Abstract
Errors in the sanitization of user input lead to serious security vulnerabilities. Many applications contain such errors, leaving them open to input sanitization exploits; internet worms that exploit these vulnerabilities have infected hundreds of thousands of hosts within a short time and caused hundreds of millions of dollars in damage. Countering such attacks requires automatic detection and defense mechanisms. First, we need detection mechanisms that recognize attacks on these vulnerabilities at runtime. Such a mechanism should be simple to deploy and should produce few false positives and few false negatives.
In this paper we present Tainer, a dynamic taint analysis framework that automatically detects, and generates exploits for, sanitization-based vulnerabilities in Java web applications. Our method tracks the flow of taint from untrusted input to the application's sensitive methods (sinks such as the console, files, the network, the database, or another program). The framework is portable, fast, and accurate, and does not require the application's source code. We demonstrate its usefulness by detecting several previously unknown (zero-day) vulnerabilities in popular Java applications.
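The abstract describes the model underlying the framework: data entering from an untrusted source carries a taint label, the label follows the data through string operations, a sanitizer clears it for one kind of sink, and a sensitive method checks for unresolved labels on its arguments. The following Python program is an added illustration of that model and is not Tainer's code: the paper instruments JVM bytecode, and its source and sink lists are not reproduced on this page. The names `http_param`, `sanitize_sql`, `Tracker`, the sink kinds `sql` and `os_command`, and the request value are all constructed for the example.

```python
"""Source-to-sink dynamic taint tracking in miniature (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Taint:
    source: str                              # e.g. "http.param:user"
    sanitized_for: frozenset = frozenset()   # sink kinds a sanitizer has cleared


def taints_of(value) -> tuple:
    """Taint labels carried by a value; plain (untainted) objects carry none."""
    return getattr(value, "taints", ())


class TaintedStr(str):
    """A str that carries its taint labels through the operations overridden below.

    Tainer does this at the JVM bytecode level; overriding Python string methods is
    the simplest stand-in for that instrumentation (assumption, not the paper's design).
    """

    def __new__(cls, value, taints=()):
        obj = super().__new__(cls, value)
        obj.taints = tuple(taints)
        return obj

    # Propagation rule: the result is tainted if any operand was.
    def __add__(self, other):
        return TaintedStr(str.__add__(self, other), self.taints + taints_of(other))

    def __radd__(self, other):          # plain_str + TaintedStr
        return TaintedStr(str.__add__(other, self), taints_of(other) + self.taints)

    def _wrap(self, result):
        return TaintedStr(result, self.taints)

    def __getitem__(self, key):         # slicing / indexing keeps the labels
        return self._wrap(str.__getitem__(self, key))

    def replace(self, old, new, count=-1):
        return self._wrap(str.replace(self, old, new, count))

    def strip(self, chars=None):
        return self._wrap(str.strip(self, chars))


def http_param(name: str, raw: str) -> TaintedStr:
    """Taint source: stands in for HttpServletRequest.getParameter(name)."""
    return TaintedStr(raw, [Taint(f"http.param:{name}")])


def sanitize_sql(value) -> TaintedStr:
    """Escape single quotes. Clears the 'sql' label only: the value stays
    untrusted for every other sink kind (shell, file path, ...)."""
    escaped = str.replace(value, "'", "''")
    relabelled = [Taint(t.source, t.sanitized_for | {"sql"}) for t in taints_of(value)]
    return TaintedStr(escaped, relabelled)


@dataclass
class Finding:
    sink: str      # sink kind that received tainted data
    source: str    # where the data entered the program
    payload: str   # the value as it reached the sink (the exploit input, in effect)


class Tracker:
    """Checks values arriving at sensitive methods and records violations."""

    def __init__(self):
        self.findings: list[Finding] = []

    def sink(self, kind: str, value) -> str:
        for t in taints_of(value):
            if kind not in t.sanitized_for:
                self.findings.append(Finding(kind, t.source, str(value)))
        return str(value)   # the real call (JDBC, Runtime.exec, ...) would happen here


def run_demo() -> list[Finding]:
    tracker = Tracker()
    # Constructed request parameter; the value is a classic tautology payload.
    user = http_param("user", "alice' OR '1'='1")

    # 1. Raw concatenation: tainted data reaches the SQL sink -> finding.
    query = "SELECT * FROM users WHERE name = '" + user + "'"
    tracker.sink("sql", query)

    # 2. Escaped for SQL: the 'sql' label is cleared -> no finding.
    safe = sanitize_sql(user)
    tracker.sink("sql", "SELECT * FROM users WHERE name = '" + safe + "'")

    # 3. Sanitization error: the SQL-escaped value is reused in a shell command.
    #    Quote-doubling means nothing to a shell, so the tracker reports it.
    tracker.sink("os_command", "ls /home/" + safe)
    return tracker.findings


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.sink:<11} <- {f.source}: {f.payload}")
```

Two points a practitioner should take from this toy. First, a sanitizer clears taint for one sink kind only; case 3 is the mismatch the abstract calls a sanitization error, where data escaped for SQL is later passed to a different sink. Second, wrapper types lose labels whenever data passes through an operation they do not cover (f-strings, `str.join`, `format`, native code), which is a false negative; instrumenting the bytecode, as the paper does, propagates labels through the runtime's own string operations instead of relying on the application to use a wrapper.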
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Ashouri, M. (2019). Practical Dynamic Taint Tracking for Exploiting Input Sanitization Error in Java Applications. In: Jang-Jaccard, J., Guo, F. (eds) Information Security and Privacy. ACISP 2019. Lecture Notes in Computer Science, vol 11547. Springer, Cham. https://doi.org/10.1007/978-3-030-21548-4_27
DOI: https://doi.org/10.1007/978-3-030-21548-4_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21547-7
Online ISBN: 978-3-030-21548-4