Abstract
A great deal of research on sanitizer placement, sanitizer correctness, checking path validity, and policy inference has been done in the last five to ten years, involving type systems, static analysis, and runtime monitoring and enforcement. In pretty much all work thus far, however, the burden of sanitizer placement has fallen on the developer. Yet sanitizer placement in large-scale applications is difficult, and developers are likely to make errors and thus create security vulnerabilities.
This paper advocates a radically different approach: we aim to fully automate the placement of sanitizers by analyzing the flow of tainted data in the program. We argue that developers are better off leaving out sanitizers entirely instead of trying to place them.
This paper proposes a fully automatic technique for sanitizer placement. Placement is static whenever possible, switching to run time when necessary. Run-time taint tracking techniques can be used to track the source of a value and thus apply the appropriate sanitization. However, because of the overhead that run-time taint tracking imposes, our technique avoids it wherever possible.
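As an added illustration of the static-first, run-time-when-necessary placement described above (this is not the paper's algorithm or code; the dataflow graph, taint labels, sink contexts and sanitizer names are constructed), the following Python decides per sink whether a sanitizer can be fixed statically, at the sink or right after a source, or whether the sink needs run-time taint tracking because values needing different treatment can reach it:

```python
# Constructed toy program as a dataflow graph (not from the paper): an edge
# (a, b) means the value of a flows into b. Sources carry a taint label
# (None = trusted constant); sinks name the output context.
EDGES = [("req.name", "greeting"), ("greeting", "html_out"),
         ("const_title", "page_title"), ("page_title", "html_out"),
         ("req.id", "row"), ("row", "sql_query"), ("row", "html_table"),
         ("cookie.user", "who"), ("who", "sql_query")]
SOURCES = {"req.name": "user", "req.id": "user",
           "cookie.user": "cookie", "const_title": None}
SINKS = {"html_out": "html", "sql_query": "sql", "html_table": "html"}
# Hypothetical policy: which sanitizer a (taint label, sink context) needs.
POLICY = {("user", "html"): "html_escape", ("user", "sql"): "sql_escape",
          ("cookie", "sql"): "verify_cookie_then_sql_escape"}

def reach(src, succ):
    """All nodes reachable from src, src included."""
    seen, stack = set(), [src]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ.get(n, []))
    return seen

def plan_placement():
    """Per sink: sanitize at the sink when every reaching value needs the
    same sanitizer; after each tainted source when that source feeds only
    one context; otherwise defer to run-time taint tracking."""
    succ = {}
    for a, b in EDGES:
        succ.setdefault(a, []).append(b)
    reach_of = {src: reach(src, succ) for src in SOURCES}
    plan = {}
    for sink, ctx in SINKS.items():
        feeders = {s: l for s, l in SOURCES.items() if sink in reach_of[s]}
        needed = {POLICY.get((l, ctx)) for l in feeders.values()}
        if needed <= {None}:
            plan[sink] = ("none",)
        elif len(needed) == 1:
            plan[sink] = ("static_at_sink", needed.pop())
        else:
            tainted = {s: l for s, l in feeders.items() if l}
            # A source is statically sanitizable only if it feeds one context.
            if all(len({SINKS[n] for n in reach_of[s] if n in SINKS}) == 1
                   for s in tainted):
                plan[sink] = ("static_at_sources",
                              {s: POLICY.get((l, ctx)) for s, l in tainted.items()})
            else:
                plan[sink] = ("runtime_taint_tracking",)
    return plan
```

On the constructed graph, `html_table` gets a static sanitizer at the sink, `html_out` gets one right after `req.name` (the sink also receives a trusted constant), and `sql_query` falls back to run-time tracking because `req.id` feeds both an HTML and a SQL sink while `cookie.user` needs a different sanitizer.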
Towards fully automatic placement of security sanitizers and declassifiers
POPL '13: Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages