Example: Vulnerable PHP program Unsanitized user inputs"> Example: Vulnerable PHP program Unsanitized user inputs">

Presentation is loading. Please wait.

Presentation is loading. Please wait.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

Published byMalcolm Henry Modified over 8 years ago

Similar presentations

Presentation on theme: "Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS."— Presentation transcript:

1 Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS 2011 Supported by NSF and CATT; Patent Pending

2 Web Application Injection Attacks Malicious user inputs cause unintended executions of commands Caused by improper input sanitization SQL injection and cross-site scripting rank among top application security threats (OWASP Top 10)OWASP Top 10

3 <?PHP $message = $_POST[’message’]; $username = $_POST[’username’]; … //welcome the user if(isset($username)) { echo "Welcome $username "; } // insert new message if(isset($message)) { $query = “insert into messages values(’$username’, ’$message’)"; mysql_query($query); } … // display all messages except the ones from admin $query = "select * from messages where not (user = ‘admin’)"; $result = mysql_query($query); echo ’ Your messages: ’; while($row=mysql_fetch_assoc($result)){ if($row[’username’] != $username) echo "you "; else echo " { $row[’username’] } "; echo "wrote: { $row[’message’] }"; } … ?> Example: Vulnerable PHP program Unsanitized user inputs

4 Web Server/ PHP Interpreter DBMS Alice Hello insert into messages values(‘Alice’,’hello’); usermessage AliceHello select * from messages … … Alice wrote Hello … Bonnie Normal Use

5 Web Server/ PHP Interpreter DBMS Alice hello’); drop table messages; -- insert into messages values(‘Alice’,’hello’); drop table messages; --’); usermessage AliceHello SQL Injection

6 Web Server/ PHP Interpreter DBMS Alice … insert into messages values(‘Alice’,’ …’); usermessage Alice … select * from messages … … Alice wrote … … Bonnie Persistent Cross-Site Scripting Browser/Javascript Execute script with privileges Of the origin site

7 Injection Attack Defenses Input sanitization Blacklist / whitelist In research –Dynamic tainting –Static analysis –Model checking –Instruction randomization –Machine learning –… [DT intro.]intro.

8 Weaknesses of Current Approaches to Dynamic Tainting Overhead –Code instrumentation –Storage and propagation of taint data –Sink checking Requires detailed knowledge of context at taint sinks: –SQL syntax (for particular SQL dialect) Taint propagation cannot cross component boundaries –Either the entire database is tainted or it is not –Persistent XSS

9 Our Approach: Complementary Character Coding Main idea –Turn dynamic tainting into a character coding Free taint storage Free taint propagation through execution Taint propagation across components –Between application and database –Between client and server over HTTP Complement Aware Components –Safe execution of unsanitized code against injection attacks –Backwards compatibility through HTTP content negotiation

10 Complementary Character Coding Two versions of every character Each character gets two code points instead of one Standard characters Complement characters Two flavors Complementary ASCII Complementary Unicode

11 Unicode Current version 6.0 Less than 25% code space used or reserved Allows possibility of having more than two versions of each character Future work

12 Complementary ASCII Standard characters Values 0 – 127 Same as standard ASCII characters Complement characters Values 128 – 255 Taint bit --------------------------------------Data bits---------------------------- 0 1000011

13 Complementary Character Coding: Comparison Functions Value Comparison A standard character is equal to its complement Convert to standard character, and then compare all the bits Full Comparison Standard and complement versions of same character are not equal Compare all the bits

14 Dynamic Tainting with Complementary Character Coding Encode untrusted user inputs with complement characters –Explicitly converted by the server on entry Encode trusted developer code with standard characters Value comparison during execution –Functionality remains the same –Automatic taint propagation by execution –Taint propagation over database and HTTP Each complement aware component has complete picture of taint status during parsing

15 Complement Aware Components and Security Policy Allowed token set –Specified by each component individually for parsing –Defines tokens allowed to contain untrusted characters Default policy –Allowed token set = {numbers, string literals} –Prevents all possible injections Maybe too restrictive for web browsers More permissive policies –Browsers could allow tainted formatting tags –Allowed token set = {numbers, string literals,,, etc.} Enforcement –Match tokens in allowed token set with value comparison –Everything else (forbidden tokens) are matched with full comparison ( chart )

16 <?PHP … $message = $_POST[’message’]; $username = $_POST[’username’]; … //welcome the user if(isset($username)) { echo "Welcome $username "; } // insert new message if(isset($message)) { $query = “INSERT INTO messages VALUES(’$username’, ’$message’)"; MySQL_query($query); } … // display all messages except the ones from admin $query = "select * from messages where not (user = ‘admin’)”; $result = MySQL_query($query); echo ’ Your messages: ’; while($row=MySQL_fetch_assoc($result)){ if($row[’username’] != $username) echo "you"; else echo " {$row[’username’]} " ; echo " wrote: {$row[’message’]}"; } … ?> Example: Vulnerable PHP program Value comparison Used by DBMS And PHP interpreter here Untrusted inputs converted Into complement characters by server

17 Web Server/ PHP Interpreter DBMS Alice hello’); drop table messages; -- … insert into messages values(‘Alice’,’hello’); drop table messages;--’); usermessage Alicehello’); drop … SQL Injection with Complement Aware DBMS ‘ does not match ‘ ; does not match ; ) does not match ) drop does not match drop, etc. So DBMS stores literal rather than dropping table. Red denotes complement characters

18 Web Server/ PHP Interpreter DBMS Alice … insert into messages values(‘Alice’,’ …’); usermessage Alice … select * from messages … … Alice wrote … … Bonnie Persistent Cross-site scripting attack does not match, etc., so browser displays the characters rather than executing the script.

19 Web Server/ PHP Interpreter DBMS Browser, Javascript, … Alice Hello insert into messages values(‘Alice’,’ Hello ’); usermessage Alice Hello select * from messages … … Alice wrote Hello … Bonnie More permissive browser security policy: Allowed token set includes boldface tags Policy with allowed token set: {,, …} Boldface tags matched with value comparison, so browser renders Hello in bold.

20 Backwards Compatibility Take advantage of HTTP content negotiation mechanism Web browsers identify themselves through Accept- Charset header Complement aware browser –Send output in complementary character coding Non-complement aware browser –Route output through a filter that acts as a complement aware browser Apply security policy (e.g. default policy) Convert output into format specified by Accept-Charset header Extra overhead Gradually decrease as more people upgrade to complement aware browser

21

22 Prototype Implementation Done in complementary ASCII LAMP (Linux Apache MySQL PHP) Default policy Backwards compatible with standard browsers Firefox Customized security policies through defined allowed token sets Enough to run proof-of-concept experiments

23 Experimental Evaluation Evaluation objectives Effectiveness Possible Defects Overhead Benchmarks SQL Injection Application Testbed (Halfond et al)  ATTACK set  LEGIT set ARDILLA (Kieyzun et al)  Generated using automated technique  SQL injection, reflected XSS, and persistent XSS

24 Benchmarks LOC : Line Of Code

25 Results: Effectiveness Ran ATTACK set from SQL Injection Application Testbed using a script Checked database logs for SQL injection Manually executed ARDILLA test cases Found no signs of injections

26 Results: Possible Defects Set up original and complement aware web server with identical initial environments Ran LEGIT set from SQL Injection Application Testbed on both Compared output produced by both versions Resulting web pages identical by value comparison

27 Ran LEGIT set in SQL Injection Application Testbed and compared average over 100 runs Worse case overhead less than 2%

28 Conclusion and Future Work Complementary character coding Low overhead character level taint tracking Taint propagation across component boundaries Complement aware components Safe execution of unsanitized code against injection attacks Backwards compatibility with current browsers Future Work Implement complementary Unicode Explore other applications of complementary character coding Web standard

29 Questions?

30 Dynamic Tainting Propagation Taint Source External data that should be initialized as tainted e.g : GET, POST, Reading from DB or file… Propagation The tainted state of variables propagates via assignment or mathematical operation Taint Sink Points where sensitive operations are performed, and the taint status of variables is checked here. eg: SQL query, html output…

31 Dynamic Tainting Propagation ( cont. ) Example (ref)ref Assume a is tainted x is marked as tainted, since x is affected directly by a Namely, a propagate its taint state to x

32 Dynamic Tainting Analysis Procedure Add specific code at source and sink Instrumentation Testing Reporting Generate a vulnerability report via the log file or exception thrown during execution

33 Default Policy Untrusted data can be included. Use value comparison to match token String literal, number Forbidden tokens Trusted token only Use full comparison to match token Allowed token set Forbidden token set

34 Default Policy Example 1011 1100 String literal number < (00111100) Allowed token set Forbidden token set < 0011 1100 Convert to complementary form

Download ppt "Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS."

Similar presentations

Chapter 6 Server-side Programming: Java Servlets

Chapter 6 Server-side Programming: Java Servlets
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
PHP I.

PHP I.
Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann Zhendong Su.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
PHP Security.

PHP Security.
INFM 603: Information Technology and Organizational Context Jimmy Lin The iSchool University of Maryland Thursday, October 18, 2012 Session 7: PHP.

INFM 603: Information Technology and Organizational Context Jimmy Lin The iSchool University of Maryland Thursday, October 18, 2012 Session 7: PHP.
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.

CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.

Similar presentations

Ads by Google