
A String Constraint Solver for Web Application Vulnerability Detection

This paper presents a string constraint solver for detecting vulnerabilities in web applications, specifically SQL injection and XSS attacks, using static analysis and string constraint solving techniques. It provides an overview of the constraint solving technique, regular replacement, and experimental data. The paper concludes with lessons learned and future research challenges.


Presentation Transcript


  1. A String Constraint Solver for Detecting Web Application Vulnerability Xiang Fu Hofstra University Chung-Chih Li Illinois State University SEKES 2010

  2. Outline
     • Motivation
     • General Context: Static Analysis + String Constraint Solving
     • Constraint Solving Technique
     • Regular Replacement
     • Application & Experimental Data
     • Conclusion

  3. Vulnerable Web Applications
     • Web applications: successful for a decade!
     • Public accessibility → vulnerability
     “Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the network or system layer.” - Gartner Group

  4. SQL Injection Trick
     Example: uname “admin'--”, pwd “abc”
     string sState = "SELECT uname, pwd FROM users \n"
                   + "WHERE uname = '" + tUname.txt + "' AND pwd ='" + tPwd.txt + "'"
     Resulting statement:
     SELECT uname, pwd FROM users WHERE uname = 'admin'--' AND pwd='abc'
     The -- comments out the rest: log in without a password!

  5. Challenges
     • User input validation: the cure? Programmers are human beings!

  6. Input Validation Not Easy
     String massage(String strInput) {
       String sOut = strInput.Replace("'", "''");  // generate escaping character of SINGLE QUOTE
       sOut = sOut.Substring(0, 16);                // limit string size: chop off after 16th char
       return sOut;
     }
     Can you find an attack against massage?

  7. The Cracking Process (massage as on slide 6)
     Input:                  123456789012345'
     After Replace("'","''"): 123456789012345''
     After Substring(0,16):   123456789012345'

  8. SQL Statement Constructed
     SELECT uname,pwd FROM users WHERE uname='123456789012345'' AND pwd=' OR uname<>''
     Condition 1: the '' after the digits is treated as one single quote, so the uname literal runs on into the pwd comparison.
     Condition 2: OR uname<>'' is a tautology!
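The escape-then-truncate flaw of slides 6 to 8, as an added Python example (not the authors' code, which the slides give in Java/C#-style syntax): massage() is re-implemented in both orders, a quote-balance check shows why the original output must never be spliced into a quoted literal, and a parameterised query is shown as the hardened alternative. The 16-character limit, the probe string and the in-memory users table are taken from or constructed for the slides; build_query mirrors slide 4's sState concatenation.

```python
import sqlite3

MAX_LEN = 16  # the slide's massage() keeps only the first 16 characters (Substring(0,16))


def massage_vulnerable(s: str) -> str:
    """Re-implementation of the slide's massage(): escape first, THEN truncate.
    Truncation can cut a doubled quote in half, leaving one live quote at the end."""
    out = s.replace("'", "''")
    return out[:MAX_LEN]


def massage_fixed(s: str) -> str:
    """Same two operations in the safe order: truncate first, escape last,
    so the length limit can never split an escape sequence."""
    return s[:MAX_LEN].replace("'", "''")


def build_query(uname: str, pwd: str) -> str:
    """The string concatenation shown on slide 4 (sState), in Python."""
    return ("SELECT uname, pwd FROM users \n"
            "WHERE uname = '" + uname + "' AND pwd ='" + pwd + "'")


def quotes_balanced(body: str) -> bool:
    """Check a sanitiser's output before splicing it into a quoted SQL literal:
    every single quote must be one half of a doubled pair ('')."""
    i = 0
    while i < len(body):
        if body[i] == "'":
            if i + 1 < len(body) and body[i + 1] == "'":
                i += 2
                continue
            return False  # a lone quote would terminate the literal early
        i += 1
    return True


def lookup_parameterized(conn: sqlite3.Connection, uname: str, pwd: str):
    """Hardened alternative: a parameterised query treats both inputs as data,
    so neither escaping nor length limits are the application's job."""
    row = conn.execute(
        "SELECT uname FROM users WHERE uname = ? AND pwd = ?", (uname, pwd)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    # Probe from slide 7: fifteen digits followed by one single quote.
    probe = "123456789012345'"
    # Constructed in-memory table with a single user, for the parameterised lookup.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    vuln, fixed = massage_vulnerable(probe), massage_fixed(probe)
    return {
        "vuln_output": vuln,                       # "123456789012345'"  (dangling quote)
        "fixed_output": fixed,                     # "123456789012345''" (quote stays escaped)
        "vuln_balanced": quotes_balanced(vuln),    # False
        "fixed_balanced": quotes_balanced(fixed),  # True
        "vuln_query": build_query(vuln, "abc"),    # literal closes after the digits
        "fixed_query": build_query(fixed, "abc"),  # literal contains an escaped quote
        # Same probe through a parameterised query: it matches nobody.
        "param_result": lookup_parameterized(conn, probe, "constructed-wrong-password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The quote-balance check is only a detector for this one escaping scheme; the design lesson of the slides is that ordering two individually reasonable sanitisation steps is error-prone, which is why the parameterised lookup is the form to prefer.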

  9. Lessons Learned
     • Bugs → delicate SQL injection vulnerabilities
     • Need tools for inspecting security holes smartly and automatically

  10. General Approach (COMPSAC’07): Symbolic Execution + String Solver
      Components: Bytecode Instrumentor (bytecode → instrumented bytecode), Symbolic Execution Engine, String Solver, Test Case Generator, Attack Pattern Library
      Example constraint: x = .., y = .., x + “zbc” = y?

  11. SUSHI Constraint Solver: Application vs. Expressiveness (fully expressive: Undecidable!)

  12. Simple Linear String Equation (SISE)
      • String Expression = RegExp
      • Variables occur only on the LHS
      • Supports all frequent string operations: substring, indexing, replacement, concatenation

  13. Example (Password Bypass)
      LHS: apply massage on x (replacement and substring), concatenated; LHS = RHS

  14. Solution Algorithm
      • (1) Break to atomic steps
      • (2) Represent in finite state transducer
      • (3) Symbolic image computation
      • (4) Chain results => solution pool
      • (5) Solution pool => concrete solution

  15. Special Challenge (NFM’10)
      • Regular Replacement
      • Many semantics! Greedy, Reluctant, Declarative, …
      • Special algorithm for precise modeling

  16. Finite State Transducer
      • Accepts regular relation
      • Union, concat, composition
      • Intersection, complement
      • Used for modeling rewriting rules [Kaplan94, Karttunen96]
      Example A: states 1 → 2 → 3 → 4 with transitions ε:1, a:2, b:3; (ab,123) ∈ L(A)
      NFM 2010
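An added Python example of the two transducer operations the slides rely on, membership in the regular relation (slide 16) and image computation (step 3 of slide 14), over concrete strings rather than SUSHI's symbolic representation; this is illustration code, not the authors' implementation. SLIDE_FST is the three-transition automaton drawn on the slide; QUOTE_DOUBLER is a constructed rewriter over a small alphabet modelling the Replace("'","''") rule from slide 6.

```python
from collections import deque

EPS = ""  # epsilon: consumes / emits nothing


class FST:
    """A finite state transducer over strings: each transition reads an input
    string (possibly epsilon) and writes an output string (possibly epsilon)."""

    def __init__(self, start, finals, transitions):
        self.start = start
        self.finals = set(finals)
        self.transitions = list(transitions)  # (src, in_sym, out_sym, dst)

    def accepts(self, u: str, v: str) -> bool:
        """Is (u, v) in the regular relation L(A)? Breadth-first search over
        configurations (state, input position, output position)."""
        seen = set()
        queue = deque([(self.start, 0, 0)])
        while queue:
            q, i, j = queue.popleft()
            if (q, i, j) in seen:
                continue
            seen.add((q, i, j))
            if q in self.finals and i == len(u) and j == len(v):
                return True
            for src, a, b, dst in self.transitions:
                if src == q and u.startswith(a, i) and v.startswith(b, j):
                    queue.append((dst, i + len(a), j + len(b)))
        return False

    def image(self, u: str, max_out: int = 64) -> set:
        """All outputs v with (u, v) in L(A): the concrete counterpart of the
        solver's image computation. max_out bounds the output length so a
        transducer with output-only loops still terminates."""
        outputs, seen = set(), set()
        stack = [(self.start, 0, "")]
        while stack:
            q, i, out = stack.pop()
            if (q, i, out) in seen or len(out) > max_out:
                continue
            seen.add((q, i, out))
            if q in self.finals and i == len(u):
                outputs.add(out)
            for src, a, b, dst in self.transitions:
                if src == q and u.startswith(a, i):
                    stack.append((dst, i + len(a), out + b))
        return outputs


# The transducer drawn on the slide: states 1 -> 2 -> 3 -> 4, labels eps:1, a:2, b:3.
SLIDE_FST = FST(start=1, finals={4},
                transitions=[(1, EPS, "1", 2), (2, "a", "2", 3), (3, "b", "3", 4)])

# Constructed rewriter: doubles every single quote and copies the other symbols
# of a deliberately tiny alphabet unchanged (a rewriting rule as an FST).
QUOTE_DOUBLER = FST(start=0, finals={0},
                    transitions=[(0, "'", "''", 0)] + [(0, c, c, 0) for c in "ab1"])

if __name__ == "__main__":
    print(SLIDE_FST.accepts("ab", "123"))   # True
    print(SLIDE_FST.image("ab"))            # {'123'}
    print(QUOTE_DOUBLER.image("a'b"))       # {"a''b"}
```

Slide 18's point follows directly from QUOTE_DOUBLER: one explicit copy transition per character is hopeless for a Unicode alphabet, which is why the solver needs symbolic transition sets instead of the per-symbol list used here.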

  17. Modeling Greedy Semantics (NFM’2010)
      Search pattern a+, replacement x, input word aabab
      Step 1: Begin marker: #a#ab#ab
      Step 2: Nondeterministic end marker: #a#ab#a$b, #a$#a$b#a$b, #a#a$b#a$b, #a#a$b#ab
      Step 3: Pairing markers: #aa$b#a$b, #aaba$b
      Step 4: Checking match: #a$#a$b#a$b
      Step 5: Check longest
      Step 6: Replacement: xbxb
      One input word → one output word
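The marker-based modelling of slide 17, as an added Python example run on a concrete word instead of on transducers (this is not the NFM'10 algorithm itself, which works symbolically): every non-overlapping placement of begin/end markers whose segments match the search pattern is enumerated (steps 1 to 4), a consistency check keeps only the leftmost-longest placement for greedy or leftmost-shortest for reluctant semantics (step 5), and the survivor is rewritten (step 6). Both results are compared against Python's re.sub on the slide's instance a+ / x / aabab.

```python
import re


def candidate_markings(word: str, atom: str) -> list:
    """Steps 1-4 on a concrete word: enumerate every way to place markers so
    that each marked segment word[i:j] fully matches the search pattern and no
    two segments overlap. Returns a list of markings, each a list of (i, j)."""
    n = len(word)
    results = []

    def rec(pos, acc):
        if pos >= n:
            results.append(list(acc))
            return
        rec(pos + 1, acc)                   # leave this position unmarked
        for j in range(pos + 1, n + 1):     # or start a match here, ending at j
            if re.fullmatch(atom, word[pos:j]):
                acc.append((pos, j))
                rec(j, acc)
                acc.pop()

    rec(0, [])
    return results


def consistent(word: str, atom: str, marking: list, semantics: str) -> bool:
    """Step 5: keep a marking only if, scanning left to right, every position
    where a match could start does start one, and that match is the longest
    (greedy) or the shortest (reluctant) possible."""
    starts = dict(marking)
    pos = 0
    while pos < len(word):
        ends = [j for j in range(pos + 1, len(word) + 1)
                if re.fullmatch(atom, word[pos:j])]
        if not ends:
            pos += 1
            continue
        want = max(ends) if semantics == "greedy" else min(ends)
        if starts.get(pos) != want:
            return False
        pos = want
    return True


def apply_marking(word: str, marking: list, repl: str) -> str:
    """Step 6: rewrite every marked segment to the replacement word."""
    out, pos = [], 0
    for i, j in sorted(marking):
        out.append(word[pos:i])
        out.append(repl)
        pos = j
    out.append(word[pos:])
    return "".join(out)


def replace_all(word: str, atom: str, repl: str, semantics: str = "greedy") -> str:
    """One input word -> one output word: exactly one marking survives the check."""
    survivors = [m for m in candidate_markings(word, atom)
                 if consistent(word, atom, m, semantics)]
    assert len(survivors) == 1, survivors
    return apply_marking(word, survivors[0], repl)


if __name__ == "__main__":
    word, atom, repl = "aabab", "a+", "x"   # the slide's instance
    print(len(candidate_markings(word, atom)), "candidate markings")
    print("greedy   :", replace_all(word, atom, repl, "greedy"),
          "| re.sub(a+):", re.sub(atom, repl, word))
    # appending '?' turns this particular pattern into its reluctant form
    print("reluctant:", replace_all(word, atom, repl, "reluctant"),
          "| re.sub(a+?):", re.sub(atom + "?", repl, word))
```

The same word yields xbxb under greedy and xxbxb under reluctant semantics, which is the slide's point about "many semantics": a solver that models the wrong one will produce solutions the real sanitiser never sees, or miss the ones it does.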

  18. Deal with Unicode Alphabet
      • Explicit representation of transitions not working!
      • Compact representation: symbolic transition set
      • Special algorithm for FST composition etc.
      Figure: symbol classes Type I, Type II, Type III; paired transitions (I,I), (II,I), (III,II)

  19. Efficiency of Solver: Login Servlet benchmark equations, 1.4 seconds on a 2 GHz PC

  20. More Applications: XSS Attack
      • Vulnerability originally reported in SecTrack #1022748
      • Adobe Flex SDK 3.3
      • SUSHI found a much shorter attack signature
      • Equation size: 565; 74 seconds

  21. Related Work
      • Forward String Analysis
        • Christensen & Møller [SAS’03]
        • Wasserman & Su [PLDI’07, ICSE’08]
        • Bjørner & Tillmann [TACAS’09]
      • Backward String Analysis
        • Kiezun & Ganesh [ISSTA’09]
        • Yu & Bultan [SPIN’08, ASE’09]
        • Fu [COMPSAC’07, TAVWEB’08]
      • Natural Language Processing
        • Kaplan and Kay [CL’1994]
      • Our Contribution:
        • Precise modeling of various regular substitution semantics
        • Precise security analysis
        • ?? Compare with bit-blasting ??

  22. Conclusion
      • FST based string constraint solving
      • Applied to security analysis: SQL injection, XSS attack, more …
      • More expressive extension of SISE

  23. Questions?
