Presented at
AppSec USA 2017,
Sept. 21, 2017, 3:30 p.m.
(45 minutes).
The information security industry has a long history of challenges when it comes to ensuring the safety of user input data. User input must be escaped when using a template to build a string. Whether in HTML, SQL, or shell commands it is best practice to escape data from untrusted sources. Most of the time this is done by having the developer think through all possible code paths the string could have taken. This requires heroic effort and is still error-prone. Far more reliable is using a type or metadata system to tag the data and track it through the system, but this requires the designer of the system to consistently use the tagged string types, or have some additional runtime support to provide a tracking mechanism. Further, such techniques (explored extensively in academic research) have invariably encountered severe performance impacts, making them unpractical for runtime protection.
We propose a black-box taint tracking system in which we observe only the user inputs (http parameters) and system outputs (commands and SQL queries). By parsing the input and the output commands we can determine if an input data partition straddles an output data partition. This would indicate that the input data partition had injected information from the data portion of the input to the command portion of the output. Since we look only at the input and output of the application code, code complexity is arbitrary. Previously, if a system was not designed from the beginning to have taint tracking, introducing taint tracking was cost prohibitive. "Approximate taint tracking" allows after-the-fact introduction of these protections in a way that is cost-effective, and performant.
Presenters:
-
Boris Chen
- VP of Engineering - tCell.io, Inc.
Boris is co-founder and VP of Engineering at tCell, a security startup based in San Francisco. tCell's solution is the next generation of runtime attack monitoring and protection for web applications, covering the OWASP Top 10 and more. Boris's interest lies in the intersection of security and analytics, and has has an extensive track-record in leading engineering teams at companies such as Splunk, BEA Systems/WebLogic. He earned his BS in EECS at UC Berkeley.
Links:
Similar Presentations: