Talking about taint propagation for Java at Acsac
15.12.2005 / Programming Languages, Security /
I presented our paper on taint propagation for Java at Acsac this past week. My co-authors were fellow grad student Deepak Chandra and our advisor Prof. Michael Franz. The questions and feedback I got sometimes caught me unawares and made me think about things I hadn’t considered so far. Many thanks to Scott Stoller, David A. Wheeler and Dave Wichers for their questions and comments. And, of course, to the anonymous reviewers too, of which there were no less than four.
Quick summary: our goal is to combat vulnerabilities in web applications arising from improperly validated input. This, by the way, is the largest single source of security holes in web applications. We have built a runtime mechanism for the Java virtual machine that marks untrusted input as “tainted” and, until it is cleaned by some validation routine, prohibits its use in security-sensitive methods, such as those for executing SQL queries. This is very much like the taint mode in Perl, and in fact, that was the original inspiration for our work (though we came at it from a totally different perspective—see this paper for background). But our technique is more flexible because the sources of tainted data and the methods where tainted data must not be used (sinks) are not hard-coded into the interpreter (as in Perl), but are independently specified.
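To make the mechanism concrete, here is a small user-level model of the idea, written as an added illustration for this post; it is not the paper’s JVM-level implementation, which tracks taint inside the virtual machine rather than in a wrapper class. The model keeps a taint bit on each string value, propagates it through string operations, clears it only in a validation routine, and refuses to let a tainted value reach a sink. The source and sink names in the policy (`HttpServletRequest.getParameter`, `Statement.executeQuery`) are assumed labels chosen for the example, and the `TString`, `TaintPolicy`, `input`, `requireAlphanumeric` and `executeQuery` names are hypothetical.

```java
import java.util.HashSet;
import java.util.Set;

// Added example: a simplified, library-level model of taint propagation.
// It is not the paper's JVM modification; it only mirrors the policy idea:
// sources and sinks are declared in a policy object, not hard-coded.
public final class TaintDemo {

    /** A string value plus a taint bit that survives string operations. */
    static final class TString {
        final String value;
        final boolean tainted;

        TString(String value, boolean tainted) {
            this.value = value;
            this.tainted = tainted;
        }

        // Propagation rule: the result is tainted if any operand was tainted.
        TString concat(TString other) {
            return new TString(value + other.value, tainted || other.tainted);
        }

        TString substring(int begin, int end) {
            return new TString(value.substring(begin, end), tainted);
        }
    }

    /** Policy: which input origins are sources and which methods are sinks (assumed names). */
    static final class TaintPolicy {
        private final Set<String> sources = new HashSet<>();
        private final Set<String> sinks = new HashSet<>();

        TaintPolicy source(String name) { sources.add(name); return this; }
        TaintPolicy sink(String name) { sinks.add(name); return this; }
        boolean isSource(String name) { return sources.contains(name); }
        boolean isSink(String name) { return sinks.contains(name); }
    }

    /** Raised when tainted data is about to enter a declared sink. */
    static final class TaintViolation extends SecurityException {
        TaintViolation(String sink) { super("tainted data reached sink " + sink); }
    }

    /** Entry point for data: it is tainted exactly when its origin is a declared source. */
    static TString input(TaintPolicy policy, String origin, String raw) {
        return new TString(raw, policy.isSource(origin));
    }

    /** Validation routine: a whitelist check that clears the taint bit on success. */
    static TString requireAlphanumeric(TString s) {
        if (!s.value.matches("[A-Za-z0-9_]+")) {
            throw new IllegalArgumentException("input rejected by validator");
        }
        return new TString(s.value, false);
    }

    /** Guard run before a declared sink executes. */
    static void checkSink(TaintPolicy policy, String sinkName, TString arg) {
        if (policy.isSink(sinkName) && arg.tainted) {
            throw new TaintViolation(sinkName);
        }
    }

    /** Simulated sink: in a real application this would hand the query to the database. */
    static String executeQuery(TaintPolicy policy, TString sql) {
        checkSink(policy, "Statement.executeQuery", sql);
        return "executed: " + sql.value;
    }

    public static void main(String[] args) {
        TaintPolicy policy = new TaintPolicy()
                .source("HttpServletRequest.getParameter")
                .sink("Statement.executeQuery");

        TString prefix = new TString("SELECT * FROM users WHERE name='", false);
        TString suffix = new TString("'", false);

        // Constructed request parameter: unvalidated, so the taint bit travels
        // through concat and the sink refuses it regardless of its content.
        TString user = input(policy, "HttpServletRequest.getParameter", "alice");
        try {
            executeQuery(policy, prefix.concat(user).concat(suffix));
        } catch (TaintViolation e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // The same value after passing the validator is untainted and accepted.
        TString clean = requireAlphanumeric(user);
        System.out.println(executeQuery(policy, prefix.concat(clean).concat(suffix)));

        // Data from an origin that the policy does not list as a source is never tainted.
        TString table = input(policy, "Properties.getProperty", "users");
        System.out.println(executeQuery(policy, new TString("SELECT * FROM ", false).concat(table)));
    }
}
```

The point the model makes is the one the post makes: the check depends on where the data came from and whether it passed validation, not on what the string looks like, and moving a method in or out of the `TaintPolicy` changes the enforced rule without touching the interpreter (here, the `TString` class).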
This is a problem that is the target of much research right now. Proposed solutions include purely static analysis techniques, purely runtime techniques (like ours) and everything in between, each with its own unique trade-offs.
The paper: Taint Propagation for Java by Vivek Haldar, Deepak Chandra and Michael Franz
19.1.2006 at 5:26 pm
[…] I’m going to give a talk about web application security in a seminar class held by my advisor Prof. Michael Franz later this afternoon. This blog post is supposed to be the accompanying “see here for more” link for the talk. Here are a few resources and pointers to go look at if you want to dive deeper into some of the topics I’m going to talk about. The OWASP page is a great resource for web app security in general. It’s the home of the top ten web vulnerabilities, as well as WebGoat and WebScarab. I maintain a list of research papers on the topic of web application security, with a strong tilt towards beating command injection attacks. There’s also a related doodle of the various proposed solutions. This area has gotten a lot of attention from CS researchers lately. Here at UCIrvine, we’ve done some work on hardening the JVM against attacks on web applications. I presented a paper on this at the last ACSAC. Here’s the paper (Taint Propagation for Java - PDF), and here are the slides for that talk (PDF). Finally, here are the slides of the talk. (PDF) […]
9.2.2006 at 4:17 pm
[…] As pointed out by the CSSE (context-sensitive string evaluation) paper, such higher-order attacks are particularly hard to guard against. Data coming from persistent storage such as a database is considered trusted to start with, and rarely checked. Runtime approaches that detect injection attacks by adding metadata to strings (such as CSSE, or our taint propagation approach) would actually need to also make their metadata persistent, and then restore it when persistent data is read back into memory. In implementation terms this is much harder because it touches parts other than the VM or interpreter — such as the database, or filesystem. Also, if metadata is written out to persistent storage, it might interfere with the operation of other programs that work off the same data. […]
15.3.2006 at 2:17 pm
[…] There you go — another channel for tainted input. This so-called “taint problem” comes up everywhere. Most recently, it’s been brought to light because of its implications for web application security, but if you dig deeper, it’s a much more fundamental problem that comes up whenever your program deals with untrusted input. […]