Transcript: Roy Ford
Finding Security Vulnerabilities in Java Applications with Static Analysis
Reviewed by Roy Ford
Me
Graduated from the University of Waterloo with a BMath in 1985
Worked 23 years at Procter & Gamble: Telecom, Networking, Mainframe, App Development, ACF2, Voice and Video
Hope to graduate this year
Static Analysis
Scanning program code, without executing it, to identify potential security problems.
Like a spell checker, except we are looking for potential security weaknesses in the code.
The focus of the paper was the development of a static analysis tool that tests Java servlet applications for unchecked (tainted) user input reaching sensitive operations.
Reason for doing Static Analysis
A review of 250 web applications showed that 92% were vulnerable to a hacker attack.
75% of all attacks target web-based applications.
Firewalls lock out everything except port 80 (HTTP), so the web application itself is the exposed attack surface.
Methods of Injecting Malicious Data
  Parameter tampering
  URL manipulation
  Hidden field manipulation (in an HTML form)
  HTTP header tampering (e.g. the Referer field)
  Cookie poisoning
And what you can do when you inject malicious data
  SQL injection
  Cross-site scripting
  HTTP response splitting: forcing the server to send back two responses to a single request
  Path traversal: reading or writing files outside of the intended directory
  Command injection
Static Analysis Architecture
  Source -> Parse Source -> Analyze Parse Tables (against the Security Rules) -> Report Results
  • A static analysis tool usually works with source code
  • The source code is parsed as a compiler would parse it
  • Rules are then applied to the parse tree to validate it
  • Results are reported back to the user
Paper's Static Analysis Architecture
  Java Bytecode -> Pointer Analysis -> bddbddb Analyzer -> Eclipse UI
  PQL -> Datalog Queries -> bddbddb Analyzer
  • The system reads in Java bytecode (no source code is needed)
  • Pointer analysis is done on the bytecode
  • PQL rules are converted to Datalog queries and fed into the bddbddb analyzer
  • bddbddb generates warnings and feeds the results into Eclipse for reporting
Pointer Analysis
The focus of the tool is tracking the propagation of tainted objects through the system.
  A tainted source is anything the user can modify: input forms, URLs, cookies
  A sink is a place where a tainted value can cause a bad result: SQL statements, command shells
  A derivation is a modification of the tainted value on its way to a sink: usually a String method
The information takes a path through the system, from a source, through derivations, to a sink.
The pointer analysis is what tells the tool which heap objects each variable may refer to, so taint can be tracked on objects rather than on variable names.
Descriptors
  Source & sink descriptor:  (Method, parameter #, path)
  Derivation descriptor:     (Method, source parameter #, source path, dest parameter #, dest path)
A parameter number of -1 denotes the return value of the method. The path is an access path into the object; e (the paper's epsilon) is the empty path, i.e. the parameter object itself.
Descriptor Examples (From the Paper)
  Source descriptor:      (HttpServletRequest.getParameter(String), -1, e)   the return value of getParameter() is tainted
  Sink descriptor:        (Connection.executeQuery(String), 1, e)            the first argument must not be tainted
  Derivation descriptor:  (StringBuffer.append(String), 1, e, -1, e)         taint on the first argument flows to the return value
The sink descriptor is quoted as the slide gives it; in JDBC, executeQuery(String) is actually declared on java.sql.Statement rather than Connection, which is how the PQL sink() query below refers to it.
Program Query Language (PQL)
A language that lets the user specify the source, the sink and the derivation path of a potential security violation.
PQL queries work like regular expressions over program events: if a query matches, a potential security violation has been identified. The tool solves the queries statically over the pointer analysis results, so a match means the flow may happen, not that it was observed at run time.
PQL Example (From the paper)
  query main()
  returns
    object Object sourceObj, sinkObj;
  matches {
    sourceObj := source();
    sinkObj := derived*(sourceObj);
    sinkObj := sink();
  }

  query derived*(object Object x)
  returns
    object Object y;
  uses
    object Object temp;
  matches {
    y := x
    | temp := derived(x); y := derived*(temp);
  }
PQL Example (From the Paper)
  query source()
  returns
    object Object sourceObj;
  uses
    object String[] sourceArray;
    object HttpServletRequest req;
  matches {
    sourceObj = req.getParameter(_)
    | sourceObj = req.getHeader(_)
    | sourceArray = req.getParameterValues(_); sourceObj = sourceArray[]
    | ...
  }

  query sink()
  returns
    object Object sinkObj;
  uses
    object java.sql.Statement stmt;
    object java.sql.Connection con;
  matches {
    stmt.executeQuery(sinkObj)
    | stmt.execute(sinkObj)
    | con.prepareStatement(sinkObj)
    | ...
  }
PQL Example (From the paper)
  query derived(object Object x)
  returns
    object Object y;
  matches {
    y.append(x)
    | y = _.append(x)
    | y = new String(x)
    | y = new StringBuffer(x)
    | y = x.toString()
    | y = x.substring(_, _)
    | y = x.toString(_)
    | ...
  }
Test Results
  Tool tested on 9 open-source Java systems
  Total of 392 sources and 393 sinks
  41 potential security violations reported
    29 confirmed security errors
    12 false positives
Questions
  What problem does this work attempt to solve?
  What are the most important novel contributions?
  Are the conclusions supported?
  What other explanation exists?
  What modification would improve the research?
  Is the analysis sound?
Useful Links
  Technical report (the paper reviewed here)
    http://suif.stanford.edu/~livshits/papers/tr/webappsec_tr.pdf
  Benjamin Livshits' paper presentation
    http://research.microsoft.com/~livshits/papers/ppt/ssec05.ppt#1
  Benjamin Livshits' old Stanford website
    http://suif.stanford.edu/~livshits/
  SecuriBench benchmark test samples
    http://suif.stanford.edu/~livshits/securibench/intro.html
  bddbddb
    http://bddbddb.sourceforge.net/index.html