
Using HAZOP and FTA to Analyse Security Vulnerability of Web Application and Infrastructure

Pumisake Snamchaiskul 1 and Thitinan Phanrattanachai 2

1 Computer Engineering Program, Phetchabun Rajabhat University, Phetchabun, Thailand.
2 Electronics Technology Program, Phetchabun Rajabhat University, Phetchabun, Thailand.

Abstract. Emerging from safety engineering, Hazard and Operability Study (HAZOP) and Fault Tree Analysis (FTA) are two of the approaches employed in the analysis of safety-critical systems to identify hazards. This paper studies them, proposes some extensions to cover security issues of web applications, draws up guidelines for applying them to web applications and infrastructure, and finally analyses their effectiveness.

The results confirm that HAZOP can reveal some alternative insecure situations when the web application is part of a system that has to interact with third-party systems and/or when manual operations are needed. HAZOP can also be extended to cover the common vulnerabilities found in web applications: cross-site scripting, SQL injection and script injection, although its application contributes little to understanding and preventing those vulnerabilities. FTA, when applied to the common vulnerabilities of web applications, yields a similar result: it can be applied, but with little contribution. However, FTA can be usefully applied to structuring the vulnerabilities in web infrastructure.

Keywords: Web application, FTA, HAZOP, Vulnerability Analysis, Analytical Approach

1. Introduction

The WWW is a type of information system widely used mainly over the Internet. Many organisations choose to build their applications on the WWW, which has become the promising platform for business applications. Additionally, web applications are also the centres of Internet communities. Public web applications, e.g. free web-based mail, search engines and web portals, have enormous numbers of users all over the world.

Like any other information system, web applications and infrastructure need to have their security assured. The risk of a system should be analysed in order to plan proper countermeasures. One known ingredient of risk analysis is vulnerability analysis, the study of alternative system behaviours that lead to security compromise. This kind of behaviour is usually overlooked by the system analysis and design methods commonly used in software engineering.

The need for vulnerability analysis leads information system researchers to look for methodologies from other engineering disciplines. Hazard and Operability Study and Fault Tree Analysis, two of the analytical approaches commonly used in safety engineering, have been examined, and there is literature supporting their useful application to software and information systems. However, vulnerabilities in web applications and infrastructure have their own specific nature, so the applicability of those two approaches has been questioned. This paper investigates this matter.

2. The Vulnerabilities in Web Application and Infrastructure

Web applications are built on a text-based protocol called HTTP [1], which was originally designed to transport hypertext files, i.e. HTML files, across the Internet. Other facilities have since been added to it in order to aid the development of web applications, e.g. connecting with a DBMS, client-side scripting, etc. The interaction between those facilities causes some of the glitches found in web applications, and they can be exploited by attackers.

Corresponding author. E-mail address: [email protected]

2014 3rd International Conference on Informatics, Environment, Energy and Applications
IPCBEE vol.66 (2014) © (2014) IACSIT Press, Singapore DOI: 10.7763/IPCBEE.2014.V66.6

The vulnerabilities commonly reported in web applications are cross-site scripting [2], SQL injection [3] and script/command injection. All three are basically caused by poor input validation. In cross-site scripting, a malicious script is secretly attached to an input. The malicious script is run on the victims when they view that input in another module. The attack is commonly used to hijack the victim's session id; as a consequence, the attacker can do anything allowed by the victim's privileges. In SQL injection, a malicious SQL command is attached to an input that is used to generate the intended SQL command. Instead of the intended SQL command specified by the developer, the attacker's command is executed; as a consequence, the attacker can exploit this vulnerability to perform unauthorised modification of the database. In script/command injection, an input is used as part of an executable command, or the repository of uploaded files allows execution. The attacker can exploit these to execute any command he wants on the web server.

In web infrastructure, which basically consists of the OS, HTTP server and DBMS, vulnerabilities can be in any sub-system. This is because these components are developed separately by different organisations and each has its own way of specifying configuration. One known cause is mis-configuration of those entities. For the other causes, the failure mechanisms are beyond the knowledge of the web developer; therefore, those vulnerabilities can only be tracked through the vulnerability reports of software vendors or security-focused websites.

3. The Analytical Approaches

In safety engineering, system hazards have been studied in order to prevent them from endangering human life or the environment [4]. Hazards need to be identified at the beginning in order to formulate countermeasures later on. There are two complementary hazard-finding approaches: the inductive approach and the deductive approach. In the inductive approach, a sub-system's fault is analysed and, as a result, its effects on the other sub-systems or on the whole are anticipated. In the deductive approach, on the other hand, the fault of the whole system is specified and the system is analysed to come up with the causes situated in finer sub-systems. Two such approaches, HAZOP from the inductive side and FTA from the deductive side, are studied as follows.

3.1 Hazard and Operability Study (HAZOP)

HAZOP is an inductive approach emerging from the chemical process industry [4]. It was later applied to other industries, e.g. the oil, pharmaceutical and food processing industries [5]. It has also been reported to be useful when employed in the security context of information systems [6-8]. The key method HAZOP uses to identify hazards is the interpretation of guide words, which differ from industry to industry. For example, some of the guide words and their interpretations used in the chemical industry are shown in Table 1.

Guide word      Interpretation
NO              The attribute changes to the negative of the intention.
AS WELL AS      An additional activity is achieved as well.
OTHER THAN      Something other than the intention is achieved.
MORE/LESS       The attribute increases/decreases.
PART OF         Only part of the intention is achieved.

Table 1: Some of the interpretations used in the chemical industry [9]

The interpretation of a guide word is applied to the context of the system, e.g. to an attribute. This leads the analyst to anticipate deviations of the system. Because the lists of guide words are suggested by research in particular industries, analysts can ensure to some extent that they will not overlook potential deviations.

3.2 Fault Tree Analysis (FTA)

FTA is, on the other hand, a deductive approach. It is widely used in electronics, airliner design and nuclear power plants [10]. The consensus among researchers working in information system security is that it can be used to analyse security matters in information systems [11-16]. The key method of FTA is the use of a graphic notation to present the composition of a hazard, i.e. an undesired event, structurally. The construction process starts by specifying the known ultimate outcome as the top event of the tree. The top event is then analysed and, as a result, the causes of the event are identified. The causes of a given event are presented as the inputs of a graphic notation, the gate. A gate represents the composite logic, e.g. "and", "or", etc., that combines the inputs into the predecessor event. The tree is developed until the leaves are primary events. Some of the graphic notations and an example of a fault tree are shown in Fig. 1.

[Fig. 1 (figure, rendered as text): an example fault tree whose top event is "Loss of heating"; the other events shown are "Loss of fuel supply", "Loss of electricity", "Loss of solid fuel" and "Loss of liquid fuel". Legend: intermediate event, undeveloped event, basic event, INHIBIT gate with condition, AND gate, OR gate.]

Fig. 1: Graphic notations used in FTA and an example of a fault tree

4. The Guidelines and Extension for Applying the Approaches to Web Application and Infrastructure

4.1 HAZOP Guidelines and Extension

In order to employ HAZOP to analyse web applications, the analysis should be able to detect the three common vulnerabilities. Therefore, the interpretation of the guide words should be extended to cover them. The method of applying HAZOP to Use Cases as the design representation, proposed by Srivatanakul et al. [8], is suitable if some of the guide word interpretations are extended. Two suitable guide words, AS WELL AS and OTHER THAN, are therefore extended. AS WELL AS can be interpreted to mean that a malicious script is attached to the input; this can reveal cross-site scripting. The interpretation of OTHER THAN can be extended to mean that the input is, instead of information, actually an SQL command in the case of SQL injection, or an executable command or script file in the case of script injection.

The method of constructing and interpreting guide words proposed by Winther et al. [6] can also be applied to web applications, especially when there are interactions with third-party entities, e.g. a payment gateway, or when manual operations are needed.

4.2 FTA Guidelines

A fault tree of web application vulnerabilities can obviously be constructed by specifying the top event as one of the three common vulnerabilities mentioned above. In the case of the cross-site scripting tree, the intermediate nodes are the modules or pages that display data input to the application, and the leaves of the tree are the modules or pages that receive those inputs. In the case of SQL injection, the successor nodes are the modules or pages that construct SQL commands from input. Similarly, the successor nodes of script injection are the modules or pages that include input in an executed command or that perform file uploads.

A fault tree of web infrastructure can be constructed by specifying the top event as the phrase "vulnerable system". The intermediate nodes are the entities composing the system, e.g. HTTP server, DBMS, OS, etc., and the leaf nodes can be the vulnerabilities of those sub-systems published by software vendors or security-focused websites. A leaf node can also represent a configuration issue that is a commonly found mistake.
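The following is an added example, not code from the paper, showing the gate logic of section 3.2 applied to the two kinds of tree described in this section: the "vulnerable system" tree over HTTP server, DBMS and OS, and a cross-site scripting tree whose intermediate node is the display page and whose leaves are the input pages. All node names, advisory ids and fixed/unfixed states are constructed placeholders; computing minimal cut sets shows what an administrator still has to fix after partial patching.

```python
"""Fault trees for the web infrastructure of section 4.2 and the
'browse product catalogue' cross-site scripting case, evaluated with the
AND/OR gates of section 3.2.  Added example, not the authors' trees:
node names, advisory ids and fixed/unfixed states are placeholders."""
from dataclasses import dataclass
from itertools import product
from typing import List, Union

@dataclass
class Basic:
    """Primary (leaf) event: a published vulnerability, a misconfiguration
    or an unvalidated input page.  present=False once it has been fixed."""
    name: str
    present: bool = True

@dataclass
class Gate:
    """Intermediate event whose inputs are combined by an AND or OR gate."""
    name: str
    kind: str              # "AND" or "OR"
    inputs: List["Node"]

Node = Union[Basic, Gate]

def occurs(node: Node) -> bool:
    """Does the event happen given the current state of the leaves?"""
    if isinstance(node, Basic):
        return node.present
    results = [occurs(i) for i in node.inputs]
    return all(results) if node.kind == "AND" else any(results)

def cut_sets(node: Node) -> List[frozenset]:
    """Minimal cut sets: the smallest groups of present leaves each sufficient
    for the event, i.e. what still has to be fixed after partial patching."""
    if isinstance(node, Basic):
        return [frozenset([node.name])] if node.present else []
    child = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = {s for c in child for s in c}
    elif any(not c for c in child):     # one AND input can never occur
        return []
    else:
        sets = {frozenset().union(*combo) for combo in product(*child)}
    return sorted((s for s in sets if not any(o < s for o in sets)),
                  key=lambda s: sorted(s))

def infrastructure_tree() -> Gate:
    """Top event 'vulnerable system' over the sub-systems named in section 4.2;
    leaves are vendor advisories (placeholder ids) and common misconfigurations."""
    return Gate("Vulnerable system", "OR", [
        Gate("HTTP server", "OR", [Basic("HTTPD-ADVISORY-PLACEHOLDER-1"),
                                   Basic("directory listing enabled")]),
        Gate("DBMS", "OR", [Basic("DBMS-ADVISORY-PLACEHOLDER-1"),
                            Basic("default administrator password")]),
        Gate("OS", "OR", [Basic("OS-ADVISORY-PLACEHOLDER-1")]),
    ])

def xss_tree(staff_page_validated: bool) -> Gate:
    """Display page as intermediate event, input pages as leaves (section 4.2);
    the AND models that the display page must also render the stored data."""
    return Gate("Script runs in customer browser", "AND", [
        Basic("catalogue page renders stored product data"),
        Gate("unvalidated input reaches product data", "OR", [
            Basic("product update page (internal staff)", not staff_page_validated),
            Basic("supplier import page", present=False),   # assumed validated
        ]),
    ])
```

With every leaf present the infrastructure tree has five single-leaf cut sets; once all but the default password are fixed, that one leaf is the only remaining cut set, and validating the staff page makes the cross-site scripting top event impossible.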

5. The Results of the Scenario-based Analysis of the Extension and Guidelines

The application of the proposed extension and guidelines is tested on scenarios picked from functionality normally found in web applications, i.e. an e-commerce site and a community message board. The results are as follows.

5.1 The Result of HAZOP

The HAZOP analysis using the guide words and method suggested by Winther et al. [6] can reveal some alternative insecure situations of the system in the scenario "Order Checkout and Payment", shown in Fig. 2. The operation in this scenario needs to receive an e-mail from the payment gateway notifying the success of the payment, and the staff member who receives the e-mail then updates the order status manually. Examples of the insecure situations found are the interpretation of the guide word "Deliberate disclosure of mail due to outsider", which reveals that the e-mail can be eavesdropped, and the interpretation of "Unintentional manipulation of order status due to staff", which reveals the potential for error in the manual operation.

[Fig. 2 (sequence diagram, rendered as text): lifelines Customer, Order Man., Order DB, Payment, Staff. Messages in order: Submit Order; Insert Order; Insert succeed; Redirect to Payment GW; Submit Payment; Payment Accept; Payment Succeeding Notification; Update Order Status; Update Order; Update Succeed; Update Succeed.]

Fig. 2: The sequence diagram of the Order Checkout and Payment scenario

The HAZOP analysis using the extended version of the method proposed by Srivatanakul et al. [8] can straightforwardly reveal the common vulnerabilities in web applications. However, the result does not contribute much to the understanding of those vulnerabilities, because of the nature of web application vulnerabilities caused by poor input validation. One can argue that instead of putting effort into HAZOP analysis, one would do better to improve the input validation method. Moreover, the effects of the vulnerabilities yielded by the analysis are too broad. The effects of SQL injection and script injection are the security compromise of the whole web server and database. The effect of cross-site scripting is typically the hijacking of the victim's session ID, which the attacker can use to do anything allowed by the victim's privileges. Further analysis of those deviations of the sub-system is blocked at this point, which is considered unhelpful for further study of the vulnerability.
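As an added example (not the authors' tool), the worksheet below applies both methods of section 4.1 to the messages of Fig. 2: Winther-style guide words for every message, and the extended AS WELL AS / OTHER THAN interpretations only for messages whose data reaches a matching sink. Two assumptions are made: that the Winther guide words are composed as intent x effect x agent, the shape of the two examples quoted above, and that the sink each message reaches (html, sql, exec) is as declared in the constructed model.

```python
"""HAZOP worksheet for the Order Checkout and Payment scenario of Fig. 2,
combining the two methods of section 4.1.  Added example, not the authors'
tool.  Assumed: Winther-style guide words are intent x effect x agent (the
shape of the two examples quoted in section 5.1); the rule that extended
AS WELL AS / OTHER THAN readings apply only where a message's data reaches
a matching sink is this example's own."""
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List

INTENT = ("Deliberate", "Unintentional")
EFFECT = ("disclosure", "manipulation", "denial")

# Extended interpretations of section 4.1, keyed by the sink the data reaches.
EXTENDED = {
    "html": ("AS WELL AS", "a malicious script is attached to the input (cross-site scripting)"),
    "sql": ("OTHER THAN", "the input is an SQL command, not information (SQL injection)"),
    "exec": ("OTHER THAN", "the input is an executable command or script file (script injection)"),
}

@dataclass
class Message:
    """One arrow of the sequence diagram: its sender, its receiver, the sinks
    (html, sql, exec) its data later reaches, and whether a person handles it."""
    name: str
    sender: str
    receiver: str
    sinks: List[str] = field(default_factory=list)
    manual: bool = False

def winther_deviations(msg: Message) -> List[str]:
    """'<intent> <effect> of <message> due to <agent>'.  Outsiders are
    considered for every message; staff only where the step is manual."""
    agents = ["outsider"] + (["staff"] if msg.manual else [])
    return [f"{i} {e} of {msg.name} due to {a}"
            for i, e, a in product(INTENT, EFFECT, agents)]

def srivatanakul_deviations(msg: Message) -> List[str]:
    """Extended guide words, raised only for sinks the message actually feeds,
    so internal-only messages do not produce injection deviations."""
    return [f"{EXTENDED[s][0]}: {msg.name}: {EXTENDED[s][1]}" for s in msg.sinks]

def worksheet(messages: List[Message]) -> Dict[str, List[str]]:
    """Deviation rows per message; each row is a prompt for the analyst to
    record cause, consequence and countermeasure."""
    return {m.name: winther_deviations(m) + srivatanakul_deviations(m)
            for m in messages}

# Constructed model of Fig. 2.  Which sinks each message reaches is assumed:
# the submitted order is stored via SQL and later displayed as HTML.
ORDER_CHECKOUT = [
    Message("Submit Order", "Customer", "Order Man.", sinks=["sql", "html"]),
    Message("Insert Order", "Order Man.", "Order DB"),
    Message("Redirect to Payment GW", "Order Man.", "Payment"),
    Message("Submit Payment", "Customer", "Payment"),
    Message("Payment Succeeding Notification", "Payment", "Staff", manual=True),
    Message("Update Order Status", "Staff", "Order Man.", sinks=["sql"], manual=True),
]

if __name__ == "__main__":
    for name, rows in worksheet(ORDER_CHECKOUT).items():
        print(name)
        for row in rows:
            print("  -", row)
```

The two deviations quoted in the text appear as rows for "Payment Succeeding Notification" and "Update Order Status", the only messages with a staff agent, while "Submit Order" additionally gets the cross-site scripting and SQL injection rows.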

5.2 The Result of FTA

The fault trees of SQL injection and script injection are no better than a categorised list of the pages that need input validation, so they can be considered to make no contribution to the improvement of security. The cross-site scripting fault tree, on the contrary, shows the flow from input to output, and this can reveal some potential problems. For example, the cross-site scripting tree of the scenario "browse product catalogue", where product information is entered by staff and later browsed by customers, reveals that internal staff are able to perform a cross-site scripting attack on customers. Therefore, even though the product update page is used internally, the countermeasure, i.e. input validation, should be in place.

When FTA is applied to web infrastructure, the fault tree can be used to organise the reported vulnerabilities. This supports the suggestion by Brooke and Paige [16] that a fault tree can serve as an "attack handbook". The tree can be used by system administrators to keep track of vulnerabilities and their patches or work-arounds. It can also remind system administrators to patch a system or sub-system when it is newly built. For example, when a new web server is added to the server farm to cope with increasing workload, the system administrator can consult the fault tree to see which parts or sub-systems need to be carefully addressed.


6. Conclusion

HAZOP is applicable to web applications that interact with third parties and/or need manual operation by humans. HAZOP can reveal alternative insecure situations which might not be anticipated in common system design. It was also found that by extending the interpretation of the guide words, HAZOP can foresee the common vulnerabilities of web applications: cross-site scripting, SQL injection and script injection, even though this might not contribute much to preventing those vulnerabilities.

A fault tree of a web application can be constructed by specifying the top event as one of the common vulnerabilities of web applications. However, constructing fault trees of vulnerabilities in web applications does not contribute much to understanding and preventing the vulnerabilities. This is because of the nature of those vulnerabilities: they can occur in any sub-system, module or script page that needs input validation.

On the contrary, analysis of web infrastructure by FTA is useful. A fault tree of the vulnerabilities of the sub-systems in web infrastructure presents a structured list of vulnerabilities. System administrators can use it to understand and keep track of the vulnerabilities published by software vendors or security-focused websites.

7. References

[1] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1. IETF, 1999. http://www.ietf.org/rfc/rfc2616.txt

[2] M. Samuel, P. Saxena, and D. Song. Context-sensitive auto-sanitization in web templating languages using type qualifiers. In: Y. Chen (ed.), 18th ACM Conference on Computer and Communications Security, Chicago, 2011, pp. 587-600.

[3] J. Clarke. SQL Injection Attacks and Defense. 2nd ed. Syngress, 2012.

[4] N. Storey. Safety-critical Computer Systems. Addison Wesley, 1996.

[5] T. Kletz. Hazop and Hazan: Identifying and Assessing Process Industry Hazards. Institution of Chemical Engineers, 1999.

[6] R. Winther, O. Johnsen, and B. A. Gran. Security Assessments of Safety Critical Systems Using HAZOPs. In: U. Voges (ed.), Proc. of the 20th International Conference on Computer Safety, Reliability and Security, 2001, pp. 14-24.

[7] K. Lano, D. Clark, and K. Androutsopoulos. Safety and Security Analysis of Object-Oriented Models. In: S. Anderson (ed.), SAFECOMP 2002: The 21st International Conference on Computer Safety, Reliability and Security, Catania, 2002, pp. 82-93.

[8] T. Srivatanakul, J. Clark, and F. Polack. Effective Security Requirements Analysis: HAZOP and Use Cases. In: K. Zhang et al. (eds.), Information Security: 7th International Conference, ISC 2004, CA, USA, 2004, pp. 416-427.

[9] F. Redmill, M. Chudleigh, and J. Catmur. System Safety: HAZOP and Software HAZOP. John Wiley & Sons, 1999.

[10] W. E. Vesely, F. F. Goldberg, N. H. Roberts, and D. F. Haasl. Fault Tree Handbook: NUREG-0492. U.S. Nuclear Regulatory Commission, 1981.

[11] D. M. Kienzle and W. A. Wulf. A Practical Approach to Security Assessment. In: T. Haigh et al. (eds.), Proc. of the 1997 Workshop on New Security Paradigms, Cumbria, 1997, pp. 5-16.

[12] B. Schneier. Attack Trees: Modeling Security Threats. Dr. Dobb's Journal, December 1999, pp. 21-29.

[13] R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2001.

[14] A. P. Moore, R. J. Ellison, and R. C. Linger. Attack Modeling for Information Security and Survivability. Technical Note, Carnegie Mellon University, 2001.

[15] G. Helmer, J. Wong, M. Slagell, V. Honavar, and R. Lutz. A Software Fault Tree Approach to Requirements Analysis of an Intrusion Detection System. Requirements Engineering, 2002, 7: 207-220.

[16] P. J. Brooke and R. F. Paige. Fault Trees for Security System Design and Analysis. Computers & Security, 2003, 22(3): 256-264.
