ARC: Protecting against HTTP Parameter Pollution Attacks Using
Application Request Caches
Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis (Columbia University, US)
Evangelos P. Markatos (FORTH-ICS, Greece)
ACNS 2012
Elias Athanasopoulos, Columbia University 2
Web Applications
ARC, ACNS 2012
Web Browser -> Web Server, HTTP Request: GET login?username=joe
Web Server -> Web Browser, HTTP Response: HTTP OK
URLs in HTTP
HTTP Request: GET login?username=joe
URL: login?username=joe
Action: login
Parameters: username
Example: Web e-mail
Login:          login?username=joe
Read e-mail:    action?type=read&id=42
Delete e-mail:  action?type=delete&id=42
Delete mailbox: action?type=del_box&id=inbox
Logout:         logout?username=joe
Are all URLs valid?
login?username=joe&type=delete&id=42
action?type=read&id=42&id=2
action?type=delete&id=2&id=42
action?type=del_box
logout?username=joe&type=del_mbox&id=inbox
HTTP Parameter Pollution (HPP)
action?type=read&id=6&id=42
How is this URL interpreted?
Parsing goes from left to right (6 wins): the application sees action?type=read&id=6
Parsing goes from right to left (42 wins)
Parsing direction does not matter (6 and 42, or 42 and 6, are concatenated)
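The three interpretations on the slide, run side by side, as an added example in Go (the language ARC is written in). This is illustration code, not code from the slides or from ARC: the policy names, the comma used as separator in the concatenated case, and the duplicated() pre-check are this example's own choices.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// The three interpretations of a duplicated parameter listed on the slide.
// Which one a back end applies depends on its framework; the names are labels
// for this example only.
const (
	FirstWins   = "first-wins"  // left-to-right: the first occurrence is kept
	LastWins    = "last-wins"   // right-to-left: the last occurrence is kept
	Concatenate = "concatenate" // all occurrences are joined
)

// resolve returns the value a back end applying policy would see for name.
// net/url keeps every occurrence, in order, so the policy is applied on top
// of the parsed list instead of relying on any parser default.
func resolve(rawQuery, name, policy string) (string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	occurrences := values[name]
	if len(occurrences) == 0 {
		return "", fmt.Errorf("parameter %q absent", name)
	}
	switch policy {
	case FirstWins:
		return occurrences[0], nil
	case LastWins:
		return occurrences[len(occurrences)-1], nil
	case Concatenate:
		// The separator is framework-specific; a comma is assumed here.
		return strings.Join(occurrences, ","), nil
	}
	return "", fmt.Errorf("unknown policy %q", policy)
}

// duplicated lists the parameter names that occur more than once in rawQuery:
// exactly the condition under which different back ends disagree about the
// request, so it is a cheap pre-check a proxy can apply before forwarding.
func duplicated(rawQuery string) ([]string, error) {
	values, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	var names []string
	for name, occ := range values {
		if len(occ) > 1 {
			names = append(names, name)
		}
	}
	sort.Strings(names) // map iteration order is random; make output stable
	return names, nil
}

func main() {
	// The slide's polluted URL, query part only.
	const polluted = "type=read&id=6&id=42"
	for _, policy := range []string{FirstWins, LastWins, Concatenate} {
		id, err := resolve(polluted, "id", policy)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s id=%s\n", policy, id)
	}
	dup, _ := duplicated(polluted)
	fmt.Println("duplicated parameters:", dup)
}
```

The point of the side-by-side run is that the same bytes on the wire yield id=6, id=42 or id=6,42 depending on the parser, which is why a filter in front of the application cannot reason about the value and has to reason about the shape of the request instead.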
HPP is yet another injection attack
Ambiguity in parsing parameters makes HPP possible
URL Space
Figure: the URL space, showing all possible URLs, the URLs that define the Web application's logic, and attacker URLs.
HPP Impact
About 1,499 of the 5,000 highly ranked Alexa.com web sites examined are considered
vulnerable to HPP exploitation
Automated discovery of parameter pollution vulnerabilities in web applications. Balduzzi et al., NDSS 2011.
Application Request Caches
Goal
Figure: the URL space. Among all possible URLs, the URLs that define the Web application's logic are the ones we need to serve; the attacker URLs are the ones we need to block.
URL Schema
A URL schema has the form: action?par1=&par2=...&parN=
Example: the URL login?username=joe has the schema login?username=
Architecture
Training phase: Web application + passive monitoring -> collection of legitimate URL schemas
Deployment phase: Client -> HTTP request -> ARC -> Web application
Training Phase
Large frameworks (such as phpBB) are developed and tested by a large community
Big applications (such as Facebook) test new features in a closed environment
ARC at run-time
HTTP request -> ARC, which holds the URL schemas (action?par1=&par2=&...&parN=)
Valid schema exists -> forward the request to the Web application
No schema -> reject the request
Implementation
ARC is a web application proxy implemented in Go (Google's language)
ARC uses Go's built-in data structures for hash tables and lists, and Go channels for multithreading
Data Structures
Example: action?type=forward&id=42&to=mark is stored as the chain
action -> type= -> id= -> to=
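An added example, not ARC's own code, of the schema cache sketched on the URL Schema, Architecture, ARC at run-time and Data Structures slides: schemaOf strips the values to obtain action?par1=&...&parN=, Train fills the whitelist during passive monitoring, and Allow makes the run-time serve-or-reject decision. Preserving parameter order, rejecting URLs that do not parse, and the use of a plain Go map as the hash table are this example's assumptions; the training URLs are the web e-mail URLs from the earlier slides.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// schemaOf reduces a URL to the schema ARC caches: the action plus the parameter
// names with values stripped, e.g. action?type=forward&id=42&to=mark becomes
// action?type=&id=&to=. Parameter order is kept, as in the chain
// action -> type= -> id= -> to= on the data-structures slide (this example's
// assumption: a reordered list counts as a different schema).
func schemaOf(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	action := strings.TrimPrefix(u.Path, "/")
	if u.RawQuery == "" {
		return action, nil
	}
	var names []string
	for _, pair := range strings.Split(u.RawQuery, "&") {
		if pair == "" {
			continue
		}
		name := pair
		if i := strings.IndexByte(pair, '='); i >= 0 {
			name = pair[:i]
		}
		// Decode the name so a percent-encoded spelling of a known parameter
		// is not mistaken for a new, unknown schema.
		decoded, err := url.QueryUnescape(name)
		if err != nil {
			return "", err
		}
		names = append(names, decoded+"=")
	}
	return action + "?" + strings.Join(names, "&"), nil
}

// Cache is the application request cache: the whitelist of schemas collected
// while passively monitoring legitimate traffic (a Go map as the hash table).
type Cache struct {
	schemas map[string]struct{}
}

func NewCache() *Cache {
	return &Cache{schemas: make(map[string]struct{})}
}

// Train records the schema of one legitimate URL (training phase).
func (c *Cache) Train(rawURL string) error {
	s, err := schemaOf(rawURL)
	if err != nil {
		return err
	}
	c.schemas[s] = struct{}{}
	return nil
}

// Allow is the run-time decision: serve if a matching schema exists, reject
// otherwise. URLs that do not parse are rejected as well.
func (c *Cache) Allow(rawURL string) bool {
	s, err := schemaOf(rawURL)
	if err != nil {
		return false
	}
	_, ok := c.schemas[s]
	return ok
}

func main() {
	cache := NewCache()
	// Training traffic: the web e-mail URLs from the slides.
	for _, u := range []string{
		"login?username=joe", "action?type=read&id=42", "action?type=delete&id=42",
		"action?type=del_box&id=inbox", "logout?username=joe",
	} {
		if err := cache.Train(u); err != nil {
			panic(err)
		}
	}
	// Deployment: one fresh legitimate request, then the "are all URLs valid?" set.
	for _, u := range []string{
		"action?type=read&id=7", "login?username=joe&type=delete&id=42",
		"action?type=read&id=42&id=2", "action?type=del_box",
		"logout?username=joe&type=del_mbox&id=inbox",
	} {
		fmt.Printf("%-44s allow=%v\n", u, cache.Allow(u))
	}
}
```

Note what the check does and does not look at: values are ignored entirely, so a request with a new id is served, while an extra, missing or duplicated parameter name changes the schema string and is rejected. Whether parameter order should count is a deployment decision; an order-insensitive variant would sort the names before joining, at the cost of accepting reorderings the application never saw in training.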
Evaluation
Synthetic Traces
Web App   URLs      Min Par.  Max Par.  Density
Small     1,000     5         12        0.01
Medium    10,000    7         15        0.001
Heavy     100,000   12        20        0.001

Density: ratio of unique actions over all possible URL schemas.
Trace Selection
Multithreading
We have implemented two versions of ARC: single-channel and 4-channel
Request Resolution
Requests are resolved in less than 10 microseconds.
Throughput
Requests can be processed at a rate of hundreds of thousands of URLs per second
Takeaways
ARC can protect HPP-vulnerable applications by keeping a whitelist of accepted URL schemas
ARC is fast and can be transparently applied to legacy web applications
BACKUP SLIDES
HTTP Parameter Pollution (HPP)
New attack targeting web applications
HTTP parameter injection
Manipulation of the web application's control flow
Drives a web application according to the attacker's needs
HPP in a slide
Web applications are driven through HTTP requests and responses, which encapsulate resource descriptors: URLs
URLs are composed of an action and a list of parameters: http://site/login?user=joe&country=SG
The list of parameters can be polluted with extra parameters
URL example
This URL is associated with a script, purchase, which is called with the input argument item_id, whose value is 42
http://www.e-store.com/purchase?item_id=42
Action: purchase
Parameter: item_id=42
Attack Scenario: e-store
Two families of URLs:
(1) show?category=1
(2) purchase?category=1&item_id=1
Normal Operation
show?category=1 renders the links purchase?item_id=1, purchase?item_id=2, ..., purchase?item_id=N
The application appends category=1 to each link, producing:
purchase?item_id=1&category=1, purchase?item_id=2&category=1, ..., purchase?item_id=N&category=1
Bob attacks
Bob lures Alice into clicking links such as:
show?category=1%26item_id=42
Channels: IM, fake web pages, e-mail, etc.
HPP in Action
show?category=1%26item_id=42 renders the links purchase?item_id=1, purchase?item_id=2, ..., purchase?item_id=N
The application appends the decoded category value, category=1%26item_id=42, to each link, producing:
purchase?item_id=1&category=1&item_id=42, purchase?item_id=2&category=1&item_id=42, ..., purchase?item_id=N&category=1&item_id=42
Normal Operation vs HPP
HPP:    purchase?item_id=1&category=1&item_id=42
Normal: purchase?item_id=1&category=1
The web application logic has been altered by the attacker
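The e-store scenario from these backup slides, as an added example in Go that is not the slides' or ARC's code. The assumed application bug is that the already-decoded category value is spliced into each purchase link by string concatenation; the hardened builder re-encodes the value before splicing. The function names, the fmt.Sprintf link builders and the lured link as constructed input are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
)

// decodedCategory extracts the category parameter the way a typical framework
// hands it to the application: already percent-decoded. For the lured link
// show?category=1%26item_id=42 that is the string "1&item_id=42".
func decodedCategory(showLink string) (string, error) {
	u, err := url.Parse(showLink)
	if err != nil {
		return "", err
	}
	return u.Query().Get("category"), nil
}

// buildVulnerable reproduces the assumed flaw: the decoded category is spliced
// into each purchase link by plain concatenation, so the '&' inside it becomes
// a parameter separator and a second item_id appears in the link.
func buildVulnerable(itemID int, category string) string {
	return fmt.Sprintf("purchase?item_id=%d&category=%s", itemID, category)
}

// buildSafe re-encodes the value before splicing it back into a URL, so the
// category stays one value ("1%26item_id%3D42") and no extra parameter is
// created. Parameter order is kept identical to the vulnerable version.
func buildSafe(itemID int, category string) string {
	return fmt.Sprintf("purchase?item_id=%d&category=%s", itemID, url.QueryEscape(category))
}

// itemIDs returns every item_id occurrence a back end would see in link: one
// for a clean link, two for a polluted one.
func itemIDs(link string) ([]string, error) {
	u, err := url.Parse(link)
	if err != nil {
		return nil, err
	}
	return u.Query()["item_id"], nil
}

func main() {
	// Constructed input: the link Bob lures Alice into clicking.
	const lured = "show?category=1%26item_id=42"
	category, err := decodedCategory(lured)
	if err != nil {
		panic(err)
	}
	for i := 1; i <= 2; i++ {
		v, s := buildVulnerable(i, category), buildSafe(i, category)
		vIDs, _ := itemIDs(v)
		sIDs, _ := itemIDs(s)
		fmt.Printf("vulnerable: %-46s item_id=%v\n", v, vIDs)
		fmt.Printf("safe:       %-46s item_id=%v\n", s, sIDs)
	}
}
```

Two observations follow from running it. First, the lured show link itself has the legitimate show?category= schema, so a whitelist in front of the application serves it; what differs is the purchase link it produces, whose schema purchase?item_id=&category=&item_id= was never observed in training and is therefore the request that gets rejected when Alice clicks it. Second, the fix at the application level is the usual one for injection: re-encode data at the point where it is emitted into a new syntactic context, rather than trusting that the decoded value is inert.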