
國立政治大學 National Chengchi University

Summary:

The TAINT TRACKER aspect is designed to simulate the Dflow pointcut. The semantics of the dataflow pointcut are to tag the tainted object and to examine the tag at the sink point.

Since we cannot use AspectJ to weave a tag field into the fundamental class of the standard library, i.e., java.lang.Object, we use the unique object ID as the tag for tracking a tainted object. The propagation pointcuts prevent losing track of a tainted object across the operations provided by the String class: they replace the old object ID with a new one so that tracking continues. We have considered all operations on strings that can produce a new tainted string, because a String object is immutable at runtime. Furthermore, TAINT TRACKER is designed as a template class, because the corresponding pointcuts (source, sink and sanitize) may differ from one web application to another. Hence we also provide a flexible user interface for developers to define the source, sink and sanitization pointcuts for a specific Java web application.
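As an added example (not the thesis's code), the following Python model reproduces the TAINT TRACKER semantics described above: objects are tagged by identity (id() standing in for System.identityHashCode), every String operation that produces a new immutable string re-tags its result, and a sanitizer yields an untagged object. It goes slightly beyond the listing by also treating a tainted concat argument as tainting the result; handle_request and the HTML-escaping sanitizer are constructed for this example.

```python
class TaintTracker:
    def __init__(self):
        self.tainted_set = set()   # identity tags of tainted objects
        self._keep = []            # hold tagged objects: a freed object's id() can be reused

    def _tag(self, obj):
        self.tainted_set.add(id(obj))
        self._keep.append(obj)

    def is_tainted(self, obj):
        return id(obj) in self.tainted_set

    def get_parameter(self, params, name):     # source rule: parameters enter tainted
        value = params.get(name, "")
        self._tag(value)
        return value

    # Propagation rules: a new string derived from tainted data inherits the tag. The
    # thesis's propagation2 advice checks the receiver; this model also checks the concat
    # argument, since "safe".concat(tainted) carries tainted data as well.
    def concat(self, target, other):
        return self._propagate([target, other], target + other)

    def substring(self, target, begin, end=None):
        return self._propagate([target], target[begin:end])

    def split(self, target, sep):
        parts = target.split(sep)              # String.split returns a fresh array
        self._propagate([target], parts)
        for part in parts:                     # mirrors the loop in the propagation2 advice
            self._propagate([target], part)
        return parts

    def _propagate(self, inputs, result):
        if any(self.is_tainted(i) for i in inputs):
            self._tag(result)
        return result

    def sanitize(self, value):                 # sanitization rule: the result is untagged
        result = value.replace("<", "&lt;").replace(">", "&gt;")
        self.tainted_set.discard(id(result))   # replace() may hand back the same object
        return result

    def sink(self, value):                     # sink rule (println / query)
        return self.is_tainted(value)

def handle_request(params, sanitize):
    """Constructed doGet: returns True when tainted data reaches the sink."""
    t = TaintTracker()
    name = t.get_parameter(params, "name")
    line = t.concat(name, " visited")
    who = t.split(line, " ")[0]                # the tainted piece survives the split
    short = t.substring(who, 0, 3)
    out = t.sanitize(short) if sanitize else short
    return t.sink(out)
```

Keeping strong references to tagged objects matters: once an object is collected, its identity value can be reused and an unrelated object would silently inherit the tag.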

    // Propagation advice for String operations that return an array (e.g. split):
    // when the receiver is tainted, tag both the returned array and each of its elements.
    @SuppressAjWarnings({"adviceDidNotMatch"})
    after(Object target) returning(Object[] ret): propagation2(target) {
        if (this.isTainted(target)) {
            this.TaintedSet.add(System.identityHashCode(ret));
            for (Object tmp : ret) {
                this.TaintedSet.add(System.identityHashCode(tmp));
            }
        }
    }

4.2 Online taint dataflow analysis

The ONLINE ANALYZER module is developed with the Soot framework. We chose JIMPLE as our intermediate representation. In our system, the ONLINE ANALYZER module has two purposes. One is to help the PROGRAM EXECUTOR module collect the key information of the HTML forms hard-coded in the program; this part is explained in the next section. The other is to work together with our designed aspect to perform the online taint dataflow analysis. The analysis flow of the ONLINE ANALYZER is shown in Figure 4.4.

4.2.1 Collect the information from instrumentation

Online analysis gradually examines the code that has been executed, so the ONLINE ANALYZER must be fed this information incrementally. We designed a pointcut, named OnlineAnalysisPCD, to collect the needed information for the ONLINE ANALYZER. Before the online analysis, the ONLINE ANALYZER needs to build the call graph along the executing program.

Figure 4.4: Online analysis flow diagram. [Figure: class and method information from the designed pointcut -> load the associated class and method body -> raw information of the associated class and method -> compile the raw information into JIMPLE intermediate representation -> associated class and method in JIMPLE form -> build / update call graph -> perform taint dataflow analysis to a fixed point -> analysis result]

The following example shows part of the OnlineAnalysisPCD definition:


    // Restricts weaving to the application's own code by excluding calls into the Java
    // standard library and constructor calls. The split into two named pointcuts follows
    // the description in the text; the first line of the extracted listing was garbled.
    pointcut CallGraphPCD():
        !call(* java..*.*(..)) && !call(* javax..*.*(..)) && !call(*.new(..));

    // Every method call made below the servlet's GET entry method; doPost(..) is the
    // analogous entry for POST requests.
    pointcut OnlineAnalysisPCD():
        cflowbelow(execution(* doGet(..))) &&
        if(thisJoinPoint.getKind().equals("method-call")) &&
        CallGraphPCD();

There are two major HTTP request methods by which a client requests a resource from the back-end: GET and POST. Hence doGet and doPost are the two possible entry methods of a Java servlet web application. The pointcut definition above illustrates the GET case. The entry method is bound to be the head node of the call graph of every execution path. In the OnlineAnalysisPCD pointcut, we use the cflowbelow pointcut to confine the join points to the methods called out from the entry method of the program. The cflowbelow pointcut captures all join points encountered in the program's control flow after the initiating join point selected by a separate pointcut we defined, i.e., execution(* doGet(..)). The CallGraphPCD pointcut uses another two pointcuts, !call(* java..*.*(..)) and !call(* javax..*.*(..)), to reduce unnecessary weaving of the methods in the Java Standard Library, since we only focus on the business logic part of the application. The OnlineAnalysisPCD advice is defined as follows:

    before(): OnlineAnalysisPCD() {
        // caller: the enclosing method in which the call occurs; callee: the called method
        ONLINEANALYZER.makeCallEdge(
            thisEnclosingJoinPointStaticPart.getSignature().getDeclaringType().toString(),
            thisEnclosingJoinPointStaticPart.getSignature().getName(),
            thisJoinPoint.getSignature().getDeclaringType().toString(),
            thisJoinPoint.getSignature().getName());
    }

The OnlineAnalysisPCD advice provides the caller and callee information to the ONLINE ANALYZER whenever it encounters a newly loaded class and method at runtime. Thus the ONLINE ANALYZER can load the associated class and method information using the SOOT class loader and is ready to analyze the loaded code.


4.2.2 Online Taint Dataflow Analysis

After building the call graph of the program, the ONLINE ANALYZER examines whether there is a branch structure in the current execution path. If so, the ONLINE ANALYZER starts the online taint dataflow analysis from the head node of the call graph. In this way we reduce the amount of code to be analyzed, because if there is no branch structure in the current call graph, the original code cannot contain potential vulnerabilities other than those on the executed path.

That is, we can let the TAINT TRACKER aspect do the entire analysis along the current execution path and save the analysis time of the ONLINE ANALYZER. The ONLINE ANALYZER performs an interprocedural taint dataflow analysis. Dataflow analysis is a technique for computing the possible values at arbitrary program points; it operates on the program's control flow graph (CFG), so we must have the program's CFG before the dataflow analysis. The CFG is a data structure built on top of the intermediate code representation that abstracts the control flow behavior of a compiled function. It is a directed graph whose nodes are basic blocks and whose edges represent possible control flow from one basic block to another. Here we compute the CFG using the module provided by the SOOT framework. As in the TAINT TRACKER aspect, we need rules to decide whether a variable is tainted or not: source rules, sink rules, propagation rules and sanitization rules. Figure 4.5 depicts the relationship between the rules and function names.

    Rules          Function names
    Source         getParameter(String), getParameterMap(String), ...
    Sink           println(String), query(String), ...
    Propagation    concat(String), substring(..), split(..), ...
    Sanitization   Defined by developers

Figure 4.5: Online taint dataflow analysis rules

The SOOT framework covers the low-level tasks for us. We can choose among different algorithms (e.g., Iter, alias, worklist) to serve as the propagator for the flow analysis. In our ONLINE ANALYZER we chose the worklist algorithm as the propagator, because it is an efficient algorithm for program analysis. The ONLINE ANALYZER module provides its own analysis results, and these results may contain false positive alarms.

We regard the results as potential vulnerabilities and compare them with the results of TAINT TRACKER.
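As an added example (not the thesis's code), here is the worklist propagator of Section 4.2.2 written in Python over a constructed JIMPLE-like CFG, using the rule tables of Figure 4.5; escapeHtml is an assumed developer-defined sanitizer. Because it is a may-analysis (union at merge points), the unsanitized branch is reported even when the executed request took the safe branch, which is the kind of potential vulnerability the text says must be compared with the TAINT TRACKER result.

```python
SOURCES = {"getParameter", "getParameterMap"}
SINKS = {"println", "query"}
SANITIZATION = {"escapeHtml"}               # "defined by developers": name assumed here

def transfer(stmt, tainted):
    # One statement (dst, method, args) applied to the set of tainted variables.
    dst, method, args = stmt
    out = set(tainted)
    if method in SOURCES:
        out.add(dst)
    elif method in SANITIZATION or method in SINKS:
        out.discard(dst)                    # sinks define no value; checked in analyze()
    elif any(a in tainted for a in args):   # propagation rules (concat, substring, split);
        out.add(dst)                        # unknown calls are conservatively propagating
    else:
        out.discard(dst)
    return out
def analyze(cfg, entry="entry"):
    # cfg: {block: (stmts, successors)}. Returns (in_sets, findings) at the fixed point.
    in_sets = {b: set() for b in cfg}
    worklist = [entry]
    while worklist:                         # worklist propagator, as chosen by the thesis
        block = worklist.pop()
        state = in_sets[block]
        for stmt in cfg[block][0]:
            state = transfer(stmt, state)
        for succ in cfg[block][1]:
            merged = in_sets[succ] | state  # may-analysis: union at merge points
            if merged != in_sets[succ]:
                in_sets[succ] = merged
                worklist.append(succ)
    findings = []                           # sinks reachable with a tainted argument
    for block, (stmts, _) in cfg.items():
        state = in_sets[block]
        for i, (dst, method, args) in enumerate(stmts):
            if method in SINKS and any(a in state for a in args):
                findings.append((block, i, method))
            state = transfer((dst, method, args), state)
    return in_sets, sorted(findings)
def example_cfg(sanitize_loop_path):
    # Constructed doGet: one branch sanitizes v, the other loops over substring() on it.
    loop = [("v", "substring", ["v", "0", "3"])]
    if sanitize_loop_path:
        loop.insert(0, ("v", "escapeHtml", ["v"]))
    return {
        "entry":    ([("v", "getParameter", ["req", "name"])], ["sanitize", "loop"]),
        "sanitize": ([("v", "escapeHtml", ["v"])],             ["exit"]),
        "loop":     (loop,                                     ["loop", "exit"]),
        "exit":     ([(None, "println", ["out", "v"])],        []),
    }
```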
