Dynamic Taint Propagation
TRANSCRIPT
-
8/14/2019 Dynamic Taint Propagation
1/49
Dynamic Taint Propagation
Rick McPhee, Dir. Engineering, Fortify
March 31 to April 2, 2009

Overview
Motivation
Dynamic taint propagation
Integrating with QA

Motivation

Security vs. Software Development
(Figure: "Software Development" on one side, "Security" on the other)

Security vs. Software Development
(Figure: "Software Development" / "Security"; "Programmers" / "Testers")

Team Sizes at Microsoft
(Figure only)

QA Testers vs. Security Testers
QA Testers                                    Security Testers
Know the program.                             Know security.
Need high functional coverage.                Need to find at least one vulnerability.
Lots of time and resources (comparatively).   Often arrive at the party late and are asked to leave early.

Typical Security Testing
(Figure: "Program Under Test" with marked vulnerabilities; "Test case to prove it.")

Fault Injection Testing: Failings
Bad input derails normal program flow
Cannot mutate functional tests and retain coverage
(Figure: Add to cart -> Enter Address -> Enter CC, with an Input at each step)

Fault Injection Testing: Failings
Result: bad test coverage
Result: missed vulnerabilities
(Figure: Add to cart -> Enter Address -> Enter CC, with an Input at each step)

Problem Summary
QA team has, security team lacks:
    Good test coverage
    Time and resources
Security team has, QA team lacks:
    Security expertise

Involve QA in Security
Ease of use
    Favor false negatives over false positives
    Expect the security team to test too
Leverage existing QA tests
    Achieve high coverage
    Must be transformed into security tests

Dynamic Taint Propagation

Dynamic Taint Propagation
Follow untrusted data through the program and identify the points where it is misused

Example: SQL Injection
    ...
    user = request.getParameter("user");   // untrusted input enters here
    try {
        sql = "SELECT * FROM users " +
              "WHERE id='" + user + "'";    // input is concatenated into the query
        stmt.executeQuery(sql);             // sensitive sink
    }

Tracking Taint
Associate a taint marker with untrusted input as it enters the program
Propagate markers when string values are copied or concatenated
Report vulnerabilities when tainted strings are passed to sensitive sinks

Java: Foundations
Add taint storage to java.lang.String
(Figure: String layout before: Length | Body; after: Length | Taint | Body)

Java: Foundations
StringBuilder and StringBuffer propagate taint markers appropriately
    Tainted   + Tainted   = Tainted
    Untainted + Tainted   = Tainted
    Untainted + Untainted = Untainted

Java: Sources
Instrument methods that introduce input to initialize taint markers:
    HttpServletRequest.getParameter()
    PreparedStatement.executeQuery()
    FileReader.read()
    System.getenv()

Java: Sinks
Instrument sensitive methods to check for taint markers before executing:
    Statement.executeQuery()
    JspWriter.print()
    new File()
    Runtime.exec()

Example: SQL Injection
    ...
    user = request.getParameter("user");   // source
    try {
        sql = "SELECT * FROM users " +
              "WHERE id='" + user + "'";    // propagation through concatenation
        stmt.executeQuery(sql);             // sink
    }

Example: SQL Injection
    ...
    user = request.getParameter("user");
    TaintUtil.setTaint(user, 1);                  // source: mark the input as tainted
    try {
        sql = "SELECT * FROM users " +
              "WHERE id='" + user + "'";
        TaintUtil.setTaint(sql, user.getTaint());  // propagate the marker into sql
        TaintUtil.checkTaint(sql);                 // sink check: report if sql is tainted
        stmt.executeQuery(sql);
    }
    ...

Results Overview

Security Coverage

SQL Injection Issue

Source Information

Sink Information

Where Is The Problem?
Severity: Critical
Category: SQL Injection
URL: /splc/listMyItems.do
Class: com.order.splc.ItemService
Line: 196
Query:
    select * from item where item name = adam and ...
Stack Trace:
    java.lang.Throwable
        at StackTrace$FirstNested$SecondNested.(StackTrace.java:267)
        at StackTrace$FirstNested.(StackTrace.java:256)
        at StackTrace.(StackTrace.java:246)
        at StackTrace.main(StackTrace.java:70)

Instrumentation Techniques
Instrument JRE classes once
Two techniques to instrument the program
    Compile-time: rewrite program class files on disk
    Run-time: augment the J2EE class loader to rewrite the program as it is loaded

Aspect-Oriented Programming
Express cross-cutting concerns independently of program logic (aspects)
Open source frameworks
    AspectJ (Java)
    AspectDNG (.NET)
Build on top of bytecode libraries (e.g., BCEL, ASM)

Instrument Inside or Outside?
Inside the function body
    Lower instrumentation cost
Outside, at the function call
    Lower runtime cost / better reporting

Types of Taint
Track distinct sources of untrusted input
    Report XSS on data from the web or the database, but not from the file system
Distinguish between different sources when reporting vulnerabilities
    Prioritize remotely exploitable vulnerabilities

Java: Foundations II
Add taint storage and source information to java.lang.String
(Figure: String layout before: Length | Body; after: Length | Taint | Source | Body)

Sources of Inaccuracy

Types of Inaccuracy
False positives: erroneous bug reports
    Make the tool painful for the user
False negatives: unreported real bugs
    Damage the value of the tool

False Positives: Unrecognized Validation

False Positives: Impossible Code Path
Paths that regular data can take that malicious data cannot
Need to provide cleanse rules in dynamic taint analysis
    Remove taint when a string is input to a regular expression, compared to a static string, etc.
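The following is an added example, not code from the talk or from Fortify's product: a Python model of the mechanism the slides describe, covering the taint marker on strings and its propagation through concatenation (Tracking Taint, Java: Foundations), source and sink instrumentation and the SQL injection example, per-source taint bits (Types of Taint, Java: Foundations II), and a regular-expression cleanse rule (this slide). Every name here (TaintedStr, get_parameter, read_file, execute_query, jsp_print, validate, run_demo) and the request dictionary are assumptions constructed for the model; the real instrumentation rewrites java.lang.String and the JRE classes in bytecode rather than subclassing.

```python
import re

# Taint types: one bit per kind of untrusted source, so a sink can tell where
# data came from (the extra "Source" field the talk adds to java.lang.String).
WEB, DB, FILE, ENV = 1, 2, 4, 8
ANY = WEB | DB | FILE | ENV
REMOTE = WEB | DB          # reachable by a remote attacker: ranked higher


def taint_of(value):
    """Plain str literals carry no marker; a TaintedStr carries its bitmask."""
    return getattr(value, "taint", 0)


class TaintedStr(str):
    """str plus a taint bitmask (assumed model of the instrumented String):
    concatenation and substrings propagate the marker like StringBuilder."""

    def __new__(cls, value, taint=0):
        obj = super().__new__(cls, value)
        obj.taint = taint
        return obj

    def __add__(self, other):              # tainted + x   -> union of markers
        return TaintedStr(str.__add__(self, other), self.taint | taint_of(other))

    def __radd__(self, other):             # x + tainted   -> union of markers
        return TaintedStr(str.__add__(other, self), taint_of(other) | self.taint)

    def __getitem__(self, key):            # substring copies keep the marker
        return TaintedStr(str.__getitem__(self, key), self.taint)


# Sources: the instrumented input methods initialise the marker on entry.
def get_parameter(request, name):          # stands in for HttpServletRequest.getParameter()
    return TaintedStr(request[name], WEB)


def read_file(contents):                   # stands in for FileReader.read(); contents constructed
    return TaintedStr(contents, FILE)


# Sinks: check the marker before the sensitive call; remote taint is Critical.
def check_taint(value, sink, forbidden, findings):
    hit = taint_of(value) & forbidden
    if hit:
        findings.append({"sink": sink, "taint": hit, "value": str(value),
                         "severity": "Critical" if hit & REMOTE else "High"})
    return bool(hit)


def execute_query(sql, findings):          # Statement.executeQuery(): any taint is SQLi
    check_taint(sql, "Statement.executeQuery", ANY, findings)
    return "rows"                          # hypothetical result set


def jsp_print(html, findings):             # JspWriter.print(): web/db taint only, not file
    check_taint(html, "JspWriter.print", REMOTE, findings)


# Cleanse rule: a full match against a strict regex removes the marker, so the
# tool does not report a path that malicious data cannot take.
def validate(value, pattern):
    if re.fullmatch(pattern, value) is None:
        raise ValueError("input rejected by validation")
    return TaintedStr(str(value), 0)


def list_items(request, findings):
    """The talk's vulnerable servlet fragment, run under this model."""
    user = get_parameter(request, "user")
    sql = "SELECT * FROM users WHERE id='" + user + "'"   # marker flows into sql
    return execute_query(sql, findings)


def list_items_validated(request, findings):
    user = validate(get_parameter(request, "user"), r"[A-Za-z0-9_]{1,32}")
    sql = "SELECT * FROM users WHERE id='" + user + "'"   # untainted after cleanse
    return execute_query(sql, findings)


def run_demo():
    """Drive the scenarios with a benign functional-test input; returns findings."""
    findings = []
    request = {"user": "adam"}             # constructed request, no attack payload
    list_items(request, findings)          # reported: the path is tainted, payload irrelevant
    list_items_validated(request, findings)  # not reported: cleanse rule applied
    page = "<p>" + read_file("hello") + "</p>"
    jsp_print(page, findings)              # file-system taint: no XSS report
    jsp_print("<p>" + get_parameter(request, "user") + "</p>", findings)  # reported
    # False negative: a char-by-char round trip (string decomposition) drops the marker
    lost = "".join(list(get_parameter(request, "user")))
    execute_query("SELECT 1 WHERE x='" + lost + "'", findings)   # silently missed
    return findings


if __name__ == "__main__":
    for f in run_demo():
        print(f["severity"], f["sink"], repr(f["value"]))
```

Running it reports two findings, both from an ordinary functional-test value ("adam"): the dynamic analysis flags the tainted path, not a malicious payload, which is why existing QA tests can double as security tests. The file-backed page is not reported at the XSS sink because that sink only checks the remote bits, and the char-by-char round trip shows the string-decomposition false negative the talk lists. The cleanse rule models what the analysis must be told so validated data stops being reported; the remediation for the query itself is a parameterised PreparedStatement.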

Countering False Positives: Bug Verification
Training wheels for security testers
    Show which inputs to focus attacks on
    Suggest attack data
    Monitor sinks to determine whether attacks succeed

False Negatives
Taint can go where it can't be followed
    String decomposition
    Native code
    Written to a file or a database and read back
Poor cleanse rules
Poor test coverage
    Only looks at paths that are executed
    Bad QA testing == Bad security testing

Integrating with QA Processes

In Practice
Deployment may require more or less involvement of the central security team
(Figure: spectrum from "Central Security" to "Quality Assurance")

Deployment Activities
(Figure: each activity placed between "Central Security" and "Quality Assurance")
Instrumentation
Functional testing
Triage and Verification
Reporting bugs

Instrumentation
Performed by either Security or QA / Build
Key considerations
    Cover program behavior
    Cover security threats

Functional Testing
Performed by QA
Key considerations
    Maximize code coverage (existing goal)
    Security knowledge is not required

Triage and Verification
Performed by either Security or QA
Key considerations
    Understand issues in program context
    Security knowledge: create exploits
    Assign different bugs to different staff
    Targeted training

Reporting Bugs
Performed by either Security or QA
Key considerations
    Follow usual bug reporting conventions
    Solid remediation advice

Summary

Thank you!
For more information:
Rick McPhee, Sr. Director, Engineering
Fortify
650 358 5637
[email protected]
www.fortify.com