國立政治大學 National Chengchi University
know that the number of states and BDDs affects the execution time. This time, however, we chose a list of common attack strings, shown in Table 5.2, instead of generating them randomly from the black automata used before. The result confirms that the Character composition and Pre-computation algorithms have the correct editing effect: the average edit distance over all attack inputs is always 1. Table 5.2 also gives the average execution time, so that we can see the actual execution conditions. The data show that the long execution times are caused by large BDDs and by more than one track. Thus, Pre-computation can improve the actual efficiency and reduce the users' waiting time. In any case, our approach reaches the original goal of producing the minimum edit distance and patching the web vulnerabilities.
5.3 Attack Pattern
We first evaluated our approach for sanitization signatures using some known examples. Each benchmark is a pair consisting of an Attack-pattern and a Desire-pattern taken from a known vulnerability, where the Attack-pattern is a vulnerability signature and the Desire-pattern is a sanitization signature. The dependency graphs of these benchmarks are rather small but include loops, concatenations with large constants, and nested replacements.
In the second part of the experiment, we used 9 different attack patterns to produce automata for testing the edited output. The results show that our techniques are very effective: every attack string loses its effect after editing one character. Table 5.3 shows the original words, marked O, and the edit results, where A denotes Automata composition and C denotes Character composition. The two algorithms produce different edit results. Because of the computing order, Automata composition always makes the edit at the end of the key part, whereas Character composition prefers the start. However, the final edit distance is the same and minimal. At the same time, the result shows that our functions provide an effective defense against any type of SQLI and XSS attack.
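As an added illustration (not the thesis's code, which works on automata rather than on a regex engine): a breadth-first minimum-edit "disinfection" of an input against the page's SQLI exec pattern, with a position tie-break that mimics the start-edit (Character composition) and end-edit (Automata composition) behaviour seen in Table 5.3. The input string, the small alphabet of replacement characters and the use of Python's re module are assumptions of this example.

```python
import re

# Attack pattern copied from Table 5.3 (SQLI exec directive). The thesis
# writes patterns as /.* ... .*/, so fullmatch() is the right check.
EXEC_PATTERN = re.compile(r".*exec(\s|\+)+(s|x)p.*")

# Constructed input modelled on the Table 5.3 row (ASCII quotes assumed).
EXEC_INPUT = "exec+xp cmdshell 'cmd.exe dir c:'"

def single_edits(s, alphabet):
    """Yield every one-edit neighbour of s (deletion, substitution,
    insertion), ordered from the first position to the last."""
    for i in range(len(s) + 1):
        if i < len(s):
            yield s[:i] + s[i + 1:]                 # delete s[i]
            for c in alphabet:
                if c != s[i]:
                    yield s[:i] + c + s[i + 1:]     # substitute s[i]
        for c in alphabet:
            yield s[:i] + c + s[i:]                 # insert before i

def disinfect(s, pattern, alphabet="!x", prefer="start", max_dist=4):
    """Return (edited, distance): a string outside the attack language reached
    with the fewest edits (breadth-first over distance, so the first hit is
    minimal). prefer='start' edits as early as possible, like Character
    composition in Table 5.3; prefer='end' as late as possible, like Automata
    composition. The replacement characters are this example's choice."""
    if not pattern.fullmatch(s):
        return s, 0                                 # already harmless
    frontier = [s]
    for dist in range(1, max_dist + 1):
        seen, next_frontier = set(), []
        for t in frontier:
            cands = list(single_edits(t, alphabet))
            if prefer == "end":
                cands.reverse()
            for u in cands:
                if u in seen:
                    continue
                seen.add(u)
                if not pattern.fullmatch(u):
                    return u, dist                  # first hit = minimal
                next_frontier.append(u)
        frontier = next_frontier
    return None, None                               # gave up within max_dist

if __name__ == "__main__":
    print(disinfect(EXEC_INPUT, EXEC_PATTERN, prefer="end"))
```

A string with two independent attack parts, like the multi-part rows of Table 5.4, needs two edits, because one edit can break at most one occurrence.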
Table 5.3 only shows attack patterns whose edit distance is 1, but a string may include many attack parts. The following Table 5.4 shows that a string
Attack pattern type    Edit string
SCRIPT Tag
    /.*\<SCRIPT.*\>.*/
    Ascript34alert(¢XSS¢)14/script34 C
    /.*\\0075 \\0072 \\006C \\0028’ \\006a \\0061 \\0076 \\0061 \\0073 \\0063 \\0072 \\0069 \\0070 \\0074 \\003a \\0061 \\006c \\0065 \\0072 \\0074 \\0028 \.1027 \\0058 \.1053 \\0053 \\0027 \\0029’ \\0029. */
    Track:1
    O  <DIV STYLE=”background-image:\0075 \0072 \006C \0028’ \006a \0061 \0076 \0061 \0073 \0063 \0072 \0069 \0070 \0074 \003a \0061 \006c \0065 \0072 \0074 \0028.1027 \0058.1053 \0053 \0027 \0029’ \0029 ”>
    A  <DIV STYLE=”background-image:\0075 \0072 \006C \0028’ \006a \0061 \0076 \0061 \0073 \0063 \0072 \0069 \0070 \0074 \003a \0061 \006c \0065 \0072 \0074 \0028.1027 \0058.1053 \0053 \0027 \0029’ \002\”>
    C  <DIV STYLE=”background-image: 0075 \0072 \006C \0028’ \006a \0061 \0076 \0061 \0073 \0063 \0072 \0069 \0070 \0074 \003a \0061 \006c \0065 \0072 \0074 \0028.1027 \0058.1053 \0053 \0027 \0029’ \002\”>
    O  ’union ALL SELECT password FROM users WHERE username = ’admin’/*
    A  ’unio’ALL SELECT password FROM users WHERE username = ’admin’/*
    C  ’uunion ALL SELECT password FROM users WHERE username = ’admin’/*
SQLI exec Directive
    /.*exec(\s|\+)+(s|x)p.*/
    Track:1
    O  exec+xp cmdshell ’cmd.exe dir c:’
    A  exec+xecmdshell ’cmd.exe dir c:’
    C  exxec+xp cmdshell ’cmd.exe dir c:’
Table 5.3: Attack patterns edit result
with not only one but many attack parts can also be disinfected by minimum editing. We use '!' to represent a character that cannot be displayed on screen because of decoding problems. Meanwhile, we notice that the average time cost is not
file | original | Automata | dis | Character | dis
sendcard 3-4-1/login.php (XSS)
    | <SCRIPT test | <SCRIPT!test | 1 | !SCRIPT test | 1
    | <SCRIPT test<SCRaPT test | <SCRIPT!test<SCRaPT test | 1 | !SCRIPT test<SCRaPT test | 1
    | <SCRIPT test<SCRIPT test | <SCRIPT!test<SCRIPT!test | 2 | !SCRIPT test!SCRIPT test | 2
    | <SCR<SCRIPT IPT test | <SCR<SCRIPT!IPT test | 2 | <SCR!SCRIPT IPT test | 2
    | <SCRIPT test<SCRIPT test<SCRIPT | | | |
    | x1:<SCRI x2:PT test<SCRIPT test | x1:<SCRI x2:PT!test<SCRIPT!test | 2 | x1:!SCRI x2:PT test!SCRIPT test | 2
    | x1: <SCRIPT test<SCRI x2:PT test<SCRIPT test | x1: <SCRIPT!test<SCRI x2:PT!test<SCRIPT!test | 3 | x1:!SCRIPT test!SCRI x2:PT test!SCRIPT test | 3
    | x1: <SCRIPT test<SCRITTTTTTT x2:PT test<SCRIPT test | x1:<SCRIPT!test<SCRITTTTTTT x2:PT test<SCRIPT!test | 2 | x1:!SCRIPT test<SCRITTTTTTT x2:PT test!SCRIPT test | 2
Table 5.4: multiple edit result
affected by the edit distance but by the string length: the time is close for strings of the same length even when the edit distance differs.
For the m-track benchmark in the second case (vuln01.php), we produce two inputs to run this experiment. As a result, we find that these two strings are concatenated and can build up an attack string with string 1 placed first. This is a more complex condition to edit than a single-track automaton, so the time consumed is longer. However, the algorithm edits the string with minimum cost, which is what we want.
6 Conclusions
Most security vulnerabilities of network programs exist because of a lack of control over input fields. Therefore, many practical approaches limit the length of user input and special characters such as '<', or block input that matches an attack model. In this article we propose a new approach: eliminating attacks through minimum edit changes, so that all inputs can be accepted and made harmless. We reinforce our approach in two stages: (1) vulnerability analysis and sanitization generation, using the Stranger vulnerability analysis tool to produce the sanitization signature, which contains all harmless strings, or the Pre-computation information; (2) sanitization patching to check dynamic input: if the string is sensitive, the attack is eliminated with minimum changes by the edit action. In the future, we will add more types of attack patterns and improve the efficiency.
We expect that through this tool platform, ordinary people with no security background can follow simple steps to ensure that their web site is safe and not easy to attack, protecting both their own and their clients' virtual property.