Dynamic taint propagation for Java

21st Annual Computer Security Applications Conference (ACSAC'05) Pub Date : 2005-12-05 DOI:10.1109/CSAC.2005.21
Vivek Haldar, Deepak Chandra, M. Franz
{"title":"Dynamic taint propagation for Java","authors":"Vivek Haldar, Deepak Chandra, M. Franz","doi":"10.1109/CSAC.2005.21","DOIUrl":null,"url":null,"abstract":"Improperly validated user input is the underlying root cause for a wide variety of attacks on Web-based applications. Static approaches for detecting this problem help at the time of development, but require source code and report a number of false positives. Hence, they are of little use for securing fully deployed and rapidly evolving applications. We propose a dynamic solution that tags and tracks user input at runtime and prevents its improper use to maliciously affect the execution of the program. Our implementation can be transparently applied to Java classfiles, and does not require source code. Benchmarks show that the overhead of this runtime enforcement is negligible and can prevent a number of attacks","PeriodicalId":422994,"journal":{"name":"21st Annual Computer Security Applications Conference (ACSAC'05)","volume":"98 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-12-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"252","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"21st Annual Computer Security Applications Conference (ACSAC'05)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSAC.2005.21","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 252

Abstract

Improperly validated user input is the underlying root cause for a wide variety of attacks on Web-based applications. Static approaches for detecting this problem help at the time of development, but require source code and report a number of false positives. Hence, they are of little use for securing fully deployed and rapidly evolving applications. We propose a dynamic solution that tags and tracks user input at runtime and prevents its improper use to maliciously affect the execution of the program. Our implementation can be transparently applied to Java classfiles, and does not require source code. Benchmarks show that the overhead of this runtime enforcement is negligible and can prevent a number of attacks
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Java的动态污染传播
未经正确验证的用户输入是针对基于web的应用程序的各种攻击的根本原因。用于检测此问题的静态方法在开发时很有帮助,但需要源代码并报告许多误报。因此,它们对于保护完全部署和快速发展的应用程序几乎没有用处。我们提出了一个动态的解决方案,在运行时标记和跟踪用户输入,并防止其被不当使用来恶意影响程序的执行。我们的实现可以透明地应用于Java类文件,并且不需要源代码。基准测试表明,这种运行时强制执行的开销可以忽略不计,并且可以防止许多攻击
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
21st Annual Computer Security Applications Conference (ACSAC'05)
21st Annual Computer Security Applications Conference (ACSAC'05)
自引率
0.00%
发文量
0
期刊最新文献
User-centered security: stepping up to the grand challenge Countering trusting trust through diverse double-compiling Automatic generation of buffer overflow attack signatures: an approach based on program behavior models Evolving successful stack overflow attacks for vulnerability testing Replay attack in TCG specification and solution
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1