A String Constraint Solver for Detecting Web Application Vulnerability
Xiang Fu, Hofstra University; Chung-Chih Li, Illinois State University
SEKE 2010, 07/03/2010 (slide transcript)


Outline
- Motivation
- General context: static analysis + string constraint solving
- Constraint solving technique
- Regular replacement
- Application and experimental data
- Conclusion

Vulnerable Web Applications
- Web applications have been successful for a decade.
- Public accessibility brings vulnerability.
- "Today over 70% of attacks against a company's website or web application come at the 'Application Layer' not the network or system layer." - Gartner Group

SQL Injection Trick
The login statement is built by string concatenation from the two text fields (the slide's code, deliberately vulnerable):

    string sState = "SELECT uname, pwd FROM users \n" +
                    "WHERE uname = '" + tUname.txt + "' AND pwd = '" + tPwd.txt + "'";

Example: uname "admin'--", pwd "abc". The statement sent to the database is

    SELECT uname, pwd FROM users
    WHERE uname = 'admin'--' AND pwd = 'abc'

The quote in the user name closes the literal and -- comments out the rest of the line, so the password check disappears: login without a password.

Challenges
- User input validation: the cure?
- Programmers are human beings, and validation code has bugs too.

Input Validation Is Not Easy
The sanitizer applied to the user name (the slide's code; C#-style):

    String massage(String strInput) {
        // escape the single quote by doubling it
        String sOut = strInput.Replace("'", "''");
        // limit string size: chop off everything after the 16th character
        // (in C#, Substring(0, 16) throws if the input is shorter than 16 characters)
        sOut = sOut.Substring(0, 16);
        return sOut;
    }

Can you find an attack against massage?

Bugs!
- User name: exactly 16 characters, the last one a single quote (15 arbitrary characters followed by ').
- Password: the text  OR uname<>'  (leading space, ending with a single quote).

The Cracking Process
- strInput.Replace("'", "''") turns the trailing ' of the 16-character user name into '', so the string is now 17 characters long.
- sOut.Substring(0, 16) then chops off the second quote of the pair: the output ends in a lone ', exactly what the escaping was supposed to prevent.

SQL Statement Constructed
With 15 a's as the arbitrary characters, the statement becomes

    SELECT uname,pwd FROM users WHERE uname='aaaaaaaaaaaaaaa'' AND pwd=' OR uname<>''

The '' inside the first literal is treated as one escaped single quote, so the uname literal runs on until the quote after pwd=. What remains after that literal is OR uname<>'', and uname<>'' holds for every row: the WHERE clause is a tautology and the query returns every user.
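The cracking process above, reproduced end to end as an added example (this is not code from the slides or from SUSHI): the slides' massage() beside the order-of-operations fix, run against an in-memory SQLite database with constructed users. The default assumes both fields go through massage(); escape_pwd=False reproduces the slides, where only the user name is escaped, and needs the slides' payload. The parameterized login at the end is the fix a practitioner would actually ship.

```python
"""Added example (not from the slides): massage() bug and fix against SQLite.
The users table, the attack strings and the names below are constructed."""
import re
import sqlite3

MAX_LEN = 16  # the slides' limit: chop off everything after the 16th character

# Attack pattern in the spirit of the slides: a well-escaped prefix followed by
# one unpaired quote, i.e. an output that re-opens/closes a string literal.
TRAILING_LONE_QUOTE = re.compile(r"(?:[^']|'')*'")


def massage_vulnerable(s: str) -> str:
    """The slides' massage(): escape first, then truncate.
    Truncation can cut an escape pair '' in half, leaving a lone quote.
    (Python slicing tolerates short input; C#'s Substring(0, 16) would throw.)"""
    return s.replace("'", "''")[:MAX_LEN]


def massage_fixed(s: str) -> str:
    """Truncate first, then escape: no escape pair can ever be split."""
    return s[:MAX_LEN].replace("'", "''")


def is_attack_output(s: str) -> bool:
    """True if the sanitizer output ends in an unpaired quote."""
    return TRAILING_LONE_QUOTE.fullmatch(s) is not None


def setup_db() -> sqlite3.Connection:
    """Constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(uname TEXT, pwd TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cret"), ("alice", "hunter2")])
    return con


def login_rows(con, massage, uname: str, pwd: str, escape_pwd: bool = True):
    """The slides' string-concatenated login query (deliberately unsafe).
    escape_pwd=False mirrors the slides, where only the user name is massaged.
    Returns the matched rows; a query that no longer parses yields []."""
    pwd_part = massage(pwd) if escape_pwd else pwd
    query = ("SELECT uname, pwd FROM users WHERE uname = '" + massage(uname)
             + "' AND pwd = '" + pwd_part + "'")
    try:
        return con.execute(query).fetchall()
    except sqlite3.OperationalError:   # unbalanced quotes: syntax error
        return []


def login_rows_safe(con, uname: str, pwd: str):
    """The real fix: bound parameters, so input is never parsed as SQL."""
    return con.execute(
        "SELECT uname, pwd FROM users WHERE uname = ? AND pwd = ?",
        (uname[:MAX_LEN], pwd),
    ).fetchall()


if __name__ == "__main__":
    con = setup_db()
    uname = "a" * 15 + "'"   # 16 characters, the last one a quote
    # slides' exact payload: password spliced in unescaped
    print(login_rows(con, massage_vulnerable, uname, " OR uname<>'", escape_pwd=False))
    # both fields escaped: a quote-free payload still rides on the lone quote
    print(login_rows(con, massage_vulnerable, uname, " OR 1=1 --"))
    print(login_rows(con, massage_fixed, uname, " OR 1=1 --"))
    print(login_rows_safe(con, uname, " OR 1=1 --"))
```

The second attack shows why "escape every field" is not enough on its own: once one field can emit a lone quote, a payload without any quote in another field completes the injection, so the fix has to restore the invariant that sanitizer output never contains an unpaired quote (truncate before escaping) or, better, stop building SQL from strings at all.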

Lessons Learned
- Bugs in validation code lead to delicate SQL injection vulnerabilities.
- We need tools that inspect for such security holes smartly and automatically.

General Approach (COMPSAC'07): Symbolic Execution + String Solver
Components of the tool chain:
- Bytecode instrumentor: bytecode -> instrumented bytecode
- Symbolic execution engine, driven by an attack pattern library
- String solver: takes constraints such as  x + "zbc" = y ?  and returns concrete values x = .., y = ..
- Test case generator: turns the solutions into test inputs

SUSHI Constraint Solver
Design space: expressiveness of the constraint language vs. what the application needs. The fully expressive end is undecidable, so SUSHI targets a decidable fragment that still covers the string operations found in web code.

Simple Linear String Equation (SISE)
  String Expression = RegExp
- Variables occur only on the LHS.
- Supports all frequent string operations: substring, indexing, replacement, concatenation.

Example (Password Bypass)
- LHS: massage applied to x, i.e. the replacement followed by the substring.
- RHS: a regular expression describing the attack pattern.
Solving the equation LHS = RHS yields a concrete x that turns the sanitized value into an attack.

Solution Algorithm
(1) Break the LHS into atomic steps.
(2) Represent each step as a finite state transducer.
(3) Symbolic image computation.
(4) Chain the results => solution pool.
(5) Solution pool => concrete solution.
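The chain of steps (4) and (5), worked concretely for the password-bypass equation as an added example (not SUSHI's code). The slides compute the pre-image of each atomic step symbolically with transducers; here each pre-image is computed on a finite, enumerated candidate pool instead, which is a swapped-in brute-force technique, not the paper's method. The alphabet {a, '} and the suffix bound of one character are assumptions made to keep the enumeration small.

```python
"""Added example (not from the slides): bounded backward solving of
    substring(replace(x, "'", "''"), 0, 16) in R
with concrete pre-images in place of symbolic transducer images."""
import itertools
import re

# RHS attack pattern: a well-escaped prefix followed by one unpaired quote
R = re.compile(r"(?:[^']|'')*'")
ALPHABET = "a'"   # enumeration alphabet (assumption)
N = 16            # substring length from the slides


def members_of_rhs(alphabet=ALPHABET, length=N):
    """Seed of the solution pool: members of R of exactly `length` characters."""
    return [w for w in ("".join(t) for t in itertools.product(alphabet, repeat=length))
            if R.fullmatch(w)]


def inverse_substring(pool, alphabet=ALPHABET, max_extra=1):
    """Pre-image of substring(0, n): every string whose first n characters are
    in the pool.  Suffixes of up to max_extra characters are enumerated; the
    shortest solutions only need one extra character."""
    out = []
    for w in pool:
        for k in range(max_extra + 1):
            for suf in itertools.product(alphabet, repeat=k):
                out.append(w + "".join(suf))
    return out


def inverse_replace_quote(w):
    """Pre-image of replace("'", "''") for one string: w is in the image only
    if every quote belongs to a '' pair; then undo the doubling, else None."""
    x, i = [], 0
    while i < len(w):
        if w[i] == "'":
            if i + 1 < len(w) and w[i + 1] == "'":
                x.append("'")
                i += 2
            else:
                return None        # lone quote: no x maps here
        else:
            x.append(w[i])
            i += 1
    return "".join(x)


def solve_backward(alphabet=ALPHABET, n=N):
    """Chain the pre-images from the RHS back to concrete values of x."""
    pool = members_of_rhs(alphabet, n)            # y = substring(z, 0, n) in R
    pool = inverse_substring(pool, alphabet)      # z with z[:n] in R
    xs = {x for x in map(inverse_replace_quote, pool) if x is not None}
    return sorted(xs, key=lambda s: (len(s), s))


def massage(x, n=N):
    """The LHS, used to check every solution forwards."""
    return x.replace("'", "''")[:n]


if __name__ == "__main__":
    sols = solve_backward()
    print(len(sols), "solutions; shortest:", repr(sols[0]))
    print(all(R.fullmatch(massage(x)) for x in sols))
```

Every x in the pool satisfies the equation by construction: z is pair-escaped, so replace(x) is exactly z, and z[:16] was chosen from R. The slides' attack string, fifteen characters followed by a quote, is among the solutions, and so are shorter ones such as a run of quotes that the truncation splits in the same way.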

Special Challenge (NFM'10): Regular Replacement
- Many semantics: greedy, reluctant, declarative, ...
- A special algorithm is needed to model each semantics precisely.

Finite State Transducer (slide from the NFM 2010 talk, 04/13/2010)
- Accepts a regular relation.
- Union, concatenation, composition.
- Intersection, complement.
- Used for modeling rewriting rules [Kaplan94, Karttunen96].
Example: a transducer A with the transitions ε:1, a:2, b:3 accepts the pair (ab, 123), i.e. (ab, 123) ∈ L(A).

Modeling Greedy Semantics (NFM 2010)
Search pattern a+ -> x, input word aabab; one input word must yield exactly one output word. The replacement is built as a chain of transducers:
Step 1: begin marker, a # before every possible match start: aabab -> #a#ab#ab
Step 2: nondeterministic end marker, a $ after a possible match end, giving candidates such as #a#a$b#ab, #a$#a$b#a$b, #a#a$b#a$b, #a#ab#a$b, #aaba$b
Step 3: pairing markers (each # with the $ that closes it)
Step 4: checking match (the text between paired markers is in a+)
Step 5: check longest (a match must not be extendable), which leaves #aa$b#a$b
Step 6: replacement: #aa$b#a$b -> xbxb
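Why the semantics has to be modelled exactly, as an added example (not from the slides and not the transducer construction above): two plain-string implementations of leftmost-longest (greedy) and leftmost-shortest (reluctant) replacement, run on the slides' pattern a+ -> x and input aabab, beside Python's re, whose backtracking "greedy" is not always longest. The tag-stripping sanitizer at the end is a constructed illustration.

```python
"""Added example (not from the slides): replacement semantics compared."""
import itertools
import re


def leftmost_longest_sub(pattern, repl, s):
    """Greedy in the slides' sense: at each position take the longest
    non-empty match of `pattern`, else copy one character."""
    rx = re.compile(pattern)
    out, i = [], 0
    while i < len(s):
        for j in range(len(s), i, -1):          # longest candidate first
            if rx.fullmatch(s, i, j):
                out.append(repl)
                i = j
                break
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def leftmost_shortest_sub(pattern, repl, s):
    """Reluctant: the shortest non-empty match at each position wins."""
    rx = re.compile(pattern)
    out, i = [], 0
    while i < len(s):
        for j in range(i + 1, len(s) + 1):      # shortest candidate first
            if rx.fullmatch(s, i, j):
                out.append(repl)
                i = j
                break
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def backtracking_sub(pattern, repl, s):
    """What Java/.NET/Python actually do: first alternative that succeeds,
    quantifiers greedy (or reluctant with '?') by backtracking."""
    return re.sub(pattern, repl, s)


def first_disagreement(pattern, repl, alphabet, max_len):
    """Smallest input on which greedy and reluctant replacement differ,
    i.e. an input where a solver using the wrong semantics is wrong."""
    for n in range(1, max_len + 1):
        for t in itertools.product(alphabet, repeat=n):
            w = "".join(t)
            if leftmost_longest_sub(pattern, repl, w) != leftmost_shortest_sub(pattern, repl, w):
                return w
    return None


def strip_tags(s, greedy=True):
    """Constructed sanitizer: the same regex under the two semantics."""
    return re.sub(r"<.*>" if greedy else r"<.*?>", "", s)


if __name__ == "__main__":
    print(leftmost_longest_sub(r"a+", "x", "aabab"))     # xbxb
    print(leftmost_shortest_sub(r"a+", "x", "aabab"))    # xxbxb
    print(backtracking_sub(r"a|ab", "x", "abab"))        # xbxb: 'a' wins, not longest
    print(leftmost_longest_sub(r"a|ab", "x", "abab"))    # xx
    print(strip_tags("<b>x</b>"), strip_tags("<b>x</b>", greedy=False))
```

The alternation a|ab is the point: a solver that models "greedy" as longest-match predicts xx, while the Java/.NET sanitizer the application really calls produces xbxb, so both outputs have to be derivable for the analysis to be sound and precise. The tag stripper shows the practical side: with the greedy regex the body text disappears along with the tags, with the reluctant one it survives, and any attack signature computed under the wrong semantics is wrong for the deployed code.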

Dealing with a Unicode Alphabet
- Explicit representation of transitions does not work at this alphabet size.
- Compact representation: symbolic transition sets.
- Special algorithms for FST composition etc. over symbolic transitions.

Efficiency of Solver
- Benchmark: equations from the login servlet.
- 1.4 seconds on a 2 GHz PC.
(chart: benchmark equations vs. solving time)

More Applications: XSS Attack
- Vulnerability originally reported in SecTrack # (Adobe Flex SDK 3.3).
- SUSHI found a much shorter attack signature than the one reported.
(chart: equation size vs. seconds)

Related Work
- Forward string analysis: Christensen & Møller [SAS'03]; Wasserman & Su [PLDI'07, ICSE'08]; Bjørner & Tillmann [TACAS'09]
- Backward string analysis: Kiezun & Ganesh [ISSTA'09]; Yu & Bultan [SPIN'08, ASE'09]; Fu [COMPSAC'07, TAVWEB'08]
- Natural language processing: Kaplan and Kay [CL'1994]
Our contribution: precise modeling of the various regular substitution semantics, hence precise security analysis.
Open question: compare with bit-blasting?

Conclusion
- FST-based string constraint solving
- Applied to security analysis: SQL injection, XSS attacks, and more
- A more expressive extension of SISE

Questions?