Errors in the sanitization of user inputs lead to serious security vulnerabilities. Many applications contain such errors, making them vulnerable to input sanitization exploits. As a result, internet worms that exploit vulnerabilities in applications infect hundreds of thousands of users in a short time, causing hundreds of millions of dollars in damages. To successfully counter internet worm attacks, we need automatic detection and defense mechanisms. First, we need automatic detection mechanisms that can detect runtime attacks against vulnerabilities. A disclosure mechanism should be simple to deploy and should produce few false positives and few false negatives. In this paper we present Tainer, an automatic dynamic taint analysis framework to detect and generate exploits for sanitization-based vulnerabilities in Java web applications. In particular, our method is based on tracking the flow of taint information from untrusted input to the application's sensitive methods (such as console, file, network, database or another program). Our proposed framework is portable, quick, and accurate, and does not need the source code of applications. We demonstrate the usefulness of the framework by detecting several actual zero-day vulnerabilities in popular Java applications.
CITATION STYLE
Ashouri, M. (2019). Practical Dynamic Taint Tracking for Exploiting Input Sanitization Error in Java Applications. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11547 LNCS, pp. 494–513). Springer Verlag. https://doi.org/10.1007/978-3-030-21548-4_27