combining static analysis and runtime monitoring to
play

Combining Static Analysis and Runtime Monitoring to Counter - PowerPoint PPT Presentation

Nov 04, 2022 •17 likes •187 views

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond & Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to

  1. Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond & Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to Georgia Tech.

  2. Vulnerable Application String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.executeQuery(queryString); William Halfond – WODA 2005

  3. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.executeQuery(queryString); Normal Usage  User submits login “ doe ” and password “ xyz ”  SELECT info FROM users WHERE login=’ doe ’ AND pass=’ xyz ’ William Halfond – WODA 2005

  4. Attack Scenario String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.executeQuery(queryString); Malicious Usage  Attacker submits “ ’ or 1=1 -- ” and password of “”  SELECT info FROM users WHERE login=’ ’ or 1=1 -- ’ AND pass=’’ William Halfond – WODA 2005

  5. Presentation Outline • Related Work • Our Solution • Implementation Details • Preliminary Results William Halfond – WODA 2005

  6. Related Approaches • Program Analysis • Information Flow Reasoning [Huang04] • Type Analysis [Gould04] • Check for Tautologies [Wasserman04] • Defensive Coding [WSC03] • Proxy Filtering [Scott02] • Randomized Instruction Set [Kc03] • Penetration Testing [Huang03] William Halfond – WODA 2005

  7. Our Solution Basic Insights Code contains enough information to accurately 1. predict and model all possible queries. A SQL Injection Attack will not conform to the 2. predicted model. Solution: Static analysis => build query models Runtime analysis => enforce models William Halfond – WODA 2005

  8. Overview of Analysis Identify all hotspots. 1. Build SQL query models for each 2. hotspot. Instrument hotspots. 3. Monitor application at runtime. 4. William Halfond – WODA 2005

  9. 1 -- Identify Hotspots Scan application code to identify hotspots. String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; } ResultSet tempSet = stmt.executeQuery(queryString); Hotspot William Halfond – WODA 2005

  10. 2 -- Build SQL Query Model Use JSA [Christensen03] to construct 1. character-level automaton. Parse graph (similar to [Gould04]) to group 2. characters into SQL tokens. = ‘ guest ‘ login SELECT info FROM userTable WHERE login = ‘ VAR ‘ AND pass = ‘ VAR ‘ William Halfond – WODA 2005

  11. 3 -- Instrument Application Wrap each hotspot with call to monitor. String queryString = "SELECT info FROM userTable WHERE "; if ((! login.equals("")) && (! password.equals(""))) { queryString += "login='" + login + "' AND pass='" + password + "'"; } else { queryString+="login='guest'"; Call to Monitor } if (monitor.accepts (hotspotID, queryString) { ResultSet tempSet = stmt.executeQuery(queryString); } Hotspot William Halfond – WODA 2005

  12. 4 -- Runtime Monitoring Check queries against SQL query model. = ‘ guest ‘ login SELECT info FROM userTable WHERE login = ‘ VAR ‘ AND pass = ‘ VAR ‘ Normal Usage: SELECT info FROM userTable WHERE login = ‘ doe ‘ AND pass = ‘ xyz ‘ William Halfond – WODA 2005

  13. 4 -- Runtime Monitoring Check queries against SQL query model. = ‘ guest ‘ login SELECT info FROM userTable WHERE login = ‘ VAR ‘ AND pass = ‘ VAR ‘ Malicious Usage: SELECT info FROM userTable WHERE login = ‘ ‘ OR 1 = 1 -- ‘ AND pass = ‘ ‘ William Halfond – WODA 2005

  14. Implementation Analysis Module: (Steps 1 & 2) • String Analysis: JSA [Christensen03] • SQL Tokenizing: Modified depth- first traversal Instrumentation: (Step 3) • InsECT [Chawla04] Run-time Monitoring: (Step 4) • Monitoring Library: InsECT [Chawla04] • Runtime Checker: NDFA implementation William Halfond – WODA 2005

  15. Preliminary Results • Used two applications • Identified vulnerable hotspots • Crafted targeted attack queries and normal queries • Evaluated effectiveness of technique for protecting applications • No false positives or negatives. William Halfond – WODA 2005

  16. Future Work • More extensive and realistic evaluation • Identify limitations of analysis • Evaluate scalability of technique • Use of dynamic techniques to construct model where static analysis fails William Halfond – WODA 2005

  17. Questions William Halfond – WODA 2005

Recommend

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu

Using AOP for Detailed Runtime Monitoring Instrumentation Jonathan E Cook, joncook@nmsu.edu Amjad Nusayr, anusayr@cs.nmsu.edu The 2009 Workshop on Dynamic Analysis New Mexico State University Runtime Monitoring The act of observing an

590 views • 23 slides
MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz,

MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz,

Runtime Monitoring Quantified Event Automata Efficient monitoring Using MarQ MarQ : Monitoring At Runtime with QEA Giles Reger in collaboration with Helena Cuenca Cruz, David Rydeheard at University of Manchester, UK April 17th, 2015 Runtime

1.01k views • 97 slides
Runtime monitoring of time-critical tasks in multi-core systems Claire Pagetti ONERA, France

Runtime monitoring of time-critical tasks in multi-core systems Claire Pagetti ONERA, France

Runtime monitoring of time-critical tasks in multi-core systems Claire Pagetti ONERA, France Christine Rochange, Univ. of Toulouse, France Motivation Static analysis provides safe but pessimistic WCET estimates safe WCET estimation

257 views • 10 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting

Static Analysis of Haskell Neil Mitchell http://ndmitchell.com Static Analysis is getting insights at compile time Full branch coverage Terminates Doesnt rely on a test suite Types are static analysis. Lets talk about

784 views • 39 slides
SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static

SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static

SERVER-SIDE ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Static analysis for Runtime analysis bug finding Fuzzing Pen testing Tainting Scripting languages Symbolic execution analyzed

646 views • 41 slides
Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ?

Static Analysis for Secure Development Introduction Static analysis : What , and why ? Basic analysis ! Example : Flow analysis ! Increasing precision ! Context -, flow -, and path sensitivity Scaling it up !

527 views • 27 slides
1 Analysis Information Where Do Facts Hold? How much information depends on the client

1 Analysis Information Where Do Facts Hold? How much information depends on the client

711? CS711 Advanced Programming Languages Topics in Program Analysis Radu Rugina Fall 2005 CS711 Overview 2 Program Analysis Static vs. Dynamic Static analysis: inspect programs at compile-time Static analysis: Work done at

282 views • 4 slides
A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical

A Brief Introduction to Static Analysis Sam Blackshear March 13, 2012 Outline A theoretical problem and how to ignore it An example static analysis What is static analysis used for? Commercial successes Free static analysis tools you should

490 views • 37 slides
Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk

Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk

Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk about gdb, etc. Approaches to Fin inding Security Bugs 2 Runtime Monitoring Black-box Testing Static Analysis From Coverity 3

613 views • 33 slides
Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Static Analysis Static Analysis they are read? Will the current value of a variable ever be

Interesting Questions Interesting Questions Is every statement reachable? Does every non- void method return a value? Compilation 2007 Compilation 2007 Will local variables definitely be assigned before Static Analysis Static

169 views • 13 slides
Unication of static analyses and runtime measurements for improving vectorization Ashay Rane,

Unication of static analyses and runtime measurements for improving vectorization Ashay Rane,

Unication of static analyses and runtime measurements for improving vectorization Ashay Rane, Rakesh Krishnaiyer, Chris Newburn, James Browne, Leo Fialho and Zakhar Matveev th 4 August, 2014 Petascale Tools Workshop 1 Overview of this

430 views • 26 slides
Static and dynamic verification Software inspections Concerned with analysis of the static

Static and dynamic verification Software inspections Concerned with analysis of the static

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis Software

430 views • 12 slides
Static Analysis of Embedded DSL-s Aivar Annamaa University of Tartu aivar.annamaa@gmail.com

Static Analysis of Embedded DSL-s Aivar Annamaa University of Tartu aivar.annamaa@gmail.com

Static Analysis of Embedded DSL-s Aivar Annamaa University of Tartu aivar.annamaa@gmail.com February 6th, 2010 Problem DSL-s are often embedded as string literals in a GPL SQL, RegEx, HTML Mistakes pop up at runtime Especially

668 views • 15 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
St Static to live: Combining St Stata wi with th Go Google Charts API Stata Conference

St Static to live: Combining St Stata wi with th Go Google Charts API Stata Conference

St Static to live: Combining St Stata wi with th Go Google Charts API Stata Conference Chicago 2016 Belen Chavez William Matsuoka July 28, 2016 Overview Motivation Introduction Examples Future features Questions

785 views • 45 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that

Static analysis and all that Martin Steffen IfI UiO Spring 2014 Static analysis and all that Martin Steffen IfI UiO Spring 2014 Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on progress/interest

2.15k views • 194 slides
CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk04.1 Static Analysis Introduction Coleman Kane kaneca@mail.uc.edu February 1, 2017 Static Analysis Static Analysis is the process of documenting your observations about what identifying characteristics a

575 views • 8 slides
Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel

Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel

Combining Static and Dynamic Contract Checking for Curry Michael Hanus University of Kiel Programming Languages and Compiler Construction LOPSTR 2017 Michael Hanus (CAU Kiel) Combining Static and Dynamic Contract Checking for Curry LOPSTR

463 views • 20 slides
Static and dynamic verification Software inspections Concerned with analysis of the

Static and dynamic verification Software inspections Concerned with analysis of the

1 Static and dynamic verification Software inspections Concerned with analysis of the static system representation to discover problems (static verification) May be supplement by tool-based document and code analysis

310 views • 12 slides
Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all

Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Static analysis and all that Martin Steffen IfI UiO Spring 2014 uio Plan approx. 15 lectures, details see web-page flexible time-schedule, depending on

938 views • 69 slides
Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis

Modelling, Specification and Formal Analysis of Complex Software Systems Precise Static Analysis of Programs with Dynamic Memory Mihaela Sighireanu IRIF, University Paris Diderot & CNRS VTSA 2015 1 / 99 Static Analysis Establish

2.15k views • 186 slides
Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile

Whats Coverity static analysis ever done for us? Philip Withnall Endless Mobile philip@tecnocode.co.uk July 30, 2017 MANCHESTER What is static analysis? Compile-time testing of all possible code paths. Whats Coverity static analysis

236 views • 12 slides
Outline t t Why static analysis? t t What is it? Underlying technology t Some

Outline t t Why static analysis? t t What is it? Underlying technology t Some

2005-05-04 Static Analysis methods and tools An industrial study t Pr Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU t itle Outline t t Why static analysis? t t What is it? Underlying technology t Some tools

438 views • 19 slides

More recommend