Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Web Applications with Information Flow Tracking

Published byРоберт Ђуричић Modified over 5 years ago

Similar presentations

Presentation on theme: "Securing Web Applications with Information Flow Tracking"— Presentation transcript:

1 Securing Web Applications with Information Flow Tracking
Monica Lam Stanford University with Michael Martin, Benjamin Livshits, John Whaley, Michael Carbin, Dzin Avots, Chris Unkel

2 Web Application Vulnerabilities
50% databases had a security breach [Computer crime & security survey, 2002] 92% Web applications are vulnerable [Application Defense Center, 2004] 48% of all vulnerabilities Q3-Q4, 2004 [Symantec May, 2005]

3 Top Ten Security Flaws in Web Applications [OWASP]
Unvalidated Input Broken Access Control Broken Authentication and Session Management Cross Site Scripting (XSS) Flaws Buffer Overflows Injection Flaws Improper Error Handling Insecure Storage Denial of Service Insecure Configuration Management

4 Confidential information leak
Web Applications Evil Input Confidential information leak Hacker Browser Web App Database

5 Give me Bob’s credit card #
SQL Injection Errors Hacker Browser Web App Database Give me Bob’s credit card # Delete all records

6 Happy-go-lucky SQL Query
User supplies: name, password Java program: String query = “SELECT UserID, Creditcard FROM CCRec WHERE Name = ” + name + “ AND PW = ” + password

7 Fun with SQL “ — ”: “the rest are comments” in Oracle SQL
SELECT UserID, CreditCard FROM CCRec WHERE: Name = bob AND PW = foo Name = bob— AND PW = x Name = bob or 1=1— AND PW = x Name = bob; DROP CCRec— AND PW = x

8 Vulnerabilities in Web Applications
Inject Parameters Hidden fields Headers Cookie poisoning Exploit SQL injection Cross-site scripting HTTP splitting Path traversal X Cross-site scripting is an attack on applications that fail to fil- ter or quote HTML metacharacters in user input used in dynami- cally generated Web pages. HTTP response splitting is an attack on applications that fail to filter or quote newlines in header information. It enables vari- ous other attacks such as Web cache poisoning, cross user deface- ment, hijacking pages with sensitive user information, and cross- site scripting [21]. The crux of the HTTP response splitting technique is that the attacker may cause two HTTP responses to be generated in response to one maliciously constructed request. For HTTP splitting to be possible, the vulnerable application must include unchecked input as part of a response header sent back to the client. Path traversal vulnerabilities allow a hacker to access or con- trol files outside of the intended path [31, 40]. They occur when applications use unchecked user input in a path or file name; in- put normally arrives via URL input parameters, cookies, or HTTP request headers.

9 Key: Information Flow

10 A Simple SQL Injection Pattern
o = req.getParameter ( ); stmt.executeQuery ( o );

11 In Practice ParameterParser.java:586
String session.ParameterParser.getRawParameter(String name) public String getRawParameter(String name) throws ParameterNotFoundException { String[] values = request.getParameterValues(name); if (values == null) { throw new ParameterNotFoundException(name + " not found"); } else if (values[0].length() == 0) { throw new ParameterNotFoundException(name + " was empty"); } return (values[0]); ParameterParser.java:570 String session.ParameterParser.getRawParameter(String name, String def) public String getRawParameter(String name, String def) { try { return getRawParameter(name); } catch (Exception e) { return def; }

12 In Practice (II) ChallengeScreen.java:194
Element lessons.ChallengeScreen.doStage2(WebSession s) String user = s.getParser().getRawParameter( USER, "" ); StringBuffer tmp = new StringBuffer(); tmp.append("SELECT cc_type, cc_number from user_data WHERE userid = '“); tmp.append(user); tmp.append("'“); query = tmp.toString(); Vector v = new Vector(); try { ResultSet results = statement3.executeQuery( query ); ...

13 PQL: Program Query Language
o = req.getParameter ( ); stmt.executeQuery ( o ); Query on the dynamic behavior based on object entities Abstracting away information flow

14 Dynamic vs. Static Pattern
o = req.getParameter ( ); stmt.executeQuery (o); Dynamically: p1 = req.getParameter ( ); stmt.executeQuery (p2); Statically: p1 and p2 point to same object? Pointer alias analysis

15 Flow-Insensitive Pointer Analysis
Objects allocated by same line of code are given the same name. Datalog pts(p,o1) pts(q,o2) hpts(o1,f,o2) pts(r,o2) o1: p = new Object(); o2: q = new Object(); p.f = q; r = p.f; p o1 f q o2 r

16 Inference Rule in Datalog
Assignments: pts (v1, h1) :- “v1 = v2 ” & pts (v2, h1). v1 = v2; v2 h1 Now let me show you how we actually specify the algorithm. Here is the Datalog rule to handle assignment instructions. Datalog looks like Prolog, but operates on a relation at a time. What it says is if everything on the right hand side is true, then the left hand side is also true. What this rule says is this: (Read slowly:) © v1 points to h1 if there is an assignment instruction v1 = v2, and v2 points to h1. That’s it. So this is just transitive closure. Let’s take a look at another rule. v1

17 Inference Rule in Datalog
Stores: hpts(h1, f, h2) :- “v1.f = v2” & pts(v1, h1) & pts(v2, h2). v1.f = v2; v1 h1 Here is the Datalog rule to handle store instructions. What this rule says is: (Read slowly:) © H1.f points to h2 if there is a store instruction v1.f = v2, and v1 points to h1 and v2 points to h2. With me so far? OK f v2 h2

18 Inference Rule in Datalog
Loads: pts(v2, h2) :- “v2 = v1.f ” & pts(v1, h1) & hpts(h1, f, h2). v2 = v1.f; v1 h1 Here is the Datalog rule to handle load instructions. Very similar to the rule for store instructions. What this rule says is this: (Read slowly:) © v2 points to h2 if there is a load instruction v2 = v1.f, and v1 points to h1 and h1.f points to h2. f v2 h2

19 Pointer Analysis Rules
pts(v, h) :- “h: T v = new T()”; pts(v1, h1) :- “v1 = v2” & pts(v2, h1). hpts(h1, f, h2) :- “v1.f = v2” & pts(v1, h1) & pts(v2, h2). pts(v2, h2) :- “v2 = v1.f” & pts(v1, h1) & hpts(h1, f, h2).

20 Pointer Alias Analysis
Specified by a few Datalog rules Creation sites Assignments Stores Loads Apply rules until they converge

21 Context-Sensitive Pointer Analysis
L1: a=malloc(); a=id(a); id(x) id(x) {return x;} L2: b=malloc( ); b=id(b); context-sensitive a L1 x context-insensitive b L2 x

22 Even without recursion, # of Contexts is exponential!

23 Top 20 Sourceforge Java Apps
1016 1012 108 104 100

24 Costs of Context Sensitivity
Typical large program has ~1014 paths If you need 1 byte to represent a context: 100 terabytes of storage > 12 times size of Library of Congress Memory: $1.2 million Hard drive: $47,500 Time to read sequentially: 20 days

25 Cloning-Based Algorithm
Whaley&Lam, PLDI 2004 (best paper award) Create a “clone” for every context Apply context-insensitive algorithm to cloned call graph Lots of redundancy in result Exploit redundancy by clever use of BDDs (binary decision diagrams)

26 Automatic Analysis Generation
PQL Ptr analysis in 10 lines Datalog bddbddb (BDD-based deductive database) with Active Machine Learning 1000s of lines 1 year tuning BDD operations BDD: 10,000s-lines library

27 Benchmarks 9 large, widely used applications
Blogging/bulletin board applications Used at a variety of sites Open-source Java J2EE apps Available from SourceForge.net

28 Vulnerabilities Found
SQL injection HTTP splitting Cross-site scripting Path traversal Total Header 6 5 11 Parameter 2 13 Cookie 1 Non-Web 3 9 30

Download ppt "Securing Web Applications with Information Flow Tracking"

Similar presentations

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.

Runtime Prevention & Recovery Protect existing applications Advantages: Prevents vulnerabilities from doing harm Safe mode for Web application execution.
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Webgoat.

Webgoat.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.

Finding Application Errors and Security Flaws Using PQL: a Program Query Language MICHAEL MARTIN, BENJAMIN LIVSHITS, MONICA S. LAM PRESENTED BY SATHISHKUMAR.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
OWASP WEBGOAT Alaa Darabseh Department of Computer Science

OWASP WEBGOAT Alaa Darabseh Department of Computer Science
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
1 Static Analysis for Bug Finding Benjamin Livshits.

1 Static Analysis for Bug Finding Benjamin Livshits.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Context-Sensitive Program Analysis as Database Queries Team: John Whaley, Ben Livshits, Michael Martin, Dzintars Avots, Michael Carbin, Chris Unkel.

Context-Sensitive Program Analysis as Database Queries Team: John Whaley, Ben Livshits, Michael Martin, Dzintars Avots, Michael Carbin, Chris Unkel.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Web Application Security

Web Application Security

Similar presentations

Ads by Google