Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic,
Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications
Davide Balzarotti, Marco Cova, Vika Felmetsger, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, Giovanni Vigna
2008 IEEE Symposium on Security and Privacy

OUTLINE
1. Introduction
2. Motivation
3. Approach
4. Evaluation
5. Conclusions

1. Introduction
 According to a report published by Symantec in March, 66% of the 2,526 vulnerabilities it documented affected web applications.
 The OWASP Top Ten Project lists unvalidated input as the number one cause of vulnerabilities in web applications.

1. Introduction (cont.)
 A particular type of input validation is sanitization: the application modifies the input so that it becomes safe for the operation that consumes it.
 Existing analyses assume that if a sanitization operation is performed on every path from a source (one of the application's inputs) to a sink (a security-relevant operation), the application is secure. This assumption only holds if the sanitization itself is correct and sufficient.

1. Introduction (cont.)
 The authors combine static and dynamic analysis techniques in a novel approach that checks the correctness of the sanitization process itself, rather than merely its presence.
 Saner is the prototype implementation; it analyzes PHP applications.

2. Motivation
 Input validation and sanitization
 Sensitive sinks
 SQL injection vulnerability
 XSS vulnerability
 Two options when invalid values are found: reject the input, or modify (sanitize) it

2. Motivation (cont.)
 Static analysis and proper sanitization
 The required input sanitization depends on the type of sink that consumes the input (an SQL query needs a different transformation than an HTML page).
 Specifying all sanitization operations a priori is difficult.

2. Motivation (cont.)
 Current static analysis systems typically disregard the use of custom sanitization routines (or simply trust them).
 What is needed is a technique that can handle custom sanitization routines and properly track the effect of functions that manipulate and modify program input.

3. Approach
 The static analysis component is based on the open-source web vulnerability scanner Pixy.
 The goal of the dynamic phase is to examine all those program paths from input sources to sensitive sinks that the static analysis has identified as suspicious.

3. Approach (cont.)
 Sanitization-aware static analysis
 Testing sanitization routines

3. Approach (cont.)
 Basic string automata
 Finite automata are used as acceptors: they decide whether a string value belongs to a certain language. The analysis uses them to over-approximate the set of values a string variable can take.

3. Approach (cont.)
 Dependence graphs
 Dependence analysis is a data-flow analysis that computes a dependence graph for every program point and each variable.

3. Approach (cont.)
 Computing automata

3. Approach (cont.)
 Cyclic dependence graphs
 Strongly connected components (SCCs) in the dependence graph, which arise from loops, are replaced with special SCC nodes so that the automaton computation terminates.

3. Approach (cont.)
 Discussion: operations that are modeled precisely
 The use of string literals
 The concatenation of two strings
 The use of a built-in function
 Saner does not handle the manipulation of strings through indexing (e.g., access to individual characters).

3. Approach (cont.)
 Precise function modeling
 Precise models are introduced for string-modifying functions (such as str_replace) and for replacement functions that take regular expressions (ereg_replace and preg_replace).

3. Approach (cont.)
 Vulnerability detection through intersection
 The automaton that represents the sink's input is intersected with an automaton that encodes the set of undesired strings. A non-empty intersection means an undesired string can reach the sink.

3. Approach (cont.)
 Implicit taint propagation (to avoid false positives)
 Strings that are statically embedded into the application by the programmer are replaced by the empty string, so that only the attacker-controlled part of a sink's input is matched against the undesired strings.
 For str_replace, the analysis checks whether the second parameter (the replacement string) is tainted, since tainted data can enter the result through it.

3. Approach (cont.)
 Providing information to dynamic analysis
 The static phase reports the routines that perform (possibly) insufficient custom sanitization.
 This information is extracted from the dependence graphs that the static analysis uses internally.

3. Approach (cont.)
 Sanitization-aware static analysis
 Testing sanitization routines

3. Approach (cont.)
 Dynamic analysis
 Its purpose is to test the effectiveness of the sanitization routines flagged by the static phase.
 A vulnerability may be exploitable only if the application is in a certain, well-defined state, which the test setup has to reproduce.

3. Approach (cont.)
 Extracting the sanitization graph
 The sanitization graph is a subgraph of the interprocedural data-flow graph of the application: the nodes that lie between a source and the sink and transform the input.

3. Approach (cont.)
 Testing the effectiveness of the sanitization routines
 Infeasible paths
 A large number of test cases (attack strings)
 Oracle functions, which decide whether the sanitized output is still an attack for the given sink

4. Evaluation
 Saner was evaluated on five popular, publicly available PHP applications that contain custom sanitization routines.

4. Evaluation (cont.)
 Discussion of sanitization errors
 The sanitization can contain programming errors.
 The sanitization process can be bug-free but insufficient.

4. Evaluation (cont.)
 Jetbox [slide figure: example of a sanitization error found in Jetbox]

4. Evaluation (cont.)
 PBLGuestbook [slide figure: malicious code that survives the guestbook's sanitization]

4. Evaluation (cont.)
 Discussion of effectiveness and efficiency
 The combination of static and dynamic techniques proved to be effective.

5. Conclusion
 Web applications perform mission-critical tasks and handle sensitive information.
 Saner is a novel approach to evaluating the sanitization process in web applications.
 Novel vulnerabilities that stem from incorrect or incomplete sanitization are identified.