ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

Slides:



Advertisements
Similar presentations
Static Analysis for Security
Advertisements

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Teachable Static Analysis Workbench by Igor Konnov, Dmitry Kozlov.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
Specification Inference for Explicit Information Flow Problems Benjamin Livshits, Aditya V. Nori, Sriram K. Rajamani Microsoft Research Anindya Banerjee.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
1 Static Analysis for Bug Finding Benjamin Livshits.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Module 2: Using Transact-SQL Querying Tools. Overview SQL Query Analyzer Using the Object Browser Tool in SQL Query Analyzer Using Templates in SQL Query.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Secure Software Engineering: Input Vulnerabilities
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Approaches to Application Security – DSM
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.
Penetration Testing James Walden Northern Kentucky University.
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities Nenad Jovanovic, Christopher Kruegel, Engin Kirda Secure Systems Lab Vienna.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.
A Data-Centric Web Application Security Framework Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia.
OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
Attacking Applications: SQL Injection & Buffer Overflows.
CGI Security COEN 351. CGI Security Security holes are exploited by user input. We need to check user input against Buffer overflows etc. that cause a.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Aniket Joshi Justin Thomas. Agenda Introduction to SQL Injection SQL Injection Attack SQL Injection Prevention Summary.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.
Highly Scalable Distributed Dataflow Analysis Joseph L. Greathouse Advanced Computer Architecture Laboratory University of Michigan Chelsea LeBlancTodd.
By Davide Balzarotti Marco Cova Viktoria V. FelmetsgerGiovanni Vigna Presented by: Mostafa Saad.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
JDBC CS 260 Database Systems. Overview  Introduction  JDBC driver types  Eclipse project setup  Programming with JDBC  Prepared statements  SQL.
Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.
CHAPTER 7 Unexpected Input. INTRODUCTION What is Unexpected Input? Something (normally user-supplied data) that is unexpected happen to an application.
EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Chapter 4 Static Analysis. Summary (1) Building a model of the program:  Lexical analysis  Parsing  Abstract syntax  Semantic Analysis  Tracking.
SQL Injection By Wenonah Abadilla. Topics What is SQL What is SQL Injection Damn Vulnerable Web App SQLI Demo Prepared Statements.
Chapter 7 SQL Injection I: Identification
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Detecting Vulnerabilities in Web Code with concolic execution
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Chapter 7: Identifying Advanced Attacks
SQL Injection.
Static Detection of Cross-Site Scripting Vulnerabilities
Secure Software Development: Theory and Practice
Security mechanisms and vulnerabilities in .NET
SUDS: An Infrastructure for Creating Bug Detection Tools
Software Security Lesson Introduction
Chapter 13 Security Methods Part 3.
Securing Web Applications with Information Flow Tracking
CS5123 Software Validation and Quality Assurance
Automatically Hardening Web Applications Using Precise Tainting
Presentation transcript:

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults LAPSE: a Security Auditing Tool for Java Benjamin Livshits Stanford University, Computer Systems Lab  Security errors are common in today’s Java programs  Lead to stolen or corrupt data, system downtime  92% of Web apps are vulnerable to attack [Imperva]  Recent kinds of security attacks appeared  Parameter manipulation  Header manipulation  Cookie poisoning  Command-line params  What do we do? How do we protect our applications?  How do we prevent these vulnerabilities?  Our approach – tool called LAPSE  Lightweight Analysis for Program Security in Eclipse  Find the errors in the Java source code  Give the developer an automatic security auditing tool  Construct SQL queries based on user-provided input SELECT UserID, Creditcard FROM Records WHERE Name = ‘ + name + ’;  If name is user-controlled – danger, danger!!  How bad is this? Causes  Unauthorized information access  Deleted records  Taint problems–like taint mode in Perl, but static  Unchecked input propagates to sensitive methods in the program  Sources – data enters the Web app  Sinks – SQL execution statements, send data back to the user, file access operations, etc. Sources and Sinks  Form parameters  HTTP headers  Cookie values  Other types A source in Java code List of sources  SQL execute calls  Output statements  Redirect calls  File access routines Tracking Flow of Data between a Source and a Sink in LAPSE  Follow values through  Method parameters/return values  Local variables  String concatenation  Found 18 verified security errors  In 15 open-source Web apps from SourceForge  Most are blogging, bulletin-board programs  Widely used and deployed at many sites  Contain a total of  2,383 classes  Over 524,000 of code  Auditing of 15 apps takes under an hour  Auditing is pretty effective, however  Requires some manual effort  Not a complete solution – may miss errors  Some errors are hard to analyze  Sources and sinks are far apart  Often no source code available – only byte code  Working on a complete solution  Submitted a paper to Usenix Security 2005  Based on a heavy-weight sound static analysis  Pointer analysis  Sound – guaranteed to find all potential errors  Much longer analysis times  Working on a runtime protection solution  Detect errors at runtime  Cleanse the tainted values and proceed  Start at a sink  Propagate backwards  Can any source reach this sink?  Filter results  For speed  Not in source  SQL injections  Cross-site scripting  HTTP splitting  Path traversal  Security bugs in C (buffer overruns, format strings)  Static: LCLint, ITS4, Flawnder, Rats, Splint, BOON  Dynamic: StackGuard, CRED  To the best of our knowledge, we are the 1 st publically annonced Java code auditing security tool Sink Source Intermediate propagation steps  WHERE = `bob’  WHERE = `bob’ -- ’  WHERE bob’ or 1=1 -- ’  WHERE bob’; DROP Records; -- ’  bob  bob’ --  bob’ or 1=1 --  bob’; DROP Records; -- Set name to Resulting SQL  To analyze if a sink can is “dangerous” need to determine what can flow to it  Eclipse already allows to look up definitions of variables  We take this further:  Trace values backwards through parameters, assignments, function calls  If we encounter a source: stop, declare victory