Post on 18-Dec-2015
EFFICIENT CHARACTER-LEVEL TAINT TRACKING FOR JAVAErika Chin
David Wagner
UC Berkeley
2
WEB APPLICATIONS
80% of all web applications are vulnerable to attack [1]
Most are command injection attacks (mixed control and data channel):SQL injectionXSSHTTP response splittingPath traversalShell command injection
[1] J. Grossman. WhiteHat website security statistics report, Aug 2008.
3
EXAMPLE – SQL INJECTION
Query = “SELECT * FROM students WHERE name = ‘ ” + studentName + “ ’ ”;
What if: studentName = Bobby“SELECT * FROM students WHERE name = ‘Bobby’ ”
studentName = Bobby’; DROP TABLE students; --“SELECT * FROM students WHERE name = ‘Bobby’;
DROP TABLE students; --’ ”
Inspired by XKCD: http://xkcd.com/327/
4
COMMAND INJECTION ATTACKS
Command Injection Attack Command Elements
SQL injection attack SQL keywords and operators
XSS JavaScript
HTTP response splitting Newlines (CR, LF)
Path traversal ‘/’ , “..”
Shell command injection Shell keywords and operators, meta-characters
5
A NATURAL APPROACH – TAINT TRACKING AT THE CHARACTER LEVEL
Others have argued that taint tracking aids the detection of command injection attacksTaint tracking reveals what data gets
touched by user input Attacks are injected into web
applications in the form of strings, so we can limit the scope of tracking to strings
Character-level information narrows the focus to specific portions of the string
6
OUR FOCUS
We focus on taint tracking for Java web applications
Many commercial enterprises use Java for their web services
7
CHARACTER-LEVELTAINT TRACKING FOR JAVA
1. Source Tainting: Augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
2. Taint Propagation: Replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
3. Sink Checking: At each sink, use the taint information to detect attacks by checking that control data is not tainted
8
We mark all information from the HTTP request as untrusted
http://www.youtube.com/results?search_query=rick+roll…GET /results?search_query=rick+roll&search_type=&aq…Host: www.youtube.com…Referrer: http://www.youtube.com/Cookie: use_hitbox=72c46ff6cddcb7c5585…
SOURCE TAINTING
Form ParametersProtocol
Path
HTTP Headers: Cookies,Session Id, etc.
9
SOURCE TAINTING: AUGMENTED CLASSES
Replace the Tomcat Servlet classes with our own modified classesjavax.servlet.http.HttpServletRequestjavax.servlet.http.Cookiejavax.servlet.http.HttpSessionorg.apache.catalina.connector.CoyoteReade
r
10
BASIC TAINT PROPAGATION
Example code snippet:
String city = request.GetParameter(“city”);
String punctuation = “, ”;String state = “CA”;
String temp = punctuation.concat(state);
String location = city.concat(temp);
11
TAINT PROPAGATION:ORIGINAL STRING CLASS
citychar[]
punctuation
state
temp = punctuation.concat(state)
city.concat(temp)
B e r k e l e y
,
C A
, C A
B e r k e l e y , C A
12
TAINT PROPAGATION:MODIFIED STRING CLASS
city char[]
boolean[]
punctuation
state
temp = punctuation.concat(state)
city.concat(temp)
B e r k e l e y
,
C A
, C A
B e r k e l e y , C A
T T T T T T T T
F F
F F
F F F F
T T T T T T T T F F F F
13
OPTIMIZED TAINT PROPAGATION
To reduce the overhead of taint tracking, only track taint when necessary
Only allocate boolean taint array once the String contains a tainted character
Reduces overhead by eliminating array copies for operations on fully untainted strings
14
F F
F F
F F F F
OPTIMIZED TAINT PROPAGATION
city
punctuation
state
temp = punctuation.concat(state)
city.concat(temp)
B e r k e l e y
,
C A
, C A
T T T T T T T T
null
null
null
B e r k e l e y , C A
T T T T T T T T F F F F
15
TAINT PROPAGATION:AUGMENTED CLASSES java.lang.String java.lang.StringBuffer java.lang.StringBuilder
16
SINK CHECKING
Sinks can use taint information to detect commands in user-supplied dataSQL – instrument the JDBC to parse the
SQL queries and check for SQL keywords and operators that contain tainted characters
XSS – examine HTML for tainted JavaScript Details of how to do this are well-
documented in the previous literature and not the focus of this work [2]
[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL ’06.
17
BENEFITS
Provides a basis to protect from command injection attacks
Simple, easy to adopt and deployServer-side changeOne-time modificationNo change to web application byte codeNo need for web application source codeWorks immediately with Java legacy
applications Efficient
18
BENEFITS CON’T
Handles web applications that call string methods reflectivelyJava reflection allows calls to methods
selected at runtimeOur approach can track the taint for
these reflected calls
19
LIMITATIONS
For backwards compatibility we do not record taint status in the serialized form
May lose taint status via string operations with chars and char arraysCannot hold taint status in primitives
Does not defend against malicious web developers
20
PERFORMANCE OVERHEAD: 0-15%
21
CONTRIBUTIONS
Efficient character-level taint tracking Runtime overhead <15% Works immediately for Java legacy
code Easy to adopt and deploy
22
Thank you!
Any questions?