Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eliminating Bugs In MVC-Style Web Applications Tevfik Bultan Verification Lab (Vlab),

Published byKatrina Jennings Modified over 9 years ago

Similar presentations

Presentation on theme: "Eliminating Bugs In MVC-Style Web Applications Tevfik Bultan Verification Lab (Vlab),"— Presentation transcript:

1 Eliminating Bugs In MVC-Style Web Applications Tevfik Bultan Verification Lab (Vlab), CS@UCSB bultan@cs.ucsb.edu http://www.cs.ucsb.edu/~vlab

2 Joint work with my students & postdocs Fang Yu Muath Alkhalaf Jaideep Nijjar Sylvain Halle

3 Web software everywhere Commerce, entertainment, social interaction We will rely on web apps more in the future Web apps + cloud will make desktop apps obsolete

4 One major road block Web applications are not trustworthy –They are notorious for security vulnerabilities and unreliable behavior Web applications are hard to program –Distributed behavior, interaction among many components and many languages We applications are hard to test –Highly dynamic behavior and concurrency Testing accounts for 50% of the development costs and software failures cost USA 60 billion annually

5 Why are web applications error prone? Script-oriented programming –A collection of scripts with no explicit control flow Extensive string manipulation –User input comes in string form, output (html, SQL) is generated via string manipulation Complex interactions –User interaction via browsers, client-side server-side interaction, interaction with the backend database Distributed system –Many components have to coordinate

6 VLab Research Agenda Improve dependability of web applications –How? By eliminating bugs –How? »Use automated verification By eliminating bugs I do not mean debugging –Debugging is done after the bug is found Finding the bug is the hard part Our goal is to find the bugs automatically –and eliminate them before the software is deployed we do this using automated verification

7 We have a hammer Automated Verification

8 Actually, we have several hammers Automated Verification Techniques Bounded verification via SAT solvers Symbolic execution via SMT solvers String analysis Model checking

9 Unfortunately, life is complicated Automated verification techniques Web application problems

10 Automated verification is hard If it wasn’t, everybody would be using it It is hard because software systems are too complex In order to make automated verification feasible –we need to focus our attention

11 Making automated verification feasible We focus our attention by –Abstraction Hide details that do not involve the things we are checking –Modularity We focus on one part of the system at a time –Separation of concerns We focus on one property at a time It turns out these are also the main principles of software design –We should be able to exploit the design structure in automated verification!

12 Separation of concerns First, we need to identify our concerns –What should we be concerned with if we want to eliminate the bugs in web applications Here are some concerns: –Input validation Errors in input validation are a major cause of security vulnerabilities in web applications –Navigation Many web applications do not handle unexpected user requests appropriately –Data model Integrity of the data model is essential for correctness of web applications

13 Why care about input validation? String related web application vulnerabilities as a percentage of all vulnerabilities (reported by CVE) OWASP Top 10 in 2007: 1.Cross Site Scripting 2.Injection Flaws OWASP Top 10 in 2010: 1.Injection Flaws 2.Cross Site Scripting

14 Why care about navigation?

15

16

17 Why care about data model? The data in the back-end database is the most important resource for most web applications Integrity and consistency of this data is crucial for dependability of the web application

18 Separation of concerns By focusing on one problem at a time: –Input validation errors –Navigation errors –Data modeling errors We are more likely to develop feasible verification techniques Still, we need more help!

19 Modularity: Model-View-Controller Model-view-controller (MVC) architecture has become the standard way to structure web applications –Ruby on Rails, Zend Framework for PHP, CakePHP, Spring Framework for Java, Struts Framework for Java, Django for Python, … MVC architecture separates –where and how the data is stored (the model) – from how it is presented (the views)

20 Model-View-Controller (MVC) architecture MVC consists of three modules –Model represents the data –View is its presentation to the user –Controller defines the way the application reacts to user input a=50% b=30% c=20% model views

21 MVC framework for web applications Model: –An abstract representation of the data stored in the backend database –Uses an object-relational mapping to map the application class structure to the back-end database tables Views: –Responsible for rendering of the web pages, i.e., how is the data presented in user’s browser Controllers: –Event handlers that process incoming user requests –They can update the data model, and create a new view to be presented to the user

22 Exploiting MVC for verification Modularity provided by MVC can be exploited in verification For checking navigation properties –Focus on controllers For checking input validation –Focus on controllers For checking data model properties –Focus on the model

23 Still, need more help Even with –the separation of concerns check one type of property at a time (navigation, input validation, data model) –and modularity focus on only one component at a time (controller or the model) we still need more help! To completely automate the verification process –We need to find a way to map the code written in a programming language to something that an automated verification tool can check We have a verification model problem!

24 How to get verification models? The verification model is an abstraction of the behavior of the application We obtain this abstraction using two basic approaches: 1.When possible we automatically extract a verification model from the code using automated abstraction + static analysis Automated model extraction 2.If we cannot automatically extract the model, we ask the developer to write a model. In this case we have to enforce the specified model at runtime Automated model enforcement

25 Three verification techniques 1.Concern: Input validation checking –Module: Controller –Verification model extraction via abstraction: Dependency analysis to extract dependency graph –Verification technique: String analysis 2.Concern: Navigation correctness –Module: Controller –Verification model specification by developer: Automated enforcement of navigation model at runtime –Verification technique: Model checking 3.Concern: Data model integrity –Module: Data model –Verification model extraction via abstraction: –Verification technique: Bounded SAT based verification

26 Making it work String analysis Input validation Separation of concerns + modularity + abstraction Model checking Bounded SAT based verification Navigation correctness Data integrity

27 Input validation verificationParser/ Taint Analysis Vulnerability Analysis Signature Generation Attack Patterns Application/ Scripts Vulnerability Signature (Tainted) Dependency Graphs Patch Synthesis Sanitization Statements Reachable Attack Strings

28 An example XSS vulnerability A PHP Example: 1:<?php 2: $www = $_GET[”www”]; 3: $l_otherinfo = ”URL”; 4: $www = preg_replace(”[^A-Za-z0-9.-@://]”,””,$www); 5: echo ” ”. $l_otherinfo. ”: ”. $www. ” ”; 6:?> Line 4 removes all characters that are not in {A-Za-z0-9.- @:/} However, “.-@” denotes all characters between “.” and “@” (including “ ”) Our string analysis automatically detects that there is a XSS vulnerability in line 5

29 Automatically generated patch Our string analysis generates a vulnerability signature that characterizes all possible input strings that can exploit the vulnerability Our patch generation algorithm automatically generates a patch that removes the vulnerability 1: <?php P: if(preg match(’/[^ <]*<.*/’,$_GET[”www”])) $_GET[”www”] = preg replace(<,””,$_GET[”www”]); 2: $www = $_GET[”www”]; 3: $l_otherinfo = ”URL”; 4: $www = preg_replace(”[^A-Za-z0-9.-@://]”,””,$www); 5: echo ” ”. $l_otherinfo. ”: ”.$www. ” ”; 6: ?>

30 Experiments We applied our analysis to three open source PHP applications Webches 0.9.0 (a server for playing chess over the internet) EVE 1.0 (a tracker for player activity for an online game) Faqforge 1.3.2 (a document management tool) Attack patterns: –Σ ∗ <script Σ ∗ (for XSS) –Σ ∗ or 1=1 Σ ∗ (for SQLI) Application#FilesLOC# XSS Sinks # SQLI Sinks 1Webchess 0.9.0 233375421140 2EVE 1.0890611417 3Faqforge 1.3.2 10534375133

31 Verification Results Type# Vulnerabilities (single, 2, 3, 4) Time (s) total fwdbwdrelational Memory (KB) average 1. XSS SQL (24, 3, 0, 0) (43, 3, 1, 2 ) 46.08 110.7 1.73 4.87 0.92 12.04 6.30 38.03 16850 136790 2. XSS SQL (0, 0, 8, 0) (8, 3, 0, 0) 288.50 23.9 6.80 1.5 - 8.47 127.80 5.2 125382 17280 3. XSS SQL (20, 0, 0, 0) (0, 0, 0, 0) 7.87 6.7 0.22 - 0.22 - ---- 9948 <1  We use (single, 2, 3, 4) indicates the number of detected vulnerabilities that have single input, two inputs, three inputs and four inputs

32 Making it work String analysis Input validation Separation of concerns + modularity + abstraction Model checking Bounded SAT based verification Navigation correctness Data integrity

33 Navigation verification We ask developer to specify the high level navigation behavior as a navigation state machine MVC frameworks typically use a hierarchical structure where actions are combined in the controllers and controllers are grouped into modules –We exploit this hierarchy to specify the navigation state machines as hierarchical state machines

34 Navigation verification Navigation Properties Static Verification Runtime Enforcement Navigation State Machine Translator SMV Verified Counter-example behavior NSM Plugin (NSM Interpreter)

35 Navigation verification experiments We studied three real-world, freely available web applications: –BambooInvoice: invoice management application 159,000 lines of code, 60 actions –Capstone: student project management system 41,000 lines of code, 33 actions –Digitalus: content management system 401,000 lines of code, 26 actions

36 Specifying the NSM We specified the NSMs manually, by exploring potential error sequences in applications –Amount of effort: Half a day per application (including taking screenshots, drawing the graph, etc.) ApplicationStatesTransitionsVariables Digitalus32487 BambooInvoice63808 Capstone8161

37 Model checking NSMs We used an existing model checker (SMV) to statically check navigation properties of NSMs Some example navigation properties: –Once you login, the only way to go back to the login page is by traversing the logout page –Each controller has the 'index' action as its only entry point from other controllers We can statically verify the NSMs with SMV model checker –Verification uses less than 4.4 MB of memory and takes less than 1 second

38 Runtime enforcement of NSMs PHP plugin for enforcement of NSMs at runtime –Intercepts page requests in an MVC application and validates them against the NSM –One line of code to insert in the application –Simple: 1,100 lines of PHP code (3% of the smallest application) Average processing time when an action conforms to the NSM: ApplicationTime without plugin (ms) Time with plugin (ms) Digitalus1112 BambooInvoice183199 Capstone90122

39 Runtime enforcement of NSMs Processing time when an action provokes a PHP warning (which the NSM-enabled application blocks):...and when an action provokes a PHP error: ApplicationActionTime without plugin (ms) Time with plugin (ms) DigitalusCreate folder2826 DigitalusUpload media1832 BambooInvoiceNew invoice938574 ApplicationActionTime without plugin (ms) Time with plugin (ms) DigitalusEdit page41632 DigitalusDelete folder42436 BambooInvoiceView invoice564594

40 Making it work String analysis Input validation Separation of concerns + modularity + abstraction Model checking Bounded SAT based verification Navigation correctness Data integrity

41 Data model verification We worked on verification of static data model properties in Ruby-on-Rails applications Rails uses active records for object-relational mapping There are many options in active records declarations that can be used to specify constraints about the data model Our goal: –Automatically analyze the active records files in Rails applications to check if the data model satisfies some properties that we expect it to satisfy Approach: –Bounded SAT based verification –We automatically search for data model errors within a given scope

42 Data Model VerificationTranslator Data Model Properties Active Records Alloy Specification Alloy Analyzer Verified Counter-example data model instance

43 Data Model Verification Experiments We used two open source Rails applications in our experiments: –TRACKS: An application to manage things-to-do lists 6062 lines of code, 44 classes, 13 data model classes Alloy translation: 301 lines –Fat Free CRM: Customer Relations Management software 12069 lines of code, 54 classes, 20 data model classes Alloy translation: 1082 lines

44 Types of properties we checked Relationship cardinality –Is it possible to have two accounts for one user? Transitive relations –A book’s author is the same as the book’s edition’s author Deletion properties –Deleting a user does not create orphan orders We wrote 10 properties for TRACKS and 20 properties for Fat Free CRM

45 Data Model Verification Experiments Of the 30 properties we checked 7 of them failed For example, in TRACKS Note’s User can be different than Note’s Project’s User

46 Conclusions Web application dependability is a very important problem Using automated verification we can find and remove errors in web application before they are deployed In order to develop feasible automated verification techniques we exploit the MVC architecture and the principles of modularity, abstraction and separation of concerns At minimum, the developer has to specify the correctness properties (e.g. attack patterns) –In some cases, the developer may also need to specify desired behavior (e.g. navigation)

47 Future work Handle more concerns Maximize automation Mobile applications

Download ppt "Eliminating Bugs In MVC-Style Web Applications Tevfik Bultan Verification Lab (Vlab),"

Similar presentations

Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.

Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.
Eliminating Navigation Errors in Web Applications via Model Checking and Runtime Enforcement of Navigation State Machines Sylvain Halle, Taylor Ettema,

Eliminating Navigation Errors in Web Applications via Model Checking and Runtime Enforcement of Navigation State Machines Sylvain Halle, Taylor Ettema,
Software Engineering COMP 201

Software Engineering COMP 201
15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.

15 Chapter 15 Web Database Development Database Systems: Design, Implementation, and Management, Fifth Edition, Rob and Coronel.
CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.
B.Sc. Multimedia ComputingMedia Technologies Database Technologies.

B.Sc. Multimedia ComputingMedia Technologies Database Technologies.
Database Management: Getting Data Together Chapter 14.

Database Management: Getting Data Together Chapter 14.
CS 290C: Formal Models for Web Software Lecture 9: MVC Architecture and Navigation Analysis Based on the MVC Architecture Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 9: MVC Architecture and Navigation Analysis Based on the MVC Architecture Instructor: Tevfik Bultan.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Application Architectures Vijayan Sugumaran Department of DIS Oakland University.

Application Architectures Vijayan Sugumaran Department of DIS Oakland University.
C++ fundamentals.

C++ fundamentals.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
UNIT-V The MVC architecture and Struts Framework.

UNIT-V The MVC architecture and Struts Framework.
CS 290C: Formal Models for Web Software Lecture 9: Analyzing Data Models Using Alloy Analyzer and SMT-Solvers Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 9: Analyzing Data Models Using Alloy Analyzer and SMT-Solvers Instructor: Tevfik Bultan.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.
Data Model Analysis Tevfik Bultan University of California Santa Barbara Joint work with Jaideep Nijjar and Ivan Bocic.

Data Model Analysis Tevfik Bultan University of California Santa Barbara Joint work with Jaideep Nijjar and Ivan Bocic.
A Scalable Application Architecture for composing News Portals on the Internet Serpil TOK, Zeki BAYRAM. Eastern MediterraneanUniversity Famagusta Famagusta.

A Scalable Application Architecture for composing News Portals on the Internet Serpil TOK, Zeki BAYRAM. Eastern MediterraneanUniversity Famagusta Famagusta.

Similar presentations

Ads by Google