craxweb: automatic exploit generation for web applications

Lehrstuhl für Informatik 4

1/161/2012 <Title> <Name LastName> Seminar in Computer Science

Kip IrvineCRAXweb: Automatic Web Application Testing and Attack Generation1

Shih-Kun Huang ,Han-Lin Lu, Wai-Meng Leong ,Huan LiuNational Chiao Tung University

Presented byAung Thu Rha Hein

5536871

1 “CRAXWweb:Automatic Web Application Testing and Attack Generation”, Software Security and Reliability (SERE), June 2013 IEEE 7th International Conference.

Outline

1. Introduction2. Background

-What is an exploit?-Dynamic Analysis-Semantic Execution

2. CRAXWeb: Automatic Web Application Testing and Attack Generation4. Conclusions5. References

● Software bugs are common● Especially in web applications● Some bugs are more harmful● It is difficult to detect manually● Static analysis gives developer confusion and false

positives● Manual testing is not effective

Introduction

Motivation

●Challenge●How to find exploits, shellcode in the program

●Source code analysis alone is not enough

●Finding exploitable paths among program execution paths

Introduction

Problem Statements

● To generate exploits for web-applications

Introduction

Research Objectives

●Exploits techniques vary upon OS architectures●Type of Exploits

● Stack Overflow Exploit● Heap Corruption Exploit● Format String Attack

●Attack Methodologies● Remote Exploit● Local Exploit● Two Stage Exploit

●Tools for writing Exploits: LibExploit, Metasploit, CANVAS

Background: Exploits

What is an exploit?

Stack Overflow Exploit Example

#include <string.h>void foo (char *bar){ char c[12]; strcpy(c, bar);}int main (int argc, char **argv){ foo(argv[1]); }

Stack Overflow Exploit Example

Background: Dynamic analysis

Introduction

●Monitor code as it executes●Usefulness of Dynamic analysis

● Precision of information● Dependence on program inputs

●Four common dynamic analysis techniques:● Dynamic taint analysis● Forward symbolic execution● Frequency Spectrum Analysis ● Coverage Concept Analysis ...

Dynamic Taint Analysis

●To exploit program execution, ● use values from a trusted source● attackers overwrite, tainted these values

● Taint Analysis Process1. mark input data from untrusted sources tainted2. monitor program execution to track how they

propagated3. check when tainted data is used in dangerous ways

Dynamic Taint Analysis

Attack detected using TaintCheck

Background:Dynamic analysis

Symbolic Execution

●Key idea: generalize testing by using unknown●symbolic variables in evaluation

● int f(1, 2)= int f(α1 , α2)

●Allows unknown symbolic variables in evaluation● y = α; assert(f(y) == 2*y-1);

●If execution path depends on unknown, conceptuallyfork symbolic executor● int f(int x) {if(x > 0) then return 2*x - 1; else return 10;}

Symbolic Execution Example

Symbolic Execution: Purpose

●E.g. Particular program points reachable?●E.g. Is array access a[i] out of bounds?●E.g. Generate concrete inputs that execute same paths

● With constraints solvers● E.g. Z3, Yices, STP

Symbolic Execution Limitations

●Scalability Issue when execution paths are large●Source code, or equivalent is required●Limitations in solving constraints

● cannot handle non-linear and very complex constraints

Research Paper

CRAXweb: Automatic Web Application Testing and Attack Generation

Research Paper

●Implement AEG for large-scaled web applications●Focus on XSS and SQLi attacks●Based on Symbolic Socket or symbolic execution ●Single path concolic mode is used to reduce path- explosion●Selective Symbolic Execution(S2E)

● Provide the ability to execute a specific part of program

●Simple Theorem Prover(STP) as a constraint solver●Acunetix as web crawler

Overview of CRAXweb

Research Paper

●Generate test cases and exploits

Exploit Generation: Constraint Solving

Research Paper

Exploit Generation:Constraint Solving

x- exploitf(x)- expected attack script

Research Paper

● To reduce overhead caused by symbolic execution● Explore one path at a time

Single Path Concolic Mode

Research Paper

Flow diagram of automatic process

Research Paper

● S2E as symbolic environment

Implementation:Symbolic Socket

Research Paper

● Overall architecture for automatic exploit generator

Implementation: Architecture

Research Paper

Implementation: Symbolic Response and Query Handler

● From Web Crawler to Symbolic Request

Research Paper

Implementation: Symbolic Response and Query Handler

● From symbolic response or query to exploit generator

Research Paper

Implementation: Exploit Generation

Research Paper

Implementation: Exploit Generation

● Algorithm to solve the exploit constraint

Research Paper

Results: Experiment Environment

● Host OS- Ubuntu 10.10● Guest Environment- emulated by Qemu● Qemu- hosted Debian 5.07 and Windows XP● Softwares- S2E 1.0 and MySQL as database handler

Research Paper

Results: Evaluation for different platforms

Research Paper

Results: Evaluation for Exploit Generation

● With test cases from Ardilla

Research Paper

● With test cases from Ardilla

Research Paper

● With Real world Applications

Research Paper

Results: Related works

Conclusions

● AEG is possible for web applications● CRAXWeb uses

● Symbolic execution ● Concolic Testing

● However,Still have rooms for development● for more exploit types● to integration with browser

References

Shih-Kun Huang,Han-Lin Lu ; Wai-Meng Leong ; Huan Liu, ”CRAXweb: Automatic Web Application Testing and Attack Generation”, Software Security and Reliability (SERE),IEEE 7th International Conference, June 2013

Shih-Kun Huang,Min-Hsiang Huang ; Po-Yen Huang ; Chung-Wei Lai ; Han-Lin Lu ; Wai-Meng Leong, “CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations” ,Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference, June 2012

Thanassis Avgerinos and Sang Kil Cha and Brent Lim Tze Hao and David Brumley, “AEG: Automatic Exploit Generation”,Network and Distributed System Security Symposium, Feb 2012

References

James Newsome,Dawn Song,”Dynamic Taint Analysis for Automatic Detection,An alysis, and Signature Generation of Exploitson Commodity Software”, Network and Distributed System Security Symposium, 2005

Cristian Cadar, Daniel Dunbar, Dawson Engler, “KLEE: Unassisted and Automatic Generation of High-CoverageTests for Complex Systems Programs”, USENIX Symposium on Operating Systems Design and Implementation, December 2008

craxweb: automatic exploit generation for web applications

computer science

automatic

attack generation

exploit generation

software security

symbolic response

lin lu

meng leong

Technology

automatic generation of polynomial invariants for...

automatic generation control algorithm

automatic problem generation

simulink automatic generation control

a semantic framework for automatic generation of...

automatic generation of indoor navigable space … ·...

fuze: towards facilitating exploit generation for kernel...

variations of module generation manual, semi-automatic,...

automatic library generation

automatic metadata generation

towards automated exploit signature generation using...

automatic generation control

baab (bug as a backdoor) through automatic exploit...

security verification via automatic hardware-aware exploit...

next generation web scanning presentation - exploit database

automatic texture atlas generation

fuze: towards facilitating exploit generation for kernel...

semfuzz: semantics-based automatic generation of proof-of...

automatic generation of volume conductor models … ·...

automatic database schema generation