Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S

Published byJuliet Sherman Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S"— Presentation transcript:

1 slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S http://www.cs.utexas.edu/~shmat/courses/cs380s/

2 slide 2 uBig trend: software as a Web-based service Online banking, shopping, government, bill payment, tax prep, customer relationship management, etc. Cloud computing uApplications hosted on Web servers Written in a mixture of PHP, Java, Perl, Python, C, ASP uSecurity is rarely the main concern Poorly written scripts with inadequate input validation Sensitive data stored in world-readable files Recent push from Visa and Mastercard to improve security of data management (PCI standard) Web Applications

3 slide 3 uRuns on a Web server or application server uTakes input from remote users uInteracts with back-end databases and third parties uPrepares and outputs results for users Dynamically generated HTML pages Content from many different sources, often including users themselves –Blogs, social networks, photo-sharing websites… Typical Web Application Design

4 Dynamic Web Application Browser Web server GET / HTTP/1.0 HTTP/1.1 200 OK index.php Database server slide 4

5 PHP: Hypertext Preprocessor uServer scripting language with C-like syntax uCan intermingle static HTML and code > uCan embed variables in double-quote strings $user = “world”; echo “Hello $user!”; or$user = “world”; echo “Hello”. $user. “!”; uForm data in global arrays $_GET, $_POST, … slide 5

6 SQL uWidely used database query language uFetch a set of records SELECT * FROM Person WHERE Username=‘Vitaly’ uAdd data to the table INSERT INTO Key (Username, Key) VALUES (‘Vitaly’, 3611BBFF) uModify data UPDATE Keys SET Key=FA33452D WHERE PersonID=5 uQuery syntax (mostly) independent of vendor slide 6

7 Sample Code $selecteduser = $_GET['user']; $sql = "SELECT Username, Key FROM Key ". "WHERE Username='$selecteduser'"; $rs = $db->executeQuery($sql); uWhat if ‘user’ is a malicious string that changes the meaning of the query? slide 7

8 SQL Injection: Basic Idea Victim server Victim SQL DB Attacker post malicious form unintended query receive data from DB 1 2 3 slide 8 uThis is an input validation vulnerability Unsanitized user input in an SQL query to back- end database changes the meaning of query uSpecific case of command injection

9 Typical Login Prompt slide 9

10 User Input Becomes Part of Query Web server Web browser (Client) DB SELECT passwd FROM USERS WHERE uname IS ‘$user’ slide 10 Enter Username and Password

11 Enter Username and Password Normal Login Web server Web browser (Client) DB SELECT passwd FROM USERS WHERE uname IS ‘smith’ slide 11

12 Malicious User Input slide 12

13 Enter Username and Password SQL Injection Attack Web server Web browser (Client) DB SELECT passwd FROM USERS WHERE uname IS ‘’; DROP TABLE USERS; -- ’ slide 13 Eliminates all user accounts

14 slide 14 Exploits of a Mom http://xkcd.com/327/

15 slide 15 Authentication with Back-End DB uset UserFound=execute( “SELECT * FROM UserTable WHERE username=‘ ” & form(“user”) & “ ′ AND password= ‘ ” & form(“pwd”) & “ ′ ” ); User supplies username and password, this SQL query checks if user/password combination is in the database uIf not UserFound.EOF Authentication correct else Fail Only true if the result of SQL query is not empty, i.e., user/pwd is in the database

16 slide 16 Using SQL Injection to Log In uUser gives username ′ OR 1=1 -- uWeb server executes query set UserFound=execute( SELECT * FROM UserTable WHERE username=‘’ OR 1=1 -- … ); uNow all records match the query, so the result is not empty  correct “authentication”! Always true! Everything after -- is ignored!

17 slide 17 Another SQL Injection Example uTo authenticate logins, server runs this SQL command against the user database: SELECT * WHERE user=‘name’ AND pwd=‘passwd’ uUser enters ’ OR WHERE pwd LIKE ‘% as both name and passwd uServer executes SELECT * WHERE user=‘’ OR WHERE pwd LIKE ‘%’ AND pwd=‘’ OR WHERE pwd LIKE ‘%’ uLogs in with the credentials of the first person in the database (typically, administrator!) [From “The Art of Intrusion”] Wildcard matches any password

18 Pull Data From Other Databases uUser gives username ’ AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year FROM creditcards uResults of two queries are combined uEmpty table from the first query is displayed together with the entire contents of the credit card database slide 18

19 More SQL Injection Attacks uCreate new users ’; INSERT INTO USERS (‘uname’,‘passwd’,‘salt’) VALUES (‘hacker’,‘38a74f’, 3234); uReset password ’; UPDATE USERS SET email=hcker@root.org WHERE email=victim@yahoo.com slide 19

20 Second-Order SQL Injection uSecond-order SQL injection: data stored in database is later used to conduct SQL injection uFor example, user manages to set uname to admin’ -- This vulnerability could exist if string escaping is applied inconsistently (e.g., strings not escaped) UPDATE USERS SET passwd=‘cracked’ WHERE uname=‘admin’ --’ why does this work? uSolution: treat all parameters as dangerous slide 20

21 CardSystems Attack (June 2005) uCardSystems was a major credit card processing company uPut out of business by a SQL injection attack Credit card numbers stored unencrypted Data on 263,000 accounts stolen 43 million identities exposed slide 21

22 SQL Injection in the Real World uOklahoma Department of Corrections divulges thousands of social security numbers (2008) Sexual and Violent Offender Registry for Oklahoma Data repository lists both offenders and employees u“Anyone with a web browser and the knowledge from Chapter One of SQL for Dummies could have easily accessed – and possibly, changed – any data within the DOC's databases" slide 22 http://www.ireport.com/docs/DOC-11831

23 Attack on Microsoft IIS (April 2008) slide 23

24 Main Steps in April 2008 Attack uUse Google to find sites using a particular ASP style vulnerable to SQL injection uUse SQL injection to modify the pages to include a link to a Chinese site nihaorr1.com Do not visit that site – it serves JavaScript that exploits vulnerabilities in IE, RealPlayer, QQ Instant Messenger uAttack used automatic tool; can be configured to inject whatever you like into vulnerable sites uThere is some evidence that hackers may get paid for each victim’s visit to nihaorr1.com slide 24

25 Part of the SQL Attack String DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+'‘ ''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor; DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST( %20AS%20NVARCHAR(4000));EXEC(@S);-- slide 25

26 Preventing SQL Injection uInput validation Filter –Apostrophes, semicolons, percent symbols, hyphens, underscores, … –Any character that has special meanings Check the data type (e.g., make sure it’s an integer) uWhitelisting Blacklisting “bad” characters doesn’t work –Forget to filter out some characters –Could prevent valid input (e.g., last name O’Brien) Allow only well-defined set of safe values –Set implicitly defined through regular expressions slide 26

27 Escaping Quotes uFor valid string inputs use escape characters to prevent the quote becoming part of the query Example: escape(o’connor) = o’’connor Convert ’ into \’ uOnly works for string inputs uDifferent databases have different rules for escaping slide 27

28 Prepared Statements uMetacharacters such as ’ in queries provide distinction between data and control uIn most injection attacks data are interpreted as control – this changes the semantics of a query or a command uBind variables: ? placeholders guaranteed to be data (not control) uPrepared statements allow creation of static queries with bind variables → preserves the structure of intended query slide 28

29 Prepared Statement: Example PreparedStatement ps = db.prepareStatement("SELECT pizza, toppings, quantity, order_day " + "FROM orders WHERE userid=? AND order_month=?"); ps.setInt(1, session.getCurrentUserId()); ps.setInt(2, Integer.parseInt(request.getParamenter("month"))); ResultSet res = ps.executeQuery(); Bind variable (data placeholder) uQuery parsed without parameters uBind variables are typed (int, string, …) slide 29 http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html

30 uBuilds SQL queries by properly escaping args Replaces ′ with \′ SqlCommand cmd = new SqlCommand( “SELECT * FROM UserTable WHERE username = @User AND password = @Pwd”, dbConnection); cmd.Parameters.Add(“@User”, Request[“user”] ); cmd.Parameters.Add(“@Pwd”, Request[“pwd”] ); cmd.ExecuteReader(); Parameterized SQL in ASP.NET slide 30

31 slide 31 G. Wassermann and Z. Su Sound and Precise Analysis of Web Applications for Injection Vulnerabilities (PLDI 2007)

32 slide 32 Wassermann-Su Approach uFocuses on SQL injection vulnerabilities uSoundness Tool is guaranteed to find all vulnerabilities uPrecision Models semantics of sanitization functions Models the structure of the SQL query into which untrusted user inputs are fed

33 slide 33 “Essence” of SQL Injection uWeb app provides a template for the SQL query uAttack = any query in which user input changes the intended structure of SQL query uModel strings as context-free grammars (CFG) Track non-terminals representing tainted input uModel string operations as language tranducers Example: str_replace(“ ’ ’ “, “ ’ “, $input) A matches any char except “ ’ “

34 slide 34 Phase One: Grammar Production uGenerate annotated CFG representing set of all query strings that program can generate Direct: data directly from users (e.g., GET parameters) Indirect: second-order tainted data (means what?)

35 slide 35 String Analysis + Taint Analysis uConvert program into static single assignment form, then into CFG Reflects data dependencies uModel PHP filters as string transducers Some filters are more complex: preg_replace(“/a([0-9]*)b/”, “x\\1\\1y”, “a01ba3b”) produces “x0101yx33y” uPropagate taint annotations

36 slide 36 Phase Two: Checking Safety uCheck whether the language represented by CFG contains unsafe queries Is it syntactically contained in the language defined by the application’s query template? This non-terminal represents tainted input For all sentences of the form  1 GETUID  2 derivable from query, GETUID is between quotes in the position of an SQL string literal (means what?) Safety check: Does the language rooted in GETUID contain unescaped quotes?

37 slide 37 Tainted Substrings as SQL Literals uTainted substrings that cannot be syntactically confined in any SQL query Any string with an odd # of unescaped quotes (why?) uNonterminals that occur only in the syntactic position of SQL string literals Can an unconfined string be derived from it? uNonterminals that derive numeric literals only uRemaining nonterminals in literal position can produce a non-numeric string outside quotes Probably an SQL injection vulnerability Test if it can derive DROP WHERE, --, etc.

38 slide 38 Taints in Non-Literal Positions uRemaining tainted nonterminals appear as non- literals in SQL query generated by the application This is rare (why?) uAll derivable strings should be proper SQL statements Context-free language inclusion is undecidable Approximate by checking whether each derivable string is also derivable from a nonterminal in the SQL grammar –Variation on a standard algorithm

39 Evaluation uTesting on five real-world PHP applications uDiscovered previously unknown vulnerabilities, including non-trivial ones Vulnerability in e107 content management system: a field is read from a user-modifiable cookie, used in a query in a different file u21% false positive rate What are the sources of false positives?

40 slide 40 Example of a False Positive

Download ppt "Slide 1 0x1A Great Papers in Computer Security Vitaly Shmatikov CS 380S"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
PHP I.

PHP I.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.

The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.
Slide 1 Vitaly Shmatikov CS 345 Security of Web Applications.

Slide 1 Vitaly Shmatikov CS 345 Security of Web Applications.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.

Chapter 7 Managing Data Sources. ASP.NET 2.0, Third Edition2.
David Evans CS200: Computer Science University of Virginia Computer Science Class 29: Vocational Skills How to Build a.

David Evans CS200: Computer Science University of Virginia Computer Science Class 29: Vocational Skills How to Build a.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
2440: 141 Web Site Administration Web Server-Side Programming Professor: Enoch E. Damson.

2440: 141 Web Site Administration Web Server-Side Programming Professor: Enoch E. Damson.
 2004 Prentice Hall, Inc. All rights reserved. Chapter 25 – Perl and CGI (Common Gateway Interface) Outline 25.1 Introduction 25.2 Perl 25.3 String Processing.

 2004 Prentice Hall, Inc. All rights reserved. Chapter 25 – Perl and CGI (Common Gateway Interface) Outline 25.1 Introduction 25.2 Perl 25.3 String Processing.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
PHP Security.

PHP Security.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

Similar presentations

Ads by Google