Figure 4. 1 System architecture
4.1 TAINT TRACKER aspect
In TAINT TRACKER aspect, we adopted the concept of dflow pointcut and simulate the
dflow with existing pointcuts in Aspect. We utilized the characteristic of Java language, i.e.,
pass by reference, to keep track of each unchecked user input object (regarded as tainted object). In java language, objects are passed by reference and each object has its own object id in JVM at runtime. Once we record the object ID of the tainted string objects, we can trackpublic class MyServlet3 extends HttpServlet{
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String name = req.getParameter(“name”);
public class MyServlet2 extends HttpServlet{
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String name = req.getParameter(“name”);
public class MyServlet1 extends HttpServlet{
protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException { String name = req.getParameter(“name”);
Figure 4. 2: Scenario of analysis using our tool
‧ 國
立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
these tainted objects along the program to see if they reached any sensitive program point that we concerns (i.e., sink statement). In our implementation, we use the function,
System.identityHashCode, to retrieve the unique ID for each tainted object in the JVM during
runtime. The following shows an example of retrieving the object ID.In order to completely simulate the ideas of dflow poincut, we categorize our designed pointcuts into source poincuts, sink poincuts, propagation pointcuts and sanitization pointcuts.
Source pointcuts specify untrusted methods and store the object ID of its returning object in a
data structure, named TainteSet. Sink pointcuts specify the sensitive output methods, i.e., to the database or the browser in the client side, which we concerns. Propagation pointcuts define the methods which will modify the object ID that is already in our tainted set and replace the old object ID with the new one. Sanitization pointcuts specify the method which will sanitize the tainted object into a clean one and remove the object id which has been sanitized from the TaintedSet.Source pointcuts
In a Java web application, the request from the client side will be packed into an object which implements the javax.servlet.http.HttpServletRequest interface by the web server container.
The web program can access the client input through this object and we have to monitor the methods applied by the object. Thus we designed three pointcuts to collect the needed information for these insecure methods as follows:
Source advice
pointcut SOURCEPCD1():call(String javax.servlet.http.HttpServletRequest.getParameter(String)) pointcut SOURCEPCD2():call(String javax.servlet.http.HttpServletRequest.getParameterMap(String)) pointcut SOURCEPCD3():call(String javax.servlet.http.HttpServletRequest. getParameterValues(String)) TaintedSet.add(System.identityHashCode(obj));
‧ 國
立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
Source advices capture the returned tainted objects from the methods monitored by the source pointcuts and add the tainted objects to an aspect scope data structure, named TaintedSet. We design three advices according to the souce pointcuts above as follows:
In the SOURCEPCD1, we simply take the returned string as tainted object and add it to the TaintedSet due to the getParameter method only return one string a time. In the SOURCEPCD2 and SOURCEPCD3, the two functions,
getParameterMap and getParameterValues, both return a data structure of tainted string. Thus we have to break
down the data structure into single string object and add each string object id to the TaintedSet.Obviously, these pointcuts and advice cannot describe the complete source point in a program.
An untrusted string can be obtained from a SQL query in a database Web application. Thus in our tool, we let developers to define their source pointcuts and advices to specify the program statements which they concern as a source statement in certain Web application.
Sink pointcut
In a web application, there are many sink statement that we concern, such as a writer print the content to the client side browser or execution of the SQL string to make a transaction to database in the back end. If a tainted string object involve with these operations, the web application becomes insecure. Obviously, different web applications may have different concerned sink point. In our sink pointcut design, we only write down the most commonly used insecure output methods as follows.
after() returning(String taint):SOURCEPCD1(){this.TaintedSet.add(System.identityHashCode(taint));}
after() returning(Map stringmap):SOURCEPCD2(){
for(String taint: stringmap.values()){this.TaintedSet.add(System.identityHashCode(taint));}
}
after() returning(String[] stringarray):SOURCEPCD3(){
for(String taint : stringarray ){ this.TaintedSet.add(System.identityHashCode(taint));}
}
‧
We also hope the developer can provide more sink statement in the program. Our tool will also let developers input other sink statements’ signature according to the specified web application.
Sink advice
In the sink advice, it examines all the arguments of the method and reports if the arguments contain the tainted objects. We design the sink advice as follows:
We design the isTainted helper function in the TaintTrackingAspcet to check if the input object’s id is in the TaintedSet. The sink advice use isTainted function for determining whether an argument of this function appears in the sink statement and regard as a vulnerable statement, i.e., a web application vulnerability.
Propagation pointcuts
Propagation pointcuts define the statement which might propagates a tainted object to other variables. In a Java program, we don’t have to record the right and left side of an assignment statement of two objects. If an object is passed to another object through assignment statement, it only changes the object reference id in the left-hand side. These two variables
before():SINKPCD1(){
for (Object ob : thisJoinPoint.getArgs()) {
if(this.isTainted(ob)){ //report as a vulnerability}
} }
private boolean isTainted(Object target){
for(Integer ob : TaintedSet){
if(ob.intValue() == System.identityHashCode(target)){return true;}
}
return false;
}
pointcut SINKPCD1():call(* *.println(..));
‧ 國
立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
still refer to the same object. In other words, the assignment statement only makes these two variable points to the same object. That is, if a variable refer to a tainted object and assign to another variable, we don’t have to change anything in the TaintedSet. Thus in this pointcut, we only concern the operation which might create or modify the tainted object id.
During runtime, String is an immutable object in the JVM. Thus every string operation listed below will make a new string after execution. We categorize these string operations by using return type into three groups: string, String[] and char[]. (CharSequence is an interface implemented by String, hence we regard the returned object as a String)
Signature Return Object
Constructor public String(String original) new String
Method public String concat(String str) new String
public String intern() new String
public String replace(char oldChar, char newChar) new String public String replace(Char Sequence target, Char Sequence replacement) new String public String replaceAll(String regex, String replacement) new String public String replaceFirst(String regex, String replacement) new String
public CharSequence subSequence(int beginIndex, int endIndex) new CharSequence public String substring(int beginIndex) new String
public String substring(int beginIndex,in t endIndex) new String
public String toLowerCase() new String
public String toLowerCase(Locale locale) new String
public String toString() new String
public String toUpperCase() new String
public String toUpperCase(Locale locale) new String
public String trim() new String
‧ 國
立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
public String[] split(String regex) new String[]
public String[] split(String regex, int limit) new String[]
public char[] toCharArray() new char[]
Figure 4. 3 String operations
Thus we have the pointcuts as follows:
The propagate1 pointcut intercepts the constructor call of string and the others specify different return type of string operations. In java language, there is still a string concatenation operator, “+” and the java compiler compiles it into a series of StringBuffer operation. For example:
It is compiled to the equivalent of:
There are two possible objects for compiler to transforms: StringBuilder and StringBuffer.
Stringbuilder is used when program is accessed by single thread and StringBuffer is used when the program is accessed by multiple threads. Thus we design another two poincuts to gather the information of StringBuilder and StringBuffer:
Finally, we have to avoid the string-liked objects (ie., char[], string[]) transforms into another new strings by using toString() method. So we have to add one more pointcut:
pointcut propagate1(Object target):call(String.new(String))&&args(target);
pointcut propagate2(Object target):call(String String.*(..))&&target(target);
pointcut propagate3(Object target):call(String[] String.*(..))&&target(target);
pointcut propagate4(Object target):call(char[] String.*(..))&&target(target);
String x = “a” + “b” +”c”+”3”;
x = new StringBuffer(“a”).append("b").append(“c”).append("3").toString()
pointcut propagate5(Object arg):call(StringBuffer.new(String))&&args(arg);
pointcut propagate6(Object arg):call(StringBuilder.new(String))&&args(arg);
pointcut propagate7(Object target):call(String *.toString())&&target(target);
pointcut propagate7(Object target):call(String *.toString())&&target(target);
‧
In summary, our entire qualified propagation pointcuts are listed below:
Propagation advices
Once a new string is produced after executing certain string operation on the tainted string object, we consider these new strings are also suspicious and regard them as tainted string conservatively. Thus, our propagation advices gather the new string object it and add the new tainted string object id to the TaintedSet. We have three advices associated with the propagation pointcuts:
pointcut propagate1(Object target):call(String.new(String))&&args(target)\;
pointcut propagate2(Object target):call(String String.*(..))&&target(target);
pointcut propagate3(Object target):call(String[] String.*(..))&&target(target);
pointcut propagate4(Object target):call(char[] String.*(..))&&target(target);
pointcut propagate5(Object arg):call(StringBuffer.new(String))&&args(arg);
pointcut propagate6(Object arg):call(StringBuilder.new(String))&&args(arg);
pointcut propagate7(Object target):call(String *.toString())&&target(target);
pointcut propagation1(Object target):propagate1(target)||propagate2(target)
after(Object target) returning(Object ret):propagation1(target){
if(this.isTainted(target)){
this.TaintedSet.add(System.identityHashCode(ret));
} }
@SuppressAjWarnings({"adviceDidNotMatch"})
after(Object arg) returning(Object ret):propagation3(arg){
if(this.isTainted(arg)){
this.TaintedSet.add(System.identityHashCode(ret));
} }
‧ 國
立 政 治 大 學
‧
N a tio na
l C h engchi U ni ve rs it y
Summary:
The TAINTTRACKER aspect is designed to simulate the Dflow pointcut. The semantic of Dataflow pointcut is trying to tag the tainted object and examine the tag in the sink point.
Since we can’t use AspectJ to weave the fundamental class with a tag field, i.e., java.lang.Object class, in the standard library, we use the unique object ID as a tag to track the tainted object. The propagation pointcuts are trying to prevent the lost of tracking tainted object due to the operations provided by String object. They replace the old object ID with a new one to continue to track the tainted object. We have considered all the operations on strings that possibly produced a new tainted string because the string object is immutable during the runtime. Furthermore, TAINT TRACKER is designed as a template class. Because these corresponding pointcuts (source, sink and sanitize) may different from one web application to another. Hence we also provide a flexible user interface for developers to define the source, sink and sanitization pointcuts according to specified Java Web Application.