Academic year: 2021

WIPS: A Practical Intrusion Prevention System for Web Applications

Jui-Wen Chen Bo-Chao Cheng Ming-Ni Chuang

Information Networking Security and Assurance LAB

Department of Communications Engineering

National Chung Cheng University

g92430034@comm.ccu.edu.tw bcheng@ccu.edu.tw mini@insa.comm.ccu.edu.tw

This work was sponsored by CCL/ITRI grant T1-94025-3.


Abstract

A web application portal with a single sign-on (SSO) feature provides an integrated e-business solution, so web applications have become an essential building block of business operations. A Gartner Group report indicates that 75% of malicious attacks target the application layer and that three out of four business web sites are vulnerable to application-level attacks. Traditional security devices (such as firewalls and intrusion detection systems) are therefore no longer able to protect web-based applications, and implementing a solid protection shield for web applications is top-of-mind for security researchers. Extending finite state machine theory and coupling it with stateful session inspection, we propose the Web Intrusion Prevention System (WIPS) to address the web application security issues listed in the OWASP Top Ten project. WIPS works as the last line of defense between web browsers and web servers: it examines network traffic, maintains state information for every session and lets through only the web behaviours defined by a web finite state machine. With embedded Snort capability, WIPS also provides a negative security model to resist lower-layer attacks. A WIPS prototype has been implemented on the Intel IXP425 network processor running MontaVista Linux. Its functionality and performance have been assessed, showing that WIPS advances the state of the art in web application security in a realistic environment.

Keywords: Web application security, intrusion prevention system, finite state machine, network processor

1. Related Research and Discussion

Because of the rapid growth of web applications, more and more network security staff have begun to pay attention to the application security problems they bring [5][8]. According to the network security analysis report of the market research firm Gartner, 75% of attack incidents are attacks on the application layer; these incidents show that attack methods have moved from the lower OSI layers (such as the network and transport layers) to the application layer. Richard Stiennon, Gartner's vice president of network security research, also pointed out that attacking through web application vulnerabilities is not difficult, probably simpler than writing a virus, and that an attacker can use simple tools (such as telnet or netcat) to generate HTTP requests that carry out a series of attacks on a web application. For example, in November 2003 a bank in Taiwan suffered a serious information security incident: because of a programmer's oversight, a customer only had to change a URL parameter in the browser to read the personal data that other customers had submitted for online credit-card applications. Furthermore, the Gartner report states that three out of four business web sites have security vulnerabilities.

Given the importance of web application security, academia and industry have started research in this area [1], broadly in four directions: (1) Source code inspection: source code analysis tools (such as Flawfinder, RATS and ITS4) check the web application's source for potential coding errors. (2) Vulnerability scanners: once the web application has been written and installed on the server, vulnerability scanners (such as Nikto, Stealth and Paros) probe the installed application for weaknesses and help correct or configure it. (3) Web-application-based intrusion detection systems: these combine web server logs (such as syslog) with components integrated into the web server itself (such as Mod_security, http://www.modsecurity.org, and URL scanners); such tools run on the web server and analyse whether the web application is under attack. (4) Web Application Security Gateway (WASG): a WASG is deployed between the company's site and the external network, monitors the packets exchanged between client and server, and can detect attacks in time and block them. Because it works with any kind of web server and performs intrusion prevention effectively without affecting web server performance, this approach is the future trend.

In 2003 Giovanni Vigna proposed the WebSTAT framework [3] for stateful detection of web attack behaviour. WebSTAT derives from the STAT (State-Transition Analysis Technique) framework [6]: web-related attacks are modelled as state-transition diagrams and placed in an attack-behaviour database, and state transitions are decided by analysing three kinds of information (server logs, operating-system-level events and network-level events); when a configured threshold is exceeded the behaviour is classified as an attack. Although this system can use events produced by the different applications on the server to help detect attacks, an intrusion detection system can only detect an attack, not prevent it: by the time the attack behaviour is detected, the web application has already been attacked and may have suffered irreparable damage. It therefore cannot block web attacks effectively.

Based on the above results, we find that none of these solutions can fully resolve the ten most critical web application vulnerabilities published by OWASP. Their bottlenecks and causes are as follows:

1. Performance: solving web application security with an application-integrated intrusion detection system lowers the server's processing performance, because the IDS must cooperate with other applications or run together with the web server. The IDS then takes additional system resources away from the web server and the web applications, reducing server-side execution efficiency.

2. Negative-approach detection: although a system using the negative approach has detection characteristics that are not prone to false positives, relying on this method alone cannot detect unknown attacks effectively or reduce management complexity.

3. No prevention mechanism: when a traditional IDS detects an attack it cannot react in time with an effective prevention mechanism, so the system has already suffered irreparable damage.

Taking these causes as its starting point, this paper extends the finite state machine principle, integrates a stateful session inspection mechanism, and proposes the Web Finite State Machine (WFSM) to solve the above problems. On this basis we implement a Web Intrusion Prevention System (WIPS) that achieves stateful, web-content-aware inspection and intrusion prevention. The architecture is implemented on a network processor (Intel IXP425), building a high-security WASG that protects web-based applications and services. The paper is organised as follows: we first introduce related research on web application security and its bottlenecks, then the architecture and operating principle of WIPS, then the test results of implementing WIPS on the Intel IXP425 network processor development platform, and finally the conclusion.

2. Web Intrusion Prevention System (WIPS) Architecture

WIPS consists of two subsystems, shown in Figure 1: the Web Stateful Intrusion Prevention Engine and the most popular open-source system, Snort.

Figure 1: WIPS architecture. Input → Web Stateful Intrusion Prevention Engine (WFSM Logic, Session Tables, Web Inspection Engine) → Snort (Preprocessor, Detection Engine, Response Module) → Output.

The Snort subsystem already has the basic capability to process packets: it stores captured packets in its data structures, analyses them and then has the Response Module perform the appropriate response. In the integrated architecture we therefore only need to hand HTTP packets to the Web Stateful Intrusion Prevention Engine for deep layer-7 inspection; after that analysis they are passed to the Snort Detection Engine for negative-approach attack detection. If the Web Stateful Intrusion Prevention Engine judges a packet to be illegal, the Response Module is called for further handling.

With this integrated architecture WIPS provides full protection across all seven OSI layers. In the rest of this section we introduce the basic architecture and operating principle of the Web Stateful Intrusion Prevention Engine and use attack examples to show why it can prevent web attacks effectively.

2.1 Web Stateful Intrusion Prevention Engine

The Web Stateful Intrusion Prevention Engine is a system architecture that combines the finite state machine concept to provide deep inspection of web traffic and uses a positive approach to block illegal HTTP requests. Its architecture, shown in Figure 1, consists of three elements: the Web Finite State Machine, the Session Tables and the Web Inspection Engine (WIE).

(1) Web Finite State Machine (WFSM)

Web traffic shows four characteristics worth noting: 1. The stateless nature of HTTP means that the order in which users follow hyperlinks through the pages need not be the same. 2. Session management mechanisms give HTTP a stateful character, so a user's interaction with an application may span stateless and stateful stages and set up multiple TCP connections in the different stages. 3. A single page may contain many objects for the user to browse. 4. If the web application uses a session management mechanism, the identifier it uses may be carried in the URL, in a hidden field or in a cookie. We propose the Web Finite State Machine (WFSM) architecture, a three-level decision finite state machine with web session stateful inspection capability, intended to protect web application security effectively. To describe the operating principle of WFSM formally we define the following items:

• Ω: the HTTP request. Following the definitions of HTTP/1.1 [9] and cookies [7], the HTTP request is taken from the message sent by the client. Ω contains the HTTP method, the request-URI, the request header fields, cookie names and values, and custom fields. Let h_i = <field-name, field-value> be the name and content of the i-th field of the request; then $\Omega = \bigcup_{i=1}^{n}\{h_i\}$.

• µ: the URL request sent by the client.

• µr: the response message the server sends when it receives µ.

• hu: the Request-URI of the HTTP request, hu = <request_URI, µ> where hu ∈ Ω.

• Ο: the access object list (AOL), the set of all objects that may be accessed in the same state together with the corresponding server response behaviour. Let a_i = <request_uri, server_response> be the name of the i-th object in the AOL and its corresponding server response behaviour; then $\mathrm{O} = \bigcup_{i=1}^{n}\{a_i\}$.

• ϕ(Ω, Ο): a boolean function; True means µ = a.request_uri where hu ∈ Ω and a ∈ Ο.

• γ(Ω, Ο): a boolean function; True means µr = a.server_response where hu ∈ Ω and a ∈ Ο.

• ω(Ω, Ο): a boolean function; True means µ = a.request_uri and µr = a.server_response where hu ∈ Ω and a ∈ Ο.

• χ: the client URL request that constitutes the condition for a legal inter-state transition; hχ ∉ Ο.

• t: the TCP connection timeout parameter, also used as the state timeout.

• T: the phase timeout parameter.

• Γ: the phase check list, which defines what an HTTP request is permitted to contain, or must not contain, within one phase. $\Gamma = \bigcup_{i=1}^{n}\{c_i\}$ where c_i = <condition name, condition value>; the condition name can refer to any item of information, for example the session id, user id, referer, parameter length, the timeout T, the HTTP method, or user-defined parameters.

• ψ: the state check list; like the phase check list, it defines what an HTTP request is permitted to contain, or must not contain, within one state.

• κ(h, Υ): a boolean function; True means h satisfies the conditions of Υ, False means it does not.

• K(Ω, Υ): a boolean function; True means $\bigwedge_{i=1}^{n}\kappa(h_i, \Upsilon) = \text{true}$ where h_i ∈ Ω.

• ρ: the entry action, the action that must be performed first when a state transition reaches its target state, for example the packet action Pass, Deny or Drop, or another user-defined action.

• σ: the exit action; like the entry action, it defines the action to perform before a state is left.

To achieve a complete inspection mechanism, WFSM uses a three-level finite state machine to maintain session state and to verify whether the server's response to a client request behaves as expected. The three levels are the Intra-WFSM, the Inter-WFSM and the Global-WFSM, as shown in Figure 2; their operation is described below.

Figure 2: WFSM architecture. gWFSM: phase level; mWFSM: state level; µWFSM: page level.

• Intra-WFSM (µWFSM)

µWFSM is a simple state machine with a producer-consumer relationship; every state defined in WFSM contains one, and it judges the client request and the server response. Its state diagram is shown in Figure 3. Purely stateless handling of web traffic can be expressed clearly by a µWFSM alone.

Figure 3: µWFSM state diagram. States: Init, Wait_C (initial state), Process_C, Wait_S, Process_S. Transitions:
Wait_C → Process_C: receive HTTP request message (Ω)
Process_C → Wait_S: (K(Ω, Γ) = true ∧ K(Ω, ψ) = true) ∧ (ϕ(Ω, Ο) = true ∨ µ = χ)
Process_C → client triggered transition (CTT): ¬((K(Ω, Γ) = true ∧ K(Ω, ψ) = true) ∧ (ϕ(Ω, Ο) = true ∨ µ = χ))
Wait_S → Wait_C: waiting time > t
Wait_S → Process_S: receive response (µr)
Process_S → Wait_C: ω(Ω, Ο) = true
Process_S → client triggered transition (CTT): µ = χ ∧ χr = true
Process_S → server triggered transition (STT): ω(Ω, Ο) = false
Process_S → default transition (DT): otherwise

Based on the positive-approach detection method, µWFSM explicitly defines the permitted usage behaviour of the web application (both client request and server response behaviour); a packet whose behaviour does not match the definition is considered suspicious and blocked. In µWFSM the initial state Wait_C waits for the client to send an HTTP request. When the system receives an HTTP request (Ω) from the client, the state changes from Wait_C to Process_C, where the content of Ω is inspected: it is compared against the phase check list (Γ), the state check list (ψ) and the AOL (Ο), and the inter-state transition condition (χ) is examined. If content that does not match the defined behaviour is found, a client triggered transition (CTT) enters another state that handles the illegal behaviour. If the checks pass, the state changes to Wait_S to wait for the server response (µr); if the waiting time exceeds the timeout t without a µr arriving, the state returns from Wait_S to the initial state Wait_C to wait for the next Ω. If µr arrives within t, the state moves to Process_S for further processing. In Process_S four transitions are possible: (1) if Ω accessed an object defined in the state's AOL and µr matches the server response behaviour defined for it in the AOL, the machine returns to the initial state Wait_C to wait for the next Ω; (2) if µ = χ and µr = χr, the inter-state transition condition is met and the session state performs an inter-state change to the next state via a CTT; (3) if µr matches neither the AOL object nor the server response behaviour defined by χr, a server triggered transition (STT) enters the Error inter-state to run the error handling procedure; (4) if none of the first three cases applies, the default transition enters the Default inter-state to run the predefined processing.

• Inter-WFSM (mWFSM)

mWFSM defines the inter-state transition relations. Its components are shown in Figure 4; every state contains a State ID (STID), a µWFSM, Ο, Γ (defined by the gWFSM and inherited from it), Ψ, a state type (initial state, regular state, error state or sink state), an entry action, an exit action and a comment. mWFSM is a finite state machine made up of the six elements <α, ε, S, S0, η, λ>, defined as follows:

• α: the finite input alphabet of client triggered transition requests and server triggered transition responses

• ε: the output symbol representing an alert message

• S: the non-empty set of all states

• S0: the initial state, an element of S

• η: the state transition function, η: S × α → S

• λ: the output function, λ: S → ε

Figure 4: mWFSM state diagram. Each state box holds STID, µFSM, Ο, Γ, Ψ, ρ and σ (STID: state ID; Ο: access object list; Γ: phase check list; Ψ: state check list); the boxes are connected by CTT, STT and default transition (DT) edges.

If only general web-content awareness and filtering is required, a WFSM can be built from three mWFSM states: (1) the CTT error state, whose entry action (ρ) or exit action (σ) functions handle any improper HTTP request; (2) the STT error state, which is similar to the CTT error state and handles abnormal server replies; (3) the normal state, in which a µWFSM is embedded to carry out the ordinary stateless client-server checks.

• Global-WFSM (gWFSM)

gWFSM mainly defines the different phases (such as the Browsing phase, the Shopping Cart phase and the Check Out phase) and the transitions between phases. One phase may contain many states, and each phase has its own business logic. There are two phase types, Surfing and Transaction. Because a user may browse the site's content before being authenticated, we define that situation as Surfing; once the application uses its session management mechanism to track the user's behaviour, the phase changes from Surfing to Transaction. In this way gWFSM can manage web traffic with different session information according to the needs of the different stages.

(2) Web Inspection Engine (WIE)

The Web Inspection Engine is the core of the Web Stateful Intrusion Prevention Engine. Once the system administrator has completed the WFSM configuration and loaded the WFSM profile through the WFSM Importer, the WIE performs web stateful intrusion prevention in both the Surfing and the Transaction mode. The WIE algorithm has two parts, which handle the client requests and the server responses received by the system respectively. The client request processing algorithm is shown in Figure 5.

Figure 5: WIE client request processing algorithm (pseudocode listed in Section 3).

The server response processing algorithm is shown in Figure 6. When the system receives a response packet from the server, it looks up which session the packet belongs to; if no matching session is found the packet is dropped. If a matching session is found, the system calls processServerResponse to judge the packet and, if the state transition condition is met, performs the corresponding packet handling. If the judgement is a legal AOL access, the packet is forwarded and the µWFSM state returns to Wait_C.

Figure 6: WIE server response processing algorithm (pseudocode listed in Section 3).

By combining the Web Inspection Engine with the Surfing and Transaction modes and the WFSM, the Web Stateful Intrusion Prevention Engine gains bidirectional stateful deep inspection and can effectively prevent web application attacks. In the next section we use a concrete attack example to verify whether it does.

2.2 Attack prevention example for the Web Stateful Intrusion Prevention Engine

The WFSM example is shown in Figure 7. In the Transaction mode we define three inter-states with state IDs 2000, 2501 and 2808, and three transition relations that state the condition for each transition explicitly. For state 2000 to move to state 2501, the server response judged by the intra-state must match, and the referer field of the user's HTTP request must be a URL contained in state 2000; if the judgement succeeds the state moves from 2000 to 2501, otherwise it enters error state 2808. Before and after a state transition the system calls the exit action (σ) and the entry action (ρ) respectively to perform the packet handling.

Figure 7: WFSM example (Transaction phase).
Γ: C1=<Positive, session id, "sessionid=">; C2=<Positive, user id, "userid=">; C3=<Negative, T, 24>; C4=<Negative, HTML_script, *>
State 2000: Ο: a1=</shopping/*, 200>; Ψ: C1=<Positive, Method, POST>; C2=<Positive, URL length, 255>; C3=<Negative, HTML_script, *>; C4=<Negative, HTML_form, *>; ρ: Pass packet; σ: NULL
State 2501: Ο: a1=</shopping/sports/*, 200>; Ψ: C1=<Negative, HTML_script, *>; C2=<Negative, URL length, 255>; ρ: Pass packet; σ: NULL
State 2808 (error state): Ο: NULL; Ψ: NULL; ρ: Drop packet; σ: NULL
Transition 2000 → 2501: µ = χ(2501) ∧ χr(2501) = true ∧ h_referer = URL_2000
Transition 2000 → 2808 (default transition): (µ = χ(2501) ∧ χr(2501)) ∨ ω(Ω, Ο) = false

When the system receives an HTTP request from the client, the request must not only satisfy the state transition condition but also pass the check items configured in the phase check list and the state check list; a request that fails either list is judged illegal user behaviour. The phase check list and state check list of the example define checks that fit the deployment environment; their detailed definitions are shown in Figure 8.

Figure 8: Phase check list and state check lists of the example.
Γ: C1: this phase uses session-ID based session management, so the user's HTTP request carries the session ID after the string "sessionid=". C2: the HTTP request also carries the user ID, after the string "userid=". C3: a timeout mechanism is used, with a period of 24 hours. C4: the HTTP request must not contain an HTML script tag.
ψ2000: C1: only the HTTP POST method is permitted. C2: the maximum URL length is 255 bytes. C3: the HTTP request must not contain an HTML script tag. C4: the HTTP request must not contain an HTML form tag.
ψ2501: C1: the HTTP request must not contain an HTML script tag. C2: the maximum URL length is 255 bytes.
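The µWFSM mechanics described in Section 2.1 and the Figure 7/8 rule set above can be exercised end to end in a short program. The following Python code is an added example written for this edit; it is neither the authors' code nor the IXP425 implementation. It transcribes the phase check list Γ and the three states of Figure 7 into data, implements K(Ω, Υ), the Process_C decision (phase list, state list, and AOL or χ membership, otherwise a client triggered transition into error state 2808) and the Process_S decision (χ matched with the expected status and a referer inside state 2000, or ω true, otherwise a server triggered transition into 2808), and drives constructed traffic through one session. The example's own assumptions: χ(2501) is taken to be a request for /shopping/sports/* answered with status 200 (the paper does not print that URL); the session-id and user-id conditions are satisfied when the configured token appears anywhere in the request; the Referer is compared by path; σ is NULL for every state as in Figure 7; and the default transition never fires because Process_C only admits requests that are in the AOL or equal to χ.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Request:                      # the paper's Omega
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: str = ""

    def text(self) -> str:          # everything a check list may inspect
        hdrs = "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        return f"{self.uri}\n{hdrs}\n{self.body}"


@dataclass
class Session:                      # one Session Table entry
    stid: int = 2000                # current mWFSM state
    micro: str = "Wait_C"           # current muWFSM state
    pending: Optional[Request] = None
    age_hours: float = 0.0          # phase age, compared against T


@dataclass
class State:
    stid: int
    aol: list                       # O: (request_uri glob, expected status)
    checks: list                    # Psi: (polarity, condition name, value)
    entry_action: str               # rho; sigma is NULL throughout Figure 7
    chi: Optional[tuple] = None     # (uri glob, status, next STID); assumed chi(2501)


PHASE_CHECKS = [("Positive", "session id", "sessionid="), ("Positive", "user id", "userid="),
                ("Negative", "T", 24), ("Negative", "HTML_script", "*")]       # Gamma

STATES = {   # the three states of Figure 7
    2000: State(2000, [("/shopping/*", 200)],
                [("Positive", "Method", "POST"), ("Positive", "URL length", 255),
                 ("Negative", "HTML_script", "*"), ("Negative", "HTML_form", "*")],
                "Pass", chi=("/shopping/sports/*", 200, 2501)),
    2501: State(2501, [("/shopping/sports/*", 200)],
                [("Negative", "HTML_script", "*"), ("Positive", "URL length", 255)], "Pass"),
    2808: State(2808, [], [], "Drop"),          # error (sink) state: nothing is permitted
}

TAG = {"HTML_script": re.compile(r"<\s*script\b", re.I), "HTML_form": re.compile(r"<\s*form\b", re.I)}


def condition_holds(name, value, req: Request, sess: Session) -> bool:
    """Whether the named condition is present in the request (kappa, before polarity)."""
    if name in ("session id", "user id"):
        return value in req.text()
    if name == "Method":
        return req.method == value
    if name == "URL length":
        return len(req.uri) <= value
    if name == "T":
        return sess.age_hours > value           # the phase has outlived its timeout
    return TAG[name].search(req.text()) is not None


def K(checks, req: Request, sess: Session) -> bool:
    """The paper's K(Omega, Upsilon): Positive conditions must hold, Negative ones must not."""
    return all((pol == "Positive") == condition_holds(name, val, req, sess) for pol, name, val in checks)


def in_aol(uri: str, st: State, status: Optional[int] = None) -> bool:
    """phi when status is None, omega when the server status is given."""
    return any(fnmatch.fnmatchcase(uri, g) and status in (None, s) for g, s in st.aol)


def enter(sess: Session, stid: int) -> str:
    """Inter-state transition: new state, muWFSM back to Wait_C, run rho of the target."""
    sess.stid, sess.micro, sess.pending = stid, "Wait_C", None
    return STATES[stid].entry_action


def on_client_request(sess: Session, req: Request) -> str:
    """Process_C: Gamma, Psi and (AOL or chi) must all pass, otherwise CTT into 2808."""
    st = STATES[sess.stid]
    hits_chi = st.chi is not None and fnmatch.fnmatchcase(req.uri, st.chi[0])
    if not (K(PHASE_CHECKS, req, sess) and K(st.checks, req, sess) and (in_aol(req.uri, st) or hits_chi)):
        return enter(sess, 2808)
    sess.micro, sess.pending = "Wait_S", req
    return "Pass"


def on_server_response(sess: Session, status: int) -> str:
    """Process_S: chi matched -> CTT to the next state; omega true -> back to Wait_C;
    anything else -> STT into 2808. A response with no pending request is dropped."""
    if sess.micro != "Wait_S" or sess.pending is None:
        return "Drop"
    st, req = STATES[sess.stid], sess.pending
    referer = urlparse(req.headers.get("Referer", "")).path
    if (st.chi is not None and fnmatch.fnmatchcase(req.uri, st.chi[0])
            and status == st.chi[1] and in_aol(referer, st)):          # h_referer = URL_2000
        return enter(sess, st.chi[2])
    if in_aol(req.uri, st, status):
        sess.micro, sess.pending = "Wait_C", None
        return "Pass"
    return enter(sess, 2808)


def demo():
    """Constructed traffic, not captured data: browse in 2000, move to 2501, then a
    request carrying a script tag that lands the session in 2808."""
    s = Session()
    hdr = {"Cookie": "sessionid=ab12; userid=42", "Referer": "http://shop.test/shopping/index"}
    verdicts = [on_client_request(s, Request("POST", "/shopping/list", dict(hdr))),
                on_server_response(s, 200),
                on_client_request(s, Request("POST", "/shopping/sports/cart", dict(hdr))),
                on_server_response(s, 200),                             # 2000 -> 2501
                on_client_request(s, Request("POST", "/shopping/sports/item", dict(hdr), "q=<script>x</script>"))]
    return verdicts, s.stid
```

The Wait_S → Wait_C timeout (waiting time > t) is not modelled; a caller would reset micro and pending when the timer expires. Note that the referer condition relies on a client-supplied header and only raises the bar for browser-driven attacks; the positive AOL/χ model and the check lists are what actually refuse unexpected requests, and once a session has entered 2808 every further request is dropped because that state's AOL is empty.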

3. Integrating WIPS with Snort and Implementing It on the IXP425 Development Platform

In this section we present the measurement results of implementing WIPS on the Intel IXP425 development platform.

3.1 WIPS measurements on the IXP425 development platform

The WIPS test environment is shown in Figure 9. The measurements on the IXP425 development platform consist of a functionality test and a performance test, described below. The pseudocode of the WIE algorithms of Figures 5 and 6 follows.

Figure 5: WIE client request processing algorithm
c_mid = current mFSM id; n_mid = next mFSM id; c_gid = current gFSM id; n_gid = next gFSM id;
For each client packet CP {
    Ω = extractRequest(CP);
    stn_id = lookUpIDClientPacket(CP, &c_mid, &c_gid);
    if (stn_id < 0) {
        // new session: the inserted entry's id is kept so that updateSessionTable below can find it
        stn_id = insertSessionTable(CP, &c_mid, &c_gid);
    }
    Γ = getPhaseCheckList(c_gid);
    Ψ = getStateCheckList(c_mid);
    Ο = getAccessObjectList(c_mid);
    processClientRequest(Ω, Γ, Ψ, Ο, c_mid, &n_mid, c_gid, &n_gid);
    if (c_mid != n_mid) {
        exitAction(c_mid);
        transitionAction(c_mid, n_mid, c_gid, n_gid);
        entryAction(n_mid);
    } else {
        forwardPacket(CP);
    }
    updateSessionTable(stn_id, CP, n_mid, n_gid);
}

Figure 6: WIE server response processing algorithm
c_mid = current mFSM id; n_mid = next mFSM id; c_gid = current gFSM id; n_gid = next gFSM id;
For each server packet SP {
    stn_id = lookUpIDServerResponse(SP, &c_mid, &c_gid);
    if (stn_id < 0) {
        drop packet;            // no session context for this response
    } else {
        Ω = getClientRequest(stn_id);
        Ο = getAccessObjectList(c_mid);
        processServerResponse(Ω, Ο, SP, c_mid, &n_mid, c_gid, &n_gid);
        if (c_mid != n_mid) {
            exitAction(c_mid);
            transitionAction(c_mid, n_mid, c_gid, n_gid);
            entryAction(n_mid);
        } else {
            forwardPacket(SP);
        }
        updateSessionTable(stn_id, NULL, n_mid, n_gid);
    }
}

Figure 9: WIPS test environment. Client (IE 6.0) and SmartBit on one side, WIPS in the middle, Server (WebGoat) on the other side.

• WIPS functionality test

For the functionality measurement we used the WebGoat software published by OWASP, installed it on the server machine, and logged in to the server remotely from the client to verify whether WIPS blocks the attacks effectively. The results, compared with Snort Inline, are shown in Figure 10.

Figure 10: Prevention capability of WIPS versus Snort Inline against the OWASP Top Ten (O = prevented, X = not prevented).

OWASP Top Ten                                      Snort Inline   WIPS
A1  Unvalidated Input                              O              O
A2  Broken Access Control                          X              O
A3  Broken Authentication and Session Management   X              O
A4  Cross Site Scripting (XSS) Flaws               X              O
A5  Buffer Overflows                               O              O
A6  Injection Flaws                                X              O
A7  Improper Error Handling                        X              O
A8  Insecure Storage                               X              X
A9  Denial of Service                              O              O
A10 Insecure Configuration Management              X              O

Because WIPS has no mechanism for inspecting encrypted storage, it cannot address this class of attack (A8, Insecure Storage); for the other classes WIPS achieves a degree of prevention. Snort Inline provides a solution for only three of the classes, which shows that WIPS prevents web application attacks better than a Snort system that has not been integrated with it.

• WIPS performance test

For the performance test we chose two benchmarks, a throughput test and a latency test. The WFSM logic in the system was the example of Figure 7, and legitimate HTTP packets were sent during the measurement. Because WIPS was produced by modifying the SwBridgeCodelet source, SwBridgeCodelet serves as the baseline against which WIPS is measured.

Figure 11: Throughput of WIPS versus SwBridgeCodelet. Y axis: Mbps (0 to 100); X axis: frame size in bytes (76, 128, 256, 512, 768, 1024, 1300, 1518).

The latency comparison of WIPS and SwBridgeCodelet is shown in Figure 12. The latency of WIPS does not lag far behind that of SwBridgeCodelet, so the packet delay introduced by WIPS is within an acceptable range.

Figure 12: Latency of WIPS versus SwBridgeCodelet. Y axis: µs (0 to 450); X axis: frame size in bytes (76, 128, 256, 512, 768, 1024, 1300, 1518).

4. Conclusion

In this paper we proposed the Web Intrusion Prevention System architecture, which builds on the web session management mechanism and combines it with the finite state machine concept to provide a web intrusion prevention mechanism. Through the definition of the Web Finite State Machine, WIPS gains web stateful deep inspection capability, and by further combining positive-approach and negative-approach detection it lowers the attack misjudgement rate and increases system reliability. We implemented the WIPS functions on the IXP425 network processor development platform and verified their feasibility. WIPS therefore provides a complete web application security solution.

References

[1] B. Violino, "Decoding Application Security", May 2004. http://www.csoonline.com/read/050104/application.html

[2] G. Zuchlinski, "The Anatomy of Cross Site Scripting", November 2005. http://www.net-security.org/dl/articles/xss_anatomy.pdf

[3] G. Vigna, W. Robertson, V. Kher and R. A. Kemmerer, "A Stateful Intrusion Detection System for World-Wide Web Servers", ACSAC, December 2003.

[4] G. Ollmann, "HTML Code Injection and Cross-site Scripting". http://www.technicalinfo.net/papers/CSS.html

[5] G. Ollmann, "Web Based Session Management". http://www.technicalinfo.net/papers/WebBasedSessionManagement.html

[6] K. Ilgun, R. A. Kemmerer and P. A. Porras, "State Transition Analysis: A Rule-Based Intrusion Detection System", IEEE Transactions on Software Engineering, 21(3):181–199, March 1995.

[7] D. Kristol and L. Montulli, "HTTP State Management Mechanism", RFC 2965, October 2000.

[8] OWASP, "The Ten Most Critical Web Application Security Vulnerabilities, 2004 Update", January 27, 2004.

[9] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

[10] H. Lewis and C. Papadimitriou, "Elements of the Theory of Computation", 2nd edition, Prentice Hall, August 7, 1997.
