Top

Published in:

2019 | OriginalPaper | Chapter

Practical Dynamic Taint Tracking for Exploiting Input Sanitization Error in Java Applications

Author : Mohammadreza Ashouri

Published in: Information Security and Privacy

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Errors in the sanitization of user inputs lead to serious security vulnerabilities. Many applications contain such errors, making them vulnerable to input sanitization exploits. Therefore, internet worms via exploiting vulnerabilities in applications infect hundreds of thousands of users in a matter of short time, causing hundreds of millions of dollars in damages. To successfully counter internet worm attacks, we need automatic detection and defense mechanisms. First, we need automatic detection mechanisms that can detect runtime attacks for vulnerabilities. A disclosure mechanism should be simple to deploy, resulting in few false positives and few false negatives.

In this paper we present Tainer, an automatic dynamic taint analysis framework to detect and generate exploits for sanitization based vulnerabilities for Java web applications. Particularly, our method is based on tracking the flow of taint information from untrusted input the application sensitive methods (such as console, file, network, database or another program). Our proposed framework is portable, quick, accurate, and does not need the source code of applications. We demonstrate the usefulness of the framework by detecting several zero-day actual vulnerabilities in popular Java applications.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter A Low Overhead Error Correction Algorithm Using Random Permutation for SRAM PUFs

next chapter AMOGAP: Defending Against Man-in-the-Middle and Offline Guessing Attacks on Passwords

Available only for authorised users

https://asm.ow2.io/.

http://serp.sourceforge.net/.

https://cve.mitre.org.

https://www.exploit-db.com.

https://curl.haxx.se.

https://github.com/xmendez/wfuzz.

https://github.com/rapid7/metasploit-framework.

https://nvd.nist.gov.

Aarniala, J.: Instrumenting Java bytecode. In: Seminar Work for the Compilerscourse, Department of Computer Science, University of Helsinki, Finland (2005)

AlBreiki, H.H., Mahmoud, Q.H.: Evaluation of static analysis tools for software security. In: 2014 10th International Conference on Innovations in Information Technology (INNOVATIONS), pp. 93–98. IEEE (2014)

Arzt, S., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM SIGPLAN Not. 49(6), 259–269 (2014)CrossRef

Balzarotti, D., et al.: Saner: composing static and dynamic analysis to validate sanitization in web applications. In: 2008 IEEE Symposium on Security and Privacy (SP 2008), pp. 387–401 (2008)

Bell, J.: Detecting, isolating, and enforcing dependencies among and within test cases. In: Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 799–802. ACM (2014)

Binder, W., Hulaas, J., Moret, P.: Advanced Java bytecode instrumentation. In: Proceedings of the 5th International Symposium on Principles and Practice of Programming in Java, pp. 135–144. ACM (2007)

Boonstoppel, P., Cadar, C., Engler, D.: RWset: attacking path explosion in constraint-based test generation. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 351–366. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78800-3_27CrossRef

Brumley, D., Caballero, J., Liang, Z., Newsome, J., Song, D.: Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In: USENIX Security Symposium, p. 15 (2007)

Chiba, S.: Javassist: Java bytecode engineering made simple. Java Dev. J. 9(1), 30 (2004)

10.

Clause, J., Li, W., Orso, A.: Dytan: a generic dynamic taint analysis framework. In: Proceedings of the 2007 International Symposium on Software Testing and Analysis, pp. 196–206. ACM (2007)

11.

Dahm, M.: Byte code engineering. In: Cap, C.H. (ed.) JIT 1999. INFORMAT, pp. 267–277. Springer, Heidelberg (1999). https://doi.org/10.1007/978-3-642-60247-4_25CrossRef

12.

Dahm, M., van Zyl, J., Haase, E.: The bytecode engineering library (BCEL) (2003)

13.

Dalton, M., Kozyrakis, C., Zeldovich, N.: Nemesis: preventing authentication & [and] access control vulnerabilities in web applications (2009)

14.

Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)CrossRef

15.

Fan, N., Winslow, A.B., Wu, T.B., Yu, J.X.: Automatic deployment of Java classes using byte code instrumentation. US Patent 8,397,227, 12 March 2013

16.

Feng, H.H., Kolesnikov, O.M., Fogla, P., Lee, W., Gong, W.: Anomaly detection using call stack information. In: 2003 Symposium on Security and Privacy, pp. 62–75. IEEE (2003)

17.

Spring Framework: Spring framework. https://spring.io/?. Accessed Mar 2018

18.

Gao, D., Reiter, M.K., Song, D.: Gray-box extraction of execution graphs for anomaly detection. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 318–329. ACM (2004)

19.

Giffin, J.T., Jha, S., Miller, B.P.: Detecting manipulated remote call streams. In: USENIX Security Symposium, pp. 61–79 (2002)

20.

Godefroid, P., Levin, M.Y., Molnar, D.A.: SAGE: whitebox fuzzing for security testing. ACM Queue 55(3), 40–44 (2012)

21.

Goldberg, A., Haveland, K.: Instrumentation of Java bytecode for runtime analysis (2003)

22.

Gupta, S., Gupta, B.B.: Detection, avoidance, and attack pattern mechanisms in modern web application vulnerabilities: present and future challenges. Int. J. Cloud Appl. Comput. (IJCAC) 7(3), 1–43 (2017)

23.

Haldar, V., Chandra, D., Franz, M.: Dynamic taint propagation for Java. In: 21st Annual Computer Security Applications Conference, pp. 9–pp. IEEE (2005)

24.

Henderson, A.: DECAF: a platform-neutral whole-system dynamic binary analysis platform. IEEE Trans. Softw. Eng. 43(2), 164–184 (2017)MathSciNetCrossRef

25.

Hu, A., Peng, G., Chen, Z., Zhu, Z.: A struts2 unknown vulnerability attack detection and backtracking scheme based on multilayer monitoring. In: Xu, M., Qin, Z., Yan, F., Fu, S. (eds.) CTCIS 2017. CCIS, vol. 704, pp. 383–396. Springer, Singapore (2017). https://doi.org/10.1007/978-981-10-7080-8_26CrossRef

26.

Ishrat, M., Saxena, M., Alamgir, M.: Comparison of static and dynamic analysis for runtime monitoring. Int. J. Comput. Sci. Commun. Netw. 2(5), 615–617 (2012)

27.

Kang, M.G., McCamant, S., Poosankam, P., Song, D.: DTA++: dynamic taint analysis with targeted control-flow propagation. In: NDSS (2011)

28.

Kim, H.C., Keromytis, A.: On the deployment of dynamic taint analysis for application communities. IEICE Trans. Inf. Syst. 92(3), 548–551 (2009)CrossRef

29.

Kuleshov, E.: Using the ASM framework to implement common Java bytecode transformation patterns. Aspect-Oriented Software Development (2007)

30.

Li, L., Dong, Q., Liu, D., Zhu, L.: The application of fuzzing in web software security vulnerabilities test. In: 2013 International Conference on Information Technology and Applications, pp. 130–133 (2013)

31.

Liang, S.: The Java Native Interface: Programmer’s Guide and Specification. Addison-Wesley Professional, Boston (1999)

32.

Livshits, B., Martin, M., Lam, M.S.: SecuriFly: runtime protection and recovery from web application vulnerabilities. Technical report (2006)

33.

Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: USENIX Security Symposium, vol. 14, p. 18 (2005)

34.

Luszcz, J.: Apache struts 2: how technical and development gaps caused the equifax breach. Netw. Secur. 2018(1), 5–8 (2018)CrossRef

35.

Medeiros, I., Neves, N., Correia, M.: DEKANT: a static analysis tool that learns to detect web application vulnerabilities. In: Proceedings of the 25th International Symposium on Software Testing and Analysis, pp. 1–11. ACM (2016)

36.

Mongiovì, M., Giannone, G., Fornaia, A., Pappalardo, G., Tramontana, E.: Combining static and dynamic data flow analysis: a hybrid approach for detecting data leaks in Java applications. In: Proceedings of the 30th Annual ACM Symposium on Applied Computing, pp. 1573–1579. ACM (2015)

37.

Naderi-Afooshteh, A., Nguyen-Tuong, A., Bagheri-Marzijarani, M., Hiser, J.D., Davidson, J.W.: Joza: hybrid taint inference for defeating web application SQL injection attacks. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 172–183. IEEE (2015)

38.

Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: 2005 IEEE Symposium on Security and Privacy, pp. 226–241. IEEE (2005)

39.

Newsome, J., Song, D.X.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: NDSS, vol. 5, pp. 3–4. Citeseer (2005)

40.

Pérez, P.M., Filipiak, J., Sierra, J.M.: LAPSE+ static analysis security software: vulnerabilities detection in Java EE applications. In: Park, J.J., Yang, L.T., Lee, C. (eds.) FutureTech 2011. CCIS, vol. 184, pp. 148–156. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22333-4_17CrossRef

41.

Qin, F., Wang, C., Li, Z., Kim, H., Zhou, Y., Wu, Y.: LIFT: a low-overhead practical information flow tracking system for detecting security attacks. In: 2006 39th Annual IEEE/ACM International Symposium on Microarchitecture, MICRO-39, pp. 135–148. IEEE (2006)

42.

Royer, M.E., Chawathe, S.S.: Java unit annotations for units-of-measurement error prevention. In: 2018 IEEE 8th Annual Computing and Communication Workshop and Conference (CCWC), pp. 816–822. IEEE (2018)

43.

Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: 2010 IEEE Symposium on Security and Privacy (SP), pp. 317–331. IEEE (2010)

44.

Shoshitaishvili, Y., et al.: SOK: (state of) the art of war: offensive techniques in binary analysis. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 138–157. IEEE (2016)

45.

Song, D., et al.: BitBlaze: a new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89862-7_1CrossRef

46.

Suh, G.E., Lee, J.W., Zhang, D., Devadas, S.: Secure program execution via dynamic information flow tracking. In: ACM SIGPLAN Notices, vol. 39, pp. 85–96. ACM (2004)

47.

Stenzel, O.: Gradient index films and multilayers. The Physics of Thin Film Optical Spectra. SSSS, vol. 44, pp. 163–180. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-21602-7_8CrossRef

48.

Xu, W., Bhatkar, S., Sekar, R.: Practical dynamic taint analysis for countering input validation attacks on web applications. Technical report SECLAB-05-04, Department of Computer Science, Stony Brook (2005)

Title: Practical Dynamic Taint Tracking for Exploiting Input Sanitization Error in Java Applications
Author: Mohammadreza Ashouri
Publisher: Springer International Publishing
Book: Information Security and Privacy
Print ISBN: 978-3-030-21547-7

Electronic ISBN: 978-3-030-21548-4

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-21548-4_27

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner