back in black
play

Back In Black: Towards Formal, Black Box Analysis Of Sanitizers and - PowerPoint PPT Presentation

Apr 13, 2023 •241 likes •597 views

Back In Black: Towards Formal, Black Box Analysis Of Sanitizers and Filters George Argyros* , Ioannis Stais**, Angelos Keromytis* and Aggelos Kiayias*** * ** *** Motivation Sanitizers and filters are important components of securing

  1. Back In Black: Towards Formal, Black Box Analysis Of Sanitizers and Filters George Argyros* , Ioannis Stais**, Angelos Keromytis* and Aggelos Kiayias*** * ** ***

  2. Motivation • Sanitizers and filters are important components of securing applications. - Think code injection attacks. • Black-Box analysis is often a necessity. - Penetration testing, hardware testing. • Filters need to be fast. - Possibility of representing with automata models. • This talk: focus on regular expression filters. - Check the paper for results on sanitizers.

  3. Regular Expression Filters • Pass untrusted input through Regular Expressions. - Reject if match found. • Widely employed for protecting against code injection attacks. - Not very robust. • Significant components of large scale software. - Web Application Firewalls, IDS, DPI and others. • Represented by Deterministic Finite State Automata (DFA).

  4. Can we efficiently infer Regular Expression Filters?

  5. Exact Learning From Queries Form of Active Learning. Target M Learning Two types of Queries. Algorithm

  6. Exact Learning From Queries Membership Query Target M Learning Algorithm string s Is s accepted by M ?

  7. Exact Learning From Queries Equivalence Query Target M Learning Algorithm Model H Is M = H ? Yes, or provide counterexample.

  8. Learning Deterministic Finite Automata [Angluin ’87], [Rivest-Schapire ’93] • Start with an initial state. q 1 q 1 q 1 q 4 • Test all transitions from that state. q 1 • When valid DFA is formed test for q 0 q 0 q 0 q 0 q 0 Equivalence. • Counterexamples provide access q 2 q 3 q 2 q 2 q 2 q 3 to previously undiscovered states. Testing all transitions is inefficient for large Alphabets!

  9. Symbolic Finite Automata (SFA) Symbolic Automata Classical Automata guards

  10. Learning SFA: Challenges • Alphabet may be infinite! • How to distinguish causes for counterexamples in the models? - Counterexamples due to undiscovered states in the target. - Counterexamples due to inaccurate transition guards.

  11. Learning Symbolic Finite Automata φ 1 , 0 ( x ) φ 1 , 0 ( x ) • Start with an initial state. φ 1 , 1 ( x ) q 1 q 1 q 1 q 4 • Test sample transitions from that state. a φ 0 , 0 ( x ) φ 0 , 0 ( x ) • Use sample transitions as training set (q0,a,q1), (q0,b,q2), … guardgen() q 0 q 0 φ 2 , 1 ( x ) q 0 q 0 to generate guards. b φ 0 , 1 ( x ) φ 0 , 1 ( x ) φ 2 , 0 ( x ) • Novel counterexample processing q 2 q 3 q 2 q 2 method to handle incorrect guards. Convergence under natural assumptions on guardgen()

  12. Is Exact Learning From Queries a realistic model?

  13. Is Exact Learning from Queries a realistic model? • Membership Queries? Test whether input is rejected by the filter. • Equivalence Queries?

  14. Grammar Oriented Filter Auditing or How to Implement an Equivalence Oracle

  15. Grammar Oriented Filter Auditing (GOFA)

  16. Grammar Oriented Filter Auditing (GOFA) Context Free Grammar G … select_exp: SELECT name any_all_some: ANY | ALL column_ref: name parameter: name

  17. Grammar Oriented Filter Auditing (GOFA) Context Free Grammar G … select_exp: SELECT name any_all_some: ANY | ALL column_ref: name parameter: name

  18. Grammar Oriented Filter Auditing (GOFA) Context Free Regular Filter F Grammar G … select_exp: SELECT name (alter{s}*{w}+.*character{s} any_all_some: ANY | ALL +set{s}+{w}+)|(\";{s} column_ref: name *waitfor{s}+time{s}+\") parameter: name /index.php?id=1’ or ‘1’=‘1 Normal output or REJECT

  19. Grammar Oriented Filter Auditing (GOFA) Context Free Regular Filter F Grammar G Find string s such that May Require Exponential … select_exp: SELECT name (alter{s}*{w}+.*character{s} Number of Queries! any_all_some: ANY | ALL +set{s}+{w}+)|(\";{s} column_ref: name *waitfor{s}+time{s}+\") parameter: name /index.php?id=1’ or ‘1’=‘1 Normal output or REJECT

  20. Solving GOFA • In an ideal (White-Box) world both G and F are available: 1. Compute , the set of strings not rejected by F. 2. Check for emptiness. • In practice F is unavailable. - Learn a model for F !

  21. Solving GOFA Context Free Regular Filter F Grammar G

  22. Solving GOFA Context Free Regular Filter F Grammar G

  23. Solving GOFA Membership Query Context Free Regular Filter F Grammar G string s True if REJECT is returned False otherwise

  24. Solving GOFA Equivalence Query One Membership Query per Equivalence Query! Context Free Regular Filter F Grammar G If REJECT: H If no such s s is a counterexample for H . exists then Otherwise: terminate s is a bypass for the filter F .

  25. Evaluation

  26. Experimental Setup • 15 Regular Expression Filters from popular Web Application Firewalls(WAFs). ‣ 7 - 179 states. ‣ 13 - 658 transitions. • Alphabet size of 92 symbols. ‣ Includes most printable ASCII characters.

  27. DFA vs SFA Learning ✓ On average 15x less queries. ✓ Increase in Equivalence queries. ✓ Speedup is not a simple function of the automaton size.

  28. DFA vs SFA Learning

  29. GOFA Algorithm Evaluation • Assume that the grammar G does not contain a string that bypasses the filter. - How good is the approximation of the filter obtained? - How efficient is SFA Learning in the GOFA context? • What is an appropriate grammar to perform this experiment? - Use the filter itself as the input grammar! - Intuitively, a maximal set that does not include a bypass.

  30. DFA vs SFA Learning in GOFA ✓ SFA utilizes x35 less queries. ✓ States recovered: ‣ DFA: 91.95% ‣ SFA: 89.87%

  31. GOFA: Evading WAF • Handcrafted grammar with valid suffixes of SQL statements. - SELECT * from table WHERE id= S - Simulates an SQL Injection attack. • Test GOFA algorithm against live installations of ModSecurity and PHPIDS. - Both systems include non regular anomaly detection components.

  32. GOFA: Evading WAF Evasions found for both web application firewalls. ✓ Authentication Bypass: 1 or isAdmin like 1 ✓ Data Retrieval: 1 right join users on author.id = users.id Evasion attacks aknowledged by ModSecurity team.

  33. Conclusions • SFAs provide an efficient way to infer regular expressions. • SFA learning can provide insights for non regular systems . • Similar techniques derived for sanitizers, more in the paper! • Large space for improvements over presented learning algorithm. - Smarter guard generation algorithms. • We envision assisted Black-Box testing of sanitizers and filters. - Auditor will correct inaccuracies of models. - Derive concrete attacks from abstract language constructs.

  34. Back In Black: Towards Formal, Black Box Analysis Of Sanitizers and Filters George Argyros* , Ioannis Stais**, Angelos Keromytis* and Aggelos Kiayias*** * ** ***

Recommend

Turbulence in black holes and back again L. Lehner (Perimeter Institute) Motivation

Turbulence in black holes and back again L. Lehner (Perimeter Institute) Motivation

Turbulence in black holes and back again L. Lehner (Perimeter Institute) Motivation Holography provides a remarkable framework to connect gravitational phenomena in d+1 dimensions with field theories in d dimensions. Most robustly

625 views • 31 slides
GirlTrek Quick Review THE FACTS 2 3 OUT OF Black women get no exercise everyday. 137 >

GirlTrek Quick Review THE FACTS 2 3 OUT OF Black women get no exercise everyday. 137 >

GirlTrek Quick Review THE FACTS 2 3 OUT OF Black women get no exercise everyday. 137 > gun violence, HIV/AIDS and smoking combined. THE HE TUB UBMAN D N DOCTRINE 1. SAVE YOUR OWN LI FE. 2. COME BACK FOR SI STERS. 3. RALLY YOUR

206 views • 17 slides
Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II. The First Law of Black Hole Mechanics and Black Hole Entropy III. Dynamic and Thermodynamic Stability of Black Holes IV. Quantum Aspects of Black

1.74k views • 116 slides
PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI

PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI

PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI BAPTIST CHURCH, IBADAN MARCH 10, 2013 Ibidunni Alonge Olumide Dada WHY LOW BACK PAIN? 2 Knee Back Neck WHAT IS LOW BACK PAIN? 3 Low back

1.56k views • 61 slides
2013-14 Fiscal Year End June 30, 2014 Overview Turning the corner back in the black

2013-14 Fiscal Year End June 30, 2014 Overview Turning the corner back in the black

2013-14 Fiscal Year End June 30, 2014 Overview Turning the corner back in the black Operational surplus and overall fiscal plan surplus Fiscal Plan surplus (change in net assets) Operational surplus Budget 2013 Actual Budget

430 views • 22 slides
Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Introduction : black hole issues and entropy counting The fuzzball proposal Constructing three-charge supersymmetric solutions Non-BPS extremal black holes Conclusion and perspectives Constructing black holes and black hole microstates String

1.37k views • 95 slides
Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black

Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black

Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black Tree Properties Red-black tree properties Every node has a color, red or black. The root is black. The leaves are black. nil nil nil nil nil

392 views • 36 slides
Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The Free Haven Project http://freehaven.net/tor/ July 29, Black Hat 2004 Talk Outline Motivation: Why anonymous communication? Personal privacy

788 views • 57 slides
Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service

Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service

Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service provider who agrees to take over the servicing of a portfolio of assets on the occurrence of certain trigger events, most commonly failure of the

829 views • 5 slides
BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY

BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY

BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY HIGHLIGHTED OF BLACK ACHIEVEMENTS The creative contributions in all fields throughout the world. With this background, both Black students

635 views • 46 slides
Example of Black Body Spectra for different temperatures What is the best known example of a black

Example of Black Body Spectra for different temperatures What is the best known example of a black

Example of Black Body Spectra for different temperatures What is the best known example of a black body source? What is the best known example of a black body source? Hint Temperature = 2.7 K Planck Radiation Law Cosmic Microwave

504 views • 32 slides
Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow

Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow

Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow Source: Office for National Statistics, Regional Accounts, 2017 2 3 3 Business stock in the Black Country is at its highest since 2004 Black

532 views • 19 slides
Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK

Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK

Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK PRE-LAW CONFERENCE VALENCIA SCOTT | PRESIDENT SHONDREYA LANDRUM | INTERNAL AFFAIRS VICE PRESIDENT Our Organization Purpose - Goals The Black

589 views • 16 slides
5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node

5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node

Red Black Tree 5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node Is BLACK sometimes referred to as a "Null Leaf" Red Black Tree Properties - B 3. Every RED Node Has Two Black Child

1.14k views • 100 slides
Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers

Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers

Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers Lessons Learned WHO WE ARE Black Hills Corporation is a diversified energy service company operating in several western states. o Corporate Offices

626 views • 39 slides
Queensnake recovery, distribution and stewardship in Huron County 1 2 Queensnake ( Regina

Queensnake recovery, distribution and stewardship in Huron County 1 2 Queensnake ( Regina

Queensnake recovery, distribution and stewardship in Huron County 1 2 Queensnake ( Regina septemvittata) Small to medium semi-aquatic snake Brown to olive back with narrow black stripes Belly is pale yellow with narrow black stripes

368 views • 34 slides
Black Kernel Rot Malady of Pecan B Wood, C Bock, l Wells, T Cottrell, M Hotchkiss Black Kernel

Black Kernel Rot Malady of Pecan B Wood, C Bock, l Wells, T Cottrell, M Hotchkiss Black Kernel

Black Kernel Rot Malady of Pecan B Wood, C Bock, l Wells, T Cottrell, M Hotchkiss Black Kernel Rot: What is it? Black Kernel Rot: Black Phase Black Kernel Rot: Brown Phase Sampling of Fruit for Black Kernel Rot Malady (Lenny

661 views • 35 slides
A taxonomy of black swans What is a Black Swan? Outlier event Hard to predict

A taxonomy of black swans What is a Black Swan? Outlier event Hard to predict

What breaks our systems: A taxonomy of black swans What is a Black Swan? Outlier event Hard to predict Severe in impact Every black swan is unique But there are patterns, and sometimes we can use those to create defences

802 views • 53 slides
A Presentation on Supporting Black Students ALL ARE WELCOME! Presented by the Black Faculty

A Presentation on Supporting Black Students ALL ARE WELCOME! Presented by the Black Faculty

A Presentation on Supporting Black Students ALL ARE WELCOME! Presented by the Black Faculty Counselors' Collaborative July 1, 2020, 12:00 - 2:00 PM Black Faculty Counselors' Collaborative Michael Temple Professor/Counselor, UMOJA Mesa

578 views • 45 slides
to get back on track It took a while but now I have taken back control. Im trying new things,

to get back on track It took a while but now I have taken back control. Im trying new things,

Making it easier to get back on track It took a while but now I have taken back control. Im trying new things, pushing my limits again. Alessia Leading intimate healthcare Coloplast Earnings Conference Call Q1 2019/20 February 6 th , 2020

465 views • 8 slides
Simulations of tilted black hole accretion Sasha Tchekhovskoy (Northwestern) How Do Black

Simulations of tilted black hole accretion Sasha Tchekhovskoy (Northwestern) How Do Black

Simulations of tilted black hole accretion Sasha Tchekhovskoy (Northwestern) How Do Black Holes Explode Galaxies/Clusters? Perseus Cluster (Fabian et al. 2003) Alexander (Sasha) Tchekhovskoy Blue Waters Symposium 2019 How Do Black Holes

276 views • 27 slides
Dr Ben Black Systems Engineer National Instruments ben.black@ni.com Agenda Trends in

Dr Ben Black Systems Engineer National Instruments ben.black@ni.com Agenda Trends in

Dr Ben Black Systems Engineer National Instruments ben.black@ni.com Agenda Trends in Automotive Electronics Flexible HIL Solutions High Speed Deterministic Data Transfer Distributed HIL Discontinuous Simulation Solvers

637 views • 41 slides
Himalayan Black Bear Conservation Awareness program in buffer of JKSNR. HIMALAYAN BLACK BEAR

Himalayan Black Bear Conservation Awareness program in buffer of JKSNR. HIMALAYAN BLACK BEAR

Himalayan Black Bear Conservation Awareness program in buffer of JKSNR. HIMALAYAN BLACK BEAR Asian black bears are dwelling in daytime , though they become nocturnal near human habitations. They may live in family groups consisting of

290 views • 13 slides
Black and White Patrol Cars Briefing to the Vancouver Police Board July 18, 2012 In Camera

Black and White Patrol Cars Briefing to the Vancouver Police Board July 18, 2012 In Camera

Black and White Patrol Cars Briefing to the Vancouver Police Board July 18, 2012 In Camera Superintendent Daryl Wiebe History Black fleet vehicles were the cheapest Colour options were black or black In 1930s: High

587 views • 9 slides

More recommend