Team for Research in
Ubiquitous Secure Technology

Efficient Character-Level Taint Tracking for Java
Erika Chin

Citation
Erika Chin. "Efficient Character-Level Taint Tracking for Java". Talk or presentation, 30, November, 2009.

Abstract
Over 80% of web services are vulnerable to attack, and much of the danger arises from command injection vulnerabilities. We present an efficient character-level taint tracking system for Java web applications and argue that it can be used to defend against command injection vulnerabilities. Our approach involves modification only to Java library classes and the implementation of the Java servlets framework, so it requires only a one-time modification to the server without any subsequent modifications to a web application's bytecode or access to the web application's source code. This makes it easy to deploy our technique and easy to secure legacy web software. Our preliminary experiments with the JForum web application suggest that character-level taint tracking adds 0-15% runtime overhead.
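To make the mechanism in the abstract concrete, here is an added Java sketch (not code from the talk or its prototype) of what character-level taint means in practice: every character of a string carries a taint bit, the bits follow the characters through concat and substring, and a sink checks that untrusted characters never supply the structural parts of a SQL statement. The `TaintedString` wrapper, the `BitSet` representation and the sink policy in `firstStructuralTaint` are assumptions chosen for the example; the approach described on this page instead patches the Java library classes and the servlet implementation so that ordinary `java.lang.String` carries the taint and the application code is left untouched.

```java
import java.util.BitSet;

// Added illustration of per-character taint propagation and a sink-side check.
// TaintedString, its BitSet mask and the policy below are assumptions for this
// example, not the implementation the talk describes (which modifies
// java.lang.String and the servlet framework rather than using a wrapper).
public final class CharTaintDemo {

    static final class TaintedString {
        final String value;
        final BitSet taint;  // bit i set => value.charAt(i) originated from untrusted input

        TaintedString(String value, BitSet taint) {
            this.value = value;
            this.taint = taint;
        }

        // Program literals and constants carry no taint.
        static TaintedString trusted(String s) {
            return new TaintedString(s, new BitSet(s.length()));
        }

        // Request parameters, headers and cookies: every character is tainted.
        static TaintedString untrusted(String s) {
            BitSet b = new BitSet(s.length());
            b.set(0, s.length());
            return new TaintedString(s, b);
        }

        // Concatenation shifts the right operand's taint bits by this string's length.
        TaintedString concat(TaintedString other) {
            BitSet b = (BitSet) taint.clone();
            for (int i = other.taint.nextSetBit(0); i >= 0; i = other.taint.nextSetBit(i + 1)) {
                b.set(value.length() + i);
            }
            return new TaintedString(value + other.value, b);
        }

        // Substring keeps exactly the bits of the retained range; BitSet.get(from, to)
        // returns those bits re-based at index 0, so taint follows characters, not positions.
        TaintedString substring(int begin, int end) {
            return new TaintedString(value.substring(begin, end), taint.get(begin, end));
        }

        boolean isTainted(int i) {
            return taint.get(i);
        }
    }

    // Sink policy (simplified for the example): untrusted characters may only contribute
    // ordinary literal content. A tainted quote, semicolon, backslash or comment start
    // would change the statement's structure and is rejected. Returns -1 when the
    // statement is acceptable, otherwise the index of the first offending character.
    static int firstStructuralTaint(TaintedString q) {
        String v = q.value;
        for (int i = 0; i < v.length(); i++) {
            if (!q.isTainted(i)) {
                continue;
            }
            char c = v.charAt(i);
            boolean commentStart = c == '-' && i + 1 < v.length()
                    && v.charAt(i + 1) == '-' && q.isTainted(i + 1);
            if (c == '\'' || c == '"' || c == ';' || c == '\\' || commentStart) {
                return i;
            }
        }
        return -1;
    }

    // The kind of string-built query the check protects: trusted SQL around one
    // untrusted parameter.
    static TaintedString buildQuery(String authorParam) {
        return TaintedString.trusted("SELECT * FROM posts WHERE author = '")
                .concat(TaintedString.untrusted(authorParam))
                .concat(TaintedString.trusted("'"));
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for HttpServletRequest.getParameter("author").
        TaintedString benign = buildQuery("alice");
        TaintedString hostile = buildQuery("x' OR '1'='1");

        // No tainted structural character: the statement may be executed.
        System.out.println(benign.value + " -> first structural taint at "
                + firstStructuralTaint(benign));
        // The tainted quote that closes the literal early is reported: block the query.
        System.out.println(hostile.value + " -> first structural taint at "
                + firstStructuralTaint(hostile));

        // Taint survives substring: extracting the parameter back out of the query
        // yields a string whose characters are all still marked untrusted.
        int start = "SELECT * FROM posts WHERE author = '".length();
        TaintedString param = hostile.substring(start, hostile.value.length() - 1);
        System.out.println("parameter '" + param.value + "' tainted at 0? " + param.isTainted(0));
    }
}
```

The sink check is deliberately the simplest policy that illustrates the idea; a deployable version would tokenize the statement with a SQL grammar and require that no token boundary be decided by a tainted character, and the same per-character information lets the server apply equivalent policies at other command sinks (shell, LDAP, HTML) without changing the web application.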

Electronic downloads

  • 10%20-%20Chin.pptx · application/vnd.openxmlformats-officedocument.presentationml.pre · 216 kbytes
Citation formats
  • HTML
    Erika Chin. <a
    href="http://www.truststc.org/pubs/640.html"
    ><i>Efficient Character-Level Taint Tracking for
    Java</i></a>, Talk or presentation,  30,
    November, 2009.
  • Plain text
    Erika Chin. "Efficient Character-Level Taint Tracking
    for Java". Talk or presentation,  30, November, 2009.
  • BibTeX
    @presentation{Chin09_EfficientCharacterLevelTaintTrackingForJava,
        author = {Erika Chin},
        title = {Efficient Character-Level Taint Tracking for Java},
        day = {30},
        month = {November},
        year = {2009},
        abstract = {Over 80% of web services are vulnerable to attack,
                  and much of the danger arises from command
                  injection vulnerabilities. We present an efficient
                  character-level taint tracking system for Java web
                  applications and argue that it can be used to
                  defend against command injection vulnerabilities.
                  Our approach involves modification only to Java
                  library classes and the implementation of the Java
                  servlets framework, so it requires only a one-time
                  modification to the server without any subsequent
                  modifications to a web application's bytecode or
                  access to the web application's source code. This
                  makes it easy to deploy our technique and easy to
                  secure legacy web software. Our preliminary
                  experiments with the JForum web application
                  suggest that character-level taint tracking adds
                  0-15% runtime overhead.},
        URL = {http://www.truststc.org/pubs/640.html}
    }

Posted by Larry Rohrbough on 5 Nov 2009.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.