1 / 29

Preventing Web Application Injections with Complementary Character Coding

Preventing Web Application Injections with Complementary Character Coding. Raymond Mui Phyllis Frankl Polytechnic Institute of NYU. Presented at ESORICS 2011 Supported by NSF and CATT; Patent Pending. Web Application Injection Attacks.

anne-beard
Download Presentation

Preventing Web Application Injections with Complementary Character Coding

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS 2011 Supported by NSF and CATT; Patent Pending

  2. Web Application Injection Attacks • Malicious user inputs cause unintended executions of commands • Caused by improper input sanitization • SQL injection and cross-site scripting rank among top application security threats (OWASP Top 10)

  3. <?PHP $message = $_POST[’message’]; $username = $_POST[’username’]; … //welcome the user if(isset($username)) { echo "Welcome $username <br />"; } // insert new message if(isset($message)) { $query = “insert into messages values(’$username’, ’$message’)"; mysql_query($query); } … // display all messages except the ones from admin $query = "select * from messages where not (user = ‘admin’)"; $result = mysql_query($query); echo ’<br /><b>Your messages:</b><br/>’; while($row=mysql_fetch_assoc($result)){ if($row[’username’] != $username) echo "you "; else echo "{ $row[’username’]} "; echo "wrote: { $row[’message’]}"; } … ?> Example: Vulnerable PHP program Unsanitized user inputs

  4. Normal Use select * from messages … DBMS insert into messages values(‘Alice’,’hello’); Alice Hello Web Server/ PHP Interpreter Bonnie <html> … Alice wrote Hello …

  5. SQL Injection insert into messages values(‘Alice’,’hello’); drop table messages; --’); Alice hello’); drop table messages; -- DBMS Web Server/ PHP Interpreter

  6. Persistent Cross-Site Scripting Alice <script>…</script> select * from messages … insert into messages values(‘Alice’,’<script> …’); DBMS Web Server/ PHP Interpreter Browser/Javascript Execute script with privileges Of the origin site Bonnie <html> … Alice wrote <script>…</script> …

  7. Injection Attack Defenses • Input sanitization • Blacklist / whitelist • In research • Dynamic tainting • Static analysis • Model checking • Instruction randomization • Machine learning • …

  8. Weaknesses of Current Approaches to Dynamic Tainting • Overhead • Code instrumentation • Storage and propagation of taint data • Sink checking • Requires detailed knowledge of context at taint sinks: • SQL syntax (for particular SQL dialect) • Taint propagation cannot cross component boundaries • Either the entire database is tainted or it is not • Persistent XSS

  9. Our Approach: Complementary Character Coding • Main idea • Turn dynamic tainting into a character coding • Free taint storage • Free taint propagation through execution • Taint propagation across components • Between application and database • Between client and server over HTTP • Complement Aware Components • Safe execution of unsanitized code against injection attacks • Backwards compatibility through HTTP content negotiation

  10. Complementary Character Coding • Two versions of every character • Each character gets two code points instead of one • Standard characters • Complement characters • Two flavors • Complementary ASCII • Complementary Unicode

  11. Complementary Character Coding: Comparison Functions • Value Comparison • A standard character is equal to its complement • Convert to standard character, and then compare all the bits • Full Comparison • Standard and complement versions of same character are not equal • Compare all the bits

  12. Complementary ASCII • Standard characters • Values 0 – 127 • Same as standard ASCII characters • Complement characters • Values 128 – 256

  13. Complementary Unicode • Unicode • Current version 6.0 • Less than 25% code space used or reserved • Allows possibility of having more than two versions of each character • Future work

  14. Dynamic Tainting with Complementary Character Coding • Encode untrusted user inputs with complement characters • Explicitly converted by the server on entry • Encode trusted developer code with standard characters • Value comparison during execution • Functionality remains the same • Automatic taint propagation by execution • Taint propagation over database and HTTP • Each complement aware component has complete picture of taint status during parsing

  15. Complement Aware Components and Security Policy • Allowed token set • Specified by each component individually for parsing • Defines tokens allowed to contain untrusted characters • Default policy • Allowed token set = {numbers, string literals} • Prevents all possible injections • Maybe too restrictive for web browsers • More permissive policies • Browsers could allow tainted formatting tags • Allowed token set = {numbers, string literals, <b>, <i>, etc.} • Enforcement • Match tokens in allowed token set with value comparison • Everything else (forbidden tokens) are matched with full comparison

  16. Example: Vulnerable PHP program <?PHP … $message = $_POST[’message’]; $username = $_POST[’username’]; … //welcome the user if(isset($username)) { echo "Welcome $username <br />"; } // insert new message if(isset($message)) { $query = “INSERT INTO messages VALUES(’$username’, ’$message’)"; MySQL_query($query); } … // display all messages except the ones from admin $query = "select * from messages where not (user = ‘admin’)”; $result = MySQL_query($query); echo ’<br /><b>Your messages:</b>’; while($row=MySQL_fetch_assoc($result)){ if($row[’username’] != $username) echo "you"; else echo " {$row[’username’]} "; echo "wrote: {$row[’message’]}"; } … ?> Untrusted inputs converted Into complement characters by server Value comparison Used by DBMS And PHP interpreter here

  17. SQL Injection with Complement Aware DBMS insert into messages values(‘Alice’,’hello’); drop table messages;--’); Alice hello’); drop table messages; -- … DBMS Web Server/ PHP Interpreter ‘ does not match ‘ ; does not match ; ) does not match ) drop does not match drop, etc. So DBMS stores literal rather than dropping table. Red denotes complement characters

  18. Persistent Cross-site scripting attack insert into messages values(‘Alice’,’<script>…’); Alice <script>…</script> select * from messages … DBMS Web Server/ PHP Interpreter Bonnie <html> … Alice wrote <script>…</script> … <script> does not match <script>, etc., so browser displays the characters rather than executing the script.

  19. More permissive browser security policy: Allowed token set includes boldface tags Alice <b>Hello</b> select * from messages … insert into messages values(‘Alice’,’<b>Hello</b>’); DBMS Web Server/ PHP Interpreter Bonnie Browser, Javascript, … Policy with allowed token set: {<b>, </b>, …} Boldface tags matched with value comparison, so browser renders Hello in bold. <html> … Alice wrote <b>Hello</b> …

  20. Backwards Compatibility • Take advantage of HTTP content negotiation mechanism • Web browsers identify themselves through Accept-Charset header • Complement aware browser • Send output in complementary character coding • Non-complement aware browser • Route output through a filter that acts as a complement aware browser • Apply security policy (e.g. default policy) • Convert output into format specified by Accept-Charset header • Extra overhead • Gradually decrease as more people upgrade to complement aware browser

  21. Prototype Implementation • Done in complementary ASCII • LAMP (Linux Apache MySQL PHP) • Default policy • Backwards compatible with standard browsers • Firefox • Customized security policies through defined allowed token sets • Enough to run proof-of-concept experiments

  22. Experimental Evaluation • Evaluation objectives • Effectiveness • Possible Defects • Overhead • Benchmarks • SQL Injection Application Testbed (Halfond et al) • ATTACK set • LEGIT set • ARDILLA (Kieyzun et al) • Generated using automated technique • SQL injection, reflected XSS, and persistent XSS

  23. Benchmarks

  24. Results: Effectiveness • Ran ATTACK set from SQL Injection Application Testbed using a script • Checked database logs for SQL injection • Manually executed ARDILLA test cases • Found no signs of injections

  25. Results: Possible Defects • Set up original and complement aware web server with identical initial environments • Ran LEGIT set from SQL Injection Application Testbed on both • Compared output produced by both versions • Resulting web pages identical by value comparison

  26. Ran LEGIT set in SQL Injection Application Testbed and compared average over 100 runs • Worse case overhead less than 2%

  27. Conclusion and Future Work Complementary character coding Low overhead character level taint tracking Taint propagation across component boundaries Complement aware components Safe execution of unsanitized code against injection attacks Backwards compatibility with current browsers Future Work Implement complementary Unicode Explore other applications of complementary character coding Web standard

  28. Questions?

More Related