C152 – Programming Language Paradigms Prof. Tom Austin, Fall 2014
Dynamic Code Evaluation & Taint Analysis
Announcement
For next class, read Chapter 6 of your textbook. (You can skip Section 6.8). Also, install ANTLR from http://www.antlr.org/.
Dynamic code evaluation
eval
• Allows for code to be executed dynamically.
• In most languages, eval only takes a string: eval "puts 2+3"
• While this feature is widely popular (especially in JavaScript), it is also a source of security problems.
  – See Richards et al., "The Eval that Men Do", 2011, for more details.
Additional Ruby eval methods
• Ruby has additional variants for dynamically evaluating code in special contexts.
  – instance_eval evaluates code within the body of an object.
  – class_eval evaluates code within the body of a class.
• These methods can take a string or (more safely) a block of code.
• Why are these methods useful?
class_eval example
(in class)
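An added example (not from the slides) answering the "why are these useful" question: class_eval with a block adds a getter/setter pair to an existing class, the string form is shown once for comparison, and instance_eval reads one object's state. Config, define_setting and snapshot are names made up for this demonstration.

```ruby
# Hypothetical class used only for this demonstration.
class Config
  def initialize
    @values = {}
  end
end

# Hypothetical helper: adds a getter/setter pair to an existing class from
# outside it. The block is parsed when this file loads; no code is built
# from strings at run time.
def define_setting(klass, name)
  klass.class_eval do
    define_method(name) { @values[name] }
    define_method("#{name}=") { |v| @values[name] = v }
  end
end
define_setting(Config, :timeout)
define_setting(Config, :host)

# The string form also works, but Ruby parses the string as code only when
# this call runs, which is why the block form is the safer default.
Config.class_eval "def size; @values.size; end"

# instance_eval runs a block with self bound to one object, so it can read
# that object's state without adding methods to its class.
def snapshot(obj)
  obj.instance_eval { @values.dup }
end

def eval_demo
  c = Config.new
  c.timeout = 30
  c.host = "example.invalid"
  [c.timeout, c.host, c.size, snapshot(c)]
end
```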
Secure By Architecture
Developers are human: they will make mistakes.
How can we design tools so that the systems they create are inherently secure?
Success story: memory-safe languages
• Once upon a time, buffer overflow vulnerabilities were ubiquitous.
• Memory-safe languages manage memory automatically
  – Developers focus on functionality
  – Security-critical bugs are eliminated
• Buffer overflows have virtually disappeared
  – Except in your OS, web browser, etc.
Three Security Mechanisms
• Object capabilities: restrict what code can access. (covered another day)
• Taint analysis: protect critical fields from "dirty" data.
• Information flow analysis: Prevent secrets from leaking.
Taint Analysis: Protecting against dirty data
Taint Analysis
• Any variable under the control of an outside user poses a security risk
  – Examples: SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), etc.
• Taint tracking tracks untrusted variables and prevents them from being used in unsafe operations
Taint Tracking History
• 1989 – Perl 3 included support for a taint mode
• 1996 – Netscape included support for a taint mode in server-side JavaScript
  – Also available in the client, but disabled by default
  – Later abandoned
• Ruby later implemented a taint mode; we'll review it in more depth.
Taint Mode in Ruby
• Focused on protecting against integrity attacks.
  – E.g. data pulled from an HTML form cannot be passed to eval.
• Not possible to taint booleans or ints.
• Multiple ways to run in safe mode:
  – Use the -T command line flag.
  – Set the $SAFE variable in code.
$SAFE levels in Ruby
• 0 – No checking (default)
• 1 – Tainted data cannot be passed to eval
  – Cannot load/require new files
• 2 – Can't change, make, or remove directories
• 3 – New strings/objects are automatically tainted
  – Cannot untaint tainted values
• 4 – Safe objects become immutable
$SAFE example
s = "puts 4-3".taint
$SAFE = 1          # Can't eval tainted data
s.untaint          # Removes taint from data
puts s.tainted?
eval s
$SAFE = 3
s2 = "puts 2 * 7"  # Tainted
s2.untaint         # Won't work now
eval s2
eval s             # this is OK
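The taint mode shown above no longer exists in current Ruby: $SAFE was removed in Ruby 3.0 and String#taint/untaint/tainted? in Ruby 3.2. This added example (not from the slides) rebuilds the same discipline by hand: values from outside are wrapped as Tainted, the taint propagates through concatenation, a validator must accept the data before it is endorsed (the slide's untaint), and a guarded eval refuses tainted input as $SAFE = 1 did. Tainted, Taint, ARITHMETIC and the form input are all constructed for the demonstration.

```ruby
class TaintError < StandardError; end

# Marks a value that arrived from outside the program.
class Tainted
  attr_reader :value
  def initialize(value)
    @value = value.to_s
  end
end

module Taint
  def self.tainted?(v); v.is_a?(Tainted); end
  def self.raw(v); tainted?(v) ? v.value : v.to_s; end

  # Propagation: a string built from any tainted part is tainted.
  def self.concat(*parts)
    joined = parts.map { |p| raw(p) }.join
    parts.any? { |p| tainted?(p) } ? Tainted.new(joined) : joined
  end

  # Endorsement (the slide's untaint): the taint comes off only
  # after a validator block accepts the raw value.
  def self.endorse(v)
    return v unless tainted?(v)
    raise TaintError, "rejected #{v.value.inspect}" unless yield(v.value)
    v.value
  end

  # Sink mirroring $SAFE = 1: tainted data cannot be passed to eval.
  def self.guarded_eval(code)
    raise TaintError, "tainted data passed to eval" if tainted?(code)
    eval(code)
  end
end

ARITHMETIC = /\A[\d+\-* ]+\z/   # the only shape endorse accepts below

# Constructed value standing in for text read from an HTML form.
def taint_demo
  form_input = Tainted.new("4-3")
  code = Taint.concat("puts ", form_input)   # still tainted
  refused = begin
    Taint.guarded_eval(code); false
  rescue TaintError
    true
  end
  expr = Taint.endorse(form_input) { |s| s.match?(ARITHMETIC) }
  [Taint.tainted?(code), refused, Taint.guarded_eval(expr)]
end
```

String interpolation ("#{form_input}") is not tracked by this wrapper; build strings with Taint.concat so the taint survives.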
Information Flow Analysis
Here be dragons…
Taint vs. Information Flow Analysis
• Track/prevent flow of sensitive information.
• Taint analysis focuses on integrity: does "dirty" data corrupt trusted data?
  – Generally simpler to handle
  – Usually ignores certain (impractical?) attacks.
• Information flow analysis handles integrity as well, but focuses on confidentiality: does secret data leak to public channels?
Challenge of Securing Information
(Slide diagram; labels: Developer, Sensitive Data, Private Channel, Public Channel.)
Policy: Keep location of the spray paint can from leaking to public channels.
Challenge of Securing Information
(Slide diagram; labels: Developer, Sensitive Data, Private Channel, Public Channel.)
if (chan.police){ write(chan, spraycanLocation); }
(Slide diagram; labels: Developer, Sensitive Data, Private Channel, Public Channel.)
Developer: if (chan.police){ write(chan, spraycanLocation); }
New Developers, New System Requirements: write(chan, spraycanLocation);
Information Leaked
Additional Information Flow Challenges
Applications often make use of 3rd party libraries of questionable quality...
…or have vulnerabilities to code injection attacks...
…so we must assume that the attacker is able to inject code into our system.
Information Flow Analysis in Action
(Slide diagram; labels: Sensitive Data, Public Data, Private Channel, Public Channel.)
Termination-Insensitive Non-Interference
(Slide diagram; labels: Sensitive Data, Public Data, Private Channel, Public Channel.)
Public outputs do not depend on private inputs
Explicit and Implicit Flows
spraycanLocation = "Kwik-E-Mart"^police;
  (The ^police superscript is the label: the location is only visible to the police.)
x = spraycanLocation;
  Explicit flow from spraycanLocation to x.
if (x.charAt(0) < 'N') {
  firstCharMax = 12;
}
  Implicit flow from x to firstCharMax.
(Slide diagram; roles: Developer / Core Functionality, Security Expert, Business Domain Expert / Label Data: attach label police to spraycanLocation, Enforcement Mechanism.)
write(chan, spraycanLocation);
label: police, chan: police
(Slide diagram; roles: Developer / Core Functionality, Security Expert, Business Domain Expert / Label Data: attach label police to spraycanLocation, Enforcement Mechanism.)
write(chan, spraycanLocation);
label: police, chan: public
DENIED
Denning-style Static Analysis
• Done through a static certification process, perhaps integrated into a compiler.
• Data can flow down the lattice
• Programs can be guaranteed to be secure before the program is ever executed.
Static Analysis Certification
var secret = true^bank;   (^bank is the label on the literal)
var y = true;
if (secret)
  y = false;
var leak = true;
if (y)
  leak = false;
• Analysis ensures that private data does not affect public data.
• In this example, y's final value depends on secret.
• [Denning 1976]
Purely Dynamic Info Flow Controls
• Instrument interpreter with runtime controls
• Implicit flows can be handled by:
  – Ignoring unsafe updates
  – Crashing on unsafe updates
  – Leaking some data (not satisfying noninterference)
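Added example (not from the slides), serving both the static-certification program and the three treatments of implicit flows just listed: a small runtime monitor in Ruby labels every variable, raises a pc label inside branches on secret conditions, and applies one of the three strategies when a public variable is written under a secret pc. It runs the secret/y/leak program under each strategy so a public observer's view for secret = true and secret = false can be compared. Monitor, IFCError, Labeled and the :public/:secret labels are names chosen here.

```ruby
class IFCError < StandardError; end
LEVELS = { public: 0, secret: 1 }.freeze
Labeled = Struct.new(:val, :label)
# Each variable carries a label; pc is the join of the enclosing branch conditions' labels.
class Monitor
  attr_reader :vars
  def initialize(strategy)   # :ignore, :crash or :leak
    @strategy = strategy
    @vars = {}
    @pc = [:public]
  end
  def pc; @pc.last; end
  def join(a, b); LEVELS[a] >= LEVELS[b] ? a : b; end
  # Writing a public variable while pc is secret is an implicit flow.
  def set(name, val, label = :public)
    old = @vars[name]
    if old && LEVELS[old.label] < LEVELS[pc]
      raise IFCError, "unsafe update of #{name}" if @strategy == :crash
      return if @strategy == :ignore
      # :leak falls through and simply relabels the variable
    end
    @vars[name] = Labeled.new(val, join(label, pc))
  end
  # Branch on a labelled condition: the body runs with pc raised.
  def if_(cond)
    c = @vars.fetch(cond)
    @pc.push(join(c.label, pc))
    begin
      yield if c.val
    ensure
      @pc.pop
    end
  end
end

# The slide's program: secret carries the bank label (:secret here), y and
# leak start public. Returns leak's final [value, label].
def run(strategy, secret_value)
  m = Monitor.new(strategy)
  m.set(:secret, secret_value, :secret)
  m.set(:y, true)
  m.if_(:secret) { m.set(:y, false) }
  m.set(:leak, true)
  m.if_(:y) { m.set(:leak, false) }
  m.vars[:leak].to_a
end
# Public observer's view for each secret; equal entries mean noninterference.
def observe(strategy)
  [true, false].map { |s| run(strategy, s) rescue :crash }
end
```

Under :leak the public value of leak equals the secret, which is exactly the leak the static analysis on the previous slide rejects; :crash aborts one of the two runs, so it only satisfies the termination-insensitive form of noninterference.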
Lab: Taint tracking
Today's lab explores taint tracking in Ruby. Starter code is available on the course website. Details in Canvas.