λ Language Based Security

TAJ: Effective Taint Analysis of Web Applications
PLDI 2009

Omer Tripp, IBM Software Group
Marco Pistoia, IBM T. J. Watson Research Center
Stephen Fink, IBM T. J. Watson Research Center
Manu Sridharan, IBM T. J. Watson Research Center
Omri Weisman, IBM Software Group

www.research.ibm.com/labasec
λλ OWASP Top 10*
1. Cross-site scripting (XSS)
2. Injection flaws
3. Malicious file executions
4. Insecure direct object reference
5. Cross-site request forgery (CSRF)
6. Information leakage and improper error handling
7. Broken authentication and improper session management
8. Insecure cryptographic storage
9. Insecure communications
10. Failure to restrict URL accesses
* Open Web Application Security Project (OWASP): http://www.owasp.org
PLDI 2009 3
LaBaSec
λλ Existing Static-Analysis Solutions
- Type systems: complex, conservative, require code annotations
- Classic slicing: has not been shown to scale to large applications while maintaining sufficient accuracy
λλ Contributions of TAJ
- Hybrid thin slicing
- Sound, effective modeling of Web applications
- Bounded-analysis techniques
- Implementation, productization* and extensive evaluation

* IBM Rational AppScan: http://www.ibm.com/software/awdtools/appscan/
λλ Motivating Example*
[Figure: a servlet walked through on six successive slides, each highlighting one situation the analysis must handle: Taint Flow #1 (source to sink); Taint Flow #2 and a Sanitizer; Taint Flow #3 and a Non-tainted value; Reflection; Different Map Keys; Object Fields.]

* Inspired by Refl1 in SecuriBench Micro
λλ Outline of TAJ
Algorithm consists of 2 stages:
1. Global pointer analysis
2. Slicing based on resulting call graph
- Rich set of models
- Effective reports
- Efficient behavior under restricted budget
λλ Dimensions of Precision
- Pointer analysis is a variant of Andersen's analysis
- Custom context-sensitivity policy:
  - Unlimited-depth object sensitivity for Java collections (up to recursion)
  - One level of call-string context for factory methods
  - One level of call-string context for taint APIs
  - One-level receiver-object context sensitivity as default
- Analysis is field sensitive
- Analysis is intraprocedurally flow sensitive and interprocedurally flow insensitive (accounting for multithreaded code)
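The situations the motivating example is built from (plain flow, sanitizer, constant, reflection, map keys, object fields) and the key and field sensitivity listed above can be exercised on a toy analysis. The following Python is an added example written for this page, not TAJ's code: its statement forms, its reflection handling (a Method.invoke target is resolved only when the method name is a string constant, which is an assumption of this example) and the doGet/foo program are constructed stand-ins for the Refl1-inspired servlet. Turning key or field sensitivity off shows the two false positives an imprecise analysis would report.

```python
"""Mini taint analysis over a hand-written IR (constructed for this page; not TAJ's
implementation). Statement forms of the IR:
  ("source", dst)                 dst = request.getParameter(...)
  ("const", dst, value)           dst = "literal"
  ("sanitize", dst, src)          dst = escapeHtml(src)
  ("put", map, key, src)          map.put(key, src)     key is a string constant
  ("get", dst, map, key)          dst = map.get(key)
  ("store", obj, field, src)      obj.field = src
  ("load", dst, obj, field)       dst = obj.field
  ("reflect", name_var, args)     Method.invoke: target named by the constant in name_var
  ("sink", src, issue)            writer.println(src)
"""

# Constructed program inspired by Refl1: doGet invokes foo reflectively with the tainted parameter.
FUNCS = {
    "doGet": ([], [
        ("source", "name"),                  # flow #1: tainted request parameter ...
        ("sink", "name", "XSS"),             # ... reaches the response writer
        ("sanitize", "safe", "name"),        # flow #2: sanitizer breaks the flow
        ("sink", "safe", "XSS"),
        ("const", "greeting", "Hello"),      # flow #3: a constant is not tainted
        ("sink", "greeting", "XSS"),
        ("const", "target", "foo"),          # reflection: method name is a constant
        ("reflect", "target", ["name"]),     # Method.invoke(this, name)
        ("put", "m", "user", "name"),        # different map keys
        ("put", "m", "title", "greeting"),
        ("get", "t", "m", "title"),
        ("sink", "t", "XSS"),                # clean: reads key "title"
        ("get", "u", "m", "user"),
        ("sink", "u", "XSS"),                # tainted: reads key "user"
        ("store", "bean", "name", "name"),   # object fields
        ("store", "bean", "id", "greeting"),
        ("load", "i", "bean", "id"),
        ("sink", "i", "XSS"),                # clean: field id
        ("load", "n", "bean", "name"),
        ("sink", "n", "XSS"),                # tainted: field name
    ]),
    "foo": (["s"], [
        ("sink", "s", "XSS"),                # reached only through the reflective call
    ]),
}


def analyze(funcs, key_sensitive=True, field_sensitive=True):
    """Flow-insensitive taint propagation to a fixed point. Returns the set of
    (function, statement index, issue) triples where tainted data reaches a sink.
    With key_sensitive/field_sensitive off, all keys (fields) collapse to "*"."""
    tainted = set()     # (function, location) pairs holding request-controlled data
    consts = {}         # (function, variable) -> string constant, used to resolve reflection
    findings = set()
    key = (lambda k: k) if key_sensitive else (lambda k: "*")
    field = (lambda f: f) if field_sensitive else (lambda f: "*")

    changed = True
    while changed:
        changed = False
        for fn, (_, stmts) in funcs.items():
            for idx, st in enumerate(stmts):
                op, new = st[0], None
                if op == "source":
                    new = st[1]
                elif op == "const":
                    consts[(fn, st[1])] = st[2]
                elif op == "put" and (fn, st[3]) in tainted:
                    new = f"{st[1]}[{key(st[2])}]"
                elif op == "get" and (fn, f"{st[2]}[{key(st[3])}]") in tainted:
                    new = st[1]
                elif op == "store" and (fn, st[3]) in tainted:
                    new = f"{st[1]}.{field(st[2])}"
                elif op == "load" and (fn, f"{st[2]}.{field(st[3])}") in tainted:
                    new = st[1]
                elif op == "reflect":
                    callee = consts.get((fn, st[1]))  # resolved only for a known constant
                    if callee in funcs:
                        for param, arg in zip(funcs[callee][0], st[2]):
                            if (fn, arg) in tainted and (callee, param) not in tainted:
                                tainted.add((callee, param))
                                changed = True
                elif op == "sink" and (fn, st[1]) in tainted:
                    findings.add((fn, idx, st[2]))
                # "sanitize" yields clean data, so it never creates a tainted location
                if new is not None and (fn, new) not in tainted:
                    tainted.add((fn, new))
                    changed = True
    return findings
```

With both sensitivities on, `analyze(FUNCS)` reports the direct flow, the map read under key "user", the field read of `bean.name`, and the sink inside `foo` reached through reflection; the sanitized value, the constant, key "title" and field `bean.id` stay clean. Collapsing keys or fields to "*" adds the two spurious reports.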
λλ Hybrid System Dependence Graph
[Figure: a hybrid SDG with store statements st1..st5, load statements l1..l5, call statements c1..c5, return statements r1..r8, sink-dispatch statements sk1 and sk2, and other statements s1 and s2; the slice in the no-heap SDG is highlighted.]
Legend:
- sti: store statement
- li: load statement
- ski: sink-dispatch statement
- ci: call statement
- ri: return statement
- si: other statement
Edge kinds:
- No-heap SDG edge
- Store-to-load direct edge: computed based on preliminary pointer analysis
- Load-to-store or load-to-sink summary edge: computed using graph reachability over a no-heap SDG
Flows are equivalent iff:
- Parts under application code coincide
- Sinks correspond to the same issue type
Dramatically improves user experience (on JBoard, 25x fewer reports)
Sound, minimal with respect to remediation
[Figure: flows from application nodes through library nodes n1..n11 ending in sinks with the same issue type; the flows share the same application part.]
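The two slides above (the hybrid SDG with its store-to-load edges, and the equivalence of flows that share an application part and an issue type) can be put together in a few dozen lines. The following Python is an added example for this page, not the paper's implementation: the node names, the servlet statements they stand for, the points-to sets and the edge lists are all constructed, and summary edges are left out since the graph has no recursion to summarize.

```python
from collections import defaultdict

# Constructed hybrid SDG for a small servlet (not one of the paper's figures).
# Node -> (owner, kind, issue type for sinks). "app" nodes are what a user can change.
NODES = {
    "s1":  ("app", "source", None),   # name = request.getParameter("name")
    "c1":  ("app", "call",   None),   # out.println(name)
    "p1":  ("lib", "other",  None),   # PrintWriter.println(Object): s = String.valueOf(x)
    "p2":  ("lib", "other",  None),   # PrintWriter.write(String)
    "sk1": ("lib", "sink",   "XSS"),  # low-level character write
    "p3":  ("lib", "other",  None),   # PrintWriter.write(char[])
    "sk2": ("lib", "sink",   "XSS"),  # low-level character write
    "st1": ("app", "store",  None),   # user.name = name       writes field "name" of o1
    "st2": ("app", "store",  None),   # guest.name = "guest"   writes field "name" of o2
    "l1":  ("app", "load",   None),   # q = u.name             u may point to o1 or o2
    "c2":  ("app", "call",   None),   # stmt.executeQuery(q)
    "sk3": ("lib", "sink",   "SQLi"),
}

# No-heap SDG edges: data and parameter dependences that do not pass through the heap.
NOHEAP_EDGES = [("s1", "c1"), ("c1", "p1"), ("p1", "p2"), ("p2", "sk1"),
                ("p1", "p3"), ("p3", "sk2"), ("s1", "st1"), ("l1", "c2"), ("c2", "sk3")]

# Heap accesses with the points-to sets of their base objects (constructed output of
# the preliminary pointer analysis).
STORES = {"st1": ("name", {"o1"}), "st2": ("name", {"o2"})}
LOADS = {"l1": ("name", {"o1", "o2"})}


def store_to_load_edges(stores, loads):
    """Direct store-to-load edges: a store may feed a load of the same field whenever
    the base objects may alias, i.e. the points-to sets intersect."""
    return {(s, l) for s, (f, objs) in stores.items()
            for l, (g, objs2) in loads.items() if f == g and objs & objs2}


def taint_flows(nodes, noheap_edges, stores, loads):
    """Thin slice: every source-to-sink path over no-heap edges plus store-to-load
    edges. Base-pointer and control dependences are not followed, which is what keeps
    the slice thin."""
    succ = defaultdict(list)
    for a, b in list(noheap_edges) + sorted(store_to_load_edges(stores, loads)):
        succ[a].append(b)
    flows = []

    def walk(path):
        n = path[-1]
        if nodes[n][1] == "sink":
            flows.append(tuple(path))
            return
        for t in succ[n]:
            if t not in path:          # guard against cycles in larger graphs
                walk(path + [t])

    for n, (_, kind, _) in nodes.items():
        if kind == "source":
            walk([n])
    return flows


def group_reports(nodes, flows):
    """Report once per equivalence class: flows whose application-code parts coincide
    and whose sinks carry the same issue type need the same remediation."""
    groups = defaultdict(list)
    for flow in flows:
        app_part = tuple(n for n in flow if nodes[n][0] == "app")
        groups[(app_part, nodes[flow[-1]][2])].append(flow)
    return dict(groups)
```

The pointer analysis yields two store-to-load edges into `l1` because `u` may point to either object; only the one from `st1` carries taint. The slice finds three flows, but the two XSS flows diverge only inside `PrintWriter`, so they collapse into one report while the SQL-injection flow stays separate.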
λλ Priority-driven Call-graph Construction
- Priority queue used to govern call-graph growth
- Sources are assigned priority 0 (most important)
- Recursively, for each "neighbor" t of node n: priority(t) = min{priority(n) + 1, priority(t)}
- Propagate priorities to fixed point
- "Locality-of-taint" principle
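The priority rule above, run under a budget, as an added Python example for this page (not TAJ's code). The call-edge table standing in for call-site resolution, the entry point and the budget are constructed; "neighbor" is read here as the undirected call relation, so a newly found source lowers the priority of its callers and of their other callees, which is an assumption of this example. Expansion always takes the queued method with the lowest priority, so with a small budget the start-up code far from any source is left unexpanded.

```python
import heapq
import itertools
from collections import defaultdict

# Constructed example: the call edges the analysis would discover if it resolved every
# call site (an oracle standing in for call-site resolution). Not TAJ's code.
CALLS = {
    "doGet": ["handle", "init"],
    "handle": ["readParam", "render"],
    "readParam": ["getParameter"],        # getParameter is the taint-source API
    "render": ["escape", "println"],
    "init": ["loadConfig", "warmCache"],  # start-up work far from any source
    "loadConfig": ["parseYaml"],
    "warmCache": ["fetchAll"],
    "getParameter": [], "escape": [], "println": [], "parseYaml": [], "fetchAll": [],
}
SOURCES = {"getParameter"}


def propagate(priority, neighbors, start):
    """Relax priority(t) = min(priority(t), priority(n) + 1) over the discovered
    (undirected) neighbor relation to a fixed point; returns the nodes whose
    priority dropped."""
    work, changed = [start], []
    while work:
        n = work.pop()
        for t in neighbors[n]:
            if priority[n] + 1 < priority[t]:
                priority[t] = priority[n] + 1
                changed.append(t)
                work.append(t)
    return changed


def build_call_graph(calls, entries, sources, budget):
    """Grow the call graph from the entry points, always resolving the call sites of
    the queued method with the lowest priority (closest to a known source), and stop
    after `budget` methods have been expanded. Returns the expansion order, the
    discovered call edges and the final priorities (inf = never reached by a source)."""
    inf = float("inf")
    priority = {m: (0 if m in sources else inf) for m in calls}
    neighbors = defaultdict(set)
    edges, done, expanded = set(), set(), []
    order = itertools.count()         # tie-breaker so the heap never compares names
    heap = []

    def push(m):
        heapq.heappush(heap, (priority[m], next(order), m))

    for e in entries:
        push(e)
    while heap and len(expanded) < budget:
        _, _, m = heapq.heappop(heap)
        if m in done:                 # stale entry left behind by a priority decrease
            continue
        done.add(m)
        expanded.append(m)
        for t in calls.get(m, []):
            priority.setdefault(t, inf)
            edges.add((m, t))
            neighbors[m].add(t)
            neighbors[t].add(m)
            for n in (m, t):          # a newly discovered source pulls its neighborhood forward
                for moved in propagate(priority, neighbors, n):
                    if moved not in done:
                        push(moved)   # re-queue with the lower priority
            if t not in done:
                push(t)
    return expanded, edges, priority
```

With a budget of 6, `build_call_graph(CALLS, ["doGet"], SOURCES, 6)` expands `doGet`, `handle`, `init` and `readParam` blindly, finds `getParameter` (priority 0), and then prefers `render` (priority 3) over `loadConfig` and `warmCache` (priority 5), which never get expanded; a large enough budget expands everything.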