Page 1
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities
Gary Wassermann and Zhendong Su, UC Davis
Slides from http://wwwcsif.cs.ucdavis.edu/~wassermg/research/
Made some additions/clarifications!
Page 2
SQL Injection Vulnerabilities
• 2006: 14% of CVEs were SQLCIVs (SQL command injection vulnerabilities), the 2nd most common category
• Percent of attacks likely much higher
  – Web applications are accessible
  – Databases hold valuable information
Figure: Web browser → (user input) → Application → (SQL query) → Database
Page 3
Example
<?
$sid = addslashes($_GET['sid']);
$query = "SELECT * FROM carts WHERE sid = ".$sid;
mysql_query($query);
?>
On malicious input: SELECT * FROM carts WHERE sid = 78 OR 1 = 1
Result: Returns information from all shopping carts.
Page 4
Informal Characterization [POPL'06]
At runtime the parse tree of the generated query has a completely different structure from the one the programmer had in mind.
Page 5
Past Approaches
• Runtime checks
  – Benefits: easy to be precise
  – State of the art: lexical or syntactic confinement
  – Drawback: we pay many times the overhead of a correctly-placed check
• Static analysis
  – Benefits: early bug detection; analyze code fragments; no runtime overhead
  – State of the art: static taint analysis
Page 6
Static Checking for SQLCIVs
Dataflow graph: $_GET['sid'] → addslashes() → $sid → . (concatenation with the constant "SELECT…") → $query → mysql_query()
Code:
$sid = addslashes($_GET['sid']);
$query = "SELECT…".$sid;
mysql_query($query);
Page 7
Static Checking for SQLCIVs
Static taint analysis over the dataflow graph; labels come from the Integrity lattice (U = untrusted, T = trusted):
  Source $_GET['sid'] : U → Sanitizer addslashes() : T → $sid : T → $query : T → Sink mysql_query() : T
  false negative! (addslashes() is modelled as a sanitizer, so the value reaching the sink is labelled trusted)
Code:
$sid = addslashes($_GET['sid']);
$query = "SELECT…".$sid;
mysql_query($query);
Page 8
Static Checking for SQLCIVs
Static taint analysis (labels: Integrity):
  Source : U → Sanitizer addslashes() : T → T → Sink : T → false negative!
Our goal (labels: (Integrity × String)* Set):
  Source : U → Transformation addslashes() : U' → T U' → Sink : T U' → check against policy
Page 9
Static Checking for SQLCIVs
Our goal (labels: (Integrity × String)* Set):
  Source : U → Transformation addslashes() : U' → T U' → Sink : T U' → check against policy
How can we:
• model semantics of transformation?
• track integrity classes through transformations?
• check the value at the sink against our policy?
Page 10
SQLCIV Analysis Framework
Static Taint Analysis → Compliance Check
Page 11
String Analysis [Min05]
Dataflow graph: $_GET['sid'] → addslashes() → $sid → $query (concatenated with "SELECT…")
• CFGs model string sets
• Construct extended CFG from dataflow graph:
  GETsid → Σ*
  Sid → addslashes(GETsid)
  C → SELECT…
  Query → C Sid
Page 12
String Analysis [Min05]
Dataflow graph with integrity labels: $_GET['sid'] : U → addslashes() : U' → $sid : U'; "SELECT…" : T; $query : T U'
• CFGs model string sets
• Construct extended CFG from dataflow graph:
  GETsid → Σ*
  Sid → addslashes(GETsid)
  C → SELECT…
  Query → C Sid
Page 13
Modeling String Transformations
• Finite State Transducers model string functions
• Use FSTs to turn extended CFG into CFG
Extended CFG: GETsid → Σ*; Sid → addslashes(GETsid); C → SELECT…; Query → C Sid
Figure: two-state FST for stripslashes(); edges are labelled input / output (\ / ε, ' / ', A / \A, \ / \, B / B, with A ∈ Σ∖{'} and B ∈ Σ∖{\}). Example: O\'Brian → O'Brian
Page 14
Tracking Integrity Classes
CFG: S → a, S → S X, X → Σ (language: aΣ*)
FSA: states 0, 1; 0 -[a-z]-> 1; 1 -[0-9]-> 1 (language: [a-z][0-9]*)
Intersection: S01 → a, X11 → [0-9], S01 → S01 X11 (language: a[0-9]*)
• Find CFG-FSA intersection via CFL-reachability
• Propagate labels to corresponding nonterminals
• Use this algorithm to find CFG's image over FST
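The intersection step on this slide, worked as an added example (not the authors' code): a CFL-reachability fixpoint labels each nonterminal with the FSA state pairs it can carry the automaton across, run on the slide's grammar S → a | S X, X → Σ and the automaton for [a-z][0-9]*, followed by a membership test on the resulting grammar. The alphabet is restricted to [a-z0-9] so the example stays small.

```python
from itertools import product
from functools import lru_cache
# Constructed instance of the slide's example (not the authors' code):
# CFG S -> a | S X, X -> Σ (language aΣ*); FSA 0 -[a-z]-> 1, 1 -[0-9]-> 1.
ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz0123456789")          # Σ
GRAMMAR = {"S": [("a",), ("S", "X")], "X": [("SIGMA",)]}
TERMINALS = {"a": frozenset("a"), "SIGMA": ALPHABET}
FSA = [(0, frozenset("abcdefghijklmnopqrstuvwxyz"), 1), (1, frozenset("0123456789"), 1)]

def intersect(grammar, terminals, fsa):
    """CFL-reachability: label each nonterminal A with the state pairs (p, q)
    it can carry the FSA across; the labelled copies A_pq and their productions
    are the intersected CFG. Rules must be A -> t (terminal) or A -> B C."""
    states = {s for p, _, q in fsa for s in (p, q)}
    prods, changed = set(), True
    while changed:                                  # iterate to a fixpoint
        changed = False
        known = {lhs for lhs, _ in prods}
        for A, rhss in grammar.items():
            for rhs in rhss:
                if rhs[0] in terminals:             # A -> t: one step p -> q
                    new = {((A, p, q), (terminals[rhs[0]] & cs,))
                           for p, cs, q in fsa if terminals[rhs[0]] & cs}
                else:                               # A -> B C: p -> q -> r
                    new = {((A, p, r), ((rhs[0], p, q), (rhs[1], q, r)))
                           for p, q, r in product(states, repeat=3)
                           if (rhs[0], p, q) in known and (rhs[1], q, r) in known}
                if not new <= prods:
                    prods |= new
                    changed = True
    return prods

def accepts(prods, start, word):
    """Membership test for the intersected grammar (no unit-rule cycles)."""
    bodies = {}
    for lhs, body in prods:
        bodies.setdefault(lhs, []).append(body)
    @lru_cache(maxsize=None)
    def derives(nt, w):
        for body in bodies.get(nt, ()):
            if len(body) == 1 and len(w) == 1 and w in body[0]:
                return True                         # terminal character class
            if len(body) == 2 and any(derives(body[0], w[:i]) and derives(body[1], w[i:])
                                      for i in range(1, len(w))):
                return True
        return False
    return derives(start, word)

# Yields S01 -> a, X11 -> [0-9], S01 -> S01 X11 (plus an unreachable X01 -> [a-z]): S01 now denotes a[0-9]*.
PRODS = intersect(GRAMMAR, TERMINALS, FSA)
```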
Page 17
Policy Conformance
• Use SQL grammar as reference grammar
• Check "literals" case with regular languages
• Untrusted input: not in quoted context, not numeric, includes SQL code
  – DIRECT if immediately affected by user
  – INDIRECT if affected by previous query answer
Example grammar:
  GETsid' → (Σ∖{'} ∪ {\'})*
  Sid → GETsid'
  C → SELECT * FROM users WHERE id =
  Query → C Sid
Page 18
Evaluation: Results
• Modified Minamide's PHP String Analyzer
• Evaluated on 6 real-world PHP web apps

| Subject   | Lines   | Time: String-Taint (h:mm:ss) | Time: Policy Conformance (h:mm:ss) | Direct errors: Real | Direct errors: False | Indirect errors |
|-----------|--------:|-----------------------------:|-----------------------------------:|--------------------:|---------------------:|----------------:|
| Claroline | 169,479 | 3:04:11 | 0:02:22 | 30 | 11 | 24 |
| e107      | 132,862 | 1:08:05 | 0:01:39 |  4 |  8 | 15 |
| EVE       |     904 | 0:00:01 | 0:00:04 |  4 |  0 |  1 |
| Tiger     |  14,350 | 3:14:07 | 3:27:50 |  0 |  3 |  2 |
| Utopia    |   5,438 | 0:13:10 | 0:00:48 | 14 |  2 | 12 |
| Warp      |  24,365 | 0:00:52 | 0:04:49 |  0 |  0 |  0 |
Page 19
Example Vulnerability
isset($_GET['userid']) ? $userid = $_GET['userid'] : $userid = '';
if (!eregi('[0-9]+', $userid)) {
    unp_msg('invalid user ID.');
    exit;
}
$getuser = $DB->query("SELECT * FROM `unp_user` WHERE userid='$userid'");
Should be '^[0-9]+$' (the unanchored pattern only requires a digit somewhere in the value, so arbitrary SQL around it passes the check).
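An instance-level illustration of the literal-case policy (page 17) and of the page-19 filter, written as an added example rather than the authors' analyzer: the analyzer checks whole string languages statically, whereas this code checks one concrete query at a time with a small constructed SQL lexer and a model of addslashes(), and also shows why the transformation does not help in the unquoted context of page 3.

```python
import re

# Simplified SQL lexer, constructed for this example (not the authors' tool):
# MySQL-style strings with backslash escapes, numbers, words and backtick names,
# plus a catch-all so an unmatched quote still becomes a token of its own.
TOKEN_RE = re.compile(r"""\s+ | (?P<string>'(?:[^'\\]|\\.)*') | (?P<number>\d+)
                          | (?P<word>[A-Za-z_]\w*|`[^`]*`) | (?P<other>.)""",
                      re.VERBOSE | re.DOTALL)

def tokenize(sql):
    """Return (kind, start, end) for every non-whitespace token of sql."""
    return [(m.lastgroup, m.start(), m.end())
            for m in TOKEN_RE.finditer(sql) if m.lastgroup]

def addslashes(s):
    """Model of PHP addslashes(): a transformation, not a sanitizer. It only
    escapes backslash, quotes and NUL; nothing is rejected or removed."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))

def untrusted_is_literal(prefix, untrusted, suffix):
    """Literal-case policy: the untrusted substring must lie inside exactly one
    SQL literal token (quoted string or number). Spanning several tokens means
    it contributed SQL syntax, i.e. the parse tree changed (page 4)."""
    query = prefix + untrusted + suffix
    lo, hi = len(prefix), len(prefix) + len(untrusted)
    hits = [kind for kind, s, e in tokenize(query) if s < hi and e > lo]
    return len(hits) == 1 and hits[0] in ("string", "number")

def userid_accepted(userid, anchored):
    """The page-19 filter. eregi('[0-9]+') is a search, so one digit anywhere
    passes; '^[0-9]+$' requires the whole value to be digits."""
    pattern = r"^[0-9]+$" if anchored else r"[0-9]+"
    return re.search(pattern, userid, re.IGNORECASE) is not None

if __name__ == "__main__":
    carts = "SELECT * FROM carts WHERE sid = "          # page 3: unquoted numeric
    for value in ("78", "78 OR 1 = 1"):
        print(repr(value), untrusted_is_literal(carts, addslashes(value), ""))
    unp = "SELECT * FROM `unp_user` WHERE userid='"    # page 19: quoted context
    for value in ("42", "1' OR '1'='1"):
        print(repr(value), userid_accepted(value, anchored=False),
              userid_accepted(value, anchored=True),
              untrusted_is_literal(unp, value, "'"))
```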
Page 20
False Positive
CASTING PROBLEMS
Page 21
Indirect Error
Annotations on the code: "Verified"; "? Returned from DB"
Page 22
Conclusions
• Achieved accurate checking for SQLCIVs by tracking string values and sources
• Successfully applied to real-world PHP programs and found subtle vulnerabilities
• Future work:
  – Improve error reports
  – Apply to XSS