Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Similar presentations


Presentation on theme: "Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su."— Presentation transcript:

1 Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su

2 What is SQL injection attack ? An attacker exploits faulty application code to execute maliciously crafted database queries. In 2006, 14% of the reported vulnerabitilities were SQLCIVs, making SQL injection the second most frequently reported security threat.

3 An example $userid= “ 1';DROP TABLE unp_user; -- ” Executed query : SELECT * FROM `unp_user` WHERE userid='1'; DROP TABLE unp_user; --'

4 Existing Approaches Tainted information flow tracking  do not model the precise semantics of input sanitization routines  require manually written specifications  not fully automated and may require user intervention (e.g dynamic include in PHP) String analysis- based techniques  do not track the source of string values and therefore require specifications

5 Context Free Grammar (CFG) denotes “ derives in one step ” for example : if denotes “ drives in finite number of steps ”

6 Definition of web application

7 Definition of syntactic confinement

8 Definition of SQLCIV

9 The article ’ s approach 1)Model string values as CFG 2)Label nonterminals as “ direct ” or “ indirect ” if needed 3)Checks if all string in the language of the CFG are not SQLCIV according to definition

10 General scheme of implementation

11 Illustration of the algorithm For all sentential forms derivable from query GETuid is between quotes in a syntactic position of a string literal

12 Building the CFG (1)

13 Building the CFG (2) Not all string operations are concatenation and assignments what about x=escape_quotes(x) ? We need to model x escape_quotes(y) In order to model those cases we use Finite State Transducers (FST)

14 FST Finite-state machine whose output values are determined both by its current state and by the values of its inputs Has one or more final states May be non-deterministic

15 Example :modeling str_repalce with FST str_replace( “ ‘ ‘ “, “ ‘ “, $B)

16 The Problem with FST Cannot model all string functions in PHP –Preg_replace(pattern, replacement, subject ) Mohri and Sproat describe how approximate those functions using two FST

17 Intersection between FST and CFG

18 General scheme of implementation

19 Policy Conformance Analysis (1) If an untrusted substring has and odd number of quotes it cannot be syntactically confined. For each labeld X if Then X is not safe

20 Policy Conformance Analysis (2) If labeld X only occur in the syntactic position of string literals : –If any form that derives from X has unescaped quotes in it then X derives unconfined strings and X is not safe –Else X is safe

21 Policy Conformance Analysis (3) If X only derives numeric literals Then X is safe

22 Policy Conformance Analysis (4) If X can produce a non numeric string outside of quotes it likely represents an SQLCIV. To confirm this we check whether X derive any string that cannot be confined (e.g. “ drop where, ” “ -- “ ). If it can then X is unsafe

23 Policy Conformance Analysis (5) If each string, derives from the remaining labeld nonterminals, is derivable from some nonterminal in the SQL grammar then the remaining labeld nonterminals are safe.

24 Implementation Using modified Minamide ’ s String analyzer –Specifications for 243 PHP functions were added –Improvement in PHP dynamic includes support Check derivability using an extension of Earley ’ s parsing algorithm

25 Results False positive rate = 20.8% False negative rate = 0%

26 explanations for false positive rate Insufficient precision through type conversions ASCII functions

27 Future improvements Improve analyzing of helper functions in other files Analyzing only strings which affect the data base

28 Conclusions 1.Catch all SQLCIV 2.Could be very slow (but future improvements will make it faster ) 3.False positive rate a bit high but will be improved in next version


Download ppt "Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su."

Similar presentations


Ads by Google