Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.

Slides:



Advertisements
Similar presentations
Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Advertisements

Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Static code check – Klocwork
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Servlets and a little bit of Web Services Russell Beale.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Turning Eclipse Against Itself: Finding Errors in Eclipse Sources Benjamin Livshits Stanford University.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Testing Static Analysis Tools using Exploitable Buffer Overflows from Open Source Code Zitser, Lippmann & Leek Presented by: José Troche.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Object Oriented Databases by Adam Stevenson. Object Databases Became commercially popular in mid 1990’s Became commercially popular in mid 1990’s You.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Prevent Cross-Site Scripting (XSS) attack
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
A Security Review Process for Existing Software Applications
Introduction to Internet Programming (Web Based Application)
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
Computer Security and Penetration Testing
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
Attacking Applications: SQL Injection & Buffer Overflows.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
CSCE 548 Secure Software Development Final Exam – Review.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Watching Software Run Brian ChessNov 18, Success is foreseeing failure. – Henry Petroski.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
SEC835 Runtime integrity and resource control. Application based Denial of Service Application can crash for many reasons and at any time due to programming.
Beyond negative security Signatures are not always enough Or Katz Trustwave ot.com/
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.
Topics Network topology Virtual LAN Port scanners and utilities Packet sniffers Weak protocols Practical exercise.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Database Security Lesson Introduction ●Understand the importance of securing data stored in databases ●Learn how the structured nature of data in databases.
What is a Servlet? Java Program that runs in a Java web server and conforms to the servlet api. A program that uses class library that decodes and encodes.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SQL INJECTION Lecturer: A.Prof.Dr. DANG TRAN KHANH Student :Le Nguyen Truong Giang.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Content Coverity Static Analysis Use cases of Coverity Examples
Application Communities
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Chapter 7: Identifying Advanced Attacks
World Wide Web policy.
Theodore Lawson CSCE548 Student Presentation, Topic #2
CSCE 548 Secure Software Development Final Exam – Review 2016
A Security Review Process for Existing Software Applications
PHP / MySQL Introduction
MIS Professor Sandvig MIS 324 Professor Sandvig
Lecture 2 - SQL Injection
CS5123 Software Validation and Quality Assurance
Presentation transcript:

Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University

Vulnerability Research Focus Static analysis for vulnerability detection Until recently, a large portion of server- side software was written in C/C++ Vulnerabilities come from poor language and API design: Buffer overruns Buffer overruns Format string violations Format string violations More profound: Time-of-check-time-of-use errors (TOCTOU) Time-of-check-time-of-use errors (TOCTOU)

Security Errors in Java are Emerging Situation is changing… More and more Web-based applications are written in Java Web-based applications are good vulnerability targets New categories of errors in this domain SQL Injections Cross-site scripting HTTP response splitting Forceful browsing LDAP injection Bad session stores

Finding Errors with Static Analysis Our approach: Static Analysis has been proven useful for finding security errors in C programs Static Analysis has been proven useful for finding security errors in C programs Apply to Java to find new categories of errors Apply to Java to find new categories of errors What we did: Created user-friendly code analysis tools Created user-friendly code analysis tools Based on Eclipse, an open-source Java IDE Based on Eclipse, an open-source Java IDE Easy to run on your own code Easy to run on your own code Focused on two types of errors so far Focused on two types of errors so far Bad session stores SQL injections We look at these two error patterns next… We look at these two error patterns next…

Focus on Two Error Patterns Object o = … HttpSession s = … s.setAttribute(“name”, o); Unchecked input passed to backend database Carefully crafted input containing SQL will be interpreted by database Can be used by the malicious user to read unauthorized info, delete data, even execute commands, etc. Bad session storeSQL injection A common pattern in servlets leading to errors HttpSessions need to be saved to disk Object o must implement java.io.Serializable Bad API design Can lead to crashes and DOS attacks String query = request.getParameter(“name”); java.sql.Statement stmt = … stmt.executeQuery(query);

Our Tools… Identify all sources of user information Identify all sinks where sensitive data can flow Filter out sinks that take constant strings Help to follow data from sources to sinks Report errors Bad session storesSQL Injections Look at the type of the 2 nd argument of setAttribute: setAttribute(…, expr); setAttribute(…, expr); Do a type check for expr that don’t implement java.io.Serializable Report errors

Screen shot Potential Error Error in the source

Benchmarks 10 Web-based applications Widely deployed and vulnerable to attacks Most blogging tools Quite large – 10s of KLOC Rely on very large J2EE libs

Results for Bad Session Stores Found 14 errors 8 false posititives 37% false pos rate Why false positives? Declared types are too wide Declared types are too wide Can improve with better type info from pointer analysis Can improve with better type info from pointer analysis

Results for SQL Injections Found 6 errors Can find “low- hanging” errors Easy when sources and sinks are “close” Often they are very far apart Many require more elaborate analysis

Summary Created lightweight interactive tools for finding security errors in Java Found a total of 20 errors However, there are false positives and false positives and “unknowns” – potential errors our tools can’t address “unknowns” – potential errors our tools can’t addressConclusion: Our tools are good for finding simpler errors Our tools are good for finding simpler errors Hard errors often require a stronger analysis of data propagation Hard errors often require a stronger analysis of data propagation Working on a pointer analysis-based approach Working on a pointer analysis-based approach