Presentation is loading. Please wait.

Presentation is loading. Please wait.

TAJ: Effective Taint Analysis of Web Applications

PublishPreston Alan Boone Modified over 9 years ago

Similar presentations

Presentation on theme: "TAJ: Effective Taint Analysis of Web Applications"— Presentation transcript:

1 TAJ: Effective Taint Analysis of Web Applications
Yinzhi Cao Reference:

2 * Inspired by Refl1 in SecuriBench Micro
Motivating Example* Taint Flow #1 * Inspired by Refl1 in SecuriBench Micro

3 * Inspired by Refl1 in SecuriBench Micro
Motivating Example* Taint Flow #2 Sanitizer * Inspired by Refl1 in SecuriBench Micro

4 * Inspired by Refl1 in SecuriBench Micro
Motivating Example* Taint Flow #3 Non-tainted * Inspired by Refl1 in SecuriBench Micro

5 * Inspired by Refl1 in SecuriBench Micro
Motivating Example* Reflection * Inspired by Refl1 in SecuriBench Micro

6 Several Concepts Slicing Thin Slicing Hybrid Thin Slicing
Taint Analysis Thin Slicing + Taint Analysis

7 Slicing Boring Definition: The slice of a program with respect to program point p and variable x consists of a reduced program that computes the same sequence of values for x at p. That is, at point p the behavior of the reduced program with respect to variable x is indistinguishable from that of the original program.

8 An Example 1. x = new A(); 2. z = x; y = new B(); 5. w = x;
a = new C(); 5. w = x; 6. w.f = y; 7. if (w == z) { 8. a.g = y 9. v = z.f; 10. } 1. x = new A(); 2. z = x; y = new B(); 5. w = x; 6. w.f = y; 7. if (w == z) { 9. v = z.f; 10. } Slicing for v at 9

9 Thin Slicing Only producer statements are preserved.
Producer statements - A statement t is a producer for a seed s iff (1) s = t or (2) t writes a value to a location directly used by some other producer Other statements: explainer statement

10 1. x = new A(); y = new B(); 2. z = x; 5. w.f = y; y = new B();
4. w = x; 5. w.f = y; 6. if (w == z) { 7. v = z.f; 8. } y = new B(); 5. w.f = y; 7. v = z.f; Thin Slicing seed 7

11 Dependence Graph

12 Two Types of Existing Thin Slicing
Context- and Flow- Insensitive Thin Slicing (Fast but inaccurate in most cases) Context- and Flow- Sensitive Thin Slicing (Slow but accurate in most cases)

13 So in TAJ, Hybrid Thin Slicing
Flow-insensitive and Context-sensitive for the heap Flow- and Context-sensitive for local variables Fast and accurate

14 Taint Analysis

15 Hybrid Thin Slicing + Taint Analysis

16

17 Note that this is forwards thin slicing instead of backwards thin slicing.

18 Several Tricks Played Taint Carriers Handling Exceptions
Code Reduction Eliminating Redundant Flows Refection APIs Native Methods

19 Taint Carrier private static class Internal { private String s;
public Internal(String s) { this.s = s; } public String toString() { return s; Internal i1 = new Internal(s1); // s1 is tainted writer.println(i1)

20 Create a pointer analysis So there is an edge between i1 and s
private static class Internal { private String s; public Internal(String s) { this.s = s; } public String toString() { return s; Internal i1 = new Internal(s1); // s1 is tainted writer.println(i1)

21 Handling Exceptions protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { try { ... } catch (Exception e) { resp.getWriter().println(e); }

22 Problem: Exception.getMessage is the source but it is called implicitly at Exception.toString
Solution: Mark the combination println(e); as source.

23 Code Reduction Predict behavior of some common libraries and skip tracking. For example, URLEncoder.encode is a sanitizer.

24 Eliminating Redundant Flows
Flows are equivalent iff Parts under application code coincide Sinks corresponding to same issues type Dramatically improves user experience (on JBoard, x25 less reports) Sound, minimal with respect to remediation n1 n2 Application n3 n4 Library n5 n6 n7 n8 n9 n10 n11 Sinks with same issue type PLDI 2009

25 Others Reflection: Try to infer it if it is constant.
Native Methods: Hand-coded models.

26 Results Speed: Accuracy:
Hybrid thin slicing is 2.65X slower than context insensitive slicing (CI) Hybrid thin slicing is 29X faster than context sensitive slicing (CS) Accuracy: Accuracy score: the ratio between the number of true positives and the number of true and false positives combined Hybrid: 0.35, CS: 0.54, CI: 0.22

27 Pixy A flow-sensitive and context-sensitive data flow analysis for PHP.

28 Vulnerability One

29 Vulnerability Two

Download ppt "TAJ: Effective Taint Analysis of Web Applications"

Similar presentations

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 10.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 10.
October 30, 2003CCS 2003 - Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha

October 30, 2003CCS Vinod Ganapathy1 Buffer Overrun Detection using Linear Programming and Static Analysis Vinod Ganapathy, Somesh Jha
A Survey of Program Slicing Techniques A Survey of Program Slicing Techniques Sections 3.1,3.6 Swathy Shankar 1000808953.

A Survey of Program Slicing Techniques A Survey of Program Slicing Techniques Sections 3.1,3.6 Swathy Shankar
Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.

Chapter 9 Code optimization Section 0 overview 1.Position of code optimizer 2.Purpose of code optimizer to get better efficiency –Run faster –Take less.
CS18000: Problem Solving and Object-Oriented Programming.

CS18000: Problem Solving and Object-Oriented Programming.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.

2014 Network and Distributed System Security Symposium AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijecking.
Register Allocation CS 671 March 27, 2008. CS 671 – Spring 2008 1 Register Allocation - Motivation Consider adding two numbers together: Advantages: Fewer.

Register Allocation CS 671 March 27, CS 671 – Spring Register Allocation - Motivation Consider adding two numbers together: Advantages: Fewer.
Written by: Dr. JJ Shepherd

Written by: Dr. JJ Shepherd
Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.

Chapter 7 User-Defined Methods. Chapter Objectives  Understand how methods are used in Java programming  Learn about standard (predefined) methods and.
Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.

Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.
1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.

1 Program Slicing Purvi Patel. 2 Contents Introduction What is program slicing? Principle of dependences Variants of program slicing Slicing classifications.
Thin Slicing Manu Sridharan, Stephen J. Fink, Rastislav Bodík.

Thin Slicing Manu Sridharan, Stephen J. Fink, Rastislav Bodík.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.

Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.

The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.
Program Analysis with Set Constraints Ravi Chugh.

Program Analysis with Set Constraints Ravi Chugh.
EXCEPTIONS Def: An exception is a run-time error. Examples include: attempting to divide by zero, or manipulate invalid data.

EXCEPTIONS Def: An exception is a run-time error. Examples include: attempting to divide by zero, or manipulate invalid data.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Program Slicing for Refactoring Advanced SW Tools Seminar Jan 2005Yossi Peery.

Program Slicing for Refactoring Advanced SW Tools Seminar Jan 2005Yossi Peery.

Similar presentations

Ads by Google