
Efficient Character-level Taint Tracking for Java


Presentation Transcript


  1. Efficient Character-level Taint Tracking for Java Erika Chin David Wagner UC Berkeley

  2. Web Applications
     • 80% of all web applications are vulnerable to attack [1]
     • Most are command injection attacks (mixed control and data channel):
       • SQL injection
       • XSS
       • HTTP response splitting
       • Path traversal
       • Shell command injection
     [1] J. Grossman. WhiteHat website security statistics report, Aug 2008.

  3. Example – SQL injection
     String query = "SELECT * FROM students WHERE name = '" + studentName + "'";
     What if:
     • studentName = Bobby
       SELECT * FROM students WHERE name = 'Bobby'
     • studentName = Bobby'; DROP TABLE students; --
       SELECT * FROM students WHERE name = 'Bobby'; DROP TABLE students; --'
     Inspired by XKCD: http://xkcd.com/327/

  4. Command Injection Attacks

  5. A Natural Approach – Taint Tracking at the Character Level
     • Others have argued that taint tracking aids the detection of command injection attacks
     • Taint tracking reveals what data gets touched by user input
     • Attacks are injected into web applications in the form of strings, so we can limit the scope of tracking to strings
     • Character-level information narrows the focus to specific portions of the string

  6. Our Focus
     • We focus on taint tracking for Java web applications
     • Many commercial enterprises use Java for their web services

  7. Character-level Taint Tracking for Java
     • Source Tainting: Augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
     • Taint Propagation: Replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
     • Sink Checking: At each sink, use the taint information to detect attacks by checking that control data is not tainted

  8. Source Tainting
     • We mark all information from the HTTP request as untrusted: path, form parameters, protocol, HTTP headers (cookies, session id, etc.)
       http://www.youtube.com/results?search_query=rick+roll…
       GET /results?search_query=rick+roll&search_type=&aq…
       Host: www.youtube.com
       …
       Referrer: http://www.youtube.com/
       Cookie: use_hitbox=72c46ff6cddcb7c5585…

  9. Source Tainting: Augmented Classes
     • Replace the Tomcat Servlet classes with our own modified classes:
       • javax.servlet.http.HttpServletRequest
       • javax.servlet.http.Cookie
       • javax.servlet.http.HttpSession
       • org.apache.catalina.connector.CoyoteReader

  10. Basic Taint Propagation
      Example code snippet:
      String city = request.getParameter("city");   // tainted: comes from the HTTP request
      String punctuation = ", ";                    // untainted literal
      String state = "CA";                          // untainted literal
      String temp = punctuation.concat(state);      // untainted + untainted
      String location = city.concat(temp);          // tainted prefix, untainted suffix

  11. Taint Propagation: Original String Class
      [Figure: city, punctuation and state each hold a char[]; temp = punctuation.concat(state); city.concat(temp)]

  12. Taint Propagation: Modified String Class
      [Figure: each String now holds a char[] plus a parallel boolean[] taint array; temp = punctuation.concat(state); city.concat(temp) copies both arrays]

  13. Optimized Taint Propagation
      • To reduce the overhead of taint tracking, only track taint when necessary
      • Only allocate the boolean taint array once the String contains a tainted character
      • Reduces overhead by eliminating array copies for operations on fully untainted strings

  14. Optimized Taint Propagation
      [Figure: city, punctuation and state with taint arrays shown as null for the untainted strings; temp = punctuation.concat(state) keeps null; city.concat(temp) allocates a taint array]

  15. Taint Propagation: Augmented Classes
      • java.lang.String
      • java.lang.StringBuffer
      • java.lang.StringBuilder
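The following standalone class is an added illustration of the design on slides 8 and 10 through 14; it is not the authors' modified IBM JDK or Tomcat code, which replaces java.lang.String and the servlet classes in place rather than introducing a new type. The class name TaintedString and the factory methods fromRequest (standing in for source tainting of request.getParameter) and literal (a trusted program constant) are hypothetical. It shows the parallel boolean[] taint array, its propagation through concat and substring, and the slide 13 optimization of leaving the array null until a tainted character is present:

```java
import java.util.Arrays;

// Added example: a minimal taint-carrying string in the style of slides 10-14 (not the authors' code).
public final class TaintedString {
    private final char[] value;
    // One flag per character; null means "no character is tainted" (slide 13 optimization).
    private final boolean[] taint;

    private TaintedString(char[] value, boolean[] taint) {
        this.value = value;
        this.taint = taint;
    }

    // Trusted literal from the program text: no taint array is allocated.
    public static TaintedString literal(String s) {
        return new TaintedString(s.toCharArray(), null);
    }

    // Source tainting (slide 8): every character that arrives in the HTTP request is untrusted.
    public static TaintedString fromRequest(String s) {
        boolean[] t = new boolean[s.length()];
        Arrays.fill(t, true);
        return new TaintedString(s.toCharArray(), t);
    }

    public boolean isTainted() { return taint != null; }

    public boolean isTainted(int i) { return taint != null && taint[i]; }

    public int length() { return value.length; }

    // concat always joins the character arrays, but only builds a taint array when at
    // least one operand carries taint; untainted + untainted costs no extra copy.
    public TaintedString concat(TaintedString other) {
        char[] joined = new char[value.length + other.value.length];
        System.arraycopy(value, 0, joined, 0, value.length);
        System.arraycopy(other.value, 0, joined, value.length, other.value.length);
        if (taint == null && other.taint == null) {
            return new TaintedString(joined, null);
        }
        boolean[] t = new boolean[joined.length];           // zero-initialised: false = untainted
        if (taint != null) System.arraycopy(taint, 0, t, 0, taint.length);
        if (other.taint != null) System.arraycopy(other.taint, 0, t, value.length, other.taint.length);
        return new TaintedString(joined, t);
    }

    // substring carries over the matching slice of the taint array and drops the
    // array again if the slice turned out to be fully untainted.
    public TaintedString substring(int begin, int end) {
        char[] v = Arrays.copyOfRange(value, begin, end);
        boolean[] t = null;
        if (taint != null) {
            t = Arrays.copyOfRange(taint, begin, end);
            boolean any = false;
            for (boolean b : t) any |= b;
            if (!any) t = null;
        }
        return new TaintedString(v, t);
    }

    // Renders the taint flags as a mask line under the text ('T' = tainted).
    public String taintMask() {
        StringBuilder sb = new StringBuilder(value.length);
        for (int i = 0; i < value.length; i++) sb.append(isTainted(i) ? 'T' : ' ');
        return sb.toString();
    }

    @Override public String toString() { return new String(value); }

    public static void main(String[] args) {
        // The snippet from slide 10, with request.getParameter("city") simulated by a constructed value.
        TaintedString city = fromRequest("Berkeley");
        TaintedString punctuation = literal(", ");
        TaintedString state = literal("CA");
        TaintedString temp = punctuation.concat(state);   // both untainted: taint stays null
        TaintedString location = city.concat(temp);       // tainted operand: array allocated here
        System.out.println("temp tainted: " + temp.isTainted() + ", location tainted: " + location.isTainted());
        System.out.println(location);
        System.out.println(location.taintMask());
        System.out.println("substring(10, 12) tainted: " + location.substring(10, 12).isTainted());
    }
}
```

Running main prints the location "Berkeley, CA" over a mask with 'T' under the first eight characters only, and the final substring (", CA" region) reports no taint because its slice of the array is all false, which is exactly the case the slide 13 optimization saves copies on.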

  16. Sink Checking
      • Sinks can use taint information to detect commands in user-supplied data
      • SQL – instrument the JDBC driver to parse the SQL queries and check for SQL keywords and operators that contain tainted characters
      • XSS – examine HTML for tainted JavaScript
      • Details of how to do this are well-documented in the previous literature and not the focus of this work [2]
      [2] Su and Wassermann. The essence of command injection attacks in web applications. POPL '06.
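As an added example of the SQL sink check on slide 16 (not the authors' JDBC instrumentation), the class below takes a query and a per-character taint array, the information the modified String class would carry to the sink, and tokenizes the query with a deliberately minimal grammar (single-quoted literals, words, numbers, "--" comments, single-character operators). Any token that acts as control data (keyword, identifier, operator, literal delimiter, comment marker) containing a tainted character is reported, while tainted characters inside a literal are accepted. The class name SqlSinkCheck and the helper checkStudentQuery, which rebuilds the slide 3 query with only studentName tainted, are hypothetical:

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: a simplified taint-aware SQL sink check (not the authors' code).
public final class SqlSinkCheck {

    // Returns a description of every place where tainted characters form SQL control data.
    public static List<String> findViolations(String sql, boolean[] taint) {
        List<String> violations = new ArrayList<>();
        int n = sql.length();
        int i = 0;
        while (i < n) {
            char c = sql.charAt(i);
            if (Character.isWhitespace(c)) { i++; continue; }
            int start = i;
            if (c == '\'') {
                // String literal: tainted content is data, tainted delimiters are control.
                if (taint[start]) violations.add("tainted opening quote at " + start);
                i++;
                while (i < n && sql.charAt(i) != '\'') i++;
                if (i >= n) { violations.add("unterminated literal at " + start); break; }
                if (taint[i]) violations.add("tainted closing quote at " + i);
                i++;
                continue;
            }
            if (c == '-' && i + 1 < n && sql.charAt(i + 1) == '-') {
                // Line comment: a tainted comment marker lets input discard the rest of the query.
                if (taint[start] || taint[start + 1]) violations.add("tainted comment marker at " + start);
                break;
            }
            if (Character.isLetterOrDigit(c) || c == '_') {
                while (i < n && (Character.isLetterOrDigit(sql.charAt(i)) || sql.charAt(i) == '_')) i++;
                String word = sql.substring(start, i);
                // A purely numeric token is data; keywords and identifiers are control.
                if (!isNumber(word) && anyTainted(taint, start, i))
                    violations.add("tainted keyword or identifier '" + word + "' at " + start);
                continue;
            }
            // Anything else is a single-character operator or punctuation: = ; * ( ) , ...
            if (taint[start]) violations.add("tainted operator '" + c + "' at " + start);
            i++;
        }
        return violations;
    }

    private static boolean isNumber(String s) {
        for (int k = 0; k < s.length(); k++) if (!Character.isDigit(s.charAt(k))) return false;
        return true;
    }

    private static boolean anyTainted(boolean[] taint, int from, int to) {
        for (int k = from; k < to; k++) if (taint[k]) return true;
        return false;
    }

    // Builds the slide 3 query and marks only studentName as tainted, which is what the
    // propagated taint array looks like when the concatenated query reaches JDBC.
    public static List<String> checkStudentQuery(String studentName) {
        String prefix = "SELECT * FROM students WHERE name = '";
        String sql = prefix + studentName + "'";
        boolean[] taint = new boolean[sql.length()];
        Arrays.fill(taint, prefix.length(), prefix.length() + studentName.length(), true);
        return findViolations(sql, taint);
    }

    public static void main(String[] args) {
        // Constructed inputs: the two studentName values from slide 3.
        for (String name : new String[] { "Bobby", "Bobby'; DROP TABLE students; --" }) {
            List<String> v = checkStudentQuery(name);
            System.out.println(name + " -> " + (v.isEmpty() ? "OK" : "REJECT " + v));
        }
    }
}
```

For "Bobby" the only tainted characters sit inside the literal, so the query passes. For the second value the closing quote, the semicolons, DROP, TABLE, students and the comment marker are all tainted control tokens, so the query is rejected before it reaches the database; a production check would use the driver's real SQL grammar, as [2] describes, rather than this toy tokenizer.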

  17. Benefits
      • Provides a basis to protect from command injection attacks
      • Simple, easy to adopt and deploy
        • Server-side change
        • One-time modification
        • No change to web application byte code
        • No need for web application source code
        • Works immediately with Java legacy applications
      • Efficient

  18. Benefits (cont'd)
      • Handles web applications that call string methods reflectively
        • Java reflection allows calls to methods selected at runtime
        • Our approach can track the taint for these reflected calls

  19. Limitations
      • For backwards compatibility we do not record taint status in the serialized form
      • May lose taint status via string operations with chars and char arrays
        • Cannot hold taint status in primitives
      • Does not defend against malicious web developers

  20. Performance Overhead: 0-15%

  21. Contributions
      • Efficient character-level taint tracking
        • Runtime overhead <15%
      • Works immediately for Java legacy code
      • Easy to adopt and deploy

  22. Thank you! Any questions?
