Taint 2.0 (taint analysis on steroids)
Dr. Yinnon Haviv, IBM, Watchfire, yinnonh@il.ibm.com
10.9.2009
Web Application Security Scanners
• BB (black box)
• WB (white box)
Taint Analysis
• Many injection issues: SQLi, XSS, LogForging, PathTraversal, Remote code execution …
• Information leakage issues
• Diagram: Sources → Sanitizers → Sinks
What users want
• Run tool → Get accurate results
What users often get…
Top complaints from users of static analysis tools:
#1: Lots of false positives
#2: Configuration of sanitizers is time consuming
• Run tool → Get lots of false positives → Define user-defined sanitizers → Get accurate results
String Analysis solves this by “understanding” what sanitizers do, without configuration.
String Analysis Technology
• The next generation of static analyzer technology
• Detects the range of possible values a string can get at point of use
• Example: input matches .* (anything); after the sanitizer the output matches [^;']* (no ; or ' can reach the sink)
String Analysis can do MORE!
• Validation methods
• Inline validation
• Inline sanitization
Summary of Customer Value
• User defined sanitizers? → Automatically detected / validated
• Validation methods? → Automatically detected
• Inline sanitization / validation? → Detected in place; no need for refactoring
• The bottom line
  • Greater accuracy out-of-the-box
  • Less configuration
  • More reliable results
  • Easier to use
What if your custom sanitizer is incomplete?
• You wrote your own XSS sanitizer, but you forgot to handle certain characters
• You THINK it works correctly, so you tell your analyzer that this is your sanitizer
• Your analyzer trusts you and does not report an issue
• But in fact, you do have a serious vulnerability!
• With String Analysis, the analyzer doesn’t “trust you”; it is smart enough to understand on its own whether or not the sanitizer is doing everything it should be doing
Under the Hood
• Tracking conditions, e.g. the branches ch == '<', ch == '>', ch == '"' versus ch != '<' && ch != '>' && ch != '"'
• Describing invariants on variables’ values
• RegExp (JSA)
• CFG (Minamide)
– Public knowledge
The Challenges - An example from WebGoat
A well designed sanitizer: do you trust this code ???
The Future - Exploit generation
• Generating an exploit “proves” vulnerability exists
• Incorrect sanitizer: userName = <%00script>alert(1)</%00script> → clean = <script>alert(1)</script>
• Generated exploit fragment: …%43&alert(1)%23…
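A toy string analysis in the spirit of the slides, added here as an illustration and not code from the deck or from IBM: an abstract value records which characters a string may still contain and which substrings an inline validation has proven absent, and a sink check reports what a sanitizer may let through. The sanitizer models, the sink policies and the three pipelines (the WebGoat-style "validate, then strip null bytes" ordering, the safe ordering, and a hand-written sanitizer that forgot the double quote) are all constructed for this example.

```python
# Added example (not from the slides): a simplified string analysis that tracks
# the range of values a string can have at the point of use.
# Abstract value = (chars that may occur, substrings guaranteed absent).
import string

PRINTABLE = frozenset(string.printable) | {"\0"}

class AbsStr:
    def __init__(self, may_contain=PRINTABLE, absent=frozenset()):
        self.may_contain = frozenset(may_contain)  # alphabet over-approximation
        self.absent = frozenset(absent)            # substrings proven absent

    def remove_chars(self, chars):
        # Deleting characters shrinks the alphabet but can glue fragments
        # together ("<\0script>" -> "<script>"), so substring guarantees
        # established earlier are no longer sound and are discarded.
        return AbsStr(self.may_contain - set(chars), frozenset())

    def reject_if_contains(self, needle):
        # Inline validation: on the path that reaches the sink, needle is absent.
        return AbsStr(self.may_contain, self.absent | {needle})

    def excludes(self, needle):
        return needle in self.absent or any(c not in self.may_contain for c in needle)

def check_sink(value, forbidden):
    """Return the forbidden substrings the sanitized value may still contain."""
    return sorted(s for s in forbidden if not value.excludes(s))

def run(steps):
    """Apply a constructed sanitizer pipeline to an unconstrained input."""
    value = AbsStr()
    for op, arg in steps:
        value = getattr(value, op)(arg)
    return value

# Constructed, deliberately simplified sink policies: what must never arrive.
HTML_BODY = {"<script"}
HTML_ATTR = {'"', "<"}

# 1. WebGoat-style ordering bug: validate first, strip null bytes afterwards.
validate_then_strip = [("reject_if_contains", "<script"), ("remove_chars", "\0")]
# 2. Same steps in the safe order: normalize, then validate.
strip_then_validate = [("remove_chars", "\0"), ("reject_if_contains", "<script")]
# 3. Hand-written XSS sanitizer that strips angle brackets but not the quote.
strip_angles = [("remove_chars", "<>")]

if __name__ == "__main__":
    for name, steps, sink in [("validate_then_strip", validate_then_strip, HTML_BODY),
                              ("strip_then_validate", strip_then_validate, HTML_BODY),
                              ("strip_angles", strip_angles, HTML_ATTR)]:
        print(name, "->", check_sink(run(steps), sink) or "ok")
```

Only the pipeline that normalizes before validating comes back clean; the other two are reported without anyone having to declare which function is "the sanitizer".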
Summary - Advantages of String Analysis
• World’s smartest static analyzer
• No need to define what the sanitizers are
• Understands inline sanitization
• Understands validators
• Can verify your sanitizers really do what they’re supposed to
• What this means for you
  • Greater accuracy out-of-the-box
  • Less configuration
  • More reliable results
  • Easier to use
IBM Tokyo Research Lab
Q&A