1 / 70

DBTaint : Cross-Application Information Flow Tracking via Databases

This paper discusses the limitations of single-application systems in tracking information flow and presents a system-wide approach called DBTaint that can track information flow across web applications and databases without requiring changes to existing applications.

scottsmith
Download Presentation

DBTaint : Cross-Application Information Flow Tracking via Databases

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DBTaint: Cross-Application Information Flow Tracking via Databases Benjamin Davis Hao Chen University of California, Davis

  2. Introduction • Web services are highly attractive targets • Over 60% of attacks target Web applications • Over 80% of vulnerabilities found are in Web applications (From SANS 2009 Top Cyber Security Risks)

  3. Cross-Site Scripting <h1>Latest Comment</h1> <p> </p> {User Content}

  4. Cross-Site Scripting <h1>Latest Comment</h1> <p> This is <b>great!</b> </p>

  5. Cross-Site Scripting <h1>Latest Comment</h1> <p> <script> steal(document.cookie); </script> </p>

  6. Information Flow Tracking Application ? ? ? ? ?

  7. Information Flow Tracking Information Flow Tracking System Application   !! Input  

  8. Information Flow Tracking Information Flow Tracking System Application   !!  

  9. Information Flow Tracking Information Flow Tracking System Application   !! !!  

  10. Information Flow Tracking Information Flow Tracking System Application   !! !!  Output 

  11. Information Flow Tracking Information Flow Tracking System Application   X !! !!  Output 

  12. Examples • Language-based “taint mode” • Perl • Ruby • Adding support to language structures • Java [Chin, Wagner 09] • PHP [Venema]

  13. Limitations of Single-Application Systems Information Flow Tracking System Database Database Interface Input Web Application Output

  14. Limitations of Single-Application Systems Information Flow Tracking System Database Database Interface !! Input Web Application    Output 

  15. Limitations of Single-Application Systems Information Flow Tracking System Database Database Interface Input Web Application   !!  Output 

  16. Limitations of Single-Application Systems Information Flow Tracking System Database !! Database Interface Input Web Application    Output 

  17. Limitations of Single-Application Systems Information Flow Tracking System !! Database Database Interface Input Web Application    Output 

  18. Limitations of Single-Application Systems Information Flow Tracking System ? Database Database Interface Input Web Application    Output 

  19. Limitations of Single-Application Systems Information Flow Tracking System Database Database Interface ? Input Web Application    Output 

  20. Limitations of Single-Application Systems Information Flow Tracking System Database Database Interface ? Input Web Application    Output 

  21. Limitations of Single-Application Systems • What if you have multiple applications? • How to treat data from the database? • All tainted -> false positives • All untainted -> false negatives • Require manual annotation? • Application-specific decisions?

  22. System-Wide Approaches • Taint tracking through the entire system • [Asbestos, 05] • [HiStar, 06] • Implemented in • Hardware • OS • VMM/emulator

  23. Process-level System-Wide Tracking Database Database Interface !! Input Web Application Output

  24. Process-level System-Wide Tracking Database Database Interface Input Web Application Output

  25. Process-level System-Wide Tracking !! Database Database Interface Input Web Application Output

  26. Process-level System-Wide Tracking Database Database Interface Input Web Application Output

  27. Low-level System-Wide Systems • Low level/fine granularity • Hardware mechanism [Suh, Lee, Devadas 04] • Minos [Crandall, Chong, 04] • Lacks high-level database semantics • Aggregate functions • Comparisons, SELECT DISTINCT

  28. DBTaint Design Goals • End-to-end taint tracking • Across Web applications and databases • Leverage existing single-application information flow tracking engines • Compatible with existing Web services • Require no changes to Web applications • Taint propagation through database functions

  29. Web Service Database Engine DB Interface SQL Web Application

  30. DBTaint Web Service Database Engine DBTaint DB Interface SQL Web Application Single-application information flow

  31. Information Flow in the Database • Store taint data in database composite types • Tuple of form: (<value>, <taint_value>) • Store/retrieve taint values via SQL • No additional mechanisms needed in the database • No change to underlying database data structures Before DBTaint With DBTaint

  32. Information Flow in the Database • Create functions that operate on composite types • Comparison operators (=, !=, <, …) • Arithmetic operations (+, -, …) • Text operations (upper, lower, …) • Aggregate functions (MAX, MIN, SUM, …) • Functions implemented in SQL • CREATE FUNCTION • CREATE OPERATOR • CREATE AGGREGATE

  33. Database Taint Behavior • Arithmetic operations (4, 0) + (5, 1) = (9, ?)

  34. Database Taint Behavior • Arithmetic operations (4, 0) + (5, 1) = (9, ?) untainted tainted

  35. Database Taint Behavior • Arithmetic operations (4, 0) + (5, 1) = (9, 1) untainted tainted tainted

  36. Database Taint Behavior • MAX {(2, 0), (3, 1), (5, 0)} = (5, ?)

  37. Database Taint Behavior • MAX {(2, 0), (3, 1), (5, 0)} = (5, ?) untainted tainted untainted

  38. Taint Philosophy • Untainted: trusted source • Web application defaults • Values generated entirely by the Web application • Tainted: from untrusted source, or unknown • User input • Explicit information flow • Database returns untainted value only if database has received that value untainted

  39. Database Taint Behavior • MAX {(2, 0), (3, 1), (5, 0)} = (5, ?) untainted tainted untainted

  40. Database Taint Behavior • MAX {(2, 0), (3, 1), (5, 0)} = (5, 0) untainted tainted untainted untainted

  41. Database Taint Behavior • Equality (3, 0) = (3, 1) ? untainted tainted

  42. Database Taint Behavior • Equality 3 == 3

  43. Database Taint Behavior • Equality (3, 0) == (3, 1) • Adopt notion of backwards-compatibility [Chin, Wagner 09] untainted tainted

  44. Database Taint Behavior • MAX {(5, 1), (5, 0)} = (5, ?) tainted untainted

  45. Database Taint Behavior • MAX {5, 5} = 5

  46. Database Taint Behavior • MAX {5, 5} = 5 OR

  47. Database Taint Behavior • MAX {(5, 1), (5, 0)} = (5, ?) OR

  48. Database Taint Behavior • MAX {(5, 1), (5, 0)} = (5, 0) • When possible, prefer to return untainted values tainted untainted untainted

  49. Web Service Information Flow DB Interface Database Table WebApp

  50. Web Service Information Flow DB Interface Database Table x = DB.get(id=27) WebApp

More Related