DOCSLIB.ORG

Techniques and Tools for Engineering Secure Web Applications

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Techniques and Tools for Engineering Secure Web Applications Gary Michael Wassermann September 2008 Computer Science Techniques and Tools for Engineering Secure Web Applications Abstract With the rise of the Internet, web applications, such as online banking and web-based email, have become integral to many people’s daily lives. Web applications have brought with them new classes of computer security vulnerabilities, such as SQL injection and cross-site scripting (XSS), that in recent years have exceeded previously prominent vulner- ability classes, such as buffer overflows, in both reports of new vulnerabilities and reports of exploits. SQL injection and XSS are both instances of the broader class of input validation- based vulnerabilities. At their core, both involve one system receiving, transforming, and constructing string values, some of which come from untrusted sources, and presenting those values to another system that interprets them as programs or program fragments. These input validation-based vulnerabilities therefore require fundamentally new techniques to characterize and mitigate them. This dissertation addresses input validation-based vulnerabilities that arise in the con- text of web applications, or more generally, in the context of metaprogramming. This dissertation provides the first principled characteriztion, based on concepts from program- ming languages and compilers, for such vulnerabilities, with formal definitions for SQL injection and XSS in particular. Building on this characterization, the dissertation also contributes practical algorithms for runtime protection, static analysis, and testing-based analysis of web applications to identify vulnerabilities in application code and prevent at- tackers from exploiting them. This dissertation additionally reports on implementations of these algorithms, showing them to be effective for their respective settings. They have low runtime overhead, validate the definitions, scale to large code bases, have low false-positive rates, handle real-world application code, and find previously unreported vulnerabilities. Techniques and Tools for Engineering Secure Web Applications By Gary Michael Wassermann B.S. (University of California, Davis) 2002 DISSERTATION Submitted in partial satisfaction of the requirements for the degree of DOCTOR OF PHILOSOPHY in COMPUTER SCIENCE in the OFFICE OF GRADUATE STUDIES of the UNIVERSITY OF CALIFORNIA DAVIS Approved: Professor Zhendong Su (Chair) Professor Premkumar T. Devanbu Professor Ronald Olsson Committee in Charge 2008 i c Gary Wassermann, 2008. All rights reserved. To my Lord and Savior, Jesus Christ and to my wife, Jaci, who has been a help and a joy to me. ii iii Contents 1 Introduction 1 1.1 WebApplications................................. 1 1.2 Input Validation-Based Vulnerabilities . ......... 2 1.3 CommonDefenses ................................ 6 1.4 DissertationStructure . ... 7 2 SQL Injection: Characterization and Runtime Checking 9 2.1 Introduction.................................... 9 2.2 OverviewofApproach .............................. 11 2.3 FormalDescriptions .............................. 14 2.3.1 Problem Formalization . 14 2.3.2 Algorithm for Runtime Enforcement . 18 2.3.3 CorrectnessandComplexity. 22 2.4 Applications.................................... 23 2.4.1 CrossSiteScripting ........................... 23 2.4.2 XPathInjection ............................. 24 2.4.3 ShellInjection .............................. 25 2.5 Implementation.................................. 25 2.6 Evaluation..................................... 26 2.6.1 EvaluationSetup............................. 27 2.6.2 Results .................................. 29 2.6.3 Discussions ................................ 30 2.7 RelatedWork................................... 31 2.7.1 InputFilteringTechniques. 31 2.7.2 Syntactic Structure Enforcement . 31 2.7.3 RuntimeEnforcement . .. .. .. .. .. .. .. 32 2.7.4 Meta-Programming............................ 34 3 Static Analysis for SQL Injection 36 3.1 Introduction.................................... 36 3.2 Overview ..................................... 38 3.2.1 ExampleVulnerability . 38 3.2.2 AnalysisOverview ............................ 40 3.3 AnalysisAlgorithm............................... 42 3.3.1 String-TaintAnalysis . 42 3.3.2 Policy-Conformance Analysis . 48 3.3.3 Soundness................................. 51 3.4 Implementation.................................. 51 3.5 Evaluation..................................... 52 3.5.1 TestSubjects ............................... 53 3.5.2 AccuracyandBugReports . 54 3.5.3 Scalability and Performance . 55 3.6 RelatedWork................................... 57 3.6.1 StaticStringAnalysis . 57 3.6.2 StaticTaintChecking .......................... 58 4 Static Analysis for Detecting XSS Vulnerabilities 60 4.1 CausesofXSSVulnerabilities . 60 4.2 Overview ..................................... 62 4.2.1 CurrentPractice ............................. 62 4.2.2 OurApproach .............................. 62 4.2.3 RunningExample ............................ 64 4.3 AnalysisAlgorithm............................... 64 4.3.1 String-taintAnalysis . 65 4.3.2 Preventing Untrusted Script . 67 4.4 EmpiricalEvaluation. 71 4.4.1 Implementation.............................. 71 4.4.2 TestSubjects ............................... 71 4.4.3 EvaluationResults ............................ 73 4.4.4 CurrentLimitations ........................... 78 4.5 RelatedWork................................... 79 4.5.1 Server-Side Validation . 79 4.5.2 Client-Side Mitigation . 80 5 Concolic Testing of Web Applications 83 5.1 Introduction.................................... 83 5.2 Overview ..................................... 86 5.2.1 ExampleCode .............................. 87 5.2.2 ConstraintGeneration . 87 5.2.3 ConstraintResolution . 89 5.2.4 TestOracles................................ 90 5.2.5 Selective Constraint Generation . 92 5.3 Algorithm..................................... 93 5.4 Evaluation..................................... 101 5.4.1 Implementation.............................. 101 5.4.2 TestSubjects ............................... 102 5.4.3 Evaluation ................................ 104 5.5 Limitations .................................... 106 5.6 RelatedWork................................... 107 iv 5.6.1 TestInputGeneration . 107 5.6.2 Web Application Testing . 108 5.6.3 Static Analysis of PHP Web Applications . 108 6 Conclusion 110 6.1 Summary ..................................... 110 6.2 ExtensionsandEnhancements . 112 6.3 Outlook ...................................... 113 v vi List of Figures 1.1 Web application system architecture. ....... 2 1.2 Recent vulnerability and attack numbers. ....... 3 1.3 Resultsofrecentattacks. ... 4 2.1 A JSP page for retrieving credit card numbers. ....... 11 2.2 System architecture of SqlCheck........................ 13 2.3 Parse trees for generated queries. ...... 16 2.4 Simplified grammar for the SELECT statement.................. 20 2.5 Exampleaugmentedgrammar. 21 2.6 Parse tree fragments for an augmented query. ....... 21 3.1 ExamplecodewithanSQLCIV. 39 3.2 SQLCIVanalysisworkflow. 40 3.3 Exampleintermediategrammar. 41 3.4 Grammarreflectsdataflow. 43 3.5 Examplefinitestatetransducer.. ..... 44 3.6 Taint propagation in CFG-FSA intersection. ........ 46 3.7 Semantics of explode............................... 47 3.8 Sourceofafalsepositive. 53 3.9 Source of an indirect errorreport......................... 54 4.1 VulnerablePHPcode. .............................. 63 4.2 CodeinSSAform. ................................ 65 4.3 ProductionsforextendedCFG. 65 4.4 Example intermediate grammar for XSS analysis. ........ 66 4.5 Clientarchitecture.. 68 4.6 Transducerwithuntrusteddata. 70 4.7 A vulnerability in Claroline 1.5.3. ....... 75 5.1 ExamplePHPcode. ............................... 86 5.2 A transducer for concatenation. ..... 89 5.3 An automaton and its image over a transducer. ...... 89 5.4 Expressionlanguage. .. .. .. .. .. .. .. .. 93 5.5 Algorithm to construct sets of single variable-occurrence expressions. 94 5.6 Constraintlanguage. .. .. .. .. .. .. .. .. 95 5.7 Type conversion from Boolean in PHP. 97 5.8 Algorithm for converting arbitrary constraints to Boolean constraints. 97 5.9 FSA image and construction and inversion. ...... 98 5.10 Algorithm to solve for variables. ...... 99 5.11 InputhandlingcodeinMantis. 102 5.12 InputhandlingcodeinMambo. 103 vii viii List of Tables 2.1 Subject programs used in our empirical evaluation. .......... 27 2.2 Precision and timing results for SqlCheck................... 29 3.1 Resourceusagefromevaluation.. ..... 52 3.2 Evaluationresults. .............................. 53 4.1 Statisticsonsubjects’files. ..... 71 4.2 File and memory results for test subjects. ....... 72 4.3 Timingresultsfortestsubjects.. ...... 72 4.4 Bugreports..................................... 74 4.5 Analysis results for input validation functions. ............ 75 4.6 Explanation of vulnerabilities. ....... 77 5.1 Tracelogfiledata. ................................ 104 5.2 Iterations to find an injection vulnerability. .......... 105 Abstract With the rise of the Internet, web applications, such as online banking and web-based email, have become integral to many people’s daily lives. Web applications have brought with them new classes of computer security vulnerabilities, such as SQL injection and cross-site scripting (XSS), that in recent years have exceeded previously prominent vulner- ability classes, such as buffer overflows, in both reports of new vulnerabilities and reports of exploits. SQL injection and XSS
Load more

Recommended publications
  • Lecture Notes on Language-Based Security
    Lecture Notes on Language-Based Security Erik Poll Radboud University Nijmegen Updated September 2019 These lecture notes discuss language-based security, which is the term loosely used for the collection of features and mechanisms that a programming language can provide to help in building secure applications. These features include: memory safety and typing, as offered by so-called safe pro- gramming languages; language mechanisms to enforce various forms of access con- trol (such as sandboxing), similar to access control traditionally offered by operating systems; mechanisms that go beyond what typical operating systems do, such as information flow control. Contents 1 Introduction 4 2 Operating system based security 7 2.1 Operating system abstractions and access control . .7 2.2 Imperfections in abstractions . 10 2.3 What goes wrong . 10 3 Safe programming languages 12 3.1 Safety & (un)definedness . 13 3.1.1 Safety and security . 14 3.2 Memory safety . 15 3.2.1 Ensuring memory safety . 15 3.2.2 Memory safety and undefinedness . 16 3.2.3 Stronger notions of memory safety . 16 3.3 Type safety . 17 3.3.1 Expressivity . 18 3.3.2 Breaking type safety . 18 3.3.3 Ensuring type safety . 19 3.4 Other notions of safety . 19 3.4.1 Safety concerns in low-level languages . 20 3.4.2 Safe arithmetic . 20 3.4.3 Thread safety . 21 3.5 Other language-level guarantees . 22 3.5.1 Visibility . 22 3.5.2 Constant values and immutable data structures . 23 4 Language-based access control 26 4.1 Language platforms .
    [Show full text]
  • Detecting PHP-Based Cross-Site Scripting Vulnerabilities Using Static Program Analysis
    Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Cyber Security by Steven M. Kelbley B.S. Biological Sciences, Wright State University, 2012 2016 Wright State University i WRIGHT STATE UNIVERSITY GRADUATE SCHOOL December 1, 2016 I HEREBY RECOMMEND THAT THE THESIS PREPARED UNDER MY SUPERVISION BY Steven M. Kelbley ENTITLED Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis BE ACCEPTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF Master of Science in Cyber Security. _________________________________ Junjie Zhang, Ph.D. Thesis Director _________________________________ Mateen Rizki, Ph.D. Chair, Department of Computer Science and Engineering Committee on Final Examination _________________________________ Junjie Zhang, Ph.D. _________________________________ Krishnaprasad Thirunarayan, Ph.D. _________________________________ Adam Bryant, Ph.D. _________________________________ Robert E. W. Fyffe, Ph.D. Vice President for Research and Dean of the Graduate School ABSTRACT Kelbley, Steven. M.S. Cyber Security, Department of Computer Science, Wright State University, 2016. Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis. With the widespread adoption of dynamic web applications in recent years, a number of threats to the security of these applications have emerged as significant challenges for application developers. The security of developed applications has become a higher pri- ority for both developers and their employers as cyber attacks become increasingly more prevalent and damaging. Some of the most used web application frameworks are written in PHP and have be- come major targets due to the large number of servers running these applications world- wide.
    [Show full text]
  • Experiences with Building Security Checking and Understanding Tool
    RC24243 (W0704-095) April 18, 2007 Computer Science IBM Research Report Experiences with Building Security Checking and Understanding Tool Ted Habeck, Larry Koved, Orlando Marquez, Vugranam C. Sreedhar, Michael Steiner, Wietse Venema, Samuel Weber IBM Research Division Thomas J. Watson Research Center P.O. Box 704 Yorktown Heights, NY 10598 Gabriela Cretu Columbia University New York, NY 10027 Krishnaprasad Vikram Cornell University Ithaca, NY 14850 Research Division Almaden - Austin - Beijing - Haifa - India - T. J. Watson - Tokyo - Zurich LIMITED DISTRIBUTION NOTICE: This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g. , payment of royalties). Copies may be requested from IBM T. J. Watson Research Center , P. O. Box 218, Yorktown Heights, NY 10598 USA (email: [email protected]). Some reports are available on the internet at http://domino.watson.ibm.com/library/CyberDig.nsf/home . Experiences With Building Security Checking and Understanding Tool Ted Habeck Vugranam C. Sreedhar Gabriela Cretu ∗ Larry Koved Michael Steiner Columbia University Orlando Marquez Wietse Venema New York, NY 10027 IBM TJ Watson Research Center Samuel Weber [email protected] Hawthrone, NY 10532 IBM TJ Watson Research Center {habeck,koved,omarquez}@us.ibm.com Hawthrone, NY 10532 {vugranam,msteiner,wietse}@us.ibm.com, [email protected] Krishnaprasad Vikram∗ Cornell University Ithaca, NY 14850 [email protected] Abstract tive assistance to this large and growing community.
    [Show full text]
  • Secure Programming for Linux and Unix HOWTO
    Secure Programming for Linux and Unix HOWTO David A. Wheeler v3.010 Edition Copyright © 1999, 2000, 2001, 2002, 2003 David A. Wheeler v3.010, 3 March 2003 This book provides a set of design and implementation guidelines for writing secure programs for Linux and Unix systems. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, PHP, Python, Tcl, and Ada95 are included. For a current version of the book, see http://www.dwheeler.com/secure−programs This book is Copyright (C) 1999−2003 David A. Wheeler. Permission is granted to copy, distribute and/or modify this book under the terms of the GNU Free Documentation License (GFDL), Version 1.1 or any later version published by the Free Software Foundation; with the invariant sections being ``About the Author'', with no Front−Cover Texts, and no Back−Cover texts. A copy of the license is included in the section entitled "GNU Free Documentation License". This book is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Secure Programming for Linux and Unix HOWTO Table of Contents Chapter 1. Introduction......................................................................................................................................1 Chapter 2. Background......................................................................................................................................4
    [Show full text]
  • Detecting PHP-Based Cross-Site Scripting Vulnerabilities Using Static Program Analysis
    Wright State University CORE Scholar Browse all Theses and Dissertations Theses and Dissertations 2016 Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis Steven M. Kelbley Wright State University Follow this and additional works at: https://corescholar.libraries.wright.edu/etd_all Part of the Computer Engineering Commons, and the Computer Sciences Commons Repository Citation Kelbley, Steven M., "Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis" (2016). Browse all Theses and Dissertations. 1655. https://corescholar.libraries.wright.edu/etd_all/1655 This Thesis is brought to you for free and open access by the Theses and Dissertations at CORE Scholar. It has been accepted for inclusion in Browse all Theses and Dissertations by an authorized administrator of CORE Scholar. For more information, please contact [email protected]. Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Cyber Security by Steven M. Kelbley B.S. Biological Sciences, Wright State University, 2012 2016 Wright State University i WRIGHT STATE UNIVERSITY GRADUATE SCHOOL December 1, 2016 I HEREBY RECOMMEND THAT THE THESIS PREPARED UNDER MY SUPERVISION BY Steven M. Kelbley ENTITLED Detecting PHP-based Cross-Site Scripting Vulnerabilities Using Static Program Analysis BE ACCEPTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF Master of Science in Cyber Security. _________________________________ Junjie Zhang, Ph.D. Thesis Director _________________________________ Mateen Rizki, Ph.D. Chair, Department of Computer Science and Engineering Committee on Final Examination _________________________________ Junjie Zhang, Ph.D. _________________________________ Krishnaprasad Thirunarayan, Ph.D.
    [Show full text]
  • Untangling the Web of Client-Side Cross-Site Scripting
    Untangling the Web of Client-Side Cross-Site Scripting Untersuchungen zu Client-seitigem Cross-Site Scripting Der Technischen Fakultät der Friedrich-Alexander-Universität Erlangen-Nürnberg zur Erlangung des Grades DOKTOR-INGENIEUR vorgelegt von Benjamin Stock aus Mainz Als Dissertation genehmigt von der Technischen Fakultät der Friedrich-Alexander-Universität Erlangen-Nürnberg Tag der mündlichen Prüfung: 31.08.2015 Vorsitzende des Promotionsorgans: Prof. Dr.-Ing. habil. Marion Merklein Gutachter: Prof. Dr.-Ing. Felix Freiling Prof. Dr. Michael Backes Abstract The Web’s functionality has shifted from purely server-side code to rich client-side applications, which allow the user to interact with a site without the need for a full page load. While server-side attacks, such as SQL or command injection, still pose a threat, this change in the Web’s model also increases the impact of vulnerabilities aiming at exploiting the client. The most prominent representative of such client- side attacks is Cross-Site Scripting, where the attacker’s goal is to inject code of his choosing into the application, which is subsequently executed by the victimized browsers in the context of the vulnerable site. This thesis provides insights into different aspects of Cross-Site Scripting. First, we show that the concept of password managers, which aim to allow users to choose more secure passwords and, thus, increase the overall security of user accounts, is susceptible to attacks which abuse Cross-Site Scripting flaws. In our analysis, we found that almost all built-in password managers can be leveraged by a Cross-Site Scripting attacker to steal stored credentials. Based on our observations, we present a secure concept for password managers, which does not insert password data into the document such that it is accessible from the injected JavaScript code.
    [Show full text]
  • Designing Security Architecture Solutions
    TEAMFLY Team-Fly® Designing Security Architecture Solutions Jay Ramachandran Wiley Computer Publishing John Wiley & Sons, Inc. Designing Security Architecture Solutions Designing Security Architecture Solutions Jay Ramachandran Wiley Computer Publishing John Wiley & Sons, Inc. Publisher: Robert Ipsen Editor: Carol Long Managing Editor: Micheline Frederick Developmental Editor: Adaobi Obi Text Design & Composition: D&G Limited, LLC Designations used by companies to distinguish their products are often claimed as trademarks. In all instances where John Wiley & Sons, Inc., is aware of a claim, the product names appear in initial capital or ALL CAPITAL LETTERS. Readers, however, should contact the appropriate companies for more complete information regarding trademarks and registration. This book is printed on acid-free paper. Copyright © 2002 by Jay Ramachandran. All rights reserved. Published by John Wiley & Sons, Inc. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authoriza- tion through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-6011, fax (212) 850-6008, E-Mail: PERMREQ @ WILEY.COM. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered.
    [Show full text]
  • Comparing Selected Criteria of Programming Languages Java, PHP, C++, Perl, Haskell, Aspectj, Ruby, COBOL, Bash Scripts and Scheme Revision 1.0 Sultan S
    Comparing Selected Criteria of Programming Languages Java, PHP, C++, Perl, Haskell, AspectJ, Ruby, COBOL, Bash Scripts and Scheme Revision 1.0 Sultan S. Al-Qahtani Luis F. Guzman Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada [email protected] [email protected] Rafik Arif Adrien Tevoedjre Concordia University Concordia University Montreal, Quebec, Canada Montreal, Quebec, Canada [email protected] [email protected] Pawel Pietrzynski Concordia University Montreal, Quebec, Canada [email protected] Abstract Comparison of programming languages is a common topic of discussion among software engineers. Few languages ever become sufficiently popular that they are used by more than a few people or find their niche in research or education; but professional programmers can easily use dozens of different languages during their career. Multiple programming languages are designed, specified, and implemented every year in order to keep up with the changing programming paradigms, hardware evolution, etc. In this paper we present a comparative study between ten programming languages: Haskell, Java, Perl, C++, AspectJ, COBOL, Ruby, PHP, Bash Scripts, and Scheme; with respect of the following criteria: Secure programming practices, web applications development, web services design and composition, object oriented-based abstraction, reflection, aspect-orientation, functional programming, declarative programming, batch scripting, and user interface prototype design. 1. Introduction The first high-level programming languages were designed during the 1950s. Ever since then, programming languages have been a fascinating and productive area of study [43]. Thousands of different programming languages have been created, mainly in the computer field, with many more being created every year; they are designed, specified, and implemented for the purpose of being up to date with the evolving programming paradigms (e.g.
    [Show full text]
  • Juturna: Lightweight, Pluggable and Selective Taint Tracking for Java
    Institut für Programmstrukturen und Datenorganisation (IPD) Lehrstuhl Prof. Dr.-Ing. Snelting Juturna: Lightweight, Pluggable and Selective Taint Tracking for Java Masterarbeit von Florian Dominik Loch an der Fakultät für Informatik / in Kooperation mit der SAP SE Erstgutachter: Prof. Dr.-Ing. Gregor Snelting Zweitgutachter: Prof. Dr. Bernhard Beckert Betreuer KIT: Dipl.-Inform. Martin Mohr Betreuer SAP SE: Dr. Martin Johns Bearbeitungszeit: 12. Juli 2017 – 19. Februar 2018 KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft www.kit.edu Erklärung Hiermit erkläre ich, Florian Dominik Loch, dass ich die vorliegende Masterarbeit selbstständig verfasst habe und keine anderen als die angegebenen Quellen und Hilfs- mittel benutzt habe, die wörtlich oder inhaltlich übernommenen Stellen als solche kenntlich gemacht und die Satzung des KIT zur Sicherung guter wissenschaftlicher Praxis beachtet habe. Ort, Datum Unterschrift III Abstract Injection-Angriffe, wie bspw. SQL-Injection oder Cross-site Scripting, sind vielfäl- tig und stellen eine große Bedrohung für (Web-)Applikationen und ihre Nutzer dar – für Privatpersonen gleichermaßen wie für Unternehmen. Bisherige Arbeiten haben klar gezeigt, dass die Idee des Taint-Trackings – Werte zu markieren und ihren Fluss durch die Applikation zur Laufzeit zu überwachen – effektiv sind bzgl. der Erkennung einer Vielzahl solcher Verwundbarkeiten sowie der Verhinderung einer Ausnutzung. Allerdings sind aktuelle Taint-Tracking-Systeme für Java SE/Java EE noch nicht wirklich für den produktiven Einsatz geeignet. Die vorliegende Arbeit setzt sich mit den Anforderungen eines solchen Umfeldes auseinander und stellt, in Form von Juturna, einen neuen Ansatz vor. Dieser versucht, jenen Anforderungen unter Verwendung etablierter Techniken und neuer Ideen gerecht zu werden. Eines der großen, aktuellen Probleme von Taint-Tracking ist dabei der immanen- te Overhead bzgl.
    [Show full text]
  • Dynamic Taint Tracking for Java-Based Web Applications
    DEGREE PROJECT IN THE FIELD OF TECHNOLOGY INFORMATION AND COMMUNICATION TECHNOLOGY AND THE MAIN FIELD OF STUDY COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS STOCKHOLM, SWEDEN 2018 WebTaint: Dynamic Taint Tracking for Java-based Web Applications FREDRIK ADOLFSSON KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ARCHITECTURE AND THE BUILT ENVIRONMENT WebTaint: Dynamic Taint Tracking for Java-based Web Applications FREDRIK ADOLFSSON Master in Computer Science Date: June 21, 2018 Supervisor: Musard Balliu Examiner: Mads Dam Swedish title: WebTaint: Dynamic Taint Tracking för Java-baserade webbapplikationer School of Computer Science and Communication iii Abstract The internet is a source of information and it connects the world through a single platform. Many businesses have taken advantage of this to share information, to communicate with customers, and to cre- ate new business opportunities. However, this does not come without drawbacks as there exists an elevated risk to become targeted in attacks. The thesis implemented a dynamic taint tracker, named WebTaint, to detect and prevent confidentiality and integrity vulnerabilities in Java- based web applications. We evaluated to what extent WebTaint can combat integrity vulnerabilities. The possible advantages and disad- vantages of using the application is introduced as well as an explication whether the application was capable of being integrated into produc- tion services. The results show that WebTaint helps to combat SQL Injection and Cross-Site Scripting attacks. However, there are drawbacks in the form of additional time and memory overhead. The implemented solution is therefore not suitable for time or memory sensitive domains. WebTaint could be recommended for use in test environments where security ex- perts utilize the taint tracker to find TaintExceptions through manual and automatic attacks.
    [Show full text]