EFFICIENT CHARACTER-LEVEL TAINT TRACKING FOR JAVA
Erika Chin
David Wagner
UC Berkeley
WEB APPLICATIONS
80% of all web applications are vulnerable to attack [1]
Most are command injection attacks (mixed control and data channel):
  SQL injection
  XSS
  HTTP response splitting
  Path traversal
  Shell command injection
[1] J. Grossman. WhiteHat website security statistics report, Aug 2008.
EXAMPLE – SQL INJECTION
Query = "SELECT * FROM students WHERE name = '" + studentName + "'";

What if:
  studentName = Bobby
  -> "SELECT * FROM students WHERE name = 'Bobby'"

  studentName = Bobby'; DROP TABLE students; --
  -> "SELECT * FROM students WHERE name = 'Bobby'; DROP TABLE students; --'"
Inspired by XKCD: http://xkcd.com/327/
COMMAND INJECTION ATTACKS
Command injection attack     Command elements
SQL injection                SQL keywords and operators
XSS                          JavaScript
HTTP response splitting      Newlines (CR, LF)
Path traversal               '/', ".."
Shell command injection      Shell keywords and operators, meta-characters
A NATURAL APPROACH – TAINT TRACKING AT THE CHARACTER LEVEL
Others have argued that taint tracking aids the detection of command injection attacks
  Taint tracking reveals what data gets touched by user input
  Attacks are injected into web applications in the form of strings, so we can limit the scope of tracking to strings
  Character-level information narrows the focus to specific portions of the string
OUR FOCUS
We focus on taint tracking for Java web applications
Many commercial enterprises use Java for their web services
CHARACTER-LEVEL TAINT TRACKING FOR JAVA
1. Source Tainting: Augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
2. Taint Propagation: Replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
3. Sink Checking: At each sink, use the taint information to detect attacks by checking that control data is not tainted
SOURCE TAINTING
We mark all information from the HTTP request as untrusted
Example request (http://www.youtube.com/results?search_query=rick+roll…):
  GET /results?search_query=rick+roll&search_type=&aq…
  Host: www.youtube.com
  …
  Referer: http://www.youtube.com/
  Cookie: use_hitbox=72c46ff6cddcb7c5585…
Tainted: form parameters, protocol, path, HTTP headers (cookies, session id, etc.)
SOURCE TAINTING: AUGMENTED CLASSES
Replace the Tomcat Servlet classes with our own modified classes
  javax.servlet.http.HttpServletRequest
  javax.servlet.http.Cookie
  javax.servlet.http.HttpSession
  org.apache.catalina.connector.CoyoteReader
BASIC TAINT PROPAGATION
Example code snippet:
  String city = request.getParameter("city");
  String punctuation = ", ";
  String state = "CA";
  String temp = punctuation.concat(state);
  String location = city.concat(temp);
TAINT PROPAGATION: ORIGINAL STRING CLASS
Each String holds only a char[]:

  city                               char[]: "Berkeley"
  punctuation                        char[]: ", "
  state                              char[]: "CA"
  temp = punctuation.concat(state)   char[]: ", CA"
  city.concat(temp)                  char[]: "Berkeley, CA"
TAINT PROPAGATION: MODIFIED STRING CLASS
Each String holds a char[] plus a parallel boolean[] taint array, one flag per character (T = tainted, F = untainted):

  city                               "Berkeley"      T T T T T T T T
  punctuation                        ", "            F F
  state                              "CA"            F F
  temp = punctuation.concat(state)   ", CA"          F F F F
  city.concat(temp)                  "Berkeley, CA"  T T T T T T T T F F F F
OPTIMIZED TAINT PROPAGATION
To reduce the overhead of taint tracking, only track taint when necessary
Only allocate boolean taint array once the String contains a tainted character
Reduces overhead by eliminating array copies for operations on fully untainted strings
OPTIMIZED TAINT PROPAGATION
Same example; a String with no tainted characters carries no boolean[] at all (null), so concatenating untainted Strings copies only characters:

  city                               "Berkeley"      T T T T T T T T
  punctuation                        ", "            null
  state                              "CA"            null
  temp = punctuation.concat(state)   ", CA"          null
  city.concat(temp)                  "Berkeley, CA"  T T T T T T T T F F F F
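The propagation in the BASIC and OPTIMIZED TAINT PROPAGATION slides, modelled in Python as an added example. This is not the authors' code (their change lives inside java.lang.String in the IBM JDK and cannot be reproduced from user code); TaintedString is a constructed stand-in for the augmented String, request.getParameter("city") is replaced by the constructed value "Berkeley", and the method names untrusted, taint_mask, substring and to_char_array are this example's own. It shows the lazy allocation rule (the boolean array exists only once a tainted character is present, so concatenating two untainted strings copies no taint array) and, in to_char_array, the limitation stated later on the LIMITATIONS slide: a round trip through a char[] drops the taint.

```python
from __future__ import annotations

from typing import Optional


class TaintedString:
    """Model of the augmented java.lang.String (added example, not the authors'
    JDK patch): an immutable char buffer plus a parallel boolean taint array.
    Optimisation from the slides: the array is only allocated once the string
    contains at least one tainted character; fully untainted strings keep None."""

    def __init__(self, chars: str, taint: Optional[list[bool]] = None):
        if taint is not None and len(taint) != len(chars):
            raise ValueError("taint array must be parallel to the chars")
        self.chars = chars
        # Lazy allocation: keep the array only if it actually marks something tainted.
        self.taint = list(taint) if taint and any(taint) else None

    @classmethod
    def untrusted(cls, chars: str) -> "TaintedString":
        """Source tainting: everything read from the HTTP request is tainted."""
        return cls(chars, [True] * len(chars))

    def taint_mask(self) -> list[bool]:
        """Per-character taint, materialising all-False for an untainted string."""
        return list(self.taint) if self.taint is not None else [False] * len(self.chars)

    def is_tainted(self) -> bool:
        return self.taint is not None

    def concat(self, other: "TaintedString") -> "TaintedString":
        chars = self.chars + other.chars
        if self.taint is None and other.taint is None:
            return TaintedString(chars)  # fast path: no taint array copied or allocated
        return TaintedString(chars, self.taint_mask() + other.taint_mask())

    def substring(self, begin: int, end: Optional[int] = None) -> "TaintedString":
        end = len(self.chars) if end is None else end
        if self.taint is None:
            return TaintedString(self.chars[begin:end])
        # The constructor drops the array again if the slice is entirely untainted.
        return TaintedString(self.chars[begin:end], self.taint[begin:end])

    def to_char_array(self) -> list[str]:
        """Limitation from the slides: primitives (char, char[]) cannot carry
        taint, so a String rebuilt from these chars comes back untainted."""
        return list(self.chars)

    def __str__(self) -> str:
        return self.chars


def location_example() -> TaintedString:
    """The slide's snippet with request.getParameter("city") replaced by a
    constructed value; returns the final String with its taint intact."""
    city = TaintedString.untrusted("Berkeley")  # stands in for request.getParameter("city")
    punctuation = TaintedString(", ")
    state = TaintedString("CA")
    temp = punctuation.concat(state)  # both untainted: temp.taint stays None
    location = city.concat(temp)      # taint array allocated here: 8 x True, 4 x False
    return location


def taint_lost_via_chars(s: TaintedString) -> TaintedString:
    """Round trip through a char[] and back, as in new String(s.toCharArray())."""
    return TaintedString("".join(s.to_char_array()))


if __name__ == "__main__":
    loc = location_example()
    print(loc, loc.taint_mask())
    print(loc.substring(0, 8).taint, loc.substring(8).taint)
    print(taint_lost_via_chars(loc).taint)
```

The substring case is the one worth noticing: slicing off the untainted ", CA" tail returns a String whose taint array is dropped again, so the optimisation applies after every operation, not only at construction time.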
TAINT PROPAGATION: AUGMENTED CLASSES
  java.lang.String
  java.lang.StringBuffer
  java.lang.StringBuilder
SINK CHECKING
Sinks can use taint information to detect commands in user-supplied data
  SQL – instrument JDBC to parse the SQL queries and check for SQL keywords and operators that contain tainted characters
  XSS – examine HTML for tainted JavaScript
Details of how to do this are well-documented in the previous literature and not the focus of this work [2]
[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL ’06.
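One way to implement the SQL sink check above, applied to the query from the EXAMPLE – SQL INJECTION slide, as an added example in Python (a model, not the authors' JDBC instrumentation). The tokeniser is a constructed subset of SQL, and build_query is a stand-in for the slide's string concatenation that produces the query text together with the per-character taint mask a tainting runtime would carry. The rule applied is slightly stricter than the slide's "keywords and operators": every token outside a string or numeric literal counts as control, so tainted identifiers and comments are flagged too.

```python
from __future__ import annotations

import re

# Tokeniser for the subset of SQL needed here (constructed for this example;
# a real JDBC instrumentation would use a full SQL grammar).
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'            # single-quoted string literal ('' escapes a quote)
  | --[^\n]*                  # line comment
  | \d+(?:\.\d+)?             # numeric literal
  | [A-Za-z_][A-Za-z_0-9]*    # keyword or identifier
  | \s+                       # whitespace
  | .                         # any other single character: operator or punctuation
""", re.VERBOSE)


def is_data_token(tok: str) -> bool:
    """String and numeric literals are the only places user data may appear."""
    return tok.startswith("'") or tok[0].isdigit()


def check_sql(query: str, taint: list[bool]) -> list[str]:
    """Sink check: return every control token (keyword, identifier, operator,
    punctuation, comment) that contains at least one tainted character.
    An empty list means the query structure is entirely programmer-written."""
    if len(query) != len(taint):
        raise ValueError("taint mask must be parallel to the query text")
    violations = []
    for m in TOKEN_RE.finditer(query):
        tok = m.group(0)
        if tok.isspace() or is_data_token(tok):
            continue
        if any(taint[m.start():m.end()]):
            violations.append(tok)
    return violations


def build_query(prefix: str, untrusted: str, suffix: str = "") -> tuple[str, list[bool]]:
    """Stand-in for the concatenation on the SQL injection slide: the
    programmer's prefix and suffix are untainted, the request value is fully
    tainted. Returns the query text and its per-character taint mask."""
    query = prefix + untrusted + suffix
    taint = [False] * len(prefix) + [True] * len(untrusted) + [False] * len(suffix)
    return query, taint


if __name__ == "__main__":
    prefix, suffix = "SELECT * FROM students WHERE name = '", "'"
    for name in ("Bobby", "Bobby'; DROP TABLE students; --"):
        q, t = build_query(prefix, name, suffix)
        print(repr(q), "->", check_sql(q, t) or "clean")
```

For the benign name every tainted character sits inside the 'Bobby' literal and nothing is reported; for the injected name the tainted characters spill into the ; DROP TABLE students ; and --' tokens, which is exactly the control data the check refuses. The same rule catches an unquoted numeric injection such as id = 1 OR 1=1, where the tainted OR and = are flagged while the tainted digits are accepted as data.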
BENEFITS
Provides a basis to protect from command injection attacks
Simple, easy to adopt and deploy
  Server-side change
  One-time modification
  No change to web application byte code
  No need for web application source code
  Works immediately with Java legacy applications
Efficient
BENEFITS (CONT'D)
Handles web applications that call string methods reflectively
  Java reflection allows calls to methods selected at runtime
  Our approach can track the taint for these reflected calls, since the augmented library classes are the ones a reflected call resolves to
LIMITATIONS
For backwards compatibility we do not record taint status in the serialized form
May lose taint status via string operations with chars and char arrays
  Cannot hold taint status in primitives
Does not defend against malicious web developers
PERFORMANCE OVERHEAD: 0-15%
CONTRIBUTIONS
Efficient character-level taint tracking
  Runtime overhead <15%
  Works immediately for Java legacy code
  Easy to adopt and deploy
Thank you!
Any questions?