Using Static Program Analysis to Aid Intrusion Detection M. Egele - - PowerPoint PPT Presentation



SLIDE 1

Motivation Analysis Evaluation Summary

Using Static Program Analysis to Aid Intrusion Detection

  • M. Egele
  • M. Szydlowski
  • E. Kirda
  • C. Kruegel

Secure Systems Lab, Vienna University of Technology

SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment, 2006

  • M. Egele, M. Szydlowski, E. Kirda, C. Kruegel

Using Static Program Analysis to Aid Intrusion Detection

SLIDE 2

Outline

  1. Motivation
  2. Analysis: Mode of Operation; Parse Application Sourcecode; Find Parameter Entry Points; Parameter Name Extraction; Type Inference; Value Extraction
  3. Evaluation: How We Evaluated Our Results; Results; Analysis Results; Comparison with Log Data

SLIDE 3

What we want to do and why

  • PHP is arguably the most prominent language for developing web-based applications
  • Many exploits for vulnerabilities in PHP applications exist
  • Users (and attackers) influence the application mainly via its parameters
  • We employ interprocedural dataflow analysis to gain knowledge about the parameters an application uses
  • The types and possible values of parameters are especially interesting


SLIDE 8

Existing intrusion detection system

MAID tries to characterize web requests through different models:
  • learning-based intrusion detection system developed at the Secure Systems Lab, TU Vienna
  • models include a parameter presence/absence model, structural inference, token finder models, ...
  • no a priori knowledge of the applications it protects; learning is basically done via logfile analysis
  • in some cases unnecessary imprecision leads to many false positives → this is what we want to improve


SLIDE 12

Mode of operation

Pipeline (figure): Input: PHP Source File → Parse File and Includes → Abstract Representation → Identify Interesting Parameters → Variable Type Inference → Track Variable Values → Link Parameters and Usage → Output: Parameter Info

Actions performed, in order:
  1. parse the application source code
  2. identify the parameters the application accepts
  3. type inference on variables
  4. variable values are tracked
  5. parameter usage is examined

SLIDE 17

Parsing

  • The original Zend language parser was used
  • Includes are resolved (where the include path is a constant expression)
  • Variables and functions are identified


SLIDE 20

How parameters can be accessed in PHP

  • The parameter name is an index into a parameter array, e.g., the $_GET and $_POST superglobals
  • Via register_globals (risky)


SLIDE 22

Example on accessing parameters

    class Util {
        // returns the GET parameter $var (magic quotes removed), or $default if absent
        function getGet($var, $default = null) {
            return (isset($_GET[$var]))
                ? Util::dispelMagicQuotes($_GET[$var])
                : $default;
        }
        // POST takes precedence over GET
        function getFormData($arg, $default = null) {
            return (($val = Util::getPost($arg)) !== null)
                ? $val
                : Util::getGet($arg, $default);
        }
    }

    $actionID = Util::getFormData('actionid');


SLIDE 30

How we find the parameter names

  1. Dataflow analysis at the procedural level
  2. Interprocedural analysis for function calls (recursive)
  3. This information can be used for the parameter presence/absence model of our IDS


SLIDE 33

Parameter types: valuable information

  • Very useful for the IDS (e.g., integers match {-}?[0-9]+)
  • PHP only has dynamic types (e.g., no int $x), and every value is dynamically typecast to whatever type a given operation expects
  • Type inference through the applied operations via a type matrix; special cases include:
      • &&, ||, xor, ! always return boolean
      • . always returns string
      • &, |, ^ return string iff both operands are strings, integer otherwise


SLIDE 39

Parameter types

  1. Try to infer the types of as many variables as possible via the operator-type matrix
  2. If a parameter is linked to a variable, assume the parameter has the same type as the variable:

         $x = $_GET['THE_X'];
         if ($x == 42)
             echo "x is 42";
         else
             echo "error x is not 42";

  3. Use the more general type if there is a conflict
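Added example (not the authors' analyzer): the operator-type matrix special cases of slide 33 and the linking and conflict rules of this slide, implemented in Python over a small hand-built expression AST. The generality ordering bool < int < float < string used to resolve conflicts and the arithmetic rows of the matrix are assumptions; the slides do not list them.

```python
"""Operator-type matrix inference over a tiny expression AST."""
from dataclasses import dataclass
from typing import Optional

# Assumed generality ordering for "use the more general type on conflict":
# bool < int < float < string (every PHP value has a string form).
RANK = {"bool": 0, "int": 1, "float": 2, "string": 3}


def more_general(a: Optional[str], b: Optional[str]) -> Optional[str]:
    if a is None:
        return b
    if b is None:
        return a
    return a if RANK[a] >= RANK[b] else b


@dataclass
class Lit:            # a PHP literal, e.g. 42, "abc", true
    value: object


@dataclass
class Param:          # a variable known to hold request parameter `name`
    name: str


@dataclass
class Un:             # unary operator applied to one operand
    op: str
    arg: object


@dataclass
class Bin:            # binary operator applied to two operands
    op: str
    left: object
    right: object


def lit_type(v) -> str:
    if isinstance(v, bool):       # bool before int: True is an int in Python
        return "bool"
    if isinstance(v, int):
        return "int"
    if isinstance(v, float):
        return "float"
    return "string"


def link(node, typ: Optional[str], env: dict) -> None:
    """Rule 2: a parameter compared with / used as `typ` takes that type;
    rule 3: on conflict keep the more general of the two."""
    if isinstance(node, Param) and typ is not None:
        env[node.name] = more_general(env.get(node.name), typ)


def infer(node, env: dict) -> Optional[str]:
    """Return the result type of `node` (None = unknown) and record in `env`
    the parameter types implied by the operators applied to them."""
    if isinstance(node, Lit):
        return lit_type(node.value)
    if isinstance(node, Param):
        return env.get(node.name)
    if isinstance(node, Un):
        t = infer(node.arg, env)
        if node.op == "!":                       # ! always returns boolean
            return "bool"
        if node.op == "-":                       # numeric negation (assumed row)
            link(node.arg, "int", env)
            return t if t in ("int", "float") else "int"
        raise ValueError(node.op)
    lt, rt = infer(node.left, env), infer(node.right, env)
    op = node.op
    if op in ("&&", "||", "xor"):                # always return boolean
        return "bool"
    if op == ".":                                # concatenation always returns string
        return "string"
    if op in ("&", "|", "^"):                    # string iff both operands are strings
        return "string" if lt == "string" and rt == "string" else "int"
    if op in ("==", "!=", "<", "<=", ">", ">="):
        link(node.left, rt, env)                 # $x == 42  links $x to int
        link(node.right, lt, env)
        return "bool"
    if op in ("+", "-", "*", "/", "%"):          # arithmetic (assumed row): operands numeric
        link(node.left, "int", env)
        link(node.right, "int", env)
        return "float" if "float" in (lt, rt) else "int"
    raise ValueError(op)


def infer_params(exprs) -> dict:
    """Run inference over every expression of a script and return the
    parameter -> type map that the IDS can use as its type model."""
    env: dict = {}
    for e in exprs:
        infer(e, env)
    return env
```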


SLIDE 42

Possible value sets

  1. Direct comparison with a literal
  2. Indirect comparison via a switch-case construct
  3. Sanitation code (e.g., regexps, built-in functions); annotations possible
  4. This information can be used for the structural models and character distribution models of our IDS


SLIDE 46

The annotation used for SquirrelMail

SquirrelMail uses the sqgetGlobalVar function to retrieve its parameters:
  • first argument: name of the parameter
  • second argument: reference to the variable that should receive the value
  • annotation: sqgetGlobalVar:1:2
  • code: sqgetGlobalVar('THE_X', &$x)
  • now the analyzer knows that $x holds the value of the parameter THE_X
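Added example (not the authors' analyzer) for the parameter name extraction of slides 22 and 30 and the accessor annotation of this slide: it links variables to the request parameters they receive, through superglobal array access or through accessor functions described by an annotation of the form function:nameArg:valueArg. The extension that valueArg 0 means "the value is the return value" (as for Util::getFormData), the annotation file and the script are assumptions and constructed input; regexes over the source text stand in for the Zend-parser based dataflow analysis.

```python
"""Parameter entry-point extraction driven by accessor annotations."""
import re

# $_GET['name'], $_POST["name"], $_REQUEST['name']
SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST)\[\s*['\"](\w+)['\"]\s*\]")
# $var = $_GET['name']  -> links $var to parameter name directly
ASSIGN_SUPERGLOBAL_RE = re.compile(r"\$(\w+)\s*=\s*" + SUPERGLOBAL_RE.pattern)


def parse_annotations(text):
    """'sqgetGlobalVar:1:2' -> {'sqgetGlobalVar': (1, 2)}; 1-based argument
    indices, value index 0 = the accessor's return value (assumed convention)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        func, name_arg, value_arg = line.split(":")
        table[func] = (int(name_arg), int(value_arg))
    return table


def find_parameters(source, annotations):
    """Return (names, links): every parameter name the script accepts (the
    presence/absence model) and the {variable: parameter} links found."""
    names = set(SUPERGLOBAL_RE.findall(source))
    links = dict(ASSIGN_SUPERGLOBAL_RE.findall(source))
    for func, (name_idx, value_idx) in annotations.items():
        # optional "$var =" prefix, optional "Class::" prefix, flat argument list
        call_re = re.compile(r"(?:\$(\w+)\s*=\s*)?(?:\w+::)?%s\(([^()]*)\)"
                             % re.escape(func))
        for m in call_re.finditer(source):
            args = [a.strip() for a in m.group(2).split(",")]
            if len(args) < max(name_idx, value_idx):
                continue
            name = args[name_idx - 1]
            if not name or name[0] in "$(":
                # parameter name is itself a variable: only the interprocedural
                # analysis (following the caller's literal) can resolve this
                continue
            name = name.strip("'\"\u2019")
            names.add(name)
            if value_idx == 0:
                var = m.group(1)                 # value flows through the return
            else:
                var = args[value_idx - 1].lstrip("&$")   # value flows into &$var
            if var:
                links[var] = name
    return names, links


# Constructed annotation file (format from the slide, plus the 0 = return convention)
ANNOTATIONS = """\
# function:nameArg:valueArg
sqgetGlobalVar:1:2
getFormData:1:0
getGet:1:0
"""

# Constructed script mixing the access styles shown on the slides
SAMPLE_SOURCE = """\
<?php
$actionID = Util::getFormData('actionid');
sqgetGlobalVar('THE_X', &$x);
$y = $_GET['THE_Y'];
$thirdparam = do_something($_POST["thirdparam"]);
$val = Util::getGet($arg, $default);
"""

if __name__ == "__main__":
    names, links = find_parameters(SAMPLE_SOURCE, parse_annotations(ANNOTATIONS))
    print("parameters:", sorted(names))
    print("links:", links)
```

$thirdparam ends up in the parameter set but not in the links, because do_something carries no annotation; that is exactly the gap the interprocedural analysis (or a further annotation) closes.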


SLIDE 48

    $otherparam = Util::getFormData("otherparam");
    $param = array(
        "name"  => "pizzaman",
        "value" => Util::getFormData("param"),
        "info"  => "something boring");
    $thirdparam = do_something($_POST["thirdparam"]);

    $strippedparam = stripslashes($param["value"]);
    if ($strippedparam == "something")
        ...
    switch ($otherparam) {
        case "something else":
            ...
    }
    preg_match("/^([0-9]4).*/", $thirdparam, $number);
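Added example (not MAID or the authors' code): the parameter model that the analysis of the script above yields, written down by hand, applied as detection logic to constructed access-log lines. Assumptions: the preg_match on $thirdparam is read as a four-digit prefix (^[0-9]{4}), THE_X of type int is taken from the earlier `$x == 42` example, and form data is checked as if it arrived in the query string.

```python
"""Checking logged requests against a statically derived parameter model."""
import re
from urllib.parse import parse_qsl, urlsplit

# Type regexes, as the slide gives them for integers: {-}?[0-9]+
TYPE_RE = {"int": re.compile(r"^-?[0-9]+$")}

# Parameter model: the keys are the presence/absence model; each entry carries
# the inferred type, the extracted literal value set or the sanitation regex.
MODEL = {
    "otherparam": {"values": {"something else"}},       # switch-case literal
    "param":      {"values": {"something"}},            # comparison after stripslashes()
    "thirdparam": {"regex": re.compile(r"^[0-9]{4}")},  # assumed reading of the preg_match
    "THE_X":      {"type": "int"},                      # from `$x == 42`
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def check_params(pairs, model=MODEL):
    """Apply the presence/absence, type, value-set and sanitation-regex models
    to decoded (name, value) pairs; return a list of (name, reason) anomalies."""
    findings = []
    for name, value in pairs:
        spec = model.get(name)
        if spec is None:
            findings.append((name, "parameter not accepted by the application"))
            continue
        if "type" in spec and not TYPE_RE[spec["type"]].match(value):
            findings.append((name, "value is not of inferred type %s" % spec["type"]))
        if "values" in spec and value not in spec["values"]:
            findings.append((name, "value outside the extracted value set"))
        if "regex" in spec and not spec["regex"].match(value):
            findings.append((name, "value would fail the sanitation regexp"))
    return findings


def check_request(url, model=MODEL):
    """Decode the query string of one request and check it against the model."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return check_params(pairs, model)


def scan_log(log_text, model=MODEL):
    """Run every request of an access log through the model; return a list
    of (line_number, parameter, reason) so findings can be compared with
    what a purely log-trained model would flag."""
    report = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for name, reason in check_request(m.group(1), model):
            report.append((lineno, name, reason))
    return report


# Constructed access-log excerpt (Apache common log format)
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2006:10:01:02 +0200] "GET /index.php?otherparam=something%20else&param=something HTTP/1.1" 200 512
10.0.0.7 - - [12/Jul/2006:10:01:09 +0200] "GET /index.php?param=something&thirdparam=2006x&THE_X=-7 HTTP/1.1" 200 480
10.0.0.9 - - [12/Jul/2006:10:02:33 +0200] "GET /index.php?param=something&debug=1 HTTP/1.1" 200 480
10.0.0.9 - - [12/Jul/2006:10:02:40 +0200] "GET /index.php?otherparam=whatever&THE_X=abc HTTP/1.1" 200 480
"""

if __name__ == "__main__":
    for lineno, name, reason in scan_log(SAMPLE_LOG):
        print("line %d: %s: %s" % (lineno, name, reason))
```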

slide-49
SLIDE 49

Motivation Analysis Evaluation Summary Mode of Operation Parse Application Sourcecode Find Parameter Entry Points Parameter Name Extraction Type Inference Value Extraction

1 $otherparam = Util::getFormData("otherparam"); 2 $param = array( 3 "name" => "pizzaman", 4 "value" => Util::getFormData("param"), 5 "info" => "something boring"); 6 $thirdparam = do_something($_POST["thirdparam"]); 7 8 $strippedparam = stripslashes($param["value"]); 9 if ($strippedparam == "something") 10 ... 11 switch ($otherparam) { 12 case "something else": 13 ... 14 } 15 preg_match("/^([0-9]4).*", $thirdparam, $number);

  • M. Egele, M. Szydlowski, E. Kirda, C. Kruegel

Using Static Program Analysis to Aid Intrusion Detection

slide-50
SLIDE 50

Motivation Analysis Evaluation Summary Mode of Operation Parse Application Sourcecode Find Parameter Entry Points Parameter Name Extraction Type Inference Value Extraction

1 $otherparam = Util::getFormData("otherparam"); 2 $param = array( 3 "name" => "pizzaman", 4 "value" => Util::getFormData("param"), 5 "info" => "something boring"); 6 $thirdparam = do_something($_POST["thirdparam"]); 7 8 $strippedparam = stripslashes($param["value"]); 9 if ($strippedparam == "something") 10 ... 11 switch ($otherparam) { 12 case "something else": 13 ... 14 } 15 preg_match("/^([0-9]4).*", $thirdparam, $number);

  • M. Egele, M. Szydlowski, E. Kirda, C. Kruegel

Using Static Program Analysis to Aid Intrusion Detection

slide-59
SLIDE 59


how we evaluated our results

Evaluation is divided into two parts:
    Standalone analysis of five real world web-applications
    Crosscheck of some of these results with actual log data

Only GET requests, since POST requests are not logged

We were able to find all parameters that actually appeared in the logs



slide-61
SLIDE 61


web applications under examination

We analyzed the following popular web applications:

    Application              Parameters   Details   Percentage
    Horde2/IMP 3.1               153         47        31%
    Squirrelmail 1.4.6-rc1       268         91        34%
    phpBB 2.0.17                 316         82        26%
    Horde3/IMP 4.0.2             298         64        21%
    PHP iCalendar 2.1             23         15        65%

(Parameters: distinct parameters found by the analysis; Details: parameters for which type or value information could be inferred; Percentage: Details / Parameters)


slide-62
SLIDE 62


info on parameters found

Examples of our findings

Details for parameters: ≈ 35% → information for IDS

    Horde2:     actionID   TYPE_INT      values: 0, 1, 101, 102, ...
    Horde3:     actionID   TYPE_STRING   values: 'add_address', 'add_attachment', ...
    iCalendar:  getdate    TYPE_STRING   preg_match("/([0-9]{4})([0-9]{2})([0-9]{2})/")



slide-65
SLIDE 65


crosscheck with real log data

Results for Horde2/IMP 3.1
Timeframe: three months, 30.000 accesses

    name: reason     type: TYPE_STRING   values: 'failed', 'logout', 'session'   → exact matches in the logs
    to, cc, bcc      type: TYPE_STRING   (the type is the only information inferred)
    f                filename to download-dialog (relict), replaced by MIME-Header parsing



slide-69
SLIDE 69


crosscheck with real log data

Results for Squirrelmail
Timeframe: three weeks, 13.000 accesses

    name: smaction   type: TYPE_STRING   values: 'draft', 'edit_as_new', 'forward', 'forward_as_attachment', 'reply', 'reply_all'   → exact matches in the logs
    what, where      type: TYPE_STRING   dynamic search parameters



slide-72
SLIDE 72


crosscheck with real log data

Evaluation shows that we were able to find all parameters in the sourcecode that are actually used
For about 35%, detailed information on these parameters could be deduced by our analyzer
This additional information can be used to improve the precision of our IDS



slide-75
SLIDE 75


details on phpBB

Scenario: December 2005 mass defacement of phpBB 2.0.17
Exploit modifies the GLOBALS array via: profile.php?GLOBALS[...]
Parameter presence and absence model → GLOBALS is not a parameter of the web-application
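As an added example (not the authors' analyzer or IDS), the following Python code applies the kind of parameter model the "info on parameters found" slides describe (name presence, inferred type, value set or preg_match pattern) and the presence-and-absence check from the phpBB scenario to logged GET requests. The script names, model entries and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit
# Constructed model, not analyzer output: script -> parameter -> type plus value set or regex.
MODEL = {
    "imp.php": {
        "actionID": {"type": "TYPE_INT", "values": {"0", "1", "101", "102"}},
        "reason": {"type": "TYPE_STRING", "values": {"failed", "logout", "session"}},
    },
    "calendar.php": {
        "getdate": {"type": "TYPE_STRING", "regex": r"([0-9]{4})([0-9]{2})([0-9]{2})"},
    },
    "profile.php": {"mode": {"type": "TYPE_STRING"}},
}

def check_request(url):
    """Return anomaly strings for one GET request URL, [] if it fits the model."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    params = MODEL.get(script)
    if params is None:
        return [f"unknown script '{script}'"]
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        base = name.split("[", 1)[0]          # PHP maps 'x[k]=v' onto array parameter x
        spec = params.get(base)
        if spec is None:                      # presence/absence model: script never reads it
            findings.append(f"{script}: unexpected parameter '{base}'")
            continue
        if spec["type"] == "TYPE_INT" and not re.fullmatch(r"-?[0-9]+", value):
            findings.append(f"{script}: '{base}' should be an integer, got '{value}'")
            continue
        if "values" in spec and value not in spec["values"]:
            findings.append(f"{script}: '{base}' value '{value}' outside known set")
        if "regex" in spec and not re.search(spec["regex"], value):
            findings.append(f"{script}: '{base}' value '{value}' fails preg_match pattern")
    return findings

def scan_log(lines):
    """Run check_request over the request field of combined-format access log lines."""
    hits = (re.search(r'"GET (\S+) HTTP/', line) for line in lines)
    return [f for m in hits if m for f in check_request(m.group(1))]

# Constructed log lines, not taken from the paper's evaluation data.
SAMPLE_LOG = [
    '10.0.0.1 - - [01/Dec/2005:10:00:00 +0100] "GET /horde/imp.php?actionID=101&reason=logout HTTP/1.1" 200 512',
    '10.0.0.2 - - [01/Dec/2005:10:00:01 +0100] "GET /horde/imp.php?actionID=abc HTTP/1.1" 200 512',
    '10.0.0.3 - - [01/Dec/2005:10:00:02 +0100] "GET /cal/calendar.php?getdate=20051201 HTTP/1.1" 200 512',
    '10.0.0.4 - - [01/Dec/2005:10:00:03 +0100] "GET /phpbb/profile.php?GLOBALS[x]=y HTTP/1.1" 200 512',
]
```

Only the second and fourth sample lines produce findings: a non-integer actionID, and a GLOBALS parameter that the presence model does not know for profile.php.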



slide-78
SLIDE 78


Summary

Parameter name detection via inter-procedural dataflow analysis
Determine types and possible values of parameters based on their use by the application
Would have been able to detect a real-world exploit
