Sound and Precise Analysis of Web Applications for Injection Vulnerabilities


Presentation Transcript


  1. Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from http://wwwcsif.cs.ucdavis.edu/~wassermg/research/ Made some additions/clarifications!

  2. SQL Injection Vulnerabilities
  • 2006: 14% of CVEs were SQLCIVs (2nd most)
  • Percent of attacks likely much higher
  • Web applications are accessible
  • Databases hold valuable information
  (Figure: user input enters through the web browser, the application builds a SQL query, and the query goes to the database)

  3. Example
    <? $sid = addslashes($_GET['sid']); $query = "SELECT * FROM carts WHERE sid =".$sid; mysql_query($query); ?>
  On malicious input: SELECT * FROM carts WHERE sid=78 OR 1 = 1
  Result: Returns information from all shopping carts. (addslashes() only escapes quote characters; $sid is placed in an unquoted numeric position, so the escaping does not help.)

  4. Informal Characterization [POPL’06] During runtime, we can see that the parse tree changed to a completely different structure from the one we had in mind.

  5. Past Approaches
  • Runtime checks
    • Benefits: easy to be precise
    • State of the Art: lexical or syntactic confinement
    • Drawback: we pay many times the overhead of a correctly-placed check
  • Static analysis
    • Benefits: early bug detection; analyze code fragments; no runtime overhead
    • State of the Art: static taint analysis

  6. Static Checking for SQLCIVs: Dataflow Graph
  Code:
    $sid = addslashes($_GET['sid']); $query = "SELECT…".$sid; mysql_query($query);
  (Figure: dataflow graph with nodes $_GET['sid'] → addslashes() → $sid, and "SELECT…" . $sid → $query)

  7. Static Checking for SQLCIVs: Static Taint Analysis
  Code:
    $sid = addslashes($_GET['sid']); $query = "SELECT…".$sid; mysql_query($query);
  (Figure: the same dataflow graph annotated with integrity labels: $_GET['sid'] is a Source labelled U (untrusted); addslashes() is treated as a Sanitizer, so its output is T (trusted); "SELECT…" is T; T . T at the concatenation gives T; the Sink mysql_query() receives T. Result: false negative!)

  8. Static Checking for SQLCIVs: Static Taint Analysis vs. Our Goal
  (Figure, left, static taint analysis: Source U → Sanitizer addslashes() → T; T . T → T at the Sink: false negative!)
  (Figure, right, our goal: Source U → Transformation addslashes() → U'; values are tracked as a set of (Integrity × String)* sequences; T . U' → TU' at the Sink, which is checked against the policy)

  9. Static Checking for SQLCIVs: Our Goal
  How can we:
  • model semantics of transformation?
  • track integrity classes through transformations?
  • check the value at the sink against our policy?
  (Figure: Source U → Transformation addslashes() → U'; (Integrity × String)* Set; T . U' → TU' → Sink, check against policy)

  10. SQLCIV Analysis Framework
  (Figure: framework diagram with the components Static Taint Analysis and Compliance Check)

  11. String Analysis [Min05]
  • CFGs model string sets
  • Construct extended CFG from dataflow graph:
    GETsid → * (any string)
    Sid → addslashes(GETsid)
    C → SELECT…
    Query → C Sid
  (Figure: the dataflow graph $_GET['sid'] → addslashes() → $sid, and "SELECT…" . $sid → $query)

  12. String Analysis [Min05]
  • CFGs model string sets
  • Construct extended CFG from dataflow graph:
    GETsid → * (any string)
    Sid → addslashes(GETsid)
    C → SELECT…
    Query → C Sid
  (Figure: the same dataflow graph with integrity labels: $_GET['sid'] is U, the output of addslashes() is U', "SELECT…" is T, and the concatenated $query is TU')

  13. Modeling String Transformations
  • Finite State Transducers model string functions
  • Use FSTs to turn extended CFG into CFG
  Extended CFG: GETsid → *, Sid → addslashes(GETsid), C → SELECT…, Query → C Sid
  FST for stripslashes() (transitions written input / output):
    \ / ε (empty output)
    \ / \
    ' / '
    A / \A, where A ∈ Σ∖{'}
    B / B, where B ∈ Σ∖{\}
  • Example: O\'Brian → O'Brian
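An added example (not from the slides): a small interpreter for deterministic FSTs, with stripslashes() and addslashes() written out as transition tables. It assumes the full PHP semantics (every backslash-escaped character is unescaped), which is slightly broader than the transducer drawn on the slide:

```python
# Transition tables: (state, predicate on the input char, output function, next state),
# tried in order, so specific transitions come before the catch-all ones.
STRIPSLASHES = (0, [
    (0, lambda c: c == "\\", lambda c: "", 1),   # \ / ε: drop the backslash, remember it
    (0, lambda c: True,      lambda c: c,  0),   # B / B for B ∈ Σ∖{\}
    (1, lambda c: True,      lambda c: c,  0),   # after a backslash, emit the escaped char
])
ADDSLASHES = (0, [
    (0, lambda c: c in "'\"\\", lambda c: "\\" + c, 0),   # ' / \'  " / \"  \ / \\
    (0, lambda c: True,         lambda c: c,        0),   # everything else is copied
])

def run_fst(fst, text):
    """Run a deterministic FST over text and return the output string."""
    state, table = fst
    out = []
    for ch in text:
        for src, pred, emit, dst in table:
            if src == state and pred(ch):
                out.append(emit(ch))
                state = dst
                break
        else:
            raise ValueError(f"no transition from state {state} on {ch!r}")
    return "".join(out)
```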

  14. Tracking Integrity Classes
  Example FSA: states 0 and 1; 0 → 1 on [a-z]; 1 → 1 on [0-9]; accepted language [a-z][0-9]*
  Example CFG: S → a, S → S X, X → a* (languages a*, a[0-9]*)
  Labelled productions of the intersection: S01 → a, X11 → [0-9], S01 → S01 X11
  • Find CFG-FSA intersection via CFL-reachability
  • Propagate labels to corresponding nonterminals
  • Use this algorithm to find CFG's image over FST
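An added example (not from the slides) of the CFG-FSA intersection computed as a CFL-reachability fixpoint, producing the labelled productions shown on slides 14-16. The FSA and grammar are constructed to match the slide; the production X → [0-9] is our reading of the slide's X rule and is an assumption:

```python
import string

LOWER, DIGIT = frozenset(string.ascii_lowercase), frozenset(string.digits)

# Constructed inputs modelled on the slide. FSA edges are (from, char class, to);
# this automaton accepts [a-z][0-9]*.
FSA = {"edges": [(0, LOWER, 1), (1, DIGIT, 1)], "start": 0, "final": {1}}
# CFG productions (lhs, rhs); terminals are character sets, nonterminals are strings.
# X -> [0-9] is our assumption for the slide's X production.
CFG = [("S", [frozenset("a")]), ("S", ["S", "X"]), ("X", [DIGIT])]

def class_name(chars):
    return {DIGIT: "[0-9]", LOWER: "[a-z]"}.get(chars, "".join(sorted(chars)))

def labelled_productions(cfg, fsa):
    """CFG x FSA intersection via CFL-reachability. A fact (A, p, q) means
    nonterminal A derives some string that drives the FSA from state p to q;
    it is named A<p><q> and becomes a nonterminal of the intersection grammar."""
    facts, labelled = set(), set()

    def paths(rhs, p):
        # Enumerate FSA state paths spelled by rhs from state p: (labels, end state).
        if not rhs:
            yield [], p
            return
        sym, rest = rhs[0], rhs[1:]
        if isinstance(sym, frozenset):                      # terminal class
            for a, cls, b in fsa["edges"]:
                if a == p and sym & cls:
                    for tail, q in paths(rest, b):
                        yield [class_name(sym & cls)] + tail, q
        else:                                               # nonterminal
            for nt, a, b in list(facts):
                if nt == sym and a == p:
                    for tail, q in paths(rest, b):
                        yield [f"{nt}{a}{b}"] + tail, q

    states = {s for a, _, b in fsa["edges"] for s in (a, b)}
    while True:                                             # iterate to a fixpoint
        before = len(labelled)
        for lhs, rhs in cfg:
            for p in states:
                for labels, q in paths(rhs, p):
                    facts.add((lhs, p, q))
                    labelled.add(f"{lhs}{p}{q} -> {' '.join(labels)}")
        if len(labelled) == before:
            return sorted(labelled)

def intersection_nonempty(cfg, fsa, start="S"):
    """True when some string is both generated by the CFG and accepted by the FSA."""
    prods = labelled_productions(cfg, fsa)
    return any(p.startswith(f"{start}{fsa['start']}{f} ->") for f in fsa["final"] for p in prods)
```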

  17. Policy Conformance
  • Use SQL grammar as reference grammar
  • Check "literals" case with regular languages
  • Untrusted input: not in quoted context, not numeric, includes SQL code
    • DIRECT if immediately affected by user
    • INDIRECT if affected by previous query answer
  Example extended CFG:
    GETsid' → ( Σ∖{'} ∪ {\'} )*
    Sid → GETsid'
    C → SELECT * FROM users WHERE id =
    Query → C Sid

  18. Evaluation: Results
  • Modified Minamide's PHP String Analyzer
  • Evaluated on 6 real-world PHP web apps

  19. Example Vulnerability
    isset($_GET['userid']) ? $userid = $_GET['userid'] : $userid = '';
    if (!eregi('[0-9]+', $userid)) { unp_msg('invalid user ID.'); exit; }
    $getuser = $DB->query("SELECT * FROM `unp_user` WHERE userid='$userid'");
  Should be '^[0-9]+$' (unanchored, '[0-9]+' accepts any string that merely contains a digit)
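An added example (not from the slides) that encodes slide 17's "literals" check as two regular languages and applies it to the code of slides 3 and 19. php_addslashes is our model of PHP's addslashes(), and the verdict functions are constructed to mirror the two slides' code paths:

```python
import re

# Literal contexts from slide 17, each checked with a regular language.
QUOTED_OK = re.compile(r"^(?:[^'\\]|\\.)*$")   # inside '...': no unescaped quote
NUMERIC_OK = re.compile(r"^[0-9]+$")            # bare numeric literal

def php_addslashes(s):
    """Model of PHP addslashes(): backslash-escape ' " \ and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)

def literal_ok(untrusted, context):
    """True when the untrusted substring can only be (part of) a literal here."""
    if context == "quoted":
        return bool(QUOTED_OK.match(untrusted))
    if context == "numeric":
        return bool(NUMERIC_OK.match(untrusted))
    return False          # any other position: untrusted input would be SQL code

def carts_verdict(sid):
    """Slide 3: addslashes() output lands in an unquoted numeric position."""
    return "safe" if literal_ok(php_addslashes(sid), "numeric") else "SQLCIV"

def user_verdict(userid, anchored):
    """Slide 19: eregi() filter, then a quoted position with no escaping."""
    pattern = r"^[0-9]+$" if anchored else r"[0-9]+"
    if not re.search(pattern, userid):
        return "rejected"   # unp_msg('invalid user ID.'); exit;
    return "safe" if literal_ok(userid, "quoted") else "SQLCIV"
```

Escaping and context have to match: addslashes() output passes the quoted-context check but not the numeric one, and the unanchored eregi() filter admits values that break out of the quoted literal.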

  20. False Positive (casting problems)

  21. Indirect Error
  (Figure: labels "?", "Returned from DB", "Verified")

  22. Conclusions
  • Achieved accurate checking for SQLCIVs by tracking string values and sources
  • Successfully applied to real-world PHP programs and found subtle vulnerabilities
  • Future work:
    • Improve error reports
    • Apply to XSS
