Securing Web Applications with Information Flow Tracking

with Michael Martin, Benjamin Livshits, John Whaley, Michael Carbin, Dzin Avots, Chris Unkel

Web Application Vulnerabilities

- 50% of databases had a security breach [Computer crime & security survey, 2002]
- 92% of Web applications are vulnerable [Application Defense Center, 2004]
- 48% of all vulnerabilities, Q3-Q4 2004 [Symantec, May 2005]
Top Ten Security Flaws in Web Applications [OWASP]

1. Unvalidated Input
2. Broken Access Control
3. Broken Authentication and Session Management
4. Cross Site Scripting (XSS) Flaws
5. Buffer Overflows
6. Injection Flaws
7. Improper Error Handling
8. Insecure Storage
9. Denial of Service
10. Insecure Configuration Management

Web Applications

[diagram: Hacker -> Browser -> (Evil Input) -> Web App -> Database; confidential information leaks back out]
SQL Injection Errors

[diagram: Hacker -> Browser -> Web App -> Database; injected requests: "Give me Bob's credit card #", "Delete all records"]

Happy-go-lucky SQL Query

User supplies: name, password

Java program:

    String query =
        "SELECT UserID, Creditcard FROM CCRec WHERE Name = " + name
        + " AND PW = " + password;
Fun with SQL

"--": "the rest are comments" in Oracle SQL

SELECT UserID, CreditCard FROM CCRec WHERE:

    Name = bob                  AND PW = foo
    Name = bob--                AND PW = x
    Name = bob or 1=1--         AND PW = x
    Name = bob; DROP CCRec--    AND PW = x
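Added example, not from the slides: the concatenated "happy-go-lucky" query above beside its parameterised form, run against a constructed in-memory CCRec table so the effect of the "or 1=1--" input is visible. The single quotes around the values, the two sample rows and the table layout are assumptions.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the slides' CCRec table (two sample rows).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE CCRec (UserID TEXT, Name TEXT, PW TEXT, Creditcard TEXT)")
    con.executemany("INSERT INTO CCRec VALUES (?, ?, ?, ?)", [
        ("u1", "bob", "foo", "cc-constructed-1"),
        ("u2", "alice", "bar", "cc-constructed-2"),
    ])
    return con

def lookup_concat(con, name, password):
    # The slides' "happy-go-lucky" query, with the single quotes a real application
    # would put around the values (assumption). Because the input is pasted into the
    # SQL text, "--" turns the rest of the statement into a comment and "or 1=1"
    # makes the WHERE clause true for every row.
    query = ("SELECT UserID, Creditcard FROM CCRec WHERE Name = '" + name
             + "' AND PW = '" + password + "'")
    return con.execute(query).fetchall()

def lookup_prepared(con, name, password):
    # Parameterised form: the values are bound as data and never parsed as SQL,
    # so the same input is just a Name that matches nothing.
    query = "SELECT UserID, Creditcard FROM CCRec WHERE Name = ? AND PW = ?"
    return con.execute(query, (name, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "bob", "foo"))            # the legitimate lookup
    print(lookup_concat(db, "bob' or 1=1--", "x"))    # every row comes back
    print(lookup_prepared(db, "bob' or 1=1--", "x"))  # []
```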
Vulnerabilities in Web Applications

Inject:
- Parameters
- Hidden fields
- Headers
- Cookie poisoning

Exploit:
- SQL injection
- Cross-site scripting
- HTTP splitting
- Path traversal

Key: Information Flow

A Simple SQL Injection Pattern

    o = req.getParameter();
    stmt.executeQuery(o);
In Practice

    ParameterParser.java:586  String session.ParameterParser.getRawParameter(String name)

    public String getRawParameter(String name) throws ParameterNotFoundException {
        // getParameterValues returns an array, one entry per repeated parameter
        String[] values = request.getParameterValues(name);
        if (values == null) {
            throw new ParameterNotFoundException(name + " not found");
        } else if (values[0].length() == 0) {
            throw new ParameterNotFoundException(name + " was empty");
        }
        return (values[0]);
    }

    ParameterParser.java:570  String session.ParameterParser.getRawParameter(String name, String def)

    public String getRawParameter(String name, String def) {
        try {
            return getRawParameter(name);
        } catch (Exception e) {
            return def;
        }
    }

In Practice (II)

    ChallengeScreen.java:194  Element lessons.ChallengeScreen.doStage2(WebSession s)

    // the raw request parameter is concatenated straight into the SQL text
    String user = s.getParser().getRawParameter(USER, "");
    StringBuffer tmp = new StringBuffer();
    tmp.append("SELECT cc_type, cc_number from user_data WHERE userid = '");
    tmp.append(user);
    tmp.append("'");
    query = tmp.toString();
    Vector v = new Vector();
    try {
        ResultSet results = statement3.executeQuery(query);
        ...

PQL: Program Query Language

    o = req.getParameter();
    stmt.executeQuery(o);
- Query on the dynamic behavior, based on object entities
- Abstracting away information flow

Dynamic vs. Static Pattern

Dynamically:

    o = req.getParameter();
    stmt.executeQuery(o);

Statically:

    p1 = req.getParameter();
    stmt.executeQuery(p2);

Do p1 and p2 point to the same object? -> Pointer alias analysis
Flow-Insensitive Pointer Analysis

Objects allocated by the same line of code are given the same name.

    Code                      Datalog
    o1: p = new Object();     pts(p, o1)
    o2: q = new Object();     pts(q, o2)
    p.f = q;                  hpts(o1, f, o2)
    r = p.f;                  pts(r, o2)

[diagram: p -> o1, q -> o2, o1 -f-> o2, r -> o2]
Inference Rule in Datalog

Assignments:

    pts(v1, h1) :- "v1 = v2" & pts(v2, h1).

    v1 = v2;      [diagram: v2 -> h1, hence v1 -> h1]

Inference Rule in Datalog

Stores:

    hpts(h1, f, h2) :- "v1.f = v2" & pts(v1, h1) & pts(v2, h2).

    v1.f = v2;    [diagram: v1 -> h1, v2 -> h2, hence h1 -f-> h2]

Inference Rule in Datalog

Loads:

    pts(v2, h2) :- "v2 = v1.f" & pts(v1, h1) & hpts(h1, f, h2).

    v2 = v1.f;    [diagram: v1 -> h1, h1 -f-> h2, hence v2 -> h2]

Pointer Analysis Rules

    pts(v, h)       :- "h: T v = new T()".
    pts(v1, h1)     :- "v1 = v2" & pts(v2, h1).
    hpts(h1, f, h2) :- "v1.f = v2" & pts(v1, h1) & pts(v2, h2).
    pts(v2, h2)     :- "v2 = v1.f" & pts(v1, h1) & hpts(h1, f, h2).

Pointer Alias Analysis

- Specified by a few Datalog rules
  - Creation sites
  - Assignments
  - Stores
  - Loads
- Apply rules until they converge
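Added example, not from the slides: the four points-to rules above applied to a fixpoint in Python, first on the slide's four-statement program and then to answer the static question from the Dynamic vs. Static slide (do p1 from getParameter() and p2 passed to executeQuery() point to the same object?). Modelling the getParameter() result as a creation site named hParam, and the holder object and the constant string p3, are assumptions.

```python
from itertools import product

# A program is a list of statements in the four forms the slides use:
#   ("new", v, h)         h: v = new T()   (h names the allocation site)
#   ("assign", v1, v2)    v1 = v2
#   ("store", v1, f, v2)  v1.f = v2
#   ("load", v2, v1, f)   v2 = v1.f
def points_to(program):
    pts = set()    # pts(v, h): variable v may point to object h
    hpts = set()   # hpts(h1, f, h2): field f of object h1 may point to h2
    while True:    # apply the rules until they converge (fixpoint)
        before = len(pts) + len(hpts)
        for stmt in program:
            kind = stmt[0]
            if kind == "new":       # pts(v, h) :- "h: v = new T()"
                pts.add((stmt[1], stmt[2]))
            elif kind == "assign":  # pts(v1, h1) :- "v1 = v2" & pts(v2, h1)
                _, v1, v2 = stmt
                pts |= {(v1, h) for (v, h) in list(pts) if v == v2}
            elif kind == "store":   # hpts(h1, f, h2) :- "v1.f = v2" & pts(v1, h1) & pts(v2, h2)
                _, v1, f, v2 = stmt
                h1s = {h for (v, h) in pts if v == v1}
                h2s = {h for (v, h) in pts if v == v2}
                hpts |= {(h1, f, h2) for h1, h2 in product(h1s, h2s)}
            elif kind == "load":    # pts(v2, h2) :- "v2 = v1.f" & pts(v1, h1) & hpts(h1, f, h2)
                _, v2, v1, f = stmt
                h1s = {h for (v, h) in pts if v == v1}
                pts |= {(v2, h2) for (h1, g, h2) in list(hpts) if g == f and h1 in h1s}
        if len(pts) + len(hpts) == before:
            return pts, hpts

# The slide's four-statement program (o1, o2 are allocation-site names).
SLIDE_PROGRAM = [("new", "p", "o1"), ("new", "q", "o2"),
                 ("store", "p", "f", "q"), ("load", "r", "p", "f")]

# The static injection pattern "p1 = req.getParameter(); ... stmt.executeQuery(p2)".
# Assumption: the string returned by getParameter() is modelled as its own creation
# site "hParam", and p2 reaches executeQuery after a store/load through a holder.
INJECTION_PROGRAM = [("new", "p1", "hParam"), ("new", "holder", "hObj"),
                     ("store", "holder", "f", "p1"), ("load", "p2", "holder", "f"),
                     ("new", "p3", "hConst")]

def may_alias(program, v1, v2):
    # True when v1 and v2 may point to a common object, i.e. the static pattern fires.
    pts, _ = points_to(program)
    return bool({h for (v, h) in pts if v == v1} & {h for (v, h) in pts if v == v2})
```

may_alias(INJECTION_PROGRAM, "p1", "p2") is True (the parameter reaches the query through the field), while p1 and the constant string p3 never alias.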
Context-Sensitive Pointer Analysis

    L1: a = malloc();
        a = id(a);

    id(x) { return x; }

    L2: b = malloc();
        b = id(b);

[diagram: points-to graphs for a, b and x under context-sensitive (a -> L1, b -> L2) and context-insensitive (x merges L1 and L2) analysis of the two calls to id]

Even without recursion, the number of contexts is exponential!
Top 20 Sourceforge Java Apps

[chart: number of contexts per application, log scale from 10^0 to 10^16]

Costs of Context Sensitivity

- Typical large program has ~10^14 paths
- If you need 1 byte to represent a context:
  - 100 terabytes of storage
  - > 12 times the size of the Library of Congress
  - Memory: $1.2 million
  - Hard drive: $47,500
  - Time to read sequentially: 20 days

Cloning-Based Algorithm

- Whaley & Lam, PLDI 2004 (best paper award)
- Create a "clone" for every context
- Apply context-insensitive algorithm to cloned call graph
- Lots of redundancy in result
- Exploit redundancy by clever use of BDDs (binary decision diagrams)

Automatic Analysis Generation

[diagram: layered tool stack, top to bottom]
- PQL
- Ptr analysis in 10 lines of Datalog
- bddbddb (BDD-based deductive database) with Active Machine Learning
- 1000s of lines of BDD operations (1 year tuning)
- BDD: 10,000s-line library

Benchmarks

- 9 large, widely used applications
- Blogging/bulletin board applications
- Used at a variety of sites
- Open-source Java J2EE apps
- Available from SourceForge.net

Vulnerabilities Found

    Source      SQL injection  HTTP splitting  Cross-site scripting  Path traversal  Total
    Header            0              6                  5                  0           11
    Parameter         6              5                  0                  2           13
    Cookie            1              0                  0                  0            1
    Non-Web           2              0                  0                  3            5
    Total             9             11                  5                  5           30

...
This document was uploaded on 03/12/2012.