ABSTRACT
A great deal of research on sanitizer placement, sanitizer correctness, checking path validity, and policy inference has been done in the last five to ten years, involving type systems, static analysis, and run-time monitoring and enforcement. In almost all of this work, however, the burden of sanitizer placement has fallen on the developer. Placing sanitizers correctly in a large-scale application is difficult, and developers are likely to make errors: a missing or wrong sanitizer on a path from untrusted input to a sensitive sink is a security vulnerability.
This paper advocates a radically different approach: we aim to fully automate the placement of sanitizers by analyzing the flow of tainted data in the program. We argue that developers are better off leaving sanitizers out entirely, and letting the analysis place them, than trying to place them by hand.
This paper proposes a fully automatic technique for sanitizer placement. Placement is static wherever possible and switches to run time only where necessary. Run-time taint tracking can record the source of a value, so that the sanitization appropriate to that source and sink can be applied; because of the overhead of run-time taint tracking, however, our technique avoids it wherever static placement suffices.
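The static-where-possible, run-time-where-necessary split described above, as an added example written for this page and not the paper's implementation: a toy dataflow graph for a hypothetical web handler, a static pass that decides per sink whether an unconditional sanitizer is safe, and a run-time taint label that is consulted only at the one sink where both untrusted and trusted values can arrive. The graph, the handler, all node names, and the one-line SQL escaping routine are constructed for illustration; the paper's analysis operates on real programs and is not reproduced here.

```python
import html
from collections import defaultdict

# Constructed toy dataflow graph (hypothetical handler, not from the paper).
# Each edge moves a value from one program point to the next. "body" is a
# join: it receives either an untrusted comment or a trusted banner.
EDGES = [
    ("req.name",      "greeting"),
    ("greeting",      "html_out"),
    ("req.id",        "where"),
    ("where",         "sql_exec"),
    ("req.comment",   "body"),
    ("config.banner", "body"),
    ("body",          "html_page"),
]
SOURCES = {"req.name", "req.id", "req.comment"}   # untrusted inputs
TRUSTED = {"config.banner"}                       # trusted, may contain markup
SINKS = {"html_out": "html", "sql_exec": "sql", "html_page": "html"}

SANITIZERS = {
    "html": html.escape,
    "sql": lambda s: s.replace("'", "''"),   # toy quote-doubling, example only
}


def predecessors(edges):
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    return preds


def origins(node, preds):
    """All root values (untrusted sources or trusted constants) reaching node."""
    roots, stack, seen = set(), [node], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in SOURCES or n in TRUSTED:
            roots.add(n)
        stack.extend(preds.get(n, ()))
    return roots


def plan_placement(edges, sinks):
    """Static pass. Per sink:
    'static'  : only untrusted roots reach it -> sanitize unconditionally
    'none'    : only trusted roots reach it   -> no sanitizer needed
    'runtime' : both kinds reach it -> decide per value with a taint label"""
    preds = predecessors(edges)
    plan = {}
    for sink in sinks:
        roots = origins(sink, preds)
        tainted = roots & SOURCES
        if tainted and roots <= SOURCES:
            plan[sink] = "static"
        elif not tainted:
            plan[sink] = "none"
        else:
            plan[sink] = "runtime"
    return plan


class Tainted(str):
    """A string that remembers it came from an untrusted source.
    Concatenation with anything yields a Tainted string (taint propagates)."""
    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


def from_source(value):
    """Run-time hook at an untrusted source: attach the taint label."""
    return Tainted(value)


def emit(sink, value, plan):
    """Run-time hook at a sink: apply the sanitizer the plan calls for."""
    mode = plan[sink]
    if mode == "static" or (mode == "runtime" and isinstance(value, Tainted)):
        return SANITIZERS[SINKS[sink]](str(value))
    return str(value)


def run_handler(plan, name, user_id, comment, show_comment):
    """Execute the toy handler under the chosen placement plan."""
    greeting = "Hello, " + from_source(name)
    where = "WHERE id = '" + from_source(user_id) + "'"
    body = from_source(comment) if show_comment else "<b>Welcome</b>"  # trusted banner
    return {
        "html_out":  emit("html_out", greeting, plan),
        "sql_exec":  emit("sql_exec", where, plan),
        "html_page": emit("html_page", body, plan),
    }
```

Only `html_page` pays for run-time tracking: `html_out` and `sql_exec` are reached exclusively by untrusted data, so the static pass places an unconditional sanitizer there and no label is ever inspected. At `html_page` neither static choice is acceptable, since omitting the sanitizer lets the comment through unescaped while escaping unconditionally destroys the trusted banner's markup; the label resolves it per value.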