TAJ: Effective Taint Analysis of Web Applications


TAJ: Effective Taint Analysis of Web Applications
Yinzhi Cao
References: http://www.cs.tau.ac.il/~omertrip/pldi09/TAJ.ppt and www.cs.cmu.edu/~soonhok/talks/20110301.pdf

Motivating Example (inspired by Refl1 in SecuriBench Micro): Taint Flow #1

Motivating Example: Taint Flow #2 (passes through a sanitizer)

Motivating Example: Taint Flow #3 (non-tainted)

Motivating Example: Reflection

Several Concepts: Slicing; Thin Slicing; Hybrid Thin Slicing; Taint Analysis; Thin Slicing + Taint Analysis

Slicing (the boring definition): the slice of a program with respect to a program point p and a variable x is a reduced program that computes the same sequence of values for x at p. That is, at point p the behavior of the reduced program with respect to variable x is indistinguishable from that of the original program.

An Example: slicing for v at 9
Original program:
1. x = new A();
2. z = x;
3. y = new B();
4. a = new C();
5. w = x;
6. w.f = y;
7. if (w == z) {
8.   a.g = y;
9.   v = z.f;
10. }
Slice for v at 9 (statements 4 and 8 are dropped, since a and a.g never influence v):
1. x = new A();
2. z = x;
3. y = new B();
5. w = x;
6. w.f = y;
7. if (w == z) {
9.   v = z.f;
10. }

Thin Slicing: only producer statements are preserved. A statement t is a producer for a seed s iff (1) t = s, or (2) t writes a value to a location that is directly used by some other producer. All other statements are explainer statements.

Thin Slicing, seed 7
Original program:
1. x = new A();
2. z = x;
3. y = new B();
4. w = x;
5. w.f = y;
6. if (w == z) {
7.   v = z.f;
8. }
Thin slice for seed 7 (only the producers of the value read at 7):
3. y = new B();
5. w.f = y;
7. v = z.f;
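The difference between the thin slice and the traditional slice on the seven-statement program above, as an added example (not code from the TAJ slides or the paper). It assumes, as a flow-insensitive pointer analysis would report, that x, z and w all point to the single object allocated at statement 1, whose field f is abstracted as the heap location "A1.f"; base-pointer dereferences and the control dependence of statement 7 on the if at statement 6 are what the thin slice leaves out.

```python
# Added example: backward thin slice vs. full slice over the "seed 7" program.
# Heap locations are abstracted as "<abstract object>.<field>"; the assumption
# that x, z and w all resolve to the object allocated at statement 1 stands in
# for the result of a flow-insensitive pointer analysis.
A1_F = "A1.f"  # field f of the object allocated at statement 1

# (id, locations defined, locations directly used, base pointers dereferenced,
#  id of the controlling branch or None)
PROGRAM = [
    (1, {"x"}, set(), set(), None),       # x = new A();
    (2, {"z"}, {"x"}, set(), None),       # z = x;
    (3, {"y"}, set(), set(), None),       # y = new B();
    (4, {"w"}, {"x"}, set(), None),       # w = x;
    (5, {A1_F}, {"y"}, {"w"}, None),      # w.f = y;   (w resolves to A1)
    (6, set(), {"w", "z"}, set(), None),  # if (w == z) {
    (7, {"v"}, {A1_F}, {"z"}, 6),         # v = z.f;   (z resolves to A1)
]
STMTS = {s[0]: s for s in PROGRAM}

def _producers_of(loc):
    """Statements that write the given location (variable or heap field)."""
    return {sid for sid, defs, *_ in PROGRAM if loc in defs}

def _slice(seed, follow_explainers):
    result, work = set(), [seed]
    while work:
        sid = work.pop()
        if sid in result:
            continue
        result.add(sid)
        _, _, uses, bases, ctrl = STMTS[sid]
        for loc in uses:              # direct value flow: producers
            work.extend(_producers_of(loc))
        if follow_explainers:         # explainers: base pointers and branches
            for loc in bases:
                work.extend(_producers_of(loc))
            if ctrl is not None:
                work.append(ctrl)
    return sorted(result)

def thin_slice(seed):
    """Producer statements only, as in thin slicing."""
    return _slice(seed, follow_explainers=False)

def full_slice(seed):
    """Traditional slice: producers plus base-pointer and control explainers."""
    return _slice(seed, follow_explainers=True)
```

thin_slice(7) returns [3, 5, 7], matching the slide, while full_slice(7) keeps every statement of the program.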

Dependence Graph

Two Types of Existing Thin Slicing:
Context- and flow-insensitive thin slicing (fast, but inaccurate in most cases)
Context- and flow-sensitive thin slicing (slow, but accurate in most cases)

So in TAJ: Hybrid Thin Slicing
Flow-insensitive and context-sensitive for the heap
Flow- and context-sensitive for local variables
Fast and accurate

Taint Analysis

Hybrid Thin Slicing + Taint Analysis

Note that this is forward thin slicing (from sources towards sinks) rather than backward thin slicing.

Several Tricks Played: Taint Carriers; Handling Exceptions; Code Reduction; Eliminating Redundant Flows; Reflection APIs; Native Methods

Taint Carrier
private static class Internal {
    private String s;
    public Internal(String s) { this.s = s; }
    public String toString() { return s; }
}
Internal i1 = new Internal(s1); // s1 is tainted
writer.println(i1);

Solution: run a pointer analysis, so that there is an edge between i1 and the field s of the Internal object, and the taint on s1 reaches writer.println(i1) through toString().

Handling Exceptions
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    try {
        ...
    } catch (Exception e) {
        resp.getWriter().println(e);
    }
}

Problem: Exception.getMessage() is the source, but it is only called implicitly, from Exception.toString(). Solution: mark the combination println(e) as the source.

Code Reduction: predict the behavior of some common library methods and skip tracking through them. For example, URLEncoder.encode is a sanitizer.
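A forward taint propagation that ties the last two tricks together, as an added example (not code from the TAJ slides or the paper): the Internal taint carrier from the Taint Carrier slide is modelled by letting the constructor write an abstract heap field (I1.s, I2.s) that println() reads through toString(), which is the edge the pointer analysis contributes, and URLEncoder.encode is modelled as a sanitizer whose result is untainted. The six-statement servlet fragment and its statement kinds are constructed for this example.

```python
# Added example: forward taint propagation over a constructed servlet fragment
# with a taint carrier (Internal) and a library sanitizer (URLEncoder.encode).
# "I1.s" / "I2.s" are abstract heap locations for the field s of the Internal
# objects that pointer analysis (assumed) resolves i1 and i2 to.
STATEMENTS = [
    # (id, kind, locations defined, locations directly used)
    (1, "source",   {"s1"},   set()),     # s1 = req.getParameter("name");
    (2, "sanitize", {"s2"},   {"s1"}),    # s2 = URLEncoder.encode(s1);
    (3, "assign",   {"I1.s"}, {"s1"}),    # i1 = new Internal(s1);  i1 -> I1
    (4, "assign",   {"I2.s"}, {"s2"}),    # i2 = new Internal(s2);  i2 -> I2
    (5, "sink",     set(),    {"I1.s"}),  # writer.println(i1);  toString reads I1.s
    (6, "sink",     set(),    {"I2.s"}),  # writer.println(i2);  toString reads I2.s
]

def propagate(statements=STATEMENTS):
    """Walk the statements in order, carrying for every tainted location the
    path of statement ids that tainted it. Returns {sink id: path} for each
    sink reached by unsanitized data."""
    tainted = {}    # location -> [statement ids] explaining its taint
    findings = {}
    for sid, kind, defs, uses in statements:
        tainted_uses = [u for u in uses if u in tainted]
        if kind == "source":
            for d in defs:
                tainted[d] = [sid]
        elif kind == "sanitize":
            # Code reduction: the library call is modelled, not tracked, and
            # its result is untainted regardless of its arguments.
            for d in defs:
                tainted.pop(d, None)
        elif kind == "assign":
            for d in defs:
                if tainted_uses:
                    tainted[d] = tainted[tainted_uses[0]] + [sid]
                else:
                    tainted.pop(d, None)   # overwritten with clean data
        elif kind == "sink" and tainted_uses:
            findings[sid] = tainted[tainted_uses[0]] + [sid]
    return findings
```

propagate() reports only statement 5, with the path [1, 3, 5] through the carrier; statement 6 is clean because the sanitizer at 2 stops the flow, and removing the I1.s edge from statement 5 (no pointer analysis) would silence the true finding as well.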

Eliminating Redundant Flows
Two flows are equivalent iff (1) their parts within application code coincide and (2) their sinks correspond to the same issue type.
Dramatically improves user experience (on JBoard, 25x fewer reports).
Sound, and minimal with respect to remediation.
[Figure: a flow graph whose nodes n1 to n11 span application code and library code and end in sinks with the same issue type]

Others
Reflection: try to infer the target if it is a constant.
Native methods: hand-coded models.

Results
Speed: hybrid thin slicing is 2.65x slower than context-insensitive slicing (CI) and 29x faster than context-sensitive slicing (CS).
Accuracy score (the ratio between the number of true positives and the number of true and false positives combined): Hybrid 0.35, CS 0.54, CI 0.22.

Pixy: a flow-sensitive and context-sensitive data flow analysis for PHP.

Vulnerability One

Vulnerability Two