceObj := source(); sinkObj := derived*(sourceObj); sinkObj := sink(); } derived*(object Object x) returns object Object y; uses object Object temp; matches { y := x | temp := derived(x); y := derived*(temp); }
PQL Example (From the Paper) query source() returns object Object sourceObj; uses object String[] sourceArray; object HttpServletRequest req; matches { sourceObj = req.getParameter(_) | sourceObj = req.getHeader(_) | sourceArray = req.getParameterValues(_); sourceObj = sourceArray[] | ... } query sink() returns object Object sinkObj; uses object java.sql.Statement stmt; object java.sql.Connection con; matches { stmt.executeQuery(sinkObj) | stmt.execute(sinkObj) | con.prepareStatement(sinkObj) | ... }
PQL Example (From the paper) query derived(object Object x) returns object Object y; matches { y.append(x) | y = _.append(x) | y = new String(x) | y = new StringBuffer(x) | y = x.toString() | y = x.substring(_ ,_) | y = x.toString(_) | ... }
Test Results Tool tested on 9 open source Java systems Total of 392 sources and 393 sinks 41 potential security violations 12 false positives 29 security errors
Questions What problem does this work attempt to solve What are the most important novel contributions Are the conclusions supported What other explanation exists What modification would improve the research Is the analysis sound
Useful Links Benjamin Livshits old Stanford Website http://suif.stanford.edu/~livshits/ Benjamin Livshits Paper Presentation http://research.microsoft.com/~livshits/papers/ppt/ssec05.ppt#1 Technical Report http://suif.stanford.edu/~livshits/papers/tr/webappsec_tr.pdf SecuriBench Benchmark Test Samples http://suif.stanford.edu/~livshits/securibench/intro.html Bddbddb http://bddbddb.sourceforge.net/index.html