Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities
TRANSCRIPT
Julian Thomé, Lwin Khin Shar and Lionel Briand
uni.lu Software Verification & Validation (SVV)
Motivating example: XPath Injection

Source
account  = req.getParameter("account");
password = req.getParameter("password");

Sink
String q = "/users/user[@nick='" + account + "' and @password='" + password + "']";
NodeList nl = xpath.evaluate(q, doc, XPathConstants.NODESET);

Login form: Account / Password / Submit. The attacker leaves the account empty and submits as password

test' or '1'='1

so that

password = "test' or '1'='1";
String q = "/users/user[@nick='' and @password='test' or '1'='1']";
NodeList nl = xpath.evaluate(q, doc, XPathConstants.NODESET);

i.e. the sink is reached with

NodeList nl = xpath.evaluate("/users/user[@nick='' and @password='test' or '1'='1']", doc, XPathConstants.NODESET);

Because `and` binds tighter than `or`, the predicate is true for every user element and the authentication check is bypassed.
Taint Analysis
Focus on Integrity
No Filtering
False Positives

Security Slicing
Approach overview: System Dependence Graph (SDG) Construction -> Chopping -> Filtering -> Security Slices

SDG Construction
// …
allowUser(req.getParameter("account"), req.getParameter("password"));
// …
protected boolean allowUser(String account, String password) {
    // …
    org.w3c.dom.Document doc = builder.parse("db.xml");
    // …
    XPath xpath = xPathfactory.newXPath();
    String q = "/database/table[@name='customers']/entry[@nick='"
        + account + "' and @password='" + password + "']";
    // …
    NodeList nl = (NodeList) xpath.evaluate(q, doc, XPathConstants.NODESET);
    // …
}
[SDG figure: the string constant "account" flows into getParameter(); account = getParameter() and password = getParameter() flow into the formal parameters (fpar0 … ret) account and password of allowUser(); from there into q = … and into the actual parameter apar0 of xpath.evaluate().]

Chopping

[Figure: the chop between the getParameter() sources and the evaluate() sink keeps only the nodes account, password, q = … and apar0.]
Filtering: Declassification

Security lattice (confidentiality, integrity):
HH  High Confidentiality, High Integrity   (Secret)
HL  High Confidentiality, Low Integrity    (Writable Secret)
LH  Low Confidentiality, High Integrity
LL  Low Confidentiality, Low Integrity

[Figure: the chop (account, password, q = …, apar0) annotated with lattice labels; the inputs account and password coming from the sources carry HL, i.e. writable secrets of low integrity.]
protected boolean allowUser(String account, String password) {
    account  = ESAPI.encoder().encodeForXPath(account);
    password = ESAPI.encoder().encodeForXPath(password);
    // …
    org.w3c.dom.Document doc = builder.parse("db.xml");
    // …
    XPath xpath = xPathfactory.newXPath();
    String q = "/database/table[@name='customers']/entry[@nick='"
        + account + "' and @password='" + password + "']";
    // …
    NodeList nl = (NodeList) xpath.evaluate(q, doc, XPathConstants.NODESET);
    // …
}
[SDG figure for the fixed code: encodeForXpath() (apar0 … ret) is inserted between the allowUser() parameters account, password and q = …; its return value is labelled HH, so the declassified flow into evaluate() no longer carries low-integrity data and is filtered out of the security slice.]
Known-Good / Irrelevant flows

Automated Fixing

Before:
protected boolean allowUser(String account, String password) {
    // …
    org.w3c.dom.Document doc = builder.parse("db.xml");
    // …
    XPath xpath = xPathfactory.newXPath();
    String q = "/database/table[@name='customers']/entry[@nick='"
        + account + "' and @password='" + password + "']";
    // …
    NodeList nl = (NodeList) xpath.evaluate(q, doc, XPathConstants.NODESET);
    // …
}

[Figure: security slice password -> q = … -> apar0, labelled HL where the sink requires HH.]

After (declassifiers inserted at the sink):
protected boolean allowUser(String account, String password) {
    // …
    org.w3c.dom.Document doc = builder.parse("db.xml");
    // …
    XPath xpath = xPathfactory.newXPath();
    String q = "/database/table[@name='customers']/entry[@nick='" + ESAPI.encoder().encodeForXPath(account) +
        "' and @password='" + ESAPI.encoder().encodeForXPath(password) + "']";
    // …
    NodeList nl = (NodeList) xpath.evaluate(q, doc, XPathConstants.NODESET);
    // …
}
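The chop-then-filter step behind the slides above, as an added example that is not part of the paper or its tool: a toy security slicer in Python over a hand-built system dependence graph of the allowUser() servlet. A chop is the forward slice of a source intersected with the backward slice of a sink; filtering then propagates only the integrity half of the HH/HL lattice (sources emit L, declassifiers such as encodeForXPath reset to H) and reports a chop only if the sink still receives low-integrity data. The node names, the edge set and the integrity-only reading of the lattice are assumptions made for this illustration.

```python
"""Toy security slicer: chopping plus declassifier filtering on a hand-built SDG.

Constructed example modelled on the allowUser() servlet from the slides; the
edge set is an assumption, not output of the paper's tool.
"""
from collections import deque

HIGH, LOW = "H", "L"   # integrity component of the HH/HL/LH/LL lattice

# --- constructed SDG nodes for the vulnerable and the ESAPI-fixed servlet ---
SRC_ACCOUNT  = 'account = req.getParameter("account")'
SRC_PASSWORD = 'password = req.getParameter("password")'
PAR_ACCOUNT  = 'allowUser: account'
PAR_PASSWORD = 'allowUser: password'
ENC_ACCOUNT  = 'account = ESAPI.encoder().encodeForXPath(account)'
ENC_PASSWORD = 'password = ESAPI.encoder().encodeForXPath(password)'
QUERY        = 'q = "/database/table[@name=\'customers\']/entry[@nick=\'" + account + "\' and @password=\'" + password + "\']"'
SINK         = 'nl = xpath.evaluate(q, doc, XPathConstants.NODESET)'

VULNERABLE = {
    SRC_ACCOUNT: {PAR_ACCOUNT}, SRC_PASSWORD: {PAR_PASSWORD},
    PAR_ACCOUNT: {QUERY},       PAR_PASSWORD: {QUERY},
    QUERY: {SINK},
}
FIXED = {
    SRC_ACCOUNT: {PAR_ACCOUNT}, SRC_PASSWORD: {PAR_PASSWORD},
    PAR_ACCOUNT: {ENC_ACCOUNT}, PAR_PASSWORD: {ENC_PASSWORD},
    ENC_ACCOUNT: {QUERY},       ENC_PASSWORD: {QUERY},
    QUERY: {SINK},
}
SOURCES = {SRC_ACCOUNT, SRC_PASSWORD}
SINKS = {SINK}
DECLASSIFIERS = {ENC_ACCOUNT, ENC_PASSWORD}


def reachable(adj, start):
    """Nodes reachable from start; a forward slice on adj, a backward slice on reverse(adj)."""
    seen, todo = {start}, deque([start])
    while todo:
        n = todo.popleft()
        for m in adj.get(n, ()):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen


def reverse(adj):
    """Edge map with every dependence edge turned around."""
    rev = {}
    for n, succs in adj.items():
        for m in succs:
            rev.setdefault(m, set()).add(n)
    return rev


def chop(adj, source, sink):
    """Chop(source, sink) = forward slice of source ∩ backward slice of sink."""
    return reachable(adj, source) & reachable(reverse(adj), sink)


def integrity_labels(adj, sources, declassifiers):
    """Fixpoint propagation of integrity: sources emit LOW, declassifiers emit HIGH,
    every other node is LOW as soon as one predecessor is LOW (the lattice meet)."""
    rev = reverse(adj)
    nodes = set(adj) | {m for succs in adj.values() for m in succs}
    label = {n: HIGH for n in nodes}
    changed = True
    while changed:                       # monotone: labels only move HIGH -> LOW
        changed = False
        for n in nodes:
            if n in sources:
                new = LOW
            elif n in declassifiers:
                new = HIGH
            else:
                new = LOW if any(label[p] == LOW for p in rev.get(n, ())) else HIGH
            if new != label[n]:
                label[n] = new
                changed = True
    return label


def security_slices(adj, sources, sinks, declassifiers):
    """(source, sink, chop) for every pair whose chop is non-empty AND whose sink
    still receives LOW-integrity data from that source after declassification."""
    out = []
    for src in sorted(sources):
        label = integrity_labels(adj, {src}, declassifiers)
        for snk in sorted(sinks):
            c = chop(adj, src, snk)
            if c and label[snk] == LOW:
                out.append((src, snk, c))
    return out


if __name__ == "__main__":
    for name, graph, decl in (("vulnerable", VULNERABLE, set()), ("fixed", FIXED, DECLASSIFIERS)):
        print(name, "chops:", sum(1 for s in SOURCES for k in SINKS if chop(graph, s, k)),
              "security slices:", len(security_slices(graph, SOURCES, SINKS, decl)))
```

On the fixed graph chopping alone still reports both getParameter-to-evaluate flows, because the encoder sits on the path rather than cutting it; only the label propagation recognises the declassifier and drops the pair as known-good. That difference is what separates the number of chops an auditor would otherwise inspect from the number of security slices.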
Contributions

SDG Construction
Automatic detection of sources, sinks and declassifiers
Extensive library of sources, sinks and declassifiers

Chopping
Extraction of path conditions, control dependencies, data dependencies
Threat Categorisation
Automatic annotation of sources, sinks and declassifiers

Filtering
Information Flow Control / Declassification
Known-Good / Irrelevant
Automated Fixing
Evaluation

Test Subjects
                                     #Sinks              #Declassifiers
Subject   KLOC  #Servlets  #Sources  XML  XPath  SQL     XML  XPath  SQL
WebGoat   24.6   14         40        3    1      29      0    0      25
Roller    52.4    3         14       13    0       0     11    0       0
Pebble    36.5    3          6        7    0       0      3    0       0
Regain    23.1    1          1        1    0       0      3    0       0
PubSub     1.9    4         16        3    4       0      4    0       0

[Chart: Comparison between Chopping and Security Slicing; #SDG nodes (log scale, 1 to 1,000,000) per subject (WebGoat, Roller, Pebble, Regain, PubSub) after SDG Construction, Chopping and Security Slicing; a second panel gives Total, Mean and Median.]

[Chart: #Chops to be audited, Chopping vs Security Slicing (SecSlicing), axis 0 to 80; the bars read 73 for Chopping and 21 for Security Slicing.]

Execution Time in ms
Subject   SDG Generation  Source/Sink Identification  Chopping  Filtering  Total
WebGoat   124,301          504                         12,266     694        137,765
Roller     23,815           56                            763      69         24,703
Pebble      4,570           20                            128      53          4,771
Regain     44,311           40                            285      30         44,666
PubSub     39,213           85                            965     153         40,416
Future Work
String Operations + Path Conditions
Threat Models
Constraint Solver