LAPSE a Security Auditing Tool for Java Benjamin

LAPSE: a Security Auditing Tool for Java Benjamin Livshits Stanford University, Computer Systems Lab Introduction q q Security errors are common in today’s Java programs Lead to stolen or corrupt data, system downtime 92% of Web apps are vulnerable to attack [Imperva] Recent kinds of security attacks appeared q SQL injections q Cross-site scripting q HTTP splitting q Path traversal q Parameter manipulation q Header manipulation q Cookie poisoning q Command-line params q What do we do? How do we protect our applications? q How do we prevent these vulnerabilities? q Our approach – tool called LAPSE q Lightweight Analysis for Program Security in Eclipse q Find the errors in the Java source code q Give the developer an automatic security auditing tool q Taint problems–like taint mode in Perl, but static q Unchecked input propagates to sensitive methods in the program q Sources – data enters the Web app q Sinks – SQL execution statements, send data back to the user, file access operations, etc. q q Form parameters HTTP headers Cookie values Other types q If name is user-controlled – danger, danger!! q q bob’ -bob’ or 1=1 -bob’; DROP Records; -- WHERE = `bob’ -- ’ WHERE bob’ or 1=1 -- ’ WHERE bob’; DROP Records; -- ’ q How bad is this? Causes q Unauthorized information access q Deleted records q q List of sources SQL execute calls Output statements Redirect calls File access routines 1 q Start at a sink q Propagate backwards q Can any source reach this sink? 2 q Follow values through q Method parameters/return values q Local variables q String concatenation Resulting SQL q q A source in Java code Tracking Flow of Data between a Source and a Sink in LAPSE q Construct SQL queries based on user-provided input SELECT User. ID, Creditcard FROM Records WHERE Name = ‘ + name + ’; Found 18 verified security errors In 15 open-source Web apps from Source. Forge Most are blogging, bulletin-board programs Widely used and deployed at many sites Contain a total of q 2, 383 classes q Over 524, 000 of code q Auditing of 15 apps takes under an hour q q q Sources and Sinks Vulnerability Example: SQL injection Set name to Results LAPSE: a Security Auditing Tool for Eclipse 3 q Filter results q For speed q Not in source q To analyze if a sink can is “dangerous” need to determine what can flow to it q Eclipse already allows to look up definitions of variables q We take this further: q Trace values backwards through parameters, assignments, function calls q If we encounter a source: stop, declare victory Intermediate propagation steps Sink Source Discussion q Auditing is pretty effective, however q Requires some manual effort q Not a complete solution – may miss errors q Some errors are hard to analyze q Sources and sinks are far apart q Often no source code available – only byte code q Working on a complete solution q Submitted a paper to Usenix Security 2005 q Based on a heavy-weight sound static analysis q Pointer analysis q Sound – guaranteed to find all potential errors q Much longer analysis times q Working on a runtime protection solution q Detect errors at runtime q Cleanse the tainted values and proceed References q Security bugs in C (buffer overruns, format strings) q Static: LCLint, ITS 4, Flawnder, Rats, Splint, BOON q Dynamic: Stack. Guard, CRED q To the best of our knowledge, we are the 1 st publically annonced Java code auditing security tool