Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic Repair for Input Validation and Sanitization Bugs 1.

Published byLoraine Cleopatra Price Modified over 8 years ago

Similar presentations

Presentation on theme: "Automatic Repair for Input Validation and Sanitization Bugs 1."— Presentation transcript:

1 Automatic Repair for Input Validation and Sanitization Bugs 1

2 Classification of Input Validation and Sanitization Functions PureValidatorPureValidator Input Yes (valid) No (invalid) PureSanitizerPureSanitizer Input Output ValidatingSanitizerValidatingSanitizer Input Output No (invalid) 2

3 Overview Sanitizer Function Symbolic Forward Fix-Point Computation Symbolic Backward Fix-Point Computation String Analysis Post-Image (Post-Condition) Pre-Image (Pre-Condition) Negative Pre-Image (Pre-Condition for reject) 3

4 sanitizer(x){ if (x != “aa” && x != “bb” && x != “ab”) reject; x = replace(/^ab$/, “ba”,x); return x; } Sanitizers aa bb ab aab bbb........ aa bb T........ ba Σ* Σ* ∪ T........ 4 rejecting invalid inputs Σ = {a, b}

5 aa bb ab aab bbb........ aa bb T........ ba Σ* ∪ (Non) Preferred Output Pre-image Negative Pre-Image Reject Possible output (Post Image) Σ* Post-Image, Pre-Image and Negative Pre-Image b a,........ T sanitizer(x){ if (x != “aa” && x != “bb” && x != “ab”) reject; x = replace(/^ab$/, “ba”,x); return x; } 5

6 Attack Patterns For example: for detecting XSS and SQLI An attack pattern is negation of a Max policy –Attack patterns specify bad strings Example: –/. ∗ <script. ∗ / (for XSS) –Any string that contains the substring <script is bad 6

7 XSS Vulnerability Example 1:<?php 2: $www = $_GET[”www”]; 3: $l_otherinfo = ”URL”; 4: $www = preg_replace(”[^A-Za-z0-9.-@://]”, ””,$www); 5: echo ” ”. $l_otherinfo. ”: ”. $www. ” ”; 6:?> 7  [^A-Za-z0-9.-@://].-@ means all characters from. to @  This includes  XSS Vulnerability  [^A-Za-z0-9.-@://].-@ means all characters from. to @  This includes  XSS Vulnerability

8 Vulnerability Detection Σ* Σ* ∪ ∩ Post-Image (output) URL: foo Attack Pattern U R L : foo foo<bar Attack Pattern foo<bar T T Bad Output URL: < = 8 /.*<.*/

9 Vulnerability Signature Generation and Vulnerability Repair Σ* T Bad Output URL: < Vulnerability Signature All inputs that can exploit the vulnerability (or an over approximation of that set) Pre-Image (Bad Input) X min-cut is {<} reject Σ* ∪ T 9

10 Generated Patch 1: <?php P: if(preg match(’/[^ <]*<.*/’,$_GET[”www”])) $_GET[”www”] = preg replace(’<’,””,$_GET[”www”]); 2: $www = $_GET[”www”]; 3: $l_otherinfo = ”URL”; 4: $www = preg_replace(”[^A-Za-z0-9.-@://]”,””,$www); 5: echo ” ”. $l_otherinfo. ”: ”.$www. ” ”; 6: ?> min-cut is {<} 10 InputOriginal OutputNew Output FoobarURL: Foobar Foo<barURL: Foo<barURL: Foobar a<b<c<da<b<c<dURL: a<b<c<dURL: abcd

11 Patches from Vulnerability Signatures Ideally, we want to modify the input (as little as possible) so that it does not match the vulnerability signature Given a DFA, an alphabet cut is –a set of characters that after ”removing” the edges that are associated with the characters in the set, the modified DFA does not accept any non-empty string Finding a minimal alphabet cut of a DFA is an NP-hard problem (one can reduce the vertex cover problem to this problem) –We use a min-cut algorithm instead –The set of characters that are associated with the edges of the min cut is an alphabet cut but not necessarily the minimum alphabet cut 11

12 Experiments We evaluated our approach on five vulnerabilities from three open source web applications: (1)MyEasyMarket-4.1: A shopping cart program (2) BloggIT-1.0: A blog engine (3) proManager-0.72: A project management system We used the following XSS attack pattern: Σ ∗ <script Σ ∗ 12

13 Forward Analysis Results The dependency graphs of these benchmarks are simplified based on the sinks –Unrelated parts are removed using slicing InputResults #nodes#edges#sinks#inputsTime(s)Mem (kb)#states/# bdds 2120110.08259923/219 29 110.531363348/495 25 120.121955125/1200 2322110.124022133/1222 25 110.123387125/1200 13

14 Backward Analysis Results We use the backward analysis to generate the vulnerability signatures –Backward analysis starts from the vulnerable sinks identified during forward analysis InputResults #nodes#edges#sinks#inputsTime(s)Mem (kb)#states/# bdds 2120110.4629639/199 29 1141.031859767811/8389 25 122.35567320/302, 20/302 2322112.333203591/1127 25 115.021495820/302 14

15 Alphabet Cuts We generate cuts from the vulnerability signatures using a min- cut algorithm Problem: When there are two user inputs the patch will block everything and delete everything –Overlooks the relations among input variables (e.g., the concatenation of two inputs contains < SCRIPT) InputResults #nodes#edges#sinks#inputsAlphabet Cut 212011{<} 29 11{S,’,”} 25 12 Σ, Σ 232211{<,’,”} 25 11{<,’,”} Vulnerability signature depends on two inputs 15

16 Relational Vulnerability Signature Perform forward analysis using multi-track automata to generate relational vulnerability signatures Each track represents one user input –An auxiliary track represents the values of the current node –We intersect the auxiliary track with the attack pattern upon termination 16

17 Relational Vulnerability Signature Consider a simple example having multiple user inputs <?php 1: $www = $_GET[”www”]; 2: $url = $_GET[”url”]; 3: echo $url. $www; ?> Let the attack pattern be Σ ∗ < Σ ∗ 17

18 Relational Vulnerability Signature A multi-track automaton: ($url, $www, aux) Identifies the fact that the concatenation of two inputs contains < (a, λ, a), (b, λ, b), … (<, λ,<) ( λ, a,a), ( λ, b,b), … ( λ, a,a), ( λ, b,b), … ( λ,<,<) ( λ, a,a), ( λ, b,b), … ( λ, a,a), ( λ, b,b), … (a, λ, a), (b, λ, b), … 18

19 Relational Vulnerability Signature Project away the auxiliary variable Find the min-cut This min-cut identifies the alphabet cuts {<} for the first track ($url) and {<} for the second track ($www) (a, λ ), (b, λ ), … (<, λ ) ( λ, a), ( λ, b), … ( λ, a), ( λ, b), … ( λ,<) ( λ, a), ( λ, b), … ( λ, a), ( λ, b), … (a, λ ), (b, λ ), … min-cut is {<},{<} 19

20 Patch for Multiple Inputs Patch: If the inputs match the signature, delete its alphabet cut <?php if (preg match(’/[^ <]*<.*/’, $ GET[”url”].$ GET[”www”])) { $ GET[”url”] = preg replace(<,””,$ GET[”url”]); $ GET[”www”] = preg replace(<,””,$ GET[”www”]); } 1: $www = $ GET[”www”]; 2: $url = $ GET[”url”]; 3: echo $url. $www; ?> 20

21 Differential Analysis and Repair ?=?= Yes No Target Sanitizer Generate Patch String Analysis Reference Sanitizer 21

22 Why Differential? Submit DB unsupscribe.php php 22

23 A Javascript/Java Input Validation Function 23 function validateEmail(form) { var emailStr = form["email"].value; if(emailStr.length == 0) { return true; } var r1 = new RegExp("( )|(@.*@)|(@\\.)"); var r2 = new RegExp("^[\\w]+@([\\w]+\\. [\\w]{2,4})$"); if(!r1.test(emailStr) && r2.test(emailStr)) { return true; } return false; } public boolean validateEmail(Object bean, Field f,..) { String val = ValidatorUtils.getValueAsString(bean, f); Perl5Util u = new Perl5Util(); if (!(val == null || val.trim().length == 0)) { if ((!u.match("/( )|(@.*@)|(@\\.)/", val)) && u.match("/^[\\w]+@([\\w]+\\.[\\w]{2,4})$/”, val)){ return true; } else { return false; } return true; } public boolean validateEmail(Object bean, Field f,..) { String val = ValidatorUtils.getValueAsString(bean, f); Perl5Util u = new Perl5Util(); if (!(val == null || val.trim().length == 0)) { if ((!u.match("/( )|(@.*@)|(@\\.)/", val)) && u.match("/^[\\w]+@([\\w]+\\.[\\w]{2,4})$/”, val)){ return true; } else { return false; } return true; } “

24 1 st Step: Find Inconsistency Σ* T Σ* ∪ T Σ* T Σ* ∪ T Target Reference 24 Output difference: Strings returned by target but not by reference ?=?=

25 Differential Analysis Evaluation Analyzed a number of Java EE web applications –Only looking for differences (inconsistencies) 25 NameURL JGOSSIP http://sourceforge.net/projects/jgossipforum/ VEHICLE http://code.google.com/p/vehiclemanage/ MEODIST http://code.google.com/p/meodist/ MYALUMNI http://code.google.com/p/myalumni/ CONSUMER http://code.google.com/p/consumerbasedenforcement TUDU http://www.julien-dubois.com/tudu-lists JCRBIB http://code.google.com/p/jcrbib/

26 Analysis Phase Time Performance & Inconsistencies That We Found 26

27 Analysis Phase Memory Usage 27

28 2 nd Step: Differential Repair Σ* T Σ* ∪ T Σ* T Σ* ∪ T Target Reference Σ* T Σ* ∪ T Repaired Function 28 ≠

29 Composing Sanitizers? Can we run the two sanitizers one after the other? Does not work due to lack of Idempotency – Both sanitizers escape ’ with \ – Input ab’c – 1 st sanitizer  ab\’c – 2 nd sanitizer  ab\\’c Security problem (double escaping) We need to find the difference 29

30 How to repair? Σ* T Σ* ∪ T Σ* T Σ* ∪ T Target Reference X 30

31 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } Σ* T Σ* ∪ T Σ* T Σ* ∪ T X Output difference: Strings returned by target but not by reference 31

32 function reference($x){ $x = preg_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = preg_replace(“’”, “\’”, $x);return $x; } InputTargetReferenceDiff Type “<““<““<““<““”Sanitization “ ’’ ”“ \’\’ ”“ ’’ ”Sanitization + Length “ abcd ” Validation 32 Set of input strings that resulted in the difference ‘ ‘ ‘ T

33 Mincut results in deleting everything “foo”  “” Why? You can not remove a validation difference using a sanitization patch function reference($x){ $x = str_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = str_replace(“’”, “\’”, $x);return $x; } 33

34 (1) Validation Patch function reference($x){ $x = str_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = str_replace(“’”, “\’”, $x);return $x; } Σ* T Σ* ∪ T Σ* T Σ* ∪ T function valid_patch($x){ if (stranger_match1($x)) die(“error”); } Validation patch DFA 34

35 function reference($x){ $x = str_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function valid_patch($x){ if (stranger_match1($x)) die(“error”); } Σ* T Σ* ∪ T Σ* T Σ* ∪ T X MinCut = { ‘, <} “fo ’ ”  “fo\ ’ ” function target($x){ $x = str_replace(“’”, “\’”, $x);return $x; } 35

36 function reference($x){ $x = str_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } Σ* T Σ* ∪ T Σ* T Σ* ∪ T function target($x){ $x = str_replace(“’”, “\’”, $x);return $x; } function valid_patch($x){ if (stranger_match1($x)) die(“error”); } function length_patch($x){ if (stranger_match2($x)) die(“error”); } function valid_patch($x){ if (stranger_match1($x)) die(“error”); } Length of Reference DFA Unwanted length in target caused by escape (2) Length Patch 36 Post-image R = {a, foo, baar} Len = Σ 1 ∪ Σ 3 ∪ Σ 4 Post-image T = {bb, car} Diff = {bb}

37 function reference($x){ $x = str_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } Σ* T Σ* ∪ T Σ* T Σ* ∪ T function target($x){ $x = str_replace(“’”, “\’”, $x);return $x; } function valid_patch($x){ if (stranger_match1($x)) die(“error”); } function length_patch($x){ if (stranger_match2($x)) die(“error”); } X Length of Reference DFA Unwanted length in target caused by escape Target Restricted Length Target Restricted Length Reference Post-image (3) Sanitization Patch 37 Sanitization difference

38 function reference($x){ $x = str_replace(“<“, “”, $x); if (strlen($x) < 4) return $x; else die(“error”); } function target($x){ $x = preg_replace(‘”’, ‘\”’, $x);return $x; } function valid_patch($x){ if (stranger_match1($x)) die(“error”); } function length_patch($x){ if (stranger_match2($x)) die(“error”); } MinCut = {<} function target($x){ $x = str_replace(“’”, “\’”, $x);return $x; } function sanit_patch($x){ $x = str_replace(“<“, “”, $x);return $x; } (3) Sanitization Patch 38

39 MinCut Heuristics We use two heuristics for mincut Trim: – Only if mincut contain space character – Test if reference Post-Image is does not have space at the beginning and end – Assume it is trim () Escape: – Test if reference Post-Image escapes the mincut characters 39

40 Differential Repair Evaluation We ran the differential patching algorithm on 5 PHP web applications NameDescription PHPNews v1.3.0 News publishing software UseBB v1.0.16 forum software Snipe Gallery v3.1.5 Image management system MyBloggie v2.1.6 Weblog system Schoolmate v1.5.4 School administration software 40

41 Number of Patches Generated 41

42 Sanitization Patch Results 42

43 Time and Memory Performance of Differential Repair Algorithm 43

Download ppt "Automatic Repair for Input Validation and Sanitization Bugs 1."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
Deterministic Finite Automata (DFA)

Deterministic Finite Automata (DFA)
Finite Automata CPSC 388 Ellen Walker Hiram College.

Finite Automata CPSC 388 Ellen Walker Hiram College.
Differential String Analysis Tevfik Bultan (Joint work with Muath Alkhalaf, Fang Yu and Abdulbaki Aydin) 1 Verification Lab Department.

Differential String Analysis Tevfik Bultan (Joint work with Muath Alkhalaf, Fang Yu and Abdulbaki Aydin) 1 Verification Lab Department.
Finite Automata Great Theoretical Ideas In Computer Science Anupam Gupta Danny Sleator CS 15-251 Fall 2010 Lecture 20Oct 28, 2010Carnegie Mellon University.

Finite Automata Great Theoretical Ideas In Computer Science Anupam Gupta Danny Sleator CS Fall 2010 Lecture 20Oct 28, 2010Carnegie Mellon University.
1 FORMAL LANGUAGES, AUTOMATA AND COMPUTABILITY 15-453 (For next time: Read Chapter 1.3 of the book)

1 FORMAL LANGUAGES, AUTOMATA AND COMPUTABILITY (For next time: Read Chapter 1.3 of the book)
CS5371 Theory of Computation

CS5371 Theory of Computation
1 Approximate string matching using factor automata Jan Holub and Borivoj Melichar Theoretical Computer Science vol.249 p.305-311 Speaker: L. C. Chen Advisor:

1 Approximate string matching using factor automata Jan Holub and Borivoj Melichar Theoretical Computer Science vol.249 p Speaker: L. C. Chen Advisor:
61 Nondeterminism and Nodeterministic Automata. 62 The computational machine models that we learned in the class are deterministic in the sense that the.

61 Nondeterminism and Nodeterministic Automata. 62 The computational machine models that we learned in the class are deterministic in the sense that the.
Finite State Machines 1 95-771 Data Structures and Algorithms for Information Processing 1.

Finite State Machines Data Structures and Algorithms for Information Processing 1.
A String Constraint Solver for Detecting Web Application Vulnerability Xiang Fu Hofstra University Chung-Chih Li Illinois State University 07/03/2010SEKES.

A String Constraint Solver for Detecting Web Application Vulnerability Xiang Fu Hofstra University Chung-Chih Li Illinois State University 07/03/2010SEKES.
Eliminating Web Software Vulnerabilities with Automated Verification Tevfik Bultan Verification Lab Department of Computer Science University of California,

Eliminating Web Software Vulnerabilities with Automated Verification Tevfik Bultan Verification Lab Department of Computer Science University of California,
Javascript II Expressions and Data Types. 2 JavaScript Review programs executed by the web browser programs embedded in a web page using the script element.

Javascript II Expressions and Data Types. 2 JavaScript Review programs executed by the web browser programs embedded in a web page using the script element.
1 Pushdown Stack Automata Zeph Grunschlag. 2 Agenda Pushdown Automata Stacks and recursiveness Formal Definition.

1 Pushdown Stack Automata Zeph Grunschlag. 2 Agenda Pushdown Automata Stacks and recursiveness Formal Definition.
Finite Automata Chapter 5. Formal Language Definitions Why need formal definitions of language –Define a precise, unambiguous and uniform interpretation.

Finite Automata Chapter 5. Formal Language Definitions Why need formal definitions of language –Define a precise, unambiguous and uniform interpretation.
Topics Automata Theory Grammars and Languages Complexities

Topics Automata Theory Grammars and Languages Complexities
Automating Construction of Lexers. Example in javacc TOKEN: { ( | | _)* > | ( )* > | } SKIP: { | \n | \t } --> get automatically generated code.

Automating Construction of Lexers. Example in javacc TOKEN: { ( | | "_")* > | ( )* > | } SKIP: { " " | "\n" | "\t" } --> get automatically generated code.
Regular Expressions & Automata Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

Regular Expressions & Automata Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Eliminating Web Software Vulnerabilities with Automated Verification Tevfik Bultan Verification Lab Department of Computer Science University of California,

Eliminating Web Software Vulnerabilities with Automated Verification Tevfik Bultan Verification Lab Department of Computer Science University of California,

Similar presentations

Ads by Google