Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from


Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from Made some additions/clarifications!

SQL Injection Vulnerabilities
2006: 14% of CVEs were SQLCIVs (SQL command injection vulnerabilities), the 2nd most common class
Percent of attacks likely much higher
– Web applications are accessible
– Databases hold valuable information
(Figure: user input enters at the web browser, the application builds an SQL query from it, and the query goes to the database.)

Example
<?
$sid = addslashes($_GET['sid']);
$query = "SELECT * FROM carts WHERE sid = ".$sid;
mysql_query($query);
?>
On malicious input the query becomes:
SELECT * FROM carts WHERE sid = 78 OR 1 = 1
Result: returns information from all shopping carts.

Informal Characterization [POPL'06]
At runtime, we can see that the parse tree of the query built from the malicious input has a completely different structure from the one we had in mind.

Past Approaches
Runtime checks
– Benefits: easy to be precise
– State of the art: lexical or syntactic confinement
– Drawback: we pay the overhead of a correctly placed check many times over
Static analysis
– Benefits: early bug detection; analyzes code fragments; no runtime overhead
– State of the art: static taint analysis

Static Checking for SQLCIVs: Dataflow Graph
Code:
$sid = addslashes($_GET['sid']);
$query = "SELECT…".$sid;
mysql_query($query);
(Figure: dataflow graph with nodes $_GET['sid'] → addslashes() → $sid → $query, and the constant "SELECT…" also flowing into $query.)

Static Checking for SQLCIVs: Static Taint Analysis
Same code as above. Static taint analysis labels the dataflow graph with integrity classes: the source $_GET['sid'] is U (untrusted); the sanitizer addslashes() turns it into T (trusted); $sid, $query and the sink mysql_query() are therefore all T. The analysis reports nothing: a false negative!

Static Checking for SQLCIVs: Static Taint Analysis vs. Our Goal
Static taint analysis: Source U → Sanitizer addslashes() → T → T → Sink. False negative! A value is abstracted to a single integrity class.
Our goal: Source U → Transformation addslashes() → U' → Sink, where the sink value is checked against a policy. A value is abstracted to a set of (Integrity × String)* sequences.

Static Checking for SQLCIVs: Our Goal
Source U → Transformation addslashes() → U' → Sink: check against policy; abstract values are sets of (Integrity × String)* sequences.
How can we:
– model the semantics of the transformation?
– track integrity classes through transformations?
– check the value at the sink against our policy?

SQLCIV Analysis Framework: static taint analysis, followed by a compliance check.

String Analysis [Min05]
CFGs model string sets. Construct an extended CFG from the dataflow graph ($_GET['sid'] → addslashes() → $sid → $query, with the constant "SELECT…"):
GETsid → Σ*
Sid → addslashes(GETsid)
C → SELECT…
Query → C Sid

String Analysis (continued): the same extended CFG with integrity labels attached to the dataflow nodes: $_GET['sid'] (GETsid) is U, the output of addslashes() (Sid) is U', the constant "SELECT…" (C) is T, and $query (Query) is the sequence T U'.

Modeling String Transformations
Finite state transducers (FSTs) model string functions. Use FSTs to turn the extended CFG into a plain CFG:
GETsid → Σ*
Sid → addslashes(GETsid)
C → SELECT…
Query → C Sid
(Figure: FST for stripslashes(), e.g. O\'Brian → O'Brian. Transitions are labelled input / output: \ / ε, ' / ', A / A, \ / \, B / B, where A ∈ Σ∖{'} and B ∈ Σ∖{\}.)
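As an added illustration of the FST modelling on this slide (not code from the paper; the transducer encodings are my own), the following Python runs addslashes() and stripslashes() as deterministic transducers. It also makes the point behind the earlier false-negative slide explicit: the input that produces SELECT * FROM carts WHERE sid = 78 OR 1 = 1 contains no quote, so addslashes() maps it to itself. Modelling the sanitizer as a string function, rather than as a blanket "sanitized" label, is what lets an analysis see that nothing changed in the unquoted numeric context.

```python
"""Deterministic finite-state transducers for PHP's addslashes() and
stripslashes(), as on the "Modeling String Transformations" slide.
Added illustration, not code from the paper; the encodings are mine."""


def run_fst(step, text, start=0):
    """Run a transducer given as a step function (state, char) -> (state, output).
    Returns the output string; the final state is discarded."""
    state, out = start, []
    for ch in text:
        state, emitted = step(state, ch)
        out.append(emitted)
    return "".join(out)


def addslashes_step(state, ch):
    """One state: ', ", \\ and NUL are prefixed with a backslash (NUL becomes \\0)."""
    if ch in "'\"\\\0":
        return 0, "\\" + ("0" if ch == "\0" else ch)
    return 0, ch


def stripslashes_step(state, ch):
    """Two states, mirroring the slide's transitions: in state 0 a backslash is
    consumed (\\ / epsilon) and we move to state 1; in state 1 the character is
    emitted literally (' / ', \\ / \\) and we return to state 0.  A "0" after a
    backslash is turned back into NUL, as PHP's stripslashes() does."""
    if state == 0:
        return (1, "") if ch == "\\" else (0, ch)
    return 0, ("\0" if ch == "0" else ch)


def addslashes(text):
    return run_fst(addslashes_step, text)


def stripslashes(text):
    return run_fst(stripslashes_step, text)


def sanitizer_is_identity(text):
    """True when addslashes() leaves `text` unchanged, i.e. the sanitizer
    contributes nothing to the integrity of this particular value."""
    return addslashes(text) == text


if __name__ == "__main__":
    for s in ["O'Brian", "78 OR 1 = 1"]:          # constructed sample inputs
        print(repr(s), "->", repr(addslashes(s)), "identity:", sanitizer_is_identity(s))
```

sanitizer_is_identity is the analysis question in miniature: a taint label says addslashes() always produces trusted output, whereas the transducer shows the output equals the input whenever the input has nothing to escape.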

Tracking Integrity Classes
Find the CFG–FSA intersection via CFL-reachability, propagate labels to the corresponding nonterminals, and use the same algorithm to find a CFG's image over an FST.
Example CFG: S → a, S → S X, X → Σ (language a Σ*).
FSA: states 0 and 1, with 0 →[a-z]→ 1 and 1 →[0-9]→ 1 (language [a-z][0-9]*).
Intersection: S_01 → a, X_11 → [0-9], S_01 → S_01 X_11 (language a[0-9]*).

Policy Conformance
Use the SQL grammar as the reference grammar; check the "literals" case with regular languages.
An error is untrusted input that is not in a quoted context, is not numeric, and includes SQL code:
– DIRECT if immediately affected by user input
– INDIRECT if affected by the answer to a previous query
Example extended CFG after addslashes():
GETsid' → (Σ∖{'} ∪ {\'})*
Sid → GETsid'
C → SELECT * FROM users WHERE id =
Query → C Sid

Evaluation: Results
Modified Minamide's PHP String Analyzer; evaluated on 6 real-world PHP web apps.
Columns: Subject; Lines; Time (h:mm:ss) for the String-Taint analysis and for Policy Conformance; Errors (Direct / Indirect, Real / False). Cells the transcript cut off or ran together are marked.

Subject    Lines    String-Taint  Policy Conf.  Errors (Direct/Indirect, Real/False)
Claroline  169,479  3:04:11       0:02:(cut)    (not recoverable)
e107       132,862  1:08:05       0:01:(cut)    (not recoverable)
EVE        904      0:00:01       0:00:04       4 0 1 (digits run together)
Tiger      14,350   3:14:07       3:27:50       0 3 2 (digits run together)
Utopia     5,438    0:13:10       0:00:(cut)    (not recoverable)
Warp       24,365   0:00:52       0:04:49       0 0 0

Example Vulnerability
isset($_GET['userid']) ? $userid = $_GET['userid'] : $userid = '';
if (!eregi('[0-9]+', $userid)) { unp_msg('invalid user ID.'); exit; }
$getuser = $DB->query("SELECT * FROM `unp_user` WHERE userid='$userid'");
The pattern should be '^[0-9]+$': unanchored, '[0-9]+' matches any value that contains a digit anywhere.
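Working through the three slides above (CFG–FSA intersection, policy conformance, and the unanchored-regex example), here is an added Python illustration of the intersection step and of the emptiness check that a policy conformance check reduces to. It is not code from the paper or from Minamide's PHP String Analyzer; the grammar encoding, the automaton for "not an integer literal" and the three models of the $userid check are assumptions made for the example. It reproduces the slide's S_01 / X_11 productions and then asks, for each version of the check, whether any admitted value falls outside the numeric policy.

```python
"""Bar-Hillel CFG/FSA intersection plus an emptiness check (added illustration;
not the paper's or Minamide's code).  Grammar: nonterminal -> list of
right-hand sides, each a tuple of nonterminal names (str) or terminal
character classes (frozenset); () is epsilon.  FSA: (states, start, finals,
delta) with a deterministic delta[(state, char)] = state."""
from string import ascii_lowercase, digits, printable

SIGMA = frozenset(printable)   # assumed alphabet (the slides' capital sigma)
DIGIT = frozenset(digits)


def _expand(rhs, p, states, delta):
    """Yield (annotated_rhs, end_state) for each state path through rhs from p.
    Nonterminal X becomes (X, p, q); a terminal class is narrowed to the
    characters that move the automaton from p to q (none -> path dropped)."""
    if not rhs:
        yield (), p
        return
    sym, rest = rhs[0], rhs[1:]
    if isinstance(sym, str):
        for q in states:
            for tail, end in _expand(rest, q, states, delta):
                yield ((sym, p, q),) + tail, end
    else:
        by_target = {}
        for c in sym:
            q = delta.get((p, c))
            if q is not None:
                by_target.setdefault(q, set()).add(c)
        for q, chars in by_target.items():
            for tail, end in _expand(rest, q, states, delta):
                yield (frozenset(chars),) + tail, end


def intersect(grammar, start, fsa):
    """Productions and start symbols of a grammar for L(G) ∩ L(A)."""
    states, s0, finals, delta = fsa
    prods = {}
    for lhs, rhss in grammar.items():
        for rhs in rhss:
            for p in states:
                for new_rhs, q in _expand(rhs, p, states, delta):
                    prods.setdefault((lhs, p, q), set()).add(new_rhs)
    return prods, {(start, s0, f) for f in finals}


def _ok(rhs, good):
    return all(isinstance(s, frozenset) or s in good for s in rhs)


def productive(prods):
    """Least fixpoint: nonterminals that derive at least one string."""
    good, changed = set(), True
    while changed:
        changed = False
        for lhs, rhss in prods.items():
            if lhs not in good and any(_ok(rhs, good) for rhs in rhss):
                good.add(lhs)
                changed = True
    return good


def pruned(grammar, start, fsa):
    """Intersection grammar without unproductive/unreachable symbols."""
    prods, starts = intersect(grammar, start, fsa)
    good = productive(prods)
    reach, todo = set(), [s for s in starts if s in good]
    while todo:
        nt = todo.pop()
        if nt not in reach:
            reach.add(nt)
            for rhs in prods[nt]:
                if _ok(rhs, good):
                    todo.extend(s for s in rhs if isinstance(s, tuple))
    return {(nt, rhs) for nt in reach for rhs in prods[nt] if _ok(rhs, good)}


def is_empty(grammar, start, fsa):
    prods, starts = intersect(grammar, start, fsa)
    return not (starts & productive(prods))


# The slide's example: S -> a | S X, X -> Sigma (language a Sigma*) intersected
# with the automaton for [a-z][0-9]*: 0 --[a-z]--> 1, 1 --[0-9]--> 1.
SLIDE_CFG = {"S": [(frozenset("a"),), ("S", "X")], "X": [(SIGMA,)]}
SLIDE_FSA = ({0, 1}, 0, {1},
             {**{(0, c): 1 for c in ascii_lowercase}, **{(1, d): 1 for d in digits}})

# Policy for an unquoted numeric context: the untrusted value must be an integer
# literal, so the unsafe strings are the complement of [0-9]+.  States: 0 nothing
# read, 1 only digits so far, 2 a non-digit seen; finals {0, 2}.  (Constructed.)
NOT_NUMERIC = ({0, 1, 2}, 0, {0, 2},
               {(p, c): (2 if p == 2 or c not in DIGIT else 1)
                for p in (0, 1, 2) for c in SIGMA})

ANY = {"Any": [(), ("Any", SIGMA)]}                    # Sigma*
DIGITS = {"Digits": [(DIGIT,), ("Digits", DIGIT)]}     # [0-9]+
# Three models of the $userid value from the "Example Vulnerability" slide.
RAW = {**ANY, "Sid": [("Any",)]}                                   # no check
UNANCHORED = {**ANY, **DIGITS, "Sid": [("Any", "Digits", "Any")]}  # '[0-9]+'
ANCHORED = {**DIGITS, "Sid": [("Digits",)]}                        # '^[0-9]+$'


def vulnerable(sid_grammar):
    """True if some value the check admits violates the numeric policy."""
    return not is_empty(sid_grammar, "Sid", NOT_NUMERIC)
```

The slide's intersection comes out as exactly the three productions shown (S_01 → a, X_11 → [0-9], S_01 → S_01 X_11). For the policy check, RAW and UNANCHORED are reported because a value such as "a1" is admitted yet is not numeric, while ANCHORED yields an empty intersection and is clean, which is the difference between '[0-9]+' and '^[0-9]+$' the slide points out.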

False Positive: casting problems

Indirect Error (verified?): the value comes back from the database.

Conclusions
– Achieved accurate checking for SQLCIVs by tracking string values and sources
– Successfully applied to real-world PHP programs and found subtle vulnerabilities
Future work:
– Improve error reports
– Apply to XSS