Large Scale Generation of Complex and Faulty PHP Test Cases

Similar documents
Evaluating Bug Finders

Large Scale Generation of Complex and Faulty PHP Test Cases

Application Security Approach

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Using and Customizing Microsoft Threat Modeling Tool 2016

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Certified Secure Web Application Engineer

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Secure Programming Techniques

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Web Application Security. Philippe Bogaerts

Application vulnerabilities and defences

Development*Process*for*Secure* So2ware

Web Application Vulnerabilities: OWASP Top 10 Revisited

OWASP TOP 10. By: Ilia

6-Points Strategy to Get Your Application in Security Shape

CSWAE Certified Secure Web Application Engineer

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

Your Turn to Hack the OWASP Top 10!

Introductions. Jack Katie

Source Code Patterns of Cross Site Scripting in PHP Open Source Projects

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

SECURITY TESTING. Towards a safer web world

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Developing Secure Systems. Associate Professor

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Web Application Threats and Remediation. Terry Labach, IST Security Team

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Atlassian. Atlassian Software Development and Collaboration Tools. Bugcrowd Bounty Program Results. Report created on October 04, 2017.

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Developing Secure Systems. Introduction Aug 30, James Joshi, Professor, SCI

Applications Security

SAMATE (Software Assurance Metrics And Tool Evaluation) Project Overview. Tim Boland NIST May 29,

V Conference on Application Security and Modern Technologies

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Clojure Web Security. FrOSCon Joy Clark & Simon Kölsch

Security Communications and Awareness

Security Communications and Awareness

OWASP ASVS for NFTaaS in Financial Services OLEKSANDR KAZYMYROV, TECHNICAL TEST ANALYST

Sichere Webanwendungen mit Java

Finding Architectural Flaws in Android Apps Is Easy

Simplifying Application Security and Compliance with the OWASP Top 10

F5 Application Security. Radovan Gibala Field Systems Engineer

ShiftLeft. Real-World Runtime Protection Benchmarking

Presentation Overview

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

1 About Web Security. What is application security? So what can happen? see [?]

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Aguascalientes Local Chapter. Kickoff

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

Continuously Discover and Eliminate Security Risk in Production Apps

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

eb Security Software Studio

IronWASP (Iron Web application Advanced Security testing Platform)

Application. Security. on line training. Academy. by Appsec Labs

Web Applications Penetration Testing

Exploiting and Defending: Common Web Application Vulnerabilities

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

SECURITY OF VEHICLE TELEMATICS SYSTEMS. Daniel Xiapu Luo Department of Computing The Hong Kong Polytechnic University

16th Annual Karnataka Conference

Managed Application Security trends and best practices in application security

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Important Points to Note

Atlassian Crowdsourced Penetration Test Results: January 2018

Application Layer Security

Vulnerabilities in web applications

The Top 6 WAF Essentials to Achieve Application Security Efficacy

PRESENTED BY:

gfuzz: An instrumented Web application fuzzing environment Ezequiel D. Gutesman Corelabs Core Security Technologies


RiskSense Attack Surface Validation for Web Applications

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Engineering Your Software For Attack

The OWASP Foundation

Web Security. Web Programming.

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

GOING WHERE NO WAFS HAVE GONE BEFORE

Top 10 Web Application Vulnerabilities

Solutions Business Manager Web Application Security Assessment

Table of Contents Computer Based Training - Security Awareness - General Staff AWA 007 AWA 008 AWA 009 AWA 010 AWA 012 AWA 013 AWA 014 AWA 015

State of Software Security Report Volume 2. Jeff Ennis, CEH Solutions Architect Veracode

CIS 4360 Secure Computer Systems XSS

Secure Development Guide

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Cybersecurity Education Catalog

Security Solution. Web Application

Transcription:

Large Scale Generation of Complex and Faulty PHP Test Cases Bertrand STIVALET Elizabeth FONG ICST 2016 Chicago, IL, USA April 15th, 2016 http://samate.nist.gov

Authors Bertrand STIVALET National Institute of Standards and Technology bertrand.stivalet@nist.gov Elizabeth FONG National Institute of Standards and Technology efong@nist.gov 2

"If debugging is the process of removing software bugs, then programming must be the process of putting them in" E. Dijkstra 3

NIST - SAMATE - SARD NIST - National Institute of Standards and Technology Part of the US Department Of Commerce Promote U.S. Innovation and Industrial Competitiveness SAMATE - Software Assurance Metrics And Tool Evaluation Improve Software Assurance by: developing materials, specifications, and methods testing tools and techniques and measure their effectiveness SARD - Software Assurance Reference Dataset Provide database of known security flaws C/C++, JAVA, PHP, C# 148,903 Test cases / 665,481 Files 4

Outline 1. Software Testing 5

Outline 1. Software Testing Static Application Security Testing 6

Outline 2. Design of Test Cases 1. Software Testing Test Cases Static Application Security Testing 7

Outline 3. PHP Vulnerability Test Cases Generator 2. Design of Test Cases 1. Software Testing Test Cases Generator Test Cases Static Application Security Testing 8

Outline 3. PHP Vulnerability Test Cases Generator 2. Design of Test Cases 1. Software Testing Test Cases Generator Test Cases Static Application Security Testing 4. Live Demo 9

1. Software Testing Introduction to Static Analysis 10

Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches: Syntax checking Heuristics Formal methods 11

Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches Buggy Source Compilation Buggy Software 12

Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches Buggy Source Static Analysis Bug Report Remediation 13

Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches Fixed Source Compilation Secure Software 14

Static Analysis Automated analysis of large software Defect detection and remediation Use different approaches Buggy Source Static Analysis Bug Report? 15

Static Analysis Testing Static Analysis Bug Report True Negative 16

Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis Bug Report False Positive 17

Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis NOISE Bug Report False Positive 18

Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis NOISE Bug Report False Positive Buggy Static Analysis Bug Report True Positive 19

Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis NOISE Bug Report False Positive Buggy Static Analysis Bug Report True Positive Buggy Static Analysis Bug Report False Negative 20

Static Analysis Testing Static Analysis Bug Report True Negative Static Analysis NOISE Bug Report False Positive Buggy Static Analysis Bug Report True Positive Buggy MISSED DEFECT Static Analysis Bug Report False Negative 21

Pros and Cons Improves software assurance Saves time and money Takes customized rule sets False positive (noise) False negative (missed defects) Limited scope 22

2. Design of Test Cases Test cases features 23

Test Cases Design Cover the most vulnerabilities possible Various complexities Statistically significant Ground truth Paired safe and flawed test cases Representative of production code 24

PHP Test Case Example 25

PHP Test Case Example INPUT 26

PHP Test Case Example INPUT FILTERING 27

PHP Test Case Example INPUT FILTERING SINK 28

3. PHP Vulnerability Test Cases Generator Overview of the Test Cases generator 29

Test Cases Generator Conditional Loops Functions Classes Multiple Files Complexities: choose none, one, or combine several Input Templates Filtering Templates Sink Templates Selected Input Selected Filtering Selected Sink Buggy File Structure: Input + Filtering + Sink 30

Test Cases Design Various complexities Statistically significant Ground truth Paired safe and flawed test cases Cover the more vulnerabilities possible Representative of production code 31

Vulnerabilities covered Vulnerabilities based on OWASP Top 10 2013 [ #safe / #unsafe ] Injection [ 20912 / 5920 ] Broken Authentication and Session Management Cross Site Scripting (XSS) [ 5728 / 4352 ] Insecure Direct Object References [ 400 / 80 ] Security Misconfiguration [ 5 / 3 ] Sensitive Data Exposure [ 5 / 7 ] Missing Function Level Access Control Cross-Site Request Forgery (CSRF) Using Known Vulnerable Component Unvalidated Redirects and Forwards [ 2208 / 2592 ] 32

4. Live Demo Generating Test Cases to Testing 33

Live Demo <?PHP Vulnerability Test Case Generator?> PHP Test Cases 34

RIPS - Metrics Missed defects - present : 912 - found : 312* Recall = 312 / 912 = 34.2% * considering all findings are True positives 35

Report SQL Injection : Userinput reaches sensitive sink. RIPS - True Positive INPUT FILTERING SINK CWE_89 GET no_sanitizing multiple_select-interpretation.php 36

Report SQL Injection : Userinput returned by function getinput() reaches sensitive sink. RIPS - False Positive INPUT FILTERING SINK CWE_89 object-directget CAST-func_settype_float multiple_as-sprintf_%u.php 37

Conclusion Tools need evaluation! Test cases need improvement PHP Vulnerability Test Suite Generator: Automated generation Modular and expandable Customizable with options 42 000 PHP test cases generated 38

Conclusion Tool is available on Github: https://github.com/stivalet/php-vuln-test-suite-generator Test cases are hosted in the SARD: https://samate.nist.gov/sard/view.php?tsid=103 Project is already used by researchers: M. K. Gupta, et al, Security Vulnerabilities in Web Applications", JCSSE 2015 M. K. Gupta, et al, "XSSDM: Towards Detection and Mitigation of Cross-Site Scripting Vulnerabilities in Web Applications", ICACCI 2015 SATE VI - Static Analysis Tool Exposition, NIST 2016 39

Thanks! Any questions? Find us at: http://samate.nist.gov stivalet@nist.gov Twitter: @B_Stivalet 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback