SPaCiTE – Web Application Testing Engine
Matthias Büchler, Johan Oudinet, and Alexander Pretschner
April 21, 2012
Certifiable Trustworthy IT Systems
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association

Motivation / Purpose of the Tool
Secure Model: M ⊨ φ
Web Application: Is the web application secure?
How does a secure model help to answer this question?

Motivation / Purpose of the Tool
[Figure: Client Side, Server Side]

SPaCiTE Workflow
How SPaCiTE executes test cases (attack traces) based on secure models

The Secure Model – Abstract Messages

The Secure Model – Horn Clauses

The Secure Model – The Honest User

The Secure Model – The Server

The Secure Model – Secrecy Goal

Model-Based Flaw Injection Library
isAuthorizedTo*

Model Checking
Reuse AVANTSSAR backends: SATMC, CL-ATSE, OFMC

Abstract Attack Trace
->*webServer : login(tom,password(tom,webServer))
webServer-> : listStaffOf(tom)
*->webServer : viewProfileOf(jerry)
webServer*->* : profileOf(jerry)

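The abstract attack trace above, parsed into structured steps and split into test stimuli and expected observations. This is an added example, not part of the original slides and not SPaCiTE code. The helper names (`parse_term`, `parse_trace`, `split_roles`, `reproduced`) are hypothetical, and treating messages sent to `webServer` as stimuli and messages sent by it as expected observations is an assumption.

```python
import re
from collections import namedtuple
# The four steps exactly as printed on the slide. Each step lacks a sender
# or a receiver; those fields stay empty rather than being guessed.
TRACE = """\
->*webServer : login(tom,password(tom,webServer))
webServer-> : listStaffOf(tom)
*->webServer : viewProfileOf(jerry)
webServer*->* : profileOf(jerry)
"""

Step = namedtuple("Step", "sender channel receiver message")
STEP_RE = re.compile(r"^(\w*)\s*(\*?->\*?)\s*(\w*)\s*:\s*(.+)$")

def parse_term(text):
    """Parse f(a,g(b,c)) into ('f', ['a', ('g', ['b', 'c'])])."""
    text = text.strip()
    if "(" not in text:
        return text                      # constant such as tom or jerry
    if not text.endswith(")") or text.count("(") != text.count(")"):
        raise ValueError(f"malformed term: {text!r}")
    name, body = text[:-1].split("(", 1)
    args, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:     # split only on top-level commas
            args.append(parse_term(body[start:i]))
            start = i + 1
    args.append(parse_term(body[start:]))
    return (name, args)

def parse_trace(text):
    steps = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = STEP_RE.match(line)
        if m is None:
            raise ValueError(f"not a trace step: {line!r}")
        steps.append(Step(*m.groups()[:3], parse_term(m.group(4))))
    return steps

def split_roles(steps, sut="webServer"):
    # Assumption: messages to the system under test are stimuli,
    # messages from it are the responses the test expects to observe.
    return ([s.message for s in steps if s.receiver == sut],
            [s.message for s in steps if s.sender == sut])

def reproduced(expected, observed):
    # True when the expected responses occur, in order, among the observed ones.
    remaining = iter(observed)
    return all(any(o == e for o in remaining) for e in expected)
```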
Transform AAT to WAAL
Configuration Information
How are abstract messages translated into actions?
How is a viewProfileOf message generated in the browser?

Transform AAT to WAAL
How are abstract messages translated into actions?

Transform AAT to WAAL
- Translate WAAL actions to Java source code
- Embed them into a test execution engine skeleton

Execution
- Execute the test case
- Recovery actions might be needed

Example of a Recovery Action

Verdict

Conclusion
- Semi-automatic security testing of web applications
  - Automatic at browser level
  - May request help from a test expert at HTTP level
- Interesting abstract attack traces were generated by injecting relevant source code level faults into the model
  - Relevant fault = known vulnerability that has been exploited to violate any security goal in the secure model
- We were able to reproduce all 4 Abstract Attack Traces coming from 2 RBAC and 2 XSS models

Future Work
- Target different vulnerabilities and security goals
- Address side effects during recovery actions
- Extend the tool when global observation is not possible
- Integration work as part of SPaCiOS EU project *
* Demo on request, or visit:

Model-Based Flaw Injection Library
- Mutation operators represent vulnerabilities at model level
- They combine a security property and a vulnerability

Assumptions and Limitations
- Secure model must exist
  → If not, try to make use of model inference
- Each abstract message must be mappable to WAAL actions
  - That means every abstract message must be expressed in terms of generating and/or verifying actions at browser level
  - That doesn't imply that the action must be performed in the browser → see Recovery Actions
  → If not, WAAL actions can be bypassed and the abstract message is directly mapped to protocol level messages (no guidance by SPaCiTE)
- The model checker used considers the Dolev-Yao model for the intruder behavior
  - Intruder is the network (every component must be wrapped by a proxy to have the global observation property)
- No side effects during recovery actions
- Deterministic system