Efficient Character-level Taint Tracking for Java Erika Chin David Wagner UC Berkeley
Web Applications
• 80% of all web applications are vulnerable to attack [1]
• Most are command injection attacks (mixed control and data channel):
  • SQL injection
  • XSS
  • HTTP response splitting
  • Path traversal
  • Shell command injection
[1] J. Grossman. WhiteHat website security statistics report, Aug 2008.
Example – SQL injection
String query = "SELECT * FROM students WHERE name = '" + studentName + "'";
What if:
• studentName = Bobby
  "SELECT * FROM students WHERE name = 'Bobby'"
• studentName = Bobby'; DROP TABLE students; --
  "SELECT * FROM students WHERE name = 'Bobby'; DROP TABLE students; --'"
The user-supplied quote closes the string literal, so the rest of the input is parsed as SQL control data.
Inspired by XKCD: http://xkcd.com/327/
A Natural Approach – Taint Tracking at the Character Level
• Others have argued that taint tracking aids the detection of command injection attacks
• Taint tracking reveals what data gets touched by user input
• Attacks are injected into web applications in the form of strings, so we can limit the scope of tracking to strings
• Character-level information narrows the focus to specific portions of the string
Our Focus
• We focus on taint tracking for Java web applications
• Many commercial enterprises use Java for their web services
Character-level Taint Tracking for Java
• Source Tainting: augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
• Taint Propagation: replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
• Sink Checking: at each sink, use the taint information to detect attacks by checking that control data is not tainted
Source Tainting
• We mark all information from the HTTP request as untrusted: the path, the form parameters, the protocol, and the HTTP headers (cookies, session id, etc.)
Example request (annotated on the slide):
http://www.youtube.com/results?search_query=rick+roll…
GET /results?search_query=rick+roll&search_type=&aq…
Host: www.youtube.com
…
Referer: http://www.youtube.com/
Cookie: use_hitbox=72c46ff6cddcb7c5585…
Source Tainting: Augmented Classes
• Replace the Tomcat Servlet classes with our own modified classes:
  • javax.servlet.http.HttpServletRequest
  • javax.servlet.http.Cookie
  • javax.servlet.http.HttpSession
  • org.apache.catalina.connector.CoyoteReader
Basic Taint Propagation
Example code snippet:
String city = request.getParameter("city");
String punctuation = ", ";
String state = "CA";
String temp = punctuation.concat(state);
String location = city.concat(temp);
Taint Propagation: Original String Class
[Figure: city, punctuation and state each hold only a char[]; temp = punctuation.concat(state) and city.concat(temp) copy characters, so nothing records which characters of the result came from the request.]
Taint Propagation: Modified String Class
[Figure: each String now holds a char[] and a parallel boolean[] taint array, one flag per character; temp = punctuation.concat(state) and city.concat(temp) copy both arrays, so the characters that came from city remain marked tainted in the result.]
Optimized Taint Propagation
• To reduce the overhead of taint tracking, only track taint when necessary
• Only allocate the boolean taint array once the String contains a tainted character
• Reduces overhead by eliminating array copies for operations on fully untainted strings
Optimized Taint Propagation
[Figure: punctuation and state have a null taint array; temp = punctuation.concat(state) also gets null, since neither operand is tainted; only city.concat(temp) allocates a boolean[] because city carries taint.]
Taint Propagation: Augmented Classes
• java.lang.String
• java.lang.StringBuffer
• java.lang.StringBuilder
Sink Checking
• Sinks can use taint information to detect commands in user-supplied data
• SQL – instrument the JDBC layer to parse each SQL query and check that no SQL keyword or operator contains a tainted character
• XSS – examine the HTML output for tainted JavaScript
• Details of how to do this are well documented in the previous literature and are not the focus of this work [2]
[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL '06.
Benefits
• Provides a basis to protect from command injection attacks
• Simple, easy to adopt and deploy:
  • Server-side change
  • One-time modification
  • No change to web application byte code
  • No need for web application source code
  • Works immediately with Java legacy applications
• Efficient
Benefits (cont'd)
• Handles web applications that call string methods reflectively
  • Java reflection allows calls to methods selected at runtime
  • Our approach can track the taint for these reflected calls, because the augmented classes replace java.lang.String itself, so a reflected call resolves to the augmented method
Limitations
• For backwards compatibility we do not record taint status in the serialized form
• May lose taint status via string operations with chars and char arrays
• Cannot hold taint status in primitives
• Does not defend against malicious web developers
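The mechanism of the "Taint Propagation" and "Optimized Taint Propagation" slides, the SQL check of the "Sink Checking" slide, and the char[] limitation listed above, as one added example written for this page. It is not the authors' Tomcat/JDK modification: their patch puts the taint array inside java.lang.String and the check inside the JDBC layer, whereas here `TString`, `SqlSink`, `TaintDemo`, the sample queries and the "tainted characters only inside a string literal body or a numeric literal" rule are all assumptions made for illustration.

```java
import java.util.Arrays;

// Model of the augmented String (assumed names, not the authors' JDK patch): a char[]
// plus a boolean[] taint array that is allocated only once a tainted character exists.
final class TString {
    private final char[] value;
    private final boolean[] taint;                 // null means "no tainted characters"
    private TString(char[] value, boolean[] taint) { this.value = value; this.taint = taint; }
    // Source tainting: what the augmented getParameter()/getHeader() would return.
    static TString tainted(String s) {
        if (s.isEmpty()) return new TString(new char[0], null);
        boolean[] t = new boolean[s.length()];
        Arrays.fill(t, true);
        return new TString(s.toCharArray(), t);
    }
    // A literal from the servlet's own source: trusted, so no taint array at all.
    static TString trusted(String s) { return new TString(s.toCharArray(), null); }
    int length()             { return value.length; }
    boolean hasTaint()       { return taint != null; }
    boolean isTainted(int i) { return taint != null && taint[i]; }
    char charAt(int i)       { return value[i]; }  // a primitive char carries no taint
    // concat: when neither operand has a taint array, only the characters are copied.
    TString concat(TString o) {
        char[] v = Arrays.copyOf(value, value.length + o.value.length);
        System.arraycopy(o.value, 0, v, value.length, o.value.length);
        if (taint == null && o.taint == null) return new TString(v, null);
        boolean[] t = new boolean[v.length];       // all false until copied into
        if (taint != null)   System.arraycopy(taint, 0, t, 0, taint.length);
        if (o.taint != null) System.arraycopy(o.taint, 0, t, value.length, o.taint.length);
        return new TString(v, t);
    }
    // Limitation: a char[] carries no taint, so a round trip through one launders the string.
    char[] toCharArray()               { return value.clone(); }
    static TString fromChars(char[] c) { return new TString(c.clone(), null); }
    @Override public String toString() { return new String(value); }
}

// Sink check (assumed here, not the authors' JDBC instrumentation): tainted characters
// may appear only inside the body of a string literal or as a numeric literal; a tainted
// quote delimiter, keyword, identifier, operator, space or comment character is an attack.
final class SqlSink {
    static boolean isInjection(TString q) {
        int n = q.length(), i = 0;
        while (i < n) {
            char c = q.charAt(i);
            if (c == '\'') {                                   // string literal
                if (q.isTainted(i)) return true;               // user supplied the opening quote
                i++;
                while (i < n) {
                    if (q.charAt(i) != '\'') { i++; continue; }
                    if (i + 1 < n && q.charAt(i + 1) == '\'') { i += 2; continue; }  // '' escape
                    break;
                }
                if (i >= n) break;                             // unterminated: leave it to the DB
                if (q.isTainted(i)) return true;               // user supplied the closing quote
                i++;
            } else if (Character.isDigit(c)) {                 // numeric literal: user data allowed
                while (i < n && (Character.isDigit(q.charAt(i)) || q.charAt(i) == '.')) i++;
            } else if (Character.isLetter(c) || c == '_') {    // keyword or identifier
                while (i < n && (Character.isLetterOrDigit(q.charAt(i)) || q.charAt(i) == '_'))
                    if (q.isTainted(i++)) return true;
            } else {                                           // operator, punctuation, whitespace
                if (q.isTainted(i)) return true;
                i++;
            }
        }
        return false;
    }
}

public class TaintDemo {
    public static void main(String[] args) {
        // The propagation example from the slides: only city carries a taint array.
        TString city = TString.tainted("Berkeley");                       // request.getParameter("city")
        TString temp = TString.trusted(", ").concat(TString.trusted("CA"));
        TString location = city.concat(temp);
        System.out.println(location + "  temp tainted=" + temp.hasTaint()
                + "  location[0]=" + location.isTainted(0) + "  location[8]=" + location.isTainted(8));
        TString prefix = TString.trusted("SELECT * FROM students WHERE name = '");
        TString close  = TString.trusted("'");
        for (String input : new String[]{"Bobby", "O''Brien", "Bobby'; DROP TABLE students; --"})
            report(prefix.concat(TString.tainted(input)).concat(close));
        // Numeric context: "42" is a literal, "5 OR 1=1" spills tainted characters into control data.
        TString byId = TString.trusted("SELECT * FROM students WHERE id = ");
        report(byId.concat(TString.tainted("42")));
        report(byId.concat(TString.tainted("5 OR 1=1")));
        // Laundering through char[]: the taint is gone, so the sink no longer sees the attack.
        char[] raw = TString.tainted("x' OR 1=1 --").toCharArray();
        report(prefix.concat(TString.fromChars(raw)).concat(close));
    }
    static void report(TString query) {
        System.out.println(query + "  tainted=" + query.hasTaint() + "  injection=" + SqlSink.isInjection(query));
    }
}
```

Compile and run with `javac TaintDemo.java && java TaintDemo`. In the first block, temp never allocates a taint array (both operands are trusted literals), while location keeps the array inherited from city with flags set only on the first eight characters. At the sink, the `Bobby` query is clean, `O''Brien` stays clean because the doubled quote is consumed as an escape inside the literal body, and the `DROP TABLE` input is rejected at its closing quote, which is tainted. In the numeric query, `42` is accepted and `5 OR 1=1` is rejected at the tainted space after the digit. The last query carries no taint at all after the char[] round trip and therefore passes the check, which is exactly the limitation the slide above describes.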
Contributions
• Efficient character-level taint tracking
• Runtime overhead <15%
• Works immediately for Java legacy code
• Easy to adopt and deploy
Thank you! Any questions?