DOI: 10.1145/3341105.3373887 (research article, ACM conference proceedings)

Hybrid taint analysis for Java EE

Published: 30 March 2020

Abstract

We present a new approach to protect Java EE web applications against injection attacks, which can handle large commercial systems. We first describe a novel approach to taint analysis for Java EE, which can be characterized by "strings only", "taint ranges", and "no bytecode instrumentation". We then explain how to combine this method with static analysis, based on the JOANA IFC framework. The resulting hybrid analysis will boost scalability and precision, while guaranteeing protection against XSS. The approach has been implemented in the Juturna tool; application examples and measurements are discussed.



Published In

SAC '20: Proceedings of the 35th Annual ACM Symposium on Applied Computing
March 2020
2348 pages
ISBN:9781450368667
DOI:10.1145/3341105

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Java EE
  2. XSS
  3. information flow control
  4. injection attacks
  5. taint analysis

Qualifiers

  • Research-article

Conference

SAC '20
SAC '20: The 35th ACM/SIGAPP Symposium on Applied Computing
March 30 - April 3, 2020
Brno, Czech Republic

Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Article Metrics

  • Downloads (Last 12 months)28
  • Downloads (Last 6 weeks)1
Reflects downloads up to 09 Nov 2024

Cited By

  • (2025) A fine-grained approach for Android taint analysis based on labeled taint value graphs. Computers & Security 148 (104162). DOI: 10.1016/j.cose.2024.104162. Online publication date: Jan 2025.
  • (2023) Cryptocurrency Security Study based on Static Taint Analysis. Highlights in Science, Engineering and Technology 39 (962-970). DOI: 10.54097/hset.v39i.6684. Online publication date: 1 Apr 2023.
  • (2023) A Dataflow Analysis for Comparing and Reordering Predicate Arguments. Electronic Proceedings in Theoretical Computer Science 385 (41-54). DOI: 10.4204/EPTCS.385.5. Online publication date: 12 Sep 2023.
  • (2021) [Engineering] eNYPD—Entry Points Detector Jakarta Server Faces Use Case. 2021 IEEE 21st International Working Conference on Source Code Analysis and Manipulation (SCAM) (30-35). DOI: 10.1109/SCAM52516.2021.00013. Online publication date: Sep 2021.
  • (2020) On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications. Applied Sciences 10:24 (9119). DOI: 10.3390/app10249119. Online publication date: 20 Dec 2020.
