Generating String Attack Inputs Using Constrained Symbolic Execution. presented by Kinga Dobolyi

Transcription

1 Generating String Attack Inputs Using Constrained Symbolic Execution presented by Kinga Dobolyi

2 What is a String Attack? Web applications are 3 tiered Vulnerabilities in the application layer Buffer overruns, cross-site scripting, code injection Command injection allow a malicious user direct access to the back end database In 2006 they made up 14% of reported vulnerabilities (second most common)

3 Outline SQL command injections Motivating example Algorithm to detect Generating grammars Generating strings Concatenation Intersection Summary

4 Background What is an SQL command injection? Query commands are passed to the DB, usually some sort of business logic A bad command could return secret information or corrupt the database

5 An Example Attack $DB->query("SELECT * from news where newsid= 5 "); $DB->query("SELECT * from news where newsid= 5 OR 1=1; DROP news ");

6 How can we avoid this? Dynamic taint analyses expensive Static analyses Undecidable approximate

7 Static Analysis

8 Motivation Static analyses will result in false positives Even if we flag vulnerable points in the code, it would be better if we could generate test cases automatically that demonstrate them How could we generate test cases with a test input and a viable path to the error?

9 Algorithm Create a Context Free Grammar to represent all possible bad String variable values in the program Identify a set of locations (from the grammar) that we must pass through to get a specific bad String Find the exact path Use static analysis to find the inputs that will demonstrate the fault along that path to the location

10 Inputs The program as a control flow graph The location that represents the defect A policy: a regular expression describing illegal string arguments ( to the query function)

11 Algorithm

12 Step 1: the grammar Construct an annotated grammar that soundly approximates the values possible at a location We want a Context Free Grammar that represents all possible values that String variables in the program might take at runtime Not precise, but it always terminates We are interested in variables that the user might have an effect on We need to encode locations in the program

13 Step 1: the grammar Each String variable is associated with a sub-grammar from the program Context Free Grammar The variable is a terminal For each production, add conditionals that had to be true for the program to get there from the Control Flow Graph

14 Step 1: the grammar

15 Step 1: the grammar

16 Step 1: the grammar

17 Step 1: the grammar

18 Step 1: the grammar

19 Step 1: the grammar

20 Step 1: the grammar

21 Step 1: the grammar Now we have a way of representing the values that a particular variable may take at runtime

22 Step 1: String generation Use the potential runtime values of the variable (from the grammar), together with our policy to generate violating String instances Intersect the grammar with the policy If == Ø, we are safe (good programmer filtering) If!= Ø, we have a violation (bad programmer filtering = defect)

23 What next? The grammar doesn t match the Control Flow Graph exactly, to give a precise path We enumerate a String in our grammar, keeping track of the productions used From this set of productions, we obtain a set of constraints on program variables and a set of locations that must be visited Check for internal consistency of the constraints

24 Algorithm

25 Step 2: get a path Step 2: Use backwards reachability analysis from the location to the start of the program to enumerate paths that demonstrate the defect

26 Step 3: user inputs Step 3: We want to find user inputs for the path Given a path that lead to a location with some vulnerability, what was the user input? How do we build the defective String for the query? We need to concatenate Strings along the path of execution but there can be so many! So unclear!

27 Dependency Graph We have a set of locations in the Control Flow Graph that we must pass through to demonstrate the defect, and we are trying to get to the start from the location We can build a dependency graph of program statements

28 Dependency Graph: example 1 $p = getuserinput(); 2 if ($p == ab ) //t0 3 exit(); 4 $querystring = $q.$p; 5 $DB->query($queryString); For line 5, if our policy says querystring is Σ*cab, let akcab be a bad String

29 Dependency Graph Perform a topological sort of the graph to generate a sequence of operations But how does this work when we have so many possibilities? Use concatenationintersection to generate the Strings

30 Concatenation-intersection Problem statement: Given 3 regular languages L 1, L 2, L 3 Generate a set of elements <L i, L i >

31 How do we solve the CI problem? Use the NFA that recognizes L 5 = (L 1 L 2 ) L 3 We need to construct M 5 to extract a solution, assuming that there is a single start state and a single final state

32 Constructing M 5 First construct M 4 for L 4 = (L 1 L 2 ) Use a single ε-transition between the final state of M 1 and the start state of M 2 Next construct the cross product of L 4 and L 3 such that L 5 = L 4 L 3 = (L 1 L 2 ) L 3

33 Continuing the previous example We now have a finite state machine that represents all possible Strings that would lead to the defect Enumerate over Strings in this language to generate the test cases Breadth first search of the DFA

34 Victory Now we can use these test cases to show the defect, and for regression testing

35 Summary We have an algorithm that is able to produce test cases for command injections in vulnerable code We did this by modeling the variables String variables could take on in the code We found the path through the code to the defect We generated user inputs to demonstrate the defect