ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches. Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis (Columbia University, US); Evangelos P. Markatos (FORTH-ICS, Greece). ACNS 2012. Slide transcript.


Page 1: ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis

ARC: Protecting against HTTP Parameter Pollution Attacks Using Application Request Caches

Elias Athanasopoulos, Vassileios P. Kemerlis, Michalis Polychronakis, Columbia University (US)

Evangelos P. Markatos, FORTH-ICS (Greece)

ACNS 2012

Page 2

Web Applications

ARC, ACNS 2012

Diagram: Web Browser and Web Server exchanging messages

HTTP Request: GET login?username=joe

HTTP Response: HTTP OK

Page 3

URLs in HTTP

HTTP Request: GET login?username=joe

URL: login?username=joe
Action: login
Parameters: username

Page 4

Example: Web e-mail

Operation and the URL that triggers it:

Login: login?username=joe

Read e-mail: action?type=read&id=42

Delete e-mail: action?type=delete&id=42

Delete mailbox: action?type=del_box&id=inbox

Logout: logout?username=joe

Page 5

Are all URLs valid?


login?username=joe&type=delete&id=42

action?type=read&id=42&id=2

action?type=delete&id=2&id=42

action?type=del_box

logout?username=joe&type=del_mbox&id=inbox

Page 6

HTTP Parameter Pollution (HPP)

How is this URL interpreted?

action?type=read&id=6&id=42

Parsing goes from left to right (6 wins): action?type=read&id=6

Parsing goes from right to left (42 wins)

Parsing direction does not matter (6 and 42, or 42 and 6, are concatenated)
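To make the three interpretations concrete, here is an added Go example (not code from the paper or the ARC proxy). Go's url.ParseQuery keeps every occurrence of a parameter, so each policy can be shown on the same parsed query; DuplicatedParams is the check a defender would run to flag such a request. The function names are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// FirstWins: left-to-right parsing, the first occurrence is used (url.Values.Get).
func FirstWins(rawQuery, name string) string {
	v, _ := url.ParseQuery(rawQuery)
	return v.Get(name)
}

// LastWins: right-to-left parsing, the last occurrence overrides the earlier ones.
func LastWins(rawQuery, name string) string {
	v, _ := url.ParseQuery(rawQuery)
	if vals := v[name]; len(vals) > 0 {
		return vals[len(vals)-1]
	}
	return ""
}

// Concatenated: parsing direction does not matter, all values are joined.
func Concatenated(rawQuery, name string) string {
	v, _ := url.ParseQuery(rawQuery)
	return strings.Join(v[name], ",")
}

// DuplicatedParams reports every parameter name that occurs more than once,
// sorted, so a proxy or WAF can flag the request before the application guesses.
func DuplicatedParams(rawQuery string) []string {
	v, _ := url.ParseQuery(rawQuery)
	var dups []string
	for name, vals := range v {
		if len(vals) > 1 {
			dups = append(dups, name)
		}
	}
	sort.Strings(dups)
	return dups
}

func main() {
	q := "type=read&id=6&id=42" // the deck's polluted query, constructed here
	fmt.Println(FirstWins(q, "id"), LastWins(q, "id"), Concatenated(q, "id"), DuplicatedParams(q))
}
```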

Page 7

HPP is yet another injection attack

Ambiguity in parsing parameters makes HPP possible


Page 8

URL Space

Diagram labels: All possible URLs / URLs that define the Web Application's Logic / Attacker URLs

Page 9

HPP Impact

About 1,499 of the 5,000 highest-ranked Alexa.com web sites are considered vulnerable to HPP exploitation.

Automated discovery of parameter pollution vulnerabilities in web applications. Balduzzi et al., NDSS 2011.

Page 10

Application Request Caches


Page 11

Goal

Diagram labels (the URL space again): All possible URLs / URLs that define the Web Application's Logic: we need to serve these / Attacker URLs: we need to block these

Page 12

URL Schema

A URL schema has the form: action?par1=&par2=...&parN=

Example: login?username=joe has the schema login?username=

Page 13

Architecture

Training phase: Passive Monitoring of the Web application produces a Collection of Legitimate URL schemas

Deployment phase: Client sends HTTP Request to ARC, which sits in front of the Web application

Page 14

Training Phase

Large frameworks (such as phpBB) are developed and tested by a large community

Big applications (like Facebook) test new features in a closed environment

Page 15

ARC at run-time

Diagram: HTTP Request arrives at ARC, which holds the URL Schemas (action?par1=&par2=&…&parN=)

Valid Schema Exists: request is forwarded to the Web application

No Schema: Reject Request

Page 16

Implementation

ARC is a web application proxy implemented in Google’s Go

ARC uses Go structures for hash tables and lists, and Go channels for multithreading

Page 17

Data Structures

Diagram: the URL action?type=forward&id=42&to=mark is stored as the chain action → type= → id= → to=
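An added Go example of the schema-cache idea from the URL Schema, Architecture, run-time and Data Structures slides, written for this transcript and not the authors' ARC code: SchemaOf canonicalises a URL to the deck's action?par1=&par2=...&parN= notation (sorting the names is an assumption of this example), Train fills the whitelist from a constructed e-store trace, and Allow is the deployment-phase check that rejects the polluted purchase link from the backup slides.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// SchemaOf reduces a URL to the deck's "action?par1=&par2=...&parN=" form: values
// are dropped, names kept and sorted (an assumption of this example). Duplicates
// survive, so "id=6&id=42" becomes "action?id=&id=" and matches no learned schema.
func SchemaOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	var names []string
	for _, pair := range strings.Split(u.RawQuery, "&") {
		name, _, _ := strings.Cut(pair, "=")
		if name != "" { // skip stray separators such as "a=1&&b=2"
			names = append(names, name+"=")
		}
	}
	sort.Strings(names)
	return strings.TrimPrefix(u.Path, "/") + "?" + strings.Join(names, "&"), nil
}

// ARC is the schema whitelist. The paper's proxy uses Go hash tables and lists;
// this example keeps one set keyed by the canonical schema string.
type ARC map[string]bool

// Train records a legitimate URL seen while passively monitoring the application.
func (a ARC) Train(raw string) {
	if s, err := SchemaOf(raw); err == nil {
		a[s] = true
	}
}
// Allow is the deployment-phase decision: serve only if a valid schema exists.
func (a ARC) Allow(raw string) bool {
	s, err := SchemaOf(raw)
	return err == nil && a[s]
}

func main() {
	arc := ARC{} // training trace constructed from the e-store slides
	arc.Train("/show?category=1")
	arc.Train("/purchase?category=1&item_id=1")
	fmt.Println(arc.Allow("/purchase?item_id=7&category=1"))            // true
	fmt.Println(arc.Allow("/purchase?item_id=1&category=1&item_id=42")) // false
}
```

Note that show?category=1%26item_id=42 still has a valid schema (a single category parameter), so the check must also run on the purchase links the application generates from it, not only on the link Alice clicked.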

Page 18

Evaluation


Page 19

Synthetic Traces

Web App   URLs      Min Par.   Max Par.   Density
Small     1,000     5          12         0.01
Medium    10,000    7          15         0.001
Heavy     100,000   12         20         0.001

Density: ratio of unique actions over all possible URL schemas.

Page 20

Trace Selection


Page 21

Multithreading

We have implemented two versions of ARC: Single Channel and 4-Channel

Page 22

Request Resolution


Requests are resolved in less than 10 microseconds.

Page 23

Throughput

Requests can be processed at a rate of hundreds of thousands of URLs per second.

Page 24

Takeaways

ARC can protect HPP-vulnerable applications by keeping a whitelist of accepted URL schemas

ARC is fast and can be transparently applied to legacy web applications


Page 25

BACKUP SLIDES


Page 26

HTTP Parameter Pollution (HPP)

New attack targeting web applications

HTTP parameter injection

Manipulation of the web application's control flow

Drives a web application according to the attacker's needs

Page 27

HPP in a slide

Web applications are driven through HTTP requests and responses, which encapsulate resource descriptors: URLs

URLs are composed of an action and a list of parameters, e.g. http://site/login?user=joe&country=SG

The list of parameters can be polluted with extra parameters


Page 28

URL example

This URL is associated with a script, purchase, which is called with the input argument item_id set to the value 42

http://www.e-store.com/purchase?item_id=42

Action: purchase

Parameter: item_id=42

Page 29

Attack Scenario: e-store

Two families of URLs:

(1) show?category=1

(2) purchase?category=1&item_id=1


Page 30

Normal Operation

show?category=1 produces the links purchase?item_id=1, purchase?item_id=2, …, purchase?item_id=N

With category=1 appended to each: purchase?item_id=1&category=1, purchase?item_id=2&category=1, …, purchase?item_id=N&category=1

Page 31

Bob attacks

Bob lures Alice to click on links, like:

show?category=1%26item_id=42

Channels: IM, fake web pages, e-mail, etc.


Page 32

HPP in Action

show?category=1%26item_id=42 produces the links purchase?item_id=1, purchase?item_id=2, …, purchase?item_id=N

With category=1%26item_id=42 appended to each (the %26 decodes to &): purchase?item_id=1&category=1&item_id=42, purchase?item_id=2&category=1&item_id=42, …, purchase?item_id=N&category=1&item_id=42

Page 33

Normal Operation vs HPP

HPP: purchase?item_id=1&category=1&item_id=42

Normal operation: purchase?item_id=1&category=1

Page 34

The web application logic has been altered by the attacker
