control flow in web
play

Control-Flow in Web Applications William G.J. Halfond University of - PowerPoint PPT Presentation

Mar 16, 2023 •206 likes •459 views

Identifying Inter-Component Control-Flow in Web Applications William G.J. Halfond University of Southern California halfond@usc.edu Definition: Control-flow Relationship that shows which statements may execute after each other. I.e

  1. Identifying Inter-Component Control-Flow in Web Applications William G.J. Halfond University of Southern California halfond@usc.edu

  2. Definition: Control-flow Relationship that shows which statements may execute after each other. I.e sequencing information. Entry function OddorEven(int a) F 1 1. for(int i=0; i++; i<a){ T 2. if (i % 2 == 0) then 2 T F 3. print(i + “ is even.”) 3 4 4. else 5 5. print(i + “ is odd.”) 6 6. } Exit 2

  3. Motivating Scenario Verify user will be logged in before accessing shopping cart 1 — 8 represent control flow in web applications 3

  4. Types and Sources of Control-flow 1. Dynamically Generated HTML 2. JavaScript 3. HTTP Commands 4. Component Inclusion 5. Direct Entry/Access 4

  5. Why Not Use…. • Manual specification • Web crawlers • Traditional control-flow analysis Control Flow 5

  6. The Approach: Overview Web Application Program Analysis HTML Tool Servlet Servlets 6

  7. The Approach: Overview 15 ... 5 Login.jsp 31 Login.jsp 1 2 3 Entry Exit 6 7 8 9 1 4 0 1 3 Default.jsp Error.jsp Index.jsp ResetPassword.j Entry Entry Entry sp Entry Client 7

  8. The Approach: Running Example void service(Request req, Response resp) 21. out.print("</script>"); 1. JspWriter out = resp.getOutputStream(); 22. out.print("<h1>Login Page</h1>"); 2. String session = req.getParam("session"); 23. out.print("<form method=POST" + " action=‘ Login.jsp ’>"); 3. if (isValidSession(session)) 24. out.print ("<input type=hidden value=" + "‘login’ 4. sendHttpCmd(resp, 302, "Default.jsp"); name=session>"); 5. elsif (session.equals("login")) 25. out.print("User:<input type=text name=uname>"); 6. String login = req.getParam("uname"); 26. out.print("Password:<input type=" + "password 7. String password = req.getParam("pword"); name=pword>"); 8. if (isClean(login) && isClean(pword)) 27. out.print ("<input type=submit value=‘Login’>"); 9. if (loginOK(uname, pword)) 28. out.print ("<input type=submit value=‘Back’" + " 10. sendHttpCmd(resp, 302, "Default.jsp"); onClick =‘ goBack ()’>"); 12. else 29. out.print("</form>"); 13. sendHttpCmd(resp, 303, "Error.jsp"); 30. out.print("<a href =’ Reset.jsp ’>" + " Reset 15. else password</a>"); 16. out.print("<html><body>"); 31. out.print("</body></html>"); 17. out.print("<script language =’JavaScript’>"); 18. out.print("function goBack() {"); 19. out.print("window.location.href="Index.jsp"; 20. out.print("}"); 8

  9. The Approach: Step-by-Step 1. Use static analysis to identify dynamically generated HTML and JavaScript content 2. Identify parameter values to invocations of HTTP and Component Inclusion commands 3. Identify open entry methods for Direct Entry 9

  10. (1) Generated Content: Intuition Use static analysis to determine potential HTML and JavaScript output of each servlet, and then parse that output to identify relevant constructs and tags. For each method m, in each servlet: 1. Identify HTML content of each output statement 2. Group content along a path into HTML fragments 3. Add HTML fragment to m ’s summary Combine summaries up to root method Parse summaries of each root method 10

  11. (1) Generated Content: Algorithm 11

  12. (1) Generated Content: Example void service(Request req, Response resp) 21. out.print("</script>"); 1 1. JspWriter out = resp.getOutputStream(); 22. out.print("<h1>Login Page</h1>"); 2. String session = req.getParam("session"); 23. out.print("<form method=POST" + " action=‘ Login.jsp ’>"); 3. if (isValidSession(session)) 2 24. out.print ("<input type=hidden value=" + "‘login’ 4. sendHttpCmd(resp, 302, "Default.jsp"); name=session>"); 5. elsif (session.equals("login")) 3 25. out.print("User:<input type=text name=uname>"); 10 6. String login = req.getParam("uname"); 26. out.print("Password:<input type=" + "password 7. String password = req.getParam("pword"); name=pword>"); 8. if (isClean(login) && isClean(pword)) 27. out.print ("<input type=submit value=‘Login’>"); 14 11 4 9. if (loginOK(uname, pword)) 28. out.print ("<input type=submit value=‘Back’" + " 10. sendHttpCmd(resp, 302, "Default.jsp"); onClick =‘ goBack ()’>"); 12. else 29. out.print("</form>"); 15 12 5 13. sendHttpCmd(resp, 303, "Error.jsp"); 30. out.print("<a href =’ Reset.jsp ’>" + " Reset 15. else password</a>"); 16. out.print("<html><body>"); 31. out.print("</body></html>"); 6 17. out.print("<script language =’JavaScript’>"); 13 8 18. out.print("function goBack() {"); Identify HTML producing 19. out.print("window.location.href="Index.jsp"; statements, i.e. set GEN sets 9 7 20. out.print("}");

  13. (2) Parameter Analysis: Intuition 1. Identify invocations in code that call* 1. HTTP commands 2. Component Inclusion 2. Analyze parameters to determine value** 3. Interpret semantics of parameter values *Identify indirect invocations as well and use method summarization. **String analysis and reaching definitions 13

  14. (2) Parameter Analysis: Example resp.sendHttpMessage (302, “ Login.jsp ”); Use static analysis to identify these values Servlet.include (“ Common.jsp ”) 14

  15. (2) Parameter Analysis: Example sendHttpCmd(resp, 302, "Default.jsp"); Create method summary with placeholders, then substitute in actual values when we find an invocation of the summarized method. void sendHttpCmd(Response resp, int code, String msg) String location = "Location: "; location += urlEncode(msg); location += "\n\n"; resp.sendHttpMessage(code, location); 15

  16. (3) Entry Points Identify and mark methods that represent methods that can be invoked and provided with input by the user. Examples: doPost(), doGet(), _service() 16

  17. Inter-Component Control-flow Graph 15 ... 5 Login.jsp 31 Login.jsp 1 2 3 Entry Exit 6 7 8 9 10 4 13 Default.jsp Error.jsp Index.jsp ResetPassword.j Entry Entry Entry sp Entry Client 17

  18. The Approach: Running Example void service(Request req, Response resp) 21. out.print("</script>"); 1. JspWriter out = resp.getOutputStream(); 22. out.print("<h1>Login Page</h1>"); 2. String session = req.getParam("session"); 23. out.print("<form method=POST" + " action=‘ Login.jsp ’>"); 3. if (isValidSession(session)) 24. out.print ("<input type=hidden value=" + "‘login’ 4. sendHttpCmd(resp, 302, "Default.jsp"); name=session>"); 5. elsif (session.equals("login")) 25. out.print("User:<input type=text name=uname>"); 6. String login = req.getParam("uname"); 26. out.print("Password:<input type=" + "password 7. String password = req.getParam("pword"); name=pword>"); 8. if (isClean(login) && isClean(pword)) 27. out.print ("<input type=submit value=‘Login’>"); 9. if (loginOK(uname, pword)) 28. out.print ("<input type=submit value=‘Back’" + " 10. sendHttpCmd(resp, 302, "Default.jsp"); onClick =‘ goBack ()’>"); 12. else 29. out.print("</form>"); 13. sendHttpCmd(resp, 303, "Error.jsp"); 30. out.print("<a href =’ Reset.jsp ’>" + " Reset 15. else password</a>"); 16. out.print("<html><body>"); 31. out.print("</body></html>"); 17. out.print("<script language =’JavaScript’>"); 18. out.print("function goBack() {"); 19. out.print("window.location.href="Index.jsp"; 20. out.print("}"); 18

  19. Evaluation: Research Questions RQ1: Time to analyze web applications. RQ2: Precision of control-flow information. RQ3: Recall of control-flow information. Implemented approach in ICE (Inter- component Control-flow Extractor) • Soot, Indus, JSA, HTMLParser, Rhino for underlying analyses 19

  20. Subject Applications Application LOC Classes Servlets Bookstore 19,402 28 27 Classifieds 10,702 18 18 Daffodil 18,706 119 70 Employee Dir. 5,529 11 9 Events 7,164 13 12 Filelister 8,671 41 10 Portal 16,089 28 27 Webmail 17,078 81 24 20

  21. Other Approaches • Crawler: Automated exploration of web pages at runtime, based on Crawljax and a traditional static web page crawler • HTML only: Only uses step 1 of the approach, identifying dynamic HML content • Mimosa: Static analysis tool for detecting workflow attacks • SXS: Static analysis tool for detecting access control vulnerabilities 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Control flow Processor Control-Flow State Familiar C constructs Condition codes (a.k.a. flags ) if else l

191 views • 8 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay Mumbai, India FOSSEE Team (FOSSEE IITB) Control flow 1 / 32 Outline Control flow 1 Basic Conditional flow Control flow 2 Basic Looping

560 views • 37 slides
Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J.

Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J.

Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J. Mckernan , J.F .Whidborne , G.Papadakis Cranfield University, U.K. Kings College, London, U.K. Optimal Control of

572 views • 22 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow

Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow

CIS330, Week 9 Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow Exceptions Process context switches Creating and destroying processes CIS330 Week 9 Control Flow Computers do Only One Thing

1.08k views • 85 slides
Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow &lt;startup&gt;

Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow &lt;startup&gt;

Control Flow CPU Sean Barker 1 Physical Control Flow Physical control flow &lt;startup&gt; inst 1 inst 2 Time inst 3 inst n &lt;shutdown&gt; Sean Barker 2 Operating System User-level Applications Operating System Hardware

453 views • 16 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
Measuring the Role of Greylisting and Nolisting in Fighting Spam F. Pagani 1 M. De Astis 2 M.

Measuring the Role of Greylisting and Nolisting in Fighting Spam F. Pagani 1 M. De Astis 2 M.

Measuring the Role of Greylisting and Nolisting in Fighting Spam F. Pagani 1 M. De Astis 2 M. Graziano 1 A. Lanzi 2 D. Balzarotti 1 1 Eurecom Sophia Antipolis, France 2 Universit` a degli Studi di Milano Milano, Italy International Conference

559 views • 43 slides
Sticky Content and the Structure of the Web Scott Duke Kominers Harvard University Workshop on

Sticky Content and the Structure of the Web Scott Duke Kominers Harvard University Workshop on

Sticky Content and the Structure of the Web Scott Duke Kominers Harvard University Workshop on the Economics of Networks, Systems, and Computation July 7, 2009 Scott Duke Kominers (Harvard) NetEcon09 July 7, 2009 1 / 17 Introduction

1.4k views • 136 slides
E-crime CS642: Computer Security Professor Ristenpart

E-crime CS642: Computer Security Professor Ristenpart

E-crime CS642: Computer Security Professor Ristenpart h/p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Spam,

1.21k views • 77 slides
ZigZag: Automa,cally Hardening Web Applica,ons Against Client- side Valida,on Vulnerabili,es

ZigZag: Automa,cally Hardening Web Applica,ons Against Client- side Valida,on Vulnerabili,es

ZigZag: Automa,cally Hardening Web Applica,ons Against Client- side Valida,on Vulnerabili,es PRESENTED BY SAI TEJ KANCHARLA Content Introduc,on Mo,va,on And Threat Model System Overview Invariant Detec,on Invariant

549 views • 26 slides
Good morning! Lecture will start at 10:45 (let's wait for everyone). If you have any

Good morning! Lecture will start at 10:45 (let's wait for everyone). If you have any

Good morning! Lecture will start at 10:45 (let's wait for everyone). If you have any question, please ask in the chat. Note that lecture will be recorded. Please write your name and student ID there:

680 views • 49 slides
Tiki Wiki CMS Groupware Jean-Marc Libs jyhem@tiki.org More than one tool for collaborating

Tiki Wiki CMS Groupware Jean-Marc Libs jyhem@tiki.org More than one tool for collaborating

Tiki Wiki CMS Groupware Jean-Marc Libs jyhem@tiki.org More than one tool for collaborating on writing the Tiki CMS The Tiki Wiki CMS Groupware software community obviously uses Tiki itself for collaboration and knowledge management. Yet,

351 views • 14 slides
Project Ideas Semester long projects of medium scope TAs presenting project ideas today

Project Ideas Semester long projects of medium scope TAs presenting project ideas today

Project Ideas Semester long projects of medium scope TAs presenting project ideas today Students can submit their own ideas Send to cs161projectidea@gmail.com To be approved by staff Short presentation of approved ideas this

355 views • 31 slides
Op Oper eration onal Ch Challe allenges to EW EW e effecti ectiven enes ess Air Mshl

Op Oper eration onal Ch Challe allenges to EW EW e effecti ectiven enes ess Air Mshl

Op Oper eration onal Ch Challe allenges to EW EW e effecti ectiven enes ess Air Mshl Daljit Singh PVSM AVSM VM (Retd) Indian Air Force Sequence Flashback Technological Advances Present Scenario Current Developments

499 views • 14 slides

More recommend