Making Java programs safe through static flow analyses and dynamic checks.

InspectorJ is a tool that combines static flow analyses with dynamic checks to automatically detect security vulnerabilities in Java programs. It handles subtyping polymorphism and detects code that is vulnerable to timing attacks and to command injection. The tool provides an API for producing rich graphs that show how information flows through the program, and it instruments the Java program so that the unsafe parts of the code cannot execute.

Timing Attack

A timing attack exploits variation in a program's execution time. An attacker can recover confidential information, such as a password, by varying the input, measuring the execution time, and observing how it changes. Such variation arises whenever the confidential information controls the flow of the program, for example when a comparison loop returns at the first mismatching character.
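The following is an added example, not code from the page or from the InspectorJ project. It shows the kind of flaw the timing analysis looks for: a password comparison whose loop exits at the first mismatching byte (the secret controls a conditional), next to a version in which no branch depends on the secret's contents. The sample secret and guesses are constructed; the iteration counter is only there to make the leak visible without timing noise.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example (not InspectorJ code): a password check whose running time
// depends on the secret, next to a constant-time version of the same check.
public class PasswordCheck {

    // Vulnerable: the loop leaves at the first mismatching byte, so the number
    // of iterations, and with it the running time, reveals how many leading
    // bytes of the guess are correct. The secret decides the branch
    // `secret[i] != guess[i]`: a flow from the password into a conditional,
    // which is what a timing analysis reports.
    static boolean unsafeEquals(byte[] secret, byte[] guess) {
        if (secret.length != guess.length) {
            return false;
        }
        for (int i = 0; i < secret.length; i++) {
            if (secret[i] != guess[i]) {
                return false;   // early exit: time leaks the length of the matching prefix
            }
        }
        return true;
    }

    // Hardened: every byte is visited and the differences are OR-ed together;
    // no branch depends on the secret's contents, so the running time is the
    // same for every guess of the same length. MessageDigest.isEqual in the
    // standard library uses the same idea. (Both still reveal the length.)
    static boolean constantTimeEquals(byte[] secret, byte[] guess) {
        if (secret.length != guess.length) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < secret.length; i++) {
            diff |= secret[i] ^ guess[i];
        }
        return diff == 0;
    }

    // Counts the iterations unsafeEquals performs before returning, so the
    // leak is visible without depending on wall-clock noise.
    static int iterationsUntilExit(byte[] secret, byte[] guess) {
        int n = Math.min(secret.length, guess.length);
        for (int i = 0; i < n; i++) {
            if (secret[i] != guess[i]) {
                return i + 1;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        byte[] secret = "hunter2".getBytes(StandardCharsets.US_ASCII);   // constructed sample secret
        // Guesses sharing a longer prefix with the secret keep the unsafe loop
        // running longer: 1, 2, 4 and 7 iterations respectively.
        String[] guesses = {"xunter2", "hxnter2", "hunxer2", "hunter2"};
        for (String g : guesses) {
            byte[] guess = g.getBytes(StandardCharsets.US_ASCII);
            System.out.printf("%s unsafe=%b iterations=%d constantTime=%b isEqual=%b%n",
                    g, unsafeEquals(secret, guess), iterationsUntilExit(secret, guess),
                    constantTimeEquals(secret, guess), MessageDigest.isEqual(secret, guess));
        }
    }
}
```

In InspectorJ's terms, `secret` is the source and the `if` inside the loop of `unsafeEquals` is the sink that the tainted flow reaches; `constantTimeEquals` has no such path because the only conditional that reads the secret reads its length, and the per-byte comparison is replaced by arithmetic.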

Command Injection

Command injection is an attack whose purpose is to execute commands on the operating system that hosts a vulnerable application. It becomes possible when the application passes user-supplied data to a system shell. The operating system commands supplied by the attacker then run with the privileges of the vulnerable application.
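As an added example, not code from the page, the InspectorJ project or the Flickr application mentioned later, here is a routine that opens a URL in a browser written the injectable way and the hardened way. The hostile URL is constructed; the launcher commands (rundll32, open, xdg-open) are a choice made for this example. It prints the command lines rather than executing them.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

// Added example (not InspectorJ code): user-controlled text concatenated into
// a shell command line versus passed as a single, validated argument.
public class OpenUrl {

    // Vulnerable. Runtime.exec(String) splits this on whitespace and starts
    // cmd.exe, which parses the whole line again: a URL such as
    // "http://example.com/&calc.exe" makes cmd.exe run calc.exe as a second
    // command. The user-controlled `url` flows straight into the sink.
    static String unsafeCommandLine(String url) {
        return "cmd.exe /c start " + url;   // what Runtime.getRuntime().exec(...) would receive
    }

    // Hardened, part 1: accept only absolute http(s) URLs with a host. This
    // also rules out values starting with "-" that a launcher might read as an
    // option, and non-web schemes such as file: or javascript:.
    static boolean isHttpUrl(String url) {
        try {
            URI u = new URI(url);
            String scheme = u.getScheme();
            return ("http".equals(scheme) || "https".equals(scheme)) && u.getHost() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    // Hardened, part 2: build an argument vector for a launcher that does not
    // go through a shell, so the URL arrives as exactly one argument.
    // (Passing "cmd.exe", "/c", "start" as a list would NOT help: cmd.exe
    // re-parses its command line and would still honour the '&'.)
    static List<String> safeCommand(String os, String url) {
        if (!isHttpUrl(url)) {
            throw new IllegalArgumentException("refusing to open non-http URL: " + url);
        }
        if (os.startsWith("Windows")) {
            return Arrays.asList("rundll32", "url.dll,FileProtocolHandler", url);
        } else if (os.startsWith("Mac")) {
            return Arrays.asList("open", url);
        } else {
            return Arrays.asList("xdg-open", url);
        }
    }

    public static void main(String[] args) {
        String benign = "https://www.flickr.com/";
        String hostile = "http://example.com/&calc.exe";   // constructed attacker input

        System.out.println(unsafeCommandLine(hostile));
        // cmd.exe /c start http://example.com/&calc.exe   (two commands for cmd.exe)

        System.out.println(safeCommand("Windows 10", hostile));
        // [rundll32, url.dll,FileProtocolHandler, http://example.com/&calc.exe]
        // one argument that no shell ever parses

        System.out.println(safeCommand("Linux", benign));
        try {
            safeCommand("Linux", "file:///etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // To actually launch: new ProcessBuilder(safeCommand(System.getProperty("os.name"), benign)).start();
    }
}
```

The point worth remembering is that switching from `Runtime.exec(String)` to `ProcessBuilder` with a list only removes the injection when the first element is not itself a shell; with `cmd.exe` or `sh -c` at the front, the shell re-tokenises the line and the metacharacters come back.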

Subtyping Polymorphism

Subtyping polymorphism occurs when a variable is declared with a type that has several subtypes, and the concrete subtype of the object it holds is only fixed when that object is instantiated. Typical cases are a class with several subclasses that extend it, or an interface implemented by several classes; with dynamic dispatch, which method body runs at a call site is then decided at run time.

Architecture

Properties File

To use the tool, the user provides a Java program and an appropriately configured properties file. The properties file supplies additional information, such as which program elements are the sources and which are the sinks; these determine which flow of confidential data is tracked and which type of analysis is performed. For a timing attack, for example, the source is the password and the sinks are the conditional branches.

Transformation
Intermediate Representation

With these inputs, the Java program is transformed into Shimple, the intermediate representation of the Soot compiler framework in Static Single Assignment (SSA) form, in which every variable has exactly one definition. InspectorJ then analyses the Shimple code and builds the dependence graph.

Dependence Graph

A dependence graph represents the data and control dependences between the variables of the program. Data dependence: an instruction defines a variable a using a variable b, as in a = b + 1, so a depends on b. Control dependence: a conditional branch such as if p == 0 then a = b + 1 else a = b - 1 makes the value of a depend on the value of p. The nodes represent the program's variables and the sinks; the edges represent the dependences.

Tainted Flow

To detect a vulnerability, the tool searches the graph for paths from the source to the sinks. Such a path is a tainted flow, and wherever one exists the tool reports a vulnerability in the code. The tool highlights these paths in red to show the user where the problem is. For timing attacks, InspectorJ searches for paths from the password to conditional branches. In the graph, variables are drawn as squares, the source as an X, and the sinks as other shapes, such as triangles and diamonds.
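To make the two preceding sections concrete, the following added example (not InspectorJ's own implementation, which works on Shimple inside Soot) builds a dependence graph from a small hand-written SSA-style program and searches it for source-to-sink paths. The program, the node naming (cond:<id> for branches, call:<name> for sink methods) and the choice of sinks per analysis are assumptions of this example. It needs Java 9 or later for List.of and Set.of.

```java
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

// Added example, not InspectorJ's own implementation: a dependence graph over a
// small SSA-style program and a source-to-sink path search on it.
public class TaintGraph {

    // One SSA statement. `target` is the node the statement produces: the
    // defined variable for an assignment, "cond:<id>" for a branch, or
    // "call:<name>" for a call to a sink method. `uses` are the variables it
    // reads; `controlledBy` is the id of the branch that decides whether it runs.
    static final class Stmt {
        final String target;
        final List<String> uses;
        final String controlledBy;
        Stmt(String target, String controlledBy, String... uses) {
            this.target = target;
            this.controlledBy = controlledBy;
            this.uses = List.of(uses);
        }
    }

    static Stmt assign(String def, String ctrl, String... uses) { return new Stmt(def, ctrl, uses); }
    static Stmt branch(String id, String ctrl, String... uses) { return new Stmt("cond:" + id, ctrl, uses); }
    static Stmt call(String name, String ctrl, String... uses) { return new Stmt("call:" + name, ctrl, uses); }

    // An edge u -> v means "v depends on u".
    static Map<String, Set<String>> build(List<Stmt> program) {
        Map<String, Set<String>> g = new LinkedHashMap<>();
        for (Stmt s : program) {
            g.computeIfAbsent(s.target, k -> new LinkedHashSet<>());
            for (String u : s.uses) {                 // data dependence: a = b + 1 gives b -> a
                g.computeIfAbsent(u, k -> new LinkedHashSet<>()).add(s.target);
            }
            if (s.controlledBy != null) {             // control dependence: if (p == 0) a = ... gives cond -> a
                g.computeIfAbsent("cond:" + s.controlledBy, k -> new LinkedHashSet<>()).add(s.target);
            }
        }
        return g;
    }

    // Every simple path from `source` to the first node satisfying `isSink`;
    // each one is a tainted flow.
    static List<List<String>> taintedPaths(Map<String, Set<String>> g, String source, Predicate<String> isSink) {
        List<List<String>> found = new ArrayList<>();
        dfs(g, source, isSink, new ArrayDeque<>(), new HashSet<>(), found);
        return found;
    }

    private static void dfs(Map<String, Set<String>> g, String node, Predicate<String> isSink,
                            Deque<String> path, Set<String> onPath, List<List<String>> found) {
        path.addLast(node);
        onPath.add(node);
        if (isSink.test(node)) {
            found.add(new ArrayList<>(path));
        } else {
            for (String next : g.getOrDefault(node, Set.of())) {
                if (!onPath.contains(next)) dfs(g, next, isSink, path, onPath, found);
            }
        }
        onPath.remove(node);
        path.removeLast();
    }

    // Constructed program in the spirit of Shimple: the body of a
    // password-comparison loop plus a shell command built from another input.
    static List<Stmt> sampleProgram() {
        return List.of(
            assign("pw", null),                  // pw = readPassword()   (secret source)
            assign("input", null),               // input = readLine()    (untrusted source)
            assign("n", null, "pw"),             // n = pw.length()
            assign("i", null),                   // i = 0
            branch("b1", null, "i", "n"),        // if (i < n)
            assign("c", "b1", "pw", "i"),        // c = pw.charAt(i)      runs only inside b1
            branch("b2", "b1", "c"),             // if (c == 'x')         nested in b1
            assign("cmd", null, "input"),        // cmd = "ls " + input
            call("exec", null, "cmd"),           // Runtime.exec(cmd)
            call("log", null, "n"));             // log(n)               not a command sink
    }

    public static void main(String[] args) {
        Map<String, Set<String>> g = build(sampleProgram());
        // Timing analysis: source pw, every conditional is a sink.
        for (List<String> p : taintedPaths(g, "pw", node -> node.startsWith("cond:")))
            System.out.println("timing:    " + String.join(" -> ", p));
        // Command injection: source input, the exec call is the sink.
        for (List<String> p : taintedPaths(g, "input", "call:exec"::equals))
            System.out.println("injection: " + String.join(" -> ", p));
        System.out.println("pw reaches exec? " + !taintedPaths(g, "pw", "call:exec"::equals).isEmpty());
    }
}
```

Running it reports two timing flows, pw -> n -> cond:b1 and pw -> c -> cond:b2, one injection flow, input -> cmd -> call:exec, and no path from pw to exec. The control edge from cond:b1 to c is what would let a value reached only through a branch outcome still count as tainted, which a purely data-flow graph would miss.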

Interactive Graph

The tool outputs a rich, interactive graph that shows how information flows through the program. Among its features: saving the graph as an image; generating a video that traverses the graph along the tainted flow, passing through every variable that belongs to it; zooming in on parts of the graph to see them more clearly; and others.

Instrumentation

In addition to the static analyses, the tool performs a dynamic check. When the code uses subtyping polymorphism and dynamic dispatch, the run-time type of an object is only known during execution. If the static analysis finds that the method of any of the object's possible types is unsafe, the tool inserts a guard in the Java program at each point where the unsafe method could be called. In this way the instrumentation prevents the unsafe parts of the code from executing while the other implementations keep working.
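The following added example ties the Subtyping Polymorphism section to this one. It is neither the Flickr application's code nor InspectorJ's generated instrumentation: one interface with three implementations chosen by OS name, a constructed set of receiver classes that the static analysis is assumed to have flagged, and a guard at the dispatch site that blocks only the flagged class.

```java
import java.util.List;
import java.util.Set;

// Added example, neither the Flickr application's code nor InspectorJ's own
// instrumentation: one interface with three implementations chosen at run time,
// and the guard a static analysis would insert at the dispatch site.
public class GuardedDispatch {

    // Static type used at the call site; which method body runs is chosen by
    // the object's run-time class (dynamic dispatch).
    interface BrowserOpener {
        List<String> open(String url);   // argument vector for ProcessBuilder
    }

    // Unsafe implementation: the URL is glued into a string that cmd.exe will
    // parse, so "http://example.com/&calc.exe" runs a second command.
    static final class WindowsOpener implements BrowserOpener {
        public List<String> open(String url) {
            return List.of("cmd.exe", "/c", "start " + url);
        }
    }

    // Safe implementations: the URL is a separate argument and no shell is involved.
    static final class MacOpener implements BrowserOpener {
        public List<String> open(String url) { return List.of("open", url); }
    }
    static final class LinuxOpener implements BrowserOpener {
        public List<String> open(String url) { return List.of("xdg-open", url); }
    }

    // Result of the static analysis: the receiver classes whose open() is
    // reached by a tainted flow. Constructed here; a real tool derives it from
    // its dependence-graph search.
    static final Set<Class<?>> UNSAFE_RECEIVERS = Set.of(WindowsOpener.class);

    // The program picks the implementation from the OS name, so at the call
    // sites below only the interface type is known statically.
    static BrowserOpener openerFor(String osName) {
        if (osName.startsWith("Windows")) return new WindowsOpener();
        if (osName.startsWith("Mac")) return new MacOpener();
        return new LinuxOpener();
    }

    // Call site as the application wrote it.
    static List<String> openUnguarded(BrowserOpener opener, String url) {
        return opener.open(url);
    }

    // The same call site after instrumentation: the guard sits where the
    // unsafe method could be called and consults the run-time class, so the
    // safe implementations are not hindered.
    static List<String> openGuarded(BrowserOpener opener, String url) {
        if (UNSAFE_RECEIVERS.contains(opener.getClass())) {
            throw new SecurityException("blocked " + opener.getClass().getSimpleName()
                    + ".open(): flagged as command injection by static analysis");
        }
        return opener.open(url);
    }

    public static void main(String[] args) {
        String url = "http://example.com/&calc.exe";   // constructed hostile input
        for (String os : List.of("Windows 10", "Mac OS X", "Linux")) {
            BrowserOpener opener = openerFor(os);
            System.out.println(os + " unguarded: " + openUnguarded(opener, url));
            try {
                System.out.println(os + " guarded:   " + openGuarded(opener, url));
            } catch (SecurityException e) {
                System.out.println(os + " guarded:   " + e.getMessage());
            }
        }
    }
}
```

The guard is keyed on the run-time class rather than on the static type because, at the call site, every implementation shares the static type BrowserOpener; checking the class is what lets the Mac and Linux paths run unchanged while the Windows path is stopped before the shell is reached.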

Results

Timing Attack detected

We have incorporated InspectorJ into the production environment of Prodemge, the IT company of the Minas Gerais state government. The tool was run on one of Prodemge's internal products to determine whether any flaw made the system susceptible to timing attacks. One flaw was detected and the code was patched. The image below shows the graph the tool generated for the internal product's code, together with the detected tainted flow.

Command Injection detected

The tool detected a command injection vulnerability in a GitHub project, a Flickr application that uses subtyping polymorphism and dynamic dispatch. The program checks which operating system the user is running (Windows, OS X or Linux) to decide how to open a browser, calling an OS-specific method for each. InspectorJ detected a command injection in the Windows-specific method and instrumented the code to prevent that method from executing, without hindering calls to the other methods.

Publications in Conferences

Carina Capelão de Oliveira, Glauco Gonçalves Cardoso and Fernando Magno Quintão Pereira. InspectorJ: Uma Ferramenta de Análise Estática para Detectar Código não Isócrono em Programas Java (InspectorJ: A Static Analysis Tool to Detect Non-Isochronous Code in Java Programs). CBSoft Tools, Fortaleza, Brazil, 2017 (Best Paper).

Carina Capelão de Oliveira, Glauco Gonçalves Cardoso and Fernando Magno Quintão Pereira. Aplicação Dinâmica de Políticas Estáticas de Fluxo (Dynamic Enforcement of Static Flow Policies). SBSeg, Brasília, Brazil, 2017.

Our Team

Carina Capelão
UFMG

Glauco Cardoso
PRODEMGE

Fernando Pereira
UFMG