Efficient Character-level Taint Tracking for Java


EFFICIENT CHARACTER-LEVEL TAINT TRACKING FOR JAVA
Erika Chin
David Wagner
UC Berkeley
WEB APPLICATIONS
 80% of all web applications are vulnerable to attack [1]
 Most are command injection attacks (mixed control and data channel):
   SQL injection
   XSS
   HTTP response splitting
   Path traversal
   Shell command injection
[1] J. Grossman. WhiteHat website security statistics report, Aug 2008.
EXAMPLE – SQL INJECTION
Query = "SELECT * FROM students WHERE name = '" + studentName + "'";
What if:
 studentName = Bobby
  "SELECT * FROM students WHERE name = 'Bobby'"
 studentName = Bobby'; DROP TABLE students; --
  "SELECT * FROM students WHERE name = 'Bobby'; DROP TABLE students; --'"
Inspired by XKCD: http://xkcd.com/327/
COMMAND INJECTION ATTACKS
Command Injection Attack   | Command Elements
SQL injection attack       | SQL keywords and operators
XSS                        | JavaScript
HTTP response splitting    | Newlines (CR, LF)
Path traversal             | '/', ".."
Shell command injection    | Shell keywords and operators, meta-characters
A NATURAL APPROACH – TAINT TRACKING AT THE CHARACTER LEVEL
 Others have argued that taint tracking aids the detection of command injection attacks
   Taint tracking reveals what data gets touched by user input
 Attacks are injected into web applications in the form of strings, so we can limit the scope of tracking to strings
 Character-level information narrows the focus to specific portions of the string
OUR FOCUS
 We focus on taint tracking for Java web applications
 Many commercial enterprises use Java for their web services
CHARACTER-LEVEL TAINT TRACKING FOR JAVA
1. Source Tainting: Augment the Java Servlets implementation to mark user input as tainted (Tomcat 6)
2. Taint Propagation: Replace the string-related classes in the Java library with augmented classes that track taint status (IBM JDK6)
3. Sink Checking: At each sink, use the taint information to detect attacks by checking that control data is not tainted
SOURCE TAINTING
 We mark all information from the HTTP request as untrusted: protocol, path, form parameters, HTTP headers, cookies, session id, etc.
Example request:
http://www.youtube.com/results?search_query=rick+roll…
GET /results?search_query=rick+roll&search_type=&aq…
Host: www.youtube.com
…
Referrer: http://www.youtube.com/
Cookie: use_hitbox=72c46ff6cddcb7c5585…
SOURCE TAINTING: AUGMENTED CLASSES
 Replace the Tomcat Servlet classes with our own modified classes
   javax.servlet.http.HttpServletRequest
   javax.servlet.http.Cookie
   javax.servlet.http.HttpSession
   org.apache.catalina.connector.CoyoteReader
BASIC TAINT PROPAGATION
Example code snippet:
String city = request.getParameter("city");   // user input: tainted
String punctuation = ", ";                     // literal: untainted
String state = "CA";                           // literal: untainted
String temp = punctuation.concat(state);
String location = city.concat(temp);
TAINT PROPAGATION: ORIGINAL STRING CLASS
Each String holds only a char[]:
city          char[]: [B,e,r,k,e,l,e,y]
punctuation   char[]: [,, ]
state         char[]: [C,A]
temp = punctuation.concat(state)
              char[]: [,, ,C,A]
city.concat(temp)
              char[]: [B,e,r,k,e,l,e,y,,, ,C,A]
TAINT PROPAGATION: MODIFIED STRING CLASS
Each String holds a char[] and a parallel boolean[] (T = tainted, F = untainted):
city          char[]: [B,e,r,k,e,l,e,y]   boolean[]: [T,T,T,T,T,T,T,T]
punctuation   char[]: [,, ]               boolean[]: [F,F]
state         char[]: [C,A]               boolean[]: [F,F]
temp = punctuation.concat(state)
              char[]: [,, ,C,A]           boolean[]: [F,F,F,F]
city.concat(temp)
              char[]: [B,e,r,k,e,l,e,y,,, ,C,A]
              boolean[]: [T,T,T,T,T,T,T,T,F,F,F,F]
OPTIMIZED TAINT PROPAGATION
 To reduce the overhead of taint tracking, only track taint when necessary
 Only allocate the boolean taint array once the String contains a tainted character
 Reduces overhead by eliminating array copies for operations on fully untainted strings
OPTIMIZED TAINT PROPAGATION
The boolean[] stays null until a tainted character is present:
city          char[]: [B,e,r,k,e,l,e,y]   boolean[]: [T,T,T,T,T,T,T,T]
punctuation   char[]: [,, ]               boolean[]: null
state         char[]: [C,A]               boolean[]: null
temp = punctuation.concat(state)
              char[]: [,, ,C,A]           boolean[]: null
city.concat(temp)
              char[]: [B,e,r,k,e,l,e,y,,, ,C,A]
              boolean[]: [T,T,T,T,T,T,T,T,F,F,F,F]
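The basic and optimized propagation slides above, as an added example that is not the authors' modified java.lang.String: a minimal TaintedString model (the class and its fromSource/literal factories are assumed names) that keeps the boolean[] null until a tainted character is present, so concatenating two untainted strings copies no taint array.

```java
import java.util.Arrays;

// Added example, not the authors' modified java.lang.String: a minimal model of
// the optimized propagation, where the boolean[] taint array stays null until a
// tainted character is present, so fully untainted concatenations copy no taint.
public final class TaintedString {
    private final char[] value;
    private final boolean[] taint;   // null means "no character is tainted"
    private TaintedString(char[] value, boolean[] taint) {
        this.value = value;
        this.taint = taint;
    }

    /** Untrusted source data (e.g. a request parameter): every char is tainted. */
    public static TaintedString fromSource(String s) {
        boolean[] t = new boolean[s.length()];
        Arrays.fill(t, true);
        return new TaintedString(s.toCharArray(), t);
    }

    /** Trusted literal: no taint array is allocated. */
    public static TaintedString literal(String s) {
        return new TaintedString(s.toCharArray(), null);
    }

    public TaintedString concat(TaintedString other) {
        char[] chars = Arrays.copyOf(value, value.length + other.value.length);
        System.arraycopy(other.value, 0, chars, value.length, other.value.length);
        if (taint == null && other.taint == null) {
            return new TaintedString(chars, null);   // no boolean[] copy at all
        }
        boolean[] t = new boolean[chars.length];     // defaults to all false
        if (taint != null) System.arraycopy(taint, 0, t, 0, taint.length);
        if (other.taint != null) System.arraycopy(other.taint, 0, t, value.length, other.taint.length);
        return new TaintedString(chars, t);
    }

    public boolean isTainted(int index) { return taint != null && taint[index]; }
    public boolean hasTaintArray() { return taint != null; }
    @Override public String toString() { return new String(value); }

    public static void main(String[] args) {
        TaintedString city = fromSource("Berkeley");   // stands in for request.getParameter("city")
        TaintedString temp = literal(", ").concat(literal("CA"));
        TaintedString location = city.concat(temp);
        System.out.println("temp allocated a taint array: " + temp.hasTaintArray());
        for (int i = 0; i < location.toString().length(); i++)
            System.out.print(location.isTainted(i) ? 'T' : 'F');   // one flag per char of "Berkeley, CA"
        System.out.println();
    }
}
```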
TAINT PROPAGATION: AUGMENTED CLASSES
 java.lang.String
 java.lang.StringBuffer
 java.lang.StringBuilder
SINK CHECKING
 Sinks can use taint information to detect commands in user-supplied data
   SQL – instrument the JDBC to parse the SQL queries and check for SQL keywords and operators that contain tainted characters
   XSS – examine HTML for tainted JavaScript
 Details of how to do this are well-documented in the previous literature and not the focus of this work [2]
[2] Su and Wassermann. The essence of command injection attacks in web applications. POPL ’06.
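The SQL sink check described above, as an added example that is not the authors' JDBC instrumentation: a simplified scanner (the SqlSinkCheck class, its keyword set and the taintedControlTokens method are assumed names) that walks the query with its per-character boolean[] and reports any keyword, operator, quote or comment marker that contains a tainted character; a tainted character inside a string literal is data and is not reported.

```java
import java.util.*;

// Added example, not the authors' JDBC instrumentation: a simplified SQL sink
// check. Taint is the per-character boolean[] from the propagation slides; any
// keyword, operator, quote or comment marker containing a tainted char is reported.
public final class SqlSinkCheck {
    private static final Set<String> KEYWORDS = Set.of("SELECT", "FROM", "WHERE",
            "DROP", "TABLE", "UNION", "OR", "AND", "INSERT", "DELETE", "UPDATE");
    /** Returns the control tokens whose characters came (even partly) from user input. */
    public static List<String> taintedControlTokens(String sql, boolean[] taint) {
        List<String> bad = new ArrayList<>();
        int i = 0, n = sql.length();
        while (i < n) {
            char c = sql.charAt(i);
            int j;
            if (c == '\'') {                        // literal: contents are data, quotes are control
                j = i + 1;
                while (j < n && sql.charAt(j) != '\'') j++;
                if (taint[i] || (j < n && taint[j])) bad.add(sql.substring(i, Math.min(j + 1, n)));
                j = Math.min(j + 1, n);
            } else if (Character.isLetter(c)) {     // identifier or keyword
                j = i;
                while (j < n && Character.isLetterOrDigit(sql.charAt(j))) j++;
                String word = sql.substring(i, j);
                if (KEYWORDS.contains(word.toUpperCase()) && anyTainted(taint, i, j)) bad.add(word);
            } else if (Character.isWhitespace(c)) {
                j = i + 1;
            } else {                                // operator, punctuation or "--" comment to end of line
                j = (c == '-' && i + 1 < n && sql.charAt(i + 1) == '-') ? n : i + 1;
                if (anyTainted(taint, i, j)) bad.add(sql.substring(i, j));
            }
            i = j;
        }
        return bad;
    }

    private static boolean anyTainted(boolean[] taint, int from, int to) {
        for (int k = from; k < to; k++) if (taint[k]) return true;
        return false;
    }
    public static void main(String[] args) {
        String prefix = "SELECT * FROM students WHERE name = '";
        String studentName = "Bobby'; DROP TABLE students; --";   // constructed input, from the slide 3 example
        String sql = prefix + studentName + "'";
        boolean[] taint = new boolean[sql.length()];              // only the studentName chars are tainted
        Arrays.fill(taint, prefix.length(), prefix.length() + studentName.length(), true);
        System.out.println(taintedControlTokens(sql, taint));
    }
}
```

On the slide's input, the reported tokens are the quote that closes the literal, the two semicolons, DROP, TABLE and the trailing comment marker; with studentName = Bobby the list is empty, since every tainted character then sits inside the literal.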
BENEFITS
 Provides a basis to protect from command injection attacks
 Simple, easy to adopt and deploy
   Server-side change
   One-time modification
   No change to web application byte code
   No need for web application source code
   Works immediately with Java legacy applications
 Efficient
BENEFITS CON’T
 Handles web applications that call string methods reflectively
   Java reflection allows calls to methods selected at runtime
   Our approach can track the taint for these reflected calls
LIMITATIONS
 For backwards compatibility we do not record taint status in the serialized form
 May lose taint status via string operations with chars and char arrays
   Cannot hold taint status in primitives
 Does not defend against malicious web developers
PERFORMANCE OVERHEAD: 0-15%
CONTRIBUTIONS
 Efficient character-level taint tracking
   Runtime overhead <15%
 Works immediately for Java legacy code
 Easy to adopt and deploy
Thank you!
Any questions?