This is my first seminar presentation. The presentation is based on the core paper: CRAXweb: Automatic Web Application Testing and Attack Generation. If you are interested in this research area, other research methods in this area can be found in the reference section.
CRAXweb: Automatic Exploit Generation for Web Applications
1. Lehrstuhl für Informatik 4
1/161/2012 <Title> <Name LastName> Seminar in Computer Science
CRAXweb: Automatic Web Application Testing and Attack Generation [1]
Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu
National Chiao Tung University
Presented by
Aung Thu Rha Hein
5536871
[1] “CRAXweb: Automatic Web Application Testing and Attack Generation”, Software Security and Reliability (SERE), 2013 IEEE 7th International Conference, June 2013.
2. Outline
1. Introduction
2. Background
   - What is an exploit?
   - Dynamic Analysis
   - Symbolic Execution
3. CRAXweb: Automatic Web Application Testing and Attack Generation
4. Conclusions
5. References
3. Introduction – Motivation
● Software bugs are common
  ● Especially in web applications
● Some bugs are more harmful than others
● They are difficult to detect manually
● Static analysis confuses developers and produces false positives
● Manual testing is not effective
4. Introduction – Problem Statement
● Challenge
  ● How to find exploits and shellcode for a program
  ● Source code analysis alone is not enough
  ● Finding exploitable paths among all program execution paths
5. Introduction – Research Objective
● To generate exploits for web applications
6. Background: Exploits – What is an exploit?
● Exploit techniques vary with the OS and architecture
● Types of exploits
  ● Stack overflow exploit
  ● Heap corruption exploit
  ● Format string attack
● Attack methodologies
  ● Remote exploit
  ● Local exploit
  ● Two-stage exploit
● Tools for writing exploits: LibExploit, Metasploit, CANVAS
7. Background: Exploits – Stack Overflow Exploit Example
#include <string.h>

/* Deliberately vulnerable: strcpy copies the whole argument into a
   12-byte buffer with no length check, so a longer argument overwrites
   the stack beyond c[] (the classic stack overflow). */
void foo(char *bar)
{
    char c[12];
    strcpy(c, bar);
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return 1;      /* no argument supplied */
    foo(argv[1]);
    return 0;
}
8. Background: Exploits – Stack Overflow Exploit Example
9. Background: Dynamic analysis – Introduction
● Monitor code as it executes
● Usefulness of dynamic analysis
  ● Precision of information
  ● Dependence on program inputs
● Four common dynamic analysis techniques:
  ● Dynamic taint analysis
  ● Forward symbolic execution
  ● Frequency spectrum analysis
  ● Coverage concept analysis ...
10. Background: Dynamic analysis – Dynamic Taint Analysis
● To hijack program execution, attackers overwrite (taint) values that the program takes from a trusted source
● Taint analysis process
  1. Mark input data from untrusted sources as tainted
  2. Monitor program execution to track how tainted data propagates
  3. Check whether tainted data is used in dangerous ways
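The three steps above, as an added Python illustration (this is not TaintCheck's or CRAXweb's code, which work on binaries rather than language objects; the Tainted class, the sink and sanitizer names and the sample request are constructed for this example): untrusted input is marked at the source, the mark follows it through the string operations the program uses, and a sink refuses to act on marked data.

```python
"""Minimal dynamic taint tracking (added illustration, not TaintCheck or
CRAXweb code). Step 1 wraps untrusted input as Tainted, step 2 propagates
the mark through string operations, step 3 checks the mark at a dangerous
sink (here: SQL execution). Names and the sample request are constructed."""


class Tainted(str):
    """A str that remembers it originated from an untrusted source."""

    def __new__(cls, value, source="untrusted"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # step 2: the mark propagates through operations that derive new strings
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.source)

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

    def __getitem__(self, key):
        return Tainted(str.__getitem__(self, key), self.source)

    def strip(self, chars=None):
        return Tainted(str.strip(self, chars), self.source)

    def lower(self):
        return Tainted(str.lower(self), self.source)


def is_tainted(value):
    return isinstance(value, Tainted)


class TaintViolation(Exception):
    pass


def sink(name, value):
    """Step 3: refuse to use tainted data in a dangerous operation."""
    if is_tainted(value):
        raise TaintViolation(f"{name} reached by tainted data from {value.source}")
    return value


def sql_literal(value):
    """Toy sanitizer: quoting/escaping returns a plain str, which clears the mark."""
    return "'" + str(value).replace("'", "''") + "'"


def build_query(user_id):
    """Application code under test: builds SQL by string concatenation."""
    return "SELECT * FROM users WHERE id = " + user_id


def execute_sql(sql):
    sink("sql_execute", sql)        # a real database call would follow here
    return "executed"


def handle_request(params, sanitizer=None):
    """Simulated HTTP handler: step 1 marks the query parameter as tainted."""
    user_id = Tainted(params["id"], source="http:id")
    if sanitizer is not None:
        user_id = sanitizer(user_id)
    try:
        return execute_sql(build_query(user_id))
    except TaintViolation:
        return "blocked"
```

The check fires on the origin of the data, not on its content: the harmless id 42 is blocked until it passes through an explicit sanitizer, which is how a taint tracker turns a dangerous data flow into a finding independent of any particular payload. The class only covers the operations it overrides; an f-string or str.join produces a plain str and silently drops the mark, which is one reason real trackers such as TaintCheck propagate taint at the byte and instruction level rather than through language objects.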
11. Background: Dynamic analysis – Dynamic Taint Analysis
Attack detected using TaintCheck
12. Background: Dynamic analysis – Symbolic Execution
● Key idea: generalize testing by using unknown symbolic variables in evaluation
  ● f(1, 2) becomes f(α1, α2)
● Allows unknown symbolic variables in evaluation
  ● y = α; assert(f(y) == 2*y-1);
● If an execution path depends on an unknown, conceptually fork the symbolic executor
  ● int f(int x) { if (x > 0) return 2*x - 1; else return 10; }
13. Background: Dynamic analysis – Symbolic Execution Example
14. Background: Dynamic analysis – Symbolic Execution: Purpose
● E.g. Are particular program points reachable?
● E.g. Is array access a[i] out of bounds?
● E.g. Generate concrete inputs that execute the same paths
  ● With constraint solvers, e.g. Z3, Yices, STP
15. Background: Dynamic analysis – Symbolic Execution Limitations
● Scalability issues when the number of execution paths is large
● Source code, or an equivalent, is required
● Limitations in solving constraints
  ● Cannot handle non-linear and very complex constraints
16. Research Paper – CRAXweb: Automatic Web Application Testing and Attack Generation
17. Research Paper – Overview of CRAXweb
● Implements AEG (automatic exploit generation) for large-scale web applications
● Focus on XSS and SQLi attacks
● Based on a symbolic socket and symbolic execution
● Single-path concolic mode is used to reduce path explosion
● Selective Symbolic Execution (S2E)
  ● Provides the ability to execute a specific part of a program symbolically
● Simple Theorem Prover (STP) as the constraint solver
● Acunetix as the web crawler
18. Research Paper – Exploit Generation: Constraint Solving
● Generate test cases and exploits
19. Research Paper – Exploit Generation: Constraint Solving
x – the exploit (the input to solve for)
f(x) – the expected attack script (the output the exploit must produce)
20. Research Paper – Single Path Concolic Mode
● To reduce the overhead caused by symbolic execution
  ● Explore one path at a time
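The forking executor of slide 12 and the constraint solving of slides 19 and 20, as one added Python illustration (not code from the paper, S2E or STP; Sym, Path, explore, find_assertion_failure and generate_input are names chosen here, and a bounded search over small integers stands in for a real constraint solver): each run follows a single path and records the constraint of every branch it takes, further paths come from flipping one recorded decision, and the same path constraints are then conjoined either with the negated assertion or with the requirement that f(x) equal the expected output.

```python
"""Toy symbolic executor for the seminar's f(x) example (added illustration,
not code from the CRAXweb paper, S2E or STP). Symbolic values are linear
expressions a*x + b over one integer input x; path constraints are solved
by a bounded search instead of a real solver such as STP or Z3."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Sym:
    """Linear expression a*x + b in the single symbolic input x (alpha)."""
    a: int = 0
    b: int = 0

    def __add__(self, other):
        other = lift(other)
        return Sym(self.a + other.a, self.b + other.b)

    def __sub__(self, other):
        other = lift(other)
        return Sym(self.a - other.a, self.b - other.b)

    def __mul__(self, k):  # constant factors only, so expressions stay linear
        return Sym(self.a * k, self.b * k)

    __rmul__ = __mul__

    def eval(self, x):
        return self.a * x + self.b


def lift(v):
    return v if isinstance(v, Sym) else Sym(0, v)


class Path:
    """One run: replays the `forced` branch decisions and records all of them."""

    def __init__(self, forced=()):
        self.x = Sym(1, 0)              # the symbolic input
        self.forced = list(forced)
        self.decisions = []             # branch outcomes taken on this run
        self.constraints = []           # (expr, taken): taken <=> expr > 0

    def gt0(self, expr):
        """Branch on `expr > 0`; an unforced branch defaults to the true arm."""
        i = len(self.decisions)
        taken = self.forced[i] if i < len(self.forced) else True
        self.decisions.append(taken)
        self.constraints.append((expr, taken))
        return taken

    def satisfied(self, x):
        return all((e.eval(x) > 0) == t for e, t in self.constraints)


def candidates(bound=100):
    """0, 1, -1, 2, -2, ... so the search returns small witnesses first."""
    yield 0
    for i in range(1, bound + 1):
        yield i
        yield -i


def solve(path, extra=lambda x: True):
    """First concrete x satisfying the path constraints and `extra`, or None."""
    for x in candidates():
        if path.satisfied(x) and extra(x):
            return x
    return None


def explore(program):
    """Explore one path per run (single-path concolic mode); each further
    path is obtained by flipping one recorded branch decision."""
    paths, worklist = [], [[]]
    while worklist:
        path = Path(worklist.pop())
        result = program(path)
        if solve(path) is None:         # infeasible path, drop it
            continue
        paths.append((path, result))
        for i in range(len(path.forced), len(path.decisions)):
            worklist.append(path.decisions[:i] + [not path.decisions[i]])
    return paths


def f(p):
    """The slide's program: int f(int x) { if (x > 0) return 2*x-1; else return 10; }"""
    if p.gt0(p.x):
        return 2 * p.x - 1
    return Sym(0, 10)


def find_assertion_failure(program, spec):
    """Concrete input violating assert(program(x) == spec(x)), or None."""
    for path, result in explore(program):
        x = solve(path, lambda x: result.eval(x) != spec(x))
        if x is not None:
            return x
    return None


def generate_input(program, target):
    """Constraint solving as on the exploit-generation slide: solve
    f(x) == target (the expected output) together with the path constraints."""
    for path, result in explore(program):
        x = solve(path, lambda x: result.eval(x) == target)
        if x is not None:
            return x
    return None
```

For f from the slide, explore(f) yields two paths (x > 0 and x <= 0). find_assertion_failure(f, lambda y: 2*y-1) reports x = 0, where f returns 10 while 2*x-1 is -1. generate_input(f, 7) solves 2*x-1 == 7 under x > 0 and returns 4, while generate_input(f, 4) returns None because no path can produce an even value; that last case is the situation the slides describe when the solver cannot satisfy the conjoined constraints and no exploit is generated for that path.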
21. Research Paper – Flow diagram of the automatic process
22. Research Paper – Implementation: Symbolic Socket
● S2E as the symbolic environment
23. Research Paper – Implementation: Architecture
● Overall architecture of the automatic exploit generator
24. Research Paper – Implementation: Symbolic Response and Query Handler
● From web crawler to symbolic request
25. Research Paper – Implementation: Symbolic Response and Query Handler
● From symbolic response or query to exploit generator
26. Research Paper – Implementation: Exploit Generation
27. Research Paper – Implementation: Exploit Generation
● Algorithm to solve the exploit constraint
28. Research Paper – Results: Experiment Environment
● Host OS: Ubuntu 10.10
● Guest environment: emulated by QEMU
● QEMU-hosted Debian 5.07 and Windows XP
● Software: S2E 1.0 and MySQL as the database handler
29. Research Paper – Results: Evaluation for different platforms
30. Research Paper – Results: Evaluation for Exploit Generation
● With test cases from Ardilla
31. Research Paper – Results: Evaluation for Exploit Generation
● With test cases from Ardilla
32. Research Paper – Results: Evaluation for Exploit Generation
● With real-world applications
33. Research Paper – Results: Related work
34. Conclusions
● AEG is possible for web applications
● CRAXweb uses
  ● Symbolic execution
  ● Concolic testing
● However, there is still room for development
  ● for more exploit types
  ● for integration with a browser
35. References
Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, “CRAXweb: Automatic Web Application Testing and Attack Generation”, Software Security and Reliability (SERE), 2013 IEEE 7th International Conference, June 2013
Shih-Kun Huang, Min-Hsiang Huang, Po-Yen Huang, Chung-Wei Lai, Han-Lin Lu, Wai-Meng Leong, “CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations”, Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference, June 2012
Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao and David Brumley, “AEG: Automatic Exploit Generation”, Network and Distributed System Security Symposium, Feb 2012
36. References
James Newsome, Dawn Song, “Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software”, Network and Distributed System Security Symposium, 2005
Cristian Cadar, Daniel Dunbar, Dawson Engler, “KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs”, USENIX Symposium on Operating Systems Design and Implementation, December 2008