Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su."— Presentation transcript:

1 Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su

2 What is SQL injection attack ? An attacker exploits faulty application code to execute maliciously crafted database queries. In 2006, 14% of the reported vulnerabitilities were SQLCIVs, making SQL injection the second most frequently reported security threat.

3 An example $userid= “ 1';DROP TABLE unp_user; -- ” Executed query : SELECT * FROM `unp_user` WHERE userid='1'; DROP TABLE unp_user; --'

4 Existing Approaches Tainted information flow tracking  do not model the precise semantics of input sanitization routines  require manually written specifications  not fully automated and may require user intervention (e.g dynamic include in PHP) String analysis- based techniques  do not track the source of string values and therefore require specifications

5 Context Free Grammar (CFG) denotes “ derives in one step ” for example : if denotes “ drives in finite number of steps ”

6 Definition of web application

7 Definition of syntactic confinement

8 Definition of SQLCIV

9 The article ’ s approach 1)Model string values as CFG 2)Label nonterminals as “ direct ” or “ indirect ” if needed 3)Checks if all string in the language of the CFG are not SQLCIV according to definition

10 General scheme of implementation

11 Illustration of the algorithm For all sentential forms derivable from query GETuid is between quotes in a syntactic position of a string literal

12 Building the CFG (1)

13 Building the CFG (2) Not all string operations are concatenation and assignments what about x=escape_quotes(x) ? We need to model x escape_quotes(y) In order to model those cases we use Finite State Transducers (FST)

14 FST Finite-state machine whose output values are determined both by its current state and by the values of its inputs Has one or more final states May be non-deterministic

15 Example :modeling str_repalce with FST str_replace( “ ‘ ‘ “, “ ‘ “, $B)

16 The Problem with FST Cannot model all string functions in PHP –Preg_replace(pattern, replacement, subject ) Mohri and Sproat describe how approximate those functions using two FST

17 Intersection between FST and CFG

18 General scheme of implementation

19 Policy Conformance Analysis (1) If an untrusted substring has and odd number of quotes it cannot be syntactically confined. For each labeld X if Then X is not safe

20 Policy Conformance Analysis (2) If labeld X only occur in the syntactic position of string literals : –If any form that derives from X has unescaped quotes in it then X derives unconfined strings and X is not safe –Else X is safe

21 Policy Conformance Analysis (3) If X only derives numeric literals Then X is safe

22 Policy Conformance Analysis (4) If X can produce a non numeric string outside of quotes it likely represents an SQLCIV. To confirm this we check whether X derive any string that cannot be confined (e.g. “ drop where, ” “ -- “ ). If it can then X is unsafe

23 Policy Conformance Analysis (5) If each string, derives from the remaining labeld nonterminals, is derivable from some nonterminal in the SQL grammar then the remaining labeld nonterminals are safe.

24 Implementation Using modified Minamide ’ s String analyzer –Specifications for 243 PHP functions were added –Improvement in PHP dynamic includes support Check derivability using an extension of Earley ’ s parsing algorithm

25 Results False positive rate = 20.8% False negative rate = 0%

26 explanations for false positive rate Insufficient precision through type conversions ASCII functions

27 Future improvements Improve analyzing of helper functions in other files Analyzing only strings which affect the data base

28 Conclusions 1.Catch all SQLCIV 2.Could be very slow (but future improvements will make it faster ) 3.False positive rate a bit high but will be improved in next version

Download ppt "Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su."

Similar presentations

C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.

C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.
Translator Architecture Code Generator ParserTokenizer string of characters (source code) string of tokens abstract program string of integers (object.

Translator Architecture Code Generator ParserTokenizer string of characters (source code) string of tokens abstract program string of integers (object.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection Yuji Kosuga, Kenji Kono, Miyuki Hanaoka Keio University Miho Hishiyama,

Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection Yuji Kosuga, Kenji Kono, Miyuki Hanaoka Keio University Miho Hishiyama,
The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.

The Essence of Command Injection Attacks in Web Applications Zhendong Su and Gary Wassermann Present by Alon Kremer April 2011.
CS 330 Programming Languages 09 / 13 / 2007 Instructor: Michael Eckmann.

CS 330 Programming Languages 09 / 13 / 2007 Instructor: Michael Eckmann.
Decidable and undecidable problems deciding regular languages and CFL’s Undecidable problems.

Decidable and undecidable problems deciding regular languages and CFL’s Undecidable problems.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from
BİL744 Derleyici Gerçekleştirimi (Compiler Design)1.

BİL744 Derleyici Gerçekleştirimi (Compiler Design)1.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Lee CSCE 314 TAMU 1 CSCE 314 Programming Languages Syntactic Analysis Dr. Hyunyoung Lee.

Lee CSCE 314 TAMU 1 CSCE 314 Programming Languages Syntactic Analysis Dr. Hyunyoung Lee.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.

Automatically Hardening Web Applications Using Precise Tainting Anh Nguyen-Tuong Salvatore Guarnieri Doug Greene Jeff Shirley David Evans University of.
AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.

AMNESIA: Analysis and Monitoring for NEutralizing SQL- Injection Attacks Published by Wiliam Halfond and Alessandro Orso Presented by El Shibani Omar CS691.
Exploitation: Buffer Overflow, SQL injection, Adobe files Source:

Exploitation: Buffer Overflow, SQL injection, Adobe files Source:
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

Similar presentations

Ads by Google