
Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan (University of Illinois at Chicago, USA), ACM CCS, October 2010


1 Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan (University of Illinois at Chicago, USA), ACM CCS, October 2010. A Presentation at Advanced Defense Lab.

2 Outline: Introduction; Architecture & Challenges; Implementation; Evaluation; Related Work; Conclusion

3 Introduction: A novel approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications.

4 Introduction

5 Introduction
- Attack 1: Negative quantities, resulting in a "discount".
- Attack 2: Charging another user's account. A malicious user can purchase products and charge someone else's account.
- Attack 3: Pattern validation bypass, leading to XSS and SQL injection.

6 Introduction – Problem Description
- Σ: the alphabet; the input space is I = Σ* × Σ* × … × Σ*.
- A constraint-checking function maps I → {true, false}.
- Pserver: the constraint-checking function on the server.
- Pclient: the constraint-checking function on the client.
- Expected: Pserver(I) = true → Pclient(I) = true.
- Bug: Pserver(I) = true ∧ Pclient(I) = false (the server accepts an input the client would have rejected).

7 Introduction – Problem Description
- Fclient: a logical representation of Pclient.
- Fserver: a logical representation of Pserver.
- Hostile inputs h1, …, hn such that Fclient(hi) = false for each i.
- Benign inputs b1, …, bm such that Fclient(bj) = true for each j.
- H1, …, Hn: the server's responses to the hostile inputs.
- B1, …, Bm: the server's responses to the benign inputs.
- The more similar a hostile response is to the benign responses, the more likely the hostile input was successful.


9 ARCHITECTURE & CHALLENGES

10 ARCHITECTURE & CHALLENGES

11 ARCHITECTURE & CHALLENGES – HTML/JS Analyzer: simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX not supported), and executes all the initialization code for the web form concretely.

12 ARCHITECTURE & CHALLENGES – HTML/JS Analyzer
- Identifying JS validation code: code run when a form is submitted, and code run each time the user enters or changes data on the form.
- Analyzing JS validation code: a mixed concrete-symbolic execution approach. Symbolic execution provides coverage of all control paths; concrete execution enables NoTamper to ignore irrelevant code.
- Resolving DOM references: constructing the pertinent portion of the DOM, and simulating the DOM functions used to modify the DOM structure.

13 ARCHITECTURE & CHALLENGES – Input Generator
- Avoiding spurious rejections: checking that all "required" variables have values of the right type (can be manually overridden).
- Generating orthogonal hostile inputs: converts Fclient to disjunctive normal form (DNF).
- Coping with incomplete information: accepting hints (delta) from a human that guide the search for hostile and benign inputs.
- Addressing state changes: providing an optional list of variables required to have unique values.


15 Implementation

16 IMPLEMENTATION – Client Constraint Extraction
- Collects all the event handlers (and associated scripts) and generates a single function that invokes all of them.
- Simulates a small set of core DOM methods and properties: getElementById(), document.write(), innerHTML.

17 IMPLEMENTATION – Client Constraint Extraction

18 IMPLEMENTATION – Hostile Input Guidance
- Initial values: numbers; hidden fields (e.g., session identifier).
- Types, inferred from: the HTML widget associated with ( ); the initial value; occurrence in arithmetic constraints.
- Required variables: analyzing the HTML (e.g., asterisks next to field labels); drop-down lists.
- Unique variables.

19 IMPLEMENTATION – Input Generation
- Benign inputs: converts Fclient to DNF and finds one solution per disjunct (or).
- Hostile inputs: solutions of !Fclient.
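The problem statement on slides 6 and 7 and the generation step on slide 19 can be run end to end in a few dozen lines. The following is an added example written for this transcript, not the NoTamper authors' code: Fclient is a small formula over form fields, benign inputs come from one solution per disjunct of its DNF, hostile inputs from one solution per disjunct of !Fclient, and a constructed Pserver stands in for the real server so that the "Pserver true, Pclient false" bugs can be listed. The tuple-based formula syntax, the field names, the finite candidate domain (a brute-force stand-in for the HAMPI solver) and p_server_example are all assumptions made here.

```python
import re
from itertools import product

# Formula representation (constructed for this example, not NoTamper's own):
#   atom     ("atom", var, op, value)
#   compound ("and", f, g) | ("or", f, g) | ("not", f)
# "natom" is a negated atom produced while pushing negations inward.

OPS = {
    ">=": lambda x, v: x >= v,
    "<=": lambda x, v: x <= v,
    "==": lambda x, v: x == v,
    "matches": lambda x, v: re.fullmatch(v, str(x)) is not None,
}


def nnf(f):
    """Push every negation down to an atom (negation normal form)."""
    kind = f[0]
    if kind in ("atom", "natom"):
        return f
    if kind == "not":
        g = f[1]
        if g[0] == "atom":
            return ("natom",) + g[1:]
        if g[0] == "natom":
            return ("atom",) + g[1:]
        if g[0] == "not":
            return nnf(g[1])
        # De Morgan: not(and) -> or of negations, not(or) -> and of negations
        dual = "or" if g[0] == "and" else "and"
        return (dual, nnf(("not", g[1])), nnf(("not", g[2])))
    return (kind, nnf(f[1]), nnf(f[2]))


def dnf(f):
    """Disjunctive normal form as a list of conjunctions; each conjunction is a
    list of literals (negated, var, op, value).  One satisfying assignment per
    conjunction gives one test input exercising that path of the validator."""
    f = nnf(f)
    if f[0] == "atom":
        return [[(False,) + f[1:]]]
    if f[0] == "natom":
        return [[(True,) + f[1:]]]
    if f[0] == "or":
        return dnf(f[1]) + dnf(f[2])
    return [a + b for a in dnf(f[1]) for b in dnf(f[2])]   # "and": distribute


def holds(literal, assignment):
    neg, var, op, value = literal
    return OPS[op](assignment[var], value) != neg


def solve(conjunction, domain):
    """Return one assignment satisfying every literal, or None.  Brute force over
    a small finite domain per variable stands in for the HAMPI string solver."""
    names = sorted(domain)
    for values in product(*(domain[n] for n in names)):
        candidate = dict(zip(names, values))
        if all(holds(lit, candidate) for lit in conjunction):
            return candidate
    return None


def generate_inputs(f_client, domain):
    """Benign inputs: one per disjunct of Fclient.  Hostile inputs: one per
    disjunct of not(Fclient), so each one violates the client check differently."""
    benign = [s for s in (solve(c, domain) for c in dnf(f_client)) if s]
    hostile = [s for s in (solve(c, domain) for c in dnf(("not", f_client))) if s]
    return benign, hostile


def find_bugs(p_server, hostile):
    """Parameter-tampering opportunities: hostile inputs (Pclient false) that the
    server nevertheless accepts (Pserver true)."""
    return [h for h in hostile if p_server(h)]


# Constructed checkout form: the constraints its client-side JS would enforce.
F_CLIENT = ("and",
            ("and", ("atom", "quantity", ">=", 1), ("atom", "quantity", "<=", 99)),
            ("and", ("atom", "account", "==", "1001"),            # hidden field
                    ("atom", "email", "matches", r"[^@<>]+@[^@<>]+")))

# Candidate values the toy solver may pick from (constructed).
DOMAIN = {
    "quantity": [-3, 0, 1, 50, 99, 100],
    "account": ["1001", "1002"],
    "email": ["bob@example.com", "<script>"],
}


def p_server_example(i):
    """Constructed server check: re-validates the stock limit and that the account
    exists, but not the lower bound, the account's owner or the e-mail pattern,
    which are exactly the three attack classes from slide 5."""
    return i["quantity"] <= 99 and i["account"] in {"1001", "1002"} and bool(i["email"])


if __name__ == "__main__":
    benign, hostile = generate_inputs(F_CLIENT, DOMAIN)
    for bug in find_bugs(p_server_example, hostile):
        print("tampering opportunity:", bug)
```

Because !Fclient has one disjunct per client-side constraint, each hostile input breaks exactly one check while satisfying the rest, which is what the slides call orthogonal hostile inputs; in practice the server's verdict is of course read from its HTML response rather than from a Python predicate.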

20 IMPLEMENTATION – Constraint Solving: HAMPI [13]

21 IMPLEMENTATION – Constraint Solving

22 IMPLEMENTATION – HTML Response Comparison
- Compares the server's response against a response that is known to have been generated by benign (valid) inputs.
- Edit distance: Ratcliff/Obershelp algorithm.
- Remove the noise in B1 and B2 and produce C1.
- Remove the noise in B1 and Hi and produce C2.
- Compare C1 and C2; the result is the "difference rank".
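The comparison step on slide 22, as an added example that is not NoTamper's own code: difflib.SequenceMatcher, which the CPython documentation describes as a Ratcliff/Obershelp-style matcher, is used first to strip the request-specific noise that two benign responses disagree on (here a session id and a timestamp), and then to score how much of the remaining stable content a hostile response still shares. The HTML responses, the line-level granularity and the rank formula 1 − ratio are constructed for this example; the slides do not give NoTamper's exact noise-removal rules.

```python
import difflib

# Constructed server responses (HTML, one element per line).  The session id and
# timestamp change on every request, so two benign responses differ only there.
B1 = """<html><body>
<p>Order confirmed</p>
<p>Session sid=1111</p>
<p>Time 10:00:01</p>
<p>Total: $40</p>
</body></html>"""
B2 = B1.replace("sid=1111", "sid=2222").replace("10:00:01", "10:00:07")

# Hostile input accepted: a negative quantity made it all the way into the total.
H_ACCEPTED = (B1.replace("sid=1111", "sid=3333")
                .replace("10:00:01", "10:00:12")
                .replace("$40", "$-40"))
# Hostile input rejected: the server re-validated and rendered an error page.
H_REJECTED = """<html><body>
<p>Error: invalid quantity</p>
</body></html>"""


def common_lines(a, b):
    """Lines of `a` that the matcher aligns with `b`; everything else in `a`
    is treated as noise and dropped."""
    a_lines, b_lines = a.splitlines(), b.splitlines()
    sm = difflib.SequenceMatcher(None, a_lines, b_lines, autojunk=False)
    return [line for i, _, n in sm.get_matching_blocks() for line in a_lines[i:i + n]]


def difference_rank(b1, b2, h):
    """0.0: the hostile response is indistinguishable from a benign one once the
    noise is removed (hostile input most likely accepted); 1.0: nothing in common."""
    c1 = common_lines(b1, b2)   # B1 with request-specific noise removed
    c2 = common_lines(b1, h)    # B1 restricted to what the hostile response kept
    return 1.0 - difflib.SequenceMatcher(None, c1, c2, autojunk=False).ratio()


def rank_hostile_responses(b1, b2, responses):
    """Rank labelled hostile responses, most suspicious (lowest rank) first."""
    ranks = {name: difference_rank(b1, b2, h) for name, h in responses.items()}
    return sorted(ranks.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    for name, rank in rank_hostile_responses(
            B1, B2, {"negative quantity": H_ACCEPTED, "out-of-range quantity": H_REJECTED}):
        print(f"{name}: difference rank {rank:.3f}")
```

Removing the noise first matters: without it the session id and timestamp lines would count against every hostile response equally and compress the gap between an accepted and a rejected input. The ranks are only a priority order for a human reviewer, which is why the slides call the output "opportunities" rather than confirmed vulnerabilities.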

23 IMPLEMENTATION
- HTML analysis: built on top of the APIs provided by the HTML Parser.
- JavaScript analysis: a symbolic evaluator based on a modified Narcissus JavaScript engine.
- Input Generator: HAMPI.
- Opportunity Detector: a Java-based module that relays HTTP requests to the test server.


25 Evaluation
- Selected 8 open source applications and 5 live websites (http://opensourcescripts.com).
- Test server: Linux, Apache web server (2.8 GHz Dual Intel Xeon, 6.0 GB RAM).
- NoTamper machine: Ubuntu 9.10 (2.45 GHz Quad Intel, 2.0 GB RAM).

26 Evaluation

27 Evaluation

28 Evaluation
- Unauthorized money transfers: www.selfreliance.com.
- Unlimited shopping rebates: www.codemicro.com (fixed within 24 hours).
- Privilege escalation: OpenIT, by manipulating the userid parameter.

29 Evaluation – False Positives
- Pertaining to maxlength constraints on form inputs that could not be exploited for any serious vulnerability.
- Values rewritten by the server without any observable difference in the HTML output.

30 Evaluation

31 Evaluation

32 Evaluation – Performance
- Input Generator: solved 315 formulas in a total of 219 seconds, an average of 0.7 seconds per input.
- HTML / JavaScript analysis: runs in under a second.
- Opportunity Detector: runs in sub-second time for each application.


34 Related Work: NoTamper's goals focus on discovering vulnerabilities in existing (legacy) applications.


36 Conclusion: NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.

