taj: effective taint analysis of web...
TRANSCRIPT
![Page 1: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/1.jpg)
Presented by Dong Chen
Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan, Omri Weisman
Published in PLDI 2009
TAJ: Effective Taint Analysis of Web Applications
![Page 2: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/2.jpg)
Recall: Taint Analysis
Source
Sink
Sanitizer
![Page 3: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/3.jpg)
Outline
´ Background ´ Motivation ´ Approach ´ Evaluation ´ Conclusion
![Page 4: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/4.jpg)
Outline
´ Background ´ Motivation ´ Approach ´ Evaluation ´ Conclusion
![Page 5: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/5.jpg)
OWASP Top Ten Security Vulnerabilities
http://www.owasp.org
![Page 6: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/6.jpg)
Existing solutions
´ Type systems: ´ Complex, conservative, require
code annotations
´ Slicing: ´ Has not been shown to scale to
large applications
![Page 7: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/7.jpg)
Outline
´ Background ´ Motivation ´ Approach ´ Evaluation ´ Conclusion
![Page 8: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/8.jpg)
Motivating Example
![Page 9: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/9.jpg)
Motivating Example
![Page 10: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/10.jpg)
Outline
´ Background ´ Motivation ´ Approach ´ Evaluation ´ Conclusion
![Page 11: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/11.jpg)
TAJ
´ Consists of 2 stages: ´ Pointer analysis
´ Slicing algorithm
´ Effective reports
´ Efficient behavior under restricted budget
![Page 12: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/12.jpg)
Pointer analysis and call-graph construction ´ Pointer analysis is a variant of Andersen’s
analysis ´ Custom context-sensitivity policy:
´ Unlimited-depth object sensitivity for Java collections
´ One level of call-string context for factory methods
´ One level of call-string context for taint APIs
´ Pointer analysis of TAJ is field sensitive
![Page 13: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/13.jpg)
Hybrid thin slicing
st4
l2
l2
st4
l4
st2 st1
l5 l3
l1
st3
st5
c3
c4
sk1
r3
r7
r8
r4
c2
s1
s2
r2
c1
c5
r5
r1
sk2
sti Store statement
li Load statement
ski Sink-dispatch statement
Hybrid SDG
Slice in the no-heap
SDG
Store-to-load direct edge Load-to-store or load- to-sink summary edge No-heap SDG edge
ci Call statement
ri Return statement
si Other statement
Direct edges: computed based on preliminary pointer analysis Summary edges: computed using no-heap SDG
![Page 14: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/14.jpg)
Eliminating Redundant Reports
Example: 1. Use p1 and p2 2. Use p3 and p4
![Page 15: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/15.jpg)
Priority-driven Call-graph Construction
• Priority queue used to govern call-graph growth
• Sources are assigned priority 0, others maxNodes
• Recursively, for each “neighbor” t of node n: pr (t) = min{(pr (n) + 1), pr (t)}
• Propagation process runs to a fixed point
• “Locality-of-taint” principle
![Page 16: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/16.jpg)
Outline
´ Background ´ Motivation ´ Approach ´ Evaluation ´ Conclusion
![Page 17: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/17.jpg)
Evaluation • Performance
![Page 18: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/18.jpg)
Evaluation • Accuracy
![Page 19: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/19.jpg)
Outline
´ Background ´ Motivation ´ Approach ´ Evaluation ´ Conclusion
![Page 20: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/20.jpg)
Conclusion
• Effective solution for taint analysis of Web applications based on pointer analysis and hybrid thin slicing
• Efficient strategies for analysis under limited budget
![Page 21: TAJ: Effective Taint Analysis of Web Applicationspeople.cs.vt.edu/~ryder/6304/lectures/10-TrippEtAl-TAJ...Presented by Dong Chen Omer Tripp, Marco Pistoia, Stephen Fink, Manu Sridharan,](https://reader034.vdocuments.net/reader034/viewer/2022042115/5e91c84ba16d2f31ce438e5a/html5/thumbnails/21.jpg)
Questions