Presentation is loading. Please wait.

Presentation is loading. Please wait.

Xiang Fu Hofstra University Chung-Chih Li Illinois State University 04/13/20101NFM 2010.

Published byTrevon Daniel Modified over 10 years ago

Similar presentations

Presentation on theme: "Xiang Fu Hofstra University Chung-Chih Li Illinois State University 04/13/20101NFM 2010."— Presentation transcript:

1 Xiang Fu Hofstra University Chung-Chih Li Illinois State University 04/13/20101NFM 2010

2 Background Hacker Server malicious scripts Cool page! 04/13/2010NFM 20102 Problem? SufficientText Inputs Lack of Sufficient Sanitation of Text Inputs

3 One Typical Error 1 <?php 2 $msg = $_POST[msg]; 3 $sanitized = pregreplace( 4/\.*?\ / i, 5, 6$msg ) ; 7 savetodb($sanitized ) 8 ?> 04/13/20103NFM 2010 script>alert(a) Attackers Input alert(a) Reluctant Kleene Star

4 Bigger Picture Objective: Automatic Discovery of Vulnerabilities 04/13/20104NFM 2010 Symbolic Execution Test Replayer Bytecode Attack Pattern String Constraint Solver SUSHI

5 Our Contribution Atomic Replacement Constraints Consider Two Semantics Greedy Reluctant Modeling Using Finite State Transducer (FST) Compact Representation of FST Security Analysis 04/13/2010NFM 20105

6 Finite State Transducer Accepts Regular Relation Union, Concat, Composition Intersection, Complement Used for Modeling Rewriting Rules [Kaplan94, Karttunen96] 04/13/2010NFM 20106 ε:1 1 2 3 4 a:2 b:3 A (ab,123) L(A)

7 Hierarchical FST & Modeling Declarative Semantics 04/13/2010NFM 20107 Id(* - * r *)r : ω ε:εε:ε Id(* - * r *) 1 2 3 4 Identical Relation Any String not Containing patter r Goal: Regular Search Pattern Replacement

8 Modeling Reluctant Semantics 2 Steps Mark the beginning of pattern Do the replacement 04/13/2010NFM 20108 Goal: Key: Left-Most Matching

9 04/13/2010NFM 2010 9 a a b b c d a b c a b d Input Word a + b + c x Search Pattern #: ε reluc(r) # : ω ε: ε Id() f1f1 s1s1 s2s2 Begin Marker # a # a b b c d # a b c a b d x d x a b d

10 The Challenge: Begin Marker 04/13/2010NFM 201010 a a b b c d a b c a b d Input Word ### a + b + c x Search Pattern # Look-ahead Capability? Non-determinism 3 Steps: (1)End marker (2)Generic end marker (3)Begin marker

11 Preliminary End Marker 04/13/2010NFM 201011 1 c: c 5 234 b: b a: a ε:$ b : b a: a A1A1 a + b + c x Search Pattern Idea: Start with End Marker for Reverse of Search Pattern Problem: Input tape accepts cb + a + only! Reversed Pattern cb + a +

12 Generic End Marker 04/13/2010NFM 201012 1 1 2 2,1 3 3,1 4 4,1 5 5,1 c:cb:ba:aε:$ b:b a:a c:c a:a b:b c:cb:b A2A2 cb + a + Pattern c c b a a Input Word c c b a $ a $ Output Word Deterministic! a:a

13 Finally, the Begin Marker 04/13/2010NFM 201013 a + b + c x Search Pattern 1 1 2 2,1 3 3,1 4 4,1 5 5,1 c:c b:ba:aε:# b:b a:a c:c a:a b:b c:cb:b A3A3 0 ε:εε:ε ε:εε:ε ε:εε:ε

14 04/13/2010NFM 2010 14 a a b b c d a b c a b d Input Word a + b + c x Search Pattern #: ε reluc(r) # : ω ε: ε Id() f1f1 s1s1 s2s2 Begin Marker # a # a b b c d # a b c a b d x d x a b d

15 Greedy Semantics 04/13/2010NFM 201015 Goal: greedy Challenge: Look-ahead longest match

16 04/13/2010NFM 201016 Step 1: Begin Marker Step 2: ND End Marker Step 3: Pairing Markers Step 4: Checking Match Step 5: Check Longest Step 6: Replacement a + x Search Pattern aabab #a#ab#ab #a#a$b#ab #a$#a$b#a$b #a#a$b#a$b #aa$b#a$b xbxb #a#ab#a$b #aaba$b

17 Applications Solve String Constraints 04/13/2010NFM 201017 Login Servlet Input: user name After filtering single quote and length restriction

18 Solving Atomic Constraint 04/13/2010NFM 201018 Goal: A1Id(P) Project to Input Tape Solution

19 SUSHI Constraint Solver Solves Simple Linear String Constraints (SISE) Relies on dk.brics.automaton for FSA operations Self-made Java package for FST operations Supports 16-bit Unicode Compact Transition Representation 04/13/2010NFM 201019

20 Efficiency of Solver 04/13/2010NFM 201020 Benchmark Equations 1 2 3 4 Login Servlet 1.4 Seconds on 2Ghz PC Flex SDK XSS Attack Equation Size: 565 74 Seconds Shorter than Security Track #1022748

21 Related Work Forward String Analysis Christensen & Møller [SAS03] Wasserman & Su [PLDI07, ICSE08] Bjørner & Tillmann [TACAS09] Backward String Analysis Kiezun & Ganesh [ISSTA09] Yu & Bultan [SPIN08, ASE09] Fu [COMPSAC07, TAVWEB08] Natural Language Processing * Kaplan and Kay [CL1994] 04/13/2010NFM 201021 Our Contribution: Precise Modeling of Various Regular Substitution Semantics

22 Limitations SISE String Constraints All Variables Appear on LHS (Once) No Easy Solution for Equation System Yet No string length Future Directions Encoding string length in automata Finite model on bit-vector 04/13/2010NFM 201022

23 Questions? 04/13/2010NFM 201023

Download ppt "Xiang Fu Hofstra University Chung-Chih Li Illinois State University 04/13/20101NFM 2010."

Similar presentations

CS2303-THEORY OF COMPUTATION Closure Properties of Regular Languages

CS2303-THEORY OF COMPUTATION Closure Properties of Regular Languages
Information Security of Embedded Systems 9.1.2010: Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Design of Secure Systems Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Summary Overview of Vireo Student Submission of ETDs

Summary Overview of Vireo Student Submission of ETDs
Presentation at IEEE AWSITC, June 4, 20101 Energy-Efficient Communications via Network Coding Jos Weber Delft University of Technology The Netherlands.

Presentation at IEEE AWSITC, June 4, Energy-Efficient Communications via Network Coding Jos Weber Delft University of Technology The Netherlands.
Open Days 2010 D. Gubbels 06.10.20101 Professionalization within the range of volunteer work New challenges for volunteering organizations - Ehrenamt professionalisieren!

Open Days 2010 D. Gubbels Professionalization within the range of volunteer work New challenges for volunteering organizations - Ehrenamt professionalisieren!
January 12, 2010 Updated February 4, 2010. Starting in 2010-2011 TEA will collect Teacher Class Assignments and Student Course Completion data at the.

January 12, 2010 Updated February 4, Starting in TEA will collect Teacher Class Assignments and Student Course Completion data at the.
January 12, 2010 Updated April 9, 2010. Starting in 2010-2011 TEA will collect Teacher Class Assignments and Student Course Completion data at the classroom.

January 12, 2010 Updated April 9, Starting in TEA will collect Teacher Class Assignments and Student Course Completion data at the classroom.
Automata Theory Part 1: Introduction & NFA November 2002.

Automata Theory Part 1: Introduction & NFA November 2002.
Lexical Analysis Dragon Book: chapter 3.

Lexical Analysis Dragon Book: chapter 3.
® Microsoft Office 2010 Excel Tutorial 3: Working with Formulas and Functions.

® Microsoft Office 2010 Excel Tutorial 3: Working with Formulas and Functions.
Using www.startwithwater.org A series of training presentations How to list your project September, 20101.

Using A series of training presentations How to list your project September,
August 4, 2010. The following PEIMS reporting changes have been made to the 2010-2011 PEIMS Collection in order to collect the Classroom Link information.

August 4, The following PEIMS reporting changes have been made to the PEIMS Collection in order to collect the Classroom Link information.
Linked Lists in C and C++ CS-2303, C-Term 20101 Linked Lists in C and C++ CS-2303 System Programming Concepts (Slides include materials from The C Programming.

Linked Lists in C and C++ CS-2303, C-Term Linked Lists in C and C++ CS-2303 System Programming Concepts (Slides include materials from The C Programming.
Hash Tables and Constant Access Time CS-2303, C-Term 20101 Hash Tables and Constant Access Time CS-2303 System Programming Concepts (Slides include materials.

Hash Tables and Constant Access Time CS-2303, C-Term Hash Tables and Constant Access Time CS-2303 System Programming Concepts (Slides include materials.
Tutorial 1 Creating a Database

Tutorial 1 Creating a Database
ACOT Intro/Copyright Succeeding in Business with Microsoft Excel 2010: Chapter1.

ACOT Intro/Copyright Succeeding in Business with Microsoft Excel 2010: Chapter1.
® Microsoft Office 2010 Excel Tutorial 1: Getting Started with Excel.

® Microsoft Office 2010 Excel Tutorial 1: Getting Started with Excel.
User Working Group Yannis Ioannidis University of Athens, Greece DL.org All Working Groups Meeting, Rome, 26-28 May 2010.

User Working Group Yannis Ioannidis University of Athens, Greece DL.org All Working Groups Meeting, Rome, May 2010.
Collaboration Works! 10/20/20101 Planning Research Institutional Effectiveness.

Collaboration Works! 10/20/20101 Planning Research Institutional Effectiveness.
Quick Training Guide New SpringerLink, August 2010.

Quick Training Guide New SpringerLink, August 2010.

Similar presentations

Ads by Google