Detecting Vulnerabilities in Web Code with concolic execution

Slides:



Advertisements
Similar presentations
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Advertisements

Nick Feamster CS 6262 Spring 2009
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Prevent Cross-Site Scripting (XSS) attack
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.
Penetration Testing James Walden Northern Kentucky University.
1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Exploitation: Buffer Overflow, SQL injection, Adobe files Source:
Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.
HAMPI A Solver for String Constraints Vijay Ganesh MIT (With Adam Kiezun, Philip Guo, Pieter Hooimeijer and Mike Ernst)
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.
© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011.
Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.
EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Introduction SQL Injection is a very old security attack. It first came into existence in the early 1990's ex: ”Hackers” movie hero does SQL Injection.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Database and Cloud Security
Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory
Group 18: Chris Hood Brett Poche
Web Application Security
Module: Software Engineering of Web Applications
CSCE 548 Student Presentation Ryan Labrador
The STEM Academy Data Solution
Presentation by: Naga Sri Charan Pendyala
Module: Software Engineering of Web Applications
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Introduction to Dynamic Web Programming
Static Detection of Cross-Site Scripting Vulnerabilities
CS 371 Web Application Programming
Theodore Lawson CSCE548 Student Presentation, Topic #2
SQL Injection Attacks Many web servers have backing databases
Cross-Site Forgery
Secure Software Development: Theory and Practice
Web Systems Development (CSC-215)
PHP: Security issues FdSc Module 109 Server side scripting and
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Foundations of Network and Computer Security
Web DB Programming: PHP
HYPERTEXT PREPROCESSOR BY : UMA KAKKAR
CS5123 Software Validation and Quality Assurance
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems
Automatically Hardening Web Applications Using Precise Tainting
Exploring DOM-Based Cross Site Attacks
Presentation transcript:

Detecting Vulnerabilities in Web Code with concolic execution Suman Jana *slides are adapted from Adam Kiezun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks SQLI attacks Automatic Creation of SQL Injection and Cross-Site Scripting Attacks PHP Source Code Reflected XSS attacks Stored XSS attacks Briefly describe diagram and VERY HIGH-LEVEL overview of our tool - INPUT and OUTPUT Ardilla by Kiezun et al. [ ICSE 2009 ]

Overview Problem: Approach: Results: Automatically generate inputs Finding security vulnerabilities (SQLI and XSS) in Web applications Approach: Automatically generate inputs Dynamically track taint Mutate inputs to produce exploits Results: 60 unique new vulnerabilities in 5 PHP applications first to create 2nd-order XSS, no false positives Don’t read the slide - mention that it’s an OFFLINE DYNAMIC ANALYSIS Also mention how this will only be a preview of the paper, don’t have room to discuss some of our contributions in-depth

PHP Web applications $_GET[] <HTML> … <script> PHP application $_POST[] http://www.example.com/register.php?name=Bob&age=25 Describe in terms of INPUTS and OUTPUTS GET and POST are mappings Data HTML PHP on webserver SQL URL Database Web browser

Example: Message board (add mode) if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTopic(); else die(“Error: invalid mode”); function addMessageForTopic() { $my_msg = $_GET['msg']; $my_topicID = $_GET['topicID']; $my_poster = $_GET['poster']; $sqlstmt = ” INSERT INTO messages VALUES('$my_msg’ , '$my_topicID') "; $result = mysql_query($sqlstmt); echo "Thanks for posting, $my_poster”; } $_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = “Bob” Thanks for posting, Bob

Example: Message board (display mode) if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTopic(); else die(“Error: invalid mode”); function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); while($row = mysql_fetch_assoc($result)) { echo "Message: " . $row['msg']; } } $_GET[]: mode = “display” topicID = 42545646546 Message: hi there

SQL injection attack if ($_GET['mode'] == "add") addMessageForTopic(); mode = “display” topicID = 1' OR '1'='1 if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTopic(); else die(“Error: invalid mode”); function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); while($row = mysql_fetch_assoc($result)) { echo "Message: " . $row['msg']; } } SELECT msg FROM messages WHERE topicID='1' OR '1'='1'

Thanks for posting, uh oh Reflected XSS attack if ($_GET['mode'] == "add") addMessageForTopic(); $_GET[]: mode = “add” msg = “hi there” topicID = 42 poster = “uh oh<script>alert(‘XSS’)</script>” function addMessageForTopic() { $my_poster = $_GET['poster']; […] echo "Thanks for posting, $my_poster"; } Talk about the need for social engineering - somebody could trick you into clicking on a malicious link with script code in GET, and then email your cookies or session info to attacker Thanks for posting, uh oh

Stored XSS attack $_GET[]: mode = “add” msg = “uh oh<script>alert(‘XSS’)</script>” topicID = 42 poster = “Attacker” addMessageForTopic() PHP application Database Mention that victims are INNOCENT and that MANY victims can be harmed by one malicious db entry Attacker’s input

Stored XSS attack Message: uh oh $_GET[]: mode = “add” msg = “uh oh<script>alert(‘XSS’)</script>” topicID = 42 poster = “Attacker” addMessageForTopic() PHP application Database Mention that victims are INNOCENT and that MANY victims can be harmed by one malicious db entry Attacker’s input displayAllMessagesForTopic() echo() $_GET[]: mode = “display” topicID = 42 Message: uh oh Victim’s input

Database with taint-tracking Attack Generator/Checker Architecture Input Generator inputs PHP Source Code Database with taint-tracking Taint Propagator taint sets Describe each component - why and how Attack Generator/Checker Ardilla Malicious inputs

Input generation Input Generator inputs PHP Source Code Goal: Create a set of concrete inputs (_$GET[] & _$POST[]) based on concolic execution Could theoretically use any input generator - we just need to take a program and generate a bunch of inputs, could even be manual test suite

Input generation: concolic execution if ($_GET['mode'] == "add") addMessageForTopic(); else if ($_GET[‘mode’] == “display”) displayAllMessagesForTopic(); else die(“Error: invalid mode”); PHP Source Code Input Generator inputs $_GET[]: mode = “1” msg = “1” topicID = 1 poster = “1” $_GET[]: mode = “add” msg = “1” topicID = 1 poster = “1” $_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1”

Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); $_GET[]: mode = “display” msg = “1” topicID = 1 poster = “1”

Taint propagation inputs PHP Source Code Database with taint tracking Taint Propagator taint sets Goal: Determine which input variables affect each potentially dangerous value inputs Technique: Execute and track data-flow from input variables to sensitive sinks Sensitive sinks: mysql_query(), echo(), print()

Taint propagation: data-flow inputs inputs PHP Source Code Database with taint tracking Taint Propagator Each value has a taint set, which contains input variables whose values flow into it taint sets function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = ” SELECT msg FROM messages WHERE topicID='$my_topicID’ "; $result = mysql_query($sqlstmt); /* {‘topicID’} */ Mention that we only care about taint sets for values that flow into SENSITIVE SINKS! Taint propagation Assignments: $my_poster = $_GET[“poster”] String concatenation: $full_n = $first_n . $last_n PHP built-in functions: $z = foo($x, $y) Database operations (for stored XSS) Sensitive sink Taint set

Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } function displayAllMessagesForTopic() { $my_topicID = $_GET['topicID']; $sqlstmt = “SELECT msg FROM messages WHERE topicID=‘$my_topicID’ “; $result = mysql_query($sqlstmt); /* {‘topicID’} */ Mention that the XSS attacks are similar and are described more in the paper Sensitive sink Taint set

Attack generation and checking PHP Source Code Goal: Generate attacks for each sensitive sink inputs taint sets Attack Generator/Checker Malicious inputs Technique: Mutate inputs into candidate attacks Replace tainted input variables with shady strings developed by security professionals: e.g., “1’ or ‘1’=‘1”, “<script>code</script>” Alternative: Use a string constraint solver

Attack generation and checking Given a program, an input i, and taint sets for each var that reaches any sensitive sink: res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) Attack generation ‘reaches’ means that it’s in the TAINT SET of the value that enters a sensitive sink if mutated_res DIFFERS FROM res: report mutated_input as attack Attack checking

Attack generation: mutating inputs res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack $_GET[]: mode = “display” topicID = 1' OR '1'='1 $_GET[]: mode = “display” topicID = 1

Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } 3. Generate attack candidate by picking a shady string Mention that the XSS attacks are similar and are described more in the paper $_GET[]: mode = “display” topicID = 1' OR '1'='1 $_GET[]: mode = “display” topicID = 1

Attack checking: diffing outputs res = exec(program, i) for shady in shady_strings: mutated_input = i.replace(var, shady) mutated_res = exec(program, mutated_input) if mutated_res DIFFERS FROM res: report mutated_input as attack What is a significant difference? For SQLI: compare SQL parse tree structure For XSS: compare HTML for additional script-inducing elements (<script>) Avoids false positives from input sanitizing and filtering

Example: SQL injection attack 1. Generate inputs until program reaches an SQL statement SELECT msg FROM messages WHERE topicID='$my_topicID‘ 2. Collect taint sets for values in sensitive sinks: { ’topicID’ } 3. Generate attack candidate by picking a shady string 4. Check by mutating input and comparing SQL parse trees: innocuous: SELECT msg FROM messages WHERE topicID=‘1’ mutated: SELECT msg FROM messages WHERE topicID=‘1’ OR ‘1’=‘1’ 5. Report an attack since SQL parse tree structure differs Mention that the XSS attacks are similar and are described more in the paper

SourceForge Downloads Reached sensitive sinks Experimental results Name Type LOC SourceForge Downloads SchoolMate School administration 8,181 6,765 WebChess Online chess 4,722 38,457 FaqForge Document creator 1,712 15,355 EVE activity tracker Game player tracker 915 1,143 geccBBlite Bulletin board 326 366 Vulnerability Kind Sensitive sinks Reached sensitive sinks Unique attacks SQLI 366 91 23 1st-order XSS 274 97 29 2nd-order XSS 66 8 In theory, FPs could arise due to those not being truly exploitable attacks Main limitation: concolic input generator Line coverage < 50% Inability to simulate user sessions and cookies Total: 60 Main limitation: input generator

Comparison with other approaches Defensive coding: + : can completely solve problem if done properly - : must re-write existing code Static analysis: + : can potentially prove absence of errors - : false positives, does not produce concrete attacks Dynamic monitoring: + : can prevent all attacks - : runtime overhead, false positives affect app. behavior Random fuzzing: + : easy to use, produces concrete attacks - : creates mostly invalid inputs - Defensive coding means to use special libraries - We feel that our tool hits a sweet-spot that wasn’t previously covered

Summary Automatically create SQLI and XSS attacks Technique Dynamically track taint through both program and database Input mutation and output comparison Implementation and evaluation Found 60 new vulnerabilities, no false positives