Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding...
Transcript of Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding...
![Page 1: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/1.jpg)
Dynamic Taint Propagation
Finding VulnerabilitiesWithout Attacking
Brian Chess / Jacob WestFortify Software
2.21.08
![Page 2: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/2.jpg)
Overview
• Motivation• Dynamic taint propagation• Sources of inaccuracy• Integrating with QA• Related work• Parting thoughts
![Page 3: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/3.jpg)
MOTIVATION
![Page 4: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/4.jpg)
Existential Quantification
“there exists”
There existsa vulnerability
(again).
![Page 5: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/5.jpg)
Universal Quantification
“for all”
For all bad things thatmight happen,
the program is safe.
![Page 6: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/6.jpg)
Security vs. Software Development
Software Development
Security
![Page 7: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/7.jpg)
Security vs. Software Development
Software Development
Security
Programmers Testers
![Page 8: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/8.jpg)
Are you going to give me Yet Another Lecture About Static
Analysis (YALASA)?
• No• Focus on QA• Using static analysis requires
understanding code
![Page 9: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/9.jpg)
Team Sizes at Microsoft
![Page 10: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/10.jpg)
QA Testers vs. Security Testers
Functional Testers Security TestersKnow the program. Know security.
Need high functional coverage.
Need to find at least one vulnerability.
Lots of time and resources
(comparatively).
Often arrive at the party late and are
asked to leave early.
![Page 11: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/11.jpg)
Typical Software Testing
ProgramUnder Test
![Page 12: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/12.jpg)
Typical Security Testing
ProgramUnder Test
x x
Clear indicationof a vulnerabilityTest case to prove it.
![Page 13: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/13.jpg)
Fault Injection Failings
• Bad input derails normal program flow• Cannot mutate functional tests and
retain coverageAdd
to cartEnter
AddressEnterCC
Input Input Input
![Page 14: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/14.jpg)
Fault Injection Failings
• Result: bad test coverage• Result: missed vulnerabilities
Addto cart
EnterAddress
EnterCC
Input Input Input
![Page 15: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/15.jpg)
Problem Summary
• QA has, security team lacks:– Good test coverage– Time and resources
• Security team has, QA lacks:– Security clue
![Page 16: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/16.jpg)
Involve QA in Security
• Ease of use– Favor false negatives over false positives– Expect security team to test too
• Leverage existing QA tests– Achieve high coverage– Must be transformed into security tests
![Page 17: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/17.jpg)
DYNAMIC TAINT PROPAGATION
![Page 18: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/18.jpg)
Dynamic Taint Propagation
• Follow untrusted data and identify points where they are misused
![Page 19: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/19.jpg)
Example: SQL Injection...user = request.getParameter("user"); try {sql = "SELECT * FROM users " +
"WHERE id='" + user + "'";stmt.executeQuery(sql);} ...
![Page 20: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/20.jpg)
Tracking Taint
1. Associate taint marker with untrusted input as it enters the program
2. Propagate markers when stringvalues are copied or concatenated
3. Report vulnerabilities when tainted strings are passed to sensitive sinks
![Page 21: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/21.jpg)
Java: Foundation
• Add taint storage to java.lang.String
Length Body
Length Taint Body
![Page 22: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/22.jpg)
Java: Foundation
• StringBuilder and StringBufferpropagate taint markers appropriately
Tainted Tainted+ = Tainted
Untainted + = TaintedTainted
Untainted + = UntaintedUntainted
![Page 23: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/23.jpg)
Java: Sources
• Instrument methods that introduce input to set taint markers, such as:– HttpServletRequest.getParameter() – PreparedStatement.executeQuery()– FileReader.read()– System.getenv()– ...
![Page 24: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/24.jpg)
Java: Sinks
• Instrument sensitive methods to check for taint marker before executing, such as:– Statement.executeQuery() – JspWriter.print()– new File() – Runtime.exec()– ...
![Page 25: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/25.jpg)
Example: SQL Injectionuser = request.getParameter("user");
try {sql = "SELECT * FROM users " +
"WHERE id='" + user + "'";
stmt.executeQuery(sql);}
TaintUtil.setTaint(user, 1);
TaintUtil.setTaint(sql,user.getTaint());TaintUtil.checkTaint(sql);
![Page 26: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/26.jpg)
Results Overview
![Page 27: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/27.jpg)
Security Coverage
![Page 28: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/28.jpg)
SQL Injection Issue
![Page 29: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/29.jpg)
Source
![Page 30: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/30.jpg)
Sink
![Page 31: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/31.jpg)
Severity Category URL
Critical SQL Injection/splc/listMyItems.do
Class Linecom.order.splc.ItemService
196Query Stack Trace
select * from item where item name = ‘adam‘ and ...
java.lang.Throwable atStackTrace$FirstNested$SecondNested.
<init>(StackTrace.java:267) at StackTrace$FirstNested.
<init>(StackTrace.java:256) at StackTrace.<init>(StackTrace.java:246) at StackTrace.
main(StackTrace.java:70)
Where is the Problem?
![Page 32: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/32.jpg)
Instrumentation
• Instrument JRE classes once • Two ways to instrument program:
– Compile-time• Rewrite the program's class files on disk
– Runtime• Augment class loader to rewrite program
![Page 33: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/33.jpg)
Aspect-Oriented Programming
• Express cross-cutting concerns independently from logic (aspects)
• Open source frameworks– AspectJ (Java)– AspectDNG (.NET)
• Could build home-brew instrumentation on top of bytecode library (BCEL, ASM)
![Page 34: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/34.jpg)
Example
public aspect SQLInjectionCore extends ... {//Statementpointcut sqlInjectionStatement(String sql):(call(ResultSet Statement+.executeQuery(String)) && args(sql)) ...
}
![Page 35: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/35.jpg)
Instrument Inside or Outside?
• Inside function body– Lower instrumentation cost
• Outside function call– Lower runtime cost / better reporting
![Page 36: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/36.jpg)
Types of Taint
• Track distinct sources of untrusted input– Report XSS on data from the Web or
database, but not from the file system• Distinguish between different sources
when reporting vulnerabilities– Prioritize remotely exploitable vulnerabilites
![Page 37: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/37.jpg)
Java: Foundation – Round 2
• Add taint storage and source information to java.lang.String storage
Length Taint
Length Taint Source Body
Body
![Page 38: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/38.jpg)
Writing Rules
• Identifying the right methods is critical– Missing just one source or sink can be fatal
• Leverage experience from static analysis– Knowledge of security-relevant APIs
![Page 39: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/39.jpg)
SOURCES OF INACCURACYGoing Wrong
![Page 40: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/40.jpg)
Types of Inaccuracy
• False positives: erroneous bug reports– Painful for tool user
• False negatives: unreported bugs– Uh oh
![Page 41: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/41.jpg)
False Positives:Unrecognized Input Validationuser = request.getParameter("user");if (!InputUtil.alphaOnly(user)) {return false;
}try {sql = "SELECT * FROM users " +
"WHERE id='" + user + "'";stmt.executeQuery(sql);
}
![Page 42: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/42.jpg)
False Positives:Impossible Ctl Flow Paths• Paths that regular data can take that
malicious data cannot take• Solution: cleanse rules
– Remove taint when String is input to a regular expression, compared to static string, etc
![Page 43: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/43.jpg)
Countering False Positives:Bug Verification
• Training wheels for security testers• Show which inputs to attack• Suggest attack data• Monitor call sites to determine if attack
succeeds
![Page 44: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/44.jpg)
False Negatives
• Taint can go where we cannot follow– String decomposition– Native code– Written to file or database and read back
• Bad cleanse rules• Poor test coverage
![Page 45: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/45.jpg)
False Negatives:String DecompositionStringBuffer sb = new StringBuffer();for (int i=0; i<tainted.length(); i++){sb.append(tainted.charAt(i));
}String untainted = sb.toString();return untainted;
![Page 46: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/46.jpg)
False Negatives:Insufficient Input Validationuser = request.getParameter("user");if (!InputUtil.alphaOnly(user)) {return false;
}try {sql = "SELECT * FROM users " +
"WHERE id='" + user + "'";stmt.executeQuery(sql);
}
![Page 47: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/47.jpg)
False Negatives:Poor Test Coverage• Only looks at paths that are executed• Bad QA Testing == Bad Security
Testing
![Page 48: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/48.jpg)
INTEGRATING WITH QAPractical Considerations
![Page 49: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/49.jpg)
In Practice
• Deployment may involve more or less involvement from central security team
Central Security Quality Assurance
![Page 50: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/50.jpg)
Deployment Activities
Central Security Quality AssuranceInstrumentation
Functional testingTriage and Verification
Reporting bugs
![Page 51: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/51.jpg)
Instrumentation
• Either QA or Security• Key considerations
– Cover program behavior– Cover security threats
![Page 52: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/52.jpg)
Functional Testing
• QA• Key considerations
– Maximize coverage (existing goal)– Security knowledge not required
![Page 53: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/53.jpg)
Triage and Verification
• Either QA or Security• Key considerations
– Understand issues in program context– Security knowledge
• Hand-holding to create "exploits"• Different bugs to different auditors• Targeted training
![Page 54: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/54.jpg)
Reporting Bugs
• Either QA or Security• Key considerations
– Bug reporting conventions / protocols– Solid remediation advice
![Page 55: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/55.jpg)
RELATED WORKOther people’s business
![Page 56: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/56.jpg)
Related Work
• Perl• Taint propagation for Java• Constraint propagation for C• Fine-grained taint propagation for C• Taint propagation for PHP
![Page 57: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/57.jpg)
Perl
#!/usr/bin/perl –Tmy $arg=shift;system($arg);
> Insecure $ENV{PATH }
![Page 58: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/58.jpg)
Perl
#!/usr/bin/perl –Tmy $arg=shift;$ENV{PATH} = "/bin";system($arg);
> Insecure dependency in system while running with -T switch
![Page 59: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/59.jpg)
Perl
• Automatically removes taint when string is used in regex
• Meant for active defense, not bug finding, so error messages are less than ideal
![Page 60: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/60.jpg)
Taint Propagation for Java
• Haldar, Chandra, Franz (UC Irvine) ACSAC ‘05
• Taints Java String objects• Active protection, not bug detection• Notion of taint flags, but no impl
![Page 61: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/61.jpg)
Constraint Propagation for C
• Larsen and Austin (U Michigan) USENIX ‘03
• Keep track of symbolic constraints on input while program is running
• Spot bugs where input is under-constrained
• Found multiple bugs in OpenSSH
![Page 62: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/62.jpg)
Constraint Propagation for C
unsigned int x;int array[5];scanf(“%d”, &x);if (x > 4) die();x++;array[x]= 0;
x = 2x = 2x = 3OK
0 ≤ x ≤ ∞0 ≤ x ≤ 40 ≤ x ≤ 5ERROR!
ConcreteExecutionCode
SymbolicExecution
![Page 63: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/63.jpg)
Fine-grained Taint Propagation
• Xu, Bhatkar, Sekar (Stony Brook), USENIX ‘06• Keep explicit taint state for every byte in the
program• Requires large chunk of program address
space• Clever optimizations make performance penalty
bearable in many cases
![Page 64: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/64.jpg)
Fine-grained Taint PropagationProgram address space
00000000
FFFFFFFF
read(f, x, len);
Taint map
memcpy(y, x, len);
![Page 65: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/65.jpg)
Fine-grained Taint Propagation
• Can detect most injection attacks– Buffer overflow, format string attacks, SQL
injection, command injection
• Works for interpreted languages with native interpreters (PHP).
![Page 66: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/66.jpg)
PHP
• Easier to do fine-grained analysis– all program data represented with native
data structures• Augment interpreter to propagate taint• Small performance penalty • Core GRASP• Our vote: build it into the std interpreter
![Page 67: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/67.jpg)
Static Analysis(YALASA)
• Advantage– can simulate execution of all possible
paths• Disadvantage
– necessarily less precise– does not know which paths are likely and
which are unlikely
![Page 68: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/68.jpg)
SUMMARY
![Page 69: Dynamic Taint Propagation - Black Hat Briefings · Dynamic Taint Propagation Finding Vulnerabilities ... • Open source frameworks – AspectJ (Java) ... – Native code](https://reader030.fdocuments.us/reader030/viewer/2022011802/5b5b03627f8b9a55388d6c27/html5/thumbnails/69.jpg)
Conclusions
• Security is coming to QA!• Lessons from security in development
– Target process steps at strengths – Designs tools for the right audience– Use targeted training to bolster capabilities