Model inference to support detection of vulnerabilities

Transcription

1 Model inference to support detection of vulnerabilities Application to Web apps & services Roland GROZ LIG, Université de Grenoble Alpes Savoie, France Séminaire DGA Sécurité & MF Rennes 23 mai 2014

2 Acknowledgments Joint work (for inference) with (Team:) C. Oriat, J-L. Richier, K. Hossen, F. Duchène Muzammil Shahbaz (U. Sheffield) Keqin Li Alexandre Petrenko (CRIM, Canada) SPaCIoS partners, esp: M. Minea, PF Mihancea, I. Soara (IeAT Timisoara) Inspiration & discussion with: Doron Peled, David Lee, Kirill Bogdanov, Neil Walkinshaw, + U. Dortmund (& Uppsala) 2

3 Motivational examples Customer Retailer Couponing Reverseengineer Internet-Box from supplier (Game) Identify hidden behaviours of 3rd party s/w to put on Orange (trusted Apps) Learning interactions of home appliances Key issues: BB, 3rd party, trust, integration... Get security model of 3rd party component 3

4 Outline Why should we INFER models? Basic techniques used SPaCIoS project: security in Internet of Services (Web apps) Inference of security models for Web apps SIMPA tool (Simpa Infers Models Pretty Automatically) Inference of state + data flow for smart fuzzing KameleonFuzz 4

5 Benefits of models Tool-supported automatic analysis Thorough analysis Spotting tricky unexpected behaviours Confronting and of course: expectations <-> reality specification <-> implementation Bread & butter for attendees of this seminar on security and formal methods 5

6 Example: 3 rd party components Behaviors Interactions Validation Understanding the System of Black Box Components is a challenge How do I perform system behavioral analysis? How do I identify integration problems? Who wants to write models of 3 rd party or legacy components? How many s/w engineers actually use models? 6

7 Our goal Reverse engineer behavioural MODELS not code or design from BLACK BOX systems 3rd party remote access or too complex, not designed with models, etc just by TESTING at interfaces in order to feed into model-based tools, esp. for VULNERABILITY detection 7

8 Outline Why should we INFER models? Basic techniques used SPaCIoS project: security in Internet of Services (Web apps) Inference of security models for Web apps SIMPA tool (Simpa Infers Models Pretty Automatically) Inference of state + data flow for smart fuzzing KameleonFuzz 8

9 Various types of Machine Learning Artificial Intelligence (& datamining) Ability to infer rules, recognize patterns Learning from samples E.g. neural networks Two major techniques (among others) Statistical (bayesian) inference from collection of data -> e.g. Weka tool in testing Grammatical inference of language from theoretical computer science 9

10 Learning languages from samples "Learning from given positive/negative samples Finding a minimum DFA (Deterministic Finite Automaton) is NP-HARD Complexity of automaton identification from given data. [E. Gold 78] Even a DFA with no. of states polynomially larger than the no. of states of the minimum is NP- Complete The minimum consistent DFA problem cannot be approximated within any polynomial. [Pitt & Warmuth 93] Probably Approximately Correct (PAC) A theory of the learnable. [L.G. Valiant 84] 10

11 Active learning Active Learning "Learning from Queries : inference algorithm can query an oracle of the language Angluin's Algorithm L* [Angluin 87] Reference algorithm Two types of queries: membership, equivalence Learns Deterministic Finite Automaton (DFA) in polynomial time key assumption : Minimally Adequate Teacher (MAT) Applied in formal Software Engineering Black Box Checking [Peled 99] Learning and Testing Telecom Systems [Steffen 03] Protocol Testing [Shu & Lee 08] Dana Angluin Yale University and very active research field in model-based techniques 11

12 Our Context of Inference (testing s/w) Components having I/O behaviours I/O are structurally complex (parameters) Formidable size of input sets Input Alphabet Σ The Algorithm L* Test Strategies and heuristics Learned Models can be used to generate tests to find discrepancies System of Communicating Black Box Components Black Box Machine Poor (cheap) oracles Oracle Enhanced State Machine Models Mealy Machines Parameterized Machines Final DFA Conjecture 12

13 Our techniques (Grenoble-LIG) Extensions to Angluin-style learning parameterized, symbolic automata arbitrary (infinite) data types (esp. strings) security-oriented models & features Combining Control-Flow + Data inference machine learning statistical algos New algorithms based on quotients Tailorable + adaptive abstraction Targeting specific parts of behaviour 13

14 Outline Why should we INFER models? Basic techniques used SPaCIoS project: security in Internet of Services (Web apps) Inference of security models for Web apps SIMPA tool (Simpa Infers Models Pretty Automatically) Inference of state + data flow for smart fuzzing KameleonFuzz 14

15 SPaCIoS objectives and approach SPaCIoS Tool: penetration testing, security testing, model checking, automatic learning. Assess on security testing problem cases (industrial/open-source IoS application scenarios). Migrate to industry (SAP, SIEMENS), standardisation bodies, open-source communities. The SPaCIoS Tool Test Results Model of the SUV Model inference and adjustment SUV source code Source based inference Abstract execution trace Model of the SUV User Interface Fault location Security Analyst Test Execution Engine Security goals Tracedriven fault localization Model of the attacker Property-driven and vulnerability-driven test case generation Test case User guidance Libraries Vulnerabilities Attack Patterns Security Goals Attacker Models ASLan++ models for cryptographic protocols & security of services Model checking + Modelbased testing Some Web services may be black boxes: inferred Models used to identify potential attacks and test them SUV

16 IdP Security testing problem cases Objectives Results WP 2 Mod els Model writing, learning, extracting Security goals Attacker behavior & vulnerability models Attack combination Modelling language and Libraries ASLan++ of security aspects & goals Attack patterns, vulnerabilities, attacker models Chained attacks C IdP SP S1. GET URI A1. HTTP302 IdP?SAMLRequest=AuthReq(ID, SP)&RelayState=URI M a SAML Authentication Protocol A2. GET IdP?SAMLRequest=AuthReq(ID, SP)&RelayState=URI IdP builds an authentication assertion A3. HTTP200 Form(...) AA = AuthAssert(ID, C, IdP, SP) A4. POST SP, Response(ID, SP, IdP, {AA} K 1), RelayState(URI) S2. HTTP200 Resource(URI) M c, SUT

17 Model inference: Simpa No model Models? Aslan++? Property Partial model Model Checker Black-box model inference ASLAN++ model Model Attack trace Interactions with the system Real system

18 Model extraction: jmodex

19 KameleonFuzz Security Analyst Vulnerabilities? The SPaCIoS Tool Test Results Model of the SUV Model inference and adjustment SUV source code Source based inference Abstract execution trace Model of the SUV User Interface Fault location Test Execution Engine Security goals Tracedriven fault localization Model of the attacker Property-driven and vulnerability-driven test case generation Test case User guidance Libraries Vulnerabilities Attack Patterns Security Goals Attacker Models Inferred tainted model Interactions with the system Attack input grammar Genetic fuzzing SUV Real system

20 Outline Why should we INFER models? Basic techniques used SPaCIoS project: security in Internet of Services (Web apps) Inference of security models for Web apps SIMPA tool (Simpa Infers Models Pretty Automatically) Inference of state + data flow for smart fuzzing KameleonFuzz 20

21 Black Box inference of Security Models Extend inference methods to deal with SPaCIoS security protocols and Web applications Non-Deterministic Values (NDV, e.g. nonces) Parameters recorded in local variables (sessions IDs, cookies etc) Combining state and data inference Angluin-style observation tables Data tables to record I/O parameters New inference algorithms Combined with Weka statistical tool for parameter associations Implemented in SIMPA (open source) 21

22 Needham Schroeder model s 0 m 1 (p 1 )/ p 2 = p 1, p 3 = ndv, m 2 (p 2, p 3 ), m 1 (p 1 )/ p 2 = p 1, p 3 = ndv, m 2 (p 2, p 3 ), v 3 := p 3 v 3 := p 3 s 2 Extended FSM model of NSPK Responder m 3 (p 4 ), p 4 v 3 / KO s 1 m 3 (p 4 ), p 4 = v 3 / OK m 3 (p 4 ), p 4 = v 3 / OK m 3 (p 4 ), p 4 v 3 / KO Inferred EFSM model m 3 (p 4 )/ Ω [ε] m 1 (p 1 )/ p 2 = p 1, p 3 = ndv, m 2 (p 2, p 3 ), v 3 := p 3 [m 1 (5)] m 1 (p 1 )/ Ω 22

23 Inference algorithm S0 Inputs : m1, m3 Output : m2, OK, KO 23

24 Inference algorithm M1(5)/m2(5,423) S? S0 M3(5)/Ω S? Inputs : m1, m3 Output : m2, OK, KO 24

25 Inference algorithm M1(5)/ Ω M1(5)/m2(5,423) S? M3(5)/ KO S0 M1(5)/m2(5,867) M3(5)/Ω S? M3(5)/ Ω Inputs : m1, m3 Output : m2, OK, KO 25

26 Inference algorithm M1(5)/ Ω M1(5)/m2(5,423) S? M3(5)/ KO S0 M1(5)/m2(5,867) M3(5)/Ω S? M3(5)/ Ω Inputs : m1, m3 Output : m2, OK, KO 26

27 Inference algorithm M1(5)/m2(5,423) M1(5)/ Ω S? S0 S1 M3(5)/ KO S? M3(5)/Ω Inputs : m1, m3 Output : m2, OK, KO 27

28 Table-based inference algorithm Control table Data table 28

29 29 Nonce!

30 30 New behavior!

31 Infering guards of transitions Data mining For S1: m3/ko ((10), [(init)(init)(5)(5, 882)(init)] -> (0)) ((11), [(init)(init)(5)(5, 332)(init)] -> (0)) ((10), [(init)(init)(5)(5, 258)(init)] -> (0)) For S1: m3/ok ((887), [(init)(init)(5)(5, 887)(init)] -> (1)) ((529), [(init)(init)(5)(5, 529)(init)] -> (1)) ((175), [(init)(init)(5)(5, 175)(init)] -> (1)) 31

32 DataMining algos and decision tree (J48 : nominal/string, M5P : integer) Data[0]!= Data[5] Data[0] == Data[5] KO OK 32

33 Abstraction extraction 33

34 Connecting to the real System (SUV) Model inference on BB requires a driver to interact with the system (abstraction/concretization) Writing such drivers is time-consuming Automating driver construction for HTTP interactions based on crawling techniques: page models automatic identification of inputs, and abstracting outputs! (Magic!) SIMPA includes automatic generation of driver for Web applications: recognizes relevant input and output abstractions 34

35 Experiments 35

36 WebGoat (Stored XSS lesson) Automatic abstraction (& driver generation) 11 inputs found / 11 6 outputs found / 6 Output parameters 16 1 in the main page 15 in the profile page 36

37 WebGoat (Stored XSS lesson) Parameter for the main page 37

38 WebGoat (Stored XSS lesson) Parameters for the profile page (which contains the XSS) The name and the fields of the profile are detected by the crawler XSS attack is detected by the SPaCIoS tool 38

39 Inferred model LoginI(user,pass)/ {invalid credentials} home(status) LoginV(user,pass)/ {valid credentials} listing(status) s 0 Logout(profileID)/ home(status) 39 viewprofile(profileid)/ Profile(status) editprofile(profileid)/ editionpage(status) Login(user,pass)/ s 1 {valid credentials} listing(status) updateprofile(profileid)/ Profile(status)

40 Outline Why should we INFER models? Basic techniques used SPaCIoS project: security in Internet of Services (Web apps) Inference of security models for Web apps SIMPA tool (Simpa Infers Models Pretty Automatically) Inference of state + data flow for smart fuzzing KameleonFuzz 40

41 KameleonFuzz precise & automatic detection of XSS Fabien Duchène (PhD 2/6/2014) with Roland Groz, Sanjay Rawat & Jean-Luc Richier 23/05/14 KameleonFuzz - XSS fuzzing 41

42 Black Box XSS detection 42

43 Approach Overview evolve inputs Evolutionary Algorithm A. Inferring SUT state model B. Approximate Taint Dataflow - taint inputs - infer taint in outputs - annotate model C.1. Malicious Inputs Generation - generate inputs C.2. D. Precise Taint Dataflow - attack successful? if new page or state discovered 43 23/05/14 KameleonFuzz - XSS fuzzing

44 A. Model Inference evolve inputs Evolutionary Algorithm A. Inferring SUT state model B. Approximate Taint Dataflow - taint inputs - infer taint in outputs - annotate model C.1. Malicious Inputs Generation - generate inputs C.2. D. Precise Taint Dataflow - attack successful? if new page or state discovered Form Page model Page clustering Navigation 44 23/05/14 KameleonFuzz - XSS fuzzing

45 B. Model Annotation (taint inference) evolve inputs Evolutionary Algorithm A. Inferring SUT state model B. Approximate Taint Dataflow - taint inputs - infer taint in outputs - annotate model C.1. Malicious Inputs Generation - generate inputs C.2. D. Precise Taint Dataflow - attack successful? if new page or state discovered 45 23/05/14 KameleonFuzz - XSS fuzzing

46 B. SUT Model annotation We annotate the model for type-1 & type-2 REFLECTIONS 46 23/05/14 KameleonFuzz - XSS fuzzing

47 Ex: of reflection annotation 47 23/05/14 KameleonFuzz - XSS fuzzing

48 Ex. of annotated SUT model: type-1 XSS 48 23/05/14 KameleonFuzz - XSS fuzzing

49 C. Evolutionary Fuzzing evolve inputs Evolutionary Algorithm A. Inferring SUT state model B. Approximate Taint Dataflow - taint inputs - infer taint in outputs - annotate model C.1. Malicious Inputs Generation - generate inputs C.2. D. Precise Taint Dataflow - attack successful? if new page or state discovered Attack Input Grammar Mutation & Crossover Fitness & Test Verdict 49 23/05/14 KameleonFuzz - XSS fuzzing

50 Attack Input Grammar considered SUT filters browser specific string transformations anti-filters production rules several realistic payloads hacker sources (Shazzer..) Payloads production rules Sets of Attack Vectors (evtly structured) Attack Input Grammar 50 23/05/14 KameleonFuzz - XSS fuzzing

51 Scanner comparisons 51 23/05/14 KameleonFuzz - XSS fuzzing

52 Conclusion Model inference to detect vulnerabilities: it works! ready to become key ingredient in combination with other techniques Black box inference is powerful enough White box suffers from many limitations (aliasing, external libraries, scaling ) But can be complementary (e.g. guard inference vs constraint solving) 52

53 Some perspectives Model inference can help reverse engineering (& understanding) code Possibly malware? Many ways to combine smart fuzzing & inference Feedback loop fuzzing -> model Combining WB & BB inference Binary code analysis enhanced with behavioural model 53