DOI: 10.1145/3139337.3139341

Using Precise Taint Tracking for Auto-sanitization

Published: 30 October 2017

Abstract

Taint analysis has been used in numerous scripting languages, such as Perl and Ruby, to defend against various forms of code injection attack, such as cross-site scripting (XSS) and SQL injection. However, most taint analysis systems simply fail when tainted information is used in a possibly unsafe manner. In this paper, we explore how precise taint tracking can be used to secure web content. Rather than simply crashing, we propose that a library-writer-defined sanitization function can instead be applied to the tainted portions of a string. With this approach, library writers or framework developers can design their tools to be resilient even if inexperienced developers misuse these libraries in unsafe ways. In other words, developer mistakes do not have to result in system crashes to guarantee security. We implement both coarse-grained and precise taint tracking in JavaScript, and show how our precise taint tracking API can be used to defend against SQL injection and XSS attacks. We further evaluate the performance of this approach, showing that precise taint tracking involves an overhead of approximately 22%.
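The difference between "simply fail" and auto-sanitization described in the abstract is easiest to see on a string that mixes the developer's own markup with untrusted input. The following is an added example written for this page, not the paper's implementation or API: it models a string as a list of segments that each carry a taint bit, so that concatenation keeps track of exactly which characters came from an untrusted source, and a sink can apply a library-author-supplied sanitizer to those characters only. The class and function names (TaintedString, tt, coarseHtmlSink, preciseHtmlSink, preciseSqlSink) and the sample inputs are all hypothetical.

```javascript
// Added example, not the paper's own code: a minimal model of coarse-grained
// versus precise taint tracking in JavaScript with auto-sanitization at sinks.
// All names here (TaintedString, tt, coarseHtmlSink, preciseHtmlSink,
// preciseSqlSink) are hypothetical; the paper's real API may differ.

class TaintedString {
  // segments: ordered list of { text, tainted } pieces
  constructor(segments) {
    this.segments = segments;
  }
  static trusted(text) {
    return new TaintedString([{ text: String(text), tainted: false }]);
  }
  static untrusted(text) {
    return new TaintedString([{ text: String(text), tainted: true }]);
  }
  static from(value) {
    return value instanceof TaintedString ? value : TaintedString.trusted(value);
  }
  // Concatenation keeps the per-segment taint instead of collapsing it
  concat(...others) {
    const extra = others.map((o) => TaintedString.from(o).segments);
    return new TaintedString(this.segments.concat(...extra));
  }
  // Coarse-grained view: the whole value counts as tainted if any part is
  get isTainted() {
    return this.segments.some((s) => s.tainted);
  }
  toString() {
    return this.segments.map((s) => s.text).join('');
  }
  // Precise view: run the sink's sanitizer over tainted segments only,
  // leaving the library author's own markup or SQL untouched
  sanitizeWith(sanitize) {
    return this.segments
      .map((s) => (s.tainted ? sanitize(s.text) : s.text))
      .join('');
  }
}

// Tagged template so library code can interpolate values naturally
function tt(strings, ...values) {
  let out = TaintedString.trusted(strings[0]);
  values.forEach((v, i) => {
    out = out.concat(v, strings[i + 1]);
  });
  return out;
}

// Sanitizers supplied by the library/framework author, one per sink context
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
// Illustrative only: doubles quotes inside a single-quoted SQL literal;
// real code should use parameterised queries instead
const escapeSqlLiteral = (s) => s.replace(/'/g, "''");

// Coarse-grained sink: any taint at all aborts (the "simply fail" behaviour)
function coarseHtmlSink(ts) {
  if (ts.isTainted) throw new Error('tainted data reached HTML sink');
  return ts.toString();
}

// Precise sinks: auto-sanitize the untrusted portions and carry on
function preciseHtmlSink(ts) {
  return ts.sanitizeWith(escapeHtml);
}
function preciseSqlSink(ts) {
  return ts.sanitizeWith(escapeSqlLiteral);
}

// Library code written by a developer who forgot to sanitize
function renderGreeting(name) {
  return tt`<p>Hello, <b>${name}</b>!</p>`;
}
function buildUserQuery(id) {
  return tt`SELECT * FROM users WHERE id = '${id}'`;
}

// Constructed sample input standing in for untrusted request parameters
const attackerName = TaintedString.untrusted('<img src=x onerror=alert(1)>');
const attackerId = TaintedString.untrusted("1' OR '1'='1");

function demo() {
  const page = renderGreeting(attackerName);
  const query = buildUserQuery(attackerId);
  let coarse;
  try {
    coarse = coarseHtmlSink(page);
  } catch (e) {
    coarse = 'rejected: ' + e.message;
  }
  return { coarse, preciseHtml: preciseHtmlSink(page), preciseSql: preciseSqlSink(query) };
}

console.log(demo());
```

Two points worth noting. First, the sanitizer is chosen per sink, not globally: the same tainted bytes need HTML escaping in one place and SQL literal escaping in another, and an attribute or URL context would need yet another, which is why the abstract leaves the function to the library writer. Second, this class is explicit, so developers would have to opt in; a drop-in implementation has to make the tainted string behave like an ordinary string under the built-in operations so that existing library code keeps working unchanged, and that interception is where the runtime overhead comes from.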




Published In

PLAS '17: Proceedings of the 2017 Workshop on Programming Languages and Analysis for Security
October 2017
128 pages
ISBN:9781450350990
DOI:10.1145/3139337
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. javascript
  2. taint analysis
  3. web application security

Qualifiers

  • Research-article

Conference

CCS '17

Acceptance Rates

PLAS '17 Paper Acceptance Rate 8 of 10 submissions, 80%;
Overall Acceptance Rate 43 of 77 submissions, 56%


Article Metrics

  • Downloads (Last 12 months)9
  • Downloads (Last 6 weeks)1
Reflects downloads up to 14 Dec 2024

Cited By

  • (2023) Neural Machine Translation for Recovering ASTs from Binaries. 2023 IEEE 3rd International Conference on Software Engineering and Artificial Intelligence (SEAI), pp. 80-85. doi:10.1109/SEAI59139.2023.10217602. Published online 16 Jun 2023.
  • (2021) A Practical Approach for Dynamic Taint Tracking with Control-flow Relationships. ACM Transactions on Software Engineering and Methodology 31(2), pp. 1-43. doi:10.1145/3485464. Published online 24 Dec 2021.
  • (2020) Revealing injection vulnerabilities by leveraging existing tests. Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 284-296. doi:10.1145/3377811.3380326. Published online 27 Jun 2020.
  • (2019) Static security evaluation of an industrial web application. Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pp. 1952-1961. doi:10.1145/3297280.3297471. Published online 8 Apr 2019.
  • (2019) Platform-Independent Dynamic Taint Analysis for JavaScript. IEEE Transactions on Software Engineering. doi:10.1109/TSE.2018.2878020. Published online 2019.
  • (2019) Detecting Input Sanitization Errors in Scala. 2019 Seventh International Symposium on Computing and Networking Workshops (CANDARW), pp. 313-319. doi:10.1109/CANDARW.2019.00062. Published online Nov 2019.
  • (2019) Mime Artist: Bypassing Whitelisting for the Web with JavaScript Mimicry Attacks. Computer Security – ESORICS 2019, pp. 565-585. doi:10.1007/978-3-030-29962-0_27. Published online 15 Sep 2019.
  • (2018) PAGURUS: Low-Overhead Dynamic Information Flow Tracking on Loosely Coupled Accelerators. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 37(11), pp. 2685-2696. doi:10.1109/TCAD.2018.2857321. Published online Nov 2018.
