Post on 22-Dec-2015
λλ Language-Based Security
TAJ: Effective Taint Analysis of Web Applications
PLDI 2009
Omer Tripp, IBM Software Group, omert@il.ibm.com
Marco Pistoia, IBM T. J. Watson Research Center, pistoia@us.ibm.com
Stephen Fink, IBM T. J. Watson Research Center, sjfink@us.ibm.com
Manu Sridharan, IBM T. J. Watson Research Center, msridhar@us.ibm.com
Omri Weisman, IBM Software Group, weisman@il.ibm.com
www.research.ibm.com/labasec
PLDI 2009 2
LaBaSec
OWASP* Top Ten Security Vulnerabilities
1. Cross-site scripting (XSS)
2. Injection flaws
3. Malicious file executions
4. Insecure direct object reference
5. Cross site request forgery (CSRF)
6. Information leakage and improper error handling
7. Broken authentication and improper session management
8. Unsecure cryptographic storage
9. Unsecure communications
10. Failure to restrict URL accesses
* Open Web Application Security Project (OWASP): http://www.owasp.org
Existing Static-Analysis Solutions
Type systems: Complex, conservative, require code annotations
Classic slicing: Has not been shown to scale to large applications while maintaining sufficient accuracy
Contributions of TAJ
Hybrid thin slicing
Sound, effective modeling of Web applications
Bounded-analysis techniques
Implementation, productization* and extensive evaluation
* IBM Rational AppScan:http://www.ibm.com/software/awdtools/appscan/
Motivating Example*
* Inspired by Refl1 in SecuriBench Micro
[Figure: source code of the example, shown over six slide builds that highlight, in turn:]
Taint Flow #1
Sanitizer; Taint Flow #2
Non-tainted; Taint Flow #3
Reflection
Different Map Keys
Object Fields
Outline of TAJ
Algorithm consists of 2 stages:
1. Global pointer analysis
2. Slicing based on resulting call graph
Rich set of models
Effective reports
Efficient behavior under restricted budget
Dimensions of Precision
Pointer analysis is a variant of Andersen's analysis
Custom context-sensitivity policy:
  Unlimited-depth object sensitivity for Java collections (up to recursion)
  One level of call-string context for factory methods
  One level of call-string context for taint APIs
  One-level receiver-object context sensitivity as default
Analysis is field sensitive
Analysis is intraprocedurally flow sensitive and interprocedurally flow insensitive (accounting for multithreaded code)
Hybrid System Dependence Graph
[Figure: an example hybrid SDG over nodes st1–st5, l1–l5, c1–c5, r1–r8, s1–s2 and sk1–sk2, with the slice in the no-heap SDG highlighted. Legend:]
st_i: Store statement
l_i: Load statement
sk_i: Sink-dispatch statement
c_i: Call statement
r_i: Return statement
s_i: Other statement
Edge kinds:
Store-to-load direct edge (computed based on preliminary pointer analysis)
Load-to-store or load-to-sink summary edge (computed using graph reachability over a no-heap SDG)
No-heap SDG edge
Modeling Web Applications
Taint carriers: String, StringBuilder, StringBuffer
Reflection: Class.forName, Method.invoke
Native methods: Thread.start, AccessController.doPrivileged
Map keys: map.put("key1", taint); nontaint = map.get("key2");
JSP
Struts MVC: ConcreteActionForm caf = (ConcreteActionForm) af; DynaActionForm daf = (DynaActionForm) af
Exceptions
EJB: Bean1Bean.m1() -> Bean2.m2() -> Bean2Bean.m2(), resolved through the enterprise bean deployment descriptor:
<ejb-name>Bean1Bean</ejb-name>
<home>Bean1Home</home>
<remote>Bean1</remote>
<ejb-class>Bean1Bean</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Bean1</transaction-type>
<ejb-ref>
  <ejb-ref-name>ejb/Bean2</ejb-ref-name>
  <ejb-ref-type>Session</ejb-ref-type>
  <home>Bean2Home</home>
  <remote>Bean2</remote>
  <ejb-class>Bean2Bean</ejb-class>
</ejb-ref>
[Figure fragment: Internal i1, i1.s]
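The following is an added example, not code from the slides, the TAJ paper or WALA: a small Python model of the hybrid thin slice described on the Hybrid System Dependence Graph slide, run over a constructed straight-line program that mimics the features of the motivating example (a source, a sanitizer, object-field stores and loads through possibly aliased pointers) together with the key-sensitive map model listed above. The statement forms, the points-to sets and the program itself are assumptions of this example; a real analysis would take the points-to sets from the preliminary pointer analysis and the statements from bytecode.

```python
from collections import deque

# Constructed IR (an assumption for this example, not TAJ's representation).
#   ("source", dst)               dst = untrusted input, e.g. a request parameter
#   ("assign", dst, src)          dst = src
#   ("sanitize", dst, src)        dst = sanitizer(src)
#   ("store", base, field, src)   base.field = src   (map.put(k, v) is a store to field "key:k")
#   ("load", dst, base, field)    dst = base.field   (map.get(k)    is a load of field "key:k")
#   ("sink", src)                 security-sensitive use of src


def uses(stmt):
    """Local variables a statement reads. Base pointers of stores and loads are
    deliberately not listed: thin slicing follows value flow, not pointer flow."""
    kind = stmt[0]
    if kind in ("assign", "sanitize"):
        return [stmt[2]]
    if kind == "store":
        return [stmt[3]]
    if kind == "sink":
        return [stmt[1]]
    return []


def defines(stmt):
    kind = stmt[0]
    return stmt[1] if kind in ("source", "assign", "sanitize", "load") else None


def build_hybrid_sdg(program, points_to):
    """Predecessor map over statement indices.

    No-heap edges: def-use on locals (straight-line code, so the latest def wins).
    Store-to-load direct edges: store i -> load j when the fields match and the
    constructed points-to sets of the two base pointers intersect, i.e. the
    preliminary pointer analysis says the bases may alias."""
    preds = {i: set() for i in range(len(program))}
    last_def = {}
    for j, stmt in enumerate(program):
        for v in uses(stmt):
            if v in last_def:
                preds[j].add(last_def[v])
        if stmt[0] == "load":
            _, _, base, field = stmt
            for i in range(j):
                s = program[i]
                if s[0] == "store" and s[2] == field and points_to[s[1]] & points_to[base]:
                    preds[j].add(i)
        d = defines(stmt)
        if d is not None:
            last_def[d] = j
    return preds


def taint_flows(program, points_to):
    """Backward thin slice from every sink over the hybrid SDG.
    A sanitizer is a cut point: the slice does not continue past it, so a
    source reachable only through a sanitizer is not reported.
    Returns (source_index, sink_index, path_from_source_to_sink) triples."""
    preds = build_hybrid_sdg(program, points_to)
    flows = []
    for sink, stmt in enumerate(program):
        if stmt[0] != "sink":
            continue
        parent = {sink: None}
        work = deque([sink])
        while work:
            n = work.popleft()
            kind = program[n][0]
            if kind == "sanitize":
                continue
            if kind == "source":
                path, m = [], n
                while m is not None:
                    path.append(m)
                    m = parent[m]
                flows.append((n, sink, path))
                continue
            for p in sorted(preds[n]):
                if p not in parent:
                    parent[p] = n
                    work.append(p)
    return flows


# Constructed program, inspired by the labels of the motivating example.
PROGRAM = [
    ("source", "s"),                   # 0: s = request.getParameter("name")
    ("sanitize", "clean", "s"),        # 1: clean = sanitizer(s)
    ("store", "o", "f", "s"),          # 2: o.f = s
    ("store", "p", "f", "clean"),      # 3: p.f = clean
    ("load", "x", "q", "f"),           # 4: x = q.f   (q may point to o's or p's object)
    ("sink", "x"),                     # 5: flow: tainted via the o.f store
    ("store", "m", "key:key1", "s"),   # 6: m.put("key1", s)
    ("load", "y", "m", "key:key2"),    # 7: y = m.get("key2")
    ("sink", "y"),                     # 8: no flow: different map keys
    ("sink", "clean"),                 # 9: no flow: sanitized
    ("load", "z", "m", "key:key1"),    # 10: z = m.get("key1")
    ("sink", "z"),                     # 11: flow: same map key
]
# Constructed points-to sets standing in for the preliminary pointer analysis.
POINTS_TO = {"o": {"O1"}, "p": {"O2"}, "q": {"O1", "O2"}, "m": {"M"}}

if __name__ == "__main__":
    for src, snk, path in taint_flows(PROGRAM, POINTS_TO):
        print(f"source@{src} -> sink@{snk} via {path}")
```

Only two of the four sinks are reported: the sink at statement 5 (the tainted value reaches it through the aliased field store) and the sink at statement 11 (same map key). The sink at statement 8 is silent because a load of "key2" never gets a store-to-load edge from the put of "key1", and the sink at statement 9 is silent because the slice stops at the sanitizer.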
Eliminating Redundant Flows
Flows are equivalent iff:
  Parts under application code coincide
  Sinks correspond to the same issue type
Dramatically improves user experience (on JBoard, x25 fewer reports)
Sound, minimal with respect to remediation
[Figure: flows through nodes n1–n11, spanning application and library code, ending at sinks with the same issue type]
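An added Python example (not the slides' or TAJ's code) of the equivalence relation stated on this slide. Each flow is a list of (node, in_application_code) pairs plus the issue type reported at its sink; the node names and the flows are constructed for the example. The last function illustrates why the reduction is sound with respect to remediation: a fix placed on the application part of a witness removes every flow in its class.

```python
def flow_signature(flow):
    """Equivalence key from the slide: the application-code part of the flow
    (library nodes dropped, order kept) together with the sink's issue type."""
    app_part = tuple(node for node, in_app in flow["path"] if in_app)
    return (app_part, flow["issue"])


def eliminate_redundant_flows(flows):
    """Keep one witness per equivalence class and count what it stands for."""
    classes = {}
    for flow in flows:
        classes.setdefault(flow_signature(flow), []).append(flow)
    return [{"witness": group[0], "collapsed": len(group), "issue": key[1]}
            for key, group in classes.items()]


def flows_cut_by_fixing(flows, app_node):
    """Flows that disappear if the developer sanitizes at app_node. Because
    equivalent flows share their application part, fixing any application node
    of a witness also fixes every flow the witness collapsed."""
    return [f for f in flows
            if any(n == app_node and in_app for n, in_app in f["path"])]


# Constructed flows. The three XSS flows differ only inside library code
# (how the tainted string is concatenated), so they form one class.
FLOWS = [
    {"issue": "XSS", "path": [("Form.read", True), ("String.concat", False),
                               ("View.render", True), ("PrintWriter.println", False)]},
    {"issue": "XSS", "path": [("Form.read", True), ("StringBuilder.append", False),
                               ("StringBuilder.toString", False),
                               ("View.render", True), ("PrintWriter.println", False)]},
    {"issue": "XSS", "path": [("Form.read", True), ("View.render", True),
                               ("PrintWriter.println", False)]},
    {"issue": "SQLi", "path": [("Form.read", True), ("Dao.lookup", True),
                                ("Statement.executeQuery", False)]},
]

if __name__ == "__main__":
    for report in eliminate_redundant_flows(FLOWS):
        app_part, _ = flow_signature(report["witness"])
        print(report["issue"], "x", report["collapsed"], "->", " -> ".join(app_part))
```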
Priority-driven Call-graph Construction
Priority queue used to govern call-graph growth
Sources are assigned priority 0 (most important)
Recursively, for each "neighbor" t of node n: priority(t) = min{(priority(n) + 1), priority(t)}
Propagate priorities to fixed point
"Locality-of-taint" principle
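The propagation rule above, implemented as an added Python example (not TAJ's or WALA's code) over a constructed call graph. Two simplifications are assumptions of this example rather than TAJ's design: the resolved call edges are given up front instead of being discovered while the graph is built, and "neighbor" is read as both callers and callees. The method names are made up.

```python
import heapq


def neighbor_map(callees):
    """Undirected neighbor relation (callers and callees) over the call edges."""
    nbrs = {}
    for caller, targets in callees.items():
        nbrs.setdefault(caller, set())
        for t in targets:
            nbrs.setdefault(t, set())
            nbrs[caller].add(t)
            nbrs[t].add(caller)
    return nbrs


def propagate_priorities(callees, sources):
    """Sources get priority 0; every other node starts at infinity. Apply
    priority(t) = min(priority(n) + 1, priority(t)) for each neighbor t of n
    until nothing changes (the fixed point on the slide)."""
    nbrs = neighbor_map(callees)
    inf = float("inf")
    priority = {n: (0 if n in sources else inf) for n in nbrs}
    changed = True
    while changed:
        changed = False
        for n, ts in nbrs.items():
            for t in ts:
                if priority[n] + 1 < priority[t]:
                    priority[t] = priority[n] + 1
                    changed = True
    return priority


def build_bounded_call_graph(callees, roots, sources, budget):
    """Grow the call graph from the roots, always expanding the lowest-priority
    node first, and stop after `budget` expansions. Methods far from any source
    (high priority) are the ones left unexplored when the budget runs out,
    which is the locality-of-taint principle in action."""
    priority = propagate_priorities(callees, sources)
    heap = [(priority[r], r) for r in roots]
    heapq.heapify(heap)
    discovered = set(roots)
    expanded = []
    while heap and len(expanded) < budget:
        _, n = heapq.heappop(heap)
        expanded.append(n)
        for t in callees.get(n, ()):
            if t not in discovered:
                discovered.add(t)
                heapq.heappush(heap, (priority[t], t))
    return expanded, priority


# Constructed call edges for a tiny servlet; only getParameter is a taint source.
CALLEES = {
    "Servlet.doGet": ["Form.read", "Report.render"],
    "Form.read": ["HttpServletRequest.getParameter", "Form.escape"],
    "Report.render": ["Report.layout"],
    "Report.layout": ["Report.paginate"],
}
SOURCES = {"HttpServletRequest.getParameter"}

if __name__ == "__main__":
    expanded, priority = build_bounded_call_graph(CALLEES, ["Servlet.doGet"], SOURCES, budget=4)
    for m in expanded:
        print(priority[m], m)
```

With a budget of four expansions the builder visits doGet, Form.read, getParameter and Form.escape, and never reaches the report-rendering chain, whose priorities are 3, 4 and 5.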
Experimental Setup
Five variants assessed:
1. Context sensitive (CS)
2. Context insensitive (CI)
3. Unbounded hybrid (i.e., running to completion)
4. Prioritized hybrid (i.e., call graph bounded, priority-driven scheme)
5. Fully optimized hybrid (i.e., prioritized, "long" flows eliminated, taint depth restricted, slice size bounded)
All implemented on top of WALA*
* IBM Watson Libraries for Analysis: http://wala.sf.net
Experimental Results – Accuracy
[Table of accuracy results: not recoverable from the transcript]
Experimental Results – Performance
Conclusion
Effective solution for taint analysis of Web applications based on pointer analysis and hybrid thin slicing
Efficient strategies for analysis under limited budget
General models for frameworks and other programming constructs
Thorough evaluation and productization
Future Work
Detailed comparison of demand-driven and priority-driven schemes
String analysis
More languages
Coverage of more attack vectors