Efficient Character-level Taint Tracking for Java. Erika Chin, David Wagner, UC Berkeley.

Web Applications
80% of all web applications are vulnerable to attack [1]
Most are command injection attacks (mixed control and data channel):
- SQL injection
- XSS
- HTTP response splitting
- Path traversal
- Shell command injection
[1] J. Grossman. WhiteHat website security statistics report, Aug

Example – SQL Injection
Query = "SELECT * FROM students WHERE name = '" + studentName + "'";
What if:
studentName = Bobby
Query: "SELECT * FROM students WHERE name = 'Bobby'"
studentName = Bobby'; DROP TABLE students; --
Query: "SELECT * FROM students WHERE name = 'Bobby'; DROP TABLE students; --'"
Inspired by XKCD

Command Injection Attacks
Command injection attack: command elements
- SQL injection attack: SQL keywords and operators
- XSS: JavaScript
- HTTP response splitting: newlines (CR, LF)
- Path traversal: '/', ".."
- Shell command injection: shell keywords and operators, meta-characters

A Natural Approach – Taint Tracking at the Character Level
- Others have argued that taint tracking aids the detection of command injection attacks
- Taint tracking reveals what data gets touched by user input
- Attacks are injected into web applications in the form of strings, so we can limit the scope of tracking to strings
- Character-level information narrows the focus to specific portions of the string

Our Focus
- We focus on taint tracking for Java web applications
- Many commercial enterprises use Java for their web services

Character-level Taint Tracking for Java
1. Source Tainting: Augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
2. Taint Propagation: Replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
3. Sink Checking: At each sink, use the taint information to detect attacks by checking that control data is not tainted

Source Tainting
We mark all information from the HTTP request as untrusted:
- Form parameters
- Protocol
- Path
- HTTP headers: cookies, session id, etc.
Example request:
GET /results?search_query=rick+roll&search_type=&aq…
Host: …
Referrer:
Cookie: use_hitbox=72c46ff6cddcb7c5585…

Source Tainting: Augmented Classes
Replace the Tomcat Servlet classes with our own modified classes:
- javax.servlet.http.HttpServletRequest
- javax.servlet.http.Cookie
- javax.servlet.http.HttpSession
- org.apache.catalina.connector.CoyoteReader

Basic Taint Propagation
Example code snippet:
String city = request.getParameter("city");
String punctuation = ", ";
String state = "CA";
String temp = punctuation.concat(state);
String location = city.concat(temp);

Taint Propagation: Original String Class
Each String holds only a char[]:
city: "Berkeley"
punctuation: ", "
state: "CA"
temp = punctuation.concat(state): ", CA"
city.concat(temp): "Berkeley, CA"

Taint Propagation: Modified String Class
Each String holds a char[] and a parallel boolean[] taint array (T = tainted, F = untainted):
city: "Berkeley" TTTTTTTT
punctuation: ", " FF
state: "CA" FF
temp = punctuation.concat(state): ", CA" FFFF
city.concat(temp): "Berkeley, CA" TTTTTTTTFFFF

Optimized Taint Propagation
- To reduce the overhead of taint tracking, only track taint when necessary
- Only allocate the boolean taint array once the String contains a tainted character
- Reduces overhead by eliminating array copies for operations on fully untainted strings

Optimized Taint Propagation
Fully untainted strings carry no taint array (null) instead of an all-F array:
city: "Berkeley" TTTTTTTT
punctuation: ", " null (all F)
state: "CA" null (all F)
temp = punctuation.concat(state): ", CA" null (all F)
city.concat(temp): "Berkeley, CA" TTTTTTTTFFFF

Taint Propagation: Augmented Classes
- java.lang.String
- java.lang.StringBuffer
- java.lang.StringBuilder

Sink Checking
- Sinks can use taint information to detect commands in user-supplied data
- SQL – instrument the JDBC to parse the SQL queries and check for SQL keywords and operators that contain tainted characters
- XSS – examine HTML for tainted JavaScript
- Details of how to do this are well-documented in the previous literature and not the focus of this work [2]
[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL '06.
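As an added illustration (not the authors' code, which modifies java.lang.String inside the JDK), the following Python sketch mimics the per-character boolean[] taint array with the lazy-allocation optimization from the Modified and Optimized String Class slides, propagates it through concat, and applies a toy version of the SQL sink check above to the query from the SQL injection example slide. TStr, check_sql_sink, build_query and the small keyword set and tokenizer are assumptions of this example.

```python
import re

class TStr:
    """String plus an optional per-character taint array (None = fully untainted)."""
    def __init__(self, chars, taint=None):
        self.chars = chars
        # Optimization from the slides: only keep an array once some char is tainted.
        self.taint = list(taint) if taint is not None and any(taint) else None

    @classmethod
    def untrusted(cls, s):
        # Source tainting: data taken from the HTTP request is tainted end to end.
        return cls(s, [True] * len(s))

    def concat(self, other):
        chars = self.chars + other.chars
        if self.taint is None and other.taint is None:
            return TStr(chars)  # fully untainted operands: no taint array copy at all
        a = self.taint or [False] * len(self.chars)
        b = other.taint or [False] * len(other.chars)
        return TStr(chars, a + b)

    def taint_mask(self):
        # "TTTTFF"-style view like the slides' boolean[] diagrams, or "null".
        return "".join("T" if t else "F" for t in self.taint) if self.taint else "null"

# Toy SQL tokenizer (assumed): words, numbers, quoted literals, '--', single-char operators.
SQL_TOKEN = re.compile(r"[A-Za-z_]+|\d+|'[^']*'|--|[^\sA-Za-z_\d']")
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "DROP", "TABLE", "INSERT"}

def check_sql_sink(query):
    """Return the control tokens (keywords, operators, comment markers) that
    contain at least one tainted character. Tainted data inside a quoted
    literal or a bare identifier is allowed; tainted control is an injection."""
    if query.taint is None:
        return []
    hits = []
    for m in SQL_TOKEN.finditer(query.chars):
        tok = m.group()
        control = tok.upper() in KEYWORDS or not (tok[0].isalnum() or tok[0] in "'_")
        if control and any(query.taint[m.start():m.end()]):
            hits.append(tok)
    return hits

def build_query(student_name):
    # The slides' vulnerable concatenation; only student_name is untrusted.
    prefix = TStr("SELECT * FROM students WHERE name = '")
    return prefix.concat(student_name).concat(TStr("'"))
```

Running check_sql_sink on build_query(TStr.untrusted("Bobby")) yields nothing, while the "Bobby'; DROP TABLE students; --" name from the example slide yields the tainted ';', 'DROP', 'TABLE', ';' and '--' tokens.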

Benefits
- Provides a basis to protect from command injection attacks
- Simple, easy to adopt and deploy:
  - Server-side change
  - One-time modification
  - No change to web application byte code
  - No need for web application source code
- Works immediately with Java legacy applications
- Efficient

Benefits (cont'd)
- Handles web applications that call string methods reflectively
- Java reflection allows calls to methods selected at runtime
- Our approach can track the taint for these reflected calls

Limitations
- For backwards compatibility we do not record taint status in the serialized form
- May lose taint status via string operations with chars and char arrays: cannot hold taint status in primitives
- Does not defend against malicious web developers

Performance Overhead: 0-15%

Contributions
- Efficient character-level taint tracking
- Runtime overhead <15%
- Works immediately for Java legacy code
- Easy to adopt and deploy

Thank you! Any questions?