Dynamic Taint Propagation


  • 8/14/2019 Dynamic Taint Propagation

    1/49

    Dynamic Taint Propagation

    Rick McPhee, Director, Engineering, Fortify

    March 31 to April 2, 2009

  • 2/49

    Overview

    Motivation

    Dynamic taint propagation

    Integrating with QA

  • 3/49

    Motivation

  • 4/49

    Security vs. Software Development

    [Figure: Software Development | Security]

  • 5/49

    Security vs. Software Development

    [Figure: Software Development | Security, with Programmers and Testers]

  • 6/49

    Team Sizes at Microsoft

  • 7/49

    QA Testers vs. Security Testers

    QA Testers                                Security Testers
    Know the program.                         Know security.
    Need high functional coverage.            Need to find at least one vulnerability.
    Lots of time and resources                Often arrive at the party late and are
    (comparatively).                          asked to leave early.

  • 8/49

    Typical Security Testing

    [Figure: Program Under Test, with marked spots]

    Test case to prove it.

  • 9/49

    Fault Injection Testing Failings

    Bad input derails normal program flow

    Cannot mutate functional tests and retain coverage

    [Figure: Add to cart -> Enter Address -> Enter CC, with an Input at each step]

  • 10/49

    Fault Injection Testing Failings

    Result: bad test coverage

    Result: missed vulnerabilities

    [Figure: Add to cart -> Enter Address -> Enter CC, with an Input at each step]

  • 11/49

    Problem Summary

    QA team has, security team lacks:
      Good test coverage
      Time and resources

    Security team has, QA team lacks:
      Security expertise

  • 12/49

    Involve QA in Security

    Ease of use
      Favor false negatives over false positives
      Expect the security team to test too

    Leverage existing QA tests
      Achieve high coverage
      Must be transformed into security tests

  • 13/49

    Dynamic Taint Propagation

  • 14/49

    Dynamic Taint Propagation

    Follow untrusted data and identify points where they are misused

  • 15/49

    Example: SQL Injection

    ...
    user = request.getParameter("user");
    try {
        // untrusted input concatenated straight into the query text
        sql = "SELECT * FROM users " +
              "WHERE id='" + user + "'";
        stmt.executeQuery(sql);
    } catch (SQLException e) {
        // error handling elided on the slide
    }
    ...

  • 16/49

    Tracking Taint

    Associate a taint marker with untrusted input as it enters the program

    Propagate markers when string values are copied or concatenated

    Report vulnerabilities when tainted strings are passed to sensitive sinks

  • 17/49

    Java: Foundations

    Add taint storage to java.lang.String

    Before: [ Length | Body ]
    After:  [ Length | Taint | Body ]

  • 18/49

    Java: Foundations

    StringBuilder and StringBuffer propagate taint markers appropriately

    Tainted   + Tainted   = Tainted
    Untainted + Tainted   = Tainted
    Untainted + Untainted = Untainted

  • 19/49

    Java: Sources

    Instrument methods that introduce input to initialize taint markers:
      HttpServletRequest.getParameter()
      PreparedStatement.executeQuery()
      FileReader.read()
      System.getenv()

  • 20/49

    Java: Sinks

    Instrument sensitive methods to check for taint markers before executing:
      Statement.executeQuery()
      JspWriter.print()
      new File()
      Runtime.exec()

  • 21/49

    Example: SQL Injection

    ...
    user = request.getParameter("user");
    try {
        // untrusted input concatenated straight into the query text
        sql = "SELECT * FROM users " +
              "WHERE id='" + user + "'";
        stmt.executeQuery(sql);
    } catch (SQLException e) {
        // error handling elided on the slide
    }
    ...

  • 22/49

    Example: SQL Injection

    ...
    user = request.getParameter("user");
    TaintUtil.setTaint(user, 1);                   // inserted at the source: mark the input
    try {
        sql = "SELECT * FROM users " +
              "WHERE id='" + user + "'";
        TaintUtil.setTaint(sql, user.getTaint());  // inserted: propagate the marker to the result
        TaintUtil.checkTaint(sql);                 // inserted at the sink: report if tainted
        stmt.executeQuery(sql);
    } catch (SQLException e) {
        // error handling elided on the slide
    }
    ...
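    The source, propagation and sink steps of slides 16 to 22 as one runnable model. This is an added example, not Fortify's code: the real tool rewrites java.lang.String to carry the marker, whereas here a wrapper class `TString`, a `getParameter` stand-in for the instrumented source and an `executeQuery` stand-in for the instrumented sink are assumptions that let the mechanics run stand-alone (Java 16 or later, for the record type).

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not Fortify's code: a stand-alone model of the mechanism on the
// slides. The real tool rewrites java.lang.String to carry the marker; here a
// wrapper class plays that role so the source, propagation and sink steps can run.
public final class TaintModel {

    // The instrumented String: body plus a taint marker (0 = untainted).
    static final class TString {
        final String body;
        final int taint;

        TString(String body, int taint) { this.body = body; this.taint = taint; }

        // String literals compiled into the program are never tainted.
        static TString literal(String s) { return new TString(s, 0); }

        // Concatenation follows the slide's table: the result is tainted if
        // either operand is, untainted only when both are.
        TString concat(TString other) {
            return new TString(body + other.body, taint | other.taint);
        }

        int getTaint() { return taint; }
    }

    // What a finding carries, matching the fields on the report slide.
    record Finding(String category, String sink, String query, StackTraceElement caller) {}

    static final List<Finding> findings = new ArrayList<>();

    // Source: stand-in for the instrumented HttpServletRequest.getParameter().
    // The marker is initialised as the value enters the program.
    static TString getParameter(String name, String rawValue) {
        return new TString(rawValue, 1);
    }

    // Sink: stand-in for the instrumented Statement.executeQuery(). The marker is
    // checked before the query would execute; a finding is recorded rather than
    // the test being aborted, so the functional test keeps its coverage.
    static boolean executeQuery(TString sql) {
        if (sql.getTaint() != 0) {
            StackTraceElement[] trace = Thread.currentThread().getStackTrace();
            // trace[0] is getStackTrace, trace[1] is this method, trace[2] the caller
            findings.add(new Finding("SQL Injection", "Statement.executeQuery",
                    sql.body, trace[2]));
            return false;
        }
        return true;
    }

    // The slide's example on the modelled types. The request value is constructed
    // here; in practice it is whatever QA's functional test submits.
    static int run() {
        findings.clear();
        TString user = getParameter("user", "adam");
        TString sql = TString.literal("SELECT * FROM users ")
                .concat(TString.literal("WHERE id='"))
                .concat(user)
                .concat(TString.literal("'"));
        executeQuery(sql);          // untrusted data reaches the sink: reported

        // A query text built only from literals carries no marker and is not
        // reported; the untrusted value would be bound as a parameter instead.
        executeQuery(TString.literal("SELECT * FROM users WHERE id = ?"));
        return findings.size();
    }

    public static void main(String[] args) {
        int n = run();
        for (Finding f : findings) {
            System.out.println(f.category() + " at " + f.sink() + ": " + f.query());
            System.out.println("  called from " + f.caller());
        }
        System.out.println(n + " finding(s)");
    }
}
```

    Note that nothing in `run()` is a security test: the same functional input ("adam") that QA would use is enough, because the check is made on the marker, not on the content of the data. That is the point of slide 12: the existing functional tests become security tests without mutation.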

  • 23/49

    Results Overview

  • 24/49

    Security Coverage

  • 25/49

    SQL Injection Issue

  • 26/49

    Source Information

  • 27/49

    Sink Information

  • 28/49

    Where Is The Problem?

    Severity   Category        URL
    Critical   SQL Injection   /splc/listMyItems.do

    Class                        Line
    com.order.splc.ItemService   196

    Query
    select * from item where item name = adam and ...

    Stack Trace
    java.lang.Throwable
        at StackTrace$FirstNested$SecondNested. (StackTrace.java:267)
        at StackTrace$FirstNested. (StackTrace.java:256)
        at StackTrace. (StackTrace.java:246)
        at StackTrace.main(StackTrace.java:70)

  • 29/49

    Instrumentation Techniques

    Instrument JRE classes once

    Two techniques to instrument the program
      Compile-time: rewrite program class files on disk
      Run-time: augment the J2EE class loader to rewrite the program

  • 30/49

    Aspect-Oriented Programming

    Express cross-cutting concerns independently of program logic (aspects)

    Open source frameworks
      AspectJ (Java)
      AspectDNG (.NET)

    Build on top of bytecode libraries (e.g., BCEL, ASM)

  • 31/49

    Instrument Inside or Outside?

    Inside function body
      Lower instrumentation cost

    Outside function call
      Lower runtime cost / better reporting
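    What the "outside the function call" option of slides 29 to 31 looks like when done with AspectJ. This is an added example and not Fortify's instrumentation: the aspect name `TaintHooks`, the equality-keyed side table and the substring check are assumptions made so that the two hooks have something to do; the pointcut syntax and the `org.aspectj.lang` types are AspectJ's own.

```java
import java.util.Collections;
import java.util.Set;
import java.util.WeakHashMap;

import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

// Added example, not Fortify's instrumentation: an @AspectJ aspect that hooks a
// source and a sink from *outside* the callee, using call() pointcuts. Weaving it
// into the program's own classes (compile-time with ajc, or at load time with the
// AspectJ agent) is enough; the servlet and JDBC classes are not rewritten.
@Aspect
public class TaintHooks {

    // Side table of values returned by getParameter(). This is an assumption of
    // the example; it is keyed by string equality, so it does not survive
    // concatenation the way a marker stored inside String does.
    private static final Set<String> UNTRUSTED =
            Collections.synchronizedSet(Collections.newSetFromMap(new WeakHashMap<String, Boolean>()));

    // Source hook: every call site of ServletRequest.getParameter(String), which
    // also matches HttpServletRequest. @Around sees the returned value.
    @Around("call(String javax.servlet.ServletRequest+.getParameter(String))")
    public Object recordSource(ProceedingJoinPoint pjp) throws Throwable {
        Object value = pjp.proceed();
        if (value != null) {
            UNTRUSTED.add((String) value);
        }
        return value;
    }

    // Sink hook: every call site of Statement.executeQuery(String); args(sql)
    // binds the query text so it can be checked before the statement runs.
    @Before("call(* java.sql.Statement+.executeQuery(String)) && args(sql)")
    public void checkSink(JoinPoint jp, String sql) {
        boolean hit;
        synchronized (UNTRUSTED) {
            // Substring match is a stand-in for a real marker: it catches the
            // concatenated query on the slide but would miss transformed data
            // and can misfire on very short values.
            hit = UNTRUSTED.stream().anyMatch(v -> v.length() >= 3 && sql.contains(v));
        }
        if (hit) {
            System.err.println("SQL Injection: untrusted request data reaches "
                    + jp.getSignature() + " at " + jp.getSourceLocation());
            // Report and continue; aborting would cost the functional test its coverage.
        }
    }
}
```

    Because `call()` join points sit in the caller, `jp.getSourceLocation()` reports the program's own file and line, which is the "better reporting" the slide attributes to the outside option. An `execution()` pointcut would place the same check inside the method body; for library and JRE classes that means those classes themselves have to be woven, which is the "instrument JRE classes once" step.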

  • 32/49

    Types of Taint

    Track distinct sources of untrusted input
      Report XSS on data from the web or database, but not from the file system

    Distinguish between different sources when reporting vulnerabilities
      Prioritize remotely exploitable vulnerabilities

  • 33/49

    Java: Foundations II

    Add taint storage and source information to java.lang.String

    Before: [ Length | Body ]
    After:  [ Length | Taint | Source | Body ]

  • 34/49

    Sources of Inaccuracy

  • 35/49

    Types of Inaccuracy

    False positives: erroneous bug reports
      Makes tools painful for the user

    False negatives: unreported real bugs
      Damages the value of the tool

  • 36/49

    False Positives: Unrecognized Validation


  • 37/49

    False Positives: Impossible Code Path

    Paths that regular data can take that malicious data cannot

    Need to provide cleanse rules in dynamic taint analysis
      Remove taint when a string is input to a regular expression, compared to a static string, etc.
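    The source field of slides 32 and 33 and the cleanse rules of this slide, worked through in one added example. It is not Fortify's code: the source bit values, the two sink policies and the priority labels are assumptions chosen to show how a per-source marker lets the sink report XSS for web and database data but not file data, and how a regular-expression match or a comparison with a constant clears the marker on the path that was actually executed (Java 16 or later, for the record type).

```java
import java.util.regex.Pattern;

// Added example, not Fortify's code: taint markers that also record which source
// the data came from (the Source field the Foundations II slide adds to String),
// a sink policy that reads that field, and the two cleanse rules the
// false-positive slide names. The bit values and policy are assumptions.
public final class TaintSources {

    // Source bits; a value derived from several sources carries the union.
    static final int WEB = 1, DATABASE = 2, FILE = 4, ENV = 8;

    // A string value with its source set (0 = untainted).
    record Tainted(String value, int sources) {
        Tainted concat(Tainted other) {
            return new Tainted(value + other.value(), sources | other.sources());
        }
        boolean from(int mask) { return (sources & mask) != 0; }
    }

    static Tainted fromWeb(String v)  { return new Tainted(v, WEB); }
    static Tainted fromDb(String v)   { return new Tainted(v, DATABASE); }
    static Tainted fromFile(String v) { return new Tainted(v, FILE); }
    static Tainted literal(String v)  { return new Tainted(v, 0); }

    // Sink policies: XSS is reported for web or database data but not for file
    // data, as on the Types of Taint slide; SQL injection for any untrusted source.
    static final int XSS_SOURCES  = WEB | DATABASE;
    static final int SQLI_SOURCES = WEB | DATABASE | FILE | ENV;

    // Returns the priority for a finding, or null when the policy does not report
    // it. Web-sourced data is remotely exploitable and ranks highest.
    static String priority(Tainted t, int reportedSources) {
        if (!t.from(reportedSources)) return null;
        return t.from(WEB) ? "critical" : "high";
    }

    static String reportXss(Tainted html) { return priority(html, XSS_SOURCES); }
    static String reportSqli(Tainted sql) { return priority(sql, SQLI_SOURCES); }

    // Cleanse rule 1: a value that matched an allow-list regular expression on the
    // executed path cannot be the malicious variant, so the marker is removed.
    static Tainted cleanseByRegex(Tainted t, Pattern allow) {
        return allow.matcher(t.value()).matches() ? literal(t.value()) : t;
    }

    // Cleanse rule 2: after an equality test against a static string succeeds,
    // the value is known to be that constant and the marker is dropped.
    static Tainted cleanseByEquals(Tainted t, String constant) {
        return t.value().equals(constant) ? literal(constant) : t;
    }

    public static void main(String[] args) {
        Pattern digits = Pattern.compile("[0-9]{1,9}");

        // Web data written into a page: reported, and remotely exploitable.
        Tainted page = literal("<p>").concat(fromWeb("<b>hi</b>")).concat(literal("</p>"));
        System.out.println("XSS, web source:  " + reportXss(page));

        // The same sink fed from a file: the policy does not report it.
        Tainted fromLog = literal("<p>").concat(fromFile("<b>hi</b>")).concat(literal("</p>"));
        System.out.println("XSS, file source: " + reportXss(fromLog));

        // Validation by regular expression clears the marker on the path that
        // matched; a value that fails the pattern keeps it.
        Tainted id = cleanseByRegex(fromWeb("42"), digits);
        System.out.println("SQLi, id matched the pattern: "
                + reportSqli(literal("SELECT * FROM item WHERE id=").concat(id)));
        Tainted odd = cleanseByRegex(fromWeb("42x"), digits);
        System.out.println("SQLi, id did not match:       "
                + reportSqli(literal("SELECT * FROM item WHERE id=").concat(odd)));

        // Comparison against a static string likewise clears the marker.
        Tainted dir = cleanseByEquals(fromWeb("asc"), "asc");
        System.out.println("SQLi, direction compared to constant: "
                + reportSqli(literal("SELECT * FROM item ORDER BY name ").concat(dir)));
    }
}
```

    The cleanse rules only fire on the branch that actually validated the value, which is what makes them sound for the executed path and also why the false-negative slide lists "poor cleanse rules": a regular expression that is too permissive clears the marker for data that should have kept it.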

  • 38/49

    Countering False Positives: Bug Verification

    Training wheels for security testers
      Show which inputs to focus attacks on
      Suggest attack data
      Monitor sinks to determine whether attacks succeed

  • 39/49

    False Negatives

    Taint can go where it can't be followed
      String decomposition
      Native code
      Written to a file or a database and read back
      Poor cleanse rules

    Poor test coverage
      Only looks at paths that are executed
      Bad QA testing == Bad security testing

  • 40/49

    Integrating with QA Processes

  • 41/49

    In Practice

    Deployment may require more or less involvement of the central security team

    [Figure: Central Security <-> Quality Assurance]

  • 42/49

    Deployment Activities

    [Figure: activities placed between Central Security and Quality Assurance]

    Instrumentation
    Functional testing
    Triage and Verification
    Reporting bugs

  • 43/49

    Instrumentation

    Performed by either Security or QA / Build

    Key considerations
      Cover program behavior
      Cover security threats

  • 44/49

    Functional Testing

    Performed by QA

    Key considerations
      Maximize code coverage (existing goal)
      Security knowledge is not required

  • 45/49

    Triage and Verification

    Performed by either Security or QA

    Key considerations
      Understand issues in program context
      Security knowledge
        Create exploits
        Assign different bugs to different staff
        Targeted training

  • 46/49

    Reporting Bugs

    Performed by either Security or QA

    Key considerations
      Follow usual bug reporting conventions
      Solid remediation advice

  • 47/49

    Summary

  • 48/49

  • 49/49

    Thank you!

    For more information:

    Rick McPhee, Sr. Director, Engineering
    Fortify
    650 358 5637
    [email protected]
    www.fortify.com
