  1. Methodologies and Tools for the Development of Non-vulnerable Web Services
  Nuno Antunes (nmsa@dei.uc.pt)
  Advisor: Prof. Marco Vieira
  2009/2010 Ph.D. Research Proposal
  Doctoral Program in Science and Information Technology, Department of Informatics Engineering, University of Coimbra

  2. Outline
   Contextualization
   Motivation
   Research Objectives and Approach
   Current Work and Preliminary Results
   Work Plan
   Conclusions
  Nuno Antunes, Ph.D. Research Proposal 2009/2010, September 10, 2010

  3. Web Services

  4. Motivation
   Web Services security threats
     Web Services are widely exposed to attacks
     Hackers are moving their focus to applications' code
     Traditional security mechanisms cannot mitigate these attacks
     Vulnerabilities like SQL Injection and XPath Injection are particularly relevant
   Developers must
     Apply best coding practices
     However… security testing is still needed!

  5. The problem
   Developers often disregard security concerns
     Focus on satisfying customers' requirements
     Time-to-market constraints limit an in-depth search for security vulnerabilities
     Not specialized in security
   Published studies and reports show that, in general, web applications present dangerous security flaws

  6. Research Objectives and Approach (1)
   Automated tools are very important to:
     Automatically detect vulnerabilities
     Automatically mitigate vulnerabilities
     Help developers, including the ones not specialized in security
     Increase development productivity

  7. Research Objectives and Approach (2)
  Two lines of work (Benchmarking and Improving), each applied to Vulnerability Detection and to Vulnerability Mitigation:
   Evaluate the existing methodologies
   Develop a benchmarking suite to assess and compare vulnerability detection and mitigation tools
   Research and propose improved techniques and methodologies

  8. Benchmarking Automated Tools
   Evaluate and compare existing solutions to select the best tools and configurations
   Guide the improvement of methodologies
   Existing evaluations have limited value
   Benchmarking approaches will need:
     Workload
     Procedures and rules
     Measures

  9. New Techniques for Vuln. Detection (1)
   Goal: achieve higher coverage and a lower false positive rate
   Tools that don't need access to the services' code
     Can be used by web services' consumers
   Penetration testing tools:
     Larger and more comprehensive workloads
     More complete and complex attackloads
     Evaluate the service's responses thoroughly

  10. New Techniques for Vuln. Detection (2)
   Tools that need access to the services' code
     Usually present higher coverage rates
     Important for developers
   Static code analysis
     Goal: reduce false positives
     Take advantage of web services' well-defined interface
     Analyze the relation between inputs and vulnerabilities
     Verify whether the inputs of a WS are pre-processed using vulnerability prevention mechanisms
   Combination of different techniques
     Penetration testing with runtime anomaly detection

  11. New Techniques for Vuln. Mitigation
   Modify the service's code to remove vulnerabilities
     Without modifying the functional behavior
   Introduce attack detection capabilities:
     Can be used when the application's code is unavailable
     Overhead and false positives are detrimental
   Very important because:
     Developers not specialized in security are less able to fix vulnerabilities
     Vulnerable code patterns are frequently repeated
     Can save time and costs in repetitive corrections

  12. Current Work and Preliminary Results
   Apply leading commercial security scanners to public web services
     300 Web Services tested, randomly selected
     4 scanners used (including two versions of the same brand)
   Goals:
     What is the effectiveness of existing tools for vulnerability detection?
     Can programmers rely on these tools?
     What are the most common types of vulnerabilities?

  13. Using Security Scanners in Web Services
  [Chart: SQL Injection vulnerabilities detected per scanner, without false positives]
  [Chart: Vulnerabilities distributed per type]
   False positives analysis in the next slide

  14. Penetration Testing Approach
   Detect SQL Injection vulnerabilities in Web Services:
     More representative workload
     More complete attackload
     Analyze responses to improve coverage and reduce false positives
   Achieved better results than the security scanners
   However, the effectiveness is limited by the lack of visibility on the internal behavior of the service

  15. A Runtime Anomaly Detection Approach
   Detect command injection vulnerabilities in Web Services
     Implemented for SQL/XPath Injection, but easily extendable
   Combine the analysis of the service's responses with the analysis of its runtime behavior
   Vulnerabilities are identified by comparing the structure of the SQL/XPath commands executed in the presence of attacks to the ones previously learned in the absence of attacks
   Much better results than the existing tools
     Discussed together with the benchmark results
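The two detection strategies of slides 14 and 15 side by side, as an added example that is not part of the original slides and is not the author's tool: a toy SQLite-backed service operation in a vulnerable and a hardened version, a small constructed attackload, black-box response analysis (compare each attack response with the response for a harmless value and look for leaked database errors), and runtime anomaly detection (learn the structure of the SQL executed for an attack-free workload, then flag commands whose structure is new under attack). The instrumentation hook (`Monitor`) and the structure definition (token kinds with literals abstracted to `STR`/`NUM`) are this example's assumptions; the slides do not specify them.

```python
"""Added example, not from the original slides: response analysis and runtime
anomaly detection for SQL injection, run against a toy service.  The Monitor
hook and the structure() definition are assumptions of this example."""
import re
import sqlite3

def make_db():
    """Constructed sample data standing in for the service's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice@example.org"), (2, "bob", "bob@example.org")])
    return conn

class Monitor:
    """Assumed instrumentation point in the data-access layer: records every SQL
    command the service hands to the database, before the database executes it."""
    def __init__(self):
        self.commands = []

    def execute(self, conn, sql, params=()):
        self.commands.append(sql)
        return conn.execute(sql, params).fetchall()

def vulnerable_lookup(conn, mon, name):
    """Service operation that concatenates the consumer's input into the query."""
    try:
        return {"rows": mon.execute(conn, "SELECT id, name FROM users WHERE name = '" + name + "'")}
    except sqlite3.Error as e:
        return {"error": str(e)}          # verbose error sent back to the consumer

def hardened_lookup(conn, mon, name):
    """Same operation with a prepared statement: the input never changes the SQL structure."""
    try:
        return {"rows": mon.execute(conn, "SELECT id, name FROM users WHERE name = ?", (name,))}
    except sqlite3.Error as e:
        return {"error": str(e)}

WORKLOAD = ["alice", "bob", "carol"]                       # valid requests (constructed)
ATTACKLOAD = ["'", "' OR '1'='1", "' OR 1=1 --",
              "x' UNION SELECT id, email FROM users --"]   # attack requests (constructed)
DB_ERROR_SIGNATURES = ("unrecognized token", "syntax error", "near ")

def response_analysis(service, conn, mon):
    """Black-box detection: each attack response is compared with the response for
    a harmless value that matches nothing, and checked for leaked database errors."""
    baseline = service(conn, mon, "no_such_user")
    findings = []
    for payload in ATTACKLOAD:
        resp = service(conn, mon, payload)
        err = resp.get("error", "")
        if any(sig in err for sig in DB_ERROR_SIGNATURES):
            findings.append((payload, "database error leaked in response"))
        elif resp.get("rows") and resp != baseline:
            findings.append((payload, "attack returned rows a nonexistent user should not"))
    return findings

TOKEN = re.compile(r"\s*('(?:[^']|'')*'|\d+(?:\.\d+)?|[A-Za-z_]\w*|[^\s\w'])")

def structure(sql):
    """Abstract a SQL command into its structure (assumed definition): string and
    numeric literals become STR and NUM, keywords, identifiers and punctuation are
    kept, and text the tokenizer cannot consume (an unterminated quote) is MALFORMED."""
    out, pos, sql = [], 0, sql.strip()
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if not m:
            out.append("MALFORMED")
            break
        tok, pos = m.group(1), m.end()
        if tok.startswith("'"):
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        else:
            out.append(tok.upper())
    return " ".join(out)

def runtime_anomaly_detection(service, conn):
    """Learn the command structures produced by the attack-free workload, then flag
    every command issued during the attackload whose structure was never learned."""
    learn = Monitor()
    for name in WORKLOAD:
        service(conn, learn, name)
    known = {structure(sql) for sql in learn.commands}
    findings = []
    for payload in ATTACKLOAD:
        attack = Monitor()
        service(conn, attack, payload)
        for sql in attack.commands:
            if structure(sql) not in known:
                findings.append((payload, structure(sql)))
    return known, findings

if __name__ == "__main__":
    conn = make_db()
    for svc in (vulnerable_lookup, hardened_lookup):
        print(svc.__name__)
        print("  response analysis:", response_analysis(svc, conn, Monitor()))
        print("  runtime anomaly:  ", runtime_anomaly_detection(svc, conn)[1])
```

Against the vulnerable operation both detectors report all four payloads; against the hardened one neither reports anything, because the prepared statement's structure (`... WHERE NAME = ?`) never changes. The bare-quote payload shows why the runtime view is the stronger one: the database rejects the command, so response analysis only sees it if the service leaks the error, whereas the monitor sees the malformed command regardless of what the service returns.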

  16. Benchmarking Vuln. Detection Tools
   Proposed an approach to benchmark the effectiveness of vulnerability detection tools in web services
     Procedures and measures were specified
   A concrete benchmark was implemented
     Targeting tools able to detect SQL Injection
   A benchmarking example was conducted
     Results show that the benchmark can be used to assess and compare different tools

  17. Benchmarking Vuln. Detection Tools
  Results for penetration testing tools:
    Tool   % TP   % FP
    VS1    32%    54%
    VS2    24%    61%
    VS3     2%     0%
    VS4    24%    43%
  Results for CIVS-WS and static analysis tools:
    Tool   % TP   % FP
    CIVS   79%     0%
    SA1    55%     7%
    SA2   100%    36%
    SA3    14%    67%
  [Figure: Benchmarked tools ranking]
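How the measures in the table above are obtained from a benchmark run, as an added example covering slides 8, 16 and 17 (not the author's benchmark code): a ground truth of vulnerable operations in the workload, each tool's report, and the two measures computed from them. Since the slides do not spell the definitions out, this example assumes % TP is the share of existing vulnerabilities a tool reports (coverage) and % FP the share of the tool's reports that are not real vulnerabilities; ranking by F-measure is likewise this example's choice. The tools and all data are constructed.

```python
"""Added example, not from the original slides: benchmark measures and ranking
for vulnerability detection tools.  The definitions of % TP and % FP and the
F-measure ranking are assumptions of this example; all data is constructed."""

# Ground truth for the benchmark workload: (service, operation, parameter)
# triples that really contain a SQL injection vulnerability (constructed).
TRUTH = {
    ("OrderSvc", "getOrder", "orderId"),
    ("OrderSvc", "searchOrders", "customer"),
    ("UserSvc", "login", "username"),
    ("UserSvc", "login", "password"),
    ("CatalogSvc", "findProduct", "name"),
}

# What each hypothetical tool reported for the same workload (constructed).
REPORTS = {
    "scanner": {("OrderSvc", "getOrder", "orderId"),
                ("OrderSvc", "getOrder", "format"),          # false positive
                ("CatalogSvc", "listProducts", "page")},      # false positive
    "static":  TRUTH | {("UserSvc", "logout", "session"),     # everything, plus
                        ("CatalogSvc", "findProduct", "limit")},  # two false positives
    "anomaly": {("OrderSvc", "getOrder", "orderId"),
                ("OrderSvc", "searchOrders", "customer"),
                ("UserSvc", "login", "username"),
                ("CatalogSvc", "findProduct", "name")},       # misses one, no false positives
}

def measures(truth, reported):
    """Benchmark measures for one tool: counts, % TP (coverage), % FP (share of
    the tool's reports that are wrong) and the F-measure of precision and recall."""
    tp = len(truth & reported)
    fp = len(reported - truth)
    fn = len(truth - reported)
    precision = tp / (tp + fp) if reported else 0.0
    recall = tp / (tp + fn)
    f = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "pct_tp": round(100 * recall, 1),
            "pct_fp": round(100 * (1 - precision), 1) if reported else 0.0,
            "f_measure": round(f, 3)}

def rank(truth, reports, key="f_measure"):
    """Rank the tools by one measure, best first (F-measure unless told otherwise)."""
    scored = {tool: measures(truth, rep) for tool, rep in reports.items()}
    return sorted(scored.items(), key=lambda kv: kv[1][key], reverse=True)

if __name__ == "__main__":
    print("Tool      % TP   % FP   F")
    for tool, m in rank(TRUTH, REPORTS):
        print(f"{tool:8} {m['pct_tp']:5}  {m['pct_fp']:5}  {m['f_measure']}")
```

Ranking on % TP alone would put the static tool first (it reports every real vulnerability), while the F-measure ranking puts the anomaly tool first because its 0% false positives outweigh the one vulnerability it misses; which criterion to adopt is exactly the kind of rule the benchmark's procedures have to fix in advance.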

  18. Work Plan

  19. Target Conferences and Journals
   Journals with high impact factor:
     IEEE Trans. on Software Engineering (TSE)
     IEEE Trans. on Dependable and Secure Computing (TDSC)
     International Journal of Web Services Research (JWSR)
     IEEE Trans. on Services Computing (TSC)
   First-tier conferences:
     IEEE/IFIP Dependable Systems and Networks (DSN)
     IEEE International Conference on Web Services (ICWS)
     IEEE Services Computing Conference (SCC)
     …

  20. Conclusions
   The main goal is to provide tools that help to produce web services with fewer vulnerabilities
   Many Web Services present security vulnerabilities
   It's important to improve automated tools
     Vulnerability detection
     Vulnerability mitigation
   We also need to benchmark these tools
   This work is important for web services' providers and consumers…
   … and also has great scientific potential!
