NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications
Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, Radoslaw Bobrowicz, V.N. Venkatakrishnan
University of Illinois at Chicago, USA
ACM CCS (Oct 2010)
A presentation at Advanced Defense Lab

Outline
- Introduction
- Architecture & Challenges
- Implementation
- Evaluation
- Related Work
- Conclusion
Introduction
- A novel approach for automatically detecting potential server-side parameter-tampering vulnerabilities in existing web applications, treating the application as a black box.
Introduction: three tampering attacks
- Attack 1: Negative quantities, resulting in a discount.
- Attack 2: Charging another user's account. A malicious user can purchase products and charge someone else's account.
- Attack 3: Pattern validation bypass, enabling XSS and SQL injection.

Introduction: problem description
- Let Σ be the alphabet (the set of characters) from which parameter values are drawn. A form submission I is a tuple of strings, one per parameter: I ∈ Σ* × Σ* × ... × Σ*.
- Pserver: Σ* × Σ* × ... × Σ* → {true, false} is the constraint-checking function on the server.
- Pclient: Σ* × Σ* × ... × Σ* → {true, false} is the constraint-checking function on the client.
- Expected relationship: whatever the server accepts, the client would also have accepted, i.e. Pserver(I) = true → Pclient(I) = true.
- Parameter-tampering bug: Pserver(I) = true ∧ Pclient(I) = false.
Introduction: problem description (continued)
- Fclient: a logical representation (a formula) of Pclient.
- Fserver: a logical representation of Pserver.
- Hostile inputs h1, ..., hn such that Fclient(hi) = false for each i.
- Benign inputs b1, ..., bm such that Fclient(bj) = true for each j.
- Hostile responses from the server: H1, ..., Hn.
- Benign responses from the server: B1, ..., Bm.
- The more similar a hostile response is to the benign responses, the more likely the hostile input was accepted by the server, i.e. the more likely it is a real tampering opportunity.
Architecture & Challenges
Architecture & Challenges: HTML/JS Analyzer
- Simulates an environment similar to a JavaScript interpreter in a browser, including the DOM (AJAX is not supported).
- Executes all the initialization code for the web form concretely.
- Identifying JS validation code: the code that runs when a form is submitted, and the code that runs each time the user enters or changes data on the form.
- Analyzing JS validation code: a mixed concrete-symbolic execution approach. Symbolic execution provides coverage of all control paths; concrete execution lets NoTamper ignore code that is irrelevant to validation.
- Resolving DOM references: constructing the pertinent portion of the DOM, and simulating the DOM functions that are used to modify the DOM structure.

Architecture & Challenges: Input Generator
- Avoiding spurious rejections: checking that all required variables have values of the right type (the inferred types can be manually overridden).
- Generating orthogonal hostile inputs: converting Fclient to disjunctive normal form (DNF).
- Coping with incomplete information: accepting hints (delta) from a human that guide the search for hostile and benign inputs.
- Addressing state changes: an optional list of variables that are required to have unique values on each submission.
Implementation
Implementation: Client Constraint Extraction
- Collect all the event handlers (and their associated scripts) and generate a single function that invokes all of those event handlers.
- Simulate a small set of core DOM methods and properties: getElementById(), document.write() and innerHTML.
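An added example, not NoTamper's code, tying the problem description from the Introduction to the client constraint extraction on this slide: a constructed checkout page is loaded into a minimal simulated DOM (only getElementById is modelled), its submit and change handlers are collected and executed concretely to obtain Pclient, a mock server check with typical validation gaps stands in for Pserver, and every candidate input with Pserver(I) = true and Pclient(I) = false is reported as a tampering opportunity. The page markup, the handler names, the treatment of hidden fields as fixed-value constraints, the mock server's gaps and the candidate inputs are all constructed for this example; only concrete execution is shown, not the symbolic part of NoTamper's analysis.

```javascript
// Added example, not NoTamper's code: run a form's client-side validator
// concretely inside a simulated DOM (Pclient), compare it with a mock
// server check (Pserver), and report parameter-tampering opportunities.

// Constructed sample page with the checks the slides describe: a positive
// quantity, a hidden account id, and a pattern-restricted name field.
const SAMPLE_HTML = `
<form id="checkout" onsubmit="return validateForm()">
  <input type="hidden" id="account" value="1001">
  <input type="text" id="quantity" value="1" onchange="checkQuantity()">
  <input type="text" id="name" value="">
</form>
<script>
function checkQuantity() {
  var q = document.getElementById('quantity').value;
  return /^[0-9]+$/.test(q) && parseInt(q, 10) > 0;
}
function validateForm() {
  if (!checkQuantity()) return false;
  var name = document.getElementById('name').value;
  return /^[A-Za-z0-9 ]+$/.test(name);
}
</script>`;

// Minimal DOM: one object per <input>, keyed by id, with the submitted
// values overriding the initial ones. Only getElementById is simulated.
function buildDom(html, submitted) {
  const elements = {};
  const inputRe = /<input\s+([^>]*)>/g;
  for (let m; (m = inputRe.exec(html)) !== null; ) {
    const attrs = {};
    for (const [, k, v] of m[1].matchAll(/(\w+)="([^"]*)"/g)) attrs[k] = v;
    elements[attrs.id] = { ...attrs, value: attrs.value || '' };
  }
  for (const [id, v] of Object.entries(submitted)) {
    elements[id] = { ...(elements[id] || { id }), value: String(v) };
  }
  return { getElementById: (id) => elements[id] || null };
}

// Validation code runs on submit and whenever a field changes, so collect
// both kinds of handler; strip a leading "return" to get plain expressions.
function collectHandlers(html) {
  return [...html.matchAll(/on(?:submit|change|blur|keyup)="([^"]*)"/g)]
    .map((m) => m[1].replace(/^return\s+/, ''));
}

// Hidden fields (session ids, account numbers) are expected to keep their
// initial value; a submission that changes one violates a client constraint.
function hiddenFieldsUnchanged(html, submitted) {
  const initial = buildDom(html, {});
  return Object.entries(submitted).every(([id, v]) => {
    const el = initial.getElementById(id);
    return !el || el.type !== 'hidden' || el.value === String(v);
  });
}

// Pclient: evaluate the page's own script plus every handler expression
// against the simulated DOM; the form is accepted only if all return true.
function pClient(html, submitted) {
  const script = (html.match(/<script>([\s\S]*?)<\/script>/) || ['', ''])[1];
  const body = `${script}\nreturn [${collectHandlers(html).join(', ')}];`;
  const results = new Function('document', body)(buildDom(html, submitted));
  return hiddenFieldsUnchanged(html, submitted) && results.every(Boolean);
}

// Mock Pserver with the gaps the paper reports in real applications: the
// quantity is only checked for being numeric, and neither the account
// owner nor the name pattern is checked.
function pServer(submitted) {
  return /^-?[0-9]+$/.test(String(submitted.quantity));
}

// A tampering opportunity is an input the server accepts but the client
// would have rejected: Pserver(I) = true and Pclient(I) = false.
function findOpportunities(html, candidates) {
  return candidates.filter((i) => pServer(i) && !pClient(html, i));
}

// Constructed candidates: one benign input and the three slide attacks.
const CANDIDATES = [
  { quantity: '2', name: 'Alice' },                  // benign
  { quantity: '-5', name: 'Alice' },                 // attack 1: negative quantity
  { quantity: '2', name: 'Alice', account: '2002' }, // attack 2: someone else's account
  { quantity: '2', name: "x' OR '1'='1" },           // attack 3: pattern bypass
];
console.log(findOpportunities(SAMPLE_HTML, CANDIDATES)); // the three attacks
```

The simulated DOM is deliberately tiny: the real analyzer has to construct the pertinent DOM fragment and simulate DOM-mutating calls before the validators can even run, and it explores the validators symbolically so that all control paths are covered rather than just the paths these four candidates happen to exercise.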
Implementation: Hostile Input Guidance
- Initial values: numbers, and hidden fields (e.g., a session identifier).
- Types: inferred from the HTML widget associated with the field, its initial value, and its occurrence in arithmetic constraints.
- Required variables: inferred by analyzing the HTML (e.g., asterisks next to field labels, drop-down lists).
- Unique variables: the optional list of variables that must take a fresh value on each submission.
Implementation: Input Generation
- Benign inputs: convert Fclient to DNF and find one solution per disjunct (or).
- Hostile inputs: solutions of ¬Fclient.
Implementation: Constraint Solving
- Constraints are solved with HAMPI [13].
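An added example, not NoTamper's code, of the input-generation and constraint-solving steps on the last two slides: client constraints as a formula, conversion to DNF, one benign input per disjunct, and hostile inputs derived from ¬Fclient. A brute-force enumeration over constructed candidate values stands in for HAMPI; the checkout-form constraints, the candidate value domains and the atom names are assumptions. For hostile inputs this example negates one literal of each benign disjunct at a time and keeps only assignments that falsify Fclient as a whole, which is one way to obtain the orthogonal hostile inputs the Architecture slides ask for; the slides themselves state only that Fclient is converted to DNF and that hostile inputs are solutions of ¬Fclient.

```javascript
// Added example, not NoTamper's code: client constraints as a formula,
// DNF conversion, benign inputs (one per disjunct) and hostile inputs
// (each violating one client constraint), solved by brute-force enumeration
// in place of the HAMPI solver.

const atom = (name, test) => ({ op: 'atom', name, test });
const and = (...args) => ({ op: 'and', args });
const or = (...args) => ({ op: 'or', args });
const not = (arg) => ({ op: 'not', arg });

function evalFormula(f, env) {
  switch (f.op) {
    case 'atom': return f.test(env);
    case 'not': return !evalFormula(f.arg, env);
    case 'and': return f.args.every((a) => evalFormula(a, env));
    default: return f.args.some((a) => evalFormula(a, env));
  }
}

// DNF as a list of clauses; a clause is a list of literals {atom, positive}.
// `positive` is flipped while descending through a negation (De Morgan).
function toDnf(f, positive = true) {
  if (f.op === 'atom') return [[{ atom: f, positive }]];
  if (f.op === 'not') return toDnf(f.arg, !positive);
  const parts = f.args.map((a) => toDnf(a, positive));
  const union = (f.op === 'or') === positive; // or / negated and: union of clauses
  if (union) return parts.flat();
  // and / negated or: cross product of the sub-formulas' clauses
  return parts.reduce((acc, p) => acc.flatMap((c) => p.map((d) => c.concat(d))), [[]]);
}

const clauseHolds = (clause, env) => clause.every((l) => l.atom.test(env) === l.positive);

// Brute-force "solver": enumerate every assignment from per-variable
// candidate values (the type hints) and return the first that satisfies pred.
function* assignments(domains) {
  const names = Object.keys(domains);
  function* rec(i, env) {
    if (i === names.length) { yield env; return; }
    for (const v of domains[names[i]]) yield* rec(i + 1, { ...env, [names[i]]: v });
  }
  yield* rec(0, {});
}
function solve(domains, pred) {
  for (const env of assignments(domains)) if (pred(env)) return env;
  return null;
}

// Benign: one solution per disjunct of DNF(Fclient).
function benignInputs(fClient, domains) {
  return toDnf(fClient).map((c) => solve(domains, (e) => clauseHolds(c, e))).filter(Boolean);
}

// Hostile: for each disjunct, negate one literal at a time, keep the rest,
// and require the result to falsify Fclient as a whole (another disjunct
// might otherwise still accept it). Duplicates are dropped.
function hostileInputs(fClient, domains) {
  const found = new Map();
  for (const clause of toDnf(fClient)) {
    clause.forEach((lit, i) => {
      const flipped = clause.map((l, j) => (j === i ? { ...l, positive: !l.positive } : l));
      const env = solve(domains, (e) => clauseHolds(flipped, e) && !evalFormula(fClient, e));
      if (env) found.set(JSON.stringify(env), env);
    });
  }
  return [...found.values()];
}

// Constructed checkout form: quantity >= 1, and either pay by card with a
// 16-digit number or pay cash. Candidate values play the role of type hints.
const Q = atom('quantity>=1', (e) => /^[0-9]+$/.test(e.quantity) && Number(e.quantity) >= 1);
const CARD = atom('pay=card', (e) => e.pay === 'card');
const NUM16 = atom('card16', (e) => /^[0-9]{16}$/.test(e.card));
const CASH = atom('pay=cash', (e) => e.pay === 'cash');
const F_CLIENT = and(Q, or(and(CARD, NUM16), CASH));
const DOMAINS = {
  quantity: ['-3', '0', '1', '7', 'x'],
  pay: ['card', 'cash', 'free'],
  card: ['', '4111111111111111', '1234'],
};
console.log(benignInputs(F_CLIENT, DOMAINS), hostileInputs(F_CLIENT, DOMAINS));
```

With this form the benign DNF has two disjuncts (card with a valid number, or cash), so two benign inputs are generated, and negating one literal at a time yields four distinct hostile inputs: a negative quantity with a valid card, a negative quantity with cash, an unknown payment method, and a card payment with an empty card number. Each differs from a benign submission in exactly one client constraint, which is what makes the server's verdict on it informative.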
Implementation: HTML Response Comparison
- Compares the server's response to a hostile input against a response that is known to have been generated by benign (valid) inputs.
- Edit distance: the Ratcliff/Obershelp algorithm.
- Remove the noise in B1 and B2 (the parts that differ between two benign responses, such as timestamps and session identifiers) and produce C1.
- Remove the same noise in B1 and Hi and produce C2.
- Compare C1 and C2; the result is the difference rank of the hostile input. The smaller the difference, the more likely the server accepted the hostile input.

Implementation: components
- HTML analysis: built on top of the APIs provided by the HTML Parser.
- JavaScript analysis: a symbolic evaluator based on a modified Narcissus JavaScript engine.
- Input generator: HAMPI.
- Opportunity detector: a Java-based module that relays HTTP requests to the test server.
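An added example, not NoTamper's code, of the response-comparison procedure on the slide above: a Ratcliff/Obershelp similarity, noise removal by comparing two benign responses, and a difference rank for each hostile response so that the ones closest to a benign response come first. The sample responses are constructed, and the noise removal works line by line and by position, which is a simplification that assumes the responses share a layout.

```javascript
// Added example, not NoTamper's code: Ratcliff/Obershelp similarity with
// noise removal, used to rank how close a hostile response is to a benign one.

// Ratcliff/Obershelp ("gestalt") matching: find the longest common
// substring, then recurse on the text to its left and to its right.
function longestCommonSubstring(a, b) {
  let best = { i: 0, j: 0, len: 0 };
  let prev = new Array(b.length + 1).fill(0);
  for (let i = 1; i <= a.length; i++) {
    const cur = new Array(b.length + 1).fill(0);
    for (let j = 1; j <= b.length; j++) {
      if (a[i - 1] !== b[j - 1]) continue;
      cur[j] = prev[j - 1] + 1;
      if (cur[j] > best.len) best = { i: i - cur[j], j: j - cur[j], len: cur[j] };
    }
    prev = cur;
  }
  return best;
}

function matchingChars(a, b) {
  if (!a.length || !b.length) return 0;
  const { i, j, len } = longestCommonSubstring(a, b);
  if (len === 0) return 0;
  return len + matchingChars(a.slice(0, i), b.slice(0, j))
             + matchingChars(a.slice(i + len), b.slice(j + len));
}

// Similarity in [0, 1]: 2 * matched / (|a| + |b|).
function similarity(a, b) {
  if (!a.length && !b.length) return 1;
  return (2 * matchingChars(a, b)) / (a.length + b.length);
}

// Noise: lines that differ between two benign responses (timestamps,
// session tokens). Positional, line-based comparison is a simplification.
function noisePositions(b1, b2) {
  const l1 = b1.split('\n'), l2 = b2.split('\n');
  const noise = new Set();
  for (let k = 0; k < Math.max(l1.length, l2.length); k++) if (l1[k] !== l2[k]) noise.add(k);
  return noise;
}
const stripLines = (text, noise) => text.split('\n').filter((_, k) => !noise.has(k)).join('\n');

// Difference rank of a hostile response H against benign responses B1, B2:
// C1 = B1 without noise, C2 = H without the same noise, rank = 1 - sim(C1, C2).
// Lower is closer to benign, i.e. the hostile input was more likely accepted.
function differenceRank(b1, b2, h) {
  const noise = noisePositions(b1, b2);
  return 1 - similarity(stripLines(b1, noise), stripLines(h, noise));
}

function rankHostile(b1, b2, hostiles) {
  return Object.entries(hostiles)
    .map(([name, h]) => ({ name, rank: differenceRank(b1, b2, h) }))
    .sort((x, y) => x.rank - y.rank);
}

// Constructed sample responses: two benign ones differing only in noise,
// one hostile response where a negative quantity was accepted, and one
// where the server rejected the tampered input.
const B1 = ['<html><body>', '<p>Order received at 10:41:03</p>', '<p>Session: a1b2c3</p>',
  '<p>Thank you, Alice. 2 items charged to account 1001.</p>', '</body></html>'].join('\n');
const B2 = B1.replace('10:41:03', '10:41:59').replace('a1b2c3', 'd4e5f6');
const HOSTILE = {
  negativeQuantity: B1.replace('10:41:03', '10:42:17').replace('a1b2c3', 'zz9y8x')
    .replace('2 items', '-5 items'),
  rejected: ['<html><body>', '<p>Error at 10:42:17</p>', '<p>Session: zz9y8x</p>',
    '<p>Invalid quantity. Please go back and try again.</p>', '</body></html>'].join('\n'),
};
console.log(rankHostile(B1, B2, HOSTILE)); // negativeQuantity ranks first
```

Without the noise removal step the timestamp and session lines would make every hostile response look different from B1, and the accepted negative-quantity response would not stand out; with it, that response differs from the benign one in a single character and ranks far ahead of the rejection page.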
Evaluation
- Selected 8 open source applications (from http://opensourcescripts.com) and 5 live websites.
- Test web server: Linux, Apache (2.8 GHz dual Intel Xeon, 6.0 GB RAM).
- NoTamper host: Ubuntu 9.10 (2.45 GHz quad-core Intel, 2.0 GB RAM).
Evaluation: vulnerabilities found
- Unauthorized money transfers: www.selfreliance.com.
- Unlimited shopping rebates: www.codemicro.com (fixed within 24 hours).
- Privilege escalation: OpenIT, by manipulating the userid parameter.

Evaluation: false positives
- Cases pertaining to maxlength constraints on form inputs that could not be exploited to any serious vulnerability.
- Inputs rewritten by the server without any observable difference in the HTML output.
Evaluation: performance
- Input generator: solved 315 formulas in a total of 219 seconds, an average of 0.7 seconds per input.
- HTML/JavaScript analysis: runs in under a second.
- Opportunity detector: runs in sub-second time for each application.
Related Work
- Unlike approaches that add protection to newly written applications, NoTamper's goal is to discover vulnerabilities in existing (legacy) applications.
Conclusion
- NoTamper's results highlight a significant gap between the server-side parameter validation that should occur and the server-side validation that does occur in today's web applications.