240 likes | 372 Views
A String Constraint Solver for Detecting Web Application Vulnerability. Xiang Fu Hofstra University Chung-Chih Li Illinois State University. Outline. Motivation General Context: Static Analysis + String Constraint Solving Constraint Solving Technique Regular Replacement
E N D
A String Constraint Solver for Detecting Web Application Vulnerability Xiang Fu Hofstra University Chung-Chih Li Illinois State University SEKES 2010
Outline • Motivation • General Context: Static Analysis + String Constraint Solving • Constraint Solving Technique • Regular Replacement • Application & Experimental Data • Conclusion SEKES 2010
Vulnerable Web Applications • Web App. Successful for Decade! • Public Accessibility Vulnerability “Today over 70% of attacks against a company’s website or web application come at the ‘Application Layer’ not the network or system layer.” - Gartner Group SEKES 2010
-- comments out rest Log-in w/o pwd! SQL Injection Trick Example: uname “admin’--”, pwd as “abc” SELECT uname, pwd FROM users WHERE uname = ’ ’AND pwd=’ ’ admin’-- abc string sState = “SELECT uname, pwd FROM users \n” + “WHERE uname = ’” + + “’ AND pwd =’” + + “’” tUname.txt tPwd.txt SEKES 2010
Challenges • User Input Validation – the Cure? Programmers are Human Being! SEKES 2010
Generate Escaping Character of SINGLE QUOTE Limit String Size Chop off after 16th char Input Validation Not Easy Can you find an attack against massage? String massage(String strInput) { String sOut = strInput.Replace("’","’’"); sOut = sOut.Substring(0,16); return sOut; } SEKES 2010
123456789012345’ 123456789012345’’ 123456789012345’ The Cracking Process String massage(String strInput) { String sOut = strInput.Replace("’","’’"); sOut = sOut.Substring(0,16); return sOut; } SEKES 2010
Condition 1 Treated as one single quote Condition 2 tautology! SQL Statement Constructed SELECT uname,pwd FROM users WHERE uname=’123456789012345’’ AND pwd=’ OR uname<>’’ SEKES 2010
Lessons Learned • Bugs Delicate SQL Injection Vul. • Need Tools for Inspecting Security Holes Smartly and Automatically SEKES 2010
001000 101010 010101 010101 010101 101010 x=.. y=.. x + “zbc” = y? bytecode 001000 101010 010101 010101 010101 101010 instrumentedbytecode General Approach: (COMPSAC’07)Symbolic Execution + String Solver Bytecode Instrumentor Test Case Generator Sym. Execution Engine String Solver Attack PatternLibrary SEKES 2010
SUSHI Constraint Solver Application Expressiveness Undecidable! SEKES 2010
Simple Linear String Equation String Expression = RegExp Variables occur only on LHS Support all string freq ops: Substring, indexing, replacement, concatenation SEKES 2010
Example (Password Bypass) + + LHS Apply massage on x: replacement and substring + + = RHS SEKES 2010
Solution Algorithm • (1) Break to Atomic Steps • (2) Represent in Finite State Transducer • (3) Symbolic Image Computation • (4) Chain Results => Solution Pool • (5) Solution Pool => Concrete Solution SEKES 2010
Special Challenge (NFM’10) • Regular Replacement • Many Semantics! • Greedy • Reluctant • Declarative • … • Special Algorithm for Precise Modeling SEKES 2010
Finite State Transducer • Accepts Regular Relation • Union, Concat, Composition • Intersection, Complement • Used for Modeling Rewriting Rules [Kaplan94, Karttunen96] ε:1 a:2 1 2 3 4 b:3 A (ab,123) ∈ L(A) NFM 2010
Modeling Greedy Semantics(NFM’2010) Search Pattern a+ x aabab Step 1: Begin Marker #a#ab#ab Step 2: ND End Marker #a#ab#a$b #a$#a$b#a$b #a#a$b#a$b #a#a$b#ab Step 3: Pairing Markers #aa$b#a$b #aaba$b Step 4: Checking Match #a$#a$b#a$b Step 5: Check Longest Step 6: Replacement xbxb One Input Word One Output Word NFM 2010
Deal with Unicode Alphabet Type I Type II Type III • Explicit Rep. of Transition Not Working! • Compact Representation • Symbolic Transition Set • Special Alg. For FST Composition etc. (I,I) (II,I) (III,II) NFM 2010
Login Servlet Efficiency of Solver 1.4 Seconds on 2Ghz PC Bench Mark Equations NFM 2010
More Applications: XSS Attack • Vul. Originally Reported in SecTrack #1022748 • Adobe Flex SDK 3.3 • SUSHI found Much Shorter Attack Signature Equation Size: 565 74 Seconds SEKES 2010
Related Work • Forward String Analysis • Christensen & Møller [SAS’03] • Wasserman & Su [PLDI’07, ICSE’08] • Bjørner & Tillmann [TACAS’09] • Backward String Analysis • Kiezun & Ganesh [ISSTA’09] • Yu & Bultan [SPIN’08, ASE’09] • Fu [COMPSAC’07, TAVWEB’08] • Natural Language Processing • * Kaplan and Kay [CL’1994] • Our Contribution: • Precise Modeling of Various Regular Substitution Semantics • Precise Security Analysis • ?? Compare with Bit-blasting?? NFM 2010
Conclusion • FST based String Constraint Solving • Applied to Security Analysis • SQL Injection • XSS Attack • More … • More Expressive Extension of SISE SEKES 2010
Questions? SEKES 2010