Language Based Security (LaBaSec): TAJ: Effective Taint Analysis of Web Applications, PLDI 2009. Omer Tripp (IBM Software Group), Marco Pistoia (IBM). Presentation transcript.

1 Language Based Security (LaBaSec)
TAJ: Effective Taint Analysis of Web Applications
PLDI 2009
Omer Tripp, IBM Software Group, omert@il.ibm.com
Marco Pistoia, IBM T. J. Watson Research Center, pistoia@us.ibm.com
Stephen Fink, IBM T. J. Watson Research Center, sjfink@us.ibm.com
Manu Sridharan, IBM T. J. Watson Research Center, msridhar@us.ibm.com
Omri Weisman, IBM Software Group, weisman@il.ibm.com
www.research.ibm.com/labasec

2 OWASP* Top Ten Security Vulnerabilities (LaBaSec, PLDI 2009)
1. Cross-site scripting (XSS)
2. Injection flaws
3. Malicious file execution
4. Insecure direct object reference
5. Cross-site request forgery (CSRF)
6. Information leakage and improper error handling
7. Broken authentication and improper session management
8. Insecure cryptographic storage
9. Insecure communications
10. Failure to restrict URL access
* Open Web Application Security Project (OWASP): http://www.owasp.org

3 Existing Static-Analysis Solutions
Type systems: complex, conservative, require code annotations
Classic slicing: has not been shown to scale to large applications while maintaining sufficient accuracy

4 Contributions of TAJ
Hybrid thin slicing
Sound, effective modeling of Web applications
Bounded-analysis techniques
Implementation, productization* and extensive evaluation
* IBM Rational AppScan: http://www.ibm.com/software/awdtools/appscan/

5-10 Motivating Example* (the example code is shown as slide images and does not survive in the transcript; only the slide captions do)
Slide 5: Taint Flow #1
Slide 6: Taint Flow #2, passing through a sanitizer
Slide 7: Taint Flow #3, non-tainted
Slide 8: Reflection
Slide 9: Different Map Keys
Slide 10: Object Fields
* Inspired by Refl1 in SecuriBench Micro

11 Outline of TAJ
Algorithm consists of 2 stages:
1. Global pointer analysis
2. Slicing based on the resulting call graph
Rich set of models
Effective reports
Efficient behavior under a restricted budget

12 Dimensions of Precision
Pointer analysis is a variant of Andersen's analysis
Custom context-sensitivity policy:
Unlimited-depth object sensitivity for Java collections (up to recursion)
One level of call-string context for factory methods
One level of call-string context for taint APIs
One-level receiver-object context sensitivity as the default
Analysis is field sensitive
Analysis is intraprocedurally flow sensitive and interprocedurally flow insensitive (accounting for multithreaded code)

13 Hybrid System Dependence Graph (figure; only the legend survives in the transcript)
Node kinds: st_i store statement; l_i load statement; sk_i sink-dispatch statement; c_i call statement; r_i return statement; s_i other statement
Edge kinds: no-heap SDG edge; store-to-load direct edge; load-to-store or load-to-sink summary edge
The store-to-load edges are computed from the preliminary pointer analysis; the slice in the no-heap SDG is computed using graph reachability, and the hybrid SDG is the no-heap SDG plus those direct store-to-load edges

14 Modeling Web Applications (figure)
Taint carriers: String, StringBuilder, StringBuffer
Object fields: i1.s
Map keys: map.put("key1", taint); nontaint = map.get("key2");
Reflection: Class.forName, Method.invoke
Native methods
JSP
Struts MVC: ConcreteActionForm caf = (ConcreteActionForm) af; DynaActionForm daf = (DynaActionForm) af
Exceptions
EJB: the enterprise bean deployment descriptor (Bean1 with Bean1Home/Bean1Bean, Stateless; Bean2 with Bean2Home/Bean2Bean, Session; reference ejb/Bean2) resolves the call Bean1Bean.m1() → Bean2.m2() to Bean2Bean.m2()
Internal: Thread.start, AccessController.doPrivileged
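The mechanics behind slides 12 to 14 (a preliminary pointer analysis that yields store-to-load edges, taint flow as graph reachability over the resulting hybrid SDG, and the map-key and object-field models), as an added worked example in Python. This is not TAJ or WALA code. It assumes a constructed mini-IR for a single procedure (so there are no call/return nodes), a flow-insensitive Andersen-style points-to where the paper's analysis is intraprocedurally flow sensitive, and treats a constant map key as a field name and a non-constant key as a wildcard that may alias every key; the statement labels and the sample program are invented, loosely following the Refl1-style example on the earlier slides.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed mini-IR for a single procedure. Every statement is one node of
# the hybrid SDG; defs/uses name locals, base/fld describe a heap access.
@dataclass(frozen=True)
class Stmt:
    sid: str
    kind: str                     # source | new | assign | sanitize | store | load | sink
    defs: Optional[str] = None
    uses: Tuple[str, ...] = ()
    base: Optional[str] = None    # receiver variable of a store/load
    fld: Optional[str] = None     # field name, or the constant key of put/get
    alloc: Optional[str] = None   # allocation-site label of a 'new'
    issue: Optional[str] = None   # issue type of a 'sink'

ANY_KEY = "*"   # non-constant map key: must be assumed to alias every key

def points_to(prog: List[Stmt]) -> Dict[str, Set[str]]:
    """Flow-insensitive, Andersen-style points-to over 'new' and 'assign':
    the preliminary pointer analysis that the store-to-load edges rely on."""
    pts: Dict[str, Set[str]] = defaultdict(set)
    for s in prog:
        if s.kind == "new":
            pts[s.defs].add(s.alloc)
    changed = True
    while changed:
        changed = False
        for s in prog:
            if s.kind == "assign" and not pts[s.uses[0]] <= pts[s.defs]:
                pts[s.defs] |= pts[s.uses[0]]
                changed = True
    return pts

def build_hybrid_sdg(prog: List[Stmt]) -> Dict[str, Set[str]]:
    """No-heap SDG edges (local def -> use) plus direct store-to-load edges
    between accesses of the same field/key whose receivers may alias."""
    succ: Dict[str, Set[str]] = defaultdict(set)
    defs_of: Dict[str, List[str]] = defaultdict(list)
    for s in prog:
        if s.defs is not None:
            defs_of[s.defs].append(s.sid)
    for s in prog:
        for v in s.uses:
            for d in defs_of[v]:
                succ[d].add(s.sid)
    pts = points_to(prog)
    for st in (s for s in prog if s.kind == "store"):
        for ld in (s for s in prog if s.kind == "load"):
            same_field = st.fld == ld.fld or ANY_KEY in (st.fld, ld.fld)
            if same_field and pts[st.base] & pts[ld.base]:
                succ[st.sid].add(ld.sid)
    return succ

def taint_flows(prog: List[Stmt]) -> Dict[Tuple[str, str, str], List[str]]:
    """Graph reachability from each source over the hybrid SDG. A sanitizer is
    reached but never expanded, so nothing downstream of it carries taint.
    Returns {(source, sink, issue): path}."""
    by_id = {s.sid: s for s in prog}
    succ = build_hybrid_sdg(prog)
    flows: Dict[Tuple[str, str, str], List[str]] = {}
    for src in (s for s in prog if s.kind == "source"):
        parent: Dict[str, Optional[str]] = {src.sid: None}
        work = deque([src.sid])
        while work:
            n = work.popleft()
            if by_id[n].kind == "sanitize":
                continue
            for m in succ[n]:
                if m not in parent:
                    parent[m] = n
                    work.append(m)
        for sid in parent:
            if by_id[sid].kind == "sink":
                path, cur = [], sid
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                flows[(src.sid, sid, by_id[sid].issue)] = path[::-1]
    return flows

# Constructed sample program (statement ids and variable names are invented).
PROGRAM = [
    Stmt("s1", "source", defs="t"),                            # t = request.getParameter("name")
    Stmt("s2", "new", defs="m", alloc="HashMap@2"),            # m = new HashMap()
    Stmt("s3", "store", uses=("t",), base="m", fld="key1"),    # m.put("key1", t)
    Stmt("s4", "load", defs="a", base="m", fld="key2"),        # a = m.get("key2")  -> clean
    Stmt("s5", "load", defs="b", base="m", fld="key1"),        # b = m.get("key1")  -> tainted
    Stmt("s6", "sanitize", defs="c", uses=("b",)),             # c = escapeHtml(b)
    Stmt("s7", "sink", uses=("a",), issue="XSS"),              # out.println(a)  not reported
    Stmt("s8", "sink", uses=("b",), issue="XSS"),              # out.println(b)  reported
    Stmt("s9", "sink", uses=("c",), issue="XSS"),              # out.println(c)  not reported
    Stmt("s10", "new", defs="o", alloc="Bean@10"),             # o = new Bean()
    Stmt("s11", "assign", defs="p", uses=("o",)),              # p = o  (alias)
    Stmt("s12", "store", uses=("t",), base="p", fld="name"),   # p.name = t
    Stmt("s13", "load", defs="q", base="o", fld="name"),       # q = o.name -> tainted via alias
    Stmt("s14", "sink", uses=("q",), issue="SQLi"),            # stmt.execute(q)  reported
    Stmt("s15", "load", defs="r", base="m", fld=ANY_KEY),      # r = m.get(k), k not constant
    Stmt("s16", "sink", uses=("r",), issue="XSS"),             # out.println(r)  reported
]
```

Running `taint_flows(PROGRAM)` yields three flows: s1 → s3 → s5 → s8 (same constant key), s1 → s12 → s13 → s14 (object field through an alias the points-to sets expose), and s1 → s3 → s15 → s16 (unknown key, conservatively matched). The read under a different constant key (s4 → s7) and the sanitized value (s6 → s9) are not reported, which is exactly the distinction the "Different Map Keys" and sanitizer slides make.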

15 Eliminating Redundant Flows (figure: nodes n1 to n11 split between Application and Library, with two sinks of the same issue type)
Flows are equivalent iff:
their parts under application code coincide, and
their sinks correspond to the same issue type
Dramatically improves user experience (on JBoard, 25x fewer reports)
Sound, and minimal with respect to remediation
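A worked example of the equivalence test on this slide, added here; it is not code from the paper or from AppScan. Flows are modelled as paths of labelled nodes flagged as application or library code; the node labels, the five sample flows, and the choice of the shortest class member as the reported witness are all constructed for the illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Node(NamedTuple):
    label: str      # e.g. "Search.doGet:17" (constructed labels)
    in_app: bool    # True for application code, False for library/framework code

class Flow(NamedTuple):
    path: Tuple[Node, ...]   # source ... sink, as the slicer would emit it
    issue: str               # issue type of the sink, e.g. "XSS"

Signature = Tuple[Tuple[str, ...], str]

def app_signature(flow: Flow) -> Signature:
    """The part of a flow the user can act on: its application-code nodes
    (library internals dropped) together with the sink's issue type."""
    return tuple(n.label for n in flow.path if n.in_app), flow.issue

def eliminate_redundant(flows: List[Flow]) -> Dict[Signature, Flow]:
    """Partition flows into classes with equal app_signature and keep one
    witness per class (the shortest member, so the report stays readable).
    Fixing the witness's application code fixes every flow in its class."""
    classes: Dict[Signature, List[Flow]] = defaultdict(list)
    for f in flows:
        classes[app_signature(f)].append(f)
    return {sig: min(members, key=lambda f: len(f.path))
            for sig, members in classes.items()}

def covers(flows: List[Flow], reports: Dict[Signature, Flow]) -> bool:
    """Soundness check: every original flow has a report whose application
    part and issue type are identical to its own."""
    return all(app_signature(f) in reports
               and app_signature(reports[app_signature(f)]) == app_signature(f)
               for f in flows)

def app(label: str) -> Node:
    return Node(label, True)

def lib(label: str) -> Node:
    return Node(label, False)

SRC = app("Search.doGet:17")      # name = request.getParameter("q")
CAT = app("Search.doGet:18")      # msg = "Results for " + name
RAW = app("Search.doGet:21")      # echo = name.trim()
OUT = app("Search.doGet:25")      # out.println(...)
SQL = app("SearchDao.find:40")    # stmt.execute(...)

# Constructed report: five flows the slicer might emit for one servlet.
# Flows 0, 1 and 2 differ only inside the string library; 3 has a different
# issue type; 4 takes a different path through application code.
FLOWS = [
    Flow((SRC, CAT, lib("StringBuilder.append"), lib("StringBuilder.toString"), OUT), "XSS"),
    Flow((SRC, CAT, lib("String.concat"), OUT), "XSS"),
    Flow((SRC, CAT, lib("StringBuffer.append"), lib("StringBuffer.toString"),
          lib("String.valueOf"), OUT), "XSS"),
    Flow((SRC, CAT, lib("StringBuilder.append"), lib("StringBuilder.toString"), SQL), "SQLi"),
    Flow((SRC, RAW, lib("String.trim"), OUT), "XSS"),
]
```

`eliminate_redundant(FLOWS)` collapses the five flows to three reports: one for the concatenation path to the XSS sink (the three library variants are one class), one for the SQLi sink, and one for the `trim()` path, which differs in application code and so must stay separate even though its sink and issue type match.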

16 Priority-driven Call-graph Construction
A priority queue governs call-graph growth
Sources are assigned priority 0 (most important)
Recursively, for each "neighbor" t of node n: priority(t) = min{priority(n) + 1, priority(t)}
Priorities are propagated to a fixed point
"Locality-of-taint" principle: methods close to a taint source are expanded first
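An added Python model of the priority-driven scheme on this slide; it is not TAJ or WALA code. The call relation, entry points, source and sink names, and the budget (counted in expanded methods) are constructed. Two details are assumptions rather than facts from the slides: equal priorities are broken by discovery order, and "neighbor" is read as either endpoint of a discovered call edge. A FIFO worklist is included only for contrast.

```python
import heapq
from collections import defaultdict
from typing import Dict, Iterable, List, Set

INF = float("inf")

def propagate_priorities(prio: Dict[str, float], adj: Dict[str, Set[str]]) -> None:
    """priority(t) = min(priority(n) + 1, priority(t)) for every neighbor t of n,
    iterated over all discovered edges until a fixed point (adj is symmetric)."""
    changed = True
    while changed:
        changed = False
        for n, neighbors in adj.items():
            for t in neighbors:
                if prio[n] + 1 < prio[t]:
                    prio[t] = prio[n] + 1
                    changed = True

def build_call_graph(calls: Dict[str, List[str]], sources: Set[str],
                     roots: Iterable[str], budget: int, prioritized: bool = True) -> dict:
    """Grow the call graph from the entry points, expanding at most `budget`
    methods. With prioritized=True the worklist is a priority queue keyed by
    distance from a taint source (sources have priority 0); otherwise FIFO."""
    prio: Dict[str, float] = {}
    adj: Dict[str, Set[str]] = defaultdict(set)
    edges = set()
    heap: list = []
    counter = 0   # discovery order: tie-breaker, and the whole key in FIFO mode

    def enqueue(m: str) -> None:
        nonlocal counter
        heapq.heappush(heap, (prio[m] if prioritized else 0, counter, m))
        counter += 1

    def discover(m: str) -> None:
        if m not in prio:
            prio[m] = 0 if m in sources else INF
            enqueue(m)

    for r in roots:
        discover(r)
    expanded: List[str] = []
    while heap and len(expanded) < budget:
        p, _, n = heapq.heappop(heap)
        if n in expanded or (prioritized and p != prio[n]):
            continue   # duplicate or stale entry; a fresh one is already queued
        expanded.append(n)
        for t in calls.get(n, []):     # resolve the call sites of n
            discover(t)
            edges.add((n, t))
            adj[n].add(t)
            adj[t].add(n)
        propagate_priorities(prio, adj)
        for m in prio:                 # re-queue pending nodes with updated priorities
            if m not in expanded:
                enqueue(m)
    return {"expanded": expanded, "discovered": set(prio),
            "edges": edges, "priority": dict(prio)}

# Constructed call relation: one web entry point that touches a taint source
# and one scheduler entry point that only does configuration work.
CALLS = {
    "Scheduler.run":        ["Config.load"],
    "Config.load":          ["Config.parse"],
    "Config.parse":         ["Config.validate"],
    "Config.validate":      [],
    "Servlet.doGet":        ["Request.getParameter", "Controller.handle"],
    "Request.getParameter": [],
    "Controller.handle":    ["Render.write", "Util.format"],
    "Render.write":         ["PrintWriter.println"],
    "Util.format":          ["Util.pad"],
    "Util.pad":             [],
    "PrintWriter.println":  [],
}
SOURCES = {"Request.getParameter"}
SINKS = {"PrintWriter.println"}
ROOTS = ["Scheduler.run", "Servlet.doGet"]

def sink_found(result: dict) -> bool:
    return bool(SINKS & result["discovered"])
```

With a budget of five expansions the prioritized run expands `Scheduler.run`, `Servlet.doGet`, `Request.getParameter`, `Controller.handle` and `Render.write` (priorities 1, 0, 2, 3 along the tainted path) and discovers the sink, while the configuration chain beyond `Config.load` is never visited. A FIFO worklist with the same budget spends an expansion on `Config.load` instead and stops before the sink is discovered. With an unbounded budget both variants build the complete graph.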

17 Experimental Setup
Five variants assessed:
1. Context sensitive (CS)
2. Context insensitive (CI)
3. Unbounded hybrid (i.e., running to completion)
4. Prioritized hybrid (i.e., call graph bounded, priority-driven scheme)
5. Fully optimized hybrid (i.e., prioritized, "long" flows eliminated, taint depth restricted, slice size bounded)
All implemented on top of WALA*
* IBM Watson Libraries for Analysis: http://wala.sf.net

18 Experimental Results – Accuracy (chart; not recoverable from the transcript)

19 Experimental Results – Performance (chart; not recoverable from the transcript)

20 Experimental Results – Performance, continued (chart; not recoverable from the transcript)

21 Conclusion
Effective solution for taint analysis of Web applications, based on pointer analysis and hybrid thin slicing
Efficient strategies for analysis under a limited budget
General models for frameworks and other programming constructs
Thorough evaluation and productization

22 Future Work
Detailed comparison of the demand-driven and priority-driven schemes
String analysis
More languages
Coverage of more attack vectors

23 Thank You! www.research.ibm.com/labasec
