Presentation is loading. Please wait.

Presentation is loading. Please wait.

HAMPI A Solver for String Constraints Vijay Ganesh MIT (With Adam Kiezun, Philip Guo, Pieter Hooimeijer and Mike Ernst)

PublishFlorence Black Modified over 9 years ago

Similar presentations

Presentation on theme: "HAMPI A Solver for String Constraints Vijay Ganesh MIT (With Adam Kiezun, Philip Guo, Pieter Hooimeijer and Mike Ernst)"— Presentation transcript:

1 HAMPI A Solver for String Constraints Vijay Ganesh MIT (With Adam Kiezun, Philip Guo, Pieter Hooimeijer and Mike Ernst)

2 The Problem HAMPI String Solver HAMPI String Solver Context-free Grammars, Regular expressions, string variable StringUNSAT Emptiness problem for an intersection of Context-free Grammars s in ( L 1 ∩ … ∩L N ) where s is bounded s contains some substring Extended Backus-Naur Form Different from string matching

3 A Problem Instance HAMPI String Solver HAMPI String Solver Context-free Grammars, Regular expressions, string variable StringUNSAT var v:4; cfg E := "()" | E E | "(" E ")”; val q := concat(”(“, v,“)”); assert q contains “()()"; “ Find a 4-character string v, such that: (v) has balanced parentheses, and (v) contains substring ()()” HAMPI finds satisfying assignment v = )()( Hence, q = ()()()

4 HAMPI A Novel String Solver Analysis HAMPI String constraints constraint solutions Program solution Analyses of string programs Formal Methods Testing Program Analysis Efficient Expressive Robust and easy to use Tested on many diverse apps Applied to important and hard problems

5 void main(char[] in){ int count=0; if (in[0] == ’b’) count++; if (in[1] == ’a’) count++; if (in[2] == ’d’) count++; if (count == 3) ERROR; } xyzxydxazxazbyzxadbydbydbazbad Concolic testing creates inputs for all program paths (assuming finite loops) HAMPI for Dynamic Symbolic Testing

6 HAMPI for Concolic Testing ✔ Key to success: Efficient, expressive constraint solver ✔ HAMPI can also be used to produce structured inputs that skip parsing and penetrate deep during concolic testing ✔ Godefroid et al. (DART,SAGE) ✔ EXE, KLEE, CUTE, CREST, SmartFuzz etc. ✔ Key to success: Efficient, expressive constraint solver ✔ HAMPI can also be used to produce structured inputs that skip parsing and penetrate deep during concolic testing ✔ Godefroid et al. (DART,SAGE) ✔ EXE, KLEE, CUTE, CREST, SmartFuzz etc.

7 Typical HAMPI Applications Constraints generated by symbolic Analyses of string programs –Concolic Testing –Formal Methods –Program Analysis –Checking whether input sanitation code actually works –Applied to PHP scripts, JavaScript, C/Java etc. Automatic generation of structured inputs with constraints –String inputs for programs –Document files, e.g. PDF, to test PDF reader –SQL commands with attack vectors –Programming language source files

8 HAMPI Results Summary ✔ Expressive: Supports context-free grammars, regular expression operations ✔ Efficient: ~7x faster on-average, and Often 100s of times faster than CFGAnalyzer ✔ Effectively enabled dynamic systematic testing (concolic testing) of real-world string-manipulating programs ✔ Already plugged into important analysis infrastructures, such as NASA Java PathFinder ✔ Expressive: Supports context-free grammars, regular expression operations ✔ Efficient: ~7x faster on-average, and Often 100s of times faster than CFGAnalyzer ✔ Effectively enabled dynamic systematic testing (concolic testing) of real-world string-manipulating programs ✔ Already plugged into important analysis infrastructures, such as NASA Java PathFinder

9 HAMPI Results Summary ✔ SQL injection vulnerability detection using static analysis ✔ SQL injection vulnerability generation using dynamic analysis (Ardilla tool, ICSE 2009) ✔ 60 attacks (23 SQL injection, 37 XSS) on 5 PHP applications (300K+ LOC) ✔ Automatic generation of structured inputs for Klee concolic tester, improved code coverage and bug finding ✔ Classic decision problems for context-free grammars ✔ SQL injection vulnerability detection using static analysis ✔ SQL injection vulnerability generation using dynamic analysis (Ardilla tool, ICSE 2009) ✔ 60 attacks (23 SQL injection, 37 XSS) on 5 PHP applications (300K+ LOC) ✔ Automatic generation of structured inputs for Klee concolic tester, improved code coverage and bug finding ✔ Classic decision problems for context-free grammars

10 HAMPI Internals string constraints core string constraints Normalizer Encoder Decoder bit-vector solution HAMPI bit-vector constraints string solution STP Bounding CFGs And Regular Expressions

11 HAMPI: Bounding is GOOD Key HAMPI idea: 1.Bound length of strings for high expressiveness, efficiency 2.Typical applications require short solutions context-freeL 1 ∩ … ∩L N Undecidable regularR 1 ∩ … ∩R N PSPACE-complete bounded regular r 1 ∩ … ∩r N NP-complete more expressive more tractable bounded regularbound(any language) 

12 HAMPI Example Constraints var v:4; cfg E := "()" | E E | "(" E ")"; val q := concat(”(“, v,“)”); assert q in bound(E, 6); assert q contains “()()"; “Find a 4-character string v, such that: (v) has balanced parentheses, and (v) contains substring ()()” HAMPI finds satisfying assignment v = )()( string constraints core string constraints Normalizer Encoder Decoder bit-vector solution HAMPI bit-vector constraints string solution STP

13 HAMPI Normalizer string constraints core string constraints Normalizer Encoder Decoder bit-vector solution HAMPI bit-vector constraints string solution STP Core string constraint have only regular expressions Expand grammars to regexps expand nonterminals eliminate inconsistencies enumerate choices exhaustively sub-expression sharing ( [ ()() + (()) ] ) + () [ ()() + (()) ] + [ ()() + (()) ] () bound(E, 6)  cfg E := "(" E ")” | E E | "()”;

14 010101 Bit vector B (length 6 bits) (B[0:1] = B[2:3]) ∧ (B[1:3] = 101) Bit Vectors Are Ordered, Fixed-Size, Sets Of Bits string constraints core string constraints Normalizer Encoder Decoder bit-vector solution HAMPI bit-vector constraints string solution STP

15 HAMPI Encodes Input As Bit-Vectors string constraints core string constraints Normalizer Encoder Decoder bit-vector solution HAMPI bit-vector constraints string solution STP Map alphabet Σ to bit-vector constants: (  0 )  1 Compute size of bit-vector B: (1+4+1) * 1 bit = 6 bits ( v ) ∈ () [ ()() + (()) ] + [ ()() + (()) ] () + ( [ ()() + (()) ] )

16 HAMPI Encodes Regular Expressions Recursively string constraints core string constraints Normalizer Encoder Decoder bit-vector solution HAMPI bit-vector constraints string solution STP ( v ) ∈ () [ ()() + (()) ] + [ ()() + (()) ] () + ( [ ()() + (()) ] ) Formula Φ 1 ∨ Formula Φ 2 ∨ Formula Φ 3 B[0]=0 ∧ B[1]=1 ∧ { B[2]=0 ∧ B[3]=1 ∧ B[4]=0 ∧ B[5]=1 ∨ …

17 HAMPI Uses STP Solver And Decodes Solution string constraints core string constraints Normalizer Encoder Decoder bit-vector solution HAMPI bit-vector constraints string solution STP bit-vector constraints B = 010101 Bit-vector Solver STP Bit-vector Solver STP B = ()()() v = )()( Decoder Maps bits back to alphabet Σ

18 Result 1: HAMPI Is Effective In Static SQL Injection Analysis 1367 string constraints from [Wassermann PLDI’07] HAMPI solved 99.7% of constraints in < 1 sec per constraint All solvable constraints had short solutions N≤4 HAMPI scales to large grammars

19 Result 2: HAMPI helps Ardilla Find New Vulnerabilities (Dynamic Analysis) 60 attacks on 5 PHP applications (300K+ LOC) 23 SQL injection 29 XSS 216 HAMPI constraints solved 46% of constraints in < 1 second per constraint 100% of constraints in < 10 seconds per constraint 4 cases of data corruption 19 cases of information leak

20 Result 3: HAMPI helps Klee Concolic Tester Find New Bugs Problem: For programs with highly structured inputs, concolic testers can spend too long in the parser The reason: We may not know which part of input to mark symbolic, and hence mark too much It is better to generate valid highly structured inputs Penetrate deep into the program’s semantic core

21 Result 3: HAMPI helps Klee Concolic Tester Find New Bugs Program NameMarking Input Symbolic Klee style (imperative) legal /total inputs Generated (1 hour) Marking Input Symbolic HAMPI-2-Klee style (declarative) legal /total inputs generated (1 hour) Cueconvert (music format converter) 0/14146/146 Logictree (SAT solver) 70/11098/98 Bc (calculator) 2/27198/198 Improved Code Coverage dramatically (from 30 to 50% with 1 hour work) Found 3 new errors in Logictree

22 Result 4: HAMPI Is Faster Than The CFGAnalyzer Solver CFGAnalyzer encodes bounded grammar problems in SAT –Encodes CYK Parse Table as SAT Problem [Axelsson et al ICALP’08] average time (sec.) string size (characters) For size 50, HAMPI is 6.8x faster on average (up to 3000x faster)

23 HAMPI Supports Rich String Constraints HAMPI CFGAnalyzer Wassermann Bjorner Hooijmeier Emmi MONA context-free grammars regular expressions string concatenation stand-alone tool unbounded length full support partial support

24 Conclusions ✔ HAMPI: A Novel Solver for String Constraints ✔ Efficient ✔ Rich Input Language ✔ Widely applicable: Formal Methods, Testing, Analysis ✔ Already tested in many real-world apps ✔ Part of well-known infrastructure: e.g., NASA Java PathFinder ✔ Download Source + All Experimental Data ✔ http://people.csail.mit.edu/akiezun/hampi http://people.csail.mit.edu/akiezun/hampi ✔ http://people.csail.mit.edu/vganesh/stp.html ✔ HAMPI: A Novel Solver for String Constraints ✔ Efficient ✔ Rich Input Language ✔ Widely applicable: Formal Methods, Testing, Analysis ✔ Already tested in many real-world apps ✔ Part of well-known infrastructure: e.g., NASA Java PathFinder ✔ Download Source + All Experimental Data ✔ http://people.csail.mit.edu/akiezun/hampi http://people.csail.mit.edu/akiezun/hampi ✔ http://people.csail.mit.edu/vganesh/stp.html

25 Moral of the Story ✔ USE HAMPI and STP ✔ Download Source + All Experimental Data ✔ http://people.csail.mit.edu/akiezun/hampi http://people.csail.mit.edu/akiezun/hampi ✔ http://people.csail.mit.edu/vganesh/stp.html ✔ USE HAMPI and STP ✔ Download Source + All Experimental Data ✔ http://people.csail.mit.edu/akiezun/hampi http://people.csail.mit.edu/akiezun/hampi ✔ http://people.csail.mit.edu/vganesh/stp.html

26 Analysis for SQL Injection Attacks $my_topicid = $_GET[‘topicid’]; $sqlstmt = “SELECT msg FROM messages WHERE topicid = ‘$my_topicid’; $result = mysql_query($sqlstmt); WHILE ($row = mysql_fetch_assoc($result)) { echo “Message “. $row[‘msg’]; } PHP Program as part of a website: http://www.mysite.com/?topicid=1 Access Database with command: SELECT msg FROM messages WHERE topicid = 1 Attacker can reveal the entire database by URL: http://www.mysite.com/?topicid http://www.mysite.com/?topicid=‘ OR ‘1’=‘1

27 var v : 12; cfg SqlSmall := "SELECT ” [a-z]+ " FROM ” [a-z]+ " WHERE " Cond; cfg Cond := Val "=" Val | Cond " OR " Cond; cfg Val := [a-z]+ | "'” [a-z0-9]* "'" | [0-9]+; reg SqlSmallBounded := bound(SqlSmall, 53); val q := concat("SELECT msg FROM messages WHERE topicid='", v, "'"); assert q in SqlSmallBounded; assert q contains "OR ‘1'=‘1'"; SQL grammar bounded SQL grammar user input string SQL query SQLI attack conditions “q is a valid SQL query” “q contains an attack tautology” HAMPI Constraints That Create SQL Injection Attacks HAMPI finds an attack input: v  1’ OR ‘1’=‘1 SELECT msg FROM messages WHERE topicid=1’ OR ‘1’=‘1’ HAMPI finds an attack input: v  1’ OR ‘1’=‘1 SELECT msg FROM messages WHERE topicid=1’ OR ‘1’=‘1’

Download ppt "HAMPI A Solver for String Constraints Vijay Ganesh MIT (With Adam Kiezun, Philip Guo, Pieter Hooimeijer and Mike Ernst)"

Similar presentations

Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Symbolic Execution with Mixed Concrete-Symbolic Solving

Symbolic Execution with Mixed Concrete-Symbolic Solving
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.

CS7100 (Prasad)L16-7AG1 Attribute Grammars Attribute Grammar is a Framework for specifying semantics and enables Modular specification.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.

The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
C. Varela; Adapted w/permission from S. Haridi and P. Van Roy1 Declarative Computation Model Defining practical programming languages Carlos Varela RPI.

C. Varela; Adapted w/permission from S. Haridi and P. Van Roy1 Declarative Computation Model Defining practical programming languages Carlos Varela RPI.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
CS 302: Discrete Math II A Review. An alphabet Σ is a finite set (e.g., Σ = {0,1}) A string over Σ is a finite-length sequence of elements of Σ For x.

CS 302: Discrete Math II A Review. An alphabet Σ is a finite set (e.g., Σ = {0,1}) A string over Σ is a finite-length sequence of elements of Σ For x.
CS 330 Programming Languages 09 / 13 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 13 / 2007 Instructor: Michael Eckmann.
Decidable and undecidable problems deciding regular languages and CFL’s Undecidable problems.

Decidable and undecidable problems deciding regular languages and CFL’s Undecidable problems.
CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.
Chapter 3 Describing Syntax and Semantics Sections 1-3.

Chapter 3 Describing Syntax and Semantics Sections 1-3.
Prof. Bodik CS 164 Lecture 61 Building a Parser II CS164 3:30-5:00 TT 10 Evans.

Prof. Bodik CS 164 Lecture 61 Building a Parser II CS164 3:30-5:00 TT 10 Evans.
Chapter 3 Program translation1 Chapt. 3 Language Translation Syntax and Semantics Translation phases Formal translation models.

Chapter 3 Program translation1 Chapt. 3 Language Translation Syntax and Semantics Translation phases Formal translation models.
A String Constraint Solver for Detecting Web Application Vulnerability Xiang Fu Hofstra University Chung-Chih Li Illinois State University 07/03/2010SEKES.

A String Constraint Solver for Detecting Web Application Vulnerability Xiang Fu Hofstra University Chung-Chih Li Illinois State University 07/03/2010SEKES.
Chapter 3 Describing Syntax and Semantics Sections 1-3.

Chapter 3 Describing Syntax and Semantics Sections 1-3.

Similar presentations

Ads by Google