Dynamic taint propagation for Java

Authors: V. Haldar, D. Chandra, M. Franz

DOI: 10.1109/CSAC.2005.21

Keywords:

Abstract: Improperly validated user input is the underlying root cause for a wide variety of attacks on Web-based applications. Static approaches for detecting this problem help at development time, but require source code and report a number of false positives. Hence, they are of little use for securing fully deployed and rapidly evolving applications. We propose a dynamic solution that tags and tracks user input at runtime and prevents its improper use to maliciously affect the execution of the program. Our implementation can be transparently applied to Java classfiles, and does not require source code. Benchmarks show that the overhead of this runtime enforcement is negligible and can prevent a number of attacks.
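The mechanism the abstract describes has three parts: tag data at its source, carry the tag through every operation that derives a new value from it, and stop tagged data at a sensitive sink unless it has passed validation. The following is an added illustration of that model and is not the paper's code: the paper instruments Java classfiles, whereas this is a small Python model built on a `Tainted` subclass of `str`. The helper names (`read_request_param`, `validate_identifier`, `execute_sql`, `build_lookup`), the allow-list pattern and the request values are all constructed for the example.

```python
"""Toy model of dynamic taint propagation: tag at the source, propagate
through string operations, block at the sink unless validated.
Added illustration; not the paper's Java-classfile implementation."""
import re


class TaintError(RuntimeError):
    """Raised when tainted (unvalidated) data reaches a sink."""


class Tainted(str):
    """A str carrying a taint mark; strings derived from it stay marked.

    Only the operations overridden here propagate the mark. Anything that
    builds a new str inside the runtime (str.join, f-strings, str.format on
    a trusted format string) silently drops it, which is the propagation
    gap a source-level wrapper cannot close.
    """
    __slots__ = ()

    def __add__(self, other):                 # tainted + x
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):                # trusted + tainted
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self))

    def __getitem__(self, key):               # indexing and slicing
        return Tainted(str.__getitem__(self, key))

    def __rmod__(self, fmt):                  # trusted_fmt % tainted
        if not isinstance(fmt, str):
            return NotImplemented
        return Tainted(str.__mod__(fmt, self))

    def upper(self):
        return Tainted(str.upper(self))

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars))

    def replace(self, old, new, count=-1):
        return Tainted(str.replace(self, old, new, count))


def is_tainted(value) -> bool:
    return isinstance(value, Tainted)


def read_request_param(raw: str) -> Tainted:
    """Source (hypothetical name): everything from the request is tainted."""
    return Tainted(raw)


_SAFE_ID = re.compile(r"[A-Za-z0-9_]{1,32}")   # constructed allow-list


def validate_identifier(value: str) -> str:
    """Declassify: allow-listed input becomes trusted. str() on a str
    subclass returns a plain str, i.e. it drops the mark."""
    if not _SAFE_ID.fullmatch(value):
        raise ValueError(f"rejected input: {value!r}")
    return str(value)


def execute_sql(query: str) -> str:
    """Sink (stand-in for a DB call): refuses tainted data, else returns
    the query it would have run."""
    if is_tainted(query):
        raise TaintError(f"tainted data reached SQL sink: {query!r}")
    return query


def build_lookup(raw_user: str, validate: bool) -> str:
    """Build a lookup query from a request parameter and run it."""
    user = read_request_param(raw_user)
    if validate:
        user = validate_identifier(user)
    return execute_sql("SELECT * FROM users WHERE name = '" + user + "'")


def demo() -> dict:
    """Exercise propagation, the sink check and the known gap."""
    t = read_request_param("alice")   # constructed request value
    out = {
        "concat_propagates": is_tainted("SELECT '" + t + "'"),
        "slice_upper_propagates": is_tainted(t[:3].upper()),
        "percent_format_propagates": is_tainted("name=%s" % t),
        "join_drops_taint": not is_tainted("".join([t])),   # unmodelled op
    }
    try:                               # benign but never validated
        build_lookup("alice", validate=False)
        out["unvalidated_blocked"] = False
    except TaintError:
        out["unvalidated_blocked"] = True
    try:                               # injection attempt fails validation
        build_lookup("' OR 1=1 --", validate=True)
        out["injection_rejected"] = False
    except ValueError:
        out["injection_rejected"] = True
    out["validated_query"] = build_lookup("alice", validate=True)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the model makes concrete. The policy is on the data, not on the value: benign input that was never validated is still refused at the sink, so the check does not depend on guessing which strings are dangerous. And the `"".join([t])` case shows why wrapping at the language level is not enough: any operation the wrapper does not override launders the tag, which is why the abstract describes applying the tracking to Java classfiles, where the string operations themselves can be instrumented.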

References (11)
Tal Garfinkel, Mendel Rosenblum, Kevin Christopher, Ben Pfaff, Jim Chow. Understanding data lifetime via whole system simulation. USENIX Security Symposium, pp. 22-22 (2004).
V. Benjamin Livshits, Monica S. Lam. Finding security vulnerabilities in Java applications with static analysis. USENIX Security Symposium, pp. 18-18 (2005).
Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans. Automatically hardening web applications using precise tainting. Information Security Conference, pp. 295-307 (2004). doi:10.1007/0-387-25660-1_20
Nicholas Nethercote, Julian Seward. Valgrind: a program supervision framework. Electronic Notes in Theoretical Computer Science, vol. 89, pp. 44-66 (2003). doi:10.1016/S1571-0661(04)81042-9
David Wagner, Kunal Talwar, Jeffrey S. Foster, Umesh Shankar. Detecting format string vulnerabilities with type qualifiers. USENIX Security Symposium, pp. 16-16 (2001).
Tadeusz Pietraszek, Chris Vanden Berghe. Defending against injection attacks through context-sensitive string evaluation. Lecture Notes in Computer Science, pp. 124-145 (2006). doi:10.1007/11663812_7
Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. Proceedings of the 13th Conference on World Wide Web (WWW '04), pp. 40-52 (2004). doi:10.1145/988672.988679
A. Sabelfeld, A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, vol. 21, pp. 5-19 (2003). doi:10.1109/JSAC.2002.806121
D. Evans, D. Larochelle. Improving security using extensible lightweight static analysis. IEEE Software, vol. 19, pp. 42-51 (2002). doi:10.1109/52.976940
Andrew C. Myers. JFlow. Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL '99), pp. 228-241 (1999). doi:10.1145/292540.292561