A String Constraint Solver for Detecting Web Application Vulnerability
Xiang Fu, Hofstra University
Chung-Chih Li, Illinois State University
07/03/2010 SEKES 2010 1
Outline
- Motivation
- General Context: Static Analysis + String Constraint Solving
- Constraint Solving Technique
- Regular Replacement
- Application & Experimental Data
- Conclusion
Vulnerable Web Applications
Web applications: successful for a decade! Public accessibility brings vulnerability.
"Today over 70% of attacks against a company's website or web application come at the 'Application Layer', not the network or system layer."
- Gartner Group
SQL Injection Trick
Example: uname given as "admin'--", pwd given as "abc".
The query is built by string concatenation from the two text fields tUname.txt and tPwd.txt:

    string sState = "SELECT uname, pwd FROM users \n"
                  + "WHERE uname = '" + tUname.txt + "' AND pwd ='" + tPwd.txt + "'";

Resulting statement:

    SELECT uname, pwd FROM users WHERE uname = 'admin'--' AND pwd='abc'

The "--" comments out the rest of the statement: log-in without a password!
Challenges
User Input Validation - the Cure?
Programmers are human beings!
    String massage(String strInput) {
        // Escape each SINGLE QUOTE by doubling it
        String sOut = strInput.Replace("'", "''");
        // Limit string size: chop off everything after the 16th char
        sOut = sOut.Substring(0, 16);
        return sOut;
    }

Input validation is not easy. The function does two things: it generates the escaping character for SINGLE QUOTE, and it limits the string size by chopping off after the 16th char.
Can you find an attack against massage?
The Cracking Process
Trace massage (Replace("'", "''") followed by Substring(0, 16)) on an input of 15 digits followed by a single quote:

    input:            123456789012345'
    after Replace:    123456789012345''   (17 chars)
    after Substring:  123456789012345'    (cut to 16 chars: the escaped pair is split, one quote survives)
SQL Statement Constructed

    SELECT uname,pwd FROM users WHERE uname='123456789012345'' AND pwd=' OR uname<>''

The '' after the 15 digits is treated as one single (escaped) quote, so the uname literal runs on until the quote that was meant to open pwd.
Condition 1: uname='123456789012345'' AND pwd='
Condition 2: uname<>''
Condition 1 OR Condition 2 is a tautology!
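The escape-then-truncate defect in massage, and the ordering that avoids it, as an added example in Python (not the slides' own code). massage_fixed, has_dangling_quote and the 16-char limit as a parameter are my additions; the check flags a sanitized value whose quotes are not all paired, which is exactly the state the slide's trace ends in.

```python
def massage_original(s: str, limit: int = 16) -> str:
    """The slide's sanitizer: escape single quotes, THEN truncate (defective order)."""
    return s.replace("'", "''")[:limit]


def massage_fixed(s: str, limit: int = 16) -> str:
    """Truncate FIRST, then escape: truncation can no longer split an escaped pair.
    (Assumed fix; the slides do not prescribe one.)"""
    return s[:limit].replace("'", "''")


def has_dangling_quote(escaped: str) -> bool:
    """True if the escaped literal contains an odd-length run of single quotes.
    Such a run leaves one quote unpaired, which closes the SQL string literal
    early and lets the remaining text become SQL syntax."""
    run = 0
    for ch in escaped + " ":          # trailing sentinel flushes the last run
        if ch == "'":
            run += 1
        else:
            if run % 2 == 1:
                return True
            run = 0
    return False


def build_query(uname: str, pwd: str) -> str:
    """Query construction by concatenation, as on the slide."""
    return ("SELECT uname, pwd FROM users WHERE uname='" + uname
            + "' AND pwd='" + pwd + "'")


def check_input(s: str, massage=massage_original):
    """Run a sanitizer and report whether its output still has an unpaired quote."""
    out = massage(s)
    return out, has_dangling_quote(out)


if __name__ == "__main__":
    # Constructed sample: 15 digits followed by one quote (the slide's input)
    sample = "123456789012345'"
    print(check_input(sample, massage_original))   # ("123456789012345'", True)
    print(check_input(sample, massage_fixed))      # ("123456789012345''", False)
    print(build_query(massage_original(sample), "abc"))
```

Reordering only removes this particular interaction; passing the values as bound parameters instead of concatenating them into the statement avoids the whole class of problem.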
Lessons Learned
- Bugs: delicate SQL injection vulnerabilities.
- Need tools for inspecting security holes smartly and automatically.
General Approach (COMPSAC'07)
Symbolic Execution + String Solver
[Architecture diagram. Components: Bytecode Instrumentor, Symbolic Execution Engine, String Solver, Test Case Generator, Attack Pattern Library. Flow: bytecode -> (Bytecode Instrumentor) -> instrumented bytecode -> (Symbolic Execution Engine) -> string constraint, e.g. x + "zbc" = y? -> (String Solver) -> solution x = .., y = .. -> (Test Case Generator).]
SUSHI Constraint Solver
[Diagram: trade-off between application and expressiveness. General string constraints: undecidable! Chosen point: Simple Linear String Equation, of the form String Expression = RegExp.]
Simple Linear String Equation (SISE):
- Variables occur only on the LHS.
- Supports all frequently used string operations: substring, indexing, replacement, concatenation.
Example (Password Bypass)
[Equation diagram. LHS: the query fragments and the variable x joined by + (concatenation), with massage applied to x, i.e. replacement and substring. RHS: the regular expression of the attack pattern.]
Solution Algorithm
(1) Break into atomic steps
(2) Represent each step as a Finite State Transducer
(3) Symbolic image computation
(4) Chain results => solution pool
(5) Solution pool => concrete solution
Special Challenge (NFM'10)
Regular replacement has many semantics: greedy, reluctant, declarative, ...
A special algorithm is needed for precise modeling.
Finite State Transducer
- Accepts a regular relation.
- Operations: union, concatenation, composition; intersection, complement.
- Used for modeling rewriting rules [Kaplan94, Karttunen96].
04/13/2010 NFM 2010 17
[Figure: transducer A with states 1, 2, 3, 4 and labelled transitions ε:1, a:2, b:3; the pair (ab, 123) ∈ L(A).]
Modeling replacement with markers:
Step 1: Begin marker
Step 2: Nondeterministic end marker
Step 3: Pairing markers
Step 4: Checking match
Step 5: Check longest
Step 6: Replacement

Example: search pattern a+, replacement x.
One input word: aabab
One output word: xbxb
Intermediate marked words, as they appear on the slide (# = begin marker, $ = end marker):
    #a#ab#ab
    #a#a$b#ab#a$#a$b#a$b
    #a$#a$b#a$b
    #a#a$b#a$b
    #aa$b#a$b
    #a#ab#a$b
    #aaba$b
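The "many semantics" point and the marker steps above, as an added example (Python, not the SUSHI implementation): the begin/end markers are modelled implicitly by the indices i and j, step 4 is a full-match test, and step 5 keeps either the longest or the shortest candidate. The "longest" policy coincides with greedy for a+ but differs from a backtracking engine's leftmost-first choice on alternations, which the second constructed input shows; the helper names are my own.

```python
import re


def _matches(pattern: str, segment: str) -> bool:
    """Step 4: does the text between a begin marker and a candidate end marker
    match the search pattern?"""
    return re.fullmatch(pattern, segment) is not None


def replace_with_semantics(word: str, pattern: str, repl: str,
                           semantics: str = "longest") -> str:
    """Leftmost matching at each begin marker i; among candidate end markers j
    keep the longest (declarative/greedy for a+) or the shortest (reluctant)
    segment that matches (step 5), then substitute (step 6)."""
    out, i, n = [], 0, len(word)
    while i < n:
        if semantics == "longest":
            ends = range(n, i, -1)          # try the farthest end marker first
        elif semantics == "shortest":
            ends = range(i + 1, n + 1)      # try the nearest end marker first
        else:
            raise ValueError(semantics)
        end = next((j for j in ends if _matches(pattern, word[i:j])), None)
        if end is None:                     # no match starts here: copy input
            out.append(word[i])
            i += 1
        else:
            out.append(repl)
            i = end
    return "".join(out)


def show_semantics(word: str, pattern: str, repl: str) -> dict:
    """Compare the two marker policies with Python's backtracking re engine
    (pattern + "?" turns a simple quantified pattern into its reluctant form)."""
    return {
        "longest": replace_with_semantics(word, pattern, repl, "longest"),
        "shortest": replace_with_semantics(word, pattern, repl, "shortest"),
        "re_greedy": re.sub(pattern, repl, word),
        "re_reluctant": re.sub(pattern + "?", repl, word),
    }


if __name__ == "__main__":
    print(show_semantics("aabab", "a+", "x"))      # slide example
    # Constructed input: on an alternation the longest policy and re disagree
    print(replace_with_semantics("ab", "a|ab", "x"), re.sub("a|ab", "x", "ab"))
```

A solver that models the sanitizer's Replace call with the wrong policy computes the wrong image of the input set, which is why the slides insist on precise modeling.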
Modeling Greedy Semantics (NFM'2010)
Dealing with the Unicode alphabet:
- Explicit representation of transitions does not work! A compact representation is needed.
- Symbolic transition sets, with special algorithms for FST composition etc.
[Table: symbolic transition types I, II, III, and the pairs handled in composition: (I,I), (II,I), (III,II).]
Efficiency of Solver
Login servlet: 1.4 seconds on a 2 GHz PC.
Benchmark equations.
More Applications: XSS Attack
Vulnerability originally reported in SecTrack #1022748 (Adobe Flex SDK 3.3). SUSHI found a much shorter attack signature.
Equation Size: 56574 Seconds
Related Work
- Forward string analysis: Christensen & Møller [SAS'03]; Wasserman & Su [PLDI'07, ICSE'08]; Bjørner & Tillmann [TACAS'09]
- Backward string analysis: Kiezun & Ganesh [ISSTA'09]; Yu & Bultan [SPIN'08, ASE'09]; Fu [COMPSAC'07, TAVWEB'08]
- Natural language processing: Kaplan and Kay [CL'1994]
Our Contribution:
- Precise modeling of various regular substitution semantics
- Precise security analysis
- ?? Compare with bit-blasting ??
Conclusion
- FST-based string constraint solving applied to security analysis
- SQL injection, XSS attack, more ...
- More expressive extension of SISE
Questions?