A String Constraint Solver for Detecting Web Application Vulnerability. Xiang Fu, Hofstra University; Chung-Chih Li, Illinois State University. 07/03/2010, SEKES.


1 A String Constraint Solver for Detecting Web Application Vulnerability
Xiang Fu, Hofstra University; Chung-Chih Li, Illinois State University
07/03/2010 SEKES 2010

2 Outline
 - Motivation
 - General context: static analysis + string constraint solving
 - Constraint solving technique
 - Regular replacement
 - Application and experimental data
 - Conclusion

3 Vulnerable Web Applications
 - Web applications have been successful for a decade
 - Public accessibility brings vulnerability
 - 70%: "Today over 70% of attacks against a company's website or web application come at the 'Application Layer', not the network or system layer." (Gartner Group)

4 SQL Injection Trick
Example: uname "admin'--", pwd "abc". The statement becomes
    SELECT uname, pwd FROM users WHERE uname = 'admin'--' AND pwd = 'abc'
and "--" comments out the rest of the line: log-in without a password!
The vulnerable construction (the two input fields tUname.txt and tPwd.txt are spliced straight into the query text):
    string sState = "SELECT uname, pwd FROM users \n" +
        "WHERE uname = '" + [tUname.txt] + "' AND pwd = '" + [tPwd.txt] + "'";

5 Challenges
 - User input validation: the cure? Programmers are human beings!

6 Input Validation Is Not Easy
    String massage(String strInput) {
        String sOut = strInput.Replace("'", "''"); // escape SINGLE QUOTE by doubling it
        sOut = sOut.Substring(0, 16);              // limit string size: chop off after the 16th char
        return sOut;
    }
Can you find an attack against massage?

7 Bugs!
user name: 123456789012345'   (string length: 16)
password:  OR uname<>'

8 The Cracking Process
Running massage on the user name 123456789012345':
    strInput.Replace("'", "''")  ->  123456789012345''   (17 characters: the quote is doubled)
    sOut.Substring(0, 16)        ->  123456789012345'    (the cut lands between the two halves of the doubled quote)
The output ends in a lone, unescaped single quote.

9 SQL Statement Constructed
    SELECT uname,pwd FROM users WHERE uname='123456789012345'' AND pwd=' OR uname<>''
The '' after 123456789012345 is treated as one (escaped) single quote, so the first string literal runs on until the quote that was meant to open the password. Condition 1 becomes uname = '123456789012345'' AND pwd='; what is left, OR uname<>'', is condition 2, and it is a tautology. The whole WHERE clause is therefore true for every row: tautology!
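The login bypass of slides 4 to 9, as an added, runnable example (not code from the slides or from SUSHI): a Python port of massage() and of the concatenated query, executed against a constructed in-memory SQLite table, with a parameterised query beside it for comparison. The table contents, the names login/login_safe and the choice to run massage over the user name only (the password is spliced in raw, which is what the slides' attack relies on) are assumptions of this example.

```python
import sqlite3

# Constructed sample table; not from the slides.
USERS = [("admin", "s3cret"), ("alice", "hunter2")]


def massage(s, limit=16):
    """Port of the slide's massage(): double every single quote, THEN cut to
    `limit` characters. Escaping before truncating is the bug: the cut can land
    between the two halves of a doubled quote and leave a bare quote at the end."""
    return s.replace("'", "''")[:limit]


def build_query(uname, pwd, sanitize=True):
    """Same string concatenation as slide 4. Only the user name goes through
    massage(); the password is used raw (assumption matching slides 7 to 9)."""
    if sanitize:
        uname = massage(uname)
    return ("SELECT uname, pwd FROM users WHERE uname = '" + uname
            + "' AND pwd = '" + pwd + "'")


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login(uname, pwd, sanitize=True):
    """Run the concatenated query; a non-empty result means 'logged in'."""
    conn = _db()
    try:
        return conn.execute(build_query(uname, pwd, sanitize)).fetchall()
    finally:
        conn.close()


def login_safe(uname, pwd):
    """The fix: bind parameters instead of splicing text. A length limit, if
    wanted, is applied to the raw value and can never touch SQL syntax."""
    conn = _db()
    try:
        return conn.execute(
            "SELECT uname, pwd FROM users WHERE uname = ? AND pwd = ?",
            (uname[:16], pwd)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    # Slide 4: the comment trick works when nothing is escaped ...
    print(build_query("admin'--", "abc", sanitize=False))
    print(login("admin'--", "abc", sanitize=False))
    # ... and massage() does stop it.
    print(login("admin'--", "abc"))
    # Slides 7 to 9: escape-then-truncate hands back a bare quote; every row matches.
    print(build_query("123456789012345'", " OR uname<>'"))
    print(login("123456789012345'", " OR uname<>'"))
    # Parameterised version: nothing matches.
    print(login_safe("123456789012345'", " OR uname<>'"))
```

The order of the two operations is the whole bug: truncating first and escaping second (or, better, not building SQL from text at all) closes the hole, because escaping is then the last thing that touches the value.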

10 Lessons Learned
 - Bugs lead to delicate SQL injection vulnerabilities
 - We need tools that inspect security holes smartly and automatically

11 General Approach (COMPSAC'07): Symbolic Execution + String Solver
Components: bytecode instrumentor (bytecode -> instrumented bytecode), symbolic execution engine, attack pattern library, string solver (e.g. x + "zbc" = y? gives x = .., y = ..), test case generator.

12 SUSHI Constraint Solver
(Figure: expressiveness against application; the fully general problem is undecidable!)

13 Simple Linear String Equation (SISE)
    String Expression = RegExp
 - Variables occur only on the LHS
 - Supports all frequent string operations: substring, indexing, replacement, concatenation

14 Example (Password Bypass)
(Figure: LHS is the concatenation of the query fragments with massage applied to x, i.e. replacement followed by substring; RHS is the attack pattern regular expression.)

15 Solution Algorithm
 (1) Break into atomic steps
 (2) Represent each step as a finite state transducer
 (3) Symbolic image computation
 (4) Chain results => solution pool
 (5) Solution pool => concrete solution

16 Special Challenge (NFM'10)
 - Regular replacement has many semantics: greedy, reluctant, declarative, ...
 - Special algorithm for precise modeling

17 Finite State Transducer
 - Accepts a regular relation
 - Closed under union, concatenation, composition (but not, in general, under intersection or complement)
 - Used for modeling rewriting rules [Kaplan94, Karttunen96]
Example transducer A: states 1 -> 2 -> 3 -> 4 with transitions a:2, b:3, ε:1, so (ab, 123) ∈ L(A).
04/13/2010 NFM 2010

18 Modeling Greedy Semantics (NFM'2010)
Search pattern: a+ -> x. One input word gives one output word.
 Step 1: begin marker
 Step 2: non-deterministic end marker
 Step 3: pairing markers
 Step 4: checking match
 Step 5: check longest
 Step 6: replacement
Trace on the input aabab: begin markers give #a#ab#ab; the non-deterministic end marker branches into #a#a$b#ab and #a#ab#a$b; pairing, match checking and the longest-match check pass through #a$#a$b#a$b, #a#a$b#a$b, #aa$b#a$b and #aaba$b; replacement yields xbxb.
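The point of slides 16 and 18, that one search pattern rewrites a word differently under different replacement semantics and that a solver must model the semantics the program really uses, as an added Python example (not SUSHI's transducer construction): the leftmost match discipline is written as a direct enumeration of candidate end-marker positions, keeping the longest for greedy and the shortest for reluctant semantics, and cross-checked against Python's re module. The function names and the HTML-tag sanitizer input are assumptions of this example.

```python
import re


def candidate_ends(pattern, w, i):
    """End-marker positions j for a begin marker at i: every j such that the
    marked segment w[i:j] is a non-empty word of the pattern's language. This is
    the enumerative analogue of the slide's non-deterministic end marker followed
    by the match check (empty matches are deliberately never considered)."""
    return [j for j in range(i + 1, len(w) + 1) if pattern.fullmatch(w, i, j)]


def replace(pattern_src, repl, w, semantics="greedy"):
    """Left-to-right replacement of `pattern_src` by `repl` in `w` under one
    explicit semantics: greedy keeps the longest candidate at each begin marker
    (the slide's Step 5), reluctant keeps the shortest."""
    pattern = re.compile(pattern_src)
    pick = {"greedy": max, "reluctant": min}[semantics]
    out, i = [], 0
    while i < len(w):
        ends = candidate_ends(pattern, w, i)
        if not ends:          # no match starts here: copy the character through
            out.append(w[i])
            i += 1
        else:                 # Step 6: emit the replacement, resume after the match
            out.append(repl)
            i = pick(ends)
    return "".join(out)


def agrees_with_re(greedy_src, lazy_src, repl, w):
    """Cross-check: Python's default quantifiers are greedy and its lazy
    quantifiers (a+?, .*?) are reluctant, so both semantics should agree."""
    return (replace(greedy_src, repl, w) == re.sub(greedy_src, repl, w)
            and replace(greedy_src, repl, w, "reluctant") == re.sub(lazy_src, repl, w))


if __name__ == "__main__":
    # The slide's example: a+ -> x on aabab.
    print(replace("a+", "x", "aabab"))               # greedy
    print(replace("a+", "x", "aabab", "reluctant"))  # reluctant: each a on its own
    # Where the choice matters for a sanitizer: stripping tags from <b>x</b>.
    # Greedy <.*> swallows the whole string, reluctant <.*?> keeps the text.
    print(repr(replace("<.*>", "", "<b>x</b>")))
    print(repr(replace("<.*>", "", "<b>x</b>", "reluctant")))
    print(agrees_with_re("a+", "a+?", "x", "aabab"),
          agrees_with_re("<.*>", "<.*?>", "", "<b>x</b>"))
```

A solver that assumed reluctant semantics for a sanitizer that is actually greedy (or the reverse) would compute a different set of reachable outputs from the same inputs, which is exactly why the slides insist on modeling the program's own replacement semantics precisely.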

19 Dealing with a Unicode Alphabet
 - Explicit representation of transitions does not work
 - Compact representation: symbolic transition sets, with special algorithms for FST composition etc.

20 Efficiency of Solver
Login servlet: 1.4 seconds on a 2 GHz PC.
(Figure: benchmark equations.)

21 More Applications: XSS Attack
 - Vulnerability originally reported in SecTrack #1022748 (Adobe Flex SDK 3.3)
 - SUSHI found a much shorter attack signature
 - Equation size: 565; solved in 74 seconds

22 Related Work
 - Forward string analysis: Christensen & Møller [SAS'03]; Wasserman & Su [PLDI'07, ICSE'08]; Bjørner & Tillmann [TACAS'09]
 - Backward string analysis: Kiezun & Ganesh [ISSTA'09]; Yu & Bultan [SPIN'08, ASE'09]; Fu [COMPSAC'07, TAVWEB'08]
 - Natural language processing: Kaplan and Kay [CL'1994]
Our contribution: precise modeling of various regular substitution semantics, hence precise security analysis. (Compare with bit-blasting?)

23 Conclusion
 - FST-based string constraint solving
 - Applied to security analysis: SQL injection, XSS attack, more ...
 - More expressive extension of SISE

24 Questions?

