WIPS: A Practical Intrusion Prevention System for Web Applications*
Jui-Wen Chen, Bo-Chao Cheng, Ming-Ni Chuang
Information Networking Security and Assurance LAB
Department of Communications Engineering
National Chung Cheng University
g92430034@comm.ccu.edu.tw, bcheng@ccu.edu.tw, mini@insa.comm.ccu.edu.tw
* This work was sponsored by CCL/ITRI grant T1-94025-3.
Abstract (translated from the Chinese)
With the rapid growth of Web applications in recent years, many Web application security problems have emerged. The international research firm Gartner Group also reports that, of all attack incidents, 75% occur at the application layer (OSI Application layer) and that three out of four Web sites are vulnerable, yet traditional network security devices (such as intrusion detection systems and firewalls) cannot effectively prevent application-layer attacks. In view of this, this paper extends the principle of the finite state machine and combines it with a stateful session inspection mechanism to propose a Web Intrusion Prevention System (WIPS) that solves the security problems created by Web applications. WIPS also combines the advantages of the positive approach and the negative approach to prevent Web attacks. The system has been designed and implemented on a development platform consisting of an Intel network processor running MontaVista Linux; actual measurements of its functionality and performance show that WIPS can block Web attacks effectively and quickly, establishing a highly secure Web application environment that protects the assets of enterprises and legitimate users.
Keywords: Web application security, intrusion detection system, finite state machine, network processor
Abstract
Web application portals with the single sign-on (SSO) feature provide an integrated e-business solution, such that the web application becomes an essential building block for business operations. A Gartner Group report indicates that 75% of malicious attacks target the application layer and that three out of four business Web sites are vulnerable to application-level attacks. Therefore, traditional security devices (such as firewalls and intrusion detection systems) are no longer able to protect web-based applications. Implementing a solid web application security protection shield is top-of-mind for security researchers. Extending finite state machine theory and coupling it with stateful session inspection, we propose the Web Intrusion Prevention System (WIPS) to solve the web application security issues listed in the OWASP Top Ten project. WIPS works as the last line of defense separating web browsers from web servers: it examines network traffic, maintains every session's state information, and allows only the specific web behaviors defined by the web finite state machine to pass through. With embedded Snort capability, WIPS also provides a negative security model to resist lower-layer attacks. A WIPS prototype has been implemented on the Intel IXP425 network processor running MontaVista Linux. In our study, the functionality and performance have been assessed to show that WIPS provides a key answer for advancing the state of the art in web application security in a realistic environment.
Keywords: Web application security, intrusion prevention system, finite state machine, network processor
1. Related Work and Discussion
With the rapid growth of Web applications, more and more network security staff have begun to pay attention to the application security problems they give rise to [5][8]. According to a network security analysis report by the market research firm Gartner, 75% of attack incidents are attacks at the application layer; these information security incidents show that the method of attack has shifted from the lower OSI layers (such as the network and transport layers) to the application layer. Gartner's vice president of network security research, Richard Stiennon, has also pointed out that exploiting Web application vulnerabilities is not difficult, probably simpler than writing a virus, and that an attacker can use simple tools (such as telnet or netcat) to generate HTTP requests and mount a series of attacks against a Web application. For example, in November 2003 a major information security incident occurred at a bank in Taiwan: because of a programmer's oversight, a customer only needed to change a URL parameter in the Web page to browse the personal data of other customers who had applied online for credit cards. Furthermore, the Gartner report also points out that three out of four Web sites have security vulnerabilities.

Given the importance of Web application security, academia and industry have begun research in this area [1], in roughly four directions: (1) Source code inspection: source code checking tools (such as Flawfinder, RATS and ITS4) examine the Web application that has been written for latent coding errors. (2) Vulnerability scanners: after the Web application has been written and installed on the server, vulnerability scanning tools (such as Nikto, Stealth and Paros) scan the installed Web application for weaknesses and help fix or configure the application. (3) Web-application-based intrusion detection systems: these combine Web server log files (such as syslog) with integration into the Web server itself (such as Mod_security, http://www.modsecurity.org, and URL scanners); tools of this type run on the Web server and analyze whether the Web application is under attack. (4) Web Application Security Gateway (WASG): a WASG is deployed between the company's Web site and the external network and monitors the packet traffic between client and server, so that attacks can be discovered in time and blocked. Because it can be used with any Web server and performs intrusion prevention effectively without affecting the Web server's own performance, this approach will be the trend of the future.
In 2003 Giovanni Vigna proposed the WebSTAT framework [3] for stateful detection of Web attack behavior. WebSTAT follows the STAT (State-Transition Analysis Technique) [6] framework: it models Web-related attacks as state-transition diagrams, stores them in an attack behavior database, and determines state transitions by analyzing three different sources of information (server logs, operating-system-level events and network-level events); when a configured threshold is exceeded, the behavior is classified as an attack. Although this system can use the events generated by different applications on the server side to help detect attacks, an intrusion detection system can only detect an attack, not prevent it from happening: by the time the attack behavior is detected, the Web application has already been attacked and may even have suffered irreparable damage, so it cannot effectively block Web attacks.

Based on the research results above, we find that these solutions cannot completely address the OWASP Top Ten Web application vulnerabilities; the bottlenecks and their causes are as follows:

1. Performance: when an application-integrated intrusion detection system is used to solve Web application security problems, server processing performance drops, because the intrusion detection system must cooperate with other applications or interoperate with the Web server. The intrusion detection system then consumes additional system resources of the Web server and the Web application, lowering the execution efficiency of the server side.
2. Negative-approach detection: a system using negative-approach detection is not prone to false positives, but relying on this detection method cannot effectively detect unknown attacks or reduce management complexity.
3. No prevention mechanism: when the IDS detects an attack it cannot react in time with an effective defense, so the system may already have suffered irreparable damage.

Taking these causes as its starting point, this paper extends the principle of the finite state machine and combines it with a stateful session inspection mechanism to propose the Web Finite State Machine (WFSM) as a solution to the above problems, and on this basis implements a Web Intrusion Prevention System (WIPS) that achieves stateful, Web-content-aware inspection and intrusion prevention. The architecture is implemented on a network processor (Intel IXP425) to build a highly secure WASG that protects Web-based network applications and services. This paper is organized as follows: we first introduce the related research on Web application security and its bottlenecks; next we describe the architecture and operating principle of the Web intrusion prevention system; then we present the test results of implementing it on the Intel IXP425 network processor development platform; finally we draw conclusions.
2. Web Intrusion Prevention System (WIPS) Architecture
WIPS consists of two subsystems, as shown in Figure 1: the Web Stateful Intrusion Prevention Engine and the most popular open-source system, Snort.

[Figure 1: WIPS architecture. Components: Snort (Preprocessor, Detection Engine, Response Module); Web Stateful Intrusion Prevention Engine (WFSM Logic, Session Tables, Web Inspection Engine); Input and Output.]
Figure 1: WIPS architecture

The Snort subsystem already has the basic ability to process packets: it can store intercepted packets in its data structures, analyze them, and then have the Response Module carry out the response handling. Therefore, in the integrated architecture we only need to pass HTTP packets to the Web Stateful Intrusion Prevention Engine for deep layer 7 inspection, and after that analysis hand them to the Snort Detection Engine for negative-approach attack detection. If the Web Stateful Intrusion Prevention Engine judges a packet to be illegitimate, the Response Module is invoked to handle it.

Under this integrated architecture, WIPS provides comprehensive protection across all seven OSI layers. In the remainder of this section we introduce the basic architecture and operating principle of the Web Stateful Intrusion Prevention Engine, and use an attack example to verify why it can effectively defend against Web attacks.

2.1 Web Stateful Intrusion Prevention Engine

The Web Stateful Intrusion Prevention Engine is a system architecture that combines the finite state machine concept to provide deep inspection of Web traffic, and uses positive-approach detection to block illegitimate HTTP Requests. Its architecture is shown in Figure 1; it consists mainly of three components: the Web Finite State Machine, the Session Tables and the Web Inspection Engine (WIE).
(1) Web Finite State Machine (WFSM)

Web traffic exhibits four properties worth noting: 1. The stateless nature of the HTTP protocol means that the order in which users browse pages through hyperlinks is not the same from one user to the next. 2. Session management mechanisms give the HTTP protocol stateful properties, so a user's behavior in an application may span both stateless and stateful stages and establish multiple TCP connections in different stages. 3. A single Web page may contain many objects for the user to browse. 4. If the Web application uses a session management mechanism, the identifier it uses may be carried in the URL, in a hidden field or in a cookie. We propose the Web Finite State Machine (WFSM) architecture, a three-layered finite state machine with Web session stateful inspection capability, which we expect to protect Web application security effectively. To describe the operation of the WFSM formally, we define the following items:

Ω: the HTTP Request. According to the definitions of HTTP/1.1 [9] and cookies [7], the HTTP Request can be obtained from the message sent by the client. An HTTP Request (Ω) contains the http method, request-URI, request header fields, cookie names and values, and custom fields. Let hi = <field-name, field-value> denote the name and value of the i-th field of the HTTP Request; then Ω = ∪_{i=1..n} {hi}.
µ: the URL request sent by the client.
µr: the Response message the server sends after receiving µ.
hu: the Request-URI in the HTTP Request, hu = <request_URI, µ> where hu ∈ Ω.
Ο: the Access Object List (AOL), the set of all objects that may be accessed in the same State together with the corresponding Server Response behavior. Let ai = <request_uri, server_response> be the name of the i-th object in the AOL and its corresponding Server Response behavior; then Ο = ∪_{i=1..n} {ai}.
ϕ(Ω, Ο): a boolean function; a return value of True means µ = a.request_uri where hu ∈ Ω and a ∈ Ο.
γ(Ω, Ο): a boolean function; True means µr = a.server_response where hu ∈ Ω and a ∈ Ο.
ω(Ω, Ο): a boolean function; True means µ = a.request_uri and µr = a.server_response where hu ∈ Ω and a ∈ Ο.
χ: the condition under which a URL Request sent by the client forms a legitimate inter-state transition; hχ ∉ Ο.
t: the TCP connection timeout parameter, also used as the State timeout.
T: the Phase timeout parameter.
Γ: the Phase check list, which defines the information that HTTP Requests in the same Phase are only allowed, or not allowed, to carry. Γ = ∪_{i=1..n} {ci} where ci = <condition name, condition value>; the condition name can refer to any information, for example session id, user id, referer, parameter length, timeout T, http method, and user-defined parameters.
ψ: the State check list, whose content is similar to the Phase check list; it defines the information that HTTP Requests in the same State are only allowed, or not allowed, to carry.
κ(h, Υ): a boolean function; True means h satisfies the conditions of Υ, False means it does not.
Κ(Ω, Υ): a boolean function; True means ∏_{i=1..n} κ(hi, Υ) = true where hi ∈ Ω.
ρ: Entry Action, which defines the operations that must be performed first when a State transition reaches the target State, for example passing, denying or dropping the packet, or other user-defined behavior.
σ: Exit Action, similar in content to Entry Action; it defines the operations that must be performed when leaving a State.
To achieve a robust inspection mechanism, the WFSM uses a three-layer finite state machine mechanism to maintain session state and to verify whether the Server Response behavior to a Client Request matches expectations. The three-layer finite state machine consists of the Intra-WFSM, the Inter-WFSM and the Global-WFSM; its architecture is shown in Figure 2 and the detailed operating principle is described below.

[Figure 2: WFSM architecture: gWFSM (Phase level), mWFSM (State level), µWFSM (Page level).]
Figure 2: WFSM architecture

Intra-WFSM (µWFSM)

The µWFSM is a simple state machine with a producer-consumer relationship; every State defined in a WFSM contains this state machine to judge the Client Request and the Server Response. The µWFSM state diagram is shown in Figure 3. The purely stateless processing behavior of Web traffic can be expressed clearly with a µWFSM.
[Figure 3: µWFSM state diagram. States: Init, Wait_C, Process_C, Wait_S, Process_S. Transitions: Wait_C → Process_C on "receive HTTP request message"; Process_C → Wait_S when (Κ(Ω, Γ) = true ∧ Κ(Ω, ψ) = true) ∧ (ϕ(Ω, Ο) = true ∨ µ = χ); Process_C → client triggered transition (CTT) when ¬((Κ(Ω, Γ) = true ∧ Κ(Ω, ψ) = true) ∧ (ϕ(Ω, Ο) = true ∨ µ = χ)); Wait_S → Wait_C when waiting time > t; Wait_S → Process_S on "receive response"; Process_S → Wait_C when ω(Ω, Ο) = true; Process_S → client triggered transition (CTT) when µ = χ ∧ χr = true; Process_S → server triggered transition (STT) when ω(Ω, Ο) = false; Process_S → default transition (DT) otherwise.]
Figure 3: µWFSM state diagram
Based on positive-approach detection, the µWFSM explicitly defines the permitted usage behavior of the Web application (including Client Request and Server Response behavior); if the usage does not conform to the rules, the suspicious packet is blocked. In the µWFSM the initial state Wait_C represents waiting for the client to send an HTTP Request. When the system receives an HTTP Request (Ω) from the client, the state changes from Wait_C to Process_C, where Ω is inspected: it is compared against the Phase check list (Γ), the State check list (ψ) and the AOL (Ο), and the inter-state transition condition (χ) is checked. If content that does not match the defined behavior is found, the client triggered transition (CTT) enters another State that handles the illegitimate behavior. Otherwise, if the condition checks pass, the state changes to Wait_S to wait for the Server Response (µr); if the waiting time exceeds the timeout t without µr being received, the state returns from Wait_S to the initial state Wait_C to wait for the next Ω. If µr is received within t, the state moves to Process_S for processing. In Process_S four transition situations can occur: (1) if Ω accesses an object defined in the State's AOL and µr matches the Server Response behavior defined in the AOL, the machine returns to the initial state Wait_C to wait for the next Ω; (2) if µ = χ and µr = χr, the inter-state transition condition is met and the session state performs an inter-state change to the next State through the CTT; (3) if µr does not match the Server Response behavior defined by the AOL object or by χr, the server triggered transition (STT) enters the Error Inter-State to run the error handling procedure; (4) if none of the three situations applies, the default transition enters the Default Inter-State to run the predefined handling procedure.
Inter-WFSM (mWFSM)

The mWFSM defines the Inter-State transition relationships. Its components are shown in Figure 4: each State contains a State ID (STID), a µWFSM, Ο, Γ (defined by the gWFSM and inherited from it), Ψ, a State type (initial state, regular state, error state or sink state), an Entry Action, an Exit Action and a comment. The mWFSM is a finite state machine composed of the six elements <α, ε, S, S0, η, λ>, defined as follows:

α: the finite input, consisting of client triggered transition requests and server triggered transition responses.
ε: the output symbol representing an alert message.
S: the non-empty set of all States.
S0: the initial state, an element of S.
η: the state transition function, η: S × α → S.
λ: the output function, λ: S → ε.

[Figure 4: mWFSM state diagram: states, each labelled STID, µFSM, Ο, Γ, Ψ, ρ, σ, connected by CTT, STT and default transition (DT) edges. Legend: STID: State ID; Ο: Access Object List; Γ: Phase Check List; Ψ: State Check List.]
Figure 4: mWFSM state diagram

If only Web-content awareness and filtering are required, a WFSM can be completed with three mWFSM states: (1) CTT Error State: functions defined in the Entry Action (ρ) or Exit Action (σ) handle any illegitimate HTTP request. (2) STT Error State: similar to the CTT Error State, it handles abnormal server replies. (3) Normal State: a µWFSM is embedded in this state to perform the stateless client-server inspection.
Global-WFSM (gWFSM)

The gWFSM mainly defines the various phases (such as the Browsing Phase, Shopping Cart Phase and Check Out Phase) and the transition relationships between phases. A Phase may contain many States, and each phase has its own business logic. There are two Phase Types: Surfing and Transaction. Because a user may browse site content before being authenticated, we define that situation as Surfing. Conversely, once the application uses a session management mechanism to track the user's behavior, the Phase state moves from Surfing to Transaction. In this way the gWFSM can manage Web traffic with different session information according to the needs of the different stages.
(2) Web Inspection Engine (WIE)

The Web Inspection Engine is the core of the Web Stateful Intrusion Prevention Engine. Once the system administrator has finished defining the WFSM and has loaded the WFSM Profile through the WFSM Importer, the Web Inspection Engine can perform Web stateful intrusion prevention in both the Surfing and Transaction modes. The Web Inspection Engine algorithm has two parts, which handle the Client Request and the Server Response received by the system respectively.

[Figure 5: WIE Client Request processing algorithm; its pseudocode appears, as extracted, at the start of Section 3.]
Figure 5: WIE Client Request processing algorithm

The Web Inspection Engine Server Response processing algorithm is shown in Figure 6. After the system receives a Response packet from the server side, it looks up which session the packet belongs to. If no corresponding session is found the packet is dropped; if one is found, the system calls the processServerResponse function to make its decision, and if a state transition condition is met it carries out the corresponding packet handling. If the decision is a legitimate AOL access, the packet is forwarded and the µWFSM state returns to Wait_C.

[Figure 6: WIE Server Response processing algorithm; its pseudocode appears together with that of Figure 5 at the start of Section 3.]
Figure 6: WIE Server Response processing algorithm

By combining the Surfing and Transaction modes with the WFSM, the Web Inspection Engine gives the Web Stateful Intrusion Prevention Engine bidirectional stateful deep inspection capability, so that it can effectively prevent Web application attacks. Below we use a concrete attack example to verify whether the Web Stateful Intrusion Prevention Engine can effectively prevent Web application attacks.

2.2 Example of the Web Stateful Intrusion Prevention Engine Preventing an Attack

The WFSM example is shown in Figure 7. In the Transaction mode we define three Inter-States with State IDs 2000, 2501 and 2808. The three transition relationships also explicitly define their state transition conditions. For State 2000 to move to State 2501, the Server Response result judged by the Intra-state must match, and the referer field of the HTTP Request sent by the user must be a URL contained in State 2000; if the check succeeds the State moves from 2000 to 2501, otherwise it enters Error State 2808. After the State transition the system calls the Entry Action (ρ) and the Exit Action (σ) respectively to carry out the packet-related handling.
[Figure 7: WFSM example (Transaction mode; States 2000, 2501 and 2808).]
Γ (Phase check list):
  C1 = <Positive, session id, "sessionid=">; C2 = <Positive, user id, "userid=">;
  C3 = <Negative, T, 24>; C4 = <Negative, HTML_script, *>;
State 2000: Ο: a1 = </shopping/*, 200>;
  Ψ: C1 = <Positive, Method, POST>; C2 = <Positive, URL length, 255>;
      C3 = <Negative, HTML_script, *>; C4 = <Negative, HTML_form, *>;
  ρ: Pass packet; σ: NULL;
State 2501: Ο: a1 = </shopping/sports/*, 200>;
  Ψ: C1 = <Negative, HTML_script, *>; C2 = <Negative, URL length, 255>;
  ρ: Pass packet; σ: NULL;
State 2808 (error state): Ο: NULL; Ψ: NULL; ρ: Drop packet; σ: NULL;
Transition 2000 → 2501 (CTT): µ = χ(2501) ∧ χr(2501) = true ∧ hreferer = URL2000
Transition 2000 → 2808 (default transition, DT): (µ = χ2501 ∧ χr(2501)) ∨ ω(Ω, Ο) = false
Figure 7: WFSM example

When the system receives an HTTP Request sent by the client, the request must not only satisfy the state transition conditions but also the check items configured in the Phase checklist and the State checklist; if it fails the Phase or State checklist inspection, it is classified as illegitimate user behavior. In the example, the Phase checklist and the State checklists define check items suited to the usage environment; the detailed definitions are shown in Figure 8.

[Figure 8: Phase checklist and State checklist example.]
Γ (Phase checklist):
  C1: This stage uses a session management model based on a Session ID; the HTTP Request sent by the user must contain the Session ID, which appears after the string "sessionid=".
  C2: The HTTP Request sent by the user must also contain the User ID, which appears after the string "userid=".
  C3: A timeout mechanism is used, with a period of 24 hours.
  C4: The HTTP Request sent by the user may not contain HTML Script tags.
ψ2000 (State checklist of State 2000):
  C1: Only the HTTP POST Method is allowed.
  C2: The maximum URL length is 255 Bytes.
  C3: The HTTP Request sent by the user may not contain HTML Script tags.
  C4: The HTTP Request sent by the user may not contain HTML Form tags.
ψ2501 (State checklist of State 2501):
  C1: The HTTP Request sent by the user may not contain HTML Script tags.
  C2: The maximum URL length is 255 Bytes.
Figure 8: Phase checklist and State checklist example
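The following is an added example, not code from the paper or from the WIPS implementation: it encodes the Figure 7/8 profile as a positive model and runs the Process_C and Process_S steps of Section 2.1 (the same decisions the Figure 5/6 pseudocode makes) over constructed requests. The inter-state URL χ(2501), the expected transition response χr(2501) = 200, and the dictionary representation of a request are assumptions.

```python
import fnmatch, re
# Constructed profile transcribed from the paper's Figure 7/8 example; the
# inter-state URL chi(2501) and the expected response chi_r(2501) = 200 are assumed.
CHI_2501 = "/shopping/sports/enter"
PHASE_CHECKS = {"session_id": "sessionid=", "user_id": "userid="}  # Gamma, Positive
STATES = {
    2000: dict(aol=[("/shopping/*", 200)], methods={"POST"}, max_url=255,
               forbid=("script", "form"), entry="PASS"),
    2501: dict(aol=[("/shopping/sports/*", 200)], methods=None, max_url=255,
               forbid=("script",), entry="PASS"),
    2808: dict(aol=[], methods=None, max_url=None, forbid=(), entry="DROP"),
}

def kappa_phase(req):
    """K(Omega, Gamma): every Positive phase condition must appear in URL or cookie."""
    blob = req["url"] + req.get("cookie", "")
    return all(token in blob for token in PHASE_CHECKS.values())

def kappa_state(req, sid):
    """K(Omega, Psi): method, URL-length and forbidden-tag checks of state sid."""
    st = STATES[sid]
    if (st["methods"] and req["method"] not in st["methods"]) or \
       (st["max_url"] and len(req["url"]) > st["max_url"]):
        return False
    payload = (req["url"] + req.get("body", "")).lower()
    return not any(re.search(r"<\s*" + tag, payload) for tag in st["forbid"])

def phi(req, sid):
    """phi(Omega, O): the request URI names an object in the state's AOL."""
    path = req["url"].split("?")[0]
    return any(fnmatch.fnmatch(path, pat) for pat, _ in STATES[sid]["aol"])

class WfsmSession:
    def __init__(self, sid=2000):
        self.sid, self.pending = sid, None   # current mWFSM state, pending CTT target
    def client_request(self, req):
        """Process_C: a failed check is a CTT into error state 2808 (entry action DROP)."""
        is_chi = (self.sid == 2000 and req["url"].split("?")[0] == CHI_2501
                  and fnmatch.fnmatch(req.get("referer", ""), "*/shopping/*"))
        if not (kappa_phase(req) and kappa_state(req, self.sid)
                and (phi(req, self.sid) or is_chi)):
            self.sid = 2808
            return STATES[2808]["entry"]
        self.pending = 2501 if is_chi else None     # inter-state move awaits chi_r
        return "WAIT_S"                             # now wait for the server response

    def server_response(self, status):
        """Process_S: omega check against the AOL; a mismatch is an STT into 2808."""
        if status not in {code for _, code in STATES[self.sid]["aol"]}:
            self.sid, self.pending = 2808, None
            return STATES[2808]["entry"]
        if self.pending:                            # mu = chi and chi_r held: CTT
            self.sid, self.pending = self.pending, None
        return STATES[self.sid]["entry"]            # entry action rho, then Wait_C
```

A request that reaches χ(2501) without a State 2000 referer is treated as an ordinary AOL access of State 2000 and does not change state.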
3. Integrating WIPS with Snort and Implementing It on the IXP425 Development Platform
In this section we present the system measurement results of implementing the Web intrusion prevention system on the Intel IXP425 development platform.

3.1 WIPS Measurements on the IXP425 Development Platform

The WIPS test environment is shown in Figure 9. The measurement of WIPS on the IXP425 development platform consists of two parts, a functionality test and a performance test, described below.

The following pseudocode is the content of Figures 5 and 6 (the WIE Client Request and Server Response processing algorithms of Section 2.1), which the extraction placed here:

    // c_mid = current mFSM id; n_mid = next mFSM id;
    // c_gid = current gFSM id; n_gid = next gFSM id;
    For each client packet CP {
        Ω = extractRequest(CP);
        stn_id = lookUpIDClientPacket(CP, &c_mid, &c_gid);
        if (stn_id < 0) {
            insertSessionTable(CP, &c_mid, &c_gid);
        }
        Γ = getPhaseCheckList(c_gid);
        Ψ = getStateCheckList(c_mid);
        Ο = getAccessObjectList(c_mid);
        processClientRequest(Ω, Γ, Ψ, Ο, c_mid, &n_mid, c_gid, &n_gid);
        if (c_mid != n_mid) {
            exitAction(c_mid);
            transitionAction(c_mid, n_mid, c_gid, n_gid);
            entryAction(n_mid);
        } else {
            forwardPacket(CP);
        }
        updateSessionTable(stn_id, CP, n_mid, n_gid);
    }

    // c_mid = current mFSM id; n_mid = next mFSM id;
    // c_gid = current gFSM id; n_gid = next gFSM id;
    For each server packet SP {
        stn_id = lookUpIDServerResponse(SP, &c_mid, &c_gid);
        if (stn_id < 0) {
            drop packet;
        } else {
            Ω = getClientRequest(stn_id);
            Ο = getAccessObjectList(c_mid);
            processServerResponse(Ω, Ο, SP, c_mid, &n_mid, c_gid, &n_gid);
            if (c_mid != n_mid) {
                exitAction(c_mid);
                transitionAction(c_mid, n_mid, c_gid, n_gid);
                entryAction(n_mid);
            } else {
                forwardPacket(SP);
            }
            updateSessionTable(stn_id, NULL, n_mid, n_gid);
        }
    }
[Figure 9: WIPS test environment: Client (IE 6.0) and Server (WebGoat) connected through WIPS, with a SmartBit traffic generator.]
Figure 9: WIPS test environment

WIPS functionality test

For the WIPS functionality measurement we used the WebGoat software released by the OWASP organization, installed it on the server machine, and then logged into the server machine remotely from the client to verify whether WIPS could effectively block the attacks. The results, compared with Snort Inline, are shown in Figure 10.

Figure 10: WIPS vs. Snort Inline prevention of the OWASP Top Ten (O = prevented, X = not prevented)
OWASP Top Ten                                        Snort Inline   WIPS
A1 Unvalidated Input                                 O              O
A2 Broken Access Control                             X              O
A3 Broken Authentication and Session Management      X              O
A4 Cross Site Scripting (XSS) Flaws                  X              O
A5 Buffer Overflows                                  O              O
A6 Injection Flaws                                   X              O
A7 Improper Error Handling                           X              O
A8 Insecure Storage                                  X              X
A9 Denial of Service                                 O              O
A10 Insecure Configuration Management                X              O
Because WIPS has no mechanism for checking encrypted storage, it cannot solve this class of attack (A8_Insecure Storage); for the other classes, WIPS achieves a certain degree of prevention. Snort Inline can provide a solution for only three of the classes, which shows that WIPS prevents Web application attacks better than an unintegrated Snort system.

WIPS performance test

For the WIPS performance test we chose two test criteria: one is a throughput test, the other a latency test. The WFSM Logic in the system uses the example of Figure 7, and legitimate HTTP packets are sent for measurement during the test. Because WIPS was built by modifying the SwBridgeCodelet source code, SwBridgeCodelet is used as the baseline for measuring WIPS performance.

[Figure 11: Throughput (Mbps, axis 0 to 100) versus frame size (76, 128, 256, 512, 768, 1024, 1300 and 1518) for WIPS and SwBridgeCodelet.]
Figure 11: WIPS vs. SwBridgeCodelet throughput test

The latency comparison between WIPS and SwBridgeCodelet is shown in Figure 12. We can see from the figure that the latency of WIPS does not lag far behind SwBridgeCodelet, so the WIPS packet delay is within an acceptable range.

[Figure 12: Latency (axis 0 to 450; the unit label is garbled in the extraction) versus frame size (76, 128, 256, 512, 768, 1024, 1300 and 1518) for WIPS and SwBridgeCodelet.]
Figure 12: WIPS vs. SwBridgeCodelet latency comparison
4. Conclusion
In this paper we proposed a Web intrusion prevention system architecture which, building on the Web session management mechanism and combined with the concept of the finite state machine, provides a Web intrusion prevention mechanism. Through the definition of the Web Finite State Machine, the Web intrusion prevention system can provide Web stateful deep inspection capability, and by further combining positive-approach and negative-approach detection it lowers attack misjudgment and increases system reliability. We implemented the WIPS functionality on the IXP425 network processor development platform and verified its feasibility. WIPS therefore provides a complete Web application security solution.
References
[1] B. Violino, "Decoding Application Security", May 2004. http://www.csoonline.com/read/050104/application.html
[2] G. Zuchlinski, "The Anatomy of Cross Site Scripting", November 2005. http://www.net-security.org/dl/articles/xss_anatomy.pdf
[3] G. Vigna, W. Robertson, V. Kher and R. A. Kemmerer, "A Stateful Intrusion Detection System for World-Wide Web Servers", ACSAC, Dec 2003.
[4] G. Ollmann, "HTML Code Injection and Cross-site scripting". http://www.technicalinfo.net/papers/CSS.html
[5] G. Ollmann, "Web Based Session Management". http://www.technicalinfo.net/papers/WebBasedSessionManagement.html
[6] K. Ilgun, R. A. Kemmerer, and P. A. Porras, "State Transition Analysis: A Rule-Based Intrusion Detection System", IEEE Transactions on Software Engineering, 21(3):181–199, March 1995.
[7] D. Kristol and L. Montulli, "HTTP State Management Mechanism", RFC 2965, October 2000.
[8] OWASP, "The Ten Most Critical Web Application Security Vulnerabilities 2004 Update", January 27th, 2004.
[9] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[10] H. Lewis and C. Papadimitriou, "Elements of the Theory of Computation", Prentice Hall, 2nd edition, August 7, 1997.