Efficient Character-level Taint Tracking for Java
Erika Chin, David Wagner, UC Berkeley
22 slides


DESCRIPTION

Efficient Character-level Taint Tracking for Java. Erika Chin, David Wagner, UC Berkeley. Web applications: 80% of all web applications are vulnerable to attack [1]; most are command injection attacks (mixed control and data channel): SQL injection, XSS, HTTP response splitting. PowerPoint presentation.

TRANSCRIPT

Page 1: Efficient Character-level Taint Tracking for Java

EFFICIENT CHARACTER-LEVEL TAINT TRACKING FOR JAVA
Erika Chin, David Wagner
UC Berkeley

Page 2

WEB APPLICATIONS
80% of all web applications are vulnerable to attack [1]
Most are command injection attacks (mixed control and data channel):
- SQL injection
- XSS
- HTTP response splitting
- Path traversal
- Shell command injection

[1] J. Grossman. WhiteHat website security statistics report, Aug 2008.

Page 3

EXAMPLE - SQL INJECTION

    // Deliberately vulnerable: the user-supplied studentName is spliced into the query text.
    String query = "SELECT * FROM students WHERE name = '" + studentName + "'";

What if:

studentName = Bobby
    "SELECT * FROM students WHERE name = 'Bobby'"

studentName = Bobby'; DROP TABLE students; --
    "SELECT * FROM students WHERE name = 'Bobby'; DROP TABLE students; --'"

Inspired by XKCD: http://xkcd.com/327/

Page 4

COMMAND INJECTION ATTACKS

Command Injection Attack  | Command Elements
--------------------------|------------------------------------------------
SQL injection attack      | SQL keywords and operators
XSS                       | JavaScript
HTTP response splitting   | Newlines (CR, LF)
Path traversal            | '/', ".."
Shell command injection   | Shell keywords and operators, meta-characters

Page 5

A NATURAL APPROACH - TAINT TRACKING AT THE CHARACTER LEVEL
- Others have argued that taint tracking aids the detection of command injection attacks
- Taint tracking reveals what data gets touched by user input
- Attacks are injected into web applications in the form of strings, so we can limit the scope of tracking to strings
- Character-level information narrows the focus to specific portions of the string

Page 6

OUR FOCUS
- We focus on taint tracking for Java web applications
- Many commercial enterprises use Java for their web services

Page 7

CHARACTER-LEVEL TAINT TRACKING FOR JAVA
1. Source Tainting: Augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
2. Taint Propagation: Replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
3. Sink Checking: At each sink, use the taint information to detect attacks by checking that control data is not tainted

Page 8

SOURCE TAINTING
We mark all information from the HTTP request as untrusted:

    http://www.youtube.com/results?search_query=rick+roll…
    GET /results?search_query=rick+roll&search_type=&aq…
    Host: www.youtube.com
    …
    Referrer: http://www.youtube.com/
    Cookie: use_hitbox=72c46ff6cddcb7c5585…

Tainted sources: form parameters, protocol, path, HTTP headers (cookies, session id, etc.)

Page 9

SOURCE TAINTING: AUGMENTED CLASSES
Replace the Tomcat Servlet classes with our own modified classes:
- javax.servlet.http.HttpServletRequest
- javax.servlet.http.Cookie
- javax.servlet.http.HttpSession
- org.apache.catalina.connector.CoyoteReader

Page 10

BASIC TAINT PROPAGATION
Example code snippet:

    // city comes from the request, so every character of it is tainted
    String city = request.getParameter("city");
    String punctuation = ", ";   // trusted literals: untainted
    String state = "CA";
    String temp = punctuation.concat(state);   // untainted + untainted
    String location = city.concat(temp);       // tainted prefix, untainted suffix

Page 11

TAINT PROPAGATION: ORIGINAL STRING CLASS

                                   char[]
city                               B e r k e l e y
punctuation                        ,
state                              C A
temp = punctuation.concat(state)   , C A
city.concat(temp)                  B e r k e l e y , C A

Page 12

TAINT PROPAGATION: MODIFIED STRING CLASS

                                   char[]                    boolean[]
city                               B e r k e l e y           T T T T T T T T
punctuation                        ,                         F F
state                              C A                       F F
temp = punctuation.concat(state)   , C A                     F F F F
city.concat(temp)                  B e r k e l e y , C A     T T T T T T T T F F F F

Page 13

OPTIMIZED TAINT PROPAGATION
- To reduce the overhead of taint tracking, only track taint when necessary
- Only allocate the boolean taint array once the String contains a tainted character
- Reduces overhead by eliminating array copies for operations on fully untainted strings

Page 14

OPTIMIZED TAINT PROPAGATION
(The F F, F F and F F F F arrays of the previous slide are no longer allocated; they become null.)

                                   char[]                    boolean[]
city                               B e r k e l e y           T T T T T T T T
punctuation                        ,                         null
state                              C A                       null
temp = punctuation.concat(state)   , C A                     null
city.concat(temp)                  B e r k e l e y , C A     T T T T T T T T F F F F
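The modified String class of slides 10 to 14, as an added stand-alone example. This is not the talk's code: the real system replaces java.lang.String inside the IBM JDK, which a single class cannot do, so TaintString, trusted(), fromRequest() and taintMap() are names chosen here. fromRequest() stands in for what the augmented HttpServletRequest.getParameter() of slide 9 would return.

```java
import java.util.Arrays;

// Added example: a model of the per-character boolean[] taint array and the
// "allocate only when tainted" optimisation. Not the paper's java.lang.String.
public final class TaintString {
    private final char[] value;
    // null means "no character in this string is tainted" (optimised case);
    // otherwise taint[i] is true when value[i] came from untrusted input.
    private final boolean[] taint;

    private TaintString(char[] value, boolean[] taint) {
        this.value = value;
        this.taint = taint;
    }

    // Trusted literal, e.g. a constant in application code: no taint array at all.
    public static TaintString trusted(String s) {
        return new TaintString(s.toCharArray(), null);
    }

    // Stand-in for the augmented servlet request (slide 8): every character is tainted.
    public static TaintString fromRequest(String s) {
        boolean[] t = new boolean[s.length()];
        Arrays.fill(t, true);
        return new TaintString(s.toCharArray(), t);
    }

    public boolean isTainted() { return taint != null; }

    public boolean isTainted(int i) { return taint != null && taint[i]; }

    public int length() { return value.length; }

    // Concatenation propagates taint position by position (slide 12), but
    // skips the taint array entirely when neither operand carries one (slide 14).
    public TaintString concat(TaintString other) {
        char[] chars = new char[value.length + other.value.length];
        System.arraycopy(value, 0, chars, 0, value.length);
        System.arraycopy(other.value, 0, chars, value.length, other.value.length);
        if (taint == null && other.taint == null) {
            return new TaintString(chars, null);   // no allocation, no copy
        }
        boolean[] t = new boolean[chars.length];  // zero-filled: false everywhere
        if (taint != null) {
            System.arraycopy(taint, 0, t, 0, taint.length);
        }
        if (other.taint != null) {
            System.arraycopy(other.taint, 0, t, value.length, other.taint.length);
        }
        return new TaintString(chars, t);
    }

    // "T"/"F" per character as in the slide diagrams; "null" when no array exists.
    public String taintMap() {
        if (taint == null) return "null";
        StringBuilder sb = new StringBuilder(taint.length);
        for (boolean b : taint) sb.append(b ? 'T' : 'F');
        return sb.toString();
    }

    // Converting back to a plain String drops the taint information.
    @Override public String toString() { return new String(value); }

    public static void main(String[] args) {
        TaintString city = TaintString.fromRequest("Berkeley");  // constructed user input
        TaintString punctuation = TaintString.trusted(", ");
        TaintString state = TaintString.trusted("CA");
        TaintString temp = punctuation.concat(state);   // both untainted: taint stays null
        TaintString location = city.concat(temp);
        System.out.println("temp     = \"" + temp + "\"  taint: " + temp.taintMap());
        System.out.println("location = \"" + location + "\"  taint: " + location.taintMap());
    }
}
```

Running main reproduces the slide 14 diagram: temp keeps a null taint array because both operands are untainted, while location gets eight T followed by four F. The toString() at the end is the kind of boundary slide 19 warns about: once the characters leave the augmented class (here as a plain String, in the real system via chars and char arrays), the taint status is gone.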

Page 15

TAINT PROPAGATION: AUGMENTED CLASSES
- java.lang.String
- java.lang.StringBuffer
- java.lang.StringBuilder

Page 16

SINK CHECKING
Sinks can use taint information to detect commands in user-supplied data:
- SQL: instrument the JDBC to parse the SQL queries and check for SQL keywords and operators that contain tainted characters
- XSS: examine HTML for tainted JavaScript
Details of how to do this are well-documented in the previous literature and not the focus of this work [2]

[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL '06.
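The SQL sink check sketched on slide 16, run over the two slide 3 queries, as an added example that is not the talk's code. The talk instruments the JDBC driver and reads taint straight from the modified String; SqlSinkCheck (a name chosen here) instead takes the query text plus a per-character boolean[] so it runs on an unmodified JDK. The keyword set, the query prefix and suffix, and taintOf() are constructed for the demo (taintOf marks exactly the studentName characters as tainted, which is what the augmented String would carry). Set.of needs Java 9 or later.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example: toy SQL sink check. Policy from slide 16: an SQL keyword or
// operator token that contains any tainted character is a command injection.
public final class SqlSinkCheck {
    // Small keyword set for the demo; a real check would cover the full grammar.
    private static final Set<String> KEYWORDS = Set.of(
        "SELECT", "FROM", "WHERE", "DROP", "TABLE", "INSERT",
        "UPDATE", "DELETE", "UNION", "OR", "AND");

    public static final class Violation {
        public final String token;
        public final int offset;
        Violation(String token, int offset) { this.token = token; this.offset = offset; }
        @Override public String toString() { return "'" + token + "' at " + offset; }
    }

    // Returns every keyword/operator token with at least one tainted character.
    // An empty list means the query's control structure came from the program.
    public static List<Violation> check(String sql, boolean[] taint) {
        List<Violation> bad = new ArrayList<>();
        int i = 0, n = sql.length();
        while (i < n) {
            char c = sql.charAt(i);
            if (Character.isWhitespace(c)) { i++; continue; }
            int start = i;
            if (c == '\'') {
                // Quote delimiters are control; the literal body between them is data.
                addIfTainted(bad, sql, taint, start, start + 1);
                i++;
                while (i < n && sql.charAt(i) != '\'') i++;
                if (i < n) { addIfTainted(bad, sql, taint, i, i + 1); i++; }
                continue;
            }
            if (Character.isLetter(c)) {
                while (i < n && (Character.isLetterOrDigit(sql.charAt(i)) || sql.charAt(i) == '_')) i++;
                String word = sql.substring(start, i);
                // Identifiers (table and column names) are outside the slide's policy.
                if (KEYWORDS.contains(word.toUpperCase(Locale.ROOT))) addIfTainted(bad, sql, taint, start, i);
                continue;
            }
            if (Character.isDigit(c)) {
                while (i < n && Character.isDigit(sql.charAt(i))) i++;   // numeric literal: data
                continue;
            }
            if (c == '-' && i + 1 < n && sql.charAt(i + 1) == '-') {
                addIfTainted(bad, sql, taint, start, start + 2);   // "--" comment marker
                break;   // the rest of the line is a comment; nothing left to parse
            }
            i++;   // any other single character is an operator or punctuation
            addIfTainted(bad, sql, taint, start, i);
        }
        return bad;
    }

    private static void addIfTainted(List<Violation> bad, String sql, boolean[] taint, int from, int to) {
        for (int k = from; k < to; k++) {
            if (taint[k]) { bad.add(new Violation(sql.substring(from, to), from)); return; }
        }
    }

    // The slide 3 query, built the vulnerable way: prefix + user input + suffix.
    static final String PREFIX = "SELECT * FROM students WHERE name = '";
    static final String SUFFIX = "'";

    public static String query(String studentName) { return PREFIX + studentName + SUFFIX; }

    // Constructed taint array: only the studentName characters are tainted.
    public static boolean[] taintOf(String studentName) {
        boolean[] t = new boolean[PREFIX.length() + studentName.length() + SUFFIX.length()];
        for (int k = 0; k < studentName.length(); k++) t[PREFIX.length() + k] = true;
        return t;
    }

    public static void main(String[] args) {
        String[] inputs = { "Bobby", "Bobby'; DROP TABLE students; --" };   // from slide 3
        for (String name : inputs) {
            String sql = query(name);
            List<Violation> v = check(sql, taintOf(name));
            System.out.println(sql);
            System.out.println("  -> " + (v.isEmpty() ? "OK" : "INJECTION " + v));
        }
    }
}
```

For the benign name the only control characters (the quotes, the keywords, the = and *) are untainted, so the list is empty. For the injected name the closing quote after Bobby, both semicolons, DROP, TABLE and the -- marker all fall inside the tainted span and are reported, which is exactly the "control data must not be tainted" condition of slide 7; the tainted identifier students is not reported because the slide's policy concerns keywords and operators.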

Page 17

BENEFITS
- Provides a basis to protect from command injection attacks
- Simple, easy to adopt and deploy
  - Server-side change
  - One-time modification
  - No change to web application byte code
  - No need for web application source code
  - Works immediately with Java legacy applications
- Efficient

Page 18

BENEFITS (CONT'D)
- Handles web applications that call string methods reflectively
  - Java reflection allows calls to methods selected at runtime
  - Our approach can track the taint for these reflected calls

Page 19

LIMITATIONS
- For backwards compatibility we do not record taint status in the serialized form
- May lose taint status via string operations with chars and char arrays
  - Cannot hold taint status in primitives
- Does not defend against malicious web developers

Page 20

PERFORMANCE OVERHEAD: 0-15%

Page 21

CONTRIBUTIONS
- Efficient character-level taint tracking
  - Runtime overhead <15%
- Works immediately for Java legacy code
- Easy to adopt and deploy

Page 22

Thank you!

Any questions?