Language Based Security: TAJ: Effective Taint Analysis of Web Applications (PLDI 2009), slide transcript


Language Based Security

TAJ: Effective Taint Analysis of Web Applications

PLDI 2009

Omer Tripp, IBM Software Group, omert@il.ibm.com
Marco Pistoia, IBM T. J. Watson Research Center, pistoia@us.ibm.com
Stephen Fink, IBM T. J. Watson Research Center, sjfink@us.ibm.com
Manu Sridharan, IBM T. J. Watson Research Center, msridhar@us.ibm.com
Omri Weisman, IBM Software Group, weisman@il.ibm.com

www.research.ibm.com/labasec

PLDI 2009 2

LaBaSec

OWASP* Top Ten Security Vulnerabilities (2007 edition)

1. Cross-site scripting (XSS)
2. Injection flaws
3. Malicious file execution
4. Insecure direct object reference
5. Cross-site request forgery (CSRF)
6. Information leakage and improper error handling
7. Broken authentication and improper session management
8. Insecure cryptographic storage
9. Insecure communications
10. Failure to restrict URL access

Several of these, XSS and injection flaws above all, are instances of untrusted input reaching a security-sensitive operation without adequate sanitization, which is exactly the information-flow problem taint analysis detects.

* Open Web Application Security Project (OWASP): http://www.owasp.org


Existing Static-Analysis Solutions

Type systems: complex, conservative, and require code annotations

Classic slicing: has not been shown to scale to large applications while maintaining sufficient accuracy


Contributions of TAJ

Hybrid thin slicing
Sound, effective modeling of Web applications
Bounded-analysis techniques
Implementation, productization* and extensive evaluation

* IBM Rational AppScan: http://www.ibm.com/software/awdtools/appscan/


Motivating Example*

[The example program is a code figure on slides 5 to 10 and is not reproduced in the transcript. The six slides annotate the same code with, in order: Taint Flow #1; Sanitizer, Taint Flow #2; Non-tainted, Taint Flow #3; Reflection; Different Map Keys; Object Fields.]

* Inspired by Refl1 in SecuriBench Micro


Outline of TAJ

Algorithm consists of 2 stages:
1. Global pointer analysis
2. Slicing based on the resulting call graph

Rich set of models
Effective reports
Efficient behavior under a restricted budget


Dimensions of Precision

Pointer analysis is a variant of Andersen's analysis

Custom context-sensitivity policy:
Unlimited-depth object sensitivity for Java collections (up to recursion)
One level of call-string context for factory methods
One level of call-string context for taint APIs
One-level receiver-object context sensitivity as the default

Analysis is field sensitive

Analysis is intraprocedurally flow sensitive and interprocedurally flow insensitive (this keeps it sound for multithreaded code, since no ordering between the statements of different methods is assumed)


Hybrid System Dependence Graph

[Figure: a hybrid SDG whose nodes are labelled st, l, sk, c, r and s as in the legend below, with the slice in the no-heap SDG highlighted. Not reproduced in the transcript.]

Node kinds:
st_i  Store statement
l_i   Load statement
sk_i  Sink-dispatch statement
c_i   Call statement
r_i   Return statement
s_i   Other statement

Edge kinds:
No-heap SDG edge
Store-to-load direct edge (computed based on the preliminary pointer analysis)
Load-to-store or load-to-sink summary edge (computed using graph reachability over the no-heap SDG)
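The two ingredients of the hybrid SDG, as an added example written for this transcript (Python, not TAJ's own code, which is Java on WALA): the no-heap SDG is plain def-use over locals (calls are linked by parameter and return bindings written as assignments), the store-to-load edges come from a points-to result, and the slice is forward reachability from sources. The statements, the points-to sets, the helper name trim and the abstract objects o1/o2 are all constructed for the example; the def-use step is flow insensitive for brevity, whereas TAJ is flow sensitive within a procedure.

```python
from collections import defaultdict, deque

# Constructed statements of a small example, not TAJ's IR. One method plus a
# call to a helper trim(); parameter and return-value binding are written as
# "assign" statements, which is how the no-heap SDG links call sites to callees.
# Fields: id, kind, defined variable, used variables, attributes.
STMTS = [
    ("s1",  "source", "x",  [],    {}),                               # x = request.getParameter("name")
    ("st1", "store",  None, ["x"], {"base": "a", "field": "name"}),   # a.name  = x
    ("st2", "store",  None, ["y"], {"base": "c", "field": "name"}),   # c.name  = y     (y is a constant)
    ("st3", "store",  None, ["x"], {"base": "c", "field": "other"}),  # c.other = x
    ("l1",  "load",   "z",  [],    {"base": "b", "field": "name"}),   # z = b.name      (b may alias a)
    ("l2",  "load",   "w",  [],    {"base": "c", "field": "name"}),   # w = c.name
    ("c1",  "assign", "p",  ["z"], {}),                               # call trim(z): parameter p = z
    ("r1",  "assign", "u",  ["p"], {}),                               # u = return of trim (taint passes through)
    ("sk1", "sink",   None, ["u"], {"issue": "XSS"}),                 # out.println(u)
    ("sk2", "sink",   None, ["w"], {"issue": "XSS"}),                 # out.println(w)
]

# Constructed points-to sets from a preliminary (Andersen-style) pointer analysis.
POINTS_TO = {"a": {"o1"}, "b": {"o1"}, "c": {"o2"}}


def no_heap_edges(stmts):
    """Def-use edges over local variables only: the no-heap SDG. Stores and
    loads stay disconnected here. Flow insensitive for brevity (every def of
    v reaches every use of v); TAJ is flow sensitive within a procedure."""
    defs = defaultdict(set)
    for sid, _, d, _, _ in stmts:
        if d is not None:
            defs[d].add(sid)
    edges = defaultdict(set)
    for sid, _, _, uses, _ in stmts:
        for v in uses:
            for src in defs[v]:
                edges[src].add(sid)
    return edges


def heap_edges(stmts, points_to, field_sensitive=True):
    """Store-to-load direct edges: st may reach ld when their bases may alias
    (points-to sets intersect) and, if field sensitive, the fields match."""
    edges = defaultdict(set)
    for st in (s for s in stmts if s[1] == "store"):
        for ld in (s for s in stmts if s[1] == "load"):
            may_alias = points_to[st[4]["base"]] & points_to[ld[4]["base"]]
            same_field = (not field_sensitive) or st[4]["field"] == ld[4]["field"]
            if may_alias and same_field:
                edges[st[0]].add(ld[0])
    return edges


def taint_slice(stmts, points_to, field_sensitive=True):
    """Forward reachability from every source over the hybrid SDG.
    Returns {sink id: witness path from a source, or None if unreachable}."""
    graph = no_heap_edges(stmts)
    for src, dsts in heap_edges(stmts, points_to, field_sensitive).items():
        graph[src] |= dsts
    parent, queue = {}, deque()
    for sid, kind, *_ in stmts:
        if kind == "source":
            parent[sid] = None
            queue.append(sid)
    while queue:
        n = queue.popleft()
        for m in graph[n]:
            if m not in parent:
                parent[m] = n
                queue.append(m)

    def witness(n):
        path = []
        while n is not None:
            path.append(n)
            n = parent[n]
        return path[::-1]

    return {sid: (witness(sid) if sid in parent else None)
            for sid, kind, *_ in stmts if kind == "sink"}


if __name__ == "__main__":
    print("precise:          ", taint_slice(STMTS, POINTS_TO))
    print("field-insensitive:", taint_slice(STMTS, POINTS_TO, field_sensitive=False))
    print("coarse points-to: ", taint_slice(STMTS, {"a": {"o"}, "b": {"o"}, "c": {"o"}}))
```

With the precise points-to sets only sk1 is reported, through the store a.name and the aliasing load b.name. Dropping field sensitivity connects c.other to c.name and reports sk2; a coarser pointer analysis that puts a, b and c in one abstract object does the same through a.name, which is why the slide lists field sensitivity and the pointer-analysis policy as dimensions of precision.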


Modeling Web Applications

[Figure: the modeled constructs arranged around "Web Applications", each with a code fragment. Reconstructed below.]

Taint carriers: String, StringBuilder, StringBuffer
Reflection: Class.forName, Method.invoke
Native methods: Thread.start, AccessController.doPrivileged
Map keys:
    map.put("key1", taint);
    nontaint = map.get("key2");
Object fields: internal object i1 and its field i1.s
JSP
Struts MVC:
    ConcreteActionForm caf = (ConcreteActionForm) af;
    DynaActionForm daf = (DynaActionForm) af;
Exceptions
EJB: the figure shows Bean1Bean.m1() calling Bean2.m2() on the remote interface, which the enterprise bean deployment descriptor resolves to the implementation Bean2Bean.m2():
    <ejb-name>Bean1Bean</ejb-name>
    <home>Bean1Home</home>
    <remote>Bean1</remote>
    <ejb-class>Bean1Bean</ejb-class>
    <session-type>Stateless</session-type>
    <transaction-type>Bean1</transaction-type>
    <ejb-ref>
      <ejb-ref-name>ejb/Bean2</ejb-ref-name>
      <ejb-ref-type>Session</ejb-ref-type>
      <home>Bean2Home</home>
      <remote>Bean2</remote>
      <ejb-class>Bean2Bean</ejb-class>
    </ejb-ref>
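What a "model" buys the analysis, as an added example for this transcript (Python, not TAJ's code): library calls are replaced by taint-transfer rules instead of being analysed, so the map snippet above, the StringBuilder taint carrier, and the Sanitizer and Different Map Keys annotations of the motivating example all fall out of a small rule table. Two HashMaps are kept apart by an allocation-site abstraction, the object-sensitivity point of the Dimensions of Precision slide. The program, the method names (getParameter, escapeHtml, println stand in for the real APIs) and the "key:<constant>" / "key:*" field encoding are all assumptions of the example, and the walk is a single flow-sensitive pass over straight-line code rather than TAJ's interprocedural fixed point.

```python
import re

CONST = re.compile(r"^'.*'$")   # string literals are written 'like this'


class TaintState:
    """Tainted locals, a variable -> abstract-object map (allocation-site
    abstraction, so two HashMaps are distinct objects) and tainted
    (object, field) pairs. A Map entry is modelled as a field named after
    its constant key, or the wildcard field "key:*" when the key is not a
    constant (assumption made for this example)."""

    def __init__(self):
        self.vars, self.objs, self.heap, self.findings = set(), {}, set(), []

    def tainted(self, expr):
        return not CONST.match(expr) and expr in self.vars

    def set_var(self, var, tainted):
        if var is not None:
            (self.vars.add if tainted else self.vars.discard)(var)


def key_field(key):
    return "key:" + key if CONST.match(key) else "key:*"


# Library models. Each takes (state, stmt_no, result, receiver, args) and
# applies the taint transfer of one API instead of analysing the API's code.
def model_source(st, i, res, rcv, args):        # request.getParameter(...)
    st.set_var(res, True)

def model_new(st, i, res, rcv, args):           # new HashMap(), new StringBuilder()
    st.objs[res] = f"o{i}"
    st.set_var(res, False)

def model_map_put(st, i, res, rcv, args):       # map.put(key, value)
    key, value = args
    if st.tainted(value):
        st.heap.add((st.objs[rcv], key_field(key)))

def model_map_get(st, i, res, rcv, args):       # res = map.get(key)
    obj, f = st.objs[rcv], key_field(args[0])
    if f == "key:*":                            # unknown key may read any entry
        hit = any(o == obj for o, _ in st.heap)
    else:                                       # that entry, or one written under an unknown key
        hit = (obj, f) in st.heap or (obj, "key:*") in st.heap
    st.set_var(res, hit)

def model_append(st, i, res, rcv, args):        # sb.append(x): the builder carries taint
    if st.tainted(args[0]):
        st.heap.add((st.objs[rcv], "content"))
    st.set_var(res, (st.objs[rcv], "content") in st.heap)

def model_tostring(st, i, res, rcv, args):      # res = sb.toString()
    st.set_var(res, (st.objs[rcv], "content") in st.heap)

def model_sanitizer(st, i, res, rcv, args):     # res = escapeHtml(x): clean whatever x was
    st.set_var(res, False)

def model_sink(st, i, res, rcv, args):          # out.println(x)
    if st.tainted(args[0]):
        st.findings.append((i, "XSS"))

MODELS = {
    "getParameter": model_source, "new": model_new,
    "put": model_map_put, "get": model_map_get,
    "append": model_append, "toString": model_tostring,
    "escapeHtml": model_sanitizer, "println": model_sink,
}

# Constructed straight-line program: (result, receiver, method, args).
PROGRAM = [
    ("name", None,  "getParameter", ["req", "'name'"]),  # 0: source
    ("m1",   None,  "new", ["HashMap"]),                  # 1
    ("m2",   None,  "new", ["HashMap"]),                  # 2
    (None,   "m1",  "put", ["'key1'", "name"]),           # 3: m1["key1"] is tainted
    ("a",    "m1",  "get", ["'key2'"]),                   # 4: other key, same map: clean
    ("b",    "m1",  "get", ["'key1'"]),                   # 5: same key: tainted
    ("c",    "m2",  "get", ["'key1'"]),                   # 6: same key, other map object: clean
    ("k",    None,  "getParameter", ["req", "'k'"]),      # 7: non-constant key
    (None,   "m2",  "put", ["k", "name"]),                # 8: write under an unknown key
    ("d",    "m2",  "get", ["'zzz'"]),                    # 9: may alias that write: tainted
    ("sb",   None,  "new", ["StringBuilder"]),            # 10
    (None,   "sb",  "append", ["'<p>'"]),                 # 11
    (None,   "sb",  "append", ["b"]),                     # 12: builder now tainted
    ("s",    "sb",  "toString", []),                      # 13: tainted
    ("e",    None,  "escapeHtml", ["s"]),                 # 14: sanitized
    (None,   "out", "println", ["s"]),                    # 15: finding
    (None,   "out", "println", ["e"]),                    # 16: no finding
    (None,   "out", "println", ["d"]),                    # 17: finding (unknown-key write)
]


def analyse(program):
    """Walk the program once, in order, applying the model of each call."""
    st = TaintState()
    for i, (res, rcv, method, args) in enumerate(program):
        MODELS[method](st, i, res, rcv, args)
    return st
```

Running analyse(PROGRAM) reports statements 15 and 17 and nothing else: the constant-key model keeps key2 clean although key1 on the same map is tainted, the allocation-site abstraction keeps m2["key1"] clean, and a put under a non-constant key taints every later get on that map, which is the conservative choice when the key cannot be resolved.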


Eliminating Redundant Flows

Flows are equivalent iff:
their parts under application code coincide, and
their sinks correspond to the same issue type

Dramatically improves user experience (on JBoard, 25x fewer reports)

Sound, minimal with respect to remediation

[Figure: flows through nodes n1 to n11, the upper region labelled Application and the lower region Library, ending in sinks with the same issue type. Not reproduced in the transcript.]
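The equivalence relation above, as an added example for this transcript (Python, not TAJ's code). Flows that differ only inside library code collapse into one report, because the developer can only fix application code: a sanitizer placed at any application node of the class's projection remediates every flow in the class, which is the sense in which the reduced report set is sound and minimal with respect to remediation. The flows, node labels and issue types are constructed; they loosely follow the slide's figure but are not its data.

```python
from collections import OrderedDict

# Constructed witness flows, not TAJ output. A flow is the statement sequence
# from source to sink; each element records whether that statement lies in
# application or library code. Node labels follow the slide's figure.
FLOWS = [
    {"issue": "XSS",  "path": [("n1", "app"), ("n2", "app"), ("n3", "lib"), ("n4", "lib"), ("n8", "app"), ("n9", "lib")]},
    {"issue": "XSS",  "path": [("n1", "app"), ("n2", "app"), ("n5", "lib"), ("n6", "lib"), ("n8", "app"), ("n10", "lib")]},
    {"issue": "XSS",  "path": [("n1", "app"), ("n2", "app"), ("n7", "lib"), ("n8", "app"), ("n11", "lib")]},
    {"issue": "SQLi", "path": [("n1", "app"), ("n2", "app"), ("n7", "lib"), ("n8", "app"), ("n13", "lib")]},
    {"issue": "XSS",  "path": [("n1", "app"), ("n12", "app"), ("n7", "lib"), ("n8", "app"), ("n9", "lib")]},
]


def app_projection(path):
    """The part of a flow a developer can actually edit: its application nodes, in order."""
    return tuple(node for node, where in path if where == "app")


def equivalence_key(flow):
    return (app_projection(flow["path"]), flow["issue"])


def dedupe(flows):
    """One report per equivalence class (same application projection and
    same issue type). Returns the representatives and the size of each class."""
    classes = OrderedDict()
    for f in flows:
        classes.setdefault(equivalence_key(f), []).append(f)
    reps = [members[0] for members in classes.values()]
    return reps, {key: len(members) for key, members in classes.items()}


def still_vulnerable(flows, fixed_nodes):
    """Flows that survive a fix (e.g. a sanitizer) at the given application
    nodes. A fix at one node of a class's projection remediates the whole
    class, which is why reporting one witness per class loses nothing."""
    return [f for f in flows
            if not any(n in fixed_nodes for n in app_projection(f["path"]))]


if __name__ == "__main__":
    reps, sizes = dedupe(FLOWS)
    print(len(FLOWS), "flows ->", len(reps), "reports:", sizes)
    print("after fixing n8:", len(still_vulnerable(FLOWS, {"n8"})), "left")
    print("after fixing n2:", len(still_vulnerable(FLOWS, {"n2"})), "left")
```

Five flows become three reports: the three XSS flows through n1, n2, n8 differ only in library code, the SQLi flow through the same application nodes stays separate because its remediation differs, and the flow through n12 is a genuinely different application path.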


Priority-driven Call-graph Construction

Priority queue used to govern call-graph growth
Sources are assigned priority 0 (most important)
Recursively, for each "neighbor" t of node n: priority(t) = min{priority(n) + 1, priority(t)}
Propagate priorities to a fixed point
"Locality-of-taint" principle: taint flows are typically short, so the call-graph nodes closest to a source are the ones worth spending a bounded budget on
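The priority scheme as an added example for this transcript (Python, not TAJ's WALA-based implementation). Call-graph growth is a worklist over a priority queue: processing a method resolves its call sites, priorities are re-propagated from every source discovered so far with the min rule from the slide, and the lowest priority is expanded next; a budget caps how many methods get resolved. Assumptions made here: "neighbor" is read as either side of a call edge, the callee table stands in for the pointer analysis resolving targets, and the toy servlet (doGet, getParameter as source API, write as sink API, the rest setup code) is constructed. The same function with prioritized=False grows the graph breadth-first, for comparison under the same budget.

```python
import heapq
from collections import deque

INF = float("inf")

# Constructed call-target table (method -> callees). It stands in for the
# pointer analysis that resolves call sites as the graph grows, and it is a
# toy servlet, not a real application: getParameter is the taint-source API,
# write the sink API, and most of the graph is unrelated setup code.
CALLEES = {
    "doGet":       ["initLogging", "loadConfig", "handle"],
    "initLogging": ["openFile", "rotate"],
    "openFile":    ["checkPerms", "lockFile", "statFile"],
    "loadConfig":  ["parseXml", "validate"],
    "parseXml":    ["readFile"],
    "handle":      ["readInput", "process"],
    "readInput":   ["getParameter"],
    "process":     ["render"],
    "render":      ["escape", "write"],
}
SOURCES = {"getParameter"}


def propagate_priorities(nodes, edges, sources):
    """priority(source) = 0; priority(t) = min(priority(n) + 1, priority(t)) for
    every neighbour t of n, iterated to a fixed point. Neighbours are taken on
    both sides of a call edge (assumption: taint travels through parameters
    and return values alike), so the result is the breadth-first distance
    from the nearest discovered source; INF means no source is near yet."""
    prio = {n: INF for n in nodes}
    nbrs = {n: set() for n in nodes}
    for a, b in edges:
        nbrs[a].add(b)
        nbrs[b].add(a)
    queue = deque(s for s in sources if s in prio)
    for s in queue:
        prio[s] = 0
    while queue:
        n = queue.popleft()
        for t in nbrs[n]:
            if prio[n] + 1 < prio[t]:
                prio[t] = prio[n] + 1
                queue.append(t)
    return prio


def build_call_graph(entry, callees, sources, budget, prioritized=True):
    """Grow the call graph from `entry`, resolving the callees of at most
    `budget` methods, lowest priority first and FIFO among equals (so
    prioritized=False is plain breadth-first growth). Returns the processing
    order, the discovered methods and the discovered call edges."""
    nodes = {entry: None}                   # insertion-ordered set
    edges, done, order = set(), set(), []
    prio, seq, heap = {entry: INF}, 0, [(INF, 0, entry)]
    while heap and len(order) < budget:
        p, _, n = heapq.heappop(heap)
        if n in done or p != prio[n]:       # already resolved, or a stale entry
            continue
        done.add(n)
        order.append(n)
        for t in callees.get(n, []):        # resolve this method's call sites
            nodes[t] = None
            edges.add((n, t))
        prio = (propagate_priorities(nodes, edges, sources) if prioritized
                else {m: INF for m in nodes})
        for m in nodes:                     # re-queue with current priorities
            if m not in done:
                seq += 1
                heapq.heappush(heap, (prio[m], seq, m))
    return order, list(nodes), edges


if __name__ == "__main__":
    for flag in (True, False):
        order, nodes, _ = build_call_graph("doGet", CALLEES, SOURCES, budget=12, prioritized=flag)
        print("prioritized" if flag else "breadth-first", order,
              "sink discovered:", "write" in nodes)
```

With a budget of 12 resolved methods the prioritized run reaches the sink: once readInput exposes getParameter, process and render jump ahead of the logging and configuration subtrees, and write is discovered. Breadth-first growth spends the same budget on checkPerms and lockFile and never sees the sink. Before any source is found the two behave identically, which is the expected cost of the scheme: it can only redirect effort towards taint it has already located.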


Experimental Setup

Five variants assessed:
1. Context sensitive (CS)
2. Context insensitive (CI)
3. Unbounded hybrid (i.e., running to completion)
4. Prioritized hybrid (i.e., call graph bounded, priority-driven scheme)
5. Fully optimized hybrid (i.e., prioritized, "long" flows eliminated, taint depth restricted, slice size bounded)

All implemented on top of WALA*

* IBM Watson Libraries for Analysis: http://wala.sf.net


Experimental Results – Accuracy

[Results table not reproduced in the transcript.]


Experimental Results – Performance

[Results chart not reproduced in the transcript.]


Conclusion

Effective solution for taint analysis of Web applications based on pointer analysis and hybrid thin slicing

Efficient strategies for analysis under limited budget

General models for frameworks and other programming constructs

Thorough evaluation and productization


Future Work

Detailed comparison of demand-driven and priority-driven schemes
String analysis
More languages
Coverage of more attack vectors

Language Based Security

Thank You!

www.research.ibm.com/labasec