Taint Analysis


Last updated 11 months ago


Information Flow Security

  • Access control (a standard way to protect sensitive data)

    • checks whether the program has the rights/permissions to access certain information

    • concerns how information is accessed

  • Information flow security (end-to-end)

    • tracks how information flows through the program to make sure that the program handles the information securely

    • concerns how information is propagated

"A practical system needs both access and flow control to satisfy all security requirements." ——— D. Denning, 1976

Access control and flow control complement each other: access control alone cannot tell us how information is used after it has been accessed, so we need information flow control to keep the information under watch.

Information flow: if the information in variable x is transferred to variable y, then there is an information flow x -> y.

How do we connect information flow to security?

  • Classify program variables into different security levels

  • Specify the permissible flows between these levels, i.e., an information flow policy

The most basic model is the two-level policy, i.e., a variable is classified into one of two security levels (high security and low security).

Security levels can be modeled as a lattice, L ≤ H.

An information flow policy restricts how information flows between different security levels.

Noninterference policy

  • requires that the information in high variables have no effect on the information in low variables

  • that is, an observer cannot conclude anything about high information by observing low variables

As seen above, low variables can still override high variables, which means this policy cannot provide integrity for high-security information.

Confidentiality and Integrity

Confidentiality

  • Prevent secret information from being leaked

Integrity

  • Prevent untrusted information from corrupting (trusted) critical information

  • e.g., injection attacks

Explicit Flows and Covert Channels

We have seen how information flows through direct copying. This is called an explicit flow (e.g., x_L = y_H).

But there are also implicit flows, which arise when the control flow is affected by secret information.

Any difference in side effects under secret control encodes information about the control; such differences may be publicly observable and thus leak secret information (a covert channel, 隐蔽信道).

However, explicit flows generally carry more information than covert channels, so we focus on explicit flows.

Taint Analysis

Taint analysis is the most common information flow analysis. It classifies program data into two kinds:

  • Data of interest: some kind of label is associated with such data, which is called tainted data

  • All other data, called untainted data

The origins of tainted data are called sources. In practice, tainted data usually come from the return values of certain methods (regarded as sources).

Taint analysis tracks how tainted data flow through the program and observes if they can flow to locations of interest (called sinks). In practice, sinks are usually some sensitive methods.

Taint analysis and pointer analysis are very alike.
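The following is an added example, not code from these notes or from any analysis framework, that ties the two preceding sections together: a toy explicit-flow taint analysis over a constructed three-address IR, in which each source call site is treated like an allocation site in pointer analysis and a variable's taint set is the set of sources whose data may reach it. The statement forms, the variable names and the source/sink labels are all assumptions made up for this example; it also shows that a purely explicit-flow analysis misses the implicit flow through a branch on secret data.

```python
# Toy explicit-flow taint analysis (constructed example, not from the notes).
# Each source site is a distinct taint mark; a variable's taint set plays the
# role of a points-to set, and a sink is a "dereference" we check for marks.
from typing import Dict, List, Set, Tuple

Taint = Dict[str, Set[str]]  # variable -> set of source-site labels

def _join(a: Taint, b: Taint) -> Taint:
    """May-analysis join at a control-flow merge: union of marks per variable."""
    out = {v: set(s) for v, s in a.items()}
    for v, s in b.items():
        out.setdefault(v, set()).update(s)
    return out

def analyze(program: List[tuple], taint: Taint = None, leaks: list = None):
    """Statement forms of the constructed IR:
      ("source", dst, label)   dst = source()  -> dst gets mark `label`
      ("assign", dst, src)     dst = src       -> explicit flow src -> dst
      ("call", dst, args)      dst = f(args)   -> dst inherits all args' marks
      ("sink", var, label)     sink(var)       -> report var if it has marks
      ("if", cond, body)       body is a nested statement list
    Returns (taint state after the program, list of (sink, var, sources))."""
    taint = {} if taint is None else taint
    leaks = [] if leaks is None else leaks
    for stmt in program:
        op = stmt[0]
        if op == "source":
            taint[stmt[1]] = {stmt[2]}                 # like a fresh allocation
        elif op == "assign":
            taint[stmt[1]] = set(taint.get(stmt[2], set()))
        elif op == "call":
            taint[stmt[1]] = set().union(*(taint.get(a, set()) for a in stmt[2]))
        elif op == "sink":
            marks = taint.get(stmt[1], set())
            if marks:
                leaks.append((stmt[2], stmt[1], tuple(sorted(marks))))
        elif op == "if":
            # Only explicit flows inside the body are tracked; the dependence
            # of the body on `cond` (an implicit flow) is deliberately ignored.
            taken, _ = analyze(stmt[2], {v: set(s) for v, s in taint.items()}, leaks)
            taint = _join(taint, taken)
    return taint, leaks

# Constructed program: an injection-style explicit flow plus an implicit flow.
PROGRAM = [
    ("source", "q", "getParameter"),        # q = request.getParameter("id")
    ("assign", "t", "q"),                   # t = q             explicit flow
    ("call", "sql", ["prefix", "t"]),       # sql = concat(prefix, t)
    ("sink", "sql", "executeQuery"),        # executeQuery(sql)  -> reported
    ("source", "h", "readSecret"),          # h = readSecret()   high variable
    ("if", "h", [("assign", "l", "one")]),  # l = 1 under secret control
    ("sink", "l", "println"),               # println(l): implicit flow, missed
]

def run_example() -> Tuple[Taint, list]:
    return analyze(PROGRAM)
```

The first sink is reported with its originating source, while the second is not, because the value of `l` depends on `h` only through control flow.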
