Towards fully automatic placement of security sanitizers and declassifiers

A great deal of research on sanitizer placement, sanitizer correctness, checking path validity, and policy inference has been done in the last five to ten years, involving type systems, static analysis, and runtime monitoring and enforcement. However, in almost all work thus far, the burden of sanitizer placement has fallen on the developer. Sanitizer placement in large-scale applications is difficult, and developers are likely to make errors, thus creating security vulnerabilities. This paper advocates a radically different approach: we aim to fully automate the placement of sanitizers by analyzing the flow of tainted data in the program. We argue that developers are better off leaving out sanitizers entirely instead of trying to place them. This paper proposes a fully automatic technique for sanitizer placement. Placement is static whenever possible, switching to run time when necessary. Run-time taint tracking techniques can be used to track the source of a value, and thus apply the appropriate sanitization. However, because of the overhead of run-time taint tracking, our technique avoids it wherever possible.

B. Livshits et al. Towards fully automatic placement of security sanitizers and declassifiers. POPL, 2013.
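The following is an added illustration of the static-first, run-time-when-necessary placement idea described in the abstract; it is not the paper's algorithm or code. It assumes a hypothetical program represented as a small dataflow graph (node names `req_name`, `esc_name`, `display`, `page`, and so on are constructed for the example), with sinks that each require one sanitization context. A sink gets a static sanitizer when every tainted path into it is unsanitized; when some paths already pass through the right sanitizer and others do not, a static sanitizer would either miss a path or double-sanitize one, so the sink falls back to a run-time taint tag. The value-level tag used here is a simplification of the character-level tracking real systems use.

```python
"""Sanitizer placement over a toy dataflow graph: static where every tainted
path into a sink needs the same treatment, run-time taint tags where it does
not. Added illustration, not the paper's code; graph, node names and sample
inputs are constructed for this example."""

# Node kinds: ("source",), ("sanitize", ctx), ("sink", ctx) or ("plain",).
NODES = {
    "req_name":  ("source",),           # untrusted request parameter
    "req_query": ("source",),           # untrusted request parameter
    "esc_name":  ("sanitize", "html"),  # developer-written HTML escaping
    "display":   ("plain",),            # merge point: esc_name OR req_query
    "page":      ("sink", "html"),      # HTML output
    "lookup":    ("sink", "sql"),       # SQL query construction
    "title":     ("plain",),
    "render":    ("sink", "html"),
}
# Dataflow edges of the constructed program (acyclic).
EDGES = {
    "req_name":  ["esc_name", "lookup"],
    "req_query": ["display"],
    "esc_name":  ["display", "title"],
    "display":   ["page"],
    "title":     ["render"],
}


def paths_to(sink):
    """All source-to-sink paths in the dataflow graph (DFS)."""
    found = []

    def walk(node, path):
        if node == sink:
            found.append(path)
            return
        for nxt in EDGES.get(node, []):
            walk(nxt, path + [nxt])

    for src in (n for n, kind in NODES.items() if kind[0] == "source"):
        walk(src, [src])
    return found


def decide(sink):
    """Static placement decision for one sink:
    "none"    - nothing tainted reaches it, or every path is already sanitized
    "static"  - every tainted path is raw: insert an unconditional sanitizer
    "runtime" - mixed raw/sanitized paths: a static sanitizer would miss one
                or double-sanitize the other, so track taint at run time
    """
    ctx = NODES[sink][1]
    states = set()
    for path in paths_to(sink):
        clean = any(NODES[n] == ("sanitize", ctx) for n in path)
        states.add("clean" if clean else "raw")
    if states == {"raw"}:
        return "static"
    if states <= {"clean"}:
        return "none"
    return "runtime"


def placement():
    """Placement decision for every sink in the graph."""
    return {n: decide(n) for n, kind in NODES.items() if kind[0] == "sink"}


# ---- run-time side: a taint tag carried on values ------------------------

class Tainted(str):
    """A string that remembers which contexts it has been sanitized for."""

    def __new__(cls, text, sanitized=()):
        obj = super().__new__(cls, text)
        obj.sanitized = frozenset(sanitized)
        return obj


SANITIZERS = {
    "html": lambda s: (s.replace("&", "&amp;").replace("<", "&lt;")
                       .replace(">", "&gt;").replace('"', "&quot;")),
    "sql":  lambda s: s.replace("'", "''"),
}


def sanitize(value, ctx):
    """Unconditional sanitizer: what a static placement inserts."""
    done = getattr(value, "sanitized", frozenset()) | {ctx}
    return Tainted(SANITIZERS[ctx](value), done)


def emit(value, ctx):
    """Run-time placement: sanitize only if the tag says it is still needed."""
    if isinstance(value, Tainted) and ctx in value.sanitized:
        return str(value)
    return str(sanitize(value, ctx))


def run_page(use_name, runtime=True):
    """Execute the 'page' sink on constructed input. The branch is the merge
    point 'display'; with runtime=False a static sanitizer at the sink
    double-escapes the name that 'esc_name' already escaped."""
    raw_name = Tainted("<b>Bob & Co</b>")
    raw_query = Tainted('x"><script>')
    display = sanitize(raw_name, "html") if use_name else raw_query
    return emit(display, "html") if runtime else str(sanitize(display, "html"))
```

`placement()` reports `lookup` as a static placement (the raw `req_name` is the only value reaching it), `render` as needing nothing (its only input is already escaped), and `page` as a run-time case; `run_page(True, runtime=False)` shows why, producing `&amp;lt;b&amp;gt;...` where the tagged run-time path leaves the escaped name alone.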