automatically repairing web application firewalls based on successful sql injection attacks
TRANSCRIPT
Automatically Repairing Web Application Firewalls based on Successful SQL Injection Attacks
Dennis Appelt, Annibale Panichella, Lionel Briand
[Pie chart: attack categories (Code Injection, Manipulated data structures, Collect and analyze information, Indicator, Employ probabilistic techniques, Manipulate system resources, Subvert access control, Abuse existing functionality, Engage in deceptive interactions) with shares of 42%, 32%, 9%, 4%, 3%, 3%, 3%, 2% and 2%]
Source: X-Force Threat Intelligence Index 2017, https://www.ibm.com/security/xforce/
More than 40% of all attacks were SQL injection (SQLi)
Rule Set Customization
Rule customization is necessary:
• To avoid false positives
• To protect from new threats
Customization is error-prone:
• Complex filter rules
• Limited time and resources
• Lack of automated tools
Anatomy of SQLi attacks
Bypassing attack: ‘ OR“a”=“a”#
Decomposition tree (derivation of the attack from the SQLi grammar):
<START> → <sq> <wsp> <sqliAttack> <cmt>
<sqliAttack> → <boolAttack> → <opOR> <boolTrueExpr> → OR <binaryTrue>
<binaryTrue> → <dq> <ch> <dq> <opEq> <dq> <ch> <dq> → “ a ” = “ a ”
<sQuoteContext> → ‘ #_
Attack slices (the substrings the tree splits the attack into):
S = { ‘ _ , OR”a”=“a” , # }
Learning Attack Patterns
Training Set (each attack Ai is a binary vector over the slices S1 … Sn, labelled with the WAF's outcome):
     S1 S2 S3 S4 … Sn | Outcome
A1    1  1  0  0 … 0  | Passed
A2    0  1  0  0 … 0  | Blocked
…     …  …  …  … … …  | …
Am    1  1  1  1 … 1  | Blocked
[Decision tree learned from the training set: internal nodes test the presence of a slice (Sn, S4, S3, S1, S2, …) with Yes/No branches; leaves are Passed or Blocked]
A path through the decision tree is translated into a regular expression, e.g. S2 ∧ ¬ Sn ∧ S1
Fixing Vulnerable WAFs
Pipeline: SQLi Attacks → Attacks Decomposition → Machine Learning (DT) → New Regular Expressions + Existing Rule Set → Fixed Rule Set
Fixed rule set is assessed by: # Blocked Attacks, # Blocked Legitimate Requests
Multi-Objective Optimization
Problem: select a subset of the regular expressions produced by the Decision Tree so as to (1) maximize the recall (blocked attacks) and (2) minimize the false positive rate.
[Plot: Recall vs. False Positive, showing the Pareto front of non-dominated subsets]
Multi-Objective Genetic Algorithms
NSGA-II loop: Initial Solutions → Evaluation → Selection → Crossover → Mutation → (back to Evaluation)
Multi-Objective Genetic Algorithms
Solution encoding: one bit per regular expression (1 = selected, 0 = not selected)
    R1 R2 R3 R4 … Rk
     1  1  0  0 … 0
     0  1  1  1 … 1
NSGA-II loop: Initial Solutions → Evaluation → Selection → Crossover → Mutation → (back to Evaluation)
Solutions are evaluated and selected according to Pareto Optimality
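The selection step above, as an added example that is not from the paper or its tool: a handful of constructed candidate regexes standing in for the decision-tree output, constructed sample attacks and benign requests, and an exhaustive Pareto front over all rule subsets (recall vs. false positive rate), which is what NSGA-II approximates when the number of regexes makes enumeration infeasible.

```python
import re
from itertools import combinations

# Constructed sample traffic (not from the paper): bypassing SQLi attacks the
# existing rule set let through, and benign requests that must keep passing.
ATTACKS = ["' OR \"a\"=\"a\"#", "' OR 1=1#", "\" OR \"x\"=\"x\"-- ", "') OR ('a'='a"]
BENIGN = ["O'Reilly", "amount=100", "note=a#1", "name=\"a\""]

# Constructed candidate regexes, standing in for decision-tree paths.
CANDIDATES = {
    "R1": r"'\s*OR\s+",                   # <sq><wsp><opOR>
    "R2": r"(['\"])\w+\1\s*=\s*\1\w+\1",  # quoted <boolTrueExpr>
    "R3": r"['\"]",                       # any quote: full recall, many false positives
    "R4": r"\b1\s*=\s*1\b",               # numeric tautology
    "R5": r"#|--",                        # SQL comment terminator
}

def blocked(rule_names, request):
    """A request is blocked if any selected regex matches it."""
    return any(re.search(CANDIDATES[n], request, re.I) for n in rule_names)

def evaluate(rule_names):
    """Objectives for one rule subset: (recall over attacks, false positive rate over benign)."""
    recall = sum(blocked(rule_names, a) for a in ATTACKS) / len(ATTACKS)
    fpr = sum(blocked(rule_names, b) for b in BENIGN) / len(BENIGN)
    return recall, fpr

def dominates(p, q):
    """p dominates q if it is at least as good on both objectives and strictly better on one."""
    return p[0] >= q[0] and p[1] <= q[1] and p != q

def pareto_front():
    """Exhaustive Pareto front over all non-empty subsets; the GA searches this space heuristically."""
    subsets = [frozenset(c) for r in range(1, len(CANDIDATES) + 1)
               for c in combinations(CANDIDATES, r)]
    scores = {s: evaluate(s) for s in subsets}
    return {s: scores[s] for s in subsets
            if not any(dominates(scores[o], scores[s]) for o in subsets)}

if __name__ == "__main__":
    for subset, (recall, fpr) in sorted(pareto_front().items(), key=lambda kv: kv[1]):
        print(f"{sorted(subset)}: recall={recall:.2f} fpr={fpr:.2f}")
```

With this data the front has only two objective points: (recall 0.75, FPR 0.00) without the catch-all quote rule R3, and (recall 1.00, FPR 0.50) with it, which is the trade-off the operator has to decide on.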
Research Questions
RQ1: How effective are the found regular expressions in identifying bypassing attacks?
RQ2: To which extent do the found regular expressions misclassify legitimate traffic as attacks?
RQ3: How does NSGA-II compare to random search?
Case Studies
Study 1 (open-source)
Protected System = Cyclos (http://www.cyclos.org)
Target WAF = ModSecurity (https://modsecurity.org)
OWASP Core Rule Set = actively maintained by security experts
Study 2 (industrial)
Protected System = SOA system processing financial transactions
Target WAF = Proprietary
Rule set is maintained by security experts
Case Studies
Study 1 (open-source)
Operation       | # Benign Requests | # Bypassing Attacks
doPayment       | 1567              | 1234
expireTicket    | 1127              |
simulatePayment | 1265              |
Study 2 (industrial)
Operation | # Benign Requests | # Bypassing Attacks
Op1       | 2600              | 943
Op2       | 19957             |
Op3       | 169               |
Op4       | 11462             |
(the slide gives a single attack count per study; blank cells are blank on the slide)
D. Appelt, C. Nguyen, and L. Briand. "Behind an Application Firewall, Are We Safe from SQL Injection Attacks?" ICST 2015
Some Results
Target WAF: ModSecurity with OWASP Core Rule Set
Target Operation: doPayment()
# Attacks = 1234, # Benign Requests = 1567
Hypervolume(NSGA-II) > Hypervolume(RS)
Hypervolume Results
[Bar charts: hypervolume (0.00 to 1.00) of NSGA-II vs. Random per operation; one panel for the Industrial WAF operations Op1, Op2, Op3, Op4 and one panel for the ModSecurity operations doPayment, expireTicket, simulatePayment]
Testing Against Unseen Requests
Proprietary WAF, using the regexes with the lowest false positive rate
New requests: 575 benign requests (functional tests), 222 new SQLi attacks (generated with sqlmap, http://sqlmap.org/)
Results: false positive rate = 0.86% - 1.92%, recall = 91.50% - 100%