Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks

Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks (2006)

Cached

Download Links

[seclab.cs.sunysb.edu]

Other Repositories/Bibliography

CiteULike

by Wei Xu , Eep Bhatkar , R. Sekar

Venue:	In 15th USENIX Security Symposium
Citations:	114 - 5 self

BibTeX

@INPROCEEDINGS{Xu06taint-enhancedpolicy,
    author = {Wei Xu and Eep Bhatkar and R. Sekar},
    title = {Taint-enhanced policy enforcement: A practical approach to defeat a wide range of attacks},
    booktitle = {In 15th USENIX Security Symposium},
    year = {2006},
    pages = {121--136}
}

Years of Citing Articles

Bookmark

OpenURL

Abstract

Policy-based confinement, employed in SELinux and specification-based intrusion detection systems, is a popular approach for defending against exploitation of vulnerabilities in benign software. To be effective, this approach requires the development of accurate application-specific security policies, which is a difficult task. Even if sufficient resources and expertise are expended for policy development, conventional access control policies (employed in these approaches) are inherently limited — they can only detect those attacks that involve resource accesses beyond what is legitimately needed by a victim application. They cannot detect attacks that “hijack ” legitimate access privileges granted to a program, e.g., an attack that subverts an FTP server to download the password file. (Note that FTP server would normally need to access the password file for performing used authentication.) Some of the common attack types reported today, such as SQL injection and cross-site scripting, involve such subversion of legitimate access privileges; others, such as buffer overflows and format string attacks, can be easily adapted to evade policy-based detection. In this paper, we develop a new approach that addresses these weaknesses by augmenting traditional security policies with information about the origin of each byte of data used in security-sensitive operations. With this information, our security policies can distinguish between accesses made by an application on its own accord, and accesses made on behalf of untrusted users. This distinction turns out to be crucial for accurate detection of most attacks, including buffer overflows, format-string vulnerabilities, integer overflows, SQL injection, cross-site scripting, command injection, and directory traversal. (These attack types account for about 2/3rd of vulnerabilities reported by CVE in 2003 and 2004.) Very simple, application-independent policies are sufficient for detecting these attacks. Moreover, detection overheads are below 10 % for server applications.

Citations

619	Security policies and security models - Goguen, Meseguer - 1982
458	Language-based information-flow security - Sabelfeld, Myers
380	Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software - Newsome, Song - 2005
379	Jflow: practical mostly-static information flow control - Myers - 1999
353	J.J.: Secure computer systems: mathematical foundations, Mitre technical report 2547 - Bell, Padula - 1973
348	Certification of programs for secure information flow - Denning, Denning - 1977
345	A sound type system for secure flow analysis - Volpano, Irvine, et al. - 1996
182	Detecting format string vulnerabilities with type qualifiers - SHANKAR, TALWAR, et al. - 2001
162	Address obfuscation: an efficient approach to combat a broad range of memory error exploits - Bhatkar, Varney, et al. - 2003
136	Securing Web Application Code by Static Analysis and Runtime Protection - Huang, Yu, et al. - 2004
132	A general theory of composition for trace sets closed under selective interleaving functions - McLean - 1994
122	D.: Automatically hardening web applications using precise tainting - Nguyen-Tuong, Guarnieri, et al.
120	FormatGuard: Automatic protection from printf format string vulnerabilities - Cowan - 2001
91	Finding security vulnerabilities in Java applications with static analysis - Livshits, Lam - 2005
68	SQLrand: Preventing SQL injection attacks - Boyd, Keromytis - 2004
67	Using CQUAL for static analysis of authorization hook placement - ZHANG, EDWARDS, et al. - 2002
66	Complete, safe information flow with decentralized labels - Myers, Liskov - 1998
61	Memoryless subsystems - Fenton - 1974
53	Srinivas Devadas. Secure program execution via dynamic information flow tracking - Suh, Lee, et al. - 2004
49	Finding user/kernel pointer bugs with type inference - Johnson, Wagner - 2004
44	Defeating Memory Corruption Attacks via Pointer Taintedness Detection - Chen, Xu, et al.
40	Vassilis Prevelakis. Countering Code-Injection Attacks with Instruction-Set Randomization - Kc, Keromytis - 2003
39	Stackguard: Automatic Detection and Prevention of Buffer-Overflow Attacks - Cowan, Pu, et al. - 1998
17	Building survivable systems: An integrated approach based on intrusion detection and damage containment - Bowen, Chee, et al.
12	CIL: Intermediate language and tools for C program analysis and transformation - McPeak, Necula, et al. - 2002
3	Experiences with specification based intrusion detection - Uppuluri, Sekar - 2001