Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.


Preventing Web Application Injections with Complementary Character Coding
Raymond Mui, Phyllis Frankl
Polytechnic Institute of NYU
Presented at ESORICS 2011
Supported by NSF and CATT; Patent Pending

Web Application Injection Attacks
- Malicious user inputs cause unintended executions of commands
- Caused by improper input sanitization
- SQL injection and cross-site scripting rank among the top application security threats (OWASP Top 10)

Example: Vulnerable PHP program (unsanitized user inputs)

    <?php
    $message = $_POST['message'];
    $username = $_POST['username'];
    // ...
    // welcome the user
    if (isset($username)) {
        echo "Welcome $username ";
    }
    // insert new message: both inputs are spliced into the query unsanitized
    if (isset($message)) {
        $query = "insert into messages values('$username', '$message')";
        mysql_query($query);
    }
    // ...
    // display all messages except the ones from admin
    $query = "select * from messages where not (user = 'admin')";
    $result = mysql_query($query);
    echo ' Your messages: ';
    while ($row = mysql_fetch_assoc($result)) {
        if ($row['user'] == $username)    // the viewer's own message
            echo "you ";
        else
            echo "{$row['user']} ";
        echo "wrote: {$row['message']}";  // stored message echoed back unescaped
    }
    // ...
    ?>

Normal Use
- Alice submits the message "Hello"
- Web server / PHP interpreter sends to the DBMS: insert into messages values('Alice','hello');
- The messages table now holds: user = Alice, message = Hello
- Bonnie loads the page; the server runs select * from messages ... and her browser shows "Alice wrote Hello"

SQL Injection
- Alice submits the message: hello'); drop table messages; --
- The server sends to the DBMS: insert into messages values('Alice','hello'); drop table messages; --');
- The quote in the input closes the string literal, so the DBMS inserts the row and then drops the messages table

Persistent Cross-Site Scripting
- Alice submits a message containing a script (elided on the slide)
- The server sends to the DBMS: insert into messages values('Alice','...'); and the table stores user = Alice, message = ...
- Bonnie loads the page; select * from messages ... returns the stored message and the page contains "Alice wrote ..."
- Bonnie's browser / JavaScript engine executes the script with the privileges of the origin site

Injection Attack Defenses
- Input sanitization: blacklist / whitelist
- In research:
  - Dynamic tainting (introduced in the backup slides at the end)
  - Static analysis
  - Model checking
  - Instruction randomization
  - Machine learning
  - ...

Weaknesses of Current Approaches to Dynamic Tainting
- Overhead
  - Code instrumentation
  - Storage and propagation of taint data
  - Sink checking
- Requires detailed knowledge of context at taint sinks
  - SQL syntax (for the particular SQL dialect)
- Taint propagation cannot cross component boundaries
  - Either the entire database is tainted or it is not
  - Persistent XSS

Our Approach: Complementary Character Coding
- Main idea: turn dynamic tainting into a character coding
  - Free taint storage
  - Free taint propagation through execution
  - Taint propagation across components: between application and database, and between client and server over HTTP
- Complement aware components
  - Safe execution of unsanitized code against injection attacks
  - Backwards compatibility through HTTP content negotiation

Complementary Character Coding
- Two versions of every character: each character gets two code points instead of one
  - Standard characters
  - Complement characters
- Two flavors: complementary ASCII and complementary Unicode

Unicode
- Current version 6.0
- Less than 25% of the code space is used or reserved
- Allows the possibility of having more than two versions of each character (future work)

Complementary ASCII
- Standard characters: values 0–127, same as standard ASCII characters
- Complement characters: values 128–255
- Byte layout: taint bit (the high bit) followed by the seven data bits

Complementary Character Coding: Comparison Functions
- Value comparison: a standard character is equal to its complement; convert to the standard character, and then compare all the bits
- Full comparison: the standard and complement versions of the same character are not equal; compare all the bits

Dynamic Tainting with Complementary Character Coding
- Encode untrusted user inputs with complement characters (explicitly converted by the server on entry)
- Encode trusted developer code with standard characters
- Value comparison during execution
  - Functionality remains the same
  - Automatic taint propagation by execution
  - Taint propagation over database and HTTP
- Each complement aware component has the complete picture of taint status during parsing

Complement Aware Components and Security Policy
- Allowed token set
  - Specified by each component individually for parsing
  - Defines the tokens allowed to contain untrusted characters
- Default policy
  - Allowed token set = {numbers, string literals}
  - Prevents all possible injections; maybe too restrictive for web browsers
- More permissive policies
  - Browsers could allow tainted formatting tags
  - Allowed token set = {numbers, string literals, formatting tags (elided on the slide), etc.}
- Enforcement
  - Match tokens in the allowed token set with value comparison
  - Everything else (forbidden tokens) is matched with full comparison

Example: The same vulnerable PHP program run on complement aware components
- Untrusted inputs ($_POST values) are converted into complement characters by the server
- Value comparison is used by the DBMS and by the PHP interpreter here, so the program's behaviour on normal input is unchanged

    <?php
    // ...
    $message = $_POST['message'];    // arrives as complement characters
    $username = $_POST['username'];  // arrives as complement characters
    // ...
    // welcome the user
    if (isset($username)) {
        echo "Welcome $username ";
    }
    // insert new message: the query text is standard, the spliced-in values are complement
    if (isset($message)) {
        $query = "INSERT INTO messages VALUES('$username', '$message')";
        mysql_query($query);
    }
    // ...
    // display all messages except the ones from admin
    $query = "select * from messages where not (user = 'admin')";
    $result = mysql_query($query);
    echo ' Your messages: ';
    while ($row = mysql_fetch_assoc($result)) {
        if ($row['user'] == $username)    // value comparison: taint bits ignored
            echo "you";
        else
            echo " {$row['user']} ";
        echo " wrote: {$row['message']}";  // complement characters reach the browser
    }
    // ...
    ?>

SQL Injection with Complement Aware DBMS
- Alice submits the message: hello'); drop table messages; --  (converted to complement characters on entry; the slide shows complement characters in red)
- The server sends to the DBMS: insert into messages values('Alice','hello'); drop table messages;--');
- The complement ' does not match the standard ', the complement ; does not match ;, the complement ) does not match ), the complement drop does not match drop, etc.
- So the DBMS stores the literal "hello'); drop table messages; --" rather than dropping the table
- The messages table now holds: user = Alice, message = hello'); drop ...
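The mechanism of the preceding slides worked through in code: complementary ASCII with the taint bit in the high bit, the two comparison functions, and a complement-aware lexer standing in for the DBMS that enforces the default policy (only numbers and string literals may contain complement characters). This is an added example, not the authors' prototype; the function names (encode_untrusted, lex_sql, build_query, rejects), the byte-level encoding details and the SQL subset the lexer accepts are assumptions chosen to match the slides' examples.

```python
"""Complementary ASCII (taint bit in the high bit) and a complement-aware SQL
lexer that enforces the slides' default policy. Added example; the names are
hypothetical and the lexer covers only the SQL that appears on the slides."""
from dataclasses import dataclass

TAINT = 0x80  # set: complement (untrusted) character; clear: standard (trusted)

def encode_trusted(s: str) -> bytes:
    """Developer-written text stays in standard characters (0-127)."""
    return s.encode("ascii")

def encode_untrusted(s: str) -> bytes:
    """User input, converted on entry: every character becomes its complement."""
    return bytes(b | TAINT for b in s.encode("ascii"))  # non-ASCII input raises

def is_complement(b: int) -> bool:
    return b & TAINT != 0

def value(b: int) -> int:
    """Drop the taint bit: a character and its complement share this value."""
    return b & 0x7F

def to_standard(buf: bytes) -> str:
    return bytes(value(b) for b in buf).decode("ascii")

def value_equal(a: bytes, b: bytes) -> bool:
    """Value comparison: standard 'x' equals complement 'x'."""
    return len(a) == len(b) and all(value(x) == value(y) for x, y in zip(a, b))

def full_equal(a: bytes, b: bytes) -> bool:
    """Full comparison: every bit, taint bit included, must match."""
    return a == b

@dataclass
class Token:
    kind: str      # "word", "number", "string" or "punct"
    text: str      # token text with taint bits stripped
    tainted: bool  # some character came from untrusted input

class InjectionError(Exception):
    """A complement character tried to form a token outside the allowed set."""

def lex_sql(query: bytes) -> list:
    """Allowed tokens (numbers, string literals) are matched by value, so they may
    hold complement characters. Everything else is matched in full: only a
    standard quote delimits a literal, and a complement character outside a
    literal or number cannot form a keyword, identifier or punctuation."""
    tokens, i, n = [], 0, len(query)
    while i < n:
        b, ch = query[i], chr(value(query[i]))
        if b == ord("'"):                               # standard quote only
            j = i + 1
            while j < n and query[j] != ord("'"):       # complement quote never matches
                j += 1
            if j >= n:
                raise SyntaxError("unterminated string literal")
            body = query[i + 1:j]
            tokens.append(Token("string", to_standard(body), any(map(is_complement, body))))
            i = j + 1
        elif ch.isdigit():                              # number: value comparison
            j = i
            while j < n and chr(value(query[j])).isdigit():
                j += 1
            tokens.append(Token("number", to_standard(query[i:j]), any(map(is_complement, query[i:j]))))
            i = j
        elif is_complement(b):                          # untrusted data in a forbidden token
            raise InjectionError(f"untrusted {ch!r} at offset {i} cannot form a token")
        elif ch.isspace():
            i += 1
        elif ch == "-" and query[i + 1:i + 2] == b"-":  # standard '--' comment ends the statement
            break
        elif ch.isalpha() or ch == "_":                 # keyword/identifier: standard bytes only
            j = i
            while j < n and not is_complement(query[j]) and (chr(query[j]).isalnum() or query[j] == ord("_")):
                j += 1
            tokens.append(Token("word", query[i:j].decode("ascii").lower(), False))
            i = j
        else:
            tokens.append(Token("punct", ch, False))
            i += 1
    return tokens

def build_query(username: str, message: str) -> bytes:
    """The slide's INSERT built the way the PHP builds it: trusted template,
    untrusted inputs spliced in. Concatenation carries the taint bits along."""
    return (encode_trusted("insert into messages values('") + encode_untrusted(username)
            + encode_trusted("', '") + encode_untrusted(message) + encode_trusted("')"))

def words(tokens: list) -> list:
    """Keywords and identifiers the DBMS would act on."""
    return [t.text for t in tokens if t.kind == "word"]

def rejects(query: bytes) -> bool:
    """True if the complement-aware lexer refuses the query outright."""
    try:
        lex_sql(query)
        return False
    except InjectionError:
        return True
```

Running lex_sql over build_query("Alice", "hello'); drop table messages; --") yields one tainted string token holding the whole message and no "drop" keyword, while the same bytes without taint bits lex into a second statement; an untrusted numeric id is accepted because numbers are in the allowed set, but untrusted text in a numeric context (for instance "1 or 1=1") is rejected as soon as the complement space fails to form a token. Note that the guarantee rests on the server converting every external input on entry and on the DBMS parser applying full comparison to every forbidden token.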

Persistent Cross-Site Scripting with Complement Aware Browser
- Alice submits a message containing a script (elided on the slide); it is stored as complement characters via insert into messages values('Alice','...');
- Bonnie loads the page; select * from messages ... returns the stored message and the page contains "Alice wrote ..."
- The complement tag characters do not match the browser's standard tag tokens, etc., so the browser displays the characters rather than executing the script

More Permissive Browser Security Policy: Allowed Token Set Includes Boldface Tags
- Alice submits "Hello" wrapped in boldface tags (the tags are elided on the slide)
- The server sends to the DBMS: insert into messages values('Alice',' Hello '); the table stores user = Alice, message = Hello (with tags)
- Bonnie loads the page; select * from messages ... returns the message and the page contains "Alice wrote Hello"
- Policy with allowed token set {boldface tags, ...}: the boldface tags are matched with value comparison, so the browser renders Hello in bold

Backwards Compatibility
- Take advantage of the HTTP content negotiation mechanism: web browsers identify themselves through the Accept-Charset header
- Complement aware browser: send output in complementary character coding
- Non-complement aware browser: route output through a filter that acts as a complement aware browser
  - Apply the security policy (e.g. the default policy)
  - Convert the output into the format specified by the Accept-Charset header
  - Extra overhead, which gradually decreases as more people upgrade to complement aware browsers
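The server-side filter for a non-complement-aware browser, as an added example rather than the authors' prototype. It assumes complementary ASCII with the taint bit in the high bit, and it assumes that "applying the security policy" to output bound for a legacy browser means rendering forbidden tainted tokens as inert text (HTML-escaped) and passing allowed ones through, after which the taint bits are stripped so the result is ordinary HTML in the requested charset. The policy sets and the names filter_for_legacy_browser and render_message are hypothetical; the policy matches an entire tag against the allowed set, which also covers the slide's boldface-tag policy.

```python
"""Filter that stands in for a complement-aware browser in front of a
legacy one. Added example; encoding, policy sets and names are assumptions."""
import html

TAINT = 0x80  # high bit: complement (untrusted) character

def is_complement(b: int) -> bool:
    return b & TAINT != 0

def value(b: int) -> int:
    return b & 0x7F

def to_standard(buf: bytes) -> str:
    """Strip taint bits: the charset conversion step for a legacy browser."""
    return bytes(value(b) for b in buf).decode("ascii")

def encode_trusted(s: str) -> bytes:
    return s.encode("ascii")

def encode_untrusted(s: str) -> bytes:
    return bytes(b | TAINT for b in s.encode("ascii"))

DEFAULT_POLICY = frozenset()                            # no tainted tags at all
FORMATTING_POLICY = frozenset({"b", "/b", "i", "/i"})   # the slide's boldface-tag policy

def filter_for_legacy_browser(page: bytes, allowed_tags=DEFAULT_POLICY) -> str:
    """Trusted tags pass (full comparison matches). A tainted tag passes only if
    the whole tag, compared by value, is in the allowed set; any other tainted
    character is emitted as escaped text, so it can no longer act as markup."""
    out, i, n = [], 0, len(page)
    while i < n:
        b = page[i]
        if value(b) == ord("<"):
            j = i + 1
            while j < n and value(page[j]) != ord(">"):
                j += 1
            if j < n:
                span = page[i:j + 1]
                tag = to_standard(span[1:-1]).strip().lower()
                if not any(map(is_complement, span)) or tag in allowed_tags:
                    out.append(to_standard(span))
                    i = j + 1
                    continue
        ch = chr(value(b))
        out.append(html.escape(ch) if is_complement(b) else ch)  # tainted metachars escaped
        i += 1
    return "".join(out)

def render_message(author: str, untrusted_text: str, allowed_tags=DEFAULT_POLICY) -> str:
    """Constructed sample of the server's output for one stored message:
    trusted template around a stored (complement-encoded) user message."""
    page = (encode_trusted(f"<p>{author} wrote: ") + encode_untrusted(untrusted_text)
            + encode_trusted("</p>"))
    return filter_for_legacy_browser(page, allowed_tags)
```

Under the default policy a stored "<script>...</script>" message reaches the legacy browser as escaped text; under FORMATTING_POLICY a tainted "<b>Hello</b>" renders in bold, but a tainted "<b onclick=...>" does not match the allowed tag "b" and is escaped too, which is why the allowed set should name exact tags rather than tag names with arbitrary attributes.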

Prototype Implementation
- Done in complementary ASCII
- LAMP (Linux, Apache, MySQL, PHP)
- Default policy
- Backwards compatible with standard browsers (Firefox)
- Customized security policies through defined allowed token sets
- Enough to run proof-of-concept experiments

Experimental Evaluation
- Evaluation objectives: effectiveness, possible defects, overhead
- Benchmarks
  - SQL Injection Application Testbed (Halfond et al.): ATTACK set and LEGIT set
  - ARDILLA (Kieyzun et al.): test cases generated using an automated technique; SQL injection, reflected XSS, and persistent XSS

Benchmarks (table of benchmark applications and their size; LOC: lines of code; the table itself is not part of the transcript)

Results: Effectiveness
- Ran the ATTACK set from the SQL Injection Application Testbed using a script
- Checked database logs for SQL injection
- Manually executed the ARDILLA test cases
- Found no signs of injections

Results: Possible Defects
- Set up the original and the complement aware web server with identical initial environments
- Ran the LEGIT set from the SQL Injection Application Testbed on both
- Compared the output produced by both versions
- Resulting web pages identical by value comparison

Results: Overhead
- Ran the LEGIT set from the SQL Injection Application Testbed and compared the average over 100 runs
- Worst case overhead less than 2%

Conclusion and Future Work
- Complementary character coding
  - Low overhead character level taint tracking
  - Taint propagation across component boundaries
- Complement aware components
  - Safe execution of unsanitized code against injection attacks
  - Backwards compatibility with current browsers
- Future work
  - Implement complementary Unicode
  - Explore other applications of complementary character coding
  - Web standard

Questions?

Dynamic Tainting Propagation
- Taint source: external data that should be initialized as tainted, e.g. GET, POST, reading from a DB or file, ...
- Propagation: the tainted state of variables propagates via assignment or mathematical operation
- Taint sink: points where sensitive operations are performed, and where the taint status of variables is checked, e.g. SQL query, HTML output, ...

Dynamic Tainting Propagation (cont.)
- Example (code elided on the slide): assume a is tainted
- x is marked as tainted, since x is affected directly by a; namely, a propagates its taint state to x

Dynamic Tainting Analysis Procedure
- Instrumentation: add specific code at source and sink
- Testing
- Reporting: generate a vulnerability report via the log file or the exception thrown during execution

Default Policy
- Allowed token set (string literal, number): untrusted data can be included; use value comparison to match the token
- Forbidden token set (everything else): trusted tokens only; use full comparison to match the token

Default Policy Example
- Allowed token set: string literal, number
- Forbidden token set: <, (, ), ...
- An untrusted < is converted to its complementary form, so under full comparison it no longer matches the forbidden token <