Sound and Precise Analysis of Web Applications for Injection Vulnerabilities (Gary Wassermann, Zhendong Su): transcript of a PowerPoint presentation
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities
Gary Wassermann, Zhendong Su
What is an SQL injection attack?
• An attacker exploits faulty application code to execute maliciously crafted database queries.
• In 2006, 14% of the reported vulnerabilities were SQLCIVs (SQL command injection vulnerabilities), making SQL injection the second most frequently reported security threat.
An example
$userid = "1';DROP TABLE unp_user--";
Executed query:
SELECT * FROM `unp_user` WHERE userid='1';DROP TABLE unp_user--'
Existing Approaches
• Tainted information flow tracking does not model the precise semantics of input sanitization routines, requires manually written specifications, and is not fully automated: it may require user intervention (e.g. for dynamic includes in PHP).
• String-analysis-based techniques do not track the source of string values and therefore also require specifications.
Context Free Grammar (CFG)
denotes "derives in one step"
for example:
if
denotes "derives in a finite number of steps"
Definition of web application
Definition of syntactic confinement
Definition of SQLCIV
The article's approach
1) Model the possible string values as a CFG
2) Label nonterminals as "direct" or "indirect" where needed
3) Check that no string in the language of the CFG is an SQLCIV according to the definition
General scheme of implementation
Illustration of the algorithm
For all sentential forms derivable from query, GETuid appears between quotes, in the syntactic position of a string literal.
Building the CFG (1)
Building the CFG (2)
• Not all string operations are concatenations and assignments: what about x = escape_quotes(x)?
• We need to model x = escape_quotes(y).
• To model such cases we use Finite State Transducers (FSTs).
FST
• Finite-state machine whose output values are determined both by its current state and by the values of its inputs
• Has one or more final states
• May be non-deterministic
Example: modeling str_replace with an FST
str_replace("''", "'", $B)
The Problem with FSTs
• They cannot model all string functions in PHP, e.g. preg_replace(pattern, replacement, subject).
• Mohri and Sproat describe how to approximate such functions using two FSTs.
Intersection between FST and CFG
General scheme of implementation
Policy Conformance Analysis (1)
• If an untrusted substring has an odd number of quotes, it cannot be syntactically confined.
For each labelled nonterminal X: if X can derive a string with an odd number of quotes,
then X is not safe.
Policy Conformance Analysis (2)
• If a labelled nonterminal X occurs only in the syntactic position of string literals:
– If any form derived from X contains unescaped quotes, then X derives unconfined strings and X is not safe.
– Else X is safe.
Policy Conformance Analysis (3)
• If X derives only numeric literals,
then X is safe.
Policy Conformance Analysis (4)
• If X can produce a non-numeric string outside of quotes, it likely represents an SQLCIV. To confirm this, we check whether X derives any string that cannot be confined (e.g. "drop where", "--"). If it can, then X is unsafe.
Policy Conformance Analysis (5)
• If each string derived from the remaining labelled nonterminals is derivable from some nonterminal in the SQL grammar, then the remaining labelled nonterminals are safe.
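As an added example (not code from the paper or the slides), the following Python models the escape_quotes sanitizer from slide 13 as a one-state FST and applies the policy checks from slides 19 to 21 to the query of slide 3. It works on concrete query strings rather than on the language of a CFG; the token regex, the query template with a {} hole and the function names are assumptions of this example.

```python
import re

# Constructed example: a tokenizer for a tiny SQL subset. A string literal uses
# '' as the escaped quote; other tokens are numbers, identifiers/keywords
# (backticks allowed), a -- comment, or any single non-space character.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|[A-Za-z_`*][A-Za-z0-9_`*]*|--.*|\S")

# escape_quotes as an FST: (state, input char) -> (output, next state).
# A pair that is not listed copies the input character and keeps the state.
ESCAPE_QUOTES_FST = {("q0", "'"): ("''", "q0")}

def run_fst(s, fst=ESCAPE_QUOTES_FST, start="q0"):
    """Run a deterministic transducer over s and return its output."""
    state, out = start, []
    for ch in s:
        emit, state = fst.get((state, ch), (ch, state))
        out.append(emit)
    return "".join(out)

def odd_quote_count(s):
    """Policy check (1): an odd number of quotes can never be confined."""
    return s.count("'") % 2 == 1

def confined_as_data(template, untrusted):
    """Policy checks (2) and (3) on one concrete query: build the query from a
    template with a single {} hole and test whether the untrusted substring is
    covered by exactly one string-literal or numeric token, i.e. whether it
    stays in the syntactic position of a literal."""
    prefix, suffix = template.split("{}")
    query = prefix + untrusted + suffix
    start, end = len(prefix), len(prefix) + len(untrusted)
    for m in TOKEN.finditer(query):
        if m.start() <= start and end <= m.end():   # first token covering the hole
            lex = m.group()
            is_literal = len(lex) >= 2 and lex[0] == "'" and lex[-1] == "'"
            return is_literal or lex.isdigit()
    return False   # the untrusted text spans several tokens: not confined

# The slide's query, with the untrusted value in a string-literal position.
QUERY = "SELECT * FROM `unp_user` WHERE userid='{}'"
PAYLOAD = "1';DROP TABLE unp_user--"          # the slide's example input

odd_quote_count(PAYLOAD)                       # → True: check (1) rejects it
confined_as_data(QUERY, PAYLOAD)               # → False: breaks out of the literal
confined_as_data(QUERY, run_fst(PAYLOAD))      # → True: escaped, stays inside
confined_as_data("SELECT * FROM `unp_user` WHERE userid={}", "42")  # → True
```

The last call shows check (3): a purely numeric value is confined even outside quotes, whereas the same hole filled with "42 OR 1=1" spans several tokens and is rejected.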
Implementation
• Uses a modified version of Minamide's string analyzer:
– specifications for 243 PHP functions were added;
– support for PHP dynamic includes was improved.
• Derivability is checked using an extension of Earley's parsing algorithm.
Results
False positive rate = 20.8%
False negative rate = 0%
Explanations for the false positive rate
• Insufficient precision through type conversions
• ASCII functions
Future improvements
• Improve the analysis of helper functions defined in other files
• Analyze only the strings that affect the database
Conclusions
1. Catches all SQLCIVs
2. Can be very slow (but future improvements will make it faster)
3. The false positive rate is a bit high, but will be improved in the next version