220 likes | 352 Views
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities. Gary Wassermann and Zhendong Su UC Davis Slides from http://wwwcsif.cs.ucdavis.edu/~wassermg/research/ Made some additions/clarifications!. SQL Injection Vulnerabilities.
E N D
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from http://wwwcsif.cs.ucdavis.edu/~wassermg/research/ Made some additions/clarifications!
SQL Injection Vulnerabilities • 2006: 14% of CVEs were SQLCIVs (2nd most) • Percent of attacks likely much higher • Web applications are accessible • Databases hold valuable information User input SQL Query Database Web browser Application
Example <? $sid = addslashes($_GET[‘sid’]); $query = “SELECT * FROM carts WHERE sid =”.$sid; mysql_query($query); ?> On malicious input: SELECT * FROM carts WHERE sid=78 OR 1 = 1 ( ) ( ) Result: Returns information from all shopping carts.
Informal Characterization [POPL’06] During runtime, we can see that the parse tree changed to a completely different structure from the one we had in mind.
Past Approaches • Runtime checks • Benefits: easy to be precise • State of the Art: lexical or syntactic confinement • Drawback: We pay many times the overhead of a correctly-placed check • Static analysis • Benefits • Early bug detection • Analyze code fragments • No runtime overhead • State of the Art: static taint analysis
Static Checking for SQLCIVs Dataflow Graph Code $sid = addslashes($_GET[‘sid’]); $query = “SELECT…”.$sid; mysql_query($query); $_GET[‘sid’] addslashes() SELECT… $sid . $query
Static Checking for SQLCIVs Static Taint Analysis Code $sid = addslashes($_GET[‘sid’]); $query = “SELECT…”.$sid; mysql_query($query); U Source Sanitizer addslashes() Integrity T T . T Sink false negative!
Static Checking for SQLCIVs Static Taint Analysis Our Goal U U Source Source Sanitizer Transformation addslashes() addslashes() (Integrity x String)* Set Integrity T T T U’ . . check against policy T TU’ Sink Sink false negative!
Static Checking for SQLCIVs Our Goal How can we: • model semantics of transformation? • track integrity classes through transformations? • check the value at the sink against our policy? U Source Transformation addslashes() (Integrity x String)* Set T U’ . check against policy TU’ Sink
SQLCIV analysis Framework Static Taint Analysis Compliance Check
String Analysis [Min05] • CFGs model string sets • Construct extended CFG from dataflow graph GETsid!* Sid!addslashes(GETsid) C! SELECT… Query!C Sid $_GET[‘sid’] addslashes() SELECT… $sid . $query
String Analysis [Min05] • CFGs model string sets • Construct extended CFG from dataflow graph GETsid!* Sid!addslashes(GETsid) C! SELECT… Query!C Sid U $_GET[‘sid’] addslashes() T U’ SELECT… $sid . TU’ $query
Modeling String Transformations stripslashes() • Finite State Transducers model string functions • Use FSTs to turn extended CFG into CFG GETsid!* Sid! addslashes(GETsid) C! SELECT… Query!C Sid Input Output \ / \ / \ ' / ' A/ \A B/ B A2b{'} B2b{\} • O\'Brian ! O'Brian
Tracking Integrity Classes X11 S01 0-9 a-z 0 1 [a-z][0-9]* S01! a X11! [0-9] S01! S01 X11 S ! a S ! S X X ! a* a[0-9]* Find CFG-FSA intersection via CFL-reachability Propagate labels to corresponding nonterminals Use this algorithm to find CFG’s image over FST
Tracking Integrity Classes X11 S01 0-9 a-z 0 1 [a-z][0-9]* S01! a X11! [0-9] S01! S01 X11 S! a S!SX X! a* a[0-9]* Find CFG-FSA intersection via CFL-reachability Propagate labels to corresponding nonterminals Use this algorithm to find CFG’s image over FST
Tracking Integrity Classes X11 S01 0-9 a-z 0 1 [a-z][0-9]* S01! a X11! [0-9] S01!S01X11 S! a S!SX X! a* a[0-9]* Find CFG-FSA intersection via CFL-reachability Propagate labels to corresponding nonterminals Use this algorithm to find CFG’s image over FST
Policy Conformance • Use SQL grammar as reference grammar • Check “literals” case with regular languages • Untrusted input • not in quoted context, not numeric, includes SQL code • DIRECT if immediately affected by user • INDIRECT if affected by previous query answer GETsid’!( b{’} [{\’} )* Sid!GETsid’ C! SELECT * FROM users WHERE id = Query!C Sid
Evaluation: Results • Modified Minamide’s PHP String Analyzer • Evaluated on 6 real-world PHP web apps
Example Vulnerability isset($_GET[‘userid’])?$userid=$_GET[‘userid’]:$userid= ‘’; if(!eregi(‘[0-9]+’, $userid)) { unp_msg(‘invalid user ID.’); exit; } $getuser=$DB-> query(“SELECT * FROM `unp_user` WHERE userid=‘$userid’”); Should be ‘^[0-9]+$’
False Positive CASTING PROBLEMS
Indirect Error ? Returned from DB Verified
Conclusions • Achieved accurate checking for SQLCIVs by tracking string values and sources • Successfully applied to real-world PHP programs and found subtle vulnerabilities • Future work: • Improve error reports • Apply to XSS