Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Slides:



Advertisements
Similar presentations
Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Advertisements

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.
Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.
Designed-in Security Some Major Challenges Security Group Department of Computer Science University of California, Santa Barbara Trustworthy.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
Omer Tripp November 9 th, 2009 Static Analysis for Security A Case Study in the Automation of Code Auditing.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from
1 Detecting Logic Vulnerabilities in E- Commerce Applications Presenter: Liu Yin Slides Adapted from Fangqi Sun Computer Science Department College of.
CQual: A Tool for Adding Type Qualifiers to C Jeff Foster et al UC Berkeley OSQ Retreat, May
Λ λ Language Based Security TAJ: Effective Taint Analysis of Web Applications PLDI 2009 Omer Tripp IBM Software Group Marco Pistoia IBM.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
TAJ: Effective Taint Analysis of Web Applications
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
SQL INJECTION COUNTERMEASURES &
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
Approaches to Application Security – DSM
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.
Security Testing Case Study 360logica Software Testing Services.
Saving the World Wide Web from Vulnerable JavaScript International Symposium on Software Testing and Analysis (ISSTA 2011) Omer Tripp IBM Software Group.
Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.
Inference and Checking of Object Ownership Wei Huang 1, Werner Dietl 2, Ana Milanova 1, Michael D. Ernst 2 1 Rensselaer Polytechnic Institute 2 University.
Attacking Applications: SQL Injection & Buffer Overflows.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
SQL injection Figure 1 By Kaveri Bhasin. Motive of SQL Injection Obtain data from database Modify system functions Insert data in the backend database.
CANDID : Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations V. N. Venkatakrishnan Assistant Professor, Computer Science University of.
Jose Sanchez 1 o Tielei Wang†, TaoWei†, Zhiqiang Lin‡, Wei Zou†. o Purdue University & Peking University o Proceedings of NDSS'09: Network and Distributed.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
Slide 1 Vitaly Shmatikov CS 380S Static Detection of Web Application Vulnerabilities.
Static Analysis James Walden Northern Kentucky University.
Middleware Vulnerabilities Damian Tamayo Kansas State University MSE 2 nd Semester.
Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.
Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.
By Davide Balzarotti Marco Cova Viktoria V. FelmetsgerGiovanni Vigna Presented by: Mostafa Saad.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011.
EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.
The Potential of Sampling for Dynamic Analysis Joseph L. GreathouseTodd Austin Advanced Computer Architecture Laboratory University of Michigan PLAS, San.
ReIm & ReImInfer: Checking and Inference of Reference Immutability and Method Purity Wei Huang 1, Ana Milanova 1, Werner Dietl 2, Michael D. Ernst 2 1.
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic,
Zac Fenigshtien  Introduction: 3 Tier Architecture  SQL Injection ◦ Parameter Sandboxing ◦ Blacklisting, Whitelisting.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Introduction SQL Injection is a very old security attack. It first came into existence in the early 1990's ex: ”Hackers” movie hero does SQL Injection.
Module: Software Engineering of Web Applications
Detecting Vulnerabilities in Web Code with concolic execution
Suji Munetoh, The Graduate University for Advanced Studies & IBM
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Automatic Web Security Unit Testing: XSS Vulnerability Detection Mahmoud Mohammadi, Bill Chu, Heather Richter, Emerson Murphy-Hill Presenter:
SQL Injection.
Static Detection of Cross-Site Scripting Vulnerabilities
Theodore Lawson CSCE548 Student Presentation, Topic #2
Security mechanisms and vulnerabilities in .NET
Taint tracking Suman Jana.
Advanced Penetration testing
Chapter 13 Security Methods Part 3.
Securing Web Applications with Information Flow Tracking
CS5123 Software Validation and Quality Assurance
Automatically Hardening Web Applications Using Precise Tainting
Presentation transcript:

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1

Taint Analysis for Java Web Applications Tracks flows from untrusted sources to sensitive sinks ◦ Such flows can cause SQL-injection, Cross-site scripting, other attacks 2 Untrusted input Sensitive sinks unsanitized SOURCES : ServletRequest.getParameter(), etc. SOURCES : ServletRequest.getParameter(), etc. SINKS : Statement.execute(), etc SINKS : Statement.execute(), etc

SQL Injection HttpServletRequest req =...; Statement stat =...; String user = req.getParameter(“user”); String query = “SELECT * FROM Users WHERE name = “ + user; stat.execute(query); Tainted input “John OR 1=1” SELECT * FROM Users WHERE name = John OR 1 = 1 SELECT * FROM Users WHERE name = John OR 1 = 1 3

Work on Taint Analysis Finding Security Vulnerabilities with Static Analysis [Livshits and Lam, Usenix Security’05] TAJ [Tripp et al. PLDI’09] F4F [Sridharan et al. OOPSLA’11] Andromeda [Tripp et al. FASE’13] TAJ, F4F and Andromeda are included in a commercial tool from IBM, called AppScan 4

Issues with Existing Work Dataflow and points-to based approaches Reflection Libraries Frameworks 5

Our Type-based Taint Analysis SFlow: a type system SFlowInfer: inference tool for SFlow ◦ Takes Java program where sources are typed tainted and sinks are typed safe ◦ Infers SFlow types for the rest of the variables ◦ If inference succeeds --- no flows from sources to sinks ◦ If it fails with type errors --- potential flows Easily and effectively handles reflection, libraries and frameworks 6

Inference and Checking Framework 7 Unified Typing Rules Set-Based Solver Extract Typing Type Checking Parameters Instantiated Rules Set-based Solution Concrete Typing Program Source Annotated Libraries Annotated Libraries Immutability (ReIm) Universe Types (UT) Ownership Types (OT) SFlow AJ EnerJ More? Immutability (ReIm) Universe Types (UT) Ownership Types (OT) SFlow AJ EnerJ More?

SFlowInfer The instantiated inference tool Detects (or verifies the absence of) information flow violations Java source Annotated Libraries SFlowInfer Result Sources and Sinks 8

SQL Injection HttpServletRequest req =...; Statement stat =...; tainted String user = req.getParameter(“user”); tainted String query = “SELECT * FROM Users WHERE name = “ + user; stat.execute(query); Source: the return value is tainted Type error! Sink: the parameter is safe Subtyping: safe <: tainted Subtyping: safe <: tainted 9

Contributions SFlow: A context-sensitive type system for secure information flow SFlowInfer: An inference algorithm for SFlow ◦ SFlowInfer is an effective taint analysis tool Implementation and evaluation 10

Outline SFlow type system Inference algorithm for SFlow Handling of reflection, libraries and frameworks Implementation and evaluation 11

SFlow Type Qualifiers tainted: A variable x is tainted, if there is flow from an untrusted source to x safe: A variable x is safe if there is flow from x to a safe sink poly: The polymorphic qualifier, can be instantiated to tainted or safe safe <: poly <: tainted 12

Instantiated Typing Rules for SFlow (TCALL) T Viewpoint adaptation accounts for context sensitivity. q y is the context of adaptation. Additional constraints… 13

Outline SFlow type system Inference algorithm for SFlow Handling of reflection, libraries and frameworks Implementation and evaluation 14

Inference and Checking Framework 15 Unified Typing Rules Set-Based Solver Extract Typing Type Checking Parameters Instantiated Rules Set-based Solution Concrete Typing Program Source Annotated Libraries Annotated Libraries Immutability (ReIm) Universe Types (UT) Ownership Types (OT) SFlow AJ EnerJ More? Immutability (ReIm) Universe Types (UT) Ownership Types (OT) SFlow AJ EnerJ More?

Set-based Solver Set Mapping S : ◦ variable  {tainted, poly, safe} Iterates over statements s ◦ Removes infeasible qualifiers for each variable in s according to the typing rule Until reaches a fixpoint, and outputs ◦ Type errors if one or more variables get assigned the empty set, or ◦ A set-based solution 16

From Stanford Securibench-micro 17 StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink } StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink }

From Stanford Securibench-micro 18 StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink } StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink }

From Stanford Securibench-micro 19 StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink } StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink }

From Stanford Securibench-micro 20 StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink } StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink }

From Stanford Securibench-micro 21 StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink } StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink }

From Stanford Securibench-micro 22 StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink, BAD! } StringBuffer buf; … foo(buf, buf, resp, req); void foo(StringBuffer b, StringBuffer b2, ServletResponse resp, ServletRequest req) { String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); String str = b2.toString(); writer.println(str); //sink, BAD! }

Set-based Solver 23 {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! } {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! }

Set-based Solver 24 {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! } {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! }

Set-based Solver 25 {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! } {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! }

Set-based Solver 26 {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! } {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! }

Set-based Solver 27 {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! } {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink, BAD: flow from source! }

Set-based Solver 28 {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink } {tainted,poly,safe} StringBuffer buf; … foo(buf, buf, resp, req); void foo({tainted,poly,safe} StringBuffer b, {tainted,poly,safe} StringBuffer b2, ServletResponse resp, ServletRequest req) { {tainted,poly,safe} String name; name = req.getParameter(NAME);//source b.append(name); PrintWriter writer = resp.getWriter(); {tainted,poly,safe} String str = b2.toString(); writer.println(str); //sink } Type error! tainted or poly str cannot be assigned to safe parameter!

Set-based Solver (Cont’d) What if the set-based solver terminates without a type error? Extract the maximal typing from set-based solution according to preference ranking tainted > poly > safe ◦ If S(x) = {poly, safe} the maximal typing types x poly Unfortunately, the maximal typing for SFlow does not always type-check 29

Inference and Checking Framework 30 Unified Typing Rules Set-Based Solver Extract Typing Type Checking Parameters Instantiated Rules Set-based Solution Concrete Typing Program Source Annotated Libraries Annotated Libraries Immutability (ReIm) Universe Types (UT) Ownership Types (OT) SFlow AJ EnerJ More? Immutability (ReIm) Universe Types (UT) Ownership Types (OT) SFlow AJ EnerJ More?

Maximal Typing class A { {String f; {String get(A this) { return this.f; } A y =...; String x = y.get(); writer.println(x); // sink Unfortunately, the maximal typing for SFlow does not always type-check! 31

Maximal Typing (Cont’d) class A { {poly} String f; {poly,safe} String get({poly,safe} this) { return this.f; } {tainted,poly,safe} A y =...; {safe} String x = y.get(); writer.println(x); 32

Maximal Typing (Cont’d) class A { {poly} String f; {poly,safe} String get({poly,safe} this) { return this.f; } {tainted,poly,safe} A y =...; {safe} String x = y.get(); writer.println(x); 33

Maximal Typing (Cont’d) class A { {poly} String f; {poly,safe} String get({poly,safe} this) { return this.f; } {tainted,poly,safe} A y =...; {safe} String x = y.get(); writer.println(x); ✗ 34

Method Summary Constraints Reflect the relations between parameters and return values Further remove infeasible qualifiers String id(String p) { String x = p; return x; } 35

Method Summary Constraints (Cont’d) class A { {poly} String f; {poly,safe} String get({poly,safe} this) { return this.f; } {tainted,poly,safe} A y =...; {safe} String x = y.get(); writer.println(x); 36

Method Summary Constraints (Cont’d) class A { {poly} String f; {poly,safe} String get({poly,safe} this) { return this.f; } {tainted,poly,safe} A y =...; {safe} String x = y.get(); writer.println(x); ✔ 37

Outline SFlow type system Inference algorithm for SFlow Handling of reflection, libraries and frameworks Implementation and evaluation 38

Reflection, Libraries and Frameworks Reflective object creation is easy! There is no need to abstract heap objects! Flow from x to y is reflected through subtyping x <: y 39 X x = (X)Class.forName(“str”).newInstance(); x.f = a; // a is a source y = x; b = y.f; // b is a sink

Reflection, Libraries and Frameworks (Cont’d) Libraries (JDK, third-party, frameworks) Unknown library methods are typed poly, poly  poly safe l = r.m(r1,r2) l = r.m(tainted r1,r2) 40

Reflection, Libraries and Frameworks (Cont’d) Frameworks (e.g., Struts, Spring) ◦ Framework classes/interfaces are subclassed/implemented in web application code Superclass-subclass relation is handled using function subtyping constraints UserAction.execute(ActionForm userForm) <: Action.execute(tainted ActionForm form) entails form <: userForm //userForm is tainted 41

Outline SFlow type system Inference algorithm for SFlow Handling of reflection, libraries and frameworks Implementation and evaluation 42

Implementation Built in inference and checking framework for pluggable types [Huang et al. ECOOP’12] ◦ Instantiated framework with SFlow ◦ Built on top of the Checker Framework [Papi et al. ISSTA’08, Dietl et al. ICSE’11] Publicly available at ◦ 43

Evaluation DroidBench ◦ A suit of 39 Android apps by [Arzt et al. PLDI’14 ] for evaluating taint analysis for Android Java web applications ◦ Stanford Securibench: a suit by Ben Livshits designed for evaluating taint analysis ◦ Other web applications from previous work ◦ 13 web applications comprising 473kLOC 44

DroidBench [ Arzt et al. PLDI’14 ] Tool NameAppScanFortify SCAFlowDroi d SFlowInfer Correct warning ✔ False warning ✖ 5449 Missed flow Precision ✔ /( ✔ + ✖ ) 74%81%86%76% Recall ✔ /( ✔ +) 50%61%93%100% SFlowInfer outperforms AppScan and Fortify SCA FlowDroid [ Arzt et al. PLDI’14 ] is flow-sensitive ◦ DroidBench is designed for flow sensitivity 45

Java Web Applications We manually examined all type errors Parameter Manipulation / SQL Injection ◦ 7 benchmarks have no type errors ◦ 66 type errors correspond to true flows ◦ Average false positive rate: 15% Parameter Manipulation / XSS ◦ 8 benchmarks have no type errors ◦ 143 type errors correspond to true flows ◦ Average false positive rate: 4% 46

Runtime Performance SFlowInfer takes less than 3 minutes on all but 2 benchmarks Largest benchmark, photov 126kLOC, takes 640 seconds ◦ Can be optimized Maximal heap size is set to 2GB! 47

Conclusion A type system for secure information flow An efficient type inference algorithm ◦ Effective taint analysis tool Evaluation on 473kLOC Publicly available at ◦ 48

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.