research-article

Efficient character-level taint tracking for Java

Authors:

Erika Chin,

David WagnerAuthors Info & Claims

SWS '09: Proceedings of the 2009 ACM workshop on Secure web services

Pages 3 - 12

https://doi.org/10.1145/1655121.1655125

Published: 13 November 2009 Publication History

Get Access

Abstract

Over 80% of web services are vulnerable to attack, and much of the danger arises from command injection vulnerabilities. We present an efficient character-level taint tracking system for Java web applications and argue that it can be used to defend against command injection vulnerabilities. Our approach involves modification only to Java library classes and the implementation of the Java servlets framework, so it requires only a one-time modification to the server without any subsequent modifications to a web application's bytecode or access to the web application's source code. This makes it easy to deploy our technique and easy to secure legacy web software. Our preliminary experiments with the JForum web application suggest that character-level taint tracking adds 0-15% runtime overhead.

References

[1]

W. Chang, B. Streiff, and C. Lin. Efficient and extensible security enforcement using dynamic data flow analysis. In Proceedings of the 15th ACM conference on Computer and communications security, pages 39--50. ACM New York, NY, USA, 2008.

Digital Library

Google Scholar

[2]

B. Chess and J. West. Dynamic taint propagation: Finding vulnerabilities without attacking. Information Security Technical Report, 13(1):33--39, 2008.

Digital Library

Google Scholar

[3]

A. Futoransky, E. Gutesman, and A. Waissbein. A dynamic technique for enhancing the security and privacy of web applications. Proc. Black Hat USA, 2007.

Google Scholar

[4]

J. Grossman. WhiteHat website security statistics report, Aug. 2008. http://www.whitehatsec.com/home/assets/WPstats0808.pdf.

Google Scholar

[5]

V. Haldar, D. Chandra, and M. Franz. Dynamic taint propagation for Java. In Annual Computer Security Applications Conference (ACSAC 2005), pages 303--311, 2005.

Digital Library

Google Scholar

[6]

W. Halfond, A. Orso, and P. Manolios. WASP: Protecting web applications using positive tainting and syntax-aware evaluation. IEEE Transactions on Software Engineering (TSE), 34(1):65--81, 2008.

Digital Library

Google Scholar

[7]

L. Lam and T. Chiueh. A general dynamic information flow tracking framework for security applications. In Annual Computer Security Applications Conference (ACSAC 2006), pages 463--472, 2006.

Digital Library

Google Scholar

[8]

A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In 20th IFIP International Informations Security Conference (SEC 2005), pages 295--307. Springer, 2005.

Crossref

Google Scholar

[9]

T. Pietraszek and C. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection (RAID 2005), volume 3858 of Lecture Notes in Computer Science, page 124. Springer, 2006.

Digital Library

Google Scholar

[10]

R. Sekar. An efficient black-box technique for defeating web application attacks. In Network and Distributed Systems Symposium (NDSS 2009), Feb. 2009.

Google Scholar

[11]

Web Application Security Consortium. Web Application Security Statistics Project 2007. http://www.webappsec.org/projects/statistics/wasc_wass_2007.pdf.

Google Scholar

[12]

W. Xu, S. Bhatkar, and R. Sekar. Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks. In 15th USENIX Security Symposium, pages 121--136, August 2006.

Digital Library

Google Scholar

Cited By

View all

Rahman AParnin C(2023)Detecting and Characterizing Propagation of Security Weaknesses in Puppet-Based Infrastructure ManagementIEEE Transactions on Software Engineering10.1109/TSE.2023.326596249:6(3536-3553)Online publication date: 1-Jun-2023
https://dl.acm.org/doi/10.1109/TSE.2023.3265962
Pan ZChen YChen YShen YLi Y(2022)LogInjector: Detecting Web Application Log Injection VulnerabilitiesApplied Sciences10.3390/app1215768112:15(7681)Online publication date: 30-Jul-2022
https://doi.org/10.3390/app12157681
Wu JZhao JFu J(2022)A Static Method to Discover Deserialization Gadget Chains in Java ProgramsProceedings of the 2022 2nd International Conference on Control and Intelligent Robotics10.1145/3548608.3559310(800-805)Online publication date: 24-Jun-2022
https://dl.acm.org/doi/10.1145/3548608.3559310
Show More Cited By

Index Terms

Efficient character-level taint tracking for Java
1. Security and privacy
  1. Software and application security
    1. Software security engineering
  2. Systems security
    1. Information flow control
    2. Operating systems security
2. Software and its engineering
  1. Software organization and properties
    1. Software functional properties
      1. Correctness
        Access protection

Recommendations

Evaluating the Java Native Interface JNI: Leveraging Existing Native Code, Libraries and Threads to a Running Java Virtual Machine

This article aims to explore JNI features and to discover fundamental operations of the Java programming language, such as arrays, objects, classes, threads and exception handling, and to illustrate these by using various algorithms and code samples. ...
Evaluating the Java Native Interface JNI: Data Types and Strings

This article describes how the java native interface JNI is a powerful feature of the java platform that started to draw attention in the latter years as an efficient programming framework for building and delivering innovative technological ...
An efficient native function interface for Java
PPPJ '13: Proceedings of the 2013 International Conference on Principles and Practices of Programming on the Java Platform: Virtual Machines, Languages, and Tools

We present an efficient and dynamic approach for calling native functions from within Java. Traditionally, programmers use the Java Native Interface (JNI) to call such functions. This paper introduces a new mechanism which we tailored specifically ...

Comments

Information & Contributors

Information

Published In

SWS '09: Proceedings of the 2009 ACM workshop on Secure web services

November 2009

70 pages

ISBN:9781605587899

DOI:10.1145/1655121

Program Chairs:
Ernesto Damiani
Università degli Studi di Milano, Italy
,
Seth Proctor
Sun Labs, USA
,
Anoop Singal
NIST, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 November 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS '09

Sponsor:

SIGSAC

CCS '09: 16th ACM Conference on Computer and Communications Security 2009

November 13, 2009

Illinois, Chicago, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

50
Total Citations
View Citations
458
Total Downloads

Downloads (Last 12 months)8
Downloads (Last 6 weeks)0

Reflects downloads up to 06 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Rahman AParnin C(2023)Detecting and Characterizing Propagation of Security Weaknesses in Puppet-Based Infrastructure ManagementIEEE Transactions on Software Engineering10.1109/TSE.2023.326596249:6(3536-3553)Online publication date: 1-Jun-2023
https://dl.acm.org/doi/10.1109/TSE.2023.3265962
Pan ZChen YChen YShen YLi Y(2022)LogInjector: Detecting Web Application Log Injection VulnerabilitiesApplied Sciences10.3390/app1215768112:15(7681)Online publication date: 30-Jul-2022
https://doi.org/10.3390/app12157681
Wu JZhao JFu J(2022)A Static Method to Discover Deserialization Gadget Chains in Java ProgramsProceedings of the 2022 2nd International Conference on Control and Intelligent Robotics10.1145/3548608.3559310(800-805)Online publication date: 24-Jun-2022
https://dl.acm.org/doi/10.1145/3548608.3559310
Hough KBell J(2021)A Practical Approach for Dynamic Taint Tracking with Control-flow RelationshipsACM Transactions on Software Engineering and Methodology10.1145/348546431:2(1-43)Online publication date: 24-Dec-2021
https://dl.acm.org/doi/10.1145/3485464
Kreindl JBonetta DStadler LLeopoldseder DMössenböck HKuchen HSinger J(2021)Low-overhead multi-language dynamic taint analysis on managed runtimes through speculative optimizationProceedings of the 18th ACM SIGPLAN International Conference on Managed Programming Languages and Runtimes10.1145/3475738.3480939(70-87)Online publication date: 29-Sep-2021
https://dl.acm.org/doi/10.1145/3475738.3480939
Wang MJung CAhad AKwon YKim YKim JVigna GShi E(2021)Spinner: Automated Dynamic Command Subsystem PerturbationProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security10.1145/3460120.3484577(1839-1860)Online publication date: 12-Nov-2021
https://dl.acm.org/doi/10.1145/3460120.3484577
Skalka CAmir-Mohammadian SClark S(2020)Maybe tainted dataJournal of Computer Security10.3233/JCS-19134228:3(295-335)Online publication date: 1-Jan-2020
https://dl.acm.org/doi/10.3233/JCS-191342
Ashouri MSalvaneschi GAmin N(2020)Kaizen: a scalable concolic fuzzing tool for ScalaProceedings of the 11th ACM SIGPLAN International Symposium on Scala10.1145/3426426.3428487(25-32)Online publication date: 13-Nov-2020
https://dl.acm.org/doi/10.1145/3426426.3428487
Hough KWelearegai GHammer CBell JRothermel GBae D(2020)Revealing injection vulnerabilities by leveraging existing testsProceedings of the ACM/IEEE 42nd International Conference on Software Engineering10.1145/3377811.3380326(284-296)Online publication date: 27-Jun-2020
https://dl.acm.org/doi/10.1145/3377811.3380326
Loch FJohns MHecker MMohr MSnelting GHung CCerny TShin DBechini A(2020)Hybrid taint analysis for Java EEProceedings of the 35th Annual ACM Symposium on Applied Computing10.1145/3341105.3373887(1716-1725)Online publication date: 30-Mar-2020
https://dl.acm.org/doi/10.1145/3341105.3373887
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Evaluating the Java Native Interface JNI: Leveraging Existing Native Code, Libraries and Threads to a Running Java Virtual Machine

Evaluating the Java Native Interface JNI: Data Types and Strings

An efficient native function interface for Java