using partial taint tracking to
play

Using Partial Taint Tracking To Protect Against Injection Attacks - PowerPoint PPT Presentation

Dec 16, 2022 •281 likes •763 views

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

  1. PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA

  2. Injection Vulnerability Example <?php $name=$GET[„name‟]; $sql = “SELECT * FROM USERS WHERE user=”. $name; mysql_query($sql); ?> USENIX WebApps 2011 2

  3. Injection Vulnerability Example http://…?name= <?php $name=$GET[„name‟]; $sql = “SELECT * FROM USERS WHERE user=”. ; mysql_query($sql); ?> USENIX WebApps 2011 3

  4. Sanitisation http://…?name= Yiannis <?php $name=$GET[„name‟]; $sql = “ SELECT * FROM USERS WHERE user=”. ; mysql_query($sql); ?> USENIX WebApps 2011 4

  5. Taint Tracking <?php 1 taint data in entry points $name=$GET[„name‟]; $sql = “SELECT * FROM USERS propagate taint 2 WHERE user=”. $name; use taint to guide sanitisation 3 mysql_query($sql); ?> USENIX WebApps 2011 5

  6. Taint Tracking in PHP No support taint 1. Suggested but ignored tracking [Venema06] 2. Custom research interpreters [Yip09, Pietraszek06] “modifications to the Zend engine should be avoided. Changes here result in incompatibilities with the rest of the world, and hardly anyone will ever adapt to specially patched Zend engines. … Therefore, this method is generally considered bad practice” The PHP Manual USENIX WebApps 2011 6

  7. PHP is popular data provided by langpop.com USENIX WebApps 2011 7

  8. PHP Aspis Contributions taint tracking! 1 Source-to-source transformations 2 Partial Taint Tracking USENIX WebApps 2011 8

  9. PHP Aspis Contributions taint tracking! 1 Source-to-source transformations 2 Partial Taint Tracking USENIX WebApps 2011 9

  10. Why source transformations? 1 Adopt officially • Custom Runtime • Source code transformations • On demand Portable USENIX WebApps 2011 10

  11. Why source transformations? 1 Adopt officially • Custom Runtime • Source code transformations • On demand Portable Challenges: 1. Not everything is an object (how can you attach taint to strings?) 2. The interpreter cannot be edited (no metaprogramming) USENIX WebApps 2011 11

  12. What is the performance overhead? 2 Partial taint tracking: Code is not equally vulnerable Third-party plugin code WordPress year WordPress Plugins 2009 2 13 2010 2 10 CVE WordPress-Platform Injection Vulnerabilities Code that handles user data CVE # Functionality 2009-2851 Display user comments 2009-3891 File upload handler 2010-4257 Trackback handling 2010-4536 Display user comments CVE WordPress-Core Injection Vulnerabilities USENIX WebApps 2011 12

  13. 1. Introduction 2. DESIGN 3. Implementation 4. Evaluation USENIX WebApps 2011 13

  14. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code PHP Statements Library Calls Sanitisation Operations Non Tracking Code USENIX WebApps 2011 14

  15. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code Input PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Taint Non Tracking Code USENIX WebApps 2011 15

  16. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint Non Tracking Code USENIX WebApps 2011 16

  17. PHP Aspis Overview WordPress WordPress plugin HTML Output Input SQL Query HTTP Request “ Yiannis ” Eval Statement Taint WordPress Core USENIX WebApps 2011 17

  18. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint 2 Vulnerability prevention 1 Taint meta-data Non Tracking Code USENIX WebApps 2011 18

  19. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint 2 Vulnerability prevention 1 Taint meta-data Non Tracking Code USENIX WebApps 2011 19

  20. Taint Meta-data 1 untainted “ SELECT * “SELECT * tainted tainted FROM USERS FROM USERS WHERE user=yiannis ”; WHERE user=yiannis ”; Variable Level Character Level o o Leads to false positives Precise information USENIX WebApps 2011 20

  21. Taint Meta-data 1 untainted “ SELECT * “SELECT * tainted tainted FROM USERS FROM USERS WHERE user=yiannis ”; WHERE user=yiannis ”; Variable Level Character Level o o Leads to false positives Precise information Partial sanitisation (e.g. ) untainted untainted “SELECT * (for SQL Injection) FROM USERS WHERE user=yiannis ”; More than 1 bit of taint meta-data is required USENIX WebApps 2011 21

  22. Taint Categories 1 Taint Category Example SQL Injection XSS Eval Injection untainted untainted untainted tainted tainted “SELECT * FROM USERS WHERE user=yiannis ”; USENIX WebApps 2011 22

  23. Taint Categories 1 Taint Category Example SQL Injection XSS Eval Injection untainted untainted untainted tainted tainted “SELECT * FROM USERS WHERE user=yiannis ”; Generic way to define: Sanitisation htmlentities() How an application is Functions htmlspecialchars() supposed to sanitise What to do if it doesn’t echo()→ AspisAntiXSS() Guarded print()→ AspisAntiXSS() Sinks … XSS taint category excerpt USENIX WebApps 2011 23

  24. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint 2 Vulnerability prevention 1 Taint meta-data Non Tracking Code USENIX WebApps 2011 24

  25. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint 2 Vulnerability prevention 1 Taint meta-data Non Tracking Code USENIX WebApps 2011 25

  26. Which vulnerabilities can be prevented? 2 Possible Data Flows to Tracking Non Tracking from Tracking Non Tracking USENIX WebApps 2011 26

  27. Tracking code only 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 27

  28. Non Tracking code only 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 28

  29. Non Tracking to Tracking 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 29

  30. Tracking/Non Tracking mixes 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 30

  31. Tracking to Non Tracking 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 31

  32. Tracking to Non Tracking 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 32

  33. Summary: Prevented Vulnerabilities 2 Vulnerabilities Prevented Vulnerabilities Not Prevented Tracking-code only Non Tracking-code only Tracking to non tracking Non Tracking to Tracking Tracking/Non Tracking mixes to to Non Non Tracking Tracking Tracking Tracking From from Tracking Tracking Non Non Tracking Tracking USENIX WebApps 2011 33

  34. 1. Introduction 2. Design 3. IMPLE LEMEN MENTAT ATION ON 4. Evaluation USENIX WebApps 2011 34

  35. Storing Taint Meta-Data Store taint in place Interoperation with non-tracking code Use arrays 2-10x faster than object initialisation Scalar assignment semantics Original value Aspis-protected value array ( “Hello” “Hello” , TaintCats ) array ( 12 12 , TaintCats ) USENIX WebApps 2011 35

  36. Taint Tracking Transformations Statements & Expressions must 1. operate with Aspis-protected values 2. propagate taint correctly 3. return Aspis-protected values Original expression Transformed Expression $s.$t concat($s,$t) if ($v) {} if ($v[0]) {} $j = postincr($i) $j = $i++ USENIX WebApps 2011 36

  37. PHP Function Library Library functions do not work with Aspis-protected values use interceptors! Default Interceptor Custom Interceptors strip input taint guess the taint of the output substr() add empty output taint good as the default reimplement the function fclose(), fopen() sort() More custom interceptors, less false negatives o Default: drop taint, not abort the call o Support existing applications without developer intervention USENIX WebApps 2011 37

Recommend

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data JIYONG YU, , MENGJIA YAN, ARTEM KHYZHA*, ADAM MORRISON*, JOSEP TORRELLAS, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

1.22k views • 85 slides
A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

1.66k views • 115 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk Black Hat USA 2017, Las Vegas Agenda User kernel communication pitfalls in modern operating systems Introduction

1.21k views • 120 slides
Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that efficiently protects against transient side-channel attacks by executing and selectively forwarding an instruction if it cannot forward a covert

411 views • 21 slides
Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

CS 261: Systems Security Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall 12 Announcements Exam next Wednesday Open book All lectures except for this one Presenter: Pasin No writer, but

533 views • 19 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk REcon 2017, Montreal Alternative title (cheers Alex Ionescu!) Memory Disclosure Alternative title KERNELBLEED Agenda

1.7k views • 140 slides
The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009 Taint Common term in soDware

238 views • 9 slides
Image Processing using Partial Differential Equations (PDE) Restoration, segmentation, tracking,

Image Processing using Partial Differential Equations (PDE) Restoration, segmentation, tracking,

Image Processing using Partial Differential Equations (PDE) Restoration, segmentation, tracking, optical flow estimation, registration Pierre Kornprobst NeuroMathComp project team INRIA Sophia Antipolis - M editerran ee Vision Student

781 views • 66 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West Fortify Software 2.21.08 Overview Motivation Dynamic taint propagation Sources of inaccuracy Integrating with QA Related work

740 views • 70 slides
Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England Olena.doran@uwe.ac.uk BPEX Workshop, Peterborough, 20 March 2013 Boar Taint An offensive odour in the meat of 5-10% of uncastrated male pigs Is

707 views • 22 slides
All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides
Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting

Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting

Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting in German Partial VPs Partial APs Kordula De Kuthy Detmar Meurers Partial NPs Interaction: Partial constituents embedded in VPs

224 views • 7 slides
JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the first order) by A.J.Hobson 14.1.1 Functions of several variables 14.1.2 The definition of a partial derivative UNIT 14.1 PARTIAL DIFFERENTIATION

295 views • 8 slides
Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection

Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection

Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection on for or Transiently Accessed Secrets Ac Jiyong Yu, Mengjia Yan, Artem Khyzha,* Adam Morrison,* Josep Torrellas, Christopher W. Fletcher

298 views • 28 slides
Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University Parsing JSON (in-class) Review: additional Ruby eval methods instance_eval evaluates code within the body of an

689 views • 43 slides
Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location

Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location

Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location of one target in video starting from a bounding box in the first frame. When conceived as an instant learning problem, the task is to discriminate

651 views • 39 slides
Taintless Defeating taint-powered protection techniques Abbas Naderi (aka AbiusX) Mandana

Taintless Defeating taint-powered protection techniques Abbas Naderi (aka AbiusX) Mandana

Taintless Defeating taint-powered protection techniques Abbas Naderi (aka AbiusX) Mandana Bagheri Shahin Ramezany Covered Topics y Before We Begin Taintless While you obtain the tools and get ready, well Describing the

465 views • 45 slides
Dytan: A Generic Dynamic Taint Analysis Framework James Clause, Wanchun (Paul) Li, and

Dytan: A Generic Dynamic Taint Analysis Framework James Clause, Wanchun (Paul) Li, and

Dytan: A Generic Dynamic Taint Analysis Framework James Clause, Wanchun (Paul) Li, and Alessandro Orso College of Computing Georgia Institute of Technology Partially supported by: NSF awards CCF-0541080 and CCR-0205422 to Georgia Tech, DHS

671 views • 40 slides
Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik

Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik

Minemu The world's fastest taint tracker Attack detection aimed at production environments. Erik Bosman, Asia Slowinska, and Herbert Bos Challenge! ftp://ftp.minemu.org runs Proftpd vulnerable to CVE-2010-4221 First exploiter gets a present!

669 views • 40 slides
Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia,

Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia,

Android Taint Flow Analysis for App Sets Will Klieber*, Lori Flynn, Amar Bhosale , Limin Jia, and Lujo Bauer Carnegie Mellon University *presenting Motivation Detect malicious apps that leak sensitive data. E.g., leak contacts list to

514 views • 26 slides
Tracking Articulated Objects Alexander (Sasha) Lambert CS7495 Fall 2014 Tracking From Depth

Tracking Articulated Objects Alexander (Sasha) Lambert CS7495 Fall 2014 Tracking From Depth

Tracking Articulated Objects Alexander (Sasha) Lambert CS7495 Fall 2014 Tracking From Depth Infra-red point-clouds (structured light) Affordable sensors (Primesense) Large body of work on people-tracking Complex tracking

409 views • 23 slides
Tracking Catalog: Uncovering and analyzing user tracking on the Internet Tomasz Bujlow Valentn

Tracking Catalog: Uncovering and analyzing user tracking on the Internet Tomasz Bujlow Valentn

Introduction Tracking catalog Tracking mechanisms Open questions Tracking Catalog: Uncovering and analyzing user tracking on the Internet Tomasz Bujlow Valentn Carela-Espaol Pere Barlet-Ros Computer Architecture Dept. (DAC) UPC

581 views • 10 slides
Eye Tracking and Topics EMA in Computer Eye tracking definition Science Eye tracker

Eye Tracking and Topics EMA in Computer Eye tracking definition Science Eye tracker

Eye Tracking and Topics EMA in Computer Eye tracking definition Science Eye tracker history Eye tracking theory Computer Literacy 1 Lecture 23 Different kinds of eye trackers 11/11/2008 Electromagnetic Articulography (EMA)

459 views • 6 slides

More recommend