Transcript of Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan...
- Slide 1
- Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan
  University of Illinois at Chicago, USA
  ACM CCS (Oct 2010)
  A Presentation at Advanced Defense Lab
- Slide 2
- Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion
  Advanced Defense Lab
- Slide 3
- Introduction: NoTamper, a novel black-box approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications.
- Slide 4
- Introduction (figure slide; no text)
- Slide 5
- Introduction: example attacks
  - Attack 1: Negative quantities, resulting in a discount.
  - Attack 2: Charging another user's account. A malicious user can purchase products and charge someone else's account.
  - Attack 3: Pattern validation bypass, leading to XSS and SQL injection.
- Slide 6
- Introduction: Problem Description
  Σ: the alphabet.
  I = Σ* × Σ* × ... × Σ* (one component per form parameter).
  P: I → {true, false}
  Pserver: constraint-checking function on the server.
  Pclient: constraint-checking function on the client.
  Expected: Pserver(I) = true → Pclient(I) = true
  BUG: Pserver(I) = true ∧ Pclient(I) = false
- Slide 7
- Introduction: Problem Description
  Fclient: a logical representation of Pclient.
  Fserver: a logical representation of Pserver.
  (hostile inputs) h1, ..., hn such that Fclient(hi) = false for each i.
  (benign inputs) b1, ..., bm such that Fclient(bj) = true for each j.
  (hostile responses from the server) H1, ..., Hn
  (benign responses from the server) B1, ..., Bm
  The more similar a hostile response is to the benign responses, the more likely the hostile input was successful.
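The three attacks on slide 5 and the bug condition on slide 6, as an added Python example (not code from the NoTamper paper or from this presentation). The shop catalog, the session-bound account, the weak and hardened server checks and the hostile form submissions are all constructed for the illustration; a bug is any input I with Pserver(I) = true and Pclient(I) = false.

```python
"""Parameter tampering as a client/server validation mismatch.

Added example: a constructed shop form with client-side validation
(p_client), a server that trusts the browser (p_server_weak) and one that
re-validates every constraint (p_server_strict).
"""
import re

CATALOG = {"widget": 10.00}      # constructed price list
SESSION_ACCOUNT = "alice"        # account bound to the logged-in session


def p_client(form):
    """Mirror of the JavaScript validation the browser would run (Pclient)."""
    return (
        form["quantity"].isdigit() and int(form["quantity"]) >= 1
        and form["account"] == SESSION_ACCOUNT                 # pre-filled hidden field
        and re.fullmatch(r"[A-Za-z0-9 ]{1,40}", form["note"]) is not None
    )


def p_server_weak(form):
    """Server that assumes the browser already validated (Pserver with gaps):
    it only checks that the product exists and that quantity parses as an int."""
    return form["product"] in CATALOG and form["quantity"].lstrip("-").isdigit()


def p_server_strict(form):
    """Hardened server: every client-side constraint is re-checked, so
    Pserver(I) = true implies Pclient(I) = true."""
    return form["product"] in CATALOG and p_client(form)


def is_tampering_bug(p_server, form):
    """Slide 6: Pserver(I) = true and Pclient(I) = false."""
    return p_server(form) and not p_client(form)


def charge(form):
    """Amount the weak server would bill: a negative quantity becomes a refund."""
    return int(form["quantity"]) * CATALOG[form["product"]]


BENIGN = {"product": "widget", "quantity": "2", "account": "alice", "note": "gift"}

# Constructed hostile submissions, one per attack on slide 5.
HOSTILE = {
    "negative quantity":      {**BENIGN, "quantity": "-3"},
    "charge another account": {**BENIGN, "account": "bob"},
    "pattern bypass":         {**BENIGN, "note": "<script>alert(1)</script>"},
}


def find_bugs(p_server):
    """Names of hostile inputs the given server accepts although the client rejects them."""
    return sorted(name for name, form in HOSTILE.items() if is_tampering_bug(p_server, form))


if __name__ == "__main__":
    print("weak server bugs:  ", find_bugs(p_server_weak))
    print("strict server bugs:", find_bugs(p_server_strict))
    print("weak server bills for negative quantity:", charge(HOSTILE["negative quantity"]))
```

The weak server accepts all three tampered submissions because it only re-checks what it needs to process the order, not what the form promised; the strict server reuses the exact client predicate and therefore accepts nothing the browser would have refused.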
- Slide 8
- Outline (next section: Architecture & Challenges)
- Slide 9
- Architecture & Challenges (figure slide; no text)
- Slide 10
- Architecture & Challenges (figure slide; no text)
- Slide 11
- Architecture & Challenges: HTML/JS Analyzer
  - Simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX not supported).
  - Executes all the initialization code for the web form concretely.
- Slide 12
- Architecture & Challenges: HTML/JS Analyzer
  - Identifying JS validation code: runs when a form is submitted, and each time the user enters or changes data on the form.
  - Analyzing JS validation code: employs a mixed concrete-symbolic execution approach. Symbolic execution provides coverage of all control paths; concrete execution enables NoTamper to ignore irrelevant code.
  - Resolving DOM references: constructs the pertinent portion of the DOM and simulates the DOM functions that are used to modify the DOM structure.
- Slide 13
- Architecture & Challenges: Input Generator
  - Avoiding spurious rejections: checks that all required variables have values of the right type (can be manually overridden).
  - Generating orthogonal hostile inputs: converts the (negated) Fclient to disjunctive normal form (DNF), one hostile input per disjunct.
  - Coping with incomplete information: accepts hints (delta) from a human that guide the search for hostile and benign inputs.
  - Addressing state changes: accepts an optional list of variables required to have unique values.
- Slide 14
- Outline (next section: Implementation)
- Slide 15
- Implementation
- Slide 16
- Implementation: Client Constraint Extraction
  - Collects all the event handlers (and associated scripts) and generates a single function that invokes all of those event handlers.
  - Simulates a small set of core DOM methods and properties: getElementById(), document.write(), innerHTML.
- Slide 17
- Implementation: Client Constraint Extraction (figure slide; no text)
- Slide 18
- Implementation: Hostile Input Guidance
  - Initial values: numbers; hidden fields (e.g., session identifier).
  - Types: inferred from the HTML widget associated with the variable, its initial value, and its occurrence in arithmetic constraints.
  - Required variables: inferred by analyzing the HTML (e.g., asterisks next to field labels, drop-down lists).
  - Unique variables.
- Slide 19
- Implementation: Input Generation
  - Benign inputs: converts Fclient to DNF and finds one solution per disjunct (or).
  - Hostile inputs: solves !Fclient.
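The DNF-based generation of slides 13 and 19, as an added Python example that is not NoTamper's code. The formula AST, the checkout constraints, the candidate domains and the brute-force stand-in for the HAMPI solver are all assumptions of the example; NoTamper itself hands each disjunct to HAMPI.

```python
"""Benign and hostile input generation from Fclient by DNF conversion.

Added example in the style of slides 13 and 19; not NoTamper's code.
NoTamper solves each disjunct with the HAMPI string solver.  Here an
exhaustive search over small constructed candidate domains stands in for
the solver so the example runs offline.  Formula AST (assumed for this
example): ("atom", label, predicate), ("and", [..]), ("or", [..]), ("not", f).
"""
import re
from itertools import product


def atom(label, predicate):
    return ("atom", label, predicate)


def evaluate(f, assignment):
    """Truth value of formula f under a {parameter: string} assignment."""
    kind = f[0]
    if kind == "atom":
        return f[2](assignment)
    if kind == "not":
        return not evaluate(f[1], assignment)
    if kind == "and":
        return all(evaluate(g, assignment) for g in f[1])
    return any(evaluate(g, assignment) for g in f[1])          # "or"


def negate(f):
    """Negate f, pushing the negation down to the atoms (negation normal form)."""
    kind = f[0]
    if kind == "atom":
        return ("not", f)
    if kind == "not":
        return f[1]
    if kind == "and":
        return ("or", [negate(g) for g in f[1]])
    return ("and", [negate(g) for g in f[1]])                  # "or"


def to_dnf(f):
    """Disjunctive normal form: a list of disjuncts, each a list of literals."""
    kind = f[0]
    if kind == "atom" or (kind == "not" and f[1][0] == "atom"):
        return [[f]]
    if kind == "not":                      # negated compound: push the negation in first
        return to_dnf(negate(f[1]))
    if kind == "or":
        return [d for g in f[1] for d in to_dnf(g)]
    disjuncts = [[]]                       # "and": distribute over the children's disjuncts
    for g in f[1]:
        disjuncts = [d1 + d2 for d1 in disjuncts for d2 in to_dnf(g)]
    return disjuncts


def solve(disjunct, domains):
    """Stand-in for HAMPI: first assignment from the candidate domains that
    satisfies every literal of the disjunct, or None if there is none."""
    names = sorted(domains)
    for values in product(*(domains[n] for n in names)):
        assignment = dict(zip(names, values))
        if all(evaluate(lit, assignment) for lit in disjunct):
            return assignment
    return None


def generate_inputs(f_client, domains):
    """Slide 19: one benign input per disjunct of Fclient, one hostile input
    per disjunct of not-Fclient, so each hostile input breaks validation in a
    distinct way (slide 13's 'orthogonal' hostile inputs)."""
    benign = [s for s in (solve(d, domains) for d in to_dnf(f_client)) if s is not None]
    hostile = [s for s in (solve(d, domains) for d in to_dnf(negate(f_client))) if s is not None]
    return benign, hostile


# Fclient of a constructed checkout form: quantity in 1..5, and the coupon
# either left empty or a four-letter upper-case code.
F_CLIENT = ("and", [
    atom("qty_in_range", lambda a: a["quantity"].isdigit() and 1 <= int(a["quantity"]) <= 5),
    ("or", [
        atom("coupon_empty", lambda a: a["coupon"] == ""),
        atom("coupon_pattern", lambda a: re.fullmatch(r"[A-Z]{4}", a["coupon"]) is not None),
    ]),
])

# Constructed candidate values the stand-in solver may choose from.
DOMAINS = {"quantity": ["3", "0", "-1", "9", "abc"],
           "coupon": ["", "SAVE", "save", "' OR 1=1--"]}

if __name__ == "__main__":
    benign, hostile = generate_inputs(F_CLIENT, DOMAINS)
    print("benign: ", benign)
    print("hostile:", hostile)
```

With this Fclient, the negated formula has two disjuncts (bad quantity; coupon neither empty nor matching the pattern), so exactly two hostile inputs come out, each violating a different constraint. That is what makes the server-side comparison informative: if the server accepts the second one, it is the coupon check specifically that is missing on the server.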
- Slide 20
- Implementation: Constraint Solving
  - HAMPI [13], a string constraint solver.
- Slide 21
- Implementation: Constraint Solving (figure slide; no text)
- Slide 22
- Implementation: HTML Response Comparison
  - Compares the server's response against a response that is known to have been generated by benign (valid) inputs.
  - Edit distance: Ratcliff/Obershelp algorithm.
  - Remove the noise in B1 and B2 to produce C1.
  - Remove the noise in B1 and Hi to produce C2.
  - Compare C1 and C2; the result is the difference rank.
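The response comparison of slide 22, as an added Python example (not NoTamper's code). difflib.SequenceMatcher implements the Ratcliff/Obershelp matching named on the slide. The responses are constructed, and the three steps follow one reading of the slide that is an assumption of this example: C1 is B1 with the benign-vs-benign differences (noise) removed, C2 is B1 with the benign-vs-hostile differences removed, and the rank is 1 minus the similarity of C1 and C2.

```python
"""Rank hostile responses by their similarity to a benign response (slide 22).

Added example.  difflib.SequenceMatcher implements Ratcliff/Obershelp
"gestalt" pattern matching.  Responses below are constructed; the noise
removal follows one reading of the slide's three steps (an assumption).
"""
import difflib


def stable_part(base, other):
    """Return the characters of `base` that SequenceMatcher finds unchanged in `other`."""
    sm = difflib.SequenceMatcher(None, base, other, autojunk=False)
    return "".join(base[i1:i2] for tag, i1, i2, _, _ in sm.get_opcodes() if tag == "equal")


def difference_rank(b1, b2, hostile):
    """0.0 = hostile response indistinguishable from benign once noise is removed,
    1.0 = nothing in common.  A low rank suggests the server accepted the tampered input."""
    c1 = stable_part(b1, b2)        # benign response minus order-id/timestamp noise
    c2 = stable_part(b1, hostile)   # benign response minus whatever the hostile response changed
    return 1.0 - difflib.SequenceMatcher(None, c1, c2, autojunk=False).ratio()


def rank_responses(b1, b2, hostile_responses):
    """Sort hostile responses by difference rank, most benign-looking first."""
    ranked = [(difference_rank(b1, b2, h), name) for name, h in hostile_responses.items()]
    return sorted(ranked)


# Constructed server responses.  B1/B2: two benign orders whose id, time and
# totals differ (that variation is the noise).  H_ACCEPTED: the server took a
# negative quantity and printed a negative total.  H_REJECTED: an error page.
B1 = ("<html><body><p>Order #1001 placed at 10:00:01</p><p>Item: widget x 2</p>"
      "<p>Total: $20.00</p><p>Thank you for shopping with us</p></body></html>")
B2 = ("<html><body><p>Order #1002 placed at 10:00:07</p><p>Item: widget x 3</p>"
      "<p>Total: $30.00</p><p>Thank you for shopping with us</p></body></html>")
H_ACCEPTED = ("<html><body><p>Order #1003 placed at 10:00:12</p><p>Item: widget x -3</p>"
              "<p>Total: $-30.00</p><p>Thank you for shopping with us</p></body></html>")
H_REJECTED = "<html><body><h1>Error</h1><p>Invalid quantity supplied</p></body></html>"

HOSTILE = {"accepted": H_ACCEPTED, "rejected": H_REJECTED}

if __name__ == "__main__":
    for rank, name in rank_responses(B1, B2, HOSTILE):
        print(f"{name:9s} difference rank = {rank:.3f}")
```

The accepted response differs from B1 only in the same places where B2 differs (order number, time, amounts), so almost nothing survives as a real difference and its rank is close to zero; the error page shares little beyond the HTML skeleton with B1 and ranks far higher. In practice the ranks are a triage order for a human, as slide 7 says: the closer a hostile response sits to the benign ones, the more likely the tampered input went through.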
- Slide 23
- Implementation
  - HTML analysis: built on top of the APIs provided by HTML Parser.
  - JavaScript analysis: a symbolic evaluator based on a modified Narcissus JavaScript engine.
  - Input Generator: HAMPI.
  - Opportunity Detector: Java-based module that relays HTTP requests to the test server.
- Slide 24
- Outline (next section: Evaluation)
- Slide 25
- Evaluation: setup
  - Selected 8 open source applications (from http://opensourcescripts.com) and 5 live websites.
  - Test server: Linux Apache web server (2.8 GHz Dual Intel Xeon, 6.0 GB RAM).
  - NoTamper host: Ubuntu 9.10 (2.45 GHz Quad Intel, 2.0 GB RAM).
- Slide 26
- Evaluation (figure slide; no text)
- Slide 27
- Evaluation (figure slide; no text)
- Slide 28
- Evaluation: findings
  - Unauthorized money transfers: www.selfreliance.com
  - Unlimited shopping rebates: www.codemicro.com (fixed within 24 hours)
  - Privilege escalation: OpenIT, by manipulating the userid parameter.
- Slide 29
- Evaluation: False Positives
  - Pertained to maxlength constraints on form inputs that could not be exploited for any serious vulnerability.
  - Inputs rewritten by the server without any observable difference in the HTML output.
- Slide 30
- Evaluation (figure slide; no text)
- Slide 31
- Evaluation (figure slide; no text)
- Slide 32
- Evaluation: Performance
  - Input Generator: solved 315 formulas in a total of 219 seconds, an average of 0.7 seconds per input.
  - HTML/JavaScript analysis: ran in under a second.
  - Opportunity Detector: ran in sub-second time for each application.
- Slide 33
- Outline (next section: Related Work)
- Slide 34
- Related Work: NoTamper's goals focus on discovering vulnerabilities in existing (legacy) applications.
- Slide 35
- Outline (next section: Conclusion)
- Slide 36
- Conclusion: NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.