Presentation is loading. Please wait.

Presentation is loading. Please wait.

Differential String Analysis Tevfik Bultan (Joint work with Muath Alkhalaf, Fang Yu and Abdulbaki Aydin) 1 Verification Lab Department.

Published byEdmund Hutchinson Modified over 9 years ago

Similar presentations

Presentation on theme: "Differential String Analysis Tevfik Bultan (Joint work with Muath Alkhalaf, Fang Yu and Abdulbaki Aydin) 1 Verification Lab Department."— Presentation transcript:

1 Differential String Analysis Tevfik Bultan (Joint work with Muath Alkhalaf, Fang Yu and Abdulbaki Aydin) 1 bultan@cs.ucsb.edu Verification Lab Department of Computer Science University of California, Santa Barbara http://www.cs.ucsb.edu/~vlab

2 Anatomy of a Web Application Submit unsupscribe.php DB php 2

3 Web Application Inputs are Strings 3 Submit DB unsupscribe.php php

4 Input Needs to be Validated and/or Sanitized 4 Submit DB unsupscribe.php php

5 Web Applications are Full of Bugs 5 2007 1.XSS 2.Injection Flaws 3.Malicious File Exec. 2010 1.Injection Flaws 2.XSS 3.Broken Auth. Session M. 2013 1.Injection Flaws 2.Broken Auth. Session M. 3.XSS ● OWASP Top 10 Web Application Vulnerabilities Source: IBM X-Force report

6 Vulnerabilities in Web Applications There are many well-known security vulnerabilities that exist in many web applications. Here are some examples: –Malicious file execution: where a malicious user causes the server to execute malicious code –SQL injection: where a malicious user executes SQL commands on the back-end database by providing specially formatted input –Cross site scripting (XSS): causes the attacker to execute a malicious script at a user’s browser These vulnerabilities are typically due to –errors in user input validation and sanitization or –lack of user input validation and sanitization 6

7 Why Is Input Validation & Sanitization Error-prone? Extensive string manipulation: –Web applications use extensive string manipulation To construct html pages, to construct database queries in SQL, etc. –The user input comes in string form and must be validated and sanitized before it can be used This requires the use of complex string manipulation functions such as string-replace –String manipulation is error prone 7

8 String Related Vulnerabilities String related web application vulnerabilities occur when: a sensitive function is passed a malicious string input from the user This input contains an attack It is not properly sanitized before it reaches the sensitive function String analysis: Discover these vulnerabilities automatically 8

9 String Manipulation Operations Concatenation – “ 1 ” + “ 2 ”  “ 12 ” – “Foo” + “bAaR”  “FoobAaR” Replacement – replace(“a”, “A”) – replace (“2”,””) (delete) – toUpperCase (multiple replace) bAAR bAaR 34 234 ABC abC 9

10 String Filtering Operations Branch conditions length < 4 ? “Foo” “bAaR” match(/^[0-9]+$/) ? “234” “a3v%6” substring(2, 4) == “aR” ? ”bAaR” “Foo” 10

11 function validateEmail(inputField, helpText){ if (!/.+/.test(inputField.value)) { if (helpText != null) helpText.innerHTML = "Please enter a value."; return false; } else { if (helpText != null) helpText.innerHTML = ""; if( !/ˆ[a-zA-Z0-9\.-_\+]+@[a-zA-Z0-9-]+(\.[a-z A-Z0-9]{2,3})+$/.test(inputField.value)) { if (helpText != null) helpText.innerHTML = “enter a valid email”; return false; } else { if (helpText != null) helpText.innerHTML = ""; return true; }}} Javascript Input Validation 11

12 foo=;bar@bar.com function validateEmail(inputField, helpText){ if (!/.+/.test(inputField.value)) { if (helpText != null) helpText.innerHTML = "Please enter a value."; return false; } else { if (helpText != null) helpText.innerHTML = ""; if( !/ˆ[a-zA-Z0-9\.-_\+]+@[a-zA-Z0-9-]+(\.[a-z A-Z0-9]{2,3})+$/.test(inputField.value)) { if (helpText != null) helpText.innerHTML = “enter a valid email"; return false; } else { if (helpText != null) helpText.innerHTML = ""; return true; }}}  [a-zA-Z0-9\.-_\+].-_ means all characters from. to _  This includes ; and =  [a-zA-Z0-9\.-_\+].-_ means all characters from. to _  This includes ; and = Input Validation Error 12

13 GOAL Automatically Find and Repair Bugs CAUSED BY String filtering and manipulation operations IN Input validation and sanitization code IN Web applications 13

14 Differential Analysis: Verification without Specification 14 Client-side Server-side

15 Sanitization Code is Complex function validate() {... switch(type) { case "time": var highlight = true; var default_msg = "Please enter a valid time."; time_pattern = /^[1-9]\:[0-5][0-9]\s*(\AM|PM|am|pm?)\s*$/; time_pattern2 = /^[1-1][0-2]\:[0-5][0-9]\s*(\AM|PM|am|pm?)\s*$/; time_pattern3 = /^[1-1][0-2]\:[0-5][0-9]\:[0-5][0-9]\s*(\AM|PM| am|pm?)\s*$/; time_pattern4 = /^[1-9]\:[0-5][0-9]\:[0-5][0-9]\s*(\AM|PM| am|pm?)\s*$/; if (field.value != "") { if (!time_pattern.test(field.value) && !time_pattern2.test(field.value) && !time_pattern3.test(field.value) && !time_pattern4.test(field.value)) { error = true; } break; case "email": error = isEmailInvalid(field); var highlight = true; var default_msg = "Please enter a valid email address."; break; case "date": var highlight = true; var default_msg = "Please enter a valid date."; date_pattern = /^(\d{1}|\d{2})\/(\d{1}|\d{2})\/(\d{2}|\d{4})\s*$/; if (field.value != "") if (!date_pattern.test(field.value)||!isDateValid(field.value)) error = true; break;... if (alert_msg == "" || alert_msg == null) alert_msg = default_msg; if (error) { any_error = true; total_msg = total_msg + alert_msg + "|"; } if (error && highlight) { field.setAttribute("class","error"); field.setAttribute("className","error"); // For IE }... } 1)Mixed input validation and sanitization for multiple HTML input fields 2) Lots of event handling and error reporting code 15

16 Modular Verification Process Extraction String Analysis Bug Detection and Repair 16 Web App Sanitizer Functions Symbolic representation of attack strings and vulnerability signatures

17 Classification of Input Validation and Sanitization Functions 17 PureValidatorPureValidator Input Yes (valid) No (invalid) PureSanitizerPureSanitizer Input Output ValidatingSanitizerValidatingSanitizer Input Output No (invalid)

18 Static Extraction for PHP 18 Sink mysql_query(……) Sources printf …… $_POST[“email”] $_POST[“username”] ValidatingSanitizerValidatingSanitizer Input Output No (invalid) Static extraction using Pixy -Augmented to handle path conditions Static dependency analysis Output is a dependency graph -Contains all validation and sanitization operations between sources and sink

19 Dynamic Extraction for Javascript 19 ValidatingSanitizerValidatingSanitizer Input Output No (invalid) Sink submit xmlhttp.send() Source Enter email: Run application on a number of inputs –Inputs are selected heuristically Instrument execution –HtmlUnit: browser simulator –Rhino: JS interpreter –Convert all accesses on objects and arrays to accesses on memory locations Dynamic dependency tracking Source: IBM X-Force report

20 String Analysis & Repair 20 Yes No Target Sanitizer Generate Patch Automata-based String Analysis Reference Sanitizer Length Patch Validation Patch Sanitization Patch

21 Automata-Based String Analysis Sanitizer Function Symbolic Forward Fix-Point Computation Symbolic Backward Fix-Point Computation String Analysis Post-Image (Post-Condition) Pre-Image (Pre-Condition) Negative Pre-Image (Pre-Condition for reject) 21

22 sanitizer(x){ if (x != “aa” && x != “bb” && x != “ab”) reject; x = replace(/^ab$/, “ba”,x); return x; } 22 Sanitizers aa bb ab aab bbb........ aa bb T........ ba Σ* Σ* ∪ T rejecting invalid inputs Σ = {a, b}........

23 aa bb ab aab bbb........ aa bb T........ ba Σ* ∪ (Non) Preferred Output Pre-image Negative Pre-Image Reject Possible output (Post Image) Σ* Post-Image, Pre-Image and Negative Pre-Image 23 b a, T........ sanitizer(x){ if (x != “aa” && x != “bb” && x != “ab”) reject; x = replace(/^ab$/, “ba”,x); return x; }

24 Symbolic Automata Explicit DFA representation Symbolic DFA representation 0 1 2.............................. 24

25 1 st Step: Find Inconsistency 25 Σ* T Σ* ∪ T Σ* T Σ* ∪ T Target Reference Output difference: Strings returned by target but not by reference ?⊆?⊆

26 2 nd Step: Differential Repair 26 Σ* T Σ* ∪ T Σ* T Σ* ∪ T Target Reference Σ* T Σ* ∪ T Repaired Function ⊈

27 Composing Sanitizers? Can we run the two sanitizers one after the other? Does not work due to lack of Idempotency – Both sanitizers escape ’ with \ – Input ab’c – 1 st sanitizer  ab\’c – 2 nd sanitizer  ab\\’c Security problem (double escaping) We need to find the difference 27

28 28 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } Σ* T Σ* ∪ T Σ* T Σ* ∪ T X Output difference: Strings returned by target but not by reference reject sanitize

29 29 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } InputTargetReferenceDiff Type “<““<““<““<““”Sanitization “ ’’ ”“ \’\’ ”“ ’’ ”Sanitization + Length “ abcd ” Validation Set of input strings that resulted in the difference: input difference automaton ‘ ‘ ‘ T

30 How to Generate a Sanitization Patch? Basic Idea: Modify the input strings so that they do not cause a difference How? Make sure that the modified input strings do not go from the start state to an accept state in the input difference automaton How? 1) Find a min-cut that separates the start state from all the accepting states in the input difference automaton, and 2) Delete all the characters in the cut 30

31 For the example above: Min-Cut results in deleting everything “foo”  “” Min-Cut is too conservative! Why? You can not remove a validation difference using a sanitization patch 31 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } Input difference automaton ‘ ‘ ‘ Min-Cut = Σ

32 (1) Validation Patch 32 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } Σ* T Σ* ∪ T Σ* T Σ* ∪ T function valid_patch($x){ if (semrep_match1($x)) die(“error”); } Validation patch DFA

33 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function valid_patch($x){ if (semrep_match1($x)) die(“error”); } Σ* T Σ* ∪ T Σ* T Σ* ∪ T X Min-Cut = { ‘, <} “fo ’ ”  “fo\ ’ ” function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } 33

34 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } Σ* T Σ* ∪ T Σ* T Σ* ∪ T function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } function valid_patch($x){ if (semrep_match1($x)) die(“error”); } function length_patch($x){ if (semrep_match2($x)) die(“error”); } function valid_patch($x){ if (semrep_match1($x)) die(“error”); } Length DFA Unwanted length in target caused by escape (2) Length Patch 34

35 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } Σ* T Σ* ∪ T Σ* T Σ* ∪ T function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } function valid_patch($x){ if (semrep_match1($x)) die(“error”); } function length_patch($x){ if (semrep_match2($x)) die(“error”); } Length DFA Unwanted length in target caused by escape Length Restricted Post-image Length Restricted Post-image Reference Post-image (3) Sanitization Patch 35 Sanitization difference X

36 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = preg_replace(‘”’, ‘\”’, $x);return $x; } function valid_patch($x){ if (semrep_match1($x)) die(“error”); } function length_patch($x){ if (semrep_match2($x)) die(“error”); } Min-Cut = {<} function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } function sanit_patch($x){ $x = semrep_sanit(“<“, $x); return $x; } (3) Sanitization Patch 36

37 Min-Cut Heuristics We use two heuristics for mincut Trim: – Only if min-cut contain space character – Test if reference Post-Image is does not have space at the beginning and end – Assume it is trim () Escape: – Test if reference Post-Image escapes the mincut characters 37

38 Experimental Results 38

39 Differential Repair Evaluation We ran the differential patching algorithm on 5 PHP web applications 39 NameDescription PHPNews v1.3.0 News publishing software UseBB v1.0.16 Forum software Snipe Gallery v3.1.5 Image management system MyBloggie v2.1.6 Weblog system Schoolmate v1.5.4 School administration software

40 Number of Patches Generated 40

41 Sanitization Patch Results 41

42 Time and Memory Performance of Differential Repair Algorithm 42

43 SemRep: Differential Repair Tool https://github.com/vlab-cs-ucsb http://www.cs.ucsb.edu/~vlab 43

44 Publications on Differential String Analysis Muath Alkhalaf, Abdulbaki Aydin, and Tevfik Bultan. "Semantic Differential Repair for Input Validation and Sanitization." Proceedings of the 2014 International Symposium on Software Testing and Analysis (ISSTA 2014), pages 225-236, San Jose, California, USA, July 21-25, 2014. Muath Alkhalaf, Shauvik Roy Choudhary, Mattia Fazzini, Tevfik Bultan, Alessandro Orso and Christopher Kruegel. "ViewPoints: Differential String Analysis for Discovering Client and Server-Side Input Validation Inconsistencies." Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA 2012), pages 56-66, Minneapolis, USA, July 15- 20, 2012. 44

Download ppt "Differential String Analysis Tevfik Bultan (Joint work with Muath Alkhalaf, Fang Yu and Abdulbaki Aydin) 1 Verification Lab Department."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
PHP I.

PHP I.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
Differential String Analysis Tevfik Bultan (Joint work with Muath Alkhalaf, Fang Yu and Abdulbaki Aydin) 1 Verification Lab Department.

Differential String Analysis Tevfik Bultan (Joint work with Muath Alkhalaf, Fang Yu and Abdulbaki Aydin) 1 Verification Lab Department.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Eliminating Web Software Vulnerabilities with Automated Verification Tevfik Bultan Verification Lab Department of Computer Science University of California,

Eliminating Web Software Vulnerabilities with Automated Verification Tevfik Bultan Verification Lab Department of Computer Science University of California,
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
PHP Server-side Programming. PHP  PHP stands for PHP: Hypertext Preprocessor  PHP is interpreted  PHP code is embedded into HTML code  interpreter.

PHP Server-side Programming. PHP  PHP stands for PHP: Hypertext Preprocessor  PHP is interpreted  PHP code is embedded into HTML code  interpreter.
Muath Alkhalaf 1 Shauvik Roy Choudhary 2 Mattia Fazzini 2 Tevfik Bultan 1 Alessandro Orso 2 Christopher Kruegel 1 1 UC Santa Barbara 2 Georgia Tech.

Muath Alkhalaf 1 Shauvik Roy Choudhary 2 Mattia Fazzini 2 Tevfik Bultan 1 Alessandro Orso 2 Christopher Kruegel 1 1 UC Santa Barbara 2 Georgia Tech.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Stupid Browser Tricks with PHP and JavaScript By Chris Winikka.

Stupid Browser Tricks with PHP and JavaScript By Chris Winikka.
Web forms in PHP Forms Recap  Way of allowing user interaction  Allows users to input data that can then be processed by a program / stored in a back-end.

Web forms in PHP Forms Recap  Way of allowing user interaction  Allows users to input data that can then be processed by a program / stored in a back-end.
CS 290C: Formal Models for Web Software Lectures 17: Analyzing Input Validation and Sanitization in Web Applications Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lectures 17: Analyzing Input Validation and Sanitization in Web Applications Instructor: Tevfik Bultan.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack

Similar presentations

Ads by Google