Context-Sensitive Program Analysis as Database Queries

Size: px

Start display at page:

Download "Context-Sensitive Program Analysis as Database Queries"

Tracy Eaton
6 years ago
Views:

1 Context-Sensitive Program Analysis as Database Queries Monica Lam Stanford University Team: John Whaley, Ben Livshits, Michael Martin, Dzintars Avots, Michael Carbin, Chris Unkel

2 Emacs Grep State-of-the-Art Programming Tools IDE: integrated program development environment (e.g. Eclipse) Smarter syntactic searches What programmers want: Information about dynamic behavior Compiler (data-flow) analysis

3 PQL: Program Query Language User: Queries on dynamic behavior of programs PQL: Resolve with static (and dynamic) analyses Important problems Database security Easy queries PQL (declarative) Datalog Deep analyses A deductive database Accurate answers Sound:all errors, few false warn.

4 Hard Important Problems

5 Web Applications Hacker Browser Web App Database Evil Input Confidential information leak

6 Web Application Vulnerabilities 48% of all vulnerabilities Q3-Q4, 24 Up from 39% Q-Q2, 4 [Symantec May 2, 25] 5% databases had a security breach [22 Computer crime & security survey]

7 Top Ten Security Flaws in Web Applications [OWASP]. Unvalidated Input 2. Broken Access Control 3. Broken Authentication and Session Management 4. Cross Site Scripting (XSS) Flaws 5. Buffer Overflows 6. Injection Flaws 7. Improper Error Handling 8. Insecure Storage 9. Denial of Service. Insecure Configuration Management

8 Vulnerability Alerts SecurityFocus.com, on May 6, 25

9 25-5-6: JGS-Portal Multiple Cross-Site Scripting and SQL Injection Vulnerabilities : WoltLab Burning Board Verify_ Function SQL Injection Vulnerability : Version Cue Local Privilege Escalation Vulnerability : NPDS THOLD Parameter SQL Injection Vulnerability : DotNetNuke User Registration Information HTML Injection Vulnerability : Pserv completedpath Remote Buffer Overflow Vulnerability : DotNetNuke User-Agent String Application Logs HTML Injection Vulnerability : DotNetNuke Failed Logon Username Application Logs HTML Injection Vulnerability : Mozilla Source Suite And Firefox DOM Property of vulnerabilities Overrides Code Execution Vulnerability : Sigma ISP Manager Sigmaweb.DLL SQL Injection Vulnerability : Mozilla Suite And Firefox Multiple Script Manager Security Bypass Vulnerabilities : PServ Remote Source Code Disclosure Vulnerability : PServ Symbolic Link Information Disclosure Vulnerability : Pserv Directory Traversal Vulnerability : MetaCart E-Shop ProductsByCategory.ASP Cross-Site Scripting Vulnerability : WebAPP Apage.CGI Input Remote Command validation: Execution Vulnerability 62% : OpenBB Multiple Validation Vulnerabilities : PostNuke Blocks Module Directory Traversal Vulnerability : MetaCart E-Shop SQL V-8 IntProdID injection: Parameter Remote SQL Injection 26% Vulnerability : MetaCart2 StrSubCatalogID Parameter Remote SQL Injection Vulnerability : Shop-Script ProductID SQL Injection Vulnerability : Shop-Script CategoryID SQL Injection Vulnerability : SWSoft Confixx Change User SQL Injection Vulnerability : PGN2WEB Buffer Overflow Vulnerability : Apache HTDigest Realm Command Line Argument Buffer Overflow Vulnerability : Squid Proxy Unspecified DNS Spoofing Vulnerability : Linux Kernel ELF Core Dump Local Buffer Overflow Vulnerability : Gaim Jabber File Request Remote Denial Of Service Vulnerability : Gaim IRC Protocol Plug-in Markup Language Injection Vulnerability : Gaim Gaim_Markup_Strip_HTML Remote Denial Of Service Vulnerability : GDK-Pixbuf BMP Image Processing Double Free Remote Denial of Service Vulnerability : Mozilla Firefox Install Method Remote Arbitrary Code Execution Vulnerability : Multiple Vendor FTP Client Side File Overwriting Vulnerability : PostgreSQL TSearch2 Design Error Vulnerability : PostgreSQL Character Set Conversion Privilege Escalation Vulnerability

10 SQL Injection Errors Hacker Browser Web App Database Give me Bob s credit card # Delete all records

11 Happy-go-lucky SQL Query User supplies: name, password Java program: String query = SELECT UserID, Creditcard FROM CCRec WHERE Name = + name + AND PW = + password

12 Fun with SQL : the rest are comments in Oracle SQL SELECT UserID, CreditCard FROM CCRec WHERE: Name = bob AND PW = foo Name = bob AND PW = x Name = bob or = AND PW = x Name = bob; DROP CCRec AND PW = x

13 A Simple SQL Injection o = req.getparameter ( ); stmt.executequery ( o );

14 In Practice ParameterParser.java:586 String session.parameterparser.getrawparameter(string name) public String getrawparameter(string name) throws ParameterNotFoundException { String[] values = request.getparametervalues(name); if (values == null) { throw new ParameterNotFoundException(name + " not found"); } else if (values[].length() == ) { throw new ParameterNotFoundException(name + " was empty"); } return (values[]); } ParameterParser.java:57 String session.parameterparser.getrawparameter(string name, String def) public String getrawparameter(string name, String def) { try { return getrawparameter(name); } catch (Exception e) { return def; } }

15 In Practice (II) ChallengeScreen.java:94 Element lessons.challengescreen.dostage2(websession s) String user = s.getparser().getrawparameter( USER, "" ); StringBuffer tmp = new StringBuffer(); tmp.append("select cc_type, cc_number from user_data WHERE userid = ' ); tmp.append(user); tmp.append("' ); query = tmp.tostring(); Vector v = new Vector(); try { ResultSet results = statement3.executequery( query );...

16 PQL Dynamically: o = req.getparameter ( ); stmt.executequery (o); Statically: p = req.getparameter ( ); stmt.executequery (p 2 ); p and p 2 point to same object? Pointer alias analysis

17 SQL Injection in PQL query SQLInjection() returns object Object source, taint; uses object HttpServletRequest req, java.sql.statement stmt; matches { source = req.getparameter (); tainted := derivedstring(source); stmt.execute(tainted); } query derivedstring(object Object x) returns object Object y; uses object Object temp; matches { y := x { temp.append(x); y := derivedstring(temp); } }

18 Vulnerabilities in Web Applications Inject Parameters Hidden fields Headers Cookie poisoning X Exploit SQL injection Cross-site scripting HTTP splitting Path traversal

19 Big Picture Important problems Security Auditing, Debugging Easy queries PQL Deep analyses Accurate answers

20 Top 4 Techniques in PQL Implementation Drawn from 4 different fields Compiler Context-sensitive pointer analysis HW Verification BDD: binary decision diagrams Database Datalog AI Active machine learning

21 Compiler Context-sensitive pointer analysis HW Verification BDD: binary decision diagrams

22 Context-Sensitive Pointer Analysis L: a=malloc(); a=id(a); id(x) id(x) id(x) {return x;} L2: b=malloc( ); b=id(b); context-sensitive a L x context-insensitive b L2 x

23 # of Contexts is exponential!

24 Recursion A A B C D B C D E F E F E F E F G G G G

25 Top 2 Sourceforge Java Apps Number of Clones Number of clones.e+6 6.E+4.E+2 2.E+ 8.E+8.E+6 4.E+4.E+2.E+ Size of program (variable nodes)

26 Costs of Context Sensitivity Typical large program has ~ 4 paths If you need byte to represent a context: 256 terabytes of storage > 2 times size of Library of Congress GB DIMMs: $98.6 million Power: 96.4 kilowatts (28 homes) 3 GB hard disks: 939 x $25 = $234,75 Time to read sequential: 7.8 days

27 Cloning-Based Algorithm Whaley&Lam, PLDI 24 (best paper) Create a clone for every context Apply context-insensitive algorithm to cloned call graph Lots of redundancy in result Exploit redundancy by clever use of BDDs (binary decision diagrams)

28 Performance of BDD Algorithm Direct implementation Does not finish even for small programs > 3 lines of code Requires tuning for about year Easy to make mistakes Mistakes found months later

29 Automatic Analysis Generation PQL Ptr analysis in lines Thousand-lines year tuning Datalog BDD code bddbddb (BDD-based deductive database) with Active Machine Learning

30 Datalog BDD code bddbddb (BDD-based deductive database) with Active Machine Learning

31 Flow-Insensitive Pointer Analysis o : p = new Object(); o 2 : q = new Object(); p.f = q; r = p.f; Input Tuples vpointsto(p,o ) vpointsto(q,o 2 ) Store(p,f,q) Load(p,f,r) p o f q o 2 r New Tuples hpointsto(o,f,o 2 ) vpointsto(r,o 2 )

32 Stores: Inference Rule in Datalog hpointsto(h, f, h 2 ) :- Store(v, f, v 2 ), vpointsto(v, h ), vpointsto(v 2, h 2 ). v.f = v 2 ; v h v 2 h 2 f

33 Inference Rules vpointsto(v, h) :- vpointsto (v, h). vpointsto(v, h ) :- Assign(v, v 2 ), vpointsto(v 2, h ). hpointsto(h, f, h 2 ) :- Store(v, f, v 2 ), vpointsto(v, h ), vpointsto(v 2, h 2 ). vpointsto(v 2, h 2 ) :- Load(v, f, v 2 ), vpointsto(v, h ), hpointsto(h, f, h 2 ).

34 Pointer Alias Analysis Specified by a few Datalog rules Creation sites Assignments Stores Loads Apply rules until they converge

35 SQL Injection Query PQL: Datalog: SQLInjection: o = req.getparameter ( ); stmt.executequery ( o ); SQLInjection (o) :- calls(c,b,_, getparameter ), ret(b,v ),vpointsto(c, v,o), calls(c 2,b 2,_, executequery ), actual(b 2,,v 2 ),vpointsto(c 2,v 2,o)

36 Program Analyses in Datalog Context-sensitive Java pointer analysis C pointer analysis Escape analysis Type analysis External lock analysis Interprocedural def-use Interprocedural mod-ref Object-sensitive analysis Cartesian product algorithm 35

37 Datalog BDD code bddbddb (BDD-based deductive database) with Active Machine Learning

38 Example: Call Graph Relation Call graph expressed as a relation. Five edges: calls(a,b) calls(a,c) calls(a,d) calls(b,d) calls(c,d) B A D C

39 Call Graph Relation Relation expressed as a binary function. A=, B=, C=, D= x 3 f x 4 x 2 x B D C A

40 Binary Decision Diagrams Graphical encoding of a truth table. x edge edge x 2 x 2 x 3 x 3 x 3 x 3 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4

41 Binary Decision Diagrams Collapse redundant nodes. x x 2 x 2 x 3 x 3 x 3 x 3 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4

42 Binary Decision Diagrams Collapse redundant nodes. x x 2 x 2 x 3 x 3 x 3 x 3 x 4 x 4 x 4 x 4 x 4 x 4 x 4 x 4

43 Binary Decision Diagrams Collapse redundant nodes. x x 2 x 2 x 3 x 3 x 3 x 3 x 4 x 4 x 4

44 Binary Decision Diagrams Collapse redundant nodes. x x 2 x 2 x 3 x 3 x 3 x 4 x 4 x 4

45 Binary Decision Diagrams Eliminate unnecessary nodes. x x 2 x 2 x 3 x 3 x 3 x 4 x 4 x 4

46 Binary Decision Diagrams Eliminate unnecessary nodes. x x 2 x 2 x 3 x 3 x 4

47 Datalog BDDs Datalog Relations Relation ops:,, select, project Relation at a time Semi-naïve evaluation Fixed-point BDDs Boolean functions Boolean function ops:,,, Function at a time Incrementalization Iterate until stable

48 Binary Decision Diagrams Represent tiny and huge relations compactly Size depends on redundancy Similar contexts have similar numberings Variable ordering in BDDs

49 BDD Variable Order is Important! x x 2 + x 3 x 4 x x x 2 x 3 x 3 x 3 x 2 x 2 x 4 x 4 x <x 2 <x 3 <x 4 x <x 3 <x 2 <x 4

50 Variable Numbering: Active Machine Learning Must be determined dynamically Limit trials with properties of relations Each trial may take a long time Active learning: select trials based on uncertainty Several hours Comparable to exhaustive for small apps

51 Optimizations in bddbddb Algorithmic Clever context numbering to exploit similarities Query optimizations Magic-set transformation semi-naïve evaluation Compiler optimizations Redundancy elimination, liveness analysis BDD optimizations Active machine learning BDD library extensions and turning

52 Top 4 Techniques in PQL Compiler Context-sensitive pointer analysis HW Verification BDD: binary decision diagrams Database Datalog AI Active machine learning

53 Big Picture Important problems Security Easy queries PQL Datalog BDD (bddbddb) Deep analyses Context-sensitive pointers Accurate answers

54 Benchmark Nine large, widely used applications Blogging/bulletin board applications Used at a variety of sites Open-source Java J2EE apps Available from SourceForge.net

55 Vulnerabilities Found SQL injection HTTP splitting Cross-site scripting Path traveral Total Header 6 4 Parameter Cookie Non-Web Total

56 Accuracy 2 2 False Context sensitive Context insensitive 5356 Total 989 roller 889 pebble 867 road2hibernate 653 snipsnap 6 personalblog 428 blojsom 349 webgoat 36 blueblog 264 jboard Classes Benchmark

57 Related Work Program analysis as deductive queries Ullman, Principles of Databsae and Knowledge-Base Systems, 989

58 Reps, 994 bddbddb, 25 Problem data-flow analysis reaching def/slicing Coral Demand Driven Implementation ease magic set xform Slower software security pointer alias analysis Custom BDD based Exhaustive BDD tuning Faster solved open problem < lines of code 8, byte codes

59 References Pointers: Whaley, Lam, PLDI 4 C pointers: Avots, Dalton, Livshits, Lam, ICSE 5 PQL: Martin, Livshits, Lam, OOPSLA 5 Java Security: Livshits, Lam, Usenix security 5

60 Easy Context-Sensitive Analysis PQL Sophisticated Context-sensitive Analysis Datalog BDD code bddbddb (BDD-based deductive database) with Active Machine Learning

cti uln 200 ify il Fu cti ion rma jec ion 200 w V rab lit 200 ogs TML lne lit 200 ern App n L s H cti ner lit 2005 SQL ili abi ipt ner

cti uln 200 ify il Fu cti ion rma jec ion 200 w V rab lit 200 ogs TML lne lit 200 ern App n L s H cti ner lit 2005 SQL ili abi ipt ner ! " 25-5-16: JGS-Portal Multiple Cross-Site Scripting and SQL Injection Vulnerabilities 25-5-16: WoltLab Burning Board Verify_email Function SQL Injection Vulnerability 25-5-16: Version Cue Local Privilege