Methodologies and Tools for the Development of Non-vulnerable Web Services Nuno Antunes nmsa@dei.uc.pt Advisor: Prof. Marco Vieira 2009/2010 Ph.D. Research Proposal Doctoral Program in Science and Information Technology Department of Informatics Engineering University of Coimbra
Outline Contextualization Motivation Research Objectives and Approach Current Work and Preliminary Results Work Plan Conclusions 2 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Web Services 3 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Motivation Web Services security threats Web Services are widely exposed to attacks Hackers are moving their focus to applications’ code Traditional security mechanisms cannot mitigate these attacks Vulnerabilities like SQL Injection and XPath Injection are particularly relevant Developers must Apply best coding practices However… Security testing! 4 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
The problem Developers often disregard security concerns Focus on satisfying costumer’s requirements Time-to-market constraints limit an in-depth search for security vulnerabilities Not specialized on security Published studies and reports show that, in general, web applications present dangerous security flaws 5 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Research Objectives and Approach (1) Automated tools are very important to: Automatically Detect vulnerabilities Automatically Mitigate vulnerabilities Help developers Including the ones not specialized in security Increase development productivity 6 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Research Objectives and Approach (2) Benchmarking Improving Vulnerability Detection Vulnerability Mitigation Evaluate the existing methodologies Develop a benchmarking suite to assess and compare vulnerability detection and mitigation tools Research and propose improved techniques and methodologies 7 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Benchmarking Automated Tools Evaluate and compare existing solutions to select the best tools and configurations Guide the improvement of methodologies Existing evaluations have limited value Benchmarking approaches will need: Workload Procedures and Rules Measures 8 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
New Techniques for Vuln. Detection (1) Goal : achieve higher coverage and lower false positive rate Tools that don’t need access to services’ code Can be used by web services’ consumers Penetration testing tools: Larger and more comprehensive workloads More complete and complex attackloads Evaluate thoroughly service’s responses 9 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
New Techniques for Vuln. Detection (2) Tools that need access to services’ code Usually present higher coverage rates Important for developers Static code analysis Goal: reduce false positives Take advantage of web services’ well defined interface Analyze relation between inputs and vulnerabilities Verify if the inputs of a WS are pre-processed using vulnerability prevention mechanisms Combination of different techniques Penetration testing with runtime anomaly detection 10 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
New Techniques for Vuln. Mitigation Modify service’s code to remove vulnerabilities Without modifying the functional behavior Introduce attack detection capabilities: Can be used when applications’ code is unavailable Overhead and false positives are prejudicial Very important because: Developers not specialized in security are less capable to fix vulnerabilities Vulnerable code patterns are frequently repeated Can save time and costs in repetitive corrections 11 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Current Work and Preliminary Results Apply leading commercial security scanners in public web services 300 Web Services tested, randomly selected 4 Scanners used (including two versions of a brand) Goals: What is the effectiveness of existing tools for vulnerability detection? Can programmers rely on these tools? What are the most common types of vulnerabilities? 12 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Using Security Scanners in Web Services SQL Injection vulnerabilities Vulnerabilities distributed per type. without False Positives False positives analysis in the next slide 13 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Penetration Testing Approach Detect SQL Injection Vuln. in Web Services: More representative workload More complete attackload Analyze responses to improve coverage and reduce false positives Achieved better results than the security scanners However, the efficiency is limited by the lack of visibility on the internal behavior of the service 14 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
A Runtime Anomaly Detection Approach Detect Command Injection V. in Web Services Implemented for SQL/XPath Inj., but easily extendable Combine the analysis of services responses with the analysis of the runtime behavior Vulnerabilities are identified by comparing the structure of SQL/XPath commands executed in the presence of attacks to the ones previously learned in the absence of attacks Much better results than the existing tools Discussed together with benchmark results 15 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Benchmarking Vuln. Detection Tools Proposed an approach to benchmark the effectiveness of V. D. tools in web services Procedures and measures were specified A concrete benchmark was implemented Targeting tools able to detect SQL Injection A benchmarking example was conducted Results show that the benchmark can be used to assess and compare different tools 16 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Benchmarking Vuln. Detection Tools Tool % TP % FP Tool % TP % FP VS1 32% 54% CIVS 79% 0% VS2 24% 61% SA1 55% 7% VS3 2% 0% SA2 100% 36% VS4 24% 43% SA3 14% 67% Results for CIVS-WS and static analysis Results for Penetration Testing Benchmarked Tools Ranking 17 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Work Plan 18 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Target Conferences and Journals Journals with high impact factor: IEEE Trans. on Software Engineering (TSE) IEEE Trans. on Dependable and Secure Comp. (TDSC) International Journal of Web Services Research (JWSR) IEEE Trans. on Services Computing (TSC) First tier conferences: IEEE/IFIP Dependable Systems and Networks (DSN) IEEE International Conference on Web Services (ICWS) IEEE Services Computing Conference (SCC) … 19 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Conclusions The main goal is to provide tools that help to produce web services with less vulnerabilities Many Web Services present security vulnerabilities Its important to improve automated tools Vulnerability detection Vulnerability mitigation We also need to benchmark these tools This work is important for web services’ providers and consumers… … and also has great scientific potential! 20 Nuno Antunes Ph.D. Research Proposal - 2009/2010 September 10, 2010
Recommend
More recommend