Download presentation
Presentation is loading. Please wait.
Published byРоберт Ђуричић Modified over 6 years ago
1
Securing Web Applications with Information Flow Tracking
Monica Lam Stanford University with Michael Martin, Benjamin Livshits, John Whaley, Michael Carbin, Dzin Avots, Chris Unkel
2
Web Application Vulnerabilities
50% databases had a security breach [Computer crime & security survey, 2002] 92% Web applications are vulnerable [Application Defense Center, 2004] 48% of all vulnerabilities Q3-Q4, 2004 [Symantec May, 2005]
3
Top Ten Security Flaws in Web Applications [OWASP]
Unvalidated Input Broken Access Control Broken Authentication and Session Management Cross Site Scripting (XSS) Flaws Buffer Overflows Injection Flaws Improper Error Handling Insecure Storage Denial of Service Insecure Configuration Management
4
Confidential information leak
Web Applications Evil Input Confidential information leak Hacker Browser Web App Database
5
Give me Bob’s credit card #
SQL Injection Errors Hacker Browser Web App Database Give me Bob’s credit card # Delete all records
6
Happy-go-lucky SQL Query
User supplies: name, password Java program: String query = “SELECT UserID, Creditcard FROM CCRec WHERE Name = ” + name + “ AND PW = ” + password
7
Fun with SQL “ — ”: “the rest are comments” in Oracle SQL
SELECT UserID, CreditCard FROM CCRec WHERE: Name = bob AND PW = foo Name = bob— AND PW = x Name = bob or 1=1— AND PW = x Name = bob; DROP CCRec— AND PW = x
8
Vulnerabilities in Web Applications
Inject Parameters Hidden fields Headers Cookie poisoning Exploit SQL injection Cross-site scripting HTTP splitting Path traversal X Cross-site scripting is an attack on applications that fail to fil- ter or quote HTML metacharacters in user input used in dynami- cally generated Web pages. HTTP response splitting is an attack on applications that fail to filter or quote newlines in header information. It enables vari- ous other attacks such as Web cache poisoning, cross user deface- ment, hijacking pages with sensitive user information, and cross- site scripting [21]. The crux of the HTTP response splitting technique is that the attacker may cause two HTTP responses to be generated in response to one maliciously constructed request. For HTTP splitting to be possible, the vulnerable application must include unchecked input as part of a response header sent back to the client. Path traversal vulnerabilities allow a hacker to access or con- trol files outside of the intended path [31, 40]. They occur when applications use unchecked user input in a path or file name; in- put normally arrives via URL input parameters, cookies, or HTTP request headers.
9
Key: Information Flow
10
A Simple SQL Injection Pattern
o = req.getParameter ( ); stmt.executeQuery ( o );
11
In Practice ParameterParser.java:586
String session.ParameterParser.getRawParameter(String name) public String getRawParameter(String name) throws ParameterNotFoundException { String[] values = request.getParameterValues(name); if (values == null) { throw new ParameterNotFoundException(name + " not found"); } else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); } return (values[0]); ParameterParser.java:570 String session.ParameterParser.getRawParameter(String name, String def) public String getRawParameter(String name, String def) { try { return getRawParameter(name); } catch (Exception e) { return def; }
12
In Practice (II) ChallengeScreen.java:194
Element lessons.ChallengeScreen.doStage2(WebSession s) String user = s.getParser().getRawParameter( USER, "" ); StringBuffer tmp = new StringBuffer(); tmp.append("SELECT cc_type, cc_number from user_data WHERE userid = '“); tmp.append(user); tmp.append("'“); query = tmp.toString(); Vector v = new Vector(); try { ResultSet results = statement3.executeQuery( query ); ...
13
PQL: Program Query Language
o = req.getParameter ( ); stmt.executeQuery ( o ); Query on the dynamic behavior based on object entities Abstracting away information flow
14
Dynamic vs. Static Pattern
o = req.getParameter ( ); stmt.executeQuery (o); Dynamically: p1 = req.getParameter ( ); stmt.executeQuery (p2); Statically: p1 and p2 point to same object? Pointer alias analysis
15
Flow-Insensitive Pointer Analysis
Objects allocated by same line of code are given the same name. Datalog pts(p,o1) pts(q,o2) hpts(o1,f,o2) pts(r,o2) o1: p = new Object(); o2: q = new Object(); p.f = q; r = p.f; p o1 f q o2 r
16
Inference Rule in Datalog
Assignments: pts (v1, h1) :- “v1 = v2 ” & pts (v2, h1). v1 = v2; v2 h1 Now let me show you how we actually specify the algorithm. Here is the Datalog rule to handle assignment instructions. Datalog looks like Prolog, but operates on a relation at a time. What it says is if everything on the right hand side is true, then the left hand side is also true. What this rule says is this: (Read slowly:) © v1 points to h1 if there is an assignment instruction v1 = v2, and v2 points to h1. That’s it. So this is just transitive closure. Let’s take a look at another rule. v1
17
Inference Rule in Datalog
Stores: hpts(h1, f, h2) :- “v1.f = v2” & pts(v1, h1) & pts(v2, h2). v1.f = v2; v1 h1 Here is the Datalog rule to handle store instructions. What this rule says is: (Read slowly:) © H1.f points to h2 if there is a store instruction v1.f = v2, and v1 points to h1 and v2 points to h2. With me so far? OK f v2 h2
18
Inference Rule in Datalog
Loads: pts(v2, h2) :- “v2 = v1.f ” & pts(v1, h1) & hpts(h1, f, h2). v2 = v1.f; v1 h1 Here is the Datalog rule to handle load instructions. Very similar to the rule for store instructions. What this rule says is this: (Read slowly:) © v2 points to h2 if there is a load instruction v2 = v1.f, and v1 points to h1 and h1.f points to h2. f v2 h2
19
Pointer Analysis Rules
pts(v, h) :- “h: T v = new T()”; pts(v1, h1) :- “v1 = v2” & pts(v2, h1). hpts(h1, f, h2) :- “v1.f = v2” & pts(v1, h1) & pts(v2, h2). pts(v2, h2) :- “v2 = v1.f” & pts(v1, h1) & hpts(h1, f, h2).
20
Pointer Alias Analysis
Specified by a few Datalog rules Creation sites Assignments Stores Loads Apply rules until they converge
21
Context-Sensitive Pointer Analysis
L1: a=malloc(); a=id(a); id(x) id(x) {return x;} L2: b=malloc( ); b=id(b); context-sensitive a L1 x context-insensitive b L2 x
22
Even without recursion, # of Contexts is exponential!
23
Top 20 Sourceforge Java Apps
1016 1012 108 104 100
24
Costs of Context Sensitivity
Typical large program has ~1014 paths If you need 1 byte to represent a context: 100 terabytes of storage > 12 times size of Library of Congress Memory: $1.2 million Hard drive: $47,500 Time to read sequentially: 20 days
25
Cloning-Based Algorithm
Whaley&Lam, PLDI 2004 (best paper award) Create a “clone” for every context Apply context-insensitive algorithm to cloned call graph Lots of redundancy in result Exploit redundancy by clever use of BDDs (binary decision diagrams)
26
Automatic Analysis Generation
PQL Ptr analysis in 10 lines Datalog bddbddb (BDD-based deductive database) with Active Machine Learning 1000s of lines 1 year tuning BDD operations BDD: 10,000s-lines library
27
Benchmarks 9 large, widely used applications
Blogging/bulletin board applications Used at a variety of sites Open-source Java J2EE apps Available from SourceForge.net
28
Vulnerabilities Found
SQL injection HTTP splitting Cross-site scripting Path traversal Total Header 6 5 11 Parameter 2 13 Cookie 1 Non-Web 3 9 30
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.