The SPaCIoS Tool: property-driven and vulnerability-driven security testing for Web-based apps
Alessandro Armando, DIBRIS – University of Genova and Security & Trust – FBK, Trento (on behalf of the SPaCIoS consortium)
STREP Project number: 257876; Objective ICT-2009.1.4 c: Technology and Tools for Trustworthy ICT; 01.10.10 − 31.01.14
www.spacios.eu
Motivations
Goal
Model Checking vs Penetration Testing

| | Model Checking | Penetration Testing | The SPaCIoS Ideal |
|---|---|---|---|
| Target of Verification/Validation | Abstraction of the system (the Model) | Actual System (the System Under Validation, SUV) | 1. Use model to test Actual System; 2. Use system to discharge spurious attacks; 3. Use system to build model |
| Scope | Design flaws | Implementation flaws | Design and Implementation flaws (and their interaction) |
| Input | Model + Spec of Sec. Goals & Assumptions | Vulnerabilities to seek (attack surface automatically discovered) | Partial model, sec. goals & assumptions, vulnerabilities (in user-friendly notation) |
| Automation | High | Low | High |
The SPaCIoS Tool
• Research prototype that complements state-of-the-art model checking, security testing, penetration testing, …
• Targets industrially-relevant Security Protocols & Web Apps
• Broad security range: logic flaws, injections, AC, …; good coverage of OWASP Top 10
• Promising results: SAML SSO, OAuth2, ..; WebGoat, Shopping Cart, ..
• On-going transfers to SAP and SIEMENS
[Architecture diagram of the SPaCIoS Tool. Components: Security Analyst and User Interface; inputs: SUV source code, security goals, model of the attacker, user guidance; Model Libraries, Attack Patterns, Security Goals, Attacker Models; Model inference and adjustment (trace-driven inference, source-based fault localization); Property-driven and vulnerability-driven test case generation; Model of the SUV, abstract execution trace, test case; Test Execution Engine acting on the SUV (System Under Validation); outputs: test results, fault location, vulnerabilities.]
The SPaCIoS Tool: outline
• Property-driven Security Testing
• Model Inference
• Mutation-based Testing
• Vulnerability-driven Testing
Property-driven security testing
[Diagram: the Model Checker takes the Property and the Model and produces an abstract Attack trace (1. Step_C_1(…) 2. Step_SP_1(…) 3. Step_C_2(…) …). Concretization, using SUV data, turns the trace into a Test case (GET http:// … HTTP/1.1 200 OK … GET http:// … HTTP/1.1 302 …). The Test execution engine sends the Input to the SUV and collects the Output. Question on the slide: Security impact?]
Model inference: black-box. Models?
[Diagram: the same pipeline as property-driven testing (Property + Model → Model Checker → Attack trace → Concretization with SUV data → Test case → Test execution engine ↔ SUV), with the Model obtained by black-box model inference from the SUV.]
Model inference: white-box. Models?
[Diagram: the same pipeline, with the Model obtained by white-box model inference from the source code of the system.]
Model inference: sequence diagrams. Models?
[Diagram: the same pipeline, with the Model produced by a translator from sequence diagrams.]
Mutation-based Testing. No attack traces?
[Diagram: a Mutation engine applies Mutation operators to the Model to produce a Mutated Model; the Model Checker checks the Property against the Mutated Model and yields an Attack trace, which is concretized with SUV data into a Test case and run by the Test execution engine against the SUV.]
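As an added illustration (not code from the SPaCIoS tool) of the property-driven pipeline above and of mutation-based testing: a toy explicit-state model checker searches a small session model for a path that violates a security goal (the abstract attack trace), a mutation operator drops a precondition to model a forgotten check, and concretization maps the abstract steps to HTTP requests using SUV data. All step names, facts, URLs and credentials are constructed for the example.

```python
from collections import deque

# Added illustration of the slides' pipeline, not SPaCIoS code: model checking for a
# goal-violating path, a mutation operator that removes a check, and concretization
# of the abstract trace with SUV data. All names and values here are constructed.
# Model: a state is a frozenset of facts; a step has a guard (facts required) and effects (facts added).
MODEL = {
    "Step_C_login":     ({"has_creds"}, {"authenticated"}),
    "Step_C_getReport": ({"authenticated", "is_admin"}, {"report_shown"}),
}
INIT = frozenset({"has_creds"})

def violates_goal(state):
    """Security goal: the report is shown only to an authenticated admin."""
    return "report_shown" in state and not {"authenticated", "is_admin"} <= state

def model_check(model, init, goal_violated):
    """Breadth-first search; returns the shortest abstract attack trace, or None if the goal holds."""
    frontier, seen = deque([(init, [])]), {init}
    while frontier:
        state, trace = frontier.popleft()
        if goal_violated(state):
            return trace
        for step, (guard, effects) in model.items():
            nxt = state | effects
            if guard <= state and nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, trace + [step]))
    return None

def mutate_drop_guard(model, step, fact):
    """Mutation operator: drop one precondition of a step, modelling a check the implementation forgot."""
    guard, effects = model[step]
    return {**model, step: (guard - {fact}, effects)}

# SUV data and per-step request templates used by concretization (constructed values).
SUV_DATA = {"base": "http://suv.example", "user": "alice", "password": "pw-placeholder"}
REQUESTS = {
    "Step_C_login":     "POST {base}/login user={user}&pass={password}",
    "Step_C_getReport": "GET {base}/admin/report",
}

def concretize(trace, suv_data):
    """Abstract attack trace -> concrete test case for the test execution engine."""
    return [REQUESTS[step].format(**suv_data) for step in trace]

def run_pipeline():
    """Returns (trace on the original model, trace on the mutated model, concrete test case)."""
    original = model_check(MODEL, INIT, violates_goal)        # None: the goal holds in the design
    mutated = mutate_drop_guard(MODEL, "Step_C_getReport", "is_admin")
    attack = model_check(mutated, INIT, violates_goal)        # trace exposing the missing admin check
    return original, attack, concretize(attack, SUV_DATA) if attack else []
```

The test execution engine would then replay the concrete requests against the SUV and compare the observed output with the goal, confirming or discharging the abstract attack.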
Vulnerability-driven Testing. Well-known vulnerabilities?
[Diagram: the property-driven pipeline (Property + Model → Model Checker → Attack trace → Concretization with SUV data → Test case → Test execution engine ↔ SUV), then the same pipeline with the Model Checker replaced: Attack pattern files and Instantiation models, together with SUV data, feed Concretization to produce the Test case run by the Test execution engine against the SUV.]
Attack Pattern + Instantiation file + SUV data
OWASP Top 10 coverage

| OWASP Top 10 | The SPaCIoS Tool |
|---|---|
| A1 Injection | WebGoat lessons: String SQL Injection, Numeric SQL Injection; SIEMENS InfoBase and eHealth |
| A2 Broken Authentication & Session Management | SAML, OpenID, OAuth: e.g., authentication logic flaws; password brute-forcing on SIEMENS InfoBase and eHealth |
| A3 Cross-Site Scripting | WebGoat lessons: Stored XSS, Reflected XSS; SIEMENS InfoBase and eHealth |
| A4 Insecure Direct Object References | SIEMENS InfoBase and eHealth: File Enumeration and Path Traversal |
| A5 Security Misconfiguration | WebGoat lesson: Forced Browsing (File Enumeration) |
| A6 Sensitive Data Exposure | SAML, OpenID, OAuth: data confidentiality logic flaws |
| A7 Missing Function Level Access Control | WebGoat lessons: Bypass Business Layer Access Control, Bypass Data Layer Access Control, Role Based Access Control; SIEMENS eHealth |
| A8 CSRF | SIEMENS InfoBase and eHealth |
| A9 Using Components with Known Vulnerabilities | |
| A10 Unvalidated Redirects and Forwards | |
Thank you!
The SPaCIoS Tool is available for public download at http://www.spacios.eu