Page 1
An Analysis Framework for Security in Web Applications
Gary Wassermann and Zhendong Su
University of California, Davis
Page 2
Web Application Architecture
[Diagram: Web browser -> Application -> Database. The browser sends user input to the application; the application generates a database query based on that user input; the database returns a result set, from which the application builds the web page.]
Page 3
Command Injection Attacks
String query = "SELECT * FROM users WHERE username = '" + strUName + "' AND password = '" + strPasswd + "';";
Expected input produces: SELECT * FROM users WHERE username = 'John' AND password = 'JohnsPass';
Result: John logs in
Page 4
Command Injection Attacks
String query = "SELECT * FROM users WHERE username = '" + strUName + "' AND password = '" + strPasswd + "';";
Malicious input produces: SELECT * FROM users WHERE username = '' AND password = '' OR '' = '';
Result: Malicious user logs in as the first user identified in the database. Frequently, the administrator!
Page 5
Motivation
~60% of web applications are vulnerable
Found vulnerable sites easily in web search
Many ways to regulate user inputs
Limit length of input
Filter out “bad” strings
Escape quotes, etc.
Are the regulations sufficient?
Goal: Check whether any “dangerous” queries, not user inputs, exist
Page 6
Example: change admin password
Attacker registers online:
Username: admin'--
Password: password
INSERT INTO users VALUES('admin''--', 'password')
Page 7
Example: change admin password
Attacker changes password:
Username: admin'--
OldPass: password
NewPass: backdoor
Page 8
Example: change admin password
Application checks correctness of old password:
sql = "SELECT * FROM users WHERE username = 'admin''--' AND password = 'password'";
rso.open( sql, cn );
if (rso.EOF) {...}
Page 9
Example: change admin password
Admin's password gets changed:
sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";
UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'
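The three queries of the change-password example, replayed against an in-memory SQLite database as an added Python example (not the authors' code). It shows why escaping at the input boundary is not enough: the username read back from the result set is concatenated unescaped, so the stored quote and comment marker re-enter the UPDATE. The parameterized version beside it binds that value instead. Table layout and passwords are constructed.

```python
import sqlite3

def setup():
    # Constructed sample database: the real admin account plus the attacker's
    # self-registered account, whose quote was escaped on the way in (slide 6).
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    cn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    uname = "admin'--".replace("'", "''")     # stored literally as admin'--
    cn.execute(f"INSERT INTO users VALUES ('{uname}', 'password')")
    return cn

def esc(s):
    return s.replace("'", "''")

def change_password_concat(cn, username, oldpass, newpass):
    # Old-password check: the form fields are escaped, so this query is
    # well-formed and matches only the attacker's own row.
    sql = (f"SELECT * FROM users WHERE username = '{esc(username)}' "
           f"AND password = '{esc(oldpass)}'")
    row = cn.execute(sql).fetchone()
    if row is None:
        return None
    # The username read back from the result set (the slide's rso("username"))
    # is concatenated without escaping: its quote closes the literal and the
    # "--" comments out the rest, so the WHERE clause now targets 'admin'.
    sql = (f"UPDATE users SET password = '{esc(newpass)}' "
           f"WHERE username = '{row[0]}'")
    cn.execute(sql)
    return sql

def change_password_param(cn, username, oldpass, newpass):
    # Hardened form: every value, including data read back from the database,
    # is bound as a parameter and can never change the query's structure.
    row = cn.execute("SELECT * FROM users WHERE username = ? AND password = ?",
                     (username, oldpass)).fetchone()
    if row is None:
        return None
    cn.execute("UPDATE users SET password = ? WHERE username = ?",
               (newpass, row[0]))
    return row[0]

def password_of(cn, username):
    return cn.execute("SELECT password FROM users WHERE username = ?",
                      (username,)).fetchone()[0]
```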
Page 10
Overview of Analysis Framework
[Diagram: Application code (query = ...) feeds an Abstract Model of Generated Programs; Structure Discovery recovers table lists, conditional expressions and select statements; the model is then checked for Access Control (Ex: "customer" deletes inventory data) and Tautologies (Ex: malicious user bypasses authentication).]
Page 11
Example with cycles
String query = "SELECT * FROM stock WHERE " + strID + " = id";
for( int i = 0; i < dat.length(); i++)
    query = query + " AND " + dat[i] + " = " + inp[i];
Page 12
Example with cycles
dat (from dropdown menu): year, min
Page 13
Example with cycles
dat (from dropdown menu): year, min
inp (from textbox): 2004, 15
Page 14
Example with cycles
dat: year, min
inp: 2004, 15 (filtered with {"delete", "xp_", "=", "from", "or"})
Page 15
Example with cycles
dat: year, min
inp: 2004, 15 (filtered with {"delete", "xp_", "=", "from", "or"})
Generated query: SELECT * FROM stock WHERE 982 = id AND year = 2004 AND min = 15
Page 16
Example with cycles
dat: min, min
inp: 14, 15) (filtered with {"delete", "xp_", "=", "from", "or"})
Generated query: SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)
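The loop example above as an added Python example (not the authors' code): it assembles the query exactly as the slide's loop does, applies the slide's keyword filter to the textbox values, and then runs a constructed check for the NOT( ... AND ... ) shape that the filter lets through. The check is a runtime approximation for this query shape (a conjunction of column = constant terms, optionally under NOT), not the paper's FSA-based analysis; the column and value names are the slide's.

```python
import re

FILTER = {"delete", "xp_", "=", "from", "or"}   # blocklist from the slide

def passes_filter(value):
    v = value.lower()
    return not any(bad in v for bad in FILTER)

def build_query(str_id, dat, inp):
    # Mirrors the slide's loop: the filter is applied to each textbox value,
    # but the query is still assembled by string concatenation.
    query = "SELECT * FROM stock WHERE " + str_id + " = id"
    for col, val in zip(dat, inp):
        if not passes_filter(val):
            raise ValueError(f"rejected input: {val!r}")
        query = query + " AND " + col + " = " + val
    return query

_WHERE = re.compile(r"WHERE\s+(NOT\s*\()?\s*(.*?)\)?\s*;?\s*$", re.S)
_EQ = re.compile(r"^\s*(\w+)\s*=\s*(\w+)\s*$")

def where_is_tautology(query):
    # Constructed check: if the same column is equated to two different
    # constants inside a conjunction, that conjunction is unsatisfiable, so
    # NOT(...) around it is a tautology (every row passes the WHERE clause).
    # Returns False for any shape it does not understand rather than guessing.
    m = _WHERE.search(query)
    if not m:
        return False
    negated, body = bool(m.group(1)), m.group(2)
    bindings = {}
    for term in body.split(" AND "):
        eq = _EQ.match(term)
        if not eq:
            return False            # unsupported term: no verdict
        lhs, rhs = eq.groups()
        col, const = (rhs, lhs) if lhs.isdigit() else (lhs, rhs)
        if not const.isdigit():
            return False            # column compared to a column: no verdict
        if bindings.setdefault(col, const) != const:
            return negated          # contradiction found under NOT => tautology
    return False
```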
Page 17
String Analysis (previous work)
[FSA over all queries the loop can generate: SELECT * FROM stock WHERE NOT ( x = id AND min = y ... min = z ), with an ε-transition closing the cycle for the loop body; one accepted string is shown below]
SELECT * FROM stock WHERE
NOT(1 = id AND min = 14 AND min = 15)
Page 18
Structure Discovery (previous work)
[Same FSA; structure discovery identifies the part after WHERE, NOT ( x = id AND min = y ... min = z ), as the Boolean expression]
Page 19
Tautology checking
[Same FSA with the Boolean expression isolated]
NOT ( x = id and min = y and min = z )
Theorem: We discover a tautology over linear arithmetic iff the FSA accepts one.
Page 20
Overview of Tautology Checking
Main idea: Generate a finite number of validity queries from the FSA
Challenges: Loops/cycles, both arithmetic and Boolean
Page 21
Tautology Checking: Arithmetic Loops
[FSA with in = 1 and out = 1, whose edges are traversed W, X, Y and Z times; the edge labels carry the terms a, b, c, +c and ≥]
Path constraints over W, X, Y, Z: 1 = W + X ∧ X + W + Y = Y + Z ∧ Z = 1
Validity query over a, b, c: W×(a) + X×(b) + Y×(c) ≥ Z×(b+c)
Example assignment: {W, Y, Z ← 1; X ← 0}
Instance shown on the slide: b+c ≥ b+c
Page 22
Tautology Checking: Boolean Loops
[FSA for a Boolean loop generating a OR b OR b ..., shown unrolled several times; the number of unrollings is n+2 = 4]
Page 23
Earlier Example Revisited
UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'
[FSA for the generated UPDATE queries: UPDATE users SET password = ' w ' WHERE username = ' x ' --, where w and x stand for the concatenated newpass and username values]
Page 24
Earlier Example Revisited
sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";
This code may also generate a query with a tautology:
UPDATE users SET password = 'backdoor' WHERE username = '' OR 'a'='a';
Page 25
Earlier Example Revisited
[Same FSA with the tautology path: UPDATE users SET password = ' w ' WHERE username = ' x ' OR ' y ' = ' z ']
UPDATE users SET password = 'backdoor' WHERE username = '' OR 'a'='a';
Page 26
Conclusions
Analysis Framework: Generate and analyze FSA model of all possible queries
Semantic analysis of generated programs
Not only types but values
Implementation in progress
Questions?
Page 28
Why n+2?