EFFICIENT CHARACTER-LEVEL TAINT TRACKING FOR JAVA
Erika Chin, David Wagner
UC Berkeley

WEB APPLICATIONS
80% of all web applications are vulnerable to attack [1]
Most are command injection attacks (mixed control and data channel):
  SQL injection
  XSS
  HTTP response splitting
  Path traversal
  Shell command injection
[1] J. Grossman. WhiteHat website security statistics report, Aug 2008.

EXAMPLE - SQL INJECTION
  Query = "SELECT * FROM students WHERE name = '" + studentName + "'";
What if:
  studentName = Bobby
    "SELECT * FROM students WHERE name = 'Bobby'"
  studentName = Bobby'; DROP TABLE students; --
    "SELECT * FROM students WHERE name = 'Bobby'; DROP TABLE students; --'"
Inspired by XKCD: http://xkcd.com/327/

COMMAND INJECTION ATTACKS
  Command injection attack     Command elements
  SQL injection attack         SQL keywords and operators
  XSS                          JavaScript
  HTTP response splitting      Newlines (CR, LF)
  Path traversal               '/', ".."
  Shell command injection      Shell keywords and operators, meta-characters

A NATURAL APPROACH - TAINT TRACKING AT THE CHARACTER LEVEL
Others have argued that taint tracking aids the detection of command injection attacks
Taint tracking reveals what data gets touched by user input
Attacks are injected into web applications in the form of strings, so we can limit the scope of tracking to strings
Character-level information narrows the focus to specific portions of the string

OUR FOCUS
We focus on taint tracking for Java web applications
Many commercial enterprises use Java for their web services

CHARACTER-LEVEL TAINT TRACKING FOR JAVA
1. Source Tainting: Augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
2. Taint Propagation: Replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
3. Sink Checking: At each sink, use the taint information to detect attacks by checking that control data is not tainted

SOURCE TAINTING
We mark all information from the HTTP request as untrusted: protocol, path, form parameters, HTTP headers, cookies, session id, etc.
  http://www.youtube.com/results?search_query=rick+roll…
  GET /results?search_query=rick+roll&search_type=&aq…
  Host: www.youtube.com
  …
  Referrer: http://www.youtube.com/
  Cookie: use_hitbox=72c46ff6cddcb7c5585…

SOURCE TAINTING: AUGMENTED CLASSES
Replace the Tomcat Servlet classes with our own modified classes
  javax.servlet.http.HttpServletRequest
  javax.servlet.http.Cookie
  javax.servlet.http.HttpSession
  org.apache.catalina.connector.CoyoteReader

BASIC TAINT PROPAGATION
Example code snippet:
  String city = request.getParameter("city");
  String punctuation = ", ";
  String state = "CA";
  String temp = punctuation.concat(state);
  String location = city.concat(temp);

TAINT PROPAGATION: ORIGINAL STRING CLASS
(Figure: each String holds only a char[].)
  city        = "Berkeley"
  punctuation = ", "
  state       = "CA"
  temp = punctuation.concat(state)  ->  ", CA"
  city.concat(temp)                 ->  "Berkeley, CA"

TAINT PROPAGATION: MODIFIED STRING CLASS
(Figure: each String holds a char[] plus a parallel boolean[] of taint flags; T = tainted, F = untainted.)
  city        = "Berkeley"      taint: T T T T T T T T
  punctuation = ", "            taint: F F
  state       = "CA"            taint: F F
  temp = punctuation.concat(state)  ->  ", CA"          taint: F F F F
  city.concat(temp)                 ->  "Berkeley, CA"  taint: T T T T T T T T F F F F

OPTIMIZED TAINT PROPAGATION
To reduce the overhead of taint tracking, only track taint when necessary
Only allocate the boolean taint array once the String contains a tainted character
Reduces overhead by eliminating array copies for operations on fully untainted strings

OPTIMIZED TAINT PROPAGATION
(Figure: same example; a fully untainted String keeps a null taint array.)
  city        = "Berkeley"      taint: T T T T T T T T
  punctuation = ", "            taint: null
  state       = "CA"            taint: null
  temp = punctuation.concat(state)  ->  ", CA"          taint: null (no array allocated or copied)
  city.concat(temp)                 ->  "Berkeley, CA"  taint: T T T T T T T T F F F F

TAINT PROPAGATION: AUGMENTED CLASSES
  java.lang.String
  java.lang.StringBuffer
  java.lang.StringBuilder

SINK CHECKING
Sinks can use taint information to detect commands in user-supplied data
SQL - instrument the JDBC to parse the SQL queries and check for SQL keywords and operators that contain tainted characters
XSS - examine HTML for tainted JavaScript
Details of how to do this are well-documented in the previous literature and not the focus of this work [2]
[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL '06.

BENEFITS
Provides a basis to protect from command injection attacks
Simple, easy to adopt and deploy:
  Server-side change
  One-time modification
  No change to web application byte code
  No need for web application source code
  Works immediately with Java legacy applications
Efficient

BENEFITS CONT'D
Handles web applications that call string methods reflectively
Java reflection allows calls to methods selected at runtime
Our approach can track the taint for these reflected calls

LIMITATIONS
For backwards compatibility we do not record taint status in the serialized form
May lose taint status via string operations with chars and char arrays
Cannot hold taint status in primitives
Does not defend against malicious web developers

PERFORMANCE
Overhead: 0-15%

CONTRIBUTIONS
Efficient character-level taint tracking
Runtime overhead <15%
Works immediately for Java legacy code
Easy to adopt and deploy

Thank you! Any questions?
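Added example for the propagation slides (BASIC TAINT PROPAGATION through OPTIMIZED TAINT PROPAGATION). This is not the paper's modified java.lang.String; it is a standalone class whose name (TaintedString) and methods (trusted, untrusted, concat, substring, taintMap) are my own. It models the scheme the slides describe: a String value with a parallel boolean[] of per-character taint flags that stays null until a tainted character enters the value, so operations on fully untainted strings copy no taint array at all. untrusted(...) stands in for the source tainting of a request parameter, and the main method replays the slide 10 snippet with a constructed value in place of request.getParameter("city").

```java
import java.util.Arrays;

/** Model of a character-level tainted string with lazily allocated taint array (added example). */
public final class TaintedString {
    private final String value;
    private final boolean[] taint;   // null means every character is untainted

    private TaintedString(String value, boolean[] taint) {
        this.value = value;
        this.taint = taint;
    }

    /** A literal or other trusted string: no taint array is allocated. */
    public static TaintedString trusted(String s) {
        return new TaintedString(s, null);
    }

    /** Source tainting: data read from the HTTP request is fully tainted. */
    public static TaintedString untrusted(String s) {
        boolean[] t = new boolean[s.length()];
        Arrays.fill(t, true);
        return new TaintedString(s, s.isEmpty() ? null : t);
    }

    public boolean isTainted(int i) {
        return taint != null && taint[i];
    }

    /** True when a taint array is held, i.e. at least one character is tainted. */
    public boolean hasTaintArray() {
        return taint != null;
    }

    /** concat: when neither operand carries taint, the result carries none and no array is copied. */
    public TaintedString concat(TaintedString other) {
        String joined = value.concat(other.value);
        if (taint == null && other.taint == null) {
            return new TaintedString(joined, null);
        }
        boolean[] t = new boolean[joined.length()];   // fresh array: untainted positions default to false
        if (taint != null) {
            System.arraycopy(taint, 0, t, 0, value.length());
        }
        if (other.taint != null) {
            System.arraycopy(other.taint, 0, t, value.length(), other.value.length());
        }
        return new TaintedString(joined, t);
    }

    /** substring: the slice drops its taint array again if it holds no tainted character. */
    public TaintedString substring(int begin, int end) {
        String part = value.substring(begin, end);
        if (taint == null) {
            return new TaintedString(part, null);
        }
        boolean[] t = Arrays.copyOfRange(taint, begin, end);
        boolean any = false;
        for (boolean b : t) {
            any |= b;
        }
        return new TaintedString(part, any ? t : null);
    }

    /** Renders the taint flags as a T/F string aligned with the characters, like the slide figures. */
    public String taintMap() {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            sb.append(isTainted(i) ? 'T' : 'F');
        }
        return sb.toString();
    }

    @Override
    public String toString() {
        return value;
    }

    public static void main(String[] args) {
        // Slide 10 snippet; "Berkeley" is a constructed stand-in for request.getParameter("city")
        TaintedString city = TaintedString.untrusted("Berkeley");
        TaintedString punctuation = TaintedString.trusted(", ");
        TaintedString state = TaintedString.trusted("CA");
        TaintedString temp = punctuation.concat(state);       // both untainted: no array allocated
        TaintedString location = city.concat(temp);           // tainted prefix: array allocated once
        TaintedString stateOnly = location.substring(10, 12); // untainted slice: array dropped again

        System.out.println("temp      = \"" + temp + "\"  taint array: " + temp.hasTaintArray());
        System.out.println("location  = \"" + location + "\"  taint map: " + location.taintMap());
        System.out.println("stateOnly = \"" + stateOnly + "\"  taint array: " + stateOnly.hasTaintArray());
    }
}
```

Running main reproduces the slide 14 figure: temp and stateOnly report no taint array, while location's taint map is eight T flags for "Berkeley" followed by four F flags for ", CA". The slide 19 limitation also shows up naturally in this design: value.toCharArray() would hand out a plain char[] with no taint, so any code path that rebuilds a String from chars loses the flags.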
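Added example for the SQL sink check on the SINK CHECKING slide. This is not the paper's JDBC instrumentation (which the slides say follows Su and Wassermann [2]); the class name SqlSinkCheck, the small KEYWORDS set and the tokenizer are my own simplified assumptions. It takes a query string together with a parallel boolean[] taint array of the kind the propagation slides describe, tokenizes the query, and rejects it when any SQL keyword, operator, punctuation or quote delimiter contains a tainted character; characters inside a string literal or a numeric literal are data and may be tainted. The main method runs it over the slide 3 example with a constructed taint array in which only the studentName characters are tainted.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;

/** Simplified SQL sink check over a query and its per-character taint array (added example). */
public final class SqlSinkCheck {
    // Small keyword set for the example; a real sink would use the full SQL dialect
    private static final Set<String> KEYWORDS = Set.of(
            "select", "from", "where", "and", "or", "insert", "update", "delete",
            "drop", "table", "union", "into", "values", "set", "like", "not");

    private static boolean anyTainted(boolean[] taint, int from, int to) {
        for (int i = from; i < to; i++) {
            if (taint[i]) {
                return true;
            }
        }
        return false;
    }

    /** Returns null when the query is safe, otherwise the first control token that contains a tainted character. */
    public static String findTaintedControlToken(String sql, boolean[] taint) {
        int n = sql.length();
        int i = 0;
        while (i < n) {
            char c = sql.charAt(i);
            int start = i;
            if (Character.isWhitespace(c)) {
                i++;
                continue;
            }
            if (c == '\'') {
                // Quote delimiters are control data; the literal body between them is data
                if (taint[i]) {
                    return "'";
                }
                i++;
                while (i < n) {
                    if (sql.charAt(i) == '\'') {
                        if (i + 1 < n && sql.charAt(i + 1) == '\'') { i += 2; continue; } // doubled quote escape
                        break;
                    }
                    i++;
                }
                if (i < n) {                 // closing quote present
                    if (taint[i]) {
                        return "'";
                    }
                    i++;
                }
                continue;
            }
            if (Character.isLetter(c) || c == '_') {
                while (i < n && (Character.isLetterOrDigit(sql.charAt(i)) || sql.charAt(i) == '_')) {
                    i++;
                }
                String word = sql.substring(start, i);
                if (KEYWORDS.contains(word.toLowerCase(Locale.ROOT)) && anyTainted(taint, start, i)) {
                    return word;
                }
                continue;                    // identifiers and non-keyword words are left alone here
            }
            if (Character.isDigit(c)) {
                while (i < n && Character.isDigit(sql.charAt(i))) {
                    i++;
                }
                continue;                    // numeric literal: tainted digits are data
            }
            // Everything else is an operator or punctuation ("--" comment start kept as one token)
            if (c == '-' && i + 1 < n && sql.charAt(i + 1) == '-') {
                i += 2;
            } else {
                i++;
            }
            if (anyTainted(taint, start, i)) {
                return sql.substring(start, i);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String prefix = "SELECT * FROM students WHERE name = '";   // literal in the servlet: untainted
        String suffix = "'";
        String[] inputs = { "Bobby", "Bobby'; DROP TABLE students; --" };   // constructed, from slide 3
        for (String studentName : inputs) {
            String query = prefix + studentName + suffix;
            boolean[] taint = new boolean[query.length()];
            // Only the characters that came from the request parameter are tainted
            Arrays.fill(taint, prefix.length(), prefix.length() + studentName.length(), true);
            String hit = findTaintedControlToken(query, taint);
            System.out.println(query);
            System.out.println(hit == null ? "  accepted: no tainted control token"
                                           : "  rejected: tainted control token \"" + hit + "\"");
        }
    }
}
```

For the benign name every tainted character sits inside the string literal, so the query is accepted; for the attack string the first tainted character that is not literal data is the single quote that closes the literal early, and the check rejects the query at that token before the tainted DROP keyword is even reached. Note that the taint array, not the characters themselves, is what distinguishes the two cases: a developer-written literal quote at the same position would be untainted and pass.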