efficient patch based auditing for web application
play

Efficient Patch-based Auditing for Web Application Vulnerabilities - PowerPoint PPT Presentation

Feb 08, 2023 •511 likes •1.1k views

Efficient Patch-based Auditing for Web Application Vulnerabilities Taesoo Kim, Ramesh Chandra, Nickolai Zeldovich MIT CSAIL Example: Github Github hosts projects (git repository) Users have own projects Authentication based on SSH

  1. Efficient Patch-based Auditing for Web Application Vulnerabilities Taesoo Kim, Ramesh Chandra, Nickolai Zeldovich MIT CSAIL

  2. Example: Github ● Github hosts projects (git repository) ● Users have own projects ● Authentication based on SSH public key

  3. Vulnerability: attacker can modify any user's public key ● Publicly announced in March 2012 ● Unauthorized user modified Ruby-on-Rails project after modifying a developer's public key .

  4. Problem: who exploited this vulnerability? ● Other attackers may have known about the vulnerability for months or years ● Adversaries could have modified many users' public keys, repositories, etc. ● Ideally , would like to detect past attacks that exploited this vulnerability

  5. Github's actual response ● Immediately blocked all users ● Asked users to audit own public key

  6. Detecting past attacks is hard ● Current tools require manual log analysis ● Logs may be incomplete ● Logs may be large (Github: 18M req/day)

  7. Too many vulnerabilities to inspect manually ● CVE database: 4,000 vulnerabilities per year ● Hard enough for administrator to apply patches ● Auditing each vulnerability for past attacks is impractical

  8. Approach: automate auditing using patches ● Insight : security patch renders attack harmless ● Technique : compare execution of each request before and after patch is applied ● Same result: no attack ● Different results: potential attack!

  9. Example: Github vulnerability < form > <input type="text" name="key"> <input type="hidden" value="taesoo" name="id" > </ form >

  10. Example: Github vulnerability params = { "key" => "ssh-rsa AAA … ", "id" => "taesoo" } def update_pubkey @key = PublicKey.find_by_id(params['id']) @key.update_attributes(params['key']) end

  11. Example: Github vulnerability params = { attacker? "key" => "ssh-rsa AAA … ", "id" => "taesoo" } def update_pubkey @key = PublicKey.find_by_id(params['id']) @key.update_attributes(params['key']) end

  12. Example: Github vulnerability params = { "key" => "attacker's public key", "id" => "victim" } Attackers can overwrite any user's public key, and thus can modify user's repositories. def update_pubkey @key = PublicKey.find_by_id("victim") @key.update_attributes("attacker's public key") end

  13. Simplified patch for Github's vulnerability def update_pubkey - @key = PublicKey.find_by_id(params['id']) + @key = PublicKey.find_by_id(cur_user.id) @key.update_attributes(params['key']) end Login-ed user's id

  14. Patch-based auditing finds attack ● Replay each request using old(-) & new(+) code ● Attack request generates different SQL queries def update_pubkey - @key = PublicKey.find_by_id(params['id']) + @key = PublicKey.find_by_id(cur_user.id) @key.update_attributes(params['key']) end - UPDATE … WHERE KEY=… ID=victim + UPDATE … WHERE KEY=… ID=attacker

  15. Challenge: auditing many requests ● Necessary to audit huge amount of requests ● Vulnerability may have existed for a long time ● Busy web applications may have many requests (Github: 18M req/day) ● Auditing one month traffic requires two months ● Naive approach requires two re-executions (old & new code) per request

  16. Contribution ● Efficient patch-based auditing for web apps. ● 12 – 51x faster than original execution for challenging patches ● Worst case, auditing one month worth of requests takes 14 – 60 hours

  17. Overview of design Runtime Auditing patch Admin HTTPD Audit Ctrl suspect PHP Replayer requests Audit log

  18. Logging during normal execution CGI, GET, POST … initial input PHP rand() mysql_query() non-deterministic input external input HTML

  19. Auditing a request PHP PHP rand() rand() mysql_query() mysql_query() original patched HTML HTML compare? original function Auditing patched function

  20. Auditing a request PHP PHP rand() rand() mysql_query() mysql_query() Naive approach requires two complete re-executions for every request original patched HTML HTML compare? original function Auditing patched function

  21. Opportunities to improve auditing performance ● Patch might not affect every request ● How to determine affected requests? ● Original and patched runs execute common code ● How to share common code during re-execution? ● Multiple requests execute similar code ● How to reuse similar code across multiple requests?

  22. Key ideas ● Idea 1: Control flow filtering ● Auditing only affected requests ● Idea 2: Function-level auditing ● Sharing common code during re-execution ● Idea 3: Memoized re-execution ● Reusing memoized code across multiple requests

  23. Idea 1: Control flow filtering ● Step 1: Normal execution ● Record the control flow trace ( CFT ) of each request ● Step 2: Indexing ● Map the control flow trace (CFT) to the basic blocks ● Step 3: Auditing ● Compute the basic blocks modified by the patch ● Filter out requests if did not execute any patched basic blocks

  24. Static analysis of source code ● Computing basic blocks of source code ① function get_name() { ② return $_GET['name']; ③ } start ④ if ($_GET['q'] == 'echo') { ⑤ echo get_name(); ⑥ }

  25. Static analysis of source code ● Computing basic blocks of source code ① function get_name() { ② return $_GET['name']; ③ } start ④ if ($_GET['q'] == 'echo') { ⑤ echo get_name(); ⑥ } JMP,BRK …

  26. Recording control flow trace ● Normal execution: logging control flow trace (CFT) of each request /s.php?q=test ① function get_name() { ② return $_GET['name']; ③ } 'test'!='echo' start ④ if ($_GET['q'] == 'echo') { ⑤ echo get_name(); ⑥ } CFT: [ ④ ⑥ ] , (file, scope, func, #instruction)

  27. Computing executed basic blocks ● Indexing: computing executed basic blocks of each request /s.php?q=test Basic Blocks ① function get_name() { return $_GET['name']; ② [ , , ] ① ② ③ ③ } [ ] ④ ④ if ($_GET['q'] == 'echo') { [ ] ⑤ echo get_name(); ⑤ [ ] ⑥ } ⑥

  28. Computing modified basic blocks ● Auditing: compute the basic blocks modified by the patch Basic Blocks ① function get_name() { - ② return $_GET['name']; [ ① ② , , ] ③ + ② return sanitize($_GET['name']); ③ } [ ] ④ ④ if ($_GET['q'] == 'echo') { [ ] ⑤ ⑤ echo get_name(); [ ] ⑥ ⑥ }

  29. Comparing basic blocks ● Auditing: filter out the requests that did not execute patched basic blocks Executed Patched [ , , ] ① ② ③ [ ① ② , , ] ③ [ ] [ ] ④ ④ [ ] ⑤ [ ] ⑤ [ ] [ ] ⑥ ⑥

  30. Summary: control flow filtering Filtered Recorded requests Affected requests modified basic block

  31. Idea 2: Function-level auditing PHP PHP optimization 1 optimization 2 original function patched function ● Optimization 1: sharing common code ● Share code up to the patched function ● Optimization 2: early termination ● Stop after the last invocation of the patched functions

  32. Function-level auditing PHP Auditing fork() original function compare patched function side-effects? ● Intercept side-effects inside the patched functions ● Stop after the last invocation of the patched functions ● Compare intercepted side-effects

  33. Intercepting side-effects global writes class PublicKey { (e.g., global, class) … function update($key) { html output $this->last = date(); echo "updated"; $rtn = mysql_query("UPDATE … $key …"); return $rtn; } return value external calls … (e.g., header, sql-query …) } <the worst case example>

  34. Comparing side-effects PHP Serialized Serialized [output] [output] s:102:<html> …. s:102:<html> …. fork() [globals] [globals] s:29:Fri Sept …; s:29:Fri Sept …; s:7:patched; s:6:updated; … … [return] [return] r:1 r:1 compare side-effects? ● If different , mark the request suspect ● If same , stop and audit next request

  35. Summary: function-level auditing Optimize Affected requests ... Naive Function-level auditing auditing

  36. Idea 3: Memoized re-execution ● Motivation : many requests run similar code 1)/s.php?q=echo&name= alice CFT : [ ] ④ , ⑤ , ① ② ③ ⑥ , ⑤ , , ⑤ , ① , ② , ⑤ , ⑤ , ① , ⑤ , ① ② , ③ ① ② ③ , ⑥ , , , , , , ① function get_name() { ② return $_GET['name']; ③ } start ④ if ($_GET['q'] == 'echo') { ⑤ echo get_name(); ⑥ }

  37. Idea 3: Memoized re-execution ● Motivation : many requests run similar code 1)/s.php?q=echo&name= alice 2)/s.php?q=echo&name= bob ④ ⑤ , ① ② ③ , ⑥ CFT : [ , , , ] 3)/s.php?q=echo&name= <script>… ① function get_name() { ② return $_GET['name']; ③ } start ④ if ($_GET['q'] == 'echo') { ⑤ echo get_name(); ⑥ }

  38. Idea 3: Memoized re-execution ● Motivation : many requests run similar code Control flow group ( CFG ) 1)/s.php?q=echo&name= alice 2)/s.php?q=echo&name= bob ④ ⑤ , ① ② ③ , ⑥ CFT : [ , , , ] 3)/s.php?q=echo&name= <script>… ① function get_name() { ② return $_GET['name']; ③ } start ④ if ($_GET['q'] == 'echo') { ⑤ echo get_name(); ⑥ }

Recommend

Application of data analysis in public auditing of the national goals attainability:

Application of data analysis in public auditing of the national goals attainability:

2020 Application of data analysis in public auditing of the national goals attainability: evidence-based policies in contemporary state governance 1. Theory of change and theory of transformation: application for analysis of national goals

597 views • 18 slides
INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing

INNOVATIVE SOLUTIONS MEETING EXPECTATIONS Locations &amp; Projects Auditing Auditing and assurance plays a crucial part of ensuring the safety and integrity of any diving system as well as ensuring safe and efficient diving

185 views • 14 slides
Highly Efficient GF (2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application

Highly Efficient GF (2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application

Saint-Malo, September 13th, 2015 Cryptographic Hardware and Embedded Systems Highly Efficient GF (2 8 ) Inversion Circuit Based on Redundant GF Arithmetic and Its Application to AES Design Rei Ueno 1 , Naofumi Homma 1 , Yukihiro Sugawara 1 ,

445 views • 26 slides
School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana

School Equipment Auditing System(SEAS) Mr.Anuwat Shutanaruk 5522800556 Mr.Thanapon Areewattana 5522791896 Objective To make auditing system more efficient we develop the new auditing system version. Motivation Old style of search or tracking

852 views • 8 slides
Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By:

Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By:

Fac acial ial Ex Expression ression Det etecti ection on using ng Pat Patch ch-based based Ei Eigen en-fac ace e Isomap omap Netw Networ orks ks By: Sohini Roychowdhury, Assistant Professor, Department of Electrical and

951 views • 17 slides
Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst

Remarks on Auditing, Regulatory Auditing and Regulatory Auditing Strategy Prof. Dr. Horst Frankenberger University of Applied Sciences Lbeck SG 4: Auditing - Lbeck 16.09.2002 1 Remarks on Auditing, Regulatory Auditing and Regulatory

305 views • 16 slides
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation ( ) has emerged as a central hub

648 views • 36 slides
Efficient Power Management based on Application Timing Overview of presentation Semantics for

Efficient Power Management based on Application Timing Overview of presentation Semantics for

Efficient Power Management based on Application Timing Overview of presentation Semantics for Wireless Sensor Motivation for power management Networks Power management techniques ESSAT Octav Chipara, Chenyang Lu, Workload model

304 views • 6 slides
Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept.

Auditing large-scale medical terminologies, with a focus on SNOMED CT Ronald Cornet PhD Dept. of Medical Informatics Academic Medical Center University of Amsterdam Outline Background Types of Auditing Logic-based Auditing

245 views • 21 slides
An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of

An Analysis of Patch Plausibility and Correctness of Generate-And- Validate Patch Genera8on System Zichao Qi , Fan Long, Sara Achour, and Mar8n Rinard MIT

323 views • 29 slides
IMS based NGN IMS based NGN Architecture Architecture and its application and its application

IMS based NGN IMS based NGN Architecture Architecture and its application and its application

I nternational Telecom m unication Union ITU-T IMS based NGN IMS based NGN Architecture Architecture and its application and its application Dick Knight BT Group plc I TU-T W orkshop NGN and its Transport Netw orks Kobe, 2 0 -2 1

218 views • 17 slides
La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong

La Larg rge-Scal Scale Patch Patch Reco comme mmendati ation at at Alibab aba Xindong Zhang 1 , Chenguang Zhu 2 , Yi Li 3 , Jianmei Guo 1 , Lihua Liu 1 , and Haobo Gu 1 1. Alibaba Group 2. University of Texas at Austin 3. Nanyang

462 views • 7 slides
Identifying Patch Correctness in Test-based Program Repair Yingfei Xiong, Xinyuan Liu, Muhan Zeng

Identifying Patch Correctness in Test-based Program Repair Yingfei Xiong, Xinyuan Liu, Muhan Zeng

Identifying Patch Correctness in Test-based Program Repair Yingfei Xiong, Xinyuan Liu, Muhan Zeng , Lu Zhang, Gang Huang Peking University Test-based Program Repair Passing test Passing test Program Program Passing test Patch Passing

465 views • 27 slides
Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1

Auditing Chapter 25 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 25-1 Outline Overview What is auditing? What does an audit system look like? How do you design an auditing system? Auditing mechanisms

1.4k views • 88 slides
A Fast Spatial Patch Blending Algorithm for Artefact Reduction in Pattern-based Image Inpainting

A Fast Spatial Patch Blending Algorithm for Artefact Reduction in Pattern-based Image Inpainting

A Fast Spatial Patch Blending Algorithm for Artefact Reduction in Pattern-based Image Inpainting Maxime Daisy, David Tschumperl e, Olivier L ezoray GREYC - UMR 6072 CNRS, ENSICAEN, University of Caen Image team SIGGRAPH Asia 21

542 views • 42 slides
An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long

An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long

An Efficient GPU-based An Efficient GPU-based LDPC Decoder for Long LDPC Decoder for Long Codewords Codewords Stefan Grnroos Kristian Nybom Jerker Bjrkqvist 18.10.11 bo Akademi University - Turku, Finland 1 Background Background

301 views • 11 slides
Bruin Patch &amp; Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Bruin Patch &amp; Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for

Brookings-Harbor School District 17C School-based Businesses Bruin Patch &amp; Big Wave C ate ring Recipe for Success: Community Partnerships Recipe for success OSU Extension Office Local School District 4H Youth Bruin Patch &amp;

612 views • 12 slides
THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with

16/11/2012 THE AUDITING OF SOCIAL ACCOUNTS SOME GENERAL CONSIDERATIONS INDEPENDENT AUDITING (with certification) OF SOCIAL ACCOUNTS A DEBATE (CONSIDERING IN THIS CASE ONLY ITALY): A) ONLY VOLUNTARY B) COMPULSORY BY LAW 1

322 views • 7 slides
Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and

5/21/2015 Non-Inferiority Assessment of Patch Adhesion Non-Inferiority Assessment of Patch Adhesion and and Dermatology Irritation of Post-Market Dermatology Irritation Evaluation Change and Generic Drug Evaluation Presented by Mark Liu,

529 views • 22 slides
A Component-Based Architecture for Power-Efficient Media Access Control in WSNs Kevin Klues ,

A Component-Based Architecture for Power-Efficient Media Access Control in WSNs Kevin Klues ,

A Component-Based Architecture for Power-Efficient Media Access Control in WSNs Kevin Klues , Greg Hackmann, Octav Chipara, Chenyang Lu Department of Computer Science and Engineering Problem ! Conflicting application requirements &quot; Energy

598 views • 41 slides
Auditing a DRE-Based Election in South Carolina D. A. Buell, E. Hare, F. Heindel, C. Moore, B.

Auditing a DRE-Based Election in South Carolina D. A. Buell, E. Hare, F. Heindel, C. Moore, B.

Auditing a DRE-Based Election in South Carolina D. A. Buell, E. Hare, F. Heindel, C. Moore, B. Zia Computer Science and Engineering 1 August 11, 11 Elections in South Carolina Statewide adoption of ES&amp;S iVotronics DRE (2006-forward) with

617 views • 19 slides
Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Auditing in the Public Interest Auditing in the Public Interest Victorian Government

Victorian Auditor-Generals Office Auditing in the Public Interest Auditing in the Public Interest Victorian Government Solicitors Office Seminar 30 May 2007 Des Pearson - Auditor-General 1 Auditing in the Public Interest Personal

352 views • 20 slides
Congress A System For Declaring, Auditing, and Enforcing Policy In Heterogeneous Cloud

Congress A System For Declaring, Auditing, and Enforcing Policy In Heterogeneous Cloud

Congress A System For Declaring, Auditing, and Enforcing Policy In Heterogeneous Cloud Environments Peter Balland Tim Hinrichs OpenStack Summit, May 2014 The Policy Problem Organizational Business Contracts Rules Industrial Application

348 views • 18 slides
How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to

How to install Patch Manager Plus at AWS Steps to install Patch Manager Plus at AWS 1. Login to Aws console 2. Select launch instance 3. Select your OS 4. Choose instance type 5. Select VPC 6. Add storage 7. Tag your instance 8. Configure security

185 views • 14 slides

More recommend