using partial taint tracking to
play

Using Partial Taint Tracking To Protect Against Injection Attacks - PowerPoint PPT Presentation

Dec 16, 2022 •281 likes •763 views

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

  1. PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA

  2. Injection Vulnerability Example <?php $name=$GET[„name‟]; $sql = “SELECT * FROM USERS WHERE user=”. $name; mysql_query($sql); ?> USENIX WebApps 2011 2

  3. Injection Vulnerability Example http://…?name= <?php $name=$GET[„name‟]; $sql = “SELECT * FROM USERS WHERE user=”. ; mysql_query($sql); ?> USENIX WebApps 2011 3

  4. Sanitisation http://…?name= Yiannis <?php $name=$GET[„name‟]; $sql = “ SELECT * FROM USERS WHERE user=”. ; mysql_query($sql); ?> USENIX WebApps 2011 4

  5. Taint Tracking <?php 1 taint data in entry points $name=$GET[„name‟]; $sql = “SELECT * FROM USERS propagate taint 2 WHERE user=”. $name; use taint to guide sanitisation 3 mysql_query($sql); ?> USENIX WebApps 2011 5

  6. Taint Tracking in PHP No support taint 1. Suggested but ignored tracking [Venema06] 2. Custom research interpreters [Yip09, Pietraszek06] “modifications to the Zend engine should be avoided. Changes here result in incompatibilities with the rest of the world, and hardly anyone will ever adapt to specially patched Zend engines. … Therefore, this method is generally considered bad practice” The PHP Manual USENIX WebApps 2011 6

  7. PHP is popular data provided by langpop.com USENIX WebApps 2011 7

  8. PHP Aspis Contributions taint tracking! 1 Source-to-source transformations 2 Partial Taint Tracking USENIX WebApps 2011 8

  9. PHP Aspis Contributions taint tracking! 1 Source-to-source transformations 2 Partial Taint Tracking USENIX WebApps 2011 9

  10. Why source transformations? 1 Adopt officially • Custom Runtime • Source code transformations • On demand Portable USENIX WebApps 2011 10

  11. Why source transformations? 1 Adopt officially • Custom Runtime • Source code transformations • On demand Portable Challenges: 1. Not everything is an object (how can you attach taint to strings?) 2. The interpreter cannot be edited (no metaprogramming) USENIX WebApps 2011 11

  12. What is the performance overhead? 2 Partial taint tracking: Code is not equally vulnerable Third-party plugin code WordPress year WordPress Plugins 2009 2 13 2010 2 10 CVE WordPress-Platform Injection Vulnerabilities Code that handles user data CVE # Functionality 2009-2851 Display user comments 2009-3891 File upload handler 2010-4257 Trackback handling 2010-4536 Display user comments CVE WordPress-Core Injection Vulnerabilities USENIX WebApps 2011 12

  13. 1. Introduction 2. DESIGN 3. Implementation 4. Evaluation USENIX WebApps 2011 13

  14. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code PHP Statements Library Calls Sanitisation Operations Non Tracking Code USENIX WebApps 2011 14

  15. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code Input PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Taint Non Tracking Code USENIX WebApps 2011 15

  16. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint Non Tracking Code USENIX WebApps 2011 16

  17. PHP Aspis Overview WordPress WordPress plugin HTML Output Input SQL Query HTTP Request “ Yiannis ” Eval Statement Taint WordPress Core USENIX WebApps 2011 17

  18. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint 2 Vulnerability prevention 1 Taint meta-data Non Tracking Code USENIX WebApps 2011 18

  19. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint 2 Vulnerability prevention 1 Taint meta-data Non Tracking Code USENIX WebApps 2011 19

  20. Taint Meta-data 1 untainted “ SELECT * “SELECT * tainted tainted FROM USERS FROM USERS WHERE user=yiannis ”; WHERE user=yiannis ”; Variable Level Character Level o o Leads to false positives Precise information USENIX WebApps 2011 20

  21. Taint Meta-data 1 untainted “ SELECT * “SELECT * tainted tainted FROM USERS FROM USERS WHERE user=yiannis ”; WHERE user=yiannis ”; Variable Level Character Level o o Leads to false positives Precise information Partial sanitisation (e.g. ) untainted untainted “SELECT * (for SQL Injection) FROM USERS WHERE user=yiannis ”; More than 1 bit of taint meta-data is required USENIX WebApps 2011 21

  22. Taint Categories 1 Taint Category Example SQL Injection XSS Eval Injection untainted untainted untainted tainted tainted “SELECT * FROM USERS WHERE user=yiannis ”; USENIX WebApps 2011 22

  23. Taint Categories 1 Taint Category Example SQL Injection XSS Eval Injection untainted untainted untainted tainted tainted “SELECT * FROM USERS WHERE user=yiannis ”; Generic way to define: Sanitisation htmlentities() How an application is Functions htmlspecialchars() supposed to sanitise What to do if it doesn’t echo()→ AspisAntiXSS() Guarded print()→ AspisAntiXSS() Sinks … XSS taint category excerpt USENIX WebApps 2011 23

  24. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint 2 Vulnerability prevention 1 Taint meta-data Non Tracking Code USENIX WebApps 2011 24

  25. PHP Aspis Overview PHP Aspis Transformed Application Tracking Code HTML Output Input SQL Query PHP Statements HTTP Request Library Calls “ Yiannis ” Sanitisation Operations Eval Statement Taint 2 Vulnerability prevention 1 Taint meta-data Non Tracking Code USENIX WebApps 2011 25

  26. Which vulnerabilities can be prevented? 2 Possible Data Flows to Tracking Non Tracking from Tracking Non Tracking USENIX WebApps 2011 26

  27. Tracking code only 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 27

  28. Non Tracking code only 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 28

  29. Non Tracking to Tracking 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 29

  30. Tracking/Non Tracking mixes 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 30

  31. Tracking to Non Tracking 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 31

  32. Tracking to Non Tracking 2 PHP Aspis Transformed Application Tracking Code Input HTTP Request “ Yiannis ” Taint to Non Tracking Code Non Tracking Tracking from Tracking Non Tracking USENIX WebApps 2011 32

  33. Summary: Prevented Vulnerabilities 2 Vulnerabilities Prevented Vulnerabilities Not Prevented Tracking-code only Non Tracking-code only Tracking to non tracking Non Tracking to Tracking Tracking/Non Tracking mixes to to Non Non Tracking Tracking Tracking Tracking From from Tracking Tracking Non Non Tracking Tracking USENIX WebApps 2011 33

  34. 1. Introduction 2. Design 3. IMPLE LEMEN MENTAT ATION ON 4. Evaluation USENIX WebApps 2011 34

  35. Storing Taint Meta-Data Store taint in place Interoperation with non-tracking code Use arrays 2-10x faster than object initialisation Scalar assignment semantics Original value Aspis-protected value array ( “Hello” “Hello” , TaintCats ) array ( 12 12 , TaintCats ) USENIX WebApps 2011 35

  36. Taint Tracking Transformations Statements & Expressions must 1. operate with Aspis-protected values 2. propagate taint correctly 3. return Aspis-protected values Original expression Transformed Expression $s.$t concat($s,$t) if ($v) {} if ($v[0]) {} $j = postincr($i) $j = $i++ USENIX WebApps 2011 36

  37. PHP Function Library Library functions do not work with Aspis-protected values use interceptors! Default Interceptor Custom Interceptors strip input taint guess the taint of the output substr() add empty output taint good as the default reimplement the function fclose(), fopen() sort() More custom interceptors, less false negatives o Default: drop taint, not abort the call o Support existing applications without developer intervention USENIX WebApps 2011 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data

Speculative Taint Tracking (STT TT): A Comprehensive Protection for Speculatively Accessed Data JIYONG YU, , MENGJIA YAN, ARTEM KHYZHA*, ADAM MORRISON*, JOSEP TORRELLAS, CHRISTOPHER W. FLETCHER UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN

1.22k views • 85 slides
A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages

A posteriori taint-tracking for demonstrating non-interference in expressive low-level languages Peter Aldous and Matthew Might University of Utah This title is a little much, so Faster automated proofs that information doesnt leak in

1.66k views • 115 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk Black Hat USA 2017, Las Vegas Agenda User kernel communication pitfalls in modern operating systems Introduction

1.21k views • 120 slides
Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that

Speculative Taint Tracking Lindsey McAllister 6.888 Fall 2020 Whats the Point? A system that efficiently protects against transient side-channel attacks by executing and selectively forwarding an instruction if it cannot forward a covert

411 views • 21 slides
Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall

CS 261: Systems Security Taint Tracking Oct 29, 2018 Prof. Raluca Ada Popa Slides adapted from Univ of Michigan 583 Fall 12 Announcements Exam next Wednesday Open book All lectures except for this one Presenter: Pasin No writer, but

533 views • 19 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk REcon 2017, Montreal Alternative title (cheers Alex Ionescu!) Memory Disclosure Alternative title KERNELBLEED Agenda

1.7k views • 140 slides
The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the

The Taint Leakage Model Ron Rivest Crypto in the Clouds Workshop, MIT Rump Session Talk August 4, 2009 Taint Common term in soDware

238 views • 9 slides
Image Processing using Partial Differential Equations (PDE) Restoration, segmentation, tracking,

Image Processing using Partial Differential Equations (PDE) Restoration, segmentation, tracking,

Image Processing using Partial Differential Equations (PDE) Restoration, segmentation, tracking, optical flow estimation, registration Pierre Kornprobst NeuroMathComp project team INRIA Sophia Antipolis - M editerran ee Vision Student

781 views • 66 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West

Dynamic Taint Propagation Finding Vulnerabilities Without Attacking Brian Chess / Jacob West Fortify Software 2.21.08 Overview Motivation Dynamic taint propagation Sources of inaccuracy Integrating with QA Related work

740 views • 70 slides
Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England

Boar taint challenges and opportunities Prof. Olena Doran University of the West of England Olena.doran@uwe.ac.uk BPEX Workshop, Peterborough, 20 March 2013 Boar Taint An offensive odour in the meat of 5-10% of uncastrated male pigs Is

707 views • 22 slides
All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but

All You Ever Wanted to Know About Dynamic Taint Analysis &amp; Forward Symbolic Execution (but might have been afraid to ask) (Yes, we were trying to overflow the title length field on the submission server) Edward J. Schwartz, Thanassis

738 views • 25 slides
Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting

Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting

Overview Partial Constituent Fronting in German The phenomenon: Partial constituent fronting in German Partial VPs Partial APs Kordula De Kuthy Detmar Meurers Partial NPs Interaction: Partial constituents embedded in VPs

224 views • 7 slides
JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the

JUST THE MATHS SLIDES NUMBER 14.1 PARTIAL DIFFERENTIATION 1 (Partial derivatives of the first order) by A.J.Hobson 14.1.1 Functions of several variables 14.1.2 The definition of a partial derivative UNIT 14.1 PARTIAL DIFFERENTIATION

295 views • 8 slides
Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection

Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection

Specu Sp culative T Taint T Track cking ( (ST STT): A Comp Comprehensive Prot otection on for or Transiently Accessed Secrets Ac Jiyong Yu, Mengjia Yan, Artem Khyzha,* Adam Morrison,* Josep Torrellas, Christopher W. Fletcher

298 views • 28 slides
Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University

CS 152: Programming Language Paradigms Dynamic Code Evaluation &amp; Taint Analysis Prof. Tom Austin San Jos State University Parsing JSON (in-class) Review: additional Ruby eval methods instance_eval evaluates code within the body of an

689 views • 43 slides
Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target

Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target

Cyber Moving Targets Yashar Dehkan Asl Introduction An overview of different cyber moving target techniques, their threat models, and their technical details. Cyber moving target technique: Defend a system Increase the complexity of cyber

442 views • 40 slides
Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D.

Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D.

Survey of Cyber Moving Targets Second Edition Authors: B.C. Ward S.R. Gomez R.W. Skowyra D. Bigelow J.N. Martin J.W. Landry H. Okhravi Presenter: Jinghui Liao Outline Cyber Kill Chain Attack technique Moving-targets technique

562 views • 37 slides
Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek

Using Fault Injection to Turn Data Transfers into Arbitrary Execution Cristofaro Mune Niek Timmers c.mune@pulse-sec.com niek@twentytwosecurity.com @pulsoid @tieknimmers Todays agenda Introduction Fault Injection basics Fault

1.05k views • 56 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge

Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge

Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge Cuellar 2 , Javier Lopez 1 1 NICS Lab University of Mlaga 2 Siemens AG, Munich E SORI CS 2012 10-14 Se pt. Pisa (I ta ly)

432 views • 25 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

MD1388: A tiv e Halo Con trol using narro w band exitation at injetion Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen , h 2 agner 2 Xu 2 Daniel V alu , Jos hk a W , C.

190 views • 7 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides

More recommend