Cybersecurity Vulnerabilities and Solutions in Web Development

Discover the dangers of malicious scripting and the importance of sanitizing text inputs on servers to prevent security breaches in web applications. Explore techniques such as Atomic Replacement Constraints, Finite State Transducers, and Hierarchical FST modeling for enhancing security and analyzing vulnerabilities in web development.

• Cybersecurity
• Web Development
• Malicious Scripts
• Server Security
• Vulnerability Analysis

buffkin_b Follow

Uploaded on Sep 16, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

Presentation Transcript

1. Xiang Fu Hofstra University Chung-Chih Li Illinois State University 04/13/2010 NFM 2010 1

2. Background Hacker malicious scripts Cool page! Problem? Lack of Sufficient Sanitation of Text Inputs Server 04/13/2010 NFM 2010 2

3. One Typical Error 1 <?php 2 $msg = $_POST[ msg ]; 3 $sanitized = pregreplace( 4 /\< s c r i p t .*?\>.*?\<\/ s c r i p t .*?\ >/ i , 5 , 6 $msg ) ; 7 savetodb($sanitized ) 8 ?> Reluctant Kleene Star Attacker s Input <<script></script>script>alert( a )</script> <script>alert( a )</script> 04/13/2010 NFM 2010 3

4. Bigger Picture Objective: Automatic Discovery of Vulnerabilities SUSHI Bytecode Symbolic String Constraint Solver Test Execution Replayer Attack Pattern 04/13/2010 NFM 2010 4

5. Our Contribution Atomic Replacement Constraints Consider Two Semantics Greedy Reluctant Modeling Using Finite State Transducer (FST) Compact Representation of FST Security Analysis 04/13/2010 NFM 2010 5

6. Finite State Transducer Accepts Regular Relation Union, Concat, Composition Intersection, Complement :1 1 2 a:2 Used for Modeling Rewriting Rules [Kaplan94, Karttunen96] 4 3 b:3 A (ab,123) L(A) 04/13/2010 NFM 2010 6

7. Hierarchical FST & Modeling Declarative Semantics S aaa { b, bb, bbb } Goal: + a b r Replacement Regular Search Pattern Any String not Containing patter r Id( * - * r *) r : Id( * - * r *) 2 1 3 4 : Identical Relation 04/13/2010 NFM 2010 7

8. Modeling Reluctant Semantics S r - a aaa bbb { } Goal: + b Key: Left-Most Matching 2 Steps Mark the beginning of pattern Do the replacement 04/13/2010 NFM 2010 8

9. Input Word Search Pattern a+b+c x a a b b c d a b c a b d # a # a b b c d # a b c a b d Begin Marker s1 reluc(r)# : #: x d x a b d : s2 f1 Id( ) 04/13/2010 NFM 2010 9

10. The Challenge: Begin Marker Search Pattern a+b+c x Input Word a a b b c d a b c a b d # # # # Look-ahead Capability? 3 Steps: (1) End marker (2) Generic end marker (3) Begin marker Non-determinism 04/13/2010 NFM 2010 10

11. Preliminary End Marker Search Pattern c: c b: b 1 2 3 a+b+c x a: a b : b :$ Idea: Start with End Marker for Reverse of Search Pattern 4 5 a: a A1 Reversed Pattern cb+a+ Problem: Input tape accepts cb+a+ only! 04/13/2010 NFM 2010 11

12. Generic End Marker Pattern cb+a+ c:c b:b 1 2 3 4 5 c:c b:b a:a :$ 1 2,1 3,1 4,1 5,1 a:a a:a Deterministic! a:a b:b c:c c:c b:b A2 c c b a a Input Word c c b a $ a $ Output Word 04/13/2010 NFM 2010 12

13. Finally, the Begin Marker Search Pattern a+b+c x 0 : c:c b:b : : c:c b:b a:a :# 1 2 3 4 5 1 2,1 3,1 4,1 5,1 a:a a:a b:b c:c c:c b:b A3 04/13/2010 NFM 2010 13

14. Input Word Search Pattern a+b+c x a a b b c d a b c a b d # a # a b b c d # a b c a b d Begin Marker s1 reluc(r)# : #: x d x a b d : s2 f1 Id( ) 04/13/2010 NFM 2010 14

15. Greedy Semantics greedy + a aaa { b } + r + S b Goal: Challenge: Look-ahead longestmatch 04/13/2010 NFM 2010 15

16. Search Pattern a+ x aabab Step 1: Begin Marker #a#ab#ab Step 2: ND End Marker #a#ab#a$b #a$#a$b#a$b #a#a$b#a$b #a#a$b#ab Step 3: Pairing Markers #aa$b#a$b #aaba$b Step 4: Checking Match #a$#a$b#a$b Step 5: Check Longest Step 6: Replacement xbxb 04/13/2010 NFM 2010 16

17. Login Servlet Applications Solve String Constraints Input: user name After filtering single quote and length restriction + + + + = + ' ' ' + ' SELECT...W HERE ...' , 0 [ ' ' 16 ] ' ' AND pwd ' ' , 0 [ ' ' 16 ] x y ' ' = uname ' ' |' ] ).*' OR * . uname ' ' ([ ' 04/13/2010 NFM 2010 17

18. Solving Atomic Constraint P S Goal: r A1 Id(P) Project to Input Tape Solution 04/13/2010 NFM 2010 18

19. SUSHI Constraint Solver Solves Simple Linear String Constraints (SISE) Relies on dk.brics.automaton for FSA operations Self-made Java package for FST operations Supports 16-bit Unicode Compact Transition Representation Type I Type II Type III (I,I) (II,I) (III,II) 04/13/2010 NFM 2010 19

20. Login Servlet Efficiency of Solver 1.4 Seconds on 2Ghz PC Benchmark Equations + = { 2 2 , n } x b n 1 + { , } a b n n = { 2 2 , n } x b n 2 + { , } a b n n Flex SDK XSS Attack Equation Size: 565 74 Seconds Shorter than Security Track #1022748 + = { 2 2 , n } x b n 3 * { , } a b n n = { 2 2 , n } x b n 4 * { , } a b n n 04/13/2010 NFM 2010 20

21. Related Work Forward String Analysis Christensen & M ller [SAS 03] Wasserman & Su [PLDI 07, ICSE 08] Bj rner & Tillmann [TACAS 09] Backward String Analysis Kiezun & Ganesh [ISSTA 09] Yu & Bultan [SPIN 08, ASE 09] Fu [COMPSAC 07, TAVWEB 08] Natural Language Processing * Kaplan and Kay [CL 1994] Our Contribution: Precise Modeling of Various Regular Substitution Semantics 04/13/2010 NFM 2010 21

22. Limitations SISE String Constraints All Variables Appear on LHS (Once) No Easy Solution for Equation System Yet No string length Future Directions Encoding string length in automata Finite model on bit-vector 04/13/2010 NFM 2010 22

23. Questions? 04/13/2010 NFM 2010 23