back in black
play

Back In Black: Towards Formal, Black Box Analysis Of Sanitizers and - PowerPoint PPT Presentation

Apr 13, 2023 •241 likes •597 views

Back In Black: Towards Formal, Black Box Analysis Of Sanitizers and Filters George Argyros* , Ioannis Stais**, Angelos Keromytis* and Aggelos Kiayias*** * ** *** Motivation Sanitizers and filters are important components of securing

  1. Back In Black: Towards Formal, Black Box Analysis Of Sanitizers and Filters George Argyros* , Ioannis Stais**, Angelos Keromytis* and Aggelos Kiayias*** * ** ***

  2. Motivation • Sanitizers and filters are important components of securing applications. - Think code injection attacks. • Black-Box analysis is often a necessity. - Penetration testing, hardware testing. • Filters need to be fast. - Possibility of representing with automata models. • This talk: focus on regular expression filters. - Check the paper for results on sanitizers.

  3. Regular Expression Filters • Pass untrusted input through Regular Expressions. - Reject if match found. • Widely employed for protecting against code injection attacks. - Not very robust. • Significant components of large scale software. - Web Application Firewalls, IDS, DPI and others. • Represented by Deterministic Finite State Automata (DFA).

  4. Can we efficiently infer Regular Expression Filters?

  5. Exact Learning From Queries Form of Active Learning. Target M Learning Two types of Queries. Algorithm

  6. Exact Learning From Queries Membership Query Target M Learning Algorithm string s Is s accepted by M ?

  7. Exact Learning From Queries Equivalence Query Target M Learning Algorithm Model H Is M = H ? Yes, or provide counterexample.

  8. Learning Deterministic Finite Automata [Angluin ’87], [Rivest-Schapire ’93] • Start with an initial state. q 1 q 1 q 1 q 4 • Test all transitions from that state. q 1 • When valid DFA is formed test for q 0 q 0 q 0 q 0 q 0 Equivalence. • Counterexamples provide access q 2 q 3 q 2 q 2 q 2 q 3 to previously undiscovered states. Testing all transitions is inefficient for large Alphabets!

  9. Symbolic Finite Automata (SFA) Symbolic Automata Classical Automata guards

  10. Learning SFA: Challenges • Alphabet may be infinite! • How to distinguish causes for counterexamples in the models? - Counterexamples due to undiscovered states in the target. - Counterexamples due to inaccurate transition guards.

  11. Learning Symbolic Finite Automata φ 1 , 0 ( x ) φ 1 , 0 ( x ) • Start with an initial state. φ 1 , 1 ( x ) q 1 q 1 q 1 q 4 • Test sample transitions from that state. a φ 0 , 0 ( x ) φ 0 , 0 ( x ) • Use sample transitions as training set (q0,a,q1), (q0,b,q2), … guardgen() q 0 q 0 φ 2 , 1 ( x ) q 0 q 0 to generate guards. b φ 0 , 1 ( x ) φ 0 , 1 ( x ) φ 2 , 0 ( x ) • Novel counterexample processing q 2 q 3 q 2 q 2 method to handle incorrect guards. Convergence under natural assumptions on guardgen()

  12. Is Exact Learning From Queries a realistic model?

  13. Is Exact Learning from Queries a realistic model? • Membership Queries? Test whether input is rejected by the filter. • Equivalence Queries?

  14. Grammar Oriented Filter Auditing or How to Implement an Equivalence Oracle

  15. Grammar Oriented Filter Auditing (GOFA)

  16. Grammar Oriented Filter Auditing (GOFA) Context Free Grammar G … select_exp: SELECT name any_all_some: ANY | ALL column_ref: name parameter: name

  17. Grammar Oriented Filter Auditing (GOFA) Context Free Grammar G … select_exp: SELECT name any_all_some: ANY | ALL column_ref: name parameter: name

  18. Grammar Oriented Filter Auditing (GOFA) Context Free Regular Filter F Grammar G … select_exp: SELECT name (alter{s}*{w}+.*character{s} any_all_some: ANY | ALL +set{s}+{w}+)|(\";{s} column_ref: name *waitfor{s}+time{s}+\") parameter: name /index.php?id=1’ or ‘1’=‘1 Normal output or REJECT

  19. Grammar Oriented Filter Auditing (GOFA) Context Free Regular Filter F Grammar G Find string s such that May Require Exponential … select_exp: SELECT name (alter{s}*{w}+.*character{s} Number of Queries! any_all_some: ANY | ALL +set{s}+{w}+)|(\";{s} column_ref: name *waitfor{s}+time{s}+\") parameter: name /index.php?id=1’ or ‘1’=‘1 Normal output or REJECT

  20. Solving GOFA • In an ideal (White-Box) world both G and F are available: 1. Compute , the set of strings not rejected by F. 2. Check for emptiness. • In practice F is unavailable. - Learn a model for F !

  21. Solving GOFA Context Free Regular Filter F Grammar G

  22. Solving GOFA Context Free Regular Filter F Grammar G

  23. Solving GOFA Membership Query Context Free Regular Filter F Grammar G string s True if REJECT is returned False otherwise

  24. Solving GOFA Equivalence Query One Membership Query per Equivalence Query! Context Free Regular Filter F Grammar G If REJECT: H If no such s s is a counterexample for H . exists then Otherwise: terminate s is a bypass for the filter F .

  25. Evaluation

  26. Experimental Setup • 15 Regular Expression Filters from popular Web Application Firewalls(WAFs). ‣ 7 - 179 states. ‣ 13 - 658 transitions. • Alphabet size of 92 symbols. ‣ Includes most printable ASCII characters.

  27. DFA vs SFA Learning ✓ On average 15x less queries. ✓ Increase in Equivalence queries. ✓ Speedup is not a simple function of the automaton size.

  28. DFA vs SFA Learning

  29. GOFA Algorithm Evaluation • Assume that the grammar G does not contain a string that bypasses the filter. - How good is the approximation of the filter obtained? - How efficient is SFA Learning in the GOFA context? • What is an appropriate grammar to perform this experiment? - Use the filter itself as the input grammar! - Intuitively, a maximal set that does not include a bypass.

  30. DFA vs SFA Learning in GOFA ✓ SFA utilizes x35 less queries. ✓ States recovered: ‣ DFA: 91.95% ‣ SFA: 89.87%

  31. GOFA: Evading WAF • Handcrafted grammar with valid suffixes of SQL statements. - SELECT * from table WHERE id= S - Simulates an SQL Injection attack. • Test GOFA algorithm against live installations of ModSecurity and PHPIDS. - Both systems include non regular anomaly detection components.

  32. GOFA: Evading WAF Evasions found for both web application firewalls. ✓ Authentication Bypass: 1 or isAdmin like 1 ✓ Data Retrieval: 1 right join users on author.id = users.id Evasion attacks aknowledged by ModSecurity team.

  33. Conclusions • SFAs provide an efficient way to infer regular expressions. • SFA learning can provide insights for non regular systems . • Similar techniques derived for sanitizers, more in the paper! • Large space for improvements over presented learning algorithm. - Smarter guard generation algorithms. • We envision assisted Black-Box testing of sanitizers and filters. - Auditor will correct inaccuracies of models. - Derive concrete attacks from abstract language constructs.

  34. Back In Black: Towards Formal, Black Box Analysis Of Sanitizers and Filters George Argyros* , Ioannis Stais**, Angelos Keromytis* and Aggelos Kiayias*** * ** ***

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Turbulence in black holes and back again L. Lehner (Perimeter Institute) Motivation

Turbulence in black holes and back again L. Lehner (Perimeter Institute) Motivation

Turbulence in black holes and back again L. Lehner (Perimeter Institute) Motivation Holography provides a remarkable framework to connect gravitational phenomena in d+1 dimensions with field theories in d dimensions. Most robustly

625 views • 31 slides
GirlTrek Quick Review THE FACTS 2 3 OUT OF Black women get no exercise everyday. 137 >

GirlTrek Quick Review THE FACTS 2 3 OUT OF Black women get no exercise everyday. 137 >

GirlTrek Quick Review THE FACTS 2 3 OUT OF Black women get no exercise everyday. 137 > gun violence, HIV/AIDS and smoking combined. THE HE TUB UBMAN D N DOCTRINE 1. SAVE YOUR OWN LI FE. 2. COME BACK FOR SI STERS. 3. RALLY YOUR

206 views • 17 slides
Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II.

Black Hole Thermodynamics Robert M. Wald I. Black Holes; Event Horizons and Killing Horizons II. The First Law of Black Hole Mechanics and Black Hole Entropy III. Dynamic and Thermodynamic Stability of Black Holes IV. Quantum Aspects of Black

1.74k views • 116 slides
PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI

PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI

PREVENTION OF LOW BACK PAIN : Back Education for Workplace and Home PRESENTED AT BODIJA-ASHI BAPTIST CHURCH, IBADAN MARCH 10, 2013 Ibidunni Alonge Olumide Dada WHY LOW BACK PAIN? 2 Knee Back Neck WHAT IS LOW BACK PAIN? 3 Low back

1.56k views • 61 slides
2013-14 Fiscal Year End June 30, 2014 Overview Turning the corner back in the black

2013-14 Fiscal Year End June 30, 2014 Overview Turning the corner back in the black

2013-14 Fiscal Year End June 30, 2014 Overview Turning the corner back in the black Operational surplus and overall fiscal plan surplus Fiscal Plan surplus (change in net assets) Operational surplus Budget 2013 Actual Budget

430 views • 22 slides
Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Constructing black holes and black hole microstates String theory and the fuzzball proposal Cl

Introduction : black hole issues and entropy counting The fuzzball proposal Constructing three-charge supersymmetric solutions Non-BPS extremal black holes Conclusion and perspectives Constructing black holes and black hole microstates String

1.37k views • 95 slides
Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black

Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black

Red-Black Trees Binary Search Trees with O(log n) Worst-Case Time per Operation The Red-Black Tree Properties Red-black tree properties Every node has a color, red or black. The root is black. The leaves are black. nil nil nil nil nil

392 views • 36 slides
Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The Free Haven Project http://freehaven.net/tor/ July 29, Black Hat 2004 Talk Outline Motivation: Why anonymous communication? Personal privacy

788 views • 57 slides
Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service

Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service

Back-Up Servicing www.1stservicing.com Back-Up Servicing A back-up servicer is a service provider who agrees to take over the servicing of a portfolio of assets on the occurrence of certain trigger events, most commonly failure of the

829 views • 5 slides
BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY

BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY

BLACK HISTORY MONTH 2014 African Americans in the Sciences BLACK HISTORY IS AMERICAN HISTORY HIGHLIGHTED OF BLACK ACHIEVEMENTS The creative contributions in all fields throughout the world. With this background, both Black students

635 views • 46 slides
Example of Black Body Spectra for different temperatures What is the best known example of a black

Example of Black Body Spectra for different temperatures What is the best known example of a black

Example of Black Body Spectra for different temperatures What is the best known example of a black body source? What is the best known example of a black body source? Hint Temperature = 2.7 K Planck Radiation Law Cosmic Microwave

504 views • 32 slides
Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow

Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow

Black Country Annual Economic Review 2018 May 2018 The Black Country Economy continues to Grow Source: Office for National Statistics, Regional Accounts, 2017 2 3 3 Business stock in the Black Country is at its highest since 2004 Black

532 views • 19 slides
Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK

Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK

Black Pre-Law Students Association (BPLSA) REQUEST TO FUND ATTENDANCE TO THE NATIONAL BLACK PRE-LAW CONFERENCE VALENCIA SCOTT | PRESIDENT SHONDREYA LANDRUM | INTERNAL AFFAIRS VICE PRESIDENT Our Organization Purpose - Goals The Black

589 views • 16 slides
5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node

5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node

Red Black Tree 5 Rules 1 Red Black Tree Properties - A 1. Every Node Is Either RED or BLACK 2. Every NILL Node Is BLACK sometimes referred to as a "Null Leaf" Red Black Tree Properties - B 3. Every RED Node Has Two Black Child

1.14k views • 100 slides
Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers

Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers

Black Hills Power CIS Testing Importance to your TIMP Programs And Black Hills Powers Lessons Learned WHO WE ARE Black Hills Corporation is a diversified energy service company operating in several western states. o Corporate Offices

626 views • 39 slides
Queensnake recovery, distribution and stewardship in Huron County 1 2 Queensnake ( Regina

Queensnake recovery, distribution and stewardship in Huron County 1 2 Queensnake ( Regina

Queensnake recovery, distribution and stewardship in Huron County 1 2 Queensnake ( Regina septemvittata) Small to medium semi-aquatic snake Brown to olive back with narrow black stripes Belly is pale yellow with narrow black stripes

368 views • 34 slides
Estimation of Theoretically Consistent Stochastic Frontier Functions in R Arne Henningsen

Estimation of Theoretically Consistent Stochastic Frontier Functions in R Arne Henningsen

Estimation of Theoretically Consistent Stochastic Frontier Functions in R Arne Henningsen Department of Agricultural Economics University of Kiel, Germany Outline Theoretically Consistent Stochastic Frontier Functions Arne Henningsen

246 views • 12 slides
Section 3.3: Dummies and Interactions Jared S. Murray The University of Texas at Austin McCombs

Section 3.3: Dummies and Interactions Jared S. Murray The University of Texas at Austin McCombs

Section 3.3: Dummies and Interactions Jared S. Murray The University of Texas at Austin McCombs School of Business 1 Example: Detecting Sex Discrimination Imagine you are a trial lawyer and you want to file a suit against a company for salary

697 views • 31 slides
1 THE FEAST Leviticus 23:41-43 And ye shall keep it a Feast unto the LORD seven days in the year.

1 THE FEAST Leviticus 23:41-43 And ye shall keep it a Feast unto the LORD seven days in the year.

1 THE FEAST Leviticus 23:41-43 And ye shall keep it a Feast unto the LORD seven days in the year. It shall be a statute for ever in your generations: ye shall celebrate it in the seventh month. Ye shall dwell in booths seven days ; all that are

973 views • 40 slides
Matthew Series Lesson #007 October 13, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert

Matthew Series Lesson #007 October 13, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert

Matthew Series Lesson #007 October 13, 2013 Dean Bible Ministries www.deanbible.org Dr. Robert L. Dean, Jr. The Presentation of the King The Chronology from the Birth of Jesus Shepherds visit Jesus, Luke 2:820 Jesus is

411 views • 19 slides
Data Handling A N D R E W N O R M A N Talk Overview 2 Infrastructure & Tools

Data Handling A N D R E W N O R M A N Talk Overview 2 Infrastructure & Tools

Data Handling A N D R E W N O R M A N Talk Overview 2 Infrastructure & Tools Data Transport Monitoring Operations FIFE Workshop Data Handling The Problem 3 Moving data is hard We have a LOT of data FIFE

569 views • 26 slides
MySlice overview Jordan Aug e, Lo c Baron (UPMC) OpenLab plugfest January 23-25, 2013

MySlice overview Jordan Aug e, Lo c Baron (UPMC) OpenLab plugfest January 23-25, 2013

Overview of MySlice Extending MySlice with Gateways Extending MySlice with plugins MySlice overview Jordan Aug e, Lo c Baron (UPMC) OpenLab plugfest January 23-25, 2013 Paris, France MySlice overview 1 / 16 Jordan Aug e,

792 views • 44 slides
Symbolic Finite Automata Margus Veanes April 5, 2014 VSSE'14, Grenoble, France 1 Overview

Symbolic Finite Automata Margus Veanes April 5, 2014 VSSE'14, Grenoble, France 1 Overview

Applications of Symbolic Finite Automata Margus Veanes April 5, 2014 VSSE'14, Grenoble, France 1 Overview Are SFAs applicable to analysis of software evolution? automata modulo theories S ymbolic Finite Automaton (SFA) Main

887 views • 35 slides
Local Government Funding Reform: Settlement 2019/20 and the Road Ahead 1 Outline for the

Local Government Funding Reform: Settlement 2019/20 and the Road Ahead 1 Outline for the

Local Government Funding Reform: Settlement 2019/20 and the Road Ahead 1 Outline for the briefing today 2019/20 Provisional Settlement and NNDR1 2019/20 Funding Reform Consultations Fair Funding Business Rates Retention 2

809 views • 70 slides

More recommend