Research article. DOI: 10.1145/2429069.2429115

Towards fully automatic placement of security sanitizers and declassifiers

Published: 23 January 2013

Abstract

A great deal of research on sanitizer placement, sanitizer correctness, checking path validity, and policy inference has been done in the last five to ten years, involving type systems, static analysis, and runtime monitoring and enforcement. In almost all of this work, however, the burden of sanitizer placement has fallen on the developer. Sanitizer placement in large-scale applications is difficult, and developers are likely to make errors and thereby create security vulnerabilities.
This paper advocates a radically different approach: we aim to fully automate the placement of sanitizers by analyzing the flow of tainted data in the program. We argue that developers are better off leaving out sanitizers entirely instead of trying to place them themselves.
This paper proposes a fully automatic technique for sanitizer placement. Placement is static whenever possible, switching to run time only when necessary. Run-time taint tracking can be used to track the source of a value and thus apply the appropriate sanitization; however, because of its overhead, our technique avoids it wherever possible.
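As an added illustration of the static-versus-run-time placement the abstract describes (example code written for this page, not the paper's implementation): a forward taint analysis over a constructed dataflow graph decides, per sink, whether no sanitizer is needed, whether one can be placed statically, or whether the data's origin is only known at run time and a tagged value has to be checked at the sink. The graph, its labels, and the `Tagged`/`emit` run-time fallback are all assumptions made for this example.

```python
# Constructed program graph (assumed, not from the paper): node -> (kind, predecessors). Kinds:
#   ("source", "untrusted" | "trusted")   where data enters the program
#   ("op",)                               passes through whatever reaches it (concat, loop merge)
#   ("sink", "html" | "sql")              output context that needs an html or sql sanitizer
GRAPH = {
    "request_param": (("source", "untrusted"), []),
    "config_value":  (("source", "trusted"), []),
    "greeting":      (("op",), ["request_param"]),
    "page":          (("sink", "html"), ["greeting"]),       # only untrusted data arrives
    "title":         (("op",), ["config_value"]),
    "header":        (("sink", "html"), ["title"]),          # only trusted data arrives
    "label":         (("op",), ["request_param", "config_value", "label"]),  # merge inside a loop
    "query":         (("sink", "sql"), ["label"]),           # origin depends on the run-time path
}

def reaching_labels(graph):
    """Forward fixpoint: the set of source labels that can reach each node (cycles are fine)."""
    labels = {n: ({kind[1]} if kind[0] == "source" else set()) for n, (kind, _) in graph.items()}
    changed = True
    while changed:
        changed = False
        for n, (kind, preds) in graph.items():
            reach = set().union(*(labels[p] for p in preds)) if preds else labels[n]  # sources keep theirs
            if reach != labels[n]:
                labels[n], changed = reach, True
    return labels

def decide(reach, ctx):
    """Placement rule for one sink, given the labels that can reach it."""
    if "untrusted" not in reach:
        return "none"                                   # no path carries untrusted data
    return ("static:" if reach == {"untrusted"} else "runtime:") + ctx  # all paths untrusted vs. mixed

def place_sanitizers(graph):
    """Placement plan for every sink: 'none', 'static:<ctx>' or 'runtime:<ctx>'."""
    labels = reaching_labels(graph)
    return {n: decide(labels[n], kind[1]) for n, (kind, _) in graph.items() if kind[0] == "sink"}

class Tagged(str):
    """Run-time fallback: a string that remembers its origin label (set per instance)."""
    label = "trusted"

def emit(plan, sink, value, sanitize):
    """Apply the plan at a sink; only the run-time case consults the value's tag."""
    mode, _, ctx = plan[sink].partition(":")
    if mode == "static" or (mode == "runtime" and getattr(value, "label", None) == "untrusted"):
        return sanitize(ctx, str(value))
    return str(value)
```

Only the `query` sink pays for run-time tagging; the other two are resolved entirely by the static analysis.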

Supplementary Material

JPG File (r2d2_talk6.jpg)
MP4 File (r2d2_talk6.mp4)



Published In

POPL '13: Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages, January 2013, 586 pages. ISBN: 9781450318327. DOI: 10.1145/2429069
Also published in ACM SIGPLAN Notices, Volume 48, Issue 1 (POPL '13), January 2013, 561 pages. ISSN: 0362-1340, EISSN: 1558-1160. DOI: 10.1145/2480359

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags

  1. security analysis
  2. vulnerability prevention


Acceptance Rates

Overall Acceptance Rate 860 of 4,328 submissions, 20%
