taic part 2010
play

TAIC PART 2010 Linguistic Security Testing for Textual Protocols - PowerPoint PPT Presentation

Dec 19, 2022 •545 likes •720 views

TAIC PART 2010 Linguistic Security Testing for Textual Protocols Authors Ben Kam, Tom Dean Queens University, Canada Linguistic Security Testing for Textual Protocols Goals and History 1. Protocol Tester Protocol Tester Group

  1. TAIC PART 2010 Linguistic Security Testing for Textual Protocols Authors Ben Kam, Tom Dean Queen’s University, Canada

  2. Linguistic Security Testing for Textual Protocols Goals and History 1. Protocol Tester • Protocol Tester Group – Queen’s University and RMC • Testing – binary-based network communication protocols (OSPF) • Protocols represented by context free grammar • Using a test planner to insert a different set of XML markup tags into the captured message sequences to guide the mutation • The set of mutation tags was hard coded 2. Extend our previous versions • Testing – text-based network communication protocols • Using protocol description file to insert XML markup tags • Some of mutation tags are generated automatically by using a program to analyze the grammar • Handling complex mutations • Protocol independent (HTTP, FTP, iCal …)

  3. Linguistic Security Testing for Textual Protocols Syntax-based Security Testing (SST) framework Request Network Capture Response server Request message sequence Marked Test cases Markup Replay Mutator up packet Replayed Response message sequence Original Response Oracle message sequence Test results

  4. Linguistic Security Testing for Textual Protocols Protocol Specification and Markup Include “http.grm” % partial HTTP grammar redefine entity_header define program … [request-message] | [SOAPAction] end define end redefine define request-message define SOAPAction [request-line][repeat headers_message] [soap_uri][soap_message] [CRLF][opt message_body] end define end define define soap_message define request-line [xml_declaration][open_soap_envelope] [method][space][request-uri][space] [soap_header] [soap_body][close_soap_envelope] [http-version][CRLF] end define end define The middle level XML SOAP protocol specification The partial low level HTTP protocol specification Example of HTTP request packet POST /return.asp HTTP/1.1 Host: 192.168.1.105 User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071220 BonEcho/2.0.0.11 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate ………………..

  5. Linguistic Security Testing for Textual Protocols Protocol Specification and Markup define request_line % partial HTTP grammar <enumeratedLiteral>[method]</enumeratedLiteral> define program [space][request_uri][space] [http_version] [CRLF] [request-message] end define end define define request-message Nested Markup tag example [request-line][repeat headers_message] [CRLF][opt message_body] <enumeratedLiteral><caseSensitive>[method]</caseSensitive></enumeratedLiteral> end define define request-line [method][space][request-uri][space] Relation tag example [http-version][CRLF] define Content_Length end define 'Content-Length : [space] <length id="%" root="request_message" role="length"> [number]</length> The partial low level HTTP protocol specification end define define message_body <length id="%" root="request_message" role="value“> [repeat token_or_key]</length> end define

  6. Linguistic Security Testing for Textual Protocols Categorization of markup tags Types Tags Purpose Change to another terminal provided from grammar to alter Syntactic enumeratedLiteral the original semantics Change the terminal letters from caseSensitive upper case to lower case or vice Change the terminal character charSpecific Change the terminal date format dateSpecific Alter the terminal characters syntaxSpecific Lexical Change the terminal value to valueLimitation common boundary values Replace a string values with stringSpecific common alternate strings Indicates that the number marked by the length role gives the Relational length number of characters in the value role. The content identified by the tag is Custom jpeg an embedded jpeg image (e.g. file upload).

  7. Linguistic Security Testing for Textual Protocols Markup and mutate process Generate Combined Insert Markup Protocol program Description Mutation Mutants engine Mutation Marked up Insert Captured Mutants engine Packet Markup Packet Mutation Mutants engine

  8. Linguistic Security Testing for Textual Protocols Using Agile parsing techniques Generalized Markup Combined Protocol Specification Protocol Grammar Description Grammar Merge Program Generalized Protocol Grammar Markup Specification define http_version define http_version HTTP / [number] HTTP / [number] <charSpecific> [period] </charSpecific> [number] end define end define define period `. end define

  9. Linguistic Security Testing for Textual Protocols Markup and mutate process Generate Combined Insert Markup Protocol program Description Mutation Mutants engine Mutation Marked up Insert Captured Mutants engine Packet Markup Packet Mutation Mutants engine

  10. Linguistic Security Testing for Textual Protocols Marked up packets GET / HTTP/1<charSpecific>.</charSpecific>1 Host: 192.168.1.104 Accept-Language: en-us,en;q=0.5 GET / HTTP/1.1 Accept-Encoding: gzip,deflate Host: 192.168.1.104 GET / HTTP/1.1 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Language: en-us,en;q=0.5 Host: 192.168.1.104 Keep-Alive: 300 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Connection: keep-alive Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate If-Modified-Since: <dateSpecific>03/10/1900</dateSpecific> 07:43:23 GMT Keep-Alive: 300 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 … Connection: keep-alive Keep-Alive: 300 If-Modified-Since: <dateSpecific>03/10/1900</dateSpecific> 07:43:23 GMT Connection: keep-alive … If-Modified-Since: <dateSpecific>03/10/1900</dateSpecific> 07:43:23 GMT … define http_version HTTP / [number] <charSpecific> [period] </charSpecific> [number] Marked up end define Packet define period `. end define

  11. Linguistic Security Testing for Textual Protocols Mutants examples GET / HTTP/1:1 Host: 192.168.1.104 GET / HTTP/1;1 Accept-Language: en-us,en;q=0.5 Host: 192.168.1.104 GET / HTTP/1@1 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Host: 192.168.1104 GET / HTTP/1#1 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Host: 192.168.1.104 Keep-Alive: 300 GET / HTTP/1$1 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Accept-Language: en-us,en;q=0.5 Connection: keep-alive Host: 192.168.1.104 Keep-Alive: 300 GET / HTTP/1%1 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate Marked up … Accept-Language: en-us,en;q=0.5 Connection: keep-alive Host: 192.168.1.104 Keep-Alive: 300 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 packet Mutation engine Accept-Encoding: gzip,deflate … Accept-Language: en-us,en;q=0.5 Connection: keep-alive Keep-Alive: 300 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Accept-Encoding: gzip,deflate … Connection: keep-alive Keep-Alive: 300 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 … Connection: keep-alive Keep-Alive: 300 … Connection: keep-alive …

  12. Linguistic Security Testing for Textual Protocols Experiments 1. Toy web applications • to validate the functionality of the framework • Interesting result – IIS accepted the undefined request method message Apache2 rejected the undefined request method message (method POST was changed to post) 2. kOrganizer • mutated iCal files – caseSensitive, charSpecific, dateSpecific, syntaxSpecific, valueLimitation, and stringSpecific • Xmacroplay instructs the kOrganizer to open and close the mutated iCal files • A total of 1026 test cases generated from a single iCalendar file • kOrganizer crashed by a 16Mb string (SIGSEGV - a segmentation violation) • The total running time was 244188 seconds (67.83 hours)

  13. Linguistic Security Testing for Textual Protocols SST vs other black box security testing tools Vulnerability reveal Cross-site scripting Directory traversal Bypass restriction Buffer overflows Denial of service Reference Session Fixation SQL injection Protocol Command Injection Methodology independent User Session No √ [1,2,6,7,8] WAVES No √ √ [3] Bypass No √ √ √ [5] SecuBat No √ √ [4] SST Yes √ √ √ √ √ √ √ √ -

  14. Linguistic Security Testing for Textual Protocols Conclusion and Future Work The contribution of this research • Creation of a light weight testing framework usable for most text-based communication protocols • Extension mechanism for easily adding new markup tags and mutators • Integration with external mutators for embedded binary data • We have demonstrated the framework with attacks on HTTP and iCalendar application • Protocol independent testing framework • Extended SST to handle higher level application protocols e.g. shopping cart protocol

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The 4+1 View Model of IndustryAcademia Collaboration Experiences PER RUNESON @ TAIC PART

The 4+1 View Model of IndustryAcademia Collaboration Experiences PER RUNESON @ TAIC PART

The 4+1 View Model of IndustryAcademia Collaboration Experiences PER RUNESON @ TAIC PART 2015 It takes two to tango T esting: Academic &amp; Industrial C onference Practice a nd Research T echniques Industry-academia anti-patterns 1.

280 views • 27 slides
Lessons learnt from using DSLs for Automated Software Testing TAIC-PART 2015 Mark Micallef,

Lessons learnt from using DSLs for Automated Software Testing TAIC-PART 2015 Mark Micallef,

Lessons learnt from using DSLs for Automated Software Testing TAIC-PART 2015 Mark Micallef, Christian Colombo PEST Research Lab, University of Malta Tuesday, April 07, 2015 Product Owner Developer Project Manager Tester / QA Isnt this

359 views • 17 slides
A Generic Approach to Run Mutation Analysis Siamak Haschemi and Stephan Weileder

A Generic Approach to Run Mutation Analysis Siamak Haschemi and Stephan Weileder

A Generic Approach to Run Mutation Analysis Siamak Haschemi and Stephan Weileder Humboldt-Universitt zu Berlin METRIK Research Training Group TAIC-PART 2010 Sonntag, 5. September 2010 Mutation Analysis 2 Sonntag, 5. September 2010

676 views • 51 slides
Welc elcome e to t o the e TAIC ICEP webi ebinar: Ov Over erview of of Nursi Nur sing

Welc elcome e to t o the e TAIC ICEP webi ebinar: Ov Over erview of of Nursi Nur sing

Welc elcome e to t o the e TAIC ICEP webi ebinar: Ov Over erview of of Nursi Nur sing Ed g Educa ucation Ar Aroun und th the W Worl rld 2018 TAICEP Webinar: Overview of Nursing Education Around the World Mark y you our c

1.14k views • 68 slides
A Multi-Criteria Decision Making Framework for Real Time Model-Based Testing M. AbouTrab, B.

A Multi-Criteria Decision Making Framework for Real Time Model-Based Testing M. AbouTrab, B.

A Multi-Criteria Decision Making Framework for Real Time Model-Based Testing M. AbouTrab, B. Alrouh, S. Counsell, R. M. Hierons and G. Ghinea Department of Information Systems and Computing, Brunel University, Uxbridge, UK TAIC PART 2010

418 views • 11 slides
Reverse engineering - traces to state machines Neil Walkinshaw and Kirill Bogdanov 1 1 Department

Reverse engineering - traces to state machines Neil Walkinshaw and Kirill Bogdanov 1 1 Department

Inference Competition Reverse engineering - traces to state machines Neil Walkinshaw and Kirill Bogdanov 1 1 Department of Computer Science The University of Sheffield TAIC PART, September 4, 2010 U. of Sheffield Reverse engineering - traces

660 views • 17 slides
DE PART ME NT OF HE AL T H &amp; HUMAN SE RVI CE S T Y 2010 BUDGE T L e o Pe lle gr

DE PART ME NT OF HE AL T H &amp; HUMAN SE RVI CE S T Y 2010 BUDGE T L e o Pe lle gr

DE PART ME NT OF HE AL T H &amp; HUMAN SE RVI CE S T Y 2010 BUDGE T L e o Pe lle gr ini Dir e c tor Se pte mbe r 22, 2010 He a lth &amp; Huma n Se rvic e s De pa rtme nta l Ove rvie w Dire c to r s Offic e

356 views • 33 slides
ARE CISQ RELIABILITY MEASURES PRACTICAL? A RESEARCH PERSPECTIVE Johannes Bruer , Reinhold

ARE CISQ RELIABILITY MEASURES PRACTICAL? A RESEARCH PERSPECTIVE Johannes Bruer , Reinhold

ARE CISQ RELIABILITY MEASURES PRACTICAL? A RESEARCH PERSPECTIVE Johannes Bruer , Reinhold Plsch, Manuel Windhager TAIC PART 2017, Tokyo WHAT TO EXPECT? Motivation for measuring reliability CISQ Standard Measuring tool MUSE

567 views • 17 slides
Reaching For Greatness Aaron Seigo Tampere, Finland | Akademy 2010 Part I an introduction Part

Reaching For Greatness Aaron Seigo Tampere, Finland | Akademy 2010 Part I an introduction Part

Reaching For Greatness Aaron Seigo Tampere, Finland | Akademy 2010 Part I an introduction Part 2 community dynamics reaching for greatness one team, one community many teams, one community varying targets unique goals, shared goals Part

739 views • 25 slides
2010 Standards 2010 Standards at ADA.gov Applies... New Construction Alterations

2010 Standards 2010 Standards at ADA.gov Applies... New Construction Alterations

9/4/2015 DOJs 2010 ADA Standards Overview of the Appendices B and D 2010 ADA Standards to 36 CFR part 1191 (2009) -- 2004 ADA for Accessible Design for Accessible Design Guidelines... and the requirements contained in 35.151 and

554 views • 17 slides
JOB DESCRI PTI ONS: Maximizing Compliance and Effectiveness Rev. 09.22.2010 PART ONE:

JOB DESCRI PTI ONS: Maximizing Compliance and Effectiveness Rev. 09.22.2010 PART ONE:

JOB DESCRI PTI ONS: Maximizing Compliance and Effectiveness Rev. 09.22.2010 PART ONE: Introduction and Legal Issues Job descriptions can be very useful to employers, employees and job applicants when carefully written and kept up-to-date. Job

1.3k views • 32 slides
The End of Frenville : Relief or More Confusion? July/August 2010 Paul M. Green As part of the

The End of Frenville : Relief or More Confusion? July/August 2010 Paul M. Green As part of the

The End of Frenville : Relief or More Confusion? July/August 2010 Paul M. Green As part of the overhaul of bankruptcy laws in 1978, Congress for the first time included the definition of claim as part of the Bankruptcy Code. A few years

428 views • 7 slides
Medical Applications of Pattern Recognition by Nee Yalabk HIBIT'10, Antalya,April 2010

Medical Applications of Pattern Recognition by Nee Yalabk HIBIT'10, Antalya,April 2010

Medical Applications of Pattern Recognition by Nee Yalabk HIBIT'10, Antalya,April 2010 Outline Part 1 :Introduction:Definitions and Terminology Part 2 :Historical Background Part 3 : PR Techniques used in Medicine and

601 views • 58 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Denotational Semantics 812 lectures for Part II CST 2010/11 Marcelo Fiore Course web page:

Denotational Semantics 812 lectures for Part II CST 2010/11 Marcelo Fiore Course web page:

Denotational Semantics 812 lectures for Part II CST 2010/11 Marcelo Fiore Course web page: http://www.cl.cam.ac.uk/teaching/1011/DenotSem/ 1 Lecture 1 Introduction 2 What is this course about? General area. Formal methods :

2.58k views • 192 slides
Deflating the Shifted Laplacian for the Helmholtz Equation Domenico Lahaye and helping friends

Deflating the Shifted Laplacian for the Helmholtz Equation Domenico Lahaye and helping friends

Introduction Accelerating the Complex Shifted Laplacian using Deflation Conclusions Deflating the Shifted Laplacian for the Helmholtz Equation Domenico Lahaye and helping friends DIAM - TU Delft PETSc Users Meeting Vienna, July 27th-30th,

394 views • 16 slides
Deflation in Coxeter Groups G Eric Moorhouse based on recent work (1993-present) of John H.

Deflation in Coxeter Groups G Eric Moorhouse based on recent work (1993-present) of John H.

Deflation in Coxeter Groups G Eric Moorhouse based on recent work (1993-present) of John H. Conway and Christopher S. Simons The cube defines an infinite Coxeter group. The cube has four 6-cycles (as induced subgraphs). ~ Deflate every A 5

751 views • 24 slides
Winning in Close Combat Ground Forces in Multi-Domain Battle Institute of Land Warfare

Winning in Close Combat Ground Forces in Multi-Domain Battle Institute of Land Warfare

2017 Global Force Symposium and Exposition Training and Doctrine Command Winning in Close Combat: Ground Forces in Multi-Domain Battle Innovation for Complex World Winning in Close Combat Ground Forces in Multi-Domain Battle Institute of Land

849 views • 23 slides
8.3 Networked Application 8.3 Networked Application History and Evolution History and

8.3 Networked Application 8.3 Networked Application History and Evolution History and

8.3 Networked Application 8.3 Networked Application History and Evolution History and Evolution Department of Defense (DoD) Department of Defense (DoD) SIMNET SIMNET Distributed Interactive Simulation (DIS)

94 views • 5 slides
Tracking beacon HTTP beacon http :// pixel . quantserve . com / seg / p- 6 fTutip 1 SMLM 2. js

Tracking beacon HTTP beacon http :// pixel . quantserve . com / seg / p- 6 fTutip 1 SMLM 2. js

Tracking beacon HTTP beacon http :// pixel . quantserve . com / seg / p- 6 fTutip 1 SMLM 2. js GET / seg / p- 6 fTutip 1 SMLM 2. js HTTP /1.1 Host : pixel . quantserve . com User-Agent : Mozilla /5.0 ( Macintosh ; U ; Intel Mac OS X 10.6; en-US ;

985 views • 15 slides
Theoretical approach Suppose we have estimated a joint distribution between seller quality and

Theoretical approach Suppose we have estimated a joint distribution between seller quality and

Designing Informative Rating Systems | Nikhil Garg &amp; Ramesh Johari Evidence from an Online Labor Market Such Ratings are terribly inflated scales We show that a simple intervention in deflate the rating system design deflates ratings

531 views • 4 slides
Deflation based preconditioning of linear systems of equations Martin H. Gutknecht Seminar for

Deflation based preconditioning of linear systems of equations Martin H. Gutknecht Seminar for

http://www.sam. ma th. et hz .h /~ mh g Deflation based preconditioning of linear systems of equations Martin H. Gutknecht Seminar for Applied Mathematics, ETH Zurich SC2011 International Conference on Scientific Computing Santa

439 views • 27 slides
On Minimal-Perimeter Latice Animals Gill Barequet, Gil Ben-Shachar Dept. of Computer Science,

On Minimal-Perimeter Latice Animals Gill Barequet, Gil Ben-Shachar Dept. of Computer Science,

On Minimal-Perimeter Latice Animals Gill Barequet, Gil Ben-Shachar Dept. of Computer Science, Technion, Haifa EuroCG 2020, Wrzburg, Germany What is a Lattice Animal? Polyominoes Polyhexes Polyiamonds Polycubes Definitions Term

576 views • 30 slides

More recommend