Team for Research in Ubiquitous Secure Technology

Efficient Character-level Taint Tracking for Java
Erika Chin, David Wagner

Citation
Erika Chin, David Wagner. "Efficient Character-level Taint Tracking for Java". 2009 ACM Workshop on Secure Web Services, 13, November, 2009.

Abstract
Over 80% of web services are vulnerable to attack, and much of the danger arises from command injection vulnerabilities. We present an efficient character-level taint tracking system for Java web applications and argue that it can be used to defend against command injection vulnerabilities. Our approach involves modification only to Java library classes and the implementation of the Java servlets framework, so it requires only a one-time modification to the server without any subsequent modifications to a web application's bytecode or access to the web application's source code. This makes it easy to deploy our technique and easy to secure legacy web software. Our preliminary experiments with the JForum web application suggest that character-level taint tracking adds 0-15% runtime overhead.
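To make the mechanism described in the abstract concrete, the following Java sketch is an added example, not the paper's implementation (which modifies the JDK's own String classes and the servlet framework in place rather than introducing a wrapper type). The hypothetical `TaintedString` carries one taint bit per character and propagates those bits through `concat` and `substring`; the hypothetical `SqlSink` applies a deliberately crude sink policy (reject any tainted character that is a SQL metacharacter), which is an assumption for illustration only, not the paper's policy. The request parameters are constructed sample values.

```java
import java.util.Arrays;

/**
 * Per-character taint: every char carries one bit recording whether it came
 * from an untrusted source (e.g. an HTTP request parameter). String operations
 * copy the bits along with the characters, so taint survives concatenation
 * and slicing instead of being lost when strings are rebuilt.
 */
final class TaintedString {
    private final String value;
    private final boolean[] taint; // taint[i] is true when value.charAt(i) is untrusted

    private TaintedString(String value, boolean[] taint) {
        this.value = value;
        this.taint = taint;
    }

    /** Literals and other server-controlled text: every bit clear. */
    static TaintedString trusted(String s) {
        return new TaintedString(s, new boolean[s.length()]);
    }

    /** Data read from the request: every bit set. */
    static TaintedString untrusted(String s) {
        boolean[] t = new boolean[s.length()];
        Arrays.fill(t, true);
        return new TaintedString(s, t);
    }

    /** Concatenation keeps each side's bits in their original positions. */
    TaintedString concat(TaintedString other) {
        boolean[] t = Arrays.copyOf(taint, taint.length + other.taint.length);
        System.arraycopy(other.taint, 0, t, taint.length, other.taint.length);
        return new TaintedString(value + other.value, t);
    }

    /** Substring slices the bit array exactly as it slices the characters. */
    TaintedString substring(int begin, int end) {
        return new TaintedString(value.substring(begin, end),
                                 Arrays.copyOfRange(taint, begin, end));
    }

    boolean isTainted(int i) { return taint[i]; }
    String value() { return value; }
    int length() { return value.length(); }
}

/** Sink-side check. The policy here is a simplifying assumption, not the paper's. */
final class SqlSink {
    // Characters that can change the structure of a SQL statement.
    private static final String META = "'\";\\";

    /** Index of the first tainted metacharacter, or -1 if the query passes. */
    static int firstViolation(TaintedString q) {
        for (int i = 0; i < q.length(); i++) {
            if (q.isTainted(i) && META.indexOf(q.value().charAt(i)) >= 0) {
                return i;
            }
        }
        return -1;
    }
}

public class TaintDemo {
    public static void main(String[] args) {
        // Server-controlled query skeleton: trusted, including its own quotes.
        TaintedString prefix = TaintedString.trusted("SELECT id FROM users WHERE name = '");
        TaintedString suffix = TaintedString.trusted("'");

        // Constructed request parameters: one benign, one that smuggles a quote.
        TaintedString benign  = TaintedString.untrusted("alice");
        TaintedString hostile = TaintedString.untrusted("x' OR 1=1");

        TaintedString ok  = prefix.concat(benign).concat(suffix);
        TaintedString bad = prefix.concat(hostile).concat(suffix);

        // The trusted quotes never trip the check; only the tainted one does.
        System.out.println(ok.value()  + "  -> violation at " + SqlSink.firstViolation(ok));
        System.out.println(bad.value() + "  -> violation at " + SqlSink.firstViolation(bad));

        // Taint survives slicing: the two-char slice "x'" still carries its bits.
        TaintedString slice = bad.substring(prefix.length(), prefix.length() + 2);
        System.out.println("slice " + slice.value() + " tainted at 1: " + slice.isTainted(1));
    }
}
```

The point the example isolates is why character granularity matters: a whole-string taint flag would mark `ok` and `bad` identically (both contain untrusted data), whereas per-character bits let the sink distinguish the application's own quotes from a quote that arrived inside the parameter. A real deployment would hook the check into the JDBC or shell-execution sink rather than calling it by hand.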

Citation formats
  • HTML
    Erika Chin, David Wagner. <a
    href="http://www.truststc.org/pubs/629.html"
    >Efficient Character-level Taint Tracking for
    Java</a>, 2009 ACM Workshop on Secure Web Services,
    13, November, 2009.
  • Plain text
    Erika Chin, David Wagner. "Efficient Character-level
    Taint Tracking for Java". 2009 ACM Workshop on Secure
    Web Services, 13, November, 2009.
  • BibTeX
    @inproceedings{ChinWagner09_EfficientCharacterlevelTaintTrackingForJava,
        author = {Erika Chin and David Wagner},
        title = {Efficient Character-level Taint Tracking for Java},
        booktitle = {2009 ACM Workshop on Secure Web Services},
        day = {13},
        month = {November},
        year = {2009},
        abstract = {Over 80% of web services are vulnerable to attack,
                  and much of the danger arises from command
                  injection vulnerabilities. We present an efficient
                  character-level taint tracking system for Java web
                  applications and argue that it can be used to
                  defend against command injection vulnerabilities.
                  Our approach involves modification only to Java
                  library classes and the implementation of the Java
                  servlets framework, so it requires only a one-time
                  modification to the server without any subsequent
                  modifications to a web application's bytecode or
                  access to the web application's source code. This
                  makes it easy to deploy our technique and easy to
                  secure legacy web software. Our preliminary
                  experiments with the JForum web application
                  suggest that character-level taint tracking adds
                  0-15% runtime overhead. },
        URL = {http://www.truststc.org/pubs/629.html}
    }

Posted by Erika Chin on 25 Aug 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.