Post on 17-Jan-2016
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities
Gary Wassermann and Zhendong Su, UC Davis
Slides from http://wwwcsif.cs.ucdavis.edu/~wassermg/research/ Made some additions/clarifications!
SQL Injection Vulnerabilities
• 2006: 14% of CVEs were SQLCIVs (2nd most)
• Percent of attacks likely much higher
  – Web applications are accessible
  – Databases hold valuable information
[Figure: the web browser sends user input to the application, which sends an SQL query to the database]
Example
<?
$sid = addslashes($_GET['sid']);
// addslashes() escapes quotes, but $sid is used unquoted as a number
$query = "SELECT * FROM carts WHERE sid = ".$sid;
mysql_query($query);
?>
On malicious input: SELECT * FROM carts WHERE sid = 78 OR 1 = 1
Result: Returns information from all shopping carts.
Informal Characterization [POPL'06]
During runtime, we can see that the parse tree changed to a completely different structure from the one we had in mind.
Past Approaches
• Runtime checks
  – Benefits: easy to be precise
  – State of the art: lexical or syntactic confinement
  – Drawback: we pay many times the overhead of a correctly-placed check
• Static analysis
  – Benefits: early bug detection, analyze code fragments, no runtime overhead
  – State of the art: static taint analysis
Static Checking for SQLCIVs
Dataflow graph for the example code:
$sid = addslashes($_GET['sid']);
$query = "SELECT…".$sid;
mysql_query($query);
[Figure: dataflow graph with nodes $_GET['sid'] → addslashes() → $sid → $query (concatenated with the constant "SELECT…") → mysql_query()]
Static Checking for SQLCIVs
Static taint analysis on the same code:
$sid = addslashes($_GET['sid']);
$query = "SELECT…".$sid;
mysql_query($query);
[Figure: the dataflow graph with an integrity label on each node. Abstract domain: Integrity, one label U (untrusted) or T (trusted) per value. The source $_GET['sid'] is U; the sanitizer addslashes() turns it into T, so $sid, $query and the sink mysql_query() are all T and nothing is reported: a false negative.]
Static Checking for SQLCIVs
[Figure, left: static taint analysis as on the previous slide. Abstract domain: Integrity. Source U, sanitizer addslashes() yields T, sink T: a false negative.]
[Figure, right: our goal. Abstract domain: a Set of (Integrity × String)* sequences, i.e. each value is a set of strings whose pieces carry integrity labels. addslashes() is modeled as a transformation rather than a sanitizer: source U becomes U' (still untrusted, but transformed), and the value reaching the sink is checked against a policy instead of being trusted.]
Static Checking for SQLCIVs
Our Goal
[Figure: source U, transformation addslashes() yields U', and the sink's value, an element of the (Integrity × String)* Set domain, is checked against policy.]
How can we:
• model semantics of transformation?
• track integrity classes through transformations?
• check the value at the sink against our policy?
SQLCIV Analysis Framework
[Figure: pipeline of static taint analysis over the dataflow graph $_GET['sid'] → $sid → $query → SELECT…, followed by a compliance check]
String Analysis
• CFGs model string sets
• Construct extended CFG from dataflow graph [Min05]
  GETsid → Σ*
  Sid → addslashes(GETsid)
  C → SELECT…
  Query → C Sid
[Figure: the dataflow graph $_GET['sid'] → addslashes() → $sid → $query, with integrity labels U, U' and T on its nodes]
Modeling String Transformations
• Finite State Transducers model string functions
• Use FSTs to turn extended CFG into CFG
  GETsid → Σ*
  Sid → addslashes(GETsid)
  C → SELECT…
  Query → C Sid
[Figure: FST for stripslashes(), transitions labelled Input / Output: B / B for B ∈ Σ∖{\}; \ / ε; ' / '; A / \A for A ∈ Σ∖{'}. Example: O\'Brian → O'Brian]
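An added example (not from the slides or their tool) that runs the stripslashes() transducer of the figure and the single-state addslashes() sanitizer from the first example slide; the state layout of the stripslashes() FST is assumed from how the figure reads.

```python
from typing import Callable, List, Optional, Tuple

# Transition: (source state, input predicate, output for that input, target state).
Transition = Tuple[int, Callable[[str], bool], Callable[[str], str], int]

# The slide's stripslashes() model (assumed layout): start in state 0; a backslash
# moves to state 1 and is dropped; in state 1 a quote is emitted bare and any other
# character A is re-emitted as \A. Real PHP stripslashes() drops every backslash;
# this is the slide's simplified model.
STRIPSLASHES: List[Transition] = [
    (0, lambda c: c != "\\", lambda c: c, 0),        # B / B,  B ∈ Σ∖{\}
    (0, lambda c: c == "\\", lambda c: "", 1),        # \ / ε
    (1, lambda c: c == "'", lambda c: "'", 0),        # ' / '
    (1, lambda c: c != "'", lambda c: "\\" + c, 0),   # A / \A, A ∈ Σ∖{'}
]

# addslashes(): one state, prefixes ', ", \ and NUL with a backslash, copies the rest.
ADDSLASHES: List[Transition] = [
    (0, lambda c: c in "'\"\\\0", lambda c: "\\" + c, 0),
    (0, lambda c: c not in "'\"\\\0", lambda c: c, 0),
]

def run_fst(fst: List[Transition], text: str, start: int = 0,
            accepting: Tuple[int, ...] = (0,)) -> Optional[str]:
    """Run a deterministic FST on one string. Returns the output, or None if some
    character has no transition or the run ends in a non-accepting state."""
    state, out = start, []
    for ch in text:
        for src, matches, emit, dst in fst:
            if src == state and matches(ch):
                out.append(emit(ch))
                state = dst
                break
        else:
            return None
    return "".join(out) if state in accepting else None

def image(fst: List[Transition], strings) -> set:
    """Image of a finite string set under the FST. The slides compute the same thing
    for the infinite set described by a CFG, via the CFG-FST construction."""
    return {o for s in strings if (o := run_fst(fst, s)) is not None}
```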
Tracking Integrity Classes
• Find CFG-FSA intersection via CFL-reachability
• Propagate labels to corresponding nonterminals
• Use this algorithm to find CFG's image over FST
Example CFG (language aΣ*):
  S → a
  S → S X
  X → Σ
FSA for [a-z][0-9]*: 0 --[a-z]--> 1, 1 --[0-9]--> 1 (state 1 accepting)
Intersection, with nonterminals annotated by FSA state pairs (language a[0-9]*):
  S01 → a
  X11 → [0-9]
  S01 → S01 X11
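The CFG-FSA intersection of this slide, as an added example that is not the slides' or Minamide's analyzer's code: a Bar-Hillel style construction annotates each nonterminal with an FSA state pair, then CFL-reachability keeps only productive and reachable annotated productions. The grammar, automaton and the finite stand-in for Σ are constructed here to match the slide.

```python
from itertools import product

# Terminal symbols are frozensets of characters (classes); nonterminals are strings.
LOWER, DIGITS = frozenset("abcdefghijklmnopqrstuvwxyz"), frozenset("0123456789")
SIGMA = LOWER | DIGITS | frozenset(" '\\=*")   # constructed finite stand-in for Σ

CFG = [("S", [frozenset("a")]), ("S", ["S", "X"]), ("X", [SIGMA])]   # S -> a | S X, X -> Σ
FSA_TRANS, FSA_STATES = [(0, LOWER, 1), (1, DIGITS, 1)], (0, 1)      # [a-z][0-9]*, 0 -> 1

def is_term(sym) -> bool:
    return isinstance(sym, frozenset)

def intersect(cfg, fsa_trans, states, start_nt, p0, pf):
    """Annotate each nonterminal A with a state pair: A_pq derives the strings that A
    derives and that also move the FSA from p to q. Keep only annotated productions
    that are productive (bottom-up fixed point) and reachable from start_nt_{p0 pf}."""
    cand = []
    for lhs, rhs in cfg:
        if len(rhs) == 1 and is_term(rhs[0]):            # A -> class
            cand += [(f"{lhs}{p}{q}", [rhs[0] & cls]) for p, cls, q in fsa_trans if rhs[0] & cls]
        elif len(rhs) == 1:                               # A -> B
            cand += [(f"{lhs}{p}{q}", [f"{rhs[0]}{p}{q}"]) for p, q in product(states, repeat=2)]
        elif len(rhs) == 2:                               # A -> B C
            cand += [(f"{lhs}{p}{r}", [f"{rhs[0]}{p}{q}", f"{rhs[1]}{q}{r}"])
                     for p, q, r in product(states, repeat=3)]
        else:
            raise ValueError("binarize productions with more than two symbols first")
    productive, grew = set(), True
    while grew:
        grew = False
        for lhs, rhs in cand:
            if lhs not in productive and all(is_term(s) or s in productive for s in rhs):
                productive.add(lhs)
                grew = True
    live = [(l, r) for l, r in cand if all(is_term(s) or s in productive for s in r)]
    reach, todo = set(), [f"{start_nt}{p0}{pf}"]
    while todo:
        nt = todo.pop()
        if nt not in reach:
            reach.add(nt)
            todo += [s for l, r in live if l == nt for s in r if not is_term(s)]
    return [(l, r) for l, r in live if l in reach]

def show(prods):
    """Render an annotated grammar; the two classes used here print as ranges."""
    name = lambda s: {LOWER: "[a-z]", DIGITS: "[0-9]"}.get(s, "".join(sorted(s))) if is_term(s) else s
    return sorted(f"{l} -> " + " ".join(name(s) for s in r) for l, r in prods)
RESULT = show(intersect(CFG, FSA_TRANS, FSA_STATES, "S", 0, 1))
# RESULT == ['S01 -> S01 X11', 'S01 -> a', 'X11 -> [0-9]'], i.e. the language a[0-9]*
```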
Policy Conformance
• Use SQL grammar as reference grammar
• Check "literals" case with regular languages
• Untrusted input: not in quoted context, not numeric, includes SQL code
  – DIRECT if immediately affected by user
  – INDIRECT if affected by previous query answer
Example (after addslashes):
  GETsid' → (Σ∖{'} ∪ {\'})*
  Sid → GETsid'
  C → SELECT * FROM users WHERE id =
  Query → C Sid
Evaluation: Results
• Modified Minamide's PHP String Analyzer
• Evaluated on 6 real-world PHP web apps

Subject     Lines     String-Taint    Policy Conformance   Real errors   Real errors   False
                      time (h:mm:ss)  time (h:mm:ss)       (Direct)      (Indirect)    errors
Claroline   169,479   3:04:11         0:02:22              30            11            24
e107        132,862   1:08:05         0:01:39               4             8            15
EVE             904   0:00:01         0:00:04               4             0             1
Tiger        14,350   3:14:07         3:27:50               0             3             2
Utopia        5,438   0:13:10         0:00:48              14             2            12
Warp         24,365   0:00:52         0:04:49               0             0             0
Example Vulnerability
isset($_GET['userid']) ? $userid = $_GET['userid'] : $userid = '';
if (!eregi('[0-9]+', $userid)) {
    unp_msg('invalid user ID.');
    exit;
}
$getuser = $DB->query("SELECT * FROM `unp_user` WHERE userid='$userid'");
Should be '^[0-9]+$' (eregi() is an unanchored search, so '[0-9]+' accepts any string that contains a digit)
False positives: casting problems
Indirect errors: verified / ? (value returned from the DB)
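An added example, not the slides' tool, serving the Policy Conformance slide and this Example Vulnerability: a regular-language check of the "literals" case, beside the application's own eregi() filter in both its unanchored and anchored form. The quoted-literal language is slightly tighter than the slide's (Σ∖{'} ∪ {\'})*, since it also requires every backslash to escape exactly one character; the sample inputs are constructed.

```python
import re

# An untrusted fragment conforms only if it is exactly one SQL literal in the context
# the query places it in: a whole number, or the body of a single-quoted string in
# which no quote is bare and every backslash escapes one character.
NUMERIC_LITERAL = re.compile(r"[0-9]+")
QUOTED_BODY = re.compile(r"(?:[^'\\]|\\.)*")

def fragment_conforms(context: str, fragment: str) -> bool:
    """True if the fragment cannot change the query's parse tree in that context."""
    pattern = {"numeric": NUMERIC_LITERAL, "quoted": QUOTED_BODY}[context]
    return pattern.fullmatch(fragment) is not None

def app_filter_accepts(userid: str, anchored: bool) -> bool:
    """The slide's filter in Python: PHP eregi() is an unanchored, case-insensitive
    search, so '[0-9]+' passes any string containing a digit; '^[0-9]+$' does not."""
    pat = r"^[0-9]+$" if anchored else r"[0-9]+"
    return re.search(pat, userid, re.IGNORECASE) is not None

def classify(userid: str) -> dict:
    """What the app's filter lets through versus what the policy allows. The slide's
    query puts $userid inside quotes, so the quoted context applies; the numeric
    context is what the first example slide's unquoted sid = $sid would require."""
    return {
        "unanchored_filter": app_filter_accepts(userid, anchored=False),
        "anchored_filter": app_filter_accepts(userid, anchored=True),
        "policy_quoted": fragment_conforms("quoted", userid),
        "policy_numeric": fragment_conforms("numeric", userid),
    }
```

Note that the slides' "78 OR 1 = 1" stays a harmless string literal inside quotes but changes the parse tree in the unquoted query, which is why the policy is checked per context rather than per value.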
Conclusions
• Achieved accurate checking for SQLCIVs by tracking string values and sources
• Successfully applied to real-world PHP programs and found subtle vulnerabilities
• Future work:
  – Improve error reports
  – Apply to XSS