KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association
Certifiable Trustworthy IT Systems
www.kit.edu
SPaCiTE – Web Application Testing Engine
Matthias Büchler, Johan Oudinet, and Alexander Pretschner
April 21, 2012
M. Büchler, J. Oudinet, A. Pretschner2 SPaCiTE – Web Application Testing Engine
Motivation / Purpose of the Tool
Secure Model: M ⊨ φ
Is Web Application Secure?
Web Application
How does a secure model help to answer this question?
Motivation / Purpose of the Tool
Client Side Server Side
Motivation / Purpose of the Tool
SPaCiTE Workflow
How SPaCiTE executes test cases (attack traces) based on secure models
The Secure Model – Abstract Messages
The Secure Model – Horn Clauses
The Secure Model – The Honest User
The Secure Model – The Server
The Secure Model – Secrecy Goal
Model-Based Flaw Injection Library
<configuration>
  <ACflaw>
    <funcname>isAuthorizedTo*</funcname>
  </ACflaw>
</configuration>
Model Checking
SATMC
CL-ATSE
OFMC
Reuse AVANTSSAR Backends
Abstract Attack Trace
<tom> ->* webServer : login(tom,password(tom,webServer))
webServer -> <tom> : listStaffOf(tom)
<tom> *-> webServer : viewProfileOf(jerry)
webServer *->* <tom> : profileOf(jerry)
Transform AAT to WAAL
Configuration Information
How are abstract messages translated into actions
How is a viewProfileOf message generated in the browser?
Transform AAT to WAAL
How are abstract messages translated into actions
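The translation step described above, as an added example (not SPaCiTE code): it parses the abstract attack trace from the earlier slide and maps each abstract message to a generating or verifying browser-level action. The mapping table and its action strings are constructed stand-ins, not WAAL syntax.

```python
import re

# Trace copied from the slide above, one abstract message per line.
AAT = """<tom> ->* webServer : login(tom,password(tom,webServer))
webServer -> <tom> : listStaffOf(tom)
<tom> *-> webServer : viewProfileOf(jerry)
webServer *->* <tom> : profileOf(jerry)"""

# sender, arrow, receiver, name, args; angle brackets on agents are stripped, not interpreted.
STEP = re.compile(r"^\s*(<?\w+>?)\s+(\*?->\*?)\s+(<?\w+>?)\s*:\s*(\w+)\((.*)\)\s*$")

# Constructed mapping, hypothetical action strings (not WAAL syntax): name -> (kind, template).
MAPPING = {
    "login": ("generate", "type {0} into #user, type secret into #pass, click #login"),
    "listStaffOf": ("verify", "page lists the staff of {0}"),
    "viewProfileOf": ("generate", "open the profile link of {0}"),
    "profileOf": ("verify", "page shows the profile of {0}"),
}

def split_args(raw):
    """Split on top-level commas only, so password(tom,webServer) stays one term."""
    args, depth, cur = [], 0, ""
    for ch in raw:
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            depth += (ch == "(") - (ch == ")")
            cur += ch
    return args + ([cur.strip()] if cur.strip() else [])

def parse_trace(text):
    steps = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        m = STEP.match(line)
        if not m:
            raise ValueError(f"step {n} is not an abstract message: {line!r}")
        sender, channel, receiver, name, raw = m.groups()
        steps.append({"sender": sender.strip("<>"), "channel": channel,
                      "receiver": receiver.strip("<>"), "msg": name, "args": split_args(raw)})
    return steps

def to_actions(steps, mapping=MAPPING):
    actions = []
    for s in steps:
        if s["msg"] not in mapping:  # every abstract message must be mappable
            raise LookupError(f"no browser-level mapping for {s['msg']}")
        kind, template = mapping[s["msg"]]
        actions.append((kind, template.format(*s["args"])))
    return actions
```

An abstract message with no entry in the mapping stops the translation with a `LookupError`, which corresponds to the case where the message has to be handled below browser level.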
Transform AAT to WAAL
Translate WAAL actions to Java source code
Embed them into a test execution engine skeleton
Execution
Execute the test case
Recovery actions might be needed
Example of a Recovery Action
Verdict
Conclusion
Semi-automatic security testing of web applications
  Automatic at browser level
  May request help from a test expert at HTTP level
Interesting abstract attack traces were generated by injecting relevant source code level faults into the model
Relevant fault = a known vulnerability that has been exploited to violate any security goal in the secure model.
We were able to reproduce all 4 Abstract Attack Traces coming from 2 RBAC and 2 XSS models
Future Work
Target different vulnerabilities and security goals
Address side effects during recovery actions
Extend the tool when global observation is not possible
Integration work as part of SPaCiOS EU project
www.spacios.eu
* Demo on request, or visit: http://zvi.ipd.kit.edu/26_500.php
Model-Based Flaw Injection Library
Mutation operators represent vulnerabilities at model level
They combine a security property and a vulnerability
Assumptions and Limitations
Secure model must exist → If not, try to make use of model inference
Each abstract message must be mappable to WAAL actions
  That means every abstract message must be expressed in terms of generating and/or verifying actions at browser level
  That does not imply that the action must be performed in the browser → see Recovery Actions
  → If not, WAAL actions can be bypassed and the abstract message is mapped directly to protocol-level messages (no guidance by SPaCiTE)
The model checker used assumes the Dolev-Yao model for the intruder behavior
Intruder is the network (Every component must be wrapped by a Proxy to have global observation property)
No side effects during recovery actions
Deterministic system