
SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS

Towards Security Vulnerability Detection by Source Code Model Checking

Keqin Li

April, 2010

Page 2: Motivation

Programming guidelines

Source code model checking
  Java PathFinder (JPF)
  Bandera, Kansas State University
  ...

Proposed approach
  Formalize programming guidelines as temporal properties
  Check whether the programming guidelines are followed by the source code, using model checking

Page 3: Overview

1. Motivation
2. Security programming guidelines: secure logging, cross-site scripting
3. Source code model checking: the Bandera tool set, temporal property specification in Bandera
4. Property specification: secure logging, cross-site scripting
5. Conclusion

Page 4: Secure logging

Before sensitive information is logged, it must be encrypted in order to prevent information leakage.

Logging APIs:

    Category myCat = Category.getCategory("/System/Database");
    myCat.warningT("Sample message" + password);
    /* fatalT() ; errorT() ; infoT() ; pathT() ; debugT() ; */

Encryption APIs:

    ISsfData data;
    profile = new SsfProfileKeyStore(keyStore, alias, null);
    result = data.encrypt(profile);

Page 5: Cross Site Scripting

Cross-Site Scripting (XSS) attacks

SAP Output Encoding Framework

Four different cases

Page 6: Case 1: string from a user is output between tags

HTML example:

    <head>
    <title>[CASE1-A]</title>
    </head>
    <body>
    <table>
    <tr>
    <td>Username</td>
    <td>[CASE1-B]</td>
    </tr>
    </table>
    </body>

Attack example:

    <head>
    <title>
    <script>alert();</script>
    </title>
    </head>

Encoding functions to be used:

    static String escapeToHTML(String input);
    static String escapeToHTML(StringBuffer sb, String input, int maxLength);
    static String escapeToHTML(String input, int maxLength);

Page 7: Case 1: sample program

    public void doContent(String title) {
        String my_title, my_user;
        // CASE1-A: the title is output between <title> tags, so it is HTML-escaped first
        my_title = StringUtils.escapeToHTML(title);
        response.write("<head><title>" + my_title + "</title></head>");
        if ((my_user = getUsernameByID("userid")) != null) {
            // CASE1-B: the user name is output between <td> tags, truncated to 30 characters
            my_user = StringUtils.escapeToHTML(my_user, 30);
            response.write("<body><table><tr><td>Username</td><td>"
                + my_user + "</td></tr></table></body>");
        }
    }

Page 8: Case 2: string from a user is output inside tags, and the output is not a URL or style

HTML example:

    <form name='[CASE2-A]'>
    <input type="text" name="user" value="[CASE2-B]">
    </form>

Encoding functions to be used:

    static String escapeToAttributeValue(String input);
    static String escapeToAttributeValue(StringBuffer sb, String input, int maxLength);
    static String escapeToAttributeValue(String input, int maxLength);

Page 9: Case 3: string from a user is output which is a URL or style

HTML example:

    <img src="[CASE3]">

Encoding functions to be used:

    static String escapeToURL(String input);
    static String escapeToURL(StringBuffer sb, String input, int maxLength);
    static String escapeToURL(String input, int maxLength);

Page 10: Case 4: string from a user is output inside a SCRIPT context

HTML example:

    <script>
    var a = '[CASE4]';
    </script>

Encoding functions to be used:

    static String escapeToJS(String input);
    static String escapeToJS(StringBuffer sb, String input, int maxLength);
    static String escapeToJS(String input, int maxLength);

Page 11: Bandera Tool Set

[Figure: overview of the Bandera tool set]

Page 12: Predicates in BSL

Location insensitive:
  Expression predicate
    EXP <predicate-name> <params> : <exp>

Location sensitive (defined in the method header documentation):
  Invocation predicate
    INVOKE <predicate-name> <params> [: <exp>]
  Location predicate
    LOCATION '[' <label> ']' <predicate-name> <params> [: <exp>]
  Return predicate
    RETURN <predicate-name> <params> [: <exp>]

Page 13: Example

[Figure: annotated BSL example showing an expression predicate, a return predicate and an invocation predicate]

Page 14: Specifying temporal property

Page 15: Temporal property patterns

Absence: a given state/event does not occur within a scope
Existence: a given state/event must occur within a scope
Universality: a given state/event occurs throughout a scope
Precedence: a state/event P must always be preceded by a state/event Q within a scope
Response: a state/event P must always be followed by a state/event Q within a scope
...

Page 16: Scopes

[Figure: the pattern scopes (globally, before, after, between, after-until)]

Page 17: http://patterns.projects.cis.ksu.edu/

Page 18: Syntax

“Over the 555 example specifications we collected, 511 (92%) matched one of our patterns”

Page 19: Secure logging: target program

    void main () {
        String secret = new String() ;
        ISsfProfile profile = new ISsfProfile() ;
        /* secret.encrypt( profile ) ; */   // the encryption step is left out, so the guideline is violated
        Category myCat = new Category() ;
        myCat.warningT( secret ) ;
    }

Page 20: Secure logging: auxiliary file

    class String {
        public boolean isConf ;                   // a string is confidential
        public String() { isConf = false ; }

        // observable event: a string is encrypted
        /**
         * @observable
         * INVOKE call(this, ISsfProfile profile) ;
         */
        public void encrypt( ISsfProfile profile ) { }
    }

    class Category {
        // observable event: a string is logged
        /**
         * @observable
         * INVOKE call(this, String m) ;
         */
        public void errorT( String m ) { }

        // observable event: a string is logged
        /**
         * @observable
         * INVOKE call(this, String m) ;
         */
        public void warningT( String m ) { }
    }

Marking a string as confidential:

    String mystr ; /* confidential */
      =>
    String mystr ; mystr.isConf = true ;

Page 21: Property formalization

Informally: if a string s is confidential, then before errorT(s) or warningT(s) is called, s.encrypt() should be called.

Using LTL:

    P = s.isConf ∧ (Category.errorT.call(c, s) ∨ Category.warningT.call(c, s))
    S = String.encrypt.call(s, prof)

    F P → (¬P U (S ∧ ¬P))

Using BSL:

    S precedes P globally

Page 22: F P → (¬P U (S ∧ ¬P))

[Figure: a trace s1 ... s6 annotated with the states where P ("confidential string is logged"), F P, S ∧ ¬P ("confidential string is encrypted") and ¬P U (S ∧ ¬P) hold]

Page 23: Procedure

[Figure: the tool chain, reconstructed as a flow]

    annotated source        ... String str; /* confidential */ ...
            |
            v
    Pre-processor
            |
            v
    instrumented source     ... String str; str.isConf = true; ...
            |
            v
    Model Checker (Bandera)  <--  property:        ... S precedes P globally ...
            |                <--  auxiliary file:  ... /** * @observable * INVOKE call(this, String m) ; */ public void errorT( String m ) { } ...
            v
    result

Page 24: Cross Site Scripting: target program

    public class SampleServlet extends HttpServlet {
        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // Use "request" to read incoming HTTP headers and HTML form data
            String input = request.getParameter("Input");
            // Use "response" to specify the HTTP response line and headers
            PrintWriter out = response.getWriter();
            // case 1: user input is output between tags; the required escapeToHTML call is missing
            out.write("<td>");
            // input = StringUtils.escapeToHTML(input);
            out.write(input);
            out.write("</td>");
            // case 4: user input is output in a SCRIPT context; the required escapeToJS call is missing
            out.write("<script>");
            // input = StringUtils.escapeToJS(input);
            out.write(input);
            out.write("</script>");
        }
    }

Page 25: Cross Site Scripting: auxiliary file

    class HttpServletRequest {
        public HttpServletRequest() { }

        // observable event: a string is obtained from user input
        /**
         * @observable
         * RETURN from_input(this, String str): ( $ret == str ) ;
         */
        public String getParameter( String field ) {
            String temp_str = new String() ;
            return temp_str ;
        }
    }

    class PrintWriter {
        public boolean js = false ;     // output is between JavaScript tags
        public PrintWriter() { }

        // observable events: JavaScript tags are output (js_begin, js_end); a string is output (call)
        /**
         * @observable
         * INVOKE js_begin(this, String str): ( str == "<script>" ) ;
         * INVOKE js_end(this, String str): ( str == "</script>" ) ;
         * INVOKE call(this, String str) ;
         */
        public void write( String str ) {
            if( str == "<script>" ) js = true ;
            if( str == "</script>" ) js = false ;
        }
    }

Page 26: Cross Site Scripting: auxiliary file (continued)

    class StringUtils {
        // observable event: the encoding function for CASE 1 is called
        /**
         * @observable
         * INVOKE call(this, String str) ;
         */
        static String escapeToHTML( String str ) {
            String temp_str = new String() ;
            return temp_str ;
        }

        // observable event: the encoding function for CASE 4 is called
        /**
         * @observable
         * INVOKE call(this, String str) ;
         */
        static String escapeToJS( String str ) {
            String temp_str = new String() ;
            return temp_str ;
        }
    }

Page 27: Property formalization 1

Informally: if a string s is obtained from user input, then before write(s) is called, escapeToHTML(s) or escapeToJS(s) should be called.

Using LTL:

    R = HttpServletRequest.getParameter.from_input(s)
    S = StringUtils.escapeToHTML.call(s) ∨ StringUtils.escapeToJS.call(s)
    P = PrintWriter.write.call(s)

    F P → (R → (!P U (S ∧ !P))) U P

Using BSL:

    S responds to R before P

Page 28: F P → (R → (!P U (S ∧ !P))) U P

[Figure: a trace s1 ... s6 annotated with the states where P ("user input is output"), F P, R ("user input is obtained"), S ∧ !P ("user input is encoded"), !P U (S ∧ !P) and (R → (!P U (S ∧ !P))) U P hold; the last formula is marked "???"]

Page 29: F P → (R → (!P U (S ∧ !P))) U P

[Figure: a trace s1 ... s6 annotated with the states where P, F P, R, S ∧ !P, !P U (S ∧ !P), R → (!P U (S ∧ !P)) and (R → (!P U (S ∧ !P))) U P hold]

Page 30: Property formalization 2

Informally: if a string s is obtained from user input, and write(s) is called between write("<script>") and write("</script>"), then escapeToJS(s) should be called.

Using LTL:

    R = HttpServletRequest.getParameter.from_input(s)
    S = StringUtils.escapeToJS.call(s)
    P = PrintWriter.write.call(s) ∧ (PrintWriter.js == true)

    F P → (R → (!P U (S ∧ !P))) U P

Using BSL:

    S responds to R before P
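As an added illustration, not part of the slides, the following Python evaluates the two LTL formulas of pages 21 and 27/30 over finite event traces abstracted from the target programs on pages 19 and 24. The atoms P, S and R, the trace encoding and finite-trace semantics are my assumptions standing in for Bandera's predicates and state space.

```python
# Added example (not from the slides): finite-trace LTL evaluator for the deck's
# two properties. Atoms abstract the slides' predicates: P = the guarded call
# (warningT(s) / write(s)), S = the protective call (encrypt / escapeToJS),
# R = the string is obtained from user input. Traces below are constructed.

def holds(f, trace, i=0):
    """Does formula f hold on the finite trace at position i?"""
    op = f[0]
    if op == "atom":
        return f[1] in trace[i]
    if op == "not":
        return not holds(f[1], trace, i)
    if op == "and":
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "or":
        return holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "implies":
        return (not holds(f[1], trace, i)) or holds(f[2], trace, i)
    if op == "F":  # eventually: operand holds at some j >= i
        return any(holds(f[1], trace, j) for j in range(i, len(trace)))
    if op == "U":  # strong until: f[2] at some j >= i, f[1] at every i <= k < j
        for j in range(i, len(trace)):
            if holds(f[2], trace, j):
                return True
            if not holds(f[1], trace, j):
                return False
        return False  # right-hand side never occurred before the trace ended
    raise ValueError("unknown operator: " + op)

P, S, R = ("atom", "P"), ("atom", "S"), ("atom", "R")
NOT_P = ("not", P)

# Page 21, "S precedes P globally":  F P -> (!P U (S & !P))
S_PRECEDES_P = ("implies", ("F", P), ("U", NOT_P, ("and", S, NOT_P)))

# Pages 27/30, "S responds to R before P":  F P -> (R -> (!P U (S & !P))) U P
S_RESPONDS_TO_R_BEFORE_P = ("implies", ("F", P),
                            ("U", ("implies", R, ("U", NOT_P, ("and", S, NOT_P))), P))

# Constructed traces: each state is the set of atoms true in it.
LOG_UNENCRYPTED = [set(), set(), {"P"}]   # page 19 as shown (encrypt() commented out)
LOG_ENCRYPTED = [set(), {"S"}, {"P"}]     # same program with encrypt() restored
LOG_NEVER_LOGGED = [set(), set()]         # no P at all: holds vacuously
XSS_UNESCAPED = [{"R"}, {"P"}]            # page 24 as shown: getParameter, then write
XSS_ESCAPED = [{"R"}, {"S"}, {"P"}]       # getParameter, escapeToJS, then write

if __name__ == "__main__":
    print("secure logging:", holds(S_PRECEDES_P, LOG_UNENCRYPTED), holds(S_PRECEDES_P, LOG_ENCRYPTED))
    print("xss:", holds(S_RESPONDS_TO_R_BEFORE_P, XSS_UNESCAPED), holds(S_RESPONDS_TO_R_BEFORE_P, XSS_ESCAPED))
```

A False result is the counterexample the model checker would report: the guarded call happened before the protective call on that path.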

Page 31: Conclusion

The first step
  Auxiliary files are made
  Properties are specified

Benefits seen
  The additional effort needed from developers is minor
  Auxiliary files and property specifications are provided by security and formal method experts, and can be used across projects

Next steps
  Consider string assignment, concatenation, etc.
  Try bigger programs
  Improve Bandera 0.3 or find something else
  Try more programming guidelines

Page 32: Thank you!