SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS
Towards Security Vulnerability Detection by Source Code Model Checking
Keqin Li
April, 2010
Motivation
Programming guidelines
Source code model checking: Java PathFinder (JPF); Bandera, Kansas State University; ...
Proposed approach: formalize programming guidelines as temporal properties, then check by model checking whether the source code follows the programming guidelines
© SAP 2008 / Standard Presentation / Page 3
Overview
1. Motivation
2. Security programming guidelines: secure logging; Cross Site Scripting
3. Source code model checking: Bandera tool set; temporal property specification in Bandera
4. Property specification: secure logging; Cross Site Scripting
5. Conclusion
Secure logging
Before sensitive information is logged, it must be encrypted in order to prevent information leakage.
Logging APIs
Category myCat = Category.getCategory("/System/Database");
myCat.warningT("Sample message" + password);
/* fatalT() ; errorT() ; infoT() ; pathT() ; debugT() ; */
Encryption APIs
ISsfData data;
profile = new SsfProfileKeyStore(keyStore, alias, null);
result = data.encrypt(profile);
© SAP 2009 / Page 4
Cross Site Scripting
Cross-Site Scripting (XSS) attacks
SAP Output Encoding Framework
Four different cases
Case 1: string from a user is output between tags
HTML Example
<head>
<title>[CASE1-A]</title>
</head>
<body>
<table>
<tr>
<td>Username</td>
<td>[CASE1-B]</td>
</tr>
</table>
</body>
© SAP 2007 / QUB Presentation / Page 6
Attack Example
<head>
<title>
<script>alert();</script>
</title>
</head>
Encoding functions to be used
static String escapeToHTML(String input);
static String escapeToHTML(StringBuffer sb, String input, int maxLength);
static String escapeToHTML(String input, int maxLength);
Case 1: Sample program
public void doContent(String title) {
    String my_title, my_user;
    my_title = StringUtils.escapeToHTML(title);
    response.write("<head><title>" + my_title + "</title></head>");
    if ((my_user = getUsernameByID("userid")) != null) {
        my_user = StringUtils.escapeToHTML(my_user, 30);
        response.write("<body><table><tr><td>Username</td><td>" + my_user + "</td></tr></table></body>");
    }
}
Case 2: string from a user is output inside tags, and the output is not a URL or style
HTML Example
<form name='[CASE2-A]'>
<input type="text" name="user" value="[CASE2-B]">
</form>
Encoding functions to be used
static String escapeToAttributeValue(String input);
static String escapeToAttributeValue(StringBuffer sb, String input, int maxLength);
static String escapeToAttributeValue(String input, int maxLength);
Case 3: string from a user is output which is a URL or style
HTML Example
<img src="[CASE3]">
Encoding functions to be used
static String escapeToURL(String input);
static String escapeToURL(StringBuffer sb, String input, int maxLength);
static String escapeToURL(String input, int maxLength);
Case 4: string from a user is output inside a SCRIPT context
HTML Example
<script>
var a = '[CASE4]';
</script>
Encoding functions to be used
static String escapeToJS(String input);
static String escapeToJS(StringBuffer sb, String input, int maxLength);
static String escapeToJS(String input, int maxLength);
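The four cases above each need a different encoder because the same user string lands in a different parser context (HTML text, attribute value, URL, JavaScript literal). The following added example, written in Python rather than Java and not taken from SAP's Output Encoding Framework, shows one encoder per case with the page's own attack string; the function names escape_to_html, escape_to_attribute_value, escape_to_url and escape_to_js are hypothetical counterparts of the escapeToHTML / escapeToAttributeValue / escapeToURL / escapeToJS signatures, and the maxLength parameter is assumed to truncate the input before encoding.

```python
"""Context-specific output encoding for the four XSS cases.

Added example, not SAP code: the escape_to_* functions are hypothetical Python
counterparts of the escapeTo* signatures shown on the slides.
"""
import html
import struct
import urllib.parse
from typing import Optional


def _truncate(s: str, max_length: Optional[int]) -> str:
    # Assumption: maxLength limits the raw input length before encoding.
    return s if max_length is None else s[:max_length]


def escape_to_html(s: str, max_length: Optional[int] = None) -> str:
    """Case 1: text between tags. Entity-encode the HTML metacharacters so
    '<script>' is rendered as literal text instead of being parsed as a tag."""
    return html.escape(_truncate(s, max_length), quote=True)


def escape_to_attribute_value(s: str, max_length: Optional[int] = None) -> str:
    """Case 2: inside a quoted attribute. Numeric-entity-encode every character
    that is not alphanumeric, so neither quote style nor '>' can end the attribute."""
    return "".join(c if c.isalnum() else f"&#x{ord(c):x};"
                   for c in _truncate(s, max_length))


def escape_to_url(s: str, max_length: Optional[int] = None) -> str:
    """Case 3: a user-supplied URL component (path segment or query value).
    Percent-encode everything outside the unreserved set; ':' becomes %3A, so the
    value cannot introduce a URL scheme of its own inside an <img src>."""
    return urllib.parse.quote(_truncate(s, max_length), safe="")


def escape_to_js(s: str, max_length: Optional[int] = None) -> str:
    """Case 4: inside a JavaScript string literal. \\uXXXX-encode every
    non-alphanumeric UTF-16 code unit, so quotes, backslashes and '</script>'
    can close neither the literal nor the script element."""
    out = []
    for c in _truncate(s, max_length):
        if c.isalnum():
            out.append(c)
        else:
            units = c.encode("utf-16-be")            # non-BMP chars give two units
            out.extend(f"\\u{u:04x}" for u in struct.unpack(f">{len(units) // 2}H", units))
    return "".join(out)


def render(user_input: str) -> dict:
    """Place one user-controlled string into each of the four HTML contexts."""
    return {
        "case1": f"<td>{escape_to_html(user_input, 30)}</td>",
        "case2": f'<input type="text" name="user" value="{escape_to_attribute_value(user_input)}">',
        "case3": f'<img src="/avatars/{escape_to_url(user_input)}">',
        "case4": f"<script>var a = '{escape_to_js(user_input)}';</script>",
    }


if __name__ == "__main__":
    for context, fragment in render("<script>alert();</script>").items():
        print(context, fragment)
```

The point of the split is that each encoder only has to be correct for its own context: the HTML-text encoder leaves parentheses alone, which would be wrong inside a JavaScript literal, and the attribute encoder leaves '/' alone, which would be wrong in a URL.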
Bandera Tool Set
Predicates in BSL
Location insensitive:
  Expression predicate
    EXP <predicate-name> <params> : <exp>
Location sensitive (defined in method header documentation):
  Invocation predicate
    INVOKE <predicate-name> <params> [: <exp>]
  Location predicate
    LOCATION '[' <label> ']' <predicate-name> <params> [: <exp>]
  Return predicate
    RETURN <predicate-name> <params> [: <exp>]
Example: slide figure showing a method annotated with an expression predicate, a return predicate and an invocation predicate.
Specifying temporal property
Temporal property pattern
Absence: A given state/event does not occur within a scope
Existence: A given state/event must occur within a scope
Universality: A given state/event occurs throughout a scope
Precedence: A state/event P must always be preceded by a state/event Q within a scope
Response: A state/event P must always be followed by a state/event Q within a scope
...
Scopes
http://patterns.projects.cis.ksu.edu/
Syntax
"Over the 555 example specifications we collected, 511 (92%) matched one of our patterns"
Secure logging: target program
void main () {
    String secret = new String() ;
    ISsfProfile profile = new ISsfProfile() ;
    /* secret.encrypt( profile ) ; */
    Category myCat = new Category() ;
    myCat.warningT( secret );
}
Secure logging: auxiliary file
class String {
    public boolean isConf ;
    public String() { isConf = false ; }
    /**
     * @observable
     * INVOKE call(this, ISsfProfile profile) ;
     */
    public void encrypt( ISsfProfile profile ) { }
}
class Category {
    /**
     * @observable
     * INVOKE call(this, String m) ;
     */
    public void errorT( String m ) { }
    /**
     * @observable
     * INVOKE call(this, String m) ;
     */
    public void warningT( String m ) { }
}
Observable events in the auxiliary file:
- encrypt(): a string is encrypted
- errorT() / warningT(): a string is logged
- isConf: a string is confidential; the marker comment is rewritten into an assignment to this field:
  String mystr ; /* confidential */
  =>
  String mystr ; mystr.isConf = true ;
Property formalization
Informally: If a string s is confidential, then before errorT(s) or warningT(s) is called, s.encrypt() should be called.
Using LTL:
P = s.isConf ∧ (Category.errorT.call(c, s) ∨ Category.warningT.call(c, s))
S = String.encrypt.call(s, prof)
F P → (!P U (S ∧ !P))
Using BSL:
S precedes P globally
F P → (!P U (S ∧ !P))
[Trace diagram: states s1 to s6 with one row each for P, F P, S ∧ !P and !P U (S ∧ !P); the confidential string is logged at the state where P holds and encrypted at the state where S holds]
Procedure
1. Annotated source: ... String str; /* confidential */ ...
2. Pre-processor output: ... String str; str.isConf = true; ...
3. Model checker (Bandera), given the pre-processed program, the auxiliary file (... /** @observable INVOKE call(this, String m) ; */ public void errorT( String m ) { } ...) and the BSL property (... S precedes P globally ...)
4. Result
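The pre-processor step is the only part of the procedure the developer touches: a marker comment on a declaration becomes the field assignment that makes s.isConf true in the model. The following added example (Python, not the slides' own tool) performs that rewrite; preprocess and confidential_names are hypothetical names, and the sample program is the page's secure-logging target with the marker added to secret. Only single-variable declarations are handled, which is the form used on the slides.

```python
"""Pre-processor for the '/* confidential */' marker.

Added example, not the slides' own tool. A Java 'String x;' or 'String x = ...;'
declaration followed by the marker comment is rewritten into the declaration
plus 'x.isConf = true ;', the field exposed by the auxiliary String class.
"""
import re

# A String declaration (optionally with an initialiser) directly followed by the marker comment.
_CONF_DECL = re.compile(
    r"(?P<decl>\bString\s+(?P<name>\w+)\s*(?:=[^;]*)?;)\s*/\*\s*confidential\s*\*/"
)


def preprocess(java_source: str) -> str:
    """Replace each marked declaration with the declaration plus '<name>.isConf = true ;'."""
    return _CONF_DECL.sub(
        lambda m: f"{m.group('decl')} {m.group('name')}.isConf = true ;", java_source)


def confidential_names(java_source: str) -> list:
    """Names of the strings the developer marked as confidential (for reporting)."""
    return [m.group("name") for m in _CONF_DECL.finditer(java_source)]


# Constructed sample: the secure-logging target program with 'secret' marked confidential.
SAMPLE = """void main () {
    String secret = new String() ; /* confidential */
    ISsfProfile profile = new ISsfProfile() ;
    Category myCat = new Category() ;
    myCat.warningT( secret );
}"""

if __name__ == "__main__":
    print(preprocess(SAMPLE))
```

Because the rewrite is a plain textual insertion after the declaration, the pre-processed program compiles against the auxiliary String class without any other change, which is what keeps the developer's extra effort to the one marker comment.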
Cross Site Scripting: target program
public class SampleServlet extends HttpServlet {
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Use "request" to read incoming HTTP headers and HTML form data
        String input = request.getParameter("Input");
        // Use "response" to specify the HTTP response line and headers
        PrintWriter out = response.getWriter();
        // case 1
        out.write("<td>");
        // input = StringUtils.escapeToHTML(input);
        out.write(input);
        out.write("</td>");
        // case 4
        out.write("<script>");
        // input = StringUtils.escapeToJS(input);
        out.write(input);
        out.write("</script>");
    }
}
Cross Site Scripting: auxiliary file
class HttpServletRequest {
    public HttpServletRequest() { }
    /**
     * @observable
     * RETURN from_input(this, String str): ( $ret == str ) ;
     */
    public String getParameter( String field ) {
        String temp_str = new String() ;
        return temp_str ;
    }
}
class PrintWriter {
    public boolean js = false ;
    public PrintWriter() { }
    /**
     * @observable
     * INVOKE js_begin(this, String str): ( str == "<script>" ) ;
     * INVOKE js_end(this, String str): ( str == "</script>" ) ;
     * INVOKE call(this, String str);
     */
    public void write( String str ) {
        if( str == "<script>" ) js = true ;
        if( str == "</script>" ) js = false ;
    }
}
Observable events in the auxiliary file:
- getParameter() (from_input): a string is obtained from user input
- write("<script>") / write("</script>") (js_begin / js_end): JavaScript tags are output
- write() (call): a string is output
- PrintWriter.js: output is between JavaScript tags
Continue
class StringUtils {
    /**
     * @observable
     * INVOKE call(this, String str);
     */
    static String escapeToHTML( String str ) {
        String temp_str = new String() ;
        return temp_str ;
    }
    /**
     * @observable
     * INVOKE call(this, String str);
     */
    static String escapeToJS( String str ) {
        String temp_str = new String() ;
        return temp_str ;
    }
}
Observable events: escapeToHTML() is the encoding function for CASE 1 being called; escapeToJS() is the encoding function for CASE 4 being called
Property formalization 1
Informally: If a string s is obtained from user input, then before write(s) is called, escapeToHTML(s) or escapeToJS(s) should be called.
Using LTL:
R = HttpServletRequest.getParameter.from_input(s)
S = StringUtils.escapeToHTML.call(s) ∨ StringUtils.escapeToJS.call(s)
P = PrintWriter.write.call(s)
F P → ((R → (!P U (S ∧ !P))) U P)
Using BSL:
S responds to R before P
F P → ((R → (!P U (S ∧ !P))) U P)
[Trace diagram 1: states s1 to s6; user input is obtained at the R state, encoded at the S state and output at the P state; rows show P, F P, R, S ∧ !P, !P U (S ∧ !P) and the question whether (R → (!P U (S ∧ !P))) U P holds]
[Trace diagram 2: states s1 to s6; rows show P, F P, R, S ∧ !P, !P U (S ∧ !P), R → (!P U (S ∧ !P)) and (R → (!P U (S ∧ !P))) U P]
Property formalization 2
Informally: If a string s is obtained from user input, and write(s) is called between write("<script>") and write("</script>"), then escapeToJS(s) should be called.
Using LTL:
R = HttpServletRequest.getParameter.from_input(s)
S = StringUtils.escapeToJS.call(s)
P = PrintWriter.write.call(s) ∧ (PrintWriter.js == true)
F P → ((R → (!P U (S ∧ !P))) U P)
Using BSL:
S responds to R before P
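The three formalizations (secure logging above, XSS properties 1 and 2) are instances of two pattern formulas, "S precedes P globally" and "S responds to R before P". The following added example, Python and neither Bandera nor SAP code, evaluates exactly those formulas over hand-constructed event traces of the two target programs: each state is the set of auxiliary-file predicates true there (the atom names are constructed abbreviations of the slides' predicates). Bandera explores every execution of the model; this script checks one trace at a time, which is enough to see which runs the formulas accept. It also shows why property 2 exists: a run that calls only escapeToHTML satisfies property 1 yet violates property 2.

```python
"""Finite-trace evaluation of the slides' LTL formulas.

Added example, not Bandera. Traces are constructed from the two target programs
shown on the slides; one state per statement, holding the predicates true there.
"""
from typing import Callable, List, Set

Trace = List[Set[str]]
Formula = Callable[[Trace, int], bool]


# --- minimal LTL over finite traces ------------------------------------------
def atom(name: str) -> Formula:
    return lambda tr, i: name in tr[i]

def neg(f: Formula) -> Formula:
    return lambda tr, i: not f(tr, i)

def conj(f: Formula, g: Formula) -> Formula:
    return lambda tr, i: f(tr, i) and g(tr, i)

def disj(f: Formula, g: Formula) -> Formula:
    return lambda tr, i: f(tr, i) or g(tr, i)

def implies(f: Formula, g: Formula) -> Formula:
    return lambda tr, i: (not f(tr, i)) or g(tr, i)

def F(f: Formula) -> Formula:
    """Eventually: f holds at some state from i onward."""
    return lambda tr, i: any(f(tr, j) for j in range(i, len(tr)))

def U(f: Formula, g: Formula) -> Formula:
    """Strong until: g holds at some state j >= i and f holds at every state before j."""
    def ev(tr: Trace, i: int) -> bool:
        for j in range(i, len(tr)):
            if g(tr, j):
                return True
            if not f(tr, j):
                return False
        return False
    return ev

def holds(f: Formula, tr: Trace) -> bool:
    return bool(tr) and f(tr, 0)          # evaluated at the initial state


# --- the two BSL patterns used on the slides ---------------------------------
def precedes_globally(S: Formula, P: Formula) -> Formula:
    """'S precedes P globally':  F P -> (!P U (S & !P))"""
    return implies(F(P), U(neg(P), conj(S, neg(P))))

def responds_to_before(S: Formula, R: Formula, P: Formula) -> Formula:
    """'S responds to R before P':  F P -> ((R -> (!P U (S & !P))) U P)"""
    return implies(F(P), U(implies(R, U(neg(P), conj(S, neg(P)))), P))


# --- secure logging ------------------------------------------------------------
LOG_P = conj(atom("s.isConf"), disj(atom("errorT.call(c,s)"), atom("warningT.call(c,s)")))
LOG_S = atom("encrypt.call(s,prof)")
SECURE_LOGGING = precedes_globally(LOG_S, LOG_P)

# main() as shown (encrypt call commented out): new String, new profile, new Category, warningT
LOG_TRACE_VIOLATING: Trace = [set(), set(), set(), {"s.isConf", "warningT.call(c,s)"}]
# same program with the encrypt call restored before the logging call
LOG_TRACE_OK: Trace = [set(), set(), {"encrypt.call(s,prof)"}, {"s.isConf", "warningT.call(c,s)"}]

# --- Cross Site Scripting --------------------------------------------------------
XSS_R = atom("getParameter.from_input(s)")
XSS_P = atom("write.call(s)")
XSS_S = disj(atom("escapeToHTML.call(s)"), atom("escapeToJS.call(s)"))
XSS_PROPERTY_1 = responds_to_before(XSS_S, XSS_R, XSS_P)
XSS_P2 = conj(XSS_P, atom("js"))          # write(s) while PrintWriter.js == true
XSS_PROPERTY_2 = responds_to_before(atom("escapeToJS.call(s)"), XSS_R, XSS_P2)

# doGet as shown on the slide: both escape calls commented out
XSS_TRACE_VIOLATING: Trace = [
    {"getParameter.from_input(s)"},   # input = request.getParameter("Input")
    set(),                            # out.write("<td>")
    {"write.call(s)"},                # out.write(input)      case 1
    set(),                            # out.write("</td>")
    {"js"},                           # out.write("<script>") sets PrintWriter.js
    {"write.call(s)", "js"},          # out.write(input)      case 4
    set(),                            # out.write("</script>")
]
# only the case-1 fix applied: escapeToHTML before the first write, nothing before the script write
XSS_TRACE_HTML_ONLY: Trace = [
    {"getParameter.from_input(s)"}, set(), {"escapeToHTML.call(s)"}, {"write.call(s)"},
    set(), {"js"}, {"write.call(s)", "js"}, set(),
]
# both fixes applied
XSS_TRACE_OK: Trace = [
    {"getParameter.from_input(s)"}, set(), {"escapeToHTML.call(s)"}, {"write.call(s)"},
    set(), {"js"}, {"escapeToJS.call(s)", "js"}, {"write.call(s)", "js"}, set(),
]


def check_all() -> dict:
    """Name -> whether the property holds on that trace."""
    return {
        "logging_violating": holds(SECURE_LOGGING, LOG_TRACE_VIOLATING),
        "logging_ok": holds(SECURE_LOGGING, LOG_TRACE_OK),
        "xss1_violating": holds(XSS_PROPERTY_1, XSS_TRACE_VIOLATING),
        "xss1_html_only": holds(XSS_PROPERTY_1, XSS_TRACE_HTML_ONLY),
        "xss2_html_only": holds(XSS_PROPERTY_2, XSS_TRACE_HTML_ONLY),
        "xss1_ok": holds(XSS_PROPERTY_1, XSS_TRACE_OK),
        "xss2_ok": holds(XSS_PROPERTY_2, XSS_TRACE_OK),
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name}: {'holds' if ok else 'VIOLATED'}")
```

Note that the formulas are vacuously satisfied on a run in which P never occurs (the string is never logged or never written), which is the intended reading of the guideline: the obligation only arises once the sensitive operation happens.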
Conclusion
The first step: auxiliary files are made; properties are specified
Benefits seen: the additional effort needed from developers is minor; auxiliary files and property specifications are provided by security and formal method experts, and can be used across projects
Next steps: consider string assignment, concatenation, etc.; try bigger programs; improve Bandera 0.3 or find something else; try more programming guidelines
Thank you!