
An Analysis Framework for Security in Web Applications Gary Wassermann and Zhendong Su University of California, Davis

Upload: kevin-davis

Post on 02-Jan-2016


Page 1:

An Analysis Framework for Security in Web Applications

Gary Wassermann and Zhendong Su

University of California, Davis

Page 2:

Web Application Architecture

[Diagram: Web browser --(user input)--> Application --(database query)--> Database; Database --(result set)--> Application --(web page)--> Web browser]

Application generates query based on user input

Page 3:

Command Injection Attacks

String query = "SELECT * FROM users WHERE username = '" + strUName + "' AND password = '" + strPasswd + "';";

Expected input generates: SELECT * FROM users WHERE username = 'John' AND password = 'JohnsPass';

Result: John logs in

Page 4:

Command Injection Attacks

String query = "SELECT * FROM users WHERE username = '" + strUName + "' AND password = '" + strPasswd + "';";

Malicious input generates: SELECT * FROM users WHERE username = '' AND password = '' OR '' = '';

Result: Malicious user logs in as the first user returned from the database. Frequently, the administrator!

Page 5:

Motivation

~60% of web applications are vulnerable

Found vulnerable sites easily in web search

Many ways to regulate user inputs

Limit length of input

Filter out “bad” strings

Escape quotes, etc.

Are the regulations sufficient?

Goal: Check whether any “dangerous” queries, not user inputs, exist

Page 6:

Example: change admin password

Attacker registers online:

Username: admin'--

Password: password

INSERT INTO users VALUES('admin''--', 'password')

Page 7:

Example: change admin password

Attacker changes password:

Username: admin'--

OldPass: password

NewPass: backdoor

Page 8:

Example: change admin password

Application checks correctness of old password:

sql = "SELECT * FROM users WHERE username = 'admin''--' AND password = 'password'";
rso.open( sql, cn );
if (rso.EOF) {...}

Page 9:

Example: change admin password

Admin's password gets changed:

sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";

UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'
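The two queries of Pages 3–4 (login) and Pages 6–9 (password change), as an added example that is not code from the slides: the concatenated statements shown on the slides are built and run against a constructed SQLite database, each beside a parameterized version of the same statement. The table, the two accounts and their passwords are constructed for the demonstration, and the function names are mine. The password-change half shows why the slides check queries rather than inputs: registration stores the literal value admin'-- correctly, and the damage happens later when that stored value is concatenated into the UPDATE.

```python
import sqlite3

def make_db():
    """Constructed sample database (not from the slides): an admin and one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("John", "JohnsPass")])
    return conn

# --- Login check (Pages 3-4): the slides' concatenation beside a parameterized query ---

def login_query_concat(username, password):
    """The slides' construction: user input pasted into the SQL text."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_concat(conn, username, password):
    """Usernames matched by the concatenated query (sorted for determinism)."""
    rows = conn.execute(login_query_concat(username, password)).fetchall()
    return sorted(row[0] for row in rows)

def login_param(conn, username, password):
    """Hardened form: placeholders keep the input in data position, so a quote
    or an OR inside the input is compared as characters, never parsed as SQL."""
    rows = conn.execute("SELECT * FROM users WHERE username = ? AND password = ?",
                        (username, password)).fetchall()
    return sorted(row[0] for row in rows)

# --- Password change (Pages 6-9): a stored value flows into a second query ---

def register_param(conn, username, password):
    """Registration binds its parameters, so the literal string admin'-- is stored,
    just as the slides' INSERT with the doubled quote stores it."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def change_password_concat(conn, stored_username, newpass):
    """The slides' UPDATE: the username read back from the database is concatenated,
    so a stored value containing ' and -- changes which row the statement touches."""
    sql = ("UPDATE users SET password = '" + newpass
           + "' WHERE username = '" + stored_username + "'")
    conn.execute(sql)

def change_password_param(conn, stored_username, newpass):
    """Hardened form: the stored value is bound as data, whatever it contains."""
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (newpass, stored_username))

def password_of(conn, username):
    return conn.execute("SELECT password FROM users WHERE username = ?",
                        (username,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "", "' OR '' = '"))   # every user matches
    print(login_param(db, "", "' OR '' = '"))    # nobody matches
    register_param(db, "admin'--", "password")
    change_password_concat(db, "admin'--", "backdoor")
    print(password_of(db, "admin"))              # admin's password was rewritten
```

The parameterized UPDATE changes only the row whose username is literally admin'--, which is the row the attacker registered; the concatenated one rewrites the admin row because SQLite, like the database on the slides, treats everything after -- as a comment.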

Page 10:

Overview of Analysis Framework

[Diagram of the framework: Application code (query = …) is abstracted into an Abstract Model of Generated Programs; Structure Discovery extracts table lists, conditional expressions and the select statement; two checks follow: Access Control (ex: "customer" deletes inventory data) and Tautologies (ex: malicious user bypasses authentication)]

Page 11:

Example with cycles

String query = "SELECT * FROM stock WHERE " + strID + " = id";
for (int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];

Page 12:

Example with cycles

String query = "SELECT * FROM stock WHERE " + strID + " = id";
for (int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];

dat = {year, min} (from dropdown menu)

Page 13:

Example with cycles

String query = "SELECT * FROM stock WHERE " + strID + " = id";
for (int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];

dat = {year, min} (from dropdown menu)

inp = {2004, 15} (from textbox)

Page 14:

Example with cycles

String query = "SELECT * FROM stock WHERE " + strID + " = id";
for (int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];

dat = {year, min}

inp = {2004, 15}, filtered with {"delete", "xp_", "=", "from", "or"}

Page 15:

Example with cycles

String query = "SELECT * FROM stock WHERE " + strID + " = id";
for (int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];

dat = {year, min}

inp = {2004, 15}, filtered with {"delete", "xp_", "=", "from", "or"}

Generated query:

SELECT * FROM stock WHERE 982 = id AND year = 2004 AND min = 15

Page 16:

Example with cycles

String query = "SELECT * FROM stock WHERE " + strID + " = id";
for (int i = 0; i < dat.length; i++)
    query = query + " AND " + dat[i] + " = " + inp[i];

dat = {min, min}

inp = {14, 15)} (the second value ends with a closing parenthesis), filtered with {"delete", "xp_", "=", "from", "or"}

Generated query:

SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)

Page 17:

String Analysis (previous work)

[FSA diagram of the queries the loop can generate: SELECT * FROM stock WHERE NOT ( x = id AND min = y ... min = z ), where the AND min = y transitions form a cycle (ε edge) so that the conjunction can repeat]

SELECT * FROM stock WHERE NOT(1 = id AND min = 14 AND min = 15)

Page 18:

Structure Discovery (previous work)

[Same FSA diagram: SELECT * FROM stock WHERE NOT ( x = id AND min = y ... min = z ) with the ε cycle; the part after WHERE is marked as the Boolean expression]

Page 19:

Tautology checking

[Same FSA diagram, with the Boolean expression after WHERE singled out for checking]

NOT ( x = id and min = y and min = z )

Theorem: We discover a tautology over linear arithmetic iff the FSA accepts one.

Page 20:

Overview of Tautology Checking

Main idea: Generate finite number of validity queries from FSA

Challenges: Loops/cycles

Arithmetic

Boolean
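An added example, not the authors' implementation, of the validity check that a single tautology query reduces to. It handles the fragment the slides use: WHERE clauses built from =, <>, AND, OR and NOT over column names and constants. A clause is reported as a tautology when it is true under every assignment of truth values to its comparison atoms that is consistent with equality reasoning; that consistency test is what makes NOT(1 = id AND min = 14 AND min = 15) a tautology (min cannot be both 14 and 15) although it is not one propositionally, and what makes '' = '' and 'a' = 'a' always true. The tokenizer, parser, function names and the union-find consistency test are my construction; the authors' framework generates such validity queries from the FSA of all possible queries, which this block does not model, so it checks one concrete clause at a time.

```python
import itertools
import re

# Tokens handled: integers, single-quoted strings ('' escapes a quote), identifiers, = <> ( ).
TOKEN_RE = re.compile(r"\s*(?:(\d+)|'((?:[^']|'')*)'|([A-Za-z_]\w*)|(<>|=|\(|\)))")

def tokenize(text):
    """Returns ("const", value), ("var", name), (KEYWORD, KEYWORD) or (op, op) tuples."""
    tokens, pos, text = [], 0, text.strip().rstrip(";").strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot tokenize {text[pos:]!r}")
        num, string, ident, op = m.groups()
        pos = m.end()
        if num is not None:
            tokens.append(("const", int(num)))
        elif string is not None:
            tokens.append(("const", string.replace("''", "'")))
        elif ident is not None:
            kw = ident.upper()
            tokens.append((kw, kw) if kw in ("AND", "OR", "NOT") else ("var", ident))
        else:
            tokens.append((op, op))
    return tokens

def parse(tokens):
    """Recursive descent over: or := and (OR and)*; and := not (AND not)*;
    not := NOT not | ( or ) | term (= | <>) term.  Consumes the list from the front."""
    def take(*kinds):
        tok = tokens.pop(0)
        if kinds and tok[0] not in kinds:
            raise ValueError(f"unexpected token {tok}")
        return tok
    def peek():
        return tokens[0][0] if tokens else None
    def binary(keyword, kind, operand):   # left-associative chain joined by keyword
        node = operand()
        while peek() == keyword:
            take()
            node = (kind, node, operand())
        return node
    def parse_not():
        if peek() == "NOT":
            take()
            return ("not", parse_not())
        if peek() == "(":
            take()
            node = parse_or()
            take(")")
            return node
        left, op, right = take("const", "var"), take("=", "<>")[0], take("const", "var")
        return ("eq", left, right) if op == "=" else ("not", ("eq", left, right))
    parse_and = lambda: binary("AND", "and", parse_not)
    parse_or = lambda: binary("OR", "or", parse_and)
    node = parse_or()
    assert not tokens, f"trailing input: {tokens}"
    return node

atom_key = lambda eq_node: tuple(sorted(eq_node[1:], key=repr))  # unordered term pair

def atoms_of(node):
    if node[0] == "eq":
        return {atom_key(node)}
    return set().union(*(atoms_of(child) for child in node[1:]))

def evaluate(node, assignment):
    if node[0] == "eq":
        return assignment[atom_key(node)]
    if node[0] == "not":
        return not evaluate(node[1], assignment)
    left, right = evaluate(node[1], assignment), evaluate(node[2], assignment)
    return (left and right) if node[0] == "and" else (left or right)

def consistent(assignment):
    """Atoms set True are merged with union-find; the assignment is contradictory if
    a class holds two different constants or an atom set False joins merged terms."""
    parent, constants = {}, {}
    def find(t):
        while parent.get(t, t) != t:
            t = parent[t]
        return t
    for (a, b), truth in assignment.items():
        if truth:
            parent[find(a)] = find(b)
    for (a, b), truth in assignment.items():
        if not truth and find(a) == find(b):
            return False
        for t in (a, b):
            if t[0] == "const" and constants.setdefault(find(t), t[1]) != t[1]:
                return False
    return True

def is_tautology(where_clause):
    """True iff the clause holds under every consistent truth assignment to its atoms."""
    tree = parse(tokenize(where_clause))
    atoms = sorted(atoms_of(tree), key=repr)
    for bits in itertools.product((False, True), repeat=len(atoms)):
        assignment = dict(zip(atoms, bits))
        if consistent(assignment) and not evaluate(tree, assignment):
            return False
    return True
```

Calling is_tautology on the WHERE clause of each query on the slides gives True for the login query of Page 4, for the NOT(1 = id AND min = 14 AND min = 15) query of Page 16 and for the username = ''OR'a'='a' query of Page 24, and False for the benign queries of Pages 3 and 15. The enumeration is exponential in the number of distinct atoms, which is acceptable for one WHERE clause but is why the authors bound the unrolling of loops rather than enumerate generated queries.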

Page 21:

Tautology Checking: Arithmetic Loops

[FSA diagram: edges W, X, Y, Z carrying the pieces a, b, + c and ≥ b + c of an inequality; in = 1, out = 1]

W, X, Y, Z (in = 1, out = 1):

1 = W+X ∧ X+W+Y = Y+Z ∧ Z = 1

a, b, c:

W×(a) + X×(b) + Y×(c) ≥ Z×(b+c)

{W,Y,Z ← 1; X ← 0}

b+c ≥ b+c

Page 22:

Tautology Checking: Boolean Loops

[FSA diagram: copies of the cycle a, b, b joined by OR transitions]

n+2 = 4

Page 23:

Earlier Example Revisited

UPDATE users SET password = 'backdoor' WHERE username = 'admin'--'

[FSA diagram: UPDATE users SET password = ' w ' WHERE username = ' x ' --, where w and x stand for the concatenated values]

Page 24:

Earlier Example Revisited

sql = "UPDATE users SET password = '" + newpass + "' WHERE username = '" + rso("username") + "'";

This code may also generate a query with a tautology:

UPDATE users SET password = 'backdoor' WHERE username = ''OR'a'='a';

Page 25:

Earlier Example Revisited

[FSA diagram: UPDATE users SET password = ' w ' WHERE username = ' x ' OR ' y ' = ' z ', where w, x, y and z stand for the concatenated values]

UPDATE users SET password = 'backdoor' WHERE username = ''OR'a'='a';

Page 26:

Conclusions

Analysis Framework: Generate and analyze FSA model of all possible queries

Semantic analysis of generated programs

Not only types but values

Implementation in progress

Questions?

Page 28:

Why n+2?