language agnostic injection language agnostic injection
play

LANGUAGE-AGNOSTIC INJECTION LANGUAGE-AGNOSTIC INJECTION DETECTION - PowerPoint PPT Presentation

Apr 28, 2023 •364 likes •640 views

LANGUAGE-AGNOSTIC INJECTION LANGUAGE-AGNOSTIC INJECTION DETECTION DETECTION Lars Hermerschmidt, Andreas Straub, Goran Piskachev injections grow on trees 1 SHOTGUN UNPARSER SHOTGUN UNPARSER 1 if (recursive || print_dir_name) 2 { 3 if

  1. LANGUAGE-AGNOSTIC INJECTION LANGUAGE-AGNOSTIC INJECTION DETECTION DETECTION Lars Hermerschmidt, Andreas Straub, Goran Piskachev injections grow on trees 1

  2. SHOTGUN UNPARSER SHOTGUN UNPARSER 1 if (recursive || print_dir_name) 2 { 3 if (!first) 4 DIRED_PUTCHAR ('\n'); 5 first = false ; 6 DIRED_INDENT (); 7 PUSH_CURRENT_DIRED_POS (&subdired_obstack); 8 dired_pos += quote_name (stdout, realname ? realname : name 9 dirname_quoting_options, NULL ); 10 PUSH_CURRENT_DIRED_POS (&subdired_obstack); 11 DIRED_FPUTS_LITERAL (":\n", stdout); 12 } https://github.com/wertarbyte/coreutils/blob/master/src/ls.c 1 mkdir "1 2 1" 3 mkdir 2 4 ls | wc -l 2

  3. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities 3

  4. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? 3

  5. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used 3

  6. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used But why? 3

  7. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used But why? IO is "soo simple", let's just use the core libs 3

  8. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used But why? IO is "soo simple", let's just use the core libs But why? 3

  9. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used But why? IO is "soo simple", let's just use the core libs But why? Core libs don't provide secure input handling 3

  10. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used But why? IO is "soo simple", let's just use the core libs But why? Core libs don't provide secure input handling But why? 3

  11. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used But why? IO is "soo simple", let's just use the core libs But why? Core libs don't provide secure input handling But why? Lacking Awareness for the problem 3

  12. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used But why? IO is "soo simple", let's just use the core libs But why? Core libs don't provide secure input handling But why? Lacking Awareness for the problem But why? 3

  13. WHY DO INJECTIONS EXIST? WHY DO INJECTIONS EXIST? Shotgun Unparsers cause Injection Vulnerabilities But why? Correct Unparser Generators are not used But why? IO is "soo simple", let's just use the core libs But why? Core libs don't provide secure input handling But why? Lacking Awareness for the problem But why? Core libs don't provide secure input handling 3

  14. RELATED WORK RELATED WORK Language specific static and dynamic analysis: SQLi, XSS, ... are well known Language agnostic dynamic aka fuzzing: Parsers are known to be broken AUTOGRAM uses dynamic taint tracking: Grammar reconstruction from a given parser Our contribution: Language agnostic detection of injections for textual languages Awareness Detection is never complete; Use a constructive approach like McHammerCoder to solve the injection problem. 4

  15. THE SOLUTION THE SOLUTION Show, don't tell 5

  16. PROBLEM SPACE PROBLEM SPACE Detecting unparsers Identifying injections in a given unparser Generate attacks Extract full grammar 6

  17. APPROACH OVERVIEW APPROACH OVERVIEW Guided fuzzing using language keyword information Keywords are extracted from unparse trees (UPTs) UPTs are inferred automatically using dynamic program analysis 7

  18. UPT INFERENCE UPT INFERENCE 8

  19. UPT INFERENCE UPT INFERENCE 9

  20. UPT INFERENCE UPT INFERENCE 10

  21. UPT INFERENCE UPT INFERENCE 11

  22. UPTS AND KEYWORDS UPTS AND KEYWORDS Keywords have no origin in any input They are created by the unparser Their location in the UPT shows where (structurally) they are valid in the language 12

  23. FUZZING FUZZING generate targeted injection candidates based on keywords example: "break out" of string-enclosing quotation marks evaluate injection success by comparing parse trees run both original input and modified input through unparser-parser round-trip compare structures of resulting parse trees if the parse tree changed, an injection was found 13

  24. RESULTS RESULTS Promising results in case studies very accurate UPTs found (implanted) injection vulnerabilities structural keyword information can significantly improve fuzzing caveat: not a quantitative evaluation Fuzzing automatically yields PoC exploits 14

  25. KEY OBSERVATIONS KEY OBSERVATIONS "Recursive descent unparsers" exist common in ad-hoc implementations Difference to Taint Tracking: leveraging structural information to identify keywords and their scope Requires structural variability in unparser outputs poor UPTs in "template-based" unparsers reduced to common taint tracking better use a sample output for mutation fuzzing 15

  26. CONCLUSION CONCLUSION Language-agnostic Injection Detection works for recursive descent unparsers use keywords from UPTs in fuzzing Awareness Creating output is not just writing an array of bytes Injections might exist in all your unparses Call to Action Every programming language's core library deserves an (un)parser 16

  27. QUESTIONS? QUESTIONS? Lars: @bob5ec on Twitter Andreas: andy@strb.org MARGOTUA code on GitHub 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: "SELECT

445 views • 32 slides
ViLBERT: Pretraining Task-Agnostic Visiolinguistic Representations for Vision-and-Language Tasks

ViLBERT: Pretraining Task-Agnostic Visiolinguistic Representations for Vision-and-Language Tasks

ViLBERT: Pretraining Task-Agnostic Visiolinguistic Representations for Vision-and-Language Tasks - Jiasen Lu et al. (NeurIPS 2019) Presented by - Chinmoy Samant, cs59688 Overview Introduction Motivation Approach BERT

1.9k views • 60 slides
Environment-agnostic Multitask Learning for Natural Language Grounded Navigation Xin (Eric) Wang

Environment-agnostic Multitask Learning for Natural Language Grounded Navigation Xin (Eric) Wang

Environment-agnostic Multitask Learning for Natural Language Grounded Navigation Xin (Eric) Wang *, Vihan Jain*, Engene Ie, William Yang Wang, Zornitsa Kozareva, Sujith Ravi Research Conference 2018 Natural Language Grounded Navigation Command

401 views • 24 slides
5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks

A1 (Part 3): Injection Blind SQL Injection Blind SQL Injection SQL injectio ion that tricks ks databases into reveal l information by way of the success or failure of injected querie ies Analogous example le: Login prompt that stops ps

602 views • 14 slides
MANA for MPI MPI-Agnostic Network-Agnostic Transparent Checkpointing Rohan Garg, *Gregory Price,

MANA for MPI MPI-Agnostic Network-Agnostic Transparent Checkpointing Rohan Garg, *Gregory Price,

MANA for MPI MPI-Agnostic Network-Agnostic Transparent Checkpointing Rohan Garg, *Gregory Price, and Gene Cooperman Northeastern University Why checkpoint, and why transparently? Whether for maintenance, analysis, time-sharing, load balancing,

778 views • 40 slides
Web Security 1 last time: command injection placing user input in more complicated language SQL

Web Security 1 last time: command injection placing user input in more complicated language SQL

Web Security 1 last time: command injection placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string constant) defenses: better APIs:

630 views • 50 slides
Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch type of injection mismatch will lead to an emittance blow-up. Off axis

Injection mismatch: As a rule, proton/ion accelerators need their full aperture at injection, thus avoiding mismatch allows a beam of larger normalized emittance * and containing more Protons. In proton/ion ring accelerators any Injection

454 views • 4 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

466 views • 29 slides
INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible

TECHNOLOGY APPLICATIONS FOR HYDRO ISOLATION AND REPAIR OF UNDERGROUND FACILITIES INJECTION GEL www.eurastechnology.com WHAT IS INJECTION GEL? An injectable gel is a flexible mass of mineral origin, for both dry and wet surfaces solvent-free,

487 views • 21 slides
Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference

Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference

Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference Masashi Yoshikawa, Koji Mineshima, Hiroshi Noji, Daisuke Bekki Nara Institute of Science and Technology Ochanomizu University Artificial

549 views • 35 slides
Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection

Injection Safety Every Provider s Responsibility Outline Safe Injection Practices The ONE and ONLY Campaign Outbreak History Mistaken Beliefs A Call to Action Resources and Information

591 views • 20 slides
Pool-based Agnostic Pool-based Agnostic Experiment Design Experiment Design in Linear

Pool-based Agnostic Pool-based Agnostic Experiment Design Experiment Design in Linear

ECML2008 Sep. 15-19, 2008 Pool-based Agnostic Pool-based Agnostic Experiment Design Experiment Design in Linear Regression in Linear Regression Masashi Sugiyama (Tokyo Tech.) Shinichi Nakajima (Nikon) 2 Linear Regression Linear

437 views • 25 slides
Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry

Reaction Injection Molding (RIM)- Low Quantity Injection Molding for the Life Sciences Industry Presented by: Ken Schweitz, President and Doug Culbertson, VP Business Development of Premold Corp Section I. Advantages of RIM Economical

441 views • 29 slides
C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore

C0 2 / Acid Gas Injection Well Injection Well Conversion Prepared for the 5 Th Well Bore Integrity Network Meeting. Calgary Alberta May 14, 2009 Agenda Wellbore integrity Well design with annular integrity Well design without

443 views • 22 slides
CLIF is a Load Injection Framework a new initiative of ObjectWeb consortium's Java Middleware

CLIF is a Load Injection Framework a new initiative of ObjectWeb consortium's Java Middleware

CLIF is a Load Injection Framework a new initiative of ObjectWeb consortium's Java Middleware Open Benchmarking project Bruno Dillenseger, France Telecom R&D, Distributed Systems Architecture lab bruno.dillenseger@francetelecom.com Emmanuel

286 views • 24 slides
More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas

More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas

More robust I2C designs with a new fault-injection driver Wolfram Sang, Consultant / Renesas ELCE17 Wolfram Sang, Consultant / Renesas Robust I2C with fault-injection ELCE17 1 / 24 Motivation It really got personal I2C maintainer since

257 views • 24 slides
Particle Acceleration Particle Acceleration and Injection Problem in Shocks and Injection

Particle Acceleration Particle Acceleration and Injection Problem in Shocks and Injection

Particle Acceleration Particle Acceleration and Injection Problem in Shocks and Injection Problem in Shocks Masahiro Hoshino Masahiro Hoshino University of Tokyo University of Tokyo Acknowledgments for Advice and Comments: A. Amano, Y.

350 views • 23 slides
Long Baseline NF a la NuMAX J. Pasternak, IC London/STFC-RAL-ISIS D. Kelliher, STFC-RAL-ASTeC 11

Long Baseline NF a la NuMAX J. Pasternak, IC London/STFC-RAL-ISIS D. Kelliher, STFC-RAL-ASTeC 11

Decay Ring Design for Long Baseline NF a la NuMAX J. Pasternak, IC London/STFC-RAL-ISIS D. Kelliher, STFC-RAL-ASTeC 11 August 2015, CBPF, Rio De Janeiro, Brazil, nufact15 Outline Introduction IDS-NF decay ring FDDF ring for NuMax

368 views • 26 slides
Direct Routing: Algorithms and Complexity Costas Busch, RPI Malik Magdon-Ismail, RPI Marios

Direct Routing: Algorithms and Complexity Costas Busch, RPI Malik Magdon-Ismail, RPI Marios

Direct Routing: Algorithms and Complexity Costas Busch, RPI Malik Magdon-Ismail, RPI Marios Mavronicolas, Univ. Cyprus Paul Spirakis, Univ. Patras 1 Outline 1. Direct Routing. 2. Direct Routing is Hard. 3. Approximation Algorithms

404 views • 22 slides
SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database

SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database

SQL Injection Attack 1 Brief Tutorial of SQL MySQL: an open-source relational database management system Log in to MySQL Create a Database : SHOW DATABSES command: list existing databases. Create a new database called

521 views • 30 slides
Calibrating semi-analytic V T s against reweighted injection V T s Daniel Wysocki and

Calibrating semi-analytic V T s against reweighted injection V T s Daniel Wysocki and

Calibrating semi-analytic V T s against reweighted injection V T s Daniel Wysocki and Richard OShaughnessy Rochester Institute of Technology LIGO R&D Call Monday, October 1, 2018 LIGO-T1800427-v1 D. Wysocki, R. OShaughnessy

271 views • 14 slides
JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab

JWT Parkour Attacking JSON WEB TOKENS Louis Ny ff enegger @PentesterLab louis@pentesterlab.com About me Security Engineer Pentester/Code Reviewer/Security consultant/Security architect/IANAC Run a website to help people learn security

1.28k views • 79 slides

More recommend