Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.

Published byAlexander Willis Modified over 9 years ago

Similar presentations

Presentation on theme: "Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of."— Presentation transcript:

1 Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of Virginia

2 2 phpBB Worm December 21, 2004 Over 40,000 sites defaced PHP injection Loads Perl scripts to spread itself Uses Google to search for other phpBB sites

3 3 phpBB Vulnerability $words = explode (' ', trim (htmlspecialchars (urldecode ($HTTP_GET_VARS ['highlight']))));... $highlight_match[] =... $words[$i]...;... … preg_replace (... $highlight_match...) Original user input: '_%2527_attack User input after HTTP_GET_VARS call: \'_%27_attack User input after explicit urldecode call: \'_'_attack

4 4 Classes of Attacks Code injection –Cause user provided data to be executed while data is being processed PHP injection (phpBB worm) SQL injection Output generation –Cause user provided data to be displayed to visitors of the website: Cross Site Scripting

5 5 SQL Injection Attacker constructs data that injects database commands Example: $res = executeQuery ("SELECT real_name FROM users WHERE user = '". $user. "'AND pwd = '". $pwd. "' ");

6 6 Cross Site Scripting Inserts user provided data onto a webpage that may include JavaScript Executes with permissions of hosting website Simple example: Hello

7 7

8 8 Importance Over 12% of Secunia Advisories 4 of last 10 advisories from FrSIRT Cross Site Scripting and Code Injection are responsible for many attacks on the internet It is very hard to write bug free code

9 9 Previous Approaches Static techniques Dynamic techniques before deployment Dynamic techniques during deployment

10 10 Static Static analyzers [Shanker+ 01] Code inspections [Fagan76] SQL prepared statements [Fisk04, Php05] Pros –No runtime overhead –Can be done before website is released to the public Cons –Coding practices may need to change –Inspections are only as good as the inspector –Many false positives

11 11 Dynamic Before Deployment Automated Test Suites: [Huang+ 04], [Tenable05], [Kavado05], [Offutt+ 04], [Watchfire05], [SPI05] Human testing Pros –Coding practices do not need to change –Attempts to simulate real world attacking conditions Cons –Only tests known attacks, cannot show absence of vulnerability –Requires developer effort to fix security holes

12 12 Automated Dynamic: Firewalls Incoming [Scott, Sharp 02] Incoming and Outgoing [Watchfire04], [Kavado05], [Teros04] Pros –No need to modify web service Cons –Only prevent recognized attacks –Coarse policies without knowing application semantics

13 13 Automated: Magic Quotes Escape all quotes supplied by a user Implemented in PHP and other scripting languages Extremely successful –Do not require the programmer to do anything –Prevent many SQL injection attacks –But, prevent only a specific class of attacks

14 14 Previous Work Limitations Being precise about what constitutes an attack is a lot of work Automated techniques suffer from not exploiting the application semantics We want a system that works as effortlessly as magic quotes, but prevents a wider class of attacks

15 15 Our Approach Fully automated Aware of application semantics Replace PHP interpreter with a modified interpreter that: –Keeps track of which information comes from untrusted sources (precise tainting) –Checks how untrusted input is used

16 16 HTTP Server PHP Interpreter 1 8 2 3 4 5 File System file.php Database Client Web Server System APIs 6 7 PHPrevent

17 17 Coarse Grain Tainting Provided by many scripting languages (Perl, Ruby) Untrusted input is tainted Everything touched by tainted data becomes tainted $query = "SELECT real_name FROM users WHERE user = '". $user. "'AND pwd = '". $pwd. "' "; Entire $query string is tainted

18 18 Precise Tainting $query = "SELECT real_name FROM users WHERE user = '". $user. "'AND pwd = '". $pwd. "' ";  $query = "SELECT real_name FROM users WHERE user = '' OR 1 = 1; -- ';'AND pwd = '' "; Untrusted input is tainted Taint markings are maintained at character level –Depends on semantics of program Only really tainted data is tainted

19 19 Precise Checking Wrappers around PHP functions that handle updating and checking precise taint information Conservative: no false negatives while minimizing false positives –Behavior only changes when an attack is likely

20 20 Preventing SQL Injection Parse the query using the Postgres SQL parser: identify interpreted text Disallow SQL keywords or delimiters in interpreted text that is tainted –Query is not sent to database –Error response it returned "SELECT real_name FROM users WHERE user = '' OR 1 = 1; -- ';' AND pwd = '' ";

21 21 Preventing PHP Injection Disallow tainted data to be used in functions that treat input strings as PHP code or manipulate system state –We place wrappers around these functions to enforce this rule phpBB attack prevented by wrappers around preg_replace

22 22 Preventing Cross Site Scripting Wrappers around output functions –Buffer output and then parse the tainted output with HTML Tidy Check the parsed HTML against a white list to ensure there is no dangerous output –Dangerous content was determined by examining HTML grammar –Sanitize it by removing tags Hello  Safe Hello  Unsafe

23 23 Current Status Modified PHP interpreter: PHPrevent –Prevents PHP injection, SQL injection and cross site scripting attacks –Overly conservative: we have not specified precise semantics for most PHP functions Performance –Initial measurements indicate performance overhead is acceptable

24 24 Future Work: Theory and Analysis End-to-end information flow security Replace ad-hoc taint marking with principled mechanism –Analyze data flow at interpreter level –Infer taint specifications for PHP functions using dynamic analysis Verify that taint marking in PHP specification is consistent with interpreter implementation

25 25 Future Work: Implementation Full implementation of precise tainting for PHP APIs Handle persistent state –Track tainting through database store Multiple tainting types with different checking rules Incorporate modifications into main PHP distribution

26 26 Summary Many websites are prone to attacks even after using current methods Our method: –Fully automated –Prevents large classes of attacks –Easy to deploy

27 27 Thank You www.cs.virginia.edu/sammyg

Download ppt "Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
PHP I.

PHP I.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Overview of JSP Technology. The need of JSP With servlets, it is easy to – Read form data – Read HTTP request headers – Set HTTP status codes and response.

Overview of JSP Technology. The need of JSP With servlets, it is easy to – Read form data – Read HTTP request headers – Set HTTP status codes and response.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
JavaScript & jQuery the missing manual Chapter 11

JavaScript & jQuery the missing manual Chapter 11

Similar presentations

Ads by Google