Sound and Precise Analysis of Web Applications for Injection Vulnerabilities
Gary Wassermann and Zhendong Su, UC Davis
Slides from http://wwwcsif.cs.ucdavis.edu/~wassermg/research/ (some additions/clarifications made)
SQL Injection Vulnerabilities
• 2006: 14% of CVEs were SQLCIVs (SQL command injection vulnerabilities), the 2nd most common category
• The percentage of attacks is likely much higher
– Web applications are accessible
– Databases hold valuable information
[Figure: Web browser → (user input) → Application → (SQL query) → Database]
Example
<?
$sid = addslashes($_GET['sid']);
$query = "SELECT * FROM carts WHERE sid = ".$sid;
mysql_query($query);
?>
On malicious input: SELECT * FROM carts WHERE sid = 78 OR 1 = 1
Result: Returns information from all shopping carts.
Informal Characterization [POPL'06]
[Figure: parse trees of the intended query and of the query built from the malicious input]
During runtime, we can see that the parse tree changed to a completely different structure from the one we had in mind.
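As an added example (not code from the slides or the paper), the pattern on the slide modelled in Python against an in-memory SQLite table, beside a parameterized version. The `php_addslashes` model, the `carts` rows and all function names are constructed for the demonstration; the hardened form is the editor's, not the paper's technique.

```python
import sqlite3


def php_addslashes(s: str) -> str:
    """Model of PHP's addslashes(): prefix ' " \\ with a backslash and write
    NUL as \\0.  Note what it does NOT touch: spaces, digits, SQL keywords."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_query(sid: str) -> str:
    """The slide's pattern: addslashes() then concatenation into an UNQUOTED
    numeric position, so the value is parsed as SQL rather than as data."""
    return "SELECT * FROM carts WHERE sid = " + php_addslashes(sid)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the carts table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE carts(sid INTEGER, item TEXT);"
        "INSERT INTO carts VALUES (78, 'book'), (79, 'lamp'), (80, 'pen');"
    )
    return conn


def run_vulnerable(conn: sqlite3.Connection, sid: str) -> list:
    return conn.execute(vulnerable_query(sid)).fetchall()


def run_safe(conn: sqlite3.Connection, sid: str) -> list:
    """Hardened form: validate that the value is an integer, then bind it as
    a parameter.  The input never reaches the SQL parser, so the parse tree
    is the same for every input."""
    if not sid.isdigit():
        raise ValueError("sid must be a non-negative integer")
    return conn.execute("SELECT * FROM carts WHERE sid = ?", (int(sid),)).fetchall()


def demo() -> dict:
    """Row counts for the benign and the malicious input on both versions."""
    db = make_db()
    result = {
        "vuln_78": len(run_vulnerable(db, "78")),
        "vuln_attack": len(run_vulnerable(db, "78 OR 1 = 1")),
        "safe_78": len(run_safe(db, "78")),
    }
    try:
        run_safe(db, "78 OR 1 = 1")
        result["safe_attack"] = "executed"
    except ValueError:
        result["safe_attack"] = "rejected"
    return result


if __name__ == "__main__":
    for sid in ("78", "78 OR 1 = 1"):
        print(repr(sid), "->", vulnerable_query(sid))
    print(demo())
```

Running it shows that `addslashes()` leaves `78 OR 1 = 1` byte-for-byte unchanged (there is no quote to escape), so the concatenated query returns all three carts, which is exactly the parse-tree change the slide describes; the parameterized version returns one row and rejects the malicious value before any SQL is built.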
Past Approaches
• Runtime checks
– Benefits: easy to be precise
– State of the art: lexical or syntactic confinement
– Drawback: we pay many times the overhead of a correctly-placed check
• Static analysis
– Benefits: early bug detection; analyze code fragments; no runtime overhead
– State of the art: static taint analysis
Static Checking for SQLCIVs
Code:
$sid = addslashes($_GET['sid']);
$query = "SELECT…".$sid;
mysql_query($query);
[Figure: dataflow graph of the code: $_GET['sid'] → addslashes() → $sid → concatenation (.) with the constant "SELECT…" → $query → mysql_query()]
Static Checking for SQLCIVs: Static Taint Analysis
[Figure: the same dataflow graph with one integrity label per node. The source $_GET['sid'] is U (untrusted); addslashes() is treated as a sanitizer, so $sid, $query and the sink are all labelled T (trusted). The sink passes the check: a false negative! Abstract value tracked: Integrity.]
Static Checking for SQLCIVs: Our Goal
[Figure: the same graph, but addslashes() is modelled as a transformation that maps the source class U to a new class U' instead of to T; the value at $query is tracked as a set of sequences of (Integrity × String) pairs, written (Integrity × String)* Set, and at the sink it is checked against a policy instead of a U/T flag.]
How can we:
• model the semantics of a transformation?
• track integrity classes through transformations?
• check the value at the sink against our policy?
SQLCIV Analysis Framework
[Figure: pipeline String Analysis → Static Taint Analysis → Compliance Check, applied to the dataflow graph $_GET['sid'] → addslashes() → $sid → $query → SELECT…]
String Analysis [Min05]
• CFGs (context-free grammars) model string sets
• Construct an extended CFG from the dataflow graph:
GETsid → Σ*
Sid → addslashes(GETsid)
C → SELECT…
Query → C Sid
[Figure: the grammar nonterminals annotated with integrity classes: U on GETsid, U' on Sid (after addslashes()), T on C, and the resulting label set on $query]
Modeling String Transformations
• Finite state transducers (FSTs) model string functions
• Use FSTs to turn the extended CFG into a plain CFG:
GETsid → Σ*
Sid → addslashes(GETsid)
C → SELECT…
Query → C Sid
[Figure: FST for stripslashes(); edge labels (input / output) as recovered from the slide: \ / , ' / ', A / \A, \ / \, B / B, where A ∈ Σ∖{'} and B ∈ Σ∖{\}. Example: O\'Brian → O'Brian]
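An added example, not from the slides: a small transducer model in Python. It encodes PHP's `stripslashes()` and `addslashes()` as FSTs (following PHP's behaviour, not necessarily the exact edge set of the slide's figure), runs them on the slide's `O\'Brian` example, and computes the image of a regular language under `addslashes()` by the product construction, which is the regular-language case of turning an extended CFG into a CFG. The classes, the alphabet `SIGMA` and all function names are constructed for this example.

```python
import itertools
import string

# Constructed alphabet for the demonstration.
SIGMA = frozenset(string.ascii_letters + string.digits + " ='\"\\")


class NFA:
    """Character-labelled NFA; edges are (src, label, dst), label None = epsilon."""
    def __init__(self, start, accept, edges):
        self.start, self.accept, self.edges = start, set(accept), list(edges)

    def _closure(self, states):
        seen, stack = set(states), list(states)
        while stack:
            p = stack.pop()
            for src, lab, dst in self.edges:
                if src == p and lab is None and dst not in seen:
                    seen.add(dst)
                    stack.append(dst)
        return seen

    def accepts(self, s):
        cur = self._closure({self.start})
        for ch in s:
            cur = self._closure({dst for src, lab, dst in self.edges
                                 if src in cur and lab == ch})
        return bool(cur & self.accept)


class FST:
    """Finite state transducer; edges are (src, in_char, out_str, dst)."""
    def __init__(self, start, accept, edges):
        self.start, self.accept, self.edges = start, set(accept), list(edges)

    def states(self):
        return {self.start} | self.accept | {x for s, _, _, d in self.edges for x in (s, d)}

    def transduce(self, s):
        """Run the (deterministic) transducer on one string."""
        state, out = self.start, []
        for ch in s:
            nxt = [(o, d) for p, i, o, d in self.edges if p == state and i == ch]
            if not nxt:
                raise ValueError(f"no transition on {ch!r} from state {state}")
            o, state = nxt[0]
            out.append(o)
        if state not in self.accept:
            raise ValueError("input ended in a non-final state")
        return "".join(out)

    def image(self, nfa):
        """Image of L(nfa) under this transducer as an NFA over the output
        alphabet (product construction; multi-character outputs become a
        chain through fresh intermediate states, empty output an epsilon)."""
        fresh, edges = itertools.count(), []
        for n, lab, n2 in nfa.edges:
            if lab is None:                       # epsilon edge of the input NFA
                edges += [((n, f), None, (n2, f)) for f in self.states()]
                continue
            for p, i, o, d in self.edges:
                if i != lab:
                    continue
                prev = (n, p)
                if o == "":
                    edges.append((prev, None, (n2, d)))
                for k, ch in enumerate(o):
                    nxt = (n2, d) if k == len(o) - 1 else ("mid", next(fresh))
                    edges.append((prev, ch, nxt))
                    prev = nxt
        accept = {(n, f) for n in nfa.accept for f in self.accept}
        return NFA((nfa.start, self.start), accept, edges)


def addslashes_fst():
    """PHP addslashes() as a one-state FST: ' " \\ get a backslash prefix."""
    edges = [(0, c, "\\" + c, 0) for c in "'\"\\"]
    edges += [(0, c, c, 0) for c in SIGMA if c not in "'\"\\"]
    return FST(0, {0}, edges)


def stripslashes_fst():
    """PHP stripslashes() as a two-state FST: a backslash is consumed (state 1)
    and the character after it is emitted unchanged; a trailing backslash is dropped."""
    edges = [(0, c, c, 0) for c in SIGMA if c != "\\"]
    edges.append((0, "\\", "", 1))
    edges += [(1, c, c, 0) for c in SIGMA]
    return FST(0, {0, 1}, edges)


def sigma_star():
    """NFA for Σ*: one state with a self-loop on every character."""
    return NFA(0, {0}, [(0, c, 0) for c in SIGMA])


def escaped_image_contains(s):
    """Is s in the image of Σ* under addslashes(), i.e. can addslashes() emit it?"""
    return addslashes_fst().image(sigma_star()).accepts(s)
```

The image automaton is the string-analysis view of the sanitizer: a bare quote such as in `O'Brian` cannot come out of `addslashes()`, but the slide's `78 OR 1 = 1` can, because the transducer only touches quotes and backslashes. A taint analysis that marks the output of `addslashes()` as trusted has no way to express this difference.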
Tracking Integrity Classes
Grammar:
S → a
S → S X
X → a*
[Figure: automaton with states 0 and 1, edges 0 —[a-z]→ 1 and 1 —[0-9]→ 1, accepting [a-z][0-9]*]
• Find the CFG–FSA intersection via CFL-reachability
• Propagate labels to the corresponding nonterminals
• Use this algorithm to find the CFG's image over an FST
Intersection grammar (nonterminals indexed by automaton states):
S01 → a
X11 → [0-9]
S01 → S01 X11
Language of S01: a[0-9]*
Policy Conformance
• Use the SQL grammar as the reference grammar
• Check the "literals" case with regular languages
• Untrusted input: not in a quoted context, not numeric, includes SQL code
– DIRECT if immediately affected by the user
– INDIRECT if affected by a previous query answer
Example grammar after modeling addslashes():
GETsid' → ( Σ∖{'} ∪ {\'} )*
Sid → GETsid'
C → SELECT * FROM users WHERE id =
Query → C Sid
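An added example, not from the slides, of the two steps above in Python: the Bar-Hillel product of a grammar with a finite automaton, pruned by a CFL-reachability style fixpoint (the construction behind S01 → a, X11 → [0-9], S01 → S01 X11), and then the same machinery used as a literal-style policy check: does the language of an untrusted value intersect a regular language of strings that contain SQL code, here approximated by the keyword OR? The three abstractions of the untrusted value correspond to no validation, to a `[0-9]+` regex that only requires a digit somewhere (the check on the Example Vulnerability slide later in the deck), and to `^[0-9]+$`. `SLIDE_GRAMMAR` is constructed to reproduce the slide's result, and the alphabet `SIGMA`, the DFA construction and all function names are this example's own.

```python
from itertools import product

# Constructed alphabet and character classes.
LETTERS = frozenset("abcdefghijklmnopqrstuvwxyz")
DIGITS = frozenset("0123456789")
SIGMA = LETTERS | DIGITS | frozenset("OR ='*")


class DFA:
    """delta maps (state, char) -> state; a missing entry is a dead transition."""
    def __init__(self, states, delta, start, accept):
        self.states, self.delta, self.start, self.accept = list(states), delta, start, list(accept)


def _productive(alt, good):
    return isinstance(alt, frozenset) or (alt[0] in good and alt[1] in good)


def intersect(grammar, start, dfa):
    """Bar-Hillel product of a CNF-like grammar (an alternative is a frozenset
    of terminals or a pair of nonterminals) with a DFA.  Nonterminal (A, p, q)
    derives exactly the strings w with A =>* w that drive the DFA from p to q.
    Product nonterminals deriving nothing are removed by a least fixpoint
    (the CFL-reachability step); unreachable ones are dropped afterwards."""
    rules = {}
    for a, alts in grammar.items():
        for alt in alts:
            if isinstance(alt, frozenset):                        # A -> c
                for p in dfa.states:
                    targets = {}
                    for c in alt:
                        q = dfa.delta.get((p, c))
                        if q is not None:
                            targets.setdefault(q, set()).add(c)
                    for q, chars in targets.items():
                        rules.setdefault((a, p, q), []).append(frozenset(chars))
            else:                                                 # A -> B C
                b, c = alt
                for p, q, r in product(dfa.states, repeat=3):
                    rules.setdefault((a, p, r), []).append(((b, p, q), (c, q, r)))
    good, changed = set(), True
    while changed:                                                # productivity fixpoint
        changed = False
        for nt, alts in rules.items():
            if nt not in good and any(_productive(alt, good) for alt in alts):
                good.add(nt)
                changed = True
    rules = {nt: [alt for alt in alts if _productive(alt, good)]
             for nt, alts in rules.items() if nt in good}
    reach, work = set(), [(start, dfa.start, f) for f in dfa.accept]
    while work:                                                   # reachability from the start symbols
        nt = work.pop()
        if nt in reach or nt not in rules:
            continue
        reach.add(nt)
        for alt in rules[nt]:
            if not isinstance(alt, frozenset):
                work.extend(alt)
    return {nt: alts for nt, alts in rules.items() if nt in reach}


def shortest_witness(rules, start):
    """Shortest string derivable from `start`, or None if its language is
    empty; a fixpoint over (length, string), which is well-founded."""
    best, changed = {}, True
    while changed:
        changed = False
        for nt, alts in rules.items():
            for alt in alts:
                if isinstance(alt, frozenset):
                    cand = min(alt)
                elif alt[0] in best and alt[1] in best:
                    cand = best[alt[0]] + best[alt[1]]
                else:
                    continue
                if nt not in best or (len(cand), cand) < (len(best[nt]), best[nt]):
                    best[nt], changed = cand, True
    return best.get(start)


def intersection_witness(grammar, start, dfa):
    """A shortest string in L(grammar) ∩ L(dfa), or None if the intersection is
    empty: emptiness is the question a policy check asks at the sink."""
    rules = intersect(grammar, start, dfa)
    found = [w for f in dfa.accept
             if (w := shortest_witness(rules, (start, dfa.start, f))) is not None]
    return min(found, key=lambda w: (len(w), w)) if found else None


def contains_keyword_dfa(keyword, alphabet):
    """DFA for 'contains keyword as a substring' built from prefix-match
    states; a stand-in for the regular 'includes SQL code' part of the policy."""
    n, delta = len(keyword), {}
    for i in range(n + 1):
        for c in alphabet:
            s = keyword[:i] + c
            delta[(i, c)] = n if i == n else max(j for j in range(n + 1) if s.endswith(keyword[:j]))
    return DFA(range(n + 1), delta, 0, [n])


# Constructed to reproduce the slide's result S01 -> a, X11 -> [0-9], S01 -> S01 X11:
# S -> a | S X, X -> [a-z] | [0-9], intersected with the automaton for [a-z][0-9]*.
SLIDE_GRAMMAR = {"S": [frozenset("a"), ("S", "X")], "X": [LETTERS, DIGITS]}
SLIDE_FSA = DFA([0, 1], {**{(0, c): 1 for c in LETTERS}, **{(1, d): 1 for d in DIGITS}}, 0, [1])

# Three abstractions of the untrusted value reaching the query: any non-empty string,
# a string that merely contains a digit (what eregi('[0-9]+') guarantees), digits only.
ANY_STRING = {"A": [SIGMA, ("A", "T")], "T": [SIGMA]}
HAS_A_DIGIT = {"H": [DIGITS, ("H", "T"), ("T", "H")], "T": [SIGMA]}
DIGITS_ONLY = {"N": [DIGITS, ("N", "D")], "D": [DIGITS]}
CONTAINS_OR = contains_keyword_dfa("OR", SIGMA)

if __name__ == "__main__":
    print(sorted(intersect(SLIDE_GRAMMAR, "S", SLIDE_FSA)))
    for name, g, s in [("no check", ANY_STRING, "A"), ("[0-9]+", HAS_A_DIGIT, "H"), ("^[0-9]+$", DIGITS_ONLY, "N")]:
        w = intersection_witness(g, s, CONTAINS_OR)
        print(f"{name:9} -> {'SAFE' if w is None else 'ERROR, e.g. ' + repr(w)}")
```

Only the digits-only abstraction yields an empty intersection; the `[0-9]+` abstraction still admits strings such as `0OR`, which is why an unanchored regex does not make the value numeric in the policy's sense. Pruning by productivity before reachability matters: without it, product nonterminals like S00 would survive with alternatives that can never derive a string.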
Evaluation: Results
• Modified Minamide's PHP String Analyzer
• Evaluated on 6 real-world PHP web apps
Subject    Lines    Time (h:mm:ss)                         Errors
                    String-Taint   Policy Conformance      Direct (Real / False)   Indirect
Claroline  169,479  3:04:11        0:02:22                 30 / 11                 24
e107       132,862  1:08:05        0:01:39                 4 / 8                   15
EVE        904      0:00:01        0:00:04                 4 / 0                   1
Tiger      14,350   3:14:07        3:27:50                 0 / 3                   2
Utopia     5,438    0:13:10        0:00:48                 14 / 2                  12
Warp       24,365   0:00:52        0:04:49                 0 / 0                   0
Example Vulnerability
isset($_GET['userid']) ? $userid = $_GET['userid'] :
$userid = '';
if (!eregi('[0-9]+', $userid)) {
unp_msg('invalid user ID.');
exit;
}
$getuser = $DB->query("SELECT * FROM `unp_user` WHERE userid='$userid'");
Annotation on the regex: should be '^[0-9]+$'
False Positive
Casting problems
Indirect Error
Verified
? Returned from DB
Conclusions
• Achieved accurate checking for SQLCIVs by tracking string values and sources
• Successfully applied to real-world PHP programs and found subtle vulnerabilities
• Future work:
– Improve error reports
– Apply to XSS