CRAXweb: Automatic Exploit Generation for Web Applications

Lehrstuhl für Informatik 4

1/161/2012 <Title> <Name LastName> Seminar in Computer Science

Kip IrvineCRAXweb: Automatic Web Application Testing and Attack Generation1

Shih-Kun Huang ,Han-Lin Lu, Wai-Meng Leong ,Huan LiuNational Chiao Tung University

Presented byAung Thu Rha Hein

5536871

1 “CRAXWweb:Automatic Web Application Testing and Attack Generation”, Software Security and Reliability (SERE), June 2013 IEEE 7th International Conference.



Outline

1. Introduction2. Background

-What is an exploit?-Dynamic Analysis-Semantic Execution

2. CRAXWeb: Automatic Web Application Testing and Attack Generation4. Conclusions5. References



● Software bugs are common● Especially in web applications● Some bugs are more harmful● It is difficult to detect manually● Static analysis gives developer confusion and false

positives● Manual testing is not effective

Introduction

Motivation



●Challenge●How to find exploits, shellcode in the program

●Source code analysis alone is not enough

●Finding exploitable paths among program execution paths

Introduction

Problem Statements



● To generate exploits for web-applications

Introduction

Research Objectives



●Exploits techniques vary upon OS architectures●Type of Exploits

● Stack Overflow Exploit● Heap Corruption Exploit● Format String Attack

●Attack Methodologies● Remote Exploit● Local Exploit● Two Stage Exploit

●Tools for writing Exploits: LibExploit, Metasploit, CANVAS

Background: Exploits

What is an exploit?




Stack Overflow Exploit Example

#include <string.h>void foo (char *bar){ char c[12]; strcpy(c, bar);}int main (int argc, char **argv){ foo(argv[1]); }




Stack Overflow Exploit Example



Background: Dynamic analysis

Introduction

●Monitor code as it executes●Usefulness of Dynamic analysis

● Precision of information● Dependence on program inputs

●Four common dynamic analysis techniques:● Dynamic taint analysis● Forward symbolic execution● Frequency Spectrum Analysis ● Coverage Concept Analysis ...




Dynamic Taint Analysis

●To exploit program execution, ● use values from a trusted source● attackers overwrite, tainted these values

● Taint Analysis Process1. mark input data from untrusted sources tainted2. monitor program execution to track how they

propagated3. check when tainted data is used in dangerous ways




Dynamic Taint Analysis

Attack detected using TaintCheck



Background:Dynamic analysis

Symbolic Execution

●Key idea: generalize testing by using unknown●symbolic variables in evaluation

● int f(1, 2)= int f(α1 , α2)

●Allows unknown symbolic variables in evaluation● y = α; assert(f(y) == 2*y-1);

●If execution path depends on unknown, conceptuallyfork symbolic executor● int f(int x) {if(x > 0) then return 2*x - 1; else return 10;}




Symbolic Execution Example

l …




Symbolic Execution: Purpose

●E.g. Particular program points reachable?●E.g. Is array access a[i] out of bounds?●E.g. Generate concrete inputs that execute same paths

● With constraints solvers● E.g. Z3, Yices, STP




Symbolic Execution Limitations

●Scalability Issue when execution paths are large●Source code, or equivalent is required●Limitations in solving constraints

● cannot handle non-linear and very complex constraints



Research Paper

CRAXweb: Automatic Web Application Testing and Attack Generation



Research Paper

●Implement AEG for large-scaled web applications●Focus on XSS and SQLi attacks●Based on Symbolic Socket or symbolic execution ●Single path concolic mode is used to reduce path- explosion●Selective Symbolic Execution(S2E)

● Provide the ability to execute a specific part of program

●Simple Theorem Prover(STP) as a constraint solver●Acunetix as web crawler

Overview of CRAXweb



Research Paper

●Generate test cases and exploits

Exploit Generation: Constraint Solving



Research Paper

Exploit Generation:Constraint Solving

x- exploitf(x)- expected attack script



Research Paper

● To reduce overhead caused by symbolic execution● Explore one path at a time

Single Path Concolic Mode



Research Paper

Flow diagram of automatic process



Research Paper

● S2E as symbolic environment

Implementation:Symbolic Socket



Research Paper

● Overall architecture for automatic exploit generator

Implementation: Architecture



Research Paper

Implementation: Symbolic Response and Query Handler

● From Web Crawler to Symbolic Request



Research Paper

Implementation: Symbolic Response and Query Handler

● From symbolic response or query to exploit generator



Research Paper

Implementation: Exploit Generation



Research Paper

Implementation: Exploit Generation

● Algorithm to solve the exploit constraint



Research Paper

Results: Experiment Environment

● Host OS- Ubuntu 10.10● Guest Environment- emulated by Qemu● Qemu- hosted Debian 5.07 and Windows XP● Softwares- S2E 1.0 and MySQL as database handler



Research Paper

Results: Evaluation for different platforms



Research Paper

Results: Evaluation for Exploit Generation

● With test cases from Ardilla



Research Paper


● With test cases from Ardilla



Research Paper


● With Real world Applications



Research Paper

Results: Related works



Conclusions

● AEG is possible for web applications● CRAXWeb uses

● Symbolic execution ● Concolic Testing

● However,Still have rooms for development● for more exploit types● to integration with browser



References

Shih-Kun Huang,Han-Lin Lu ; Wai-Meng Leong ; Huan Liu, ”CRAXweb: Automatic Web Application Testing and Attack Generation”, Software Security and Reliability (SERE),IEEE 7th International Conference, June 2013

Shih-Kun Huang,Min-Hsiang Huang ; Po-Yen Huang ; Chung-Wei Lai ; Han-Lin Lu ; Wai-Meng Leong, “CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations” ,Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference, June 2012

Thanassis Avgerinos and Sang Kil Cha and Brent Lim Tze Hao and David Brumley, “AEG: Automatic Exploit Generation”,Network and Distributed System Security Symposium, Feb 2012



References

James Newsome,Dawn Song,”Dynamic Taint Analysis for Automatic Detection,An alysis, and Signature Generation of Exploitson Commodity Software”, Network and Distributed System Security Symposium, 2005

Cristian Cadar, Daniel Dunbar, Dawson Engler, “KLEE: Unassisted and Automatic Generation of High-CoverageTests for Complex Systems Programs”, USENIX Symposium on Operating Systems Design and Implementation, December 2008

CRAXweb: Automatic Exploit Generation for Web Applications

Technology

Transcript of CRAXweb: Automatic Exploit Generation for Web Applications