
Taint Trace Analysis for Java Web Applications
Taint trace analysis is crucial in identifying and mitigating security vulnerabilities in Java web applications. By tracking taint flows and unifying information-flow and points-to analysis, developers can enhance their security posture and prevent exploits such as Injection and Cross-Site Scripting. This article covers taint analysis, points-to analysis, Datalog, and provides insights into identifying security vulnerabilities in Java web applications.
Presentation Transcript
Taint Trace Analysis For Java Web Applications
1. Motivation 1. Security vulnerabilities, which are software bugs exploitable by attackers, have been long-standing challenges in software security and cyber security. 2. Among the notorious top security risks published by OWASP, Injection and Cross-Site Scripting (XSS) are usually triggered by crafted user input strings that are propagated through a web application to reach their victims without sanitization.
2. Taint Analysis 1. Taint analysis is an indispensable weapon in our combat against security vulnerabilities in system software, network software, and mobile applications. 2. Taint analysis aims to track taint flows in web applications, but the existing tools report only the taint sources with their corresponding taint sinks, which does not reveal all the details that would guide a developer to identify or locate security vulnerabilities with ease.
Traditional definition (Sink, Source)
<securibench.micro.basic.Basic7: void doGet(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>/javax.servlet.http.HttpServletRequest.getParameter/0 (Source)
<securibench.micro.basic.Basic7: void doGet(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>/java.io.PrintWriter.println/0 (Sink)
3. Points-to analysis 1. Points-to analysis is a fundamental static program analysis that computes which abstract objects a program expression may point to. 2. In our analysis we unify information-flow analysis and points-to analysis.
VarPointsTo example
<securibench.micro.basic.Basic7: void doGet(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>/new java.lang.StringBuffer/0
<securibench.micro.basic.Basic7: void doGet(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>/buf#_38
4. Datalog 1. Datalog is a declarative logic programming language that is syntactically a subset of Prolog. It is often used as a query language for deductive databases. In recent years, Datalog has found new applications in data integration, information extraction, networking, program analysis, security, cloud computing and machine learning.
Datalog definition
These two lines define two facts:
parent(xerces, brooke).
parent(brooke, damocles).
meaning: xerces is a parent of brooke and brooke is a parent of damocles.
ancestor(X, Y) :- parent(X, Y).
ancestor(X, Y) :- parent(X, Z), ancestor(Z, Y).
meaning: X is an ancestor of Y if X is a parent of Y. X is an ancestor of Y if X is a parent of some Z, and Z is an ancestor of Y.
Build Datalog relations from a Java program 1. Soot extracts .facts files from the Java bytecode of the program under analysis. 2. Doop uses Soufflé (a logic programming language inspired by Datalog) to read the .facts files and build the corresponding relations.
Build Datalog relations from a Java program
.decl _Var_Type(?var:Var, ?type:Type)
.input _Var_Type(filename="Var-Type.facts")
isVar(?var), isType(?type), Var_Type(?var, ?type) :-   // Then we can use the isVar, isType
    _Var_Type(?var, ?type).                             // and Var_Type relations
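To make the two Datalog slides concrete, here is an added example (not from the slides, Doop or Soufflé) of what `.input` and bottom-up rule evaluation actually do: a tiny evaluator that reads tab-separated fact text the way Soufflé reads a `.facts` file, then iterates rules to a fixpoint. It runs the slide's parent/ancestor program and the `Var-Type.facts` import above. The fact contents, the `doGet/...` variable names and the evaluator itself are constructed for this example; Doop's real rules are far larger and Soufflé compiles them rather than interpreting them.

```python
import io
from collections import defaultdict

# Constructed inputs: what a Souffle .facts file looks like (tab-separated,
# one tuple per line, no header). These mirror the slide's parent facts and
# the Var-Type.facts input; they are not real Doop output.
PARENT_FACTS = "xerces\tbrooke\nbrooke\tdamocles\n"
VAR_TYPE_FACTS = (
    "doGet/buf#_38\tjava.lang.StringBuffer\n"
    "doGet/req\tjavax.servlet.http.HttpServletRequest\n"
)

def load_facts(text):
    """Parse .facts content into a set of tuples (the job of `.input R(filename=...)`)."""
    facts = set()
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line:
            facts.add(tuple(line.split("\t")))
    return facts

def is_variable(term):
    # Prolog-style uppercase names (X, Y) and Doop-style `?var` names are variables;
    # anything else appearing in a rule is a constant.
    return term[0].isupper() or term.startswith("?")

class Program:
    """A minimal bottom-up Datalog evaluator: relations are sets of tuples,
    rules are (head, body) pairs of atoms, and an atom is (relation, [terms])."""

    def __init__(self):
        self.rels = defaultdict(set)
        self.rules = []

    def add_facts(self, name, facts):
        self.rels[name] |= facts

    def add_rule(self, head, *body):
        self.rules.append((head, list(body)))

    def _match(self, atoms, binding):
        """Yield every variable binding that satisfies all body atoms (nested-loop join)."""
        if not atoms:
            yield dict(binding)
            return
        name, terms = atoms[0]
        for tup in self.rels[name]:
            b = dict(binding)
            for term, value in zip(terms, tup):
                if is_variable(term):
                    if b.setdefault(term, value) != value:
                        break          # variable already bound to something else
                elif term != value:
                    break              # constant does not match this tuple
            else:
                yield from self._match(atoms[1:], b)

    def evaluate(self):
        """Naive fixpoint iteration: re-run every rule until no relation grows."""
        changed = True
        while changed:
            changed = False
            for (hname, hterms), body in self.rules:
                for b in list(self._match(body, {})):
                    derived = tuple(b.get(t, t) for t in hterms)
                    if derived not in self.rels[hname]:
                        self.rels[hname].add(derived)
                        changed = True
        return self.rels

def ancestors():
    """The slide's parent/ancestor program: transitive closure via two rules."""
    p = Program()
    p.add_facts("parent", load_facts(PARENT_FACTS))
    p.add_rule(("ancestor", ["X", "Y"]), ("parent", ["X", "Y"]))
    p.add_rule(("ancestor", ["X", "Y"]), ("parent", ["X", "Z"]), ("ancestor", ["Z", "Y"]))
    return p.evaluate()["ancestor"]

def var_types():
    """The slide's Var-Type.facts import: the multi-head Souffle rule becomes three rules."""
    p = Program()
    p.add_facts("_Var_Type", load_facts(VAR_TYPE_FACTS))
    body = ("_Var_Type", ["?var", "?type"])
    p.add_rule(("isVar", ["?var"]), body)
    p.add_rule(("isType", ["?type"]), body)
    p.add_rule(("Var_Type", ["?var", "?type"]), body)
    rels = p.evaluate()
    return rels["isVar"], rels["isType"], rels["Var_Type"]

if __name__ == "__main__":
    for x, y in sorted(ancestors()):
        print(f"ancestor({x}, {y}).")
    is_var, is_type, var_type = var_types()
    print(len(is_var), "vars,", len(is_type), "types,", len(var_type), "Var_Type tuples")
```

The recursive `ancestor` rule is the same shape as every reachability rule in a points-to or taint analysis (a value flows to Y if it flows to some Z and Z flows to Y), which is why Datalog engines fit this kind of program analysis so naturally.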
6. Principle: context sensitivity is 2-object-sensitive with heap context.
Principle: Link rule. The list of C is the final output list shown in the toy example above.
Experiment Results 1. We achieve 87% precision and 94% recall, with a 90% F1 score. This shows that TTA produces an acceptable result for the current benchmark suite. 2. From the table, one may find that our trace generation algorithm adds only a small amount of run-time overhead (less than 38%) to the original algorithm.
8. Conclusion 1. We have introduced an extension of the context-sensitive taint analysis for Java (P/Taint), called Taint Trace Analysis (TTA). 2. In contrast to most existing taint analysis works, the taint traces produced by TTA provide more useful information for the detection and tracking of security vulnerabilities in Java web applications.
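The link rule and the conclusion both turn on the same idea: instead of reporting only the (source, sink) pair of the traditional definition, link each propagation step so the output is the whole chain. The following added example (not TTA's or P/Taint's code) shows that difference on constructed facts loosely modelled on the Basic7 servlet named earlier. The `s1`/`s2`/`s3` variables and the `Assign`/`Store`/`Load` relations are simplifications invented for this example; the abstract object and `buf#_38` labels follow the slide's VarPointsTo example.

```python
from collections import defaultdict, deque

# Constructed facts (not from the slides, P/Taint or Doop): a request parameter
# is appended to a StringBuffer whose contents later reach println. Variable
# names s1/s2/s3 and the Assign/Store/Load relations are simplifications.
DOGET = ("<securibench.micro.basic.Basic7: void doGet("
         "javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)>")
S1, S2, S3 = DOGET + "/s1", DOGET + "/s2", DOGET + "/s3"
BUF = DOGET + "/buf#_38"
HEAP = DOGET + "/new java.lang.StringBuffer/0"
SOURCE_API = DOGET + "/javax.servlet.http.HttpServletRequest.getParameter/0"
SINK_API = DOGET + "/java.io.PrintWriter.println/0"

FACTS = {
    "TaintSource": {(S1, SOURCE_API)},    # s1 = req.getParameter(...)
    "Assign":      {(S2, S1)},            # s2 = s1
    "VarPointsTo": {(BUF, HEAP)},         # buf -> new StringBuffer (points-to result)
    "Store":       {(BUF, S2)},           # buf.append(s2): value flows into the object
    "Load":        {(S3, BUF)},           # s3 = buf.toString(): value flows back out
    "TaintSink":   {(S3, SINK_API)},      # out.println(s3)
}

def build_flow_graph(facts):
    """Edges along which a tainted value propagates. Store/Load edges go through
    the abstract heap object, which is where the points-to result is needed:
    without VarPointsTo the analysis could not connect buf.append to buf.toString."""
    pts = defaultdict(set)
    for var, heap in facts["VarPointsTo"]:
        pts[var].add(heap)
    succ = defaultdict(list)
    for to, frm in facts["Assign"]:
        succ[frm].append((to, "assign"))
    for base, frm in facts["Store"]:
        for heap in pts[base]:
            succ[frm].append((heap, "store"))
    for to, base in facts["Load"]:
        for heap in pts[base]:
            succ[heap].append((to, "load"))
    return succ

def taint_traces(facts):
    """BFS from every source variable, recording predecessors so that when a
    sink variable is reached the whole source-to-sink chain can be rebuilt."""
    succ = build_flow_graph(facts)
    sinks = dict(facts["TaintSink"])
    traces = []
    for src_var, src_api in facts["TaintSource"]:
        pred = {src_var: None}
        queue = deque([src_var])
        while queue:
            node = queue.popleft()
            if node in sinks:
                steps, n = [], node
                while pred[n] is not None:       # walk predecessor links back to the source
                    prev, how = pred[n]
                    steps.append((prev, how, n))
                    n = prev
                steps.reverse()
                traces.append({"source": src_api, "sink": sinks[node], "steps": steps})
            for nxt, how in succ[node]:
                if nxt not in pred:
                    pred[nxt] = (node, how)
                    queue.append(nxt)
    return traces

def traditional_report(traces):
    """What a (source, sink)-only tool reports: the pair, with the path discarded."""
    return {(t["source"], t["sink"]) for t in traces}

def format_trace(trace):
    lines = [f"source: {trace['source']}"]
    lines += [f"  {frm}  --{how}-->  {to}" for frm, how, to in trace["steps"]]
    lines.append(f"sink:   {trace['sink']}")
    return "\n".join(lines)

if __name__ == "__main__":
    for t in taint_traces(FACTS):
        print(format_trace(t))
```

The extra cost of the trace is only the predecessor map kept during the search, which is consistent with the slides' observation that trace generation adds modest overhead on top of the underlying analysis; the benefit is that the developer sees exactly which assignment, which heap object and which load carried the tainted string to the sink.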
9. Future work In the future, we will extend the existing work to analyze Android apps, and we also plan to further optimize our algorithm to achieve higher precision and a quicker visualization procedure.