web applications are used extensively in many areas
play

Web applications are used extensively in many areas: We will rely - PowerPoint PPT Presentation

Sep 11, 2022 •392 likes •872 views

Muath Alkhalaf 1 Shauvik Roy Choudhary 2 Mattia Fazzini 2 Tevfik Bultan 1 Alessandro Orso 2 Christopher Kruegel 1 1 UC Santa Barbara 2 Georgia Tech Web applications are used extensively in many areas: We will rely on web applications more in

  1. Muath Alkhalaf 1 Shauvik Roy Choudhary 2 Mattia Fazzini 2 Tevfik Bultan 1 Alessandro Orso 2 Christopher Kruegel 1 1 UC Santa Barbara 2 Georgia Tech

  2. Web applications are used extensively in many areas: ¡ We will rely on web applications more in the future: ¡ Web software is also rapidly replacing desktop applications ¡ 2

  3. IBM X-force report 3

  4. The user input comes in string form and must be validated before it ¡ can be used § Input validation uses string manipulation which is error prone We need to verify input validation to assure: ¡ § Correctness § Security § Consistency 4

  5. Web applications use the 3-tier Javascript • architecture Client Side Most web applications check the • inputs both on the client side and the server-side PHP Java Server Side This redundancy is necessary for • security reasons (client-side checks can be circumvented by malicious users) Not having client-side input • validation results in unnecessary communication with the server, degrading the responsiveness DB and performance of the application 5

  6. Size of Client Side code is growing rapidly ¡ Over 90% of web sites use javascript ¡ source: W3Techs 6 Source: According to an IBM study performed in 2010 - Salvatore Guarnieri

  7. True Input (valid) Validation Input Function False (Invalid) 7

  8. function validateEmail(form) { var emailStr = form["email"].value; if(emailStr.length == 0) { return true; } var r1 = new RegExp("( )|(@.*@)|(@\\.)"); var r2 = new RegExp("^[\\w]+@([\\w]+\\. [\\w]{2,4})$"); if(!r1.test(emailStr) && r2.test(emailStr)) { return true; } return false; } 8

  9. public boolean validateEmail(Object bean, Field f, ..) { String val = ValidatorUtils.getValueAsString(bean, f); Perl5Util u = new Perl5Util(); if (!(val == null || val.trim().length == 0)) { if ((!u.match("/( )|(@.*@)|(@\\.)/", val)) && u.match("/^[\\w]+@([\\w]+\\.[\\w]{2,4})$/”, val)){ return true; } else { return false; } } return true; } 9

  10. A function that accepts some bad input values Good True input (valid) Bad False input (Invalid) 10

  11. A function that rejects some good input values Good True input (valid) Bad False input (Invalid) 11

  12. How can we check the validation functions? ¡ One approach that has been used in the past: ¡ § Specify the input validation policy as a regular expression (attack patterns, max & min policies) and then use string analysis to check that validation functions conform to the given policy. Someone has to manually write the input validation policies ¡ If the input validation policies are specific for each web application, then the § developers have to write different policies for each application, which could be error prone 12

  13. The approach we present in this paper does not require ¡ developers to write specific policies ¡ Basic idea : Use the inherent redundancy in input validation to check the correctness of the input validation functions 13

  14. Request http://site.com/unsubscribe.jsp?email=john.doe@mail.com Web application (server side) public class FieldChecks { ... public boolean validateRequired (Object bean, Field field, ..){ String value = evaluateBean(bean, Internet field); if( (value==null) || (value.trim ().length()==0) ){ return false; } else{ return true; } } Confirmation Page ... } Java servlet Congratulations! Your account has been unsubscribed unsubscribe.jsp ... Submit HTML page Web server

  15. Request http://site.com/unsubscribe.jsp?email=john.doe@mail.com Web application (server side) public class FieldChecks { ... public boolean validateRequired (Object bean, Field field, ..){ String value = evaluateBean(bean, Reject Internet field); if( (value==null) || (value.trim ().length()==0) ){ return false; } else{ return true; } } Confirmation Page Confirmation Page ... ERROR } Java servlet Congratulations! Congratulations! Your account has been unsubscribed Your account has been unsubscribed unsubscribe.jsp ... ... Submit HTML page HTML page Web server

  16. Client Validation Server Validation Function Function Good True True input input False False Bad input ¡ Two problems may occur: ¡ Either the client side input validation function was under constrained and accepted bad inputs ¡ Or the server side input validation function was over constrained and rejected some good input 16

  17. Reject Web application (server side) public class FieldChecks { ... public boolean validateRequired (Object bean, Field field, ..){ String value = evaluateBean(bean, Internet field); if( (value==null) || (value.trim ().length()==0) ){ return false; } else{ return true; } } ... } Java servlet unsubscribe.jsp Submit Web server

  18. Client Validation Server Validation Function Function Good True True input input False False ¡ A problem may occur: ¡ the client side input validation function was over constrained and rejected some good input ¡ What happens when Input value is bad and the server accepts this value? 18

  19. Request …<script…>… http://site.com/unsubscribe.jsp?email=john.doe@mail.com Web application (server side) Submit public class FieldChecks { ... public boolean validateRequired (Object bean, Attac Field field, ..){ String value = evaluateBean(bean, Internet field); if( (value==null) || (value.trim ().length()==0) ){ return false; k } else{ return true; } } ... } Java servlet unsubscribe.jsp Web server

  20. Client Validation Server Validation Function Function True True False False Bad input ¡ The server side input validation function was under constrained and accepted bad inputs ¡ Serious security problem 20

  21. JS Task 2: Task 1: Client side Input validation Input validation mapping and modeling Java extraction using DFAs Server side Input validation operations Web application Task 3: Inconsistency Counter example identification and reporting Input validation DFAs

  22. JS Task 1: Client side Input validation mapping and Java extraction Server side Input validation operations Web application

  23. Web Application Analyzer Dynamic Extraction for JavaScript J2EE Web App Per Input Validation Configuration Static Extraction For each input, we obtain for Java Routines Domain information ¡ Web Deployment Multiple parameterized validation ¡ Descriptor functions with parameter values Path to access the web ¡ application form 23

  24. ¡ Why extraction § Lots of event handling, error reporting and rendering code Why dynamic? ¡ § Javascript is very dynamic § Object oriented § Prototype inheritance § Closures § Dynamically typed § eval 24

  25. Exec Path Dynamic Slice Run Application Dep Analysis Input ¡ Number of valid inputs Inputs are selected heuristically § ¡ Instrument execution HtmlUnit : browser simulator § Rhino : JS interpreter § ¡ Convert all accesses on objects and arrays to accesses on memory locations 25

  26. Parsing and CFG Transformations Construction and Slicing (uses Soot) Input validation routines Static Slice Control flow graph ¡ Transformations § Library call and parameter inlining § Framework specific modeling and transformation § Constant propagation and Dead code elimination Slicing (PDG based) ¡ § Forward slicing on input parameter § Backward slicing for the true path 26

  27. Task 2: Input validation modeling using DFAs Input validation DFAs

  28. Compute two automata for each input field: ¡ Client-Side DFA A c § ▪ L(A c ) Over approximation of set of values accepted by client-side input validation function Server-Side DFA A s § ▪ L(A s ) Over approximation of set of values accepted by server-side input validation function We use automata based static string analysis to compute L(A c ) and ¡ L(A s ) 28

  29. Static string analysis determines all possible values that a string l expression can take during any program execution We use automata based string analysis ¡ § Associate each string expression in the program with an automaton § The automaton accepts an over approximation of all possible values that the string expression can take during program execution We built our javascript string analysis on Closure compiler from ¡ Google and java string analysis on Soot Flow sensitive, intraprocedural and path sensitive ¡ 29

  30. Symbolic DFA representation Explicit DFA representation . 1 . . 0 2 30

  31. Σ * Due to . . . Lattice with . . . loops we . . . infinite height need fixpoint computation Ø We use an automata based widening operation to over-approximate ¡ the fixpoint § Widening operation over-approximates the union operations and accelerates the convergence of the fixpoint computation 31

  32. Modeling string operations ¡ c a b Input § CONCATENATION c ▪ y = x + “b” Output a b § REPLACEMENT a a d Input ▪ Language based replacement d ▪ replace(x, “a”, “d”) Output c d, a Input § RESTRICTION ▪ If (x = “a”){ … } a Output 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Geo-informatic Web-based Applications for Olive Oil Mills Wastes Disposal Areas Management

Geo-informatic Web-based Applications for Olive Oil Mills Wastes Disposal Areas Management

Geo-informatic Web-based Applications for Olive Oil Mills Wastes Disposal Areas Management Angelos Chliaoutakis 1 , Aris Kydonakis 1 , Apostolos Sarris 1 &amp; Nikos Papadopoulos 1 Maria K. Doula 2 &amp; Victor A. Kavvadias 2 1. Laboratory of

589 views • 17 slides
FOCUS AREAS FOCUS AREAS FOCUS AREAS FOCUS AREAS Our Our Vision Vision Our Our Vision

FOCUS AREAS FOCUS AREAS FOCUS AREAS FOCUS AREAS Our Our Vision Vision Our Our Vision

SOCIAL PROTECTION AND FORMALIZATION NATIONAL PRESENTATION ANTIGUA &amp; BARBUDA Geoffrey Joseph Deputy Director 15 March 2017 FOCUS AREAS FOCUS AREAS FOCUS AREAS FOCUS AREAS Our Our Vision Vision Our Our Vision Vision Our

323 views • 10 slides
Director of the Buckingham Lean Enterprise Unit and played extensively at LERC The version

Director of the Buckingham Lean Enterprise Unit and played extensively at LERC The version

accreditation| certification | community T HE B UCKINGHAM H OUSING R EPAIRS G AME P REVIEW The Buckingham Housing Repairs Game was created by John Bicheno, Director of the Buckingham Lean Enterprise Unit and played extensively at LERC The

740 views • 21 slides
Container-based virtualization Process-level Extensively used in Lightweight virtualization

Container-based virtualization Process-level Extensively used in Lightweight virtualization

C NTR Lightweight OS Containers Jrg Thalheim, Pramod Bhatotia Pedro Fonseca Baris Kasikci USENIX ATC 2018 Container-based virtualization Process-level Extensively used in Lightweight virtualization production isolation Namespaces

250 views • 22 slides
Science One Math March 11, 2019 Applications of Integration Computing areas Computing

Science One Math March 11, 2019 Applications of Integration Computing areas Computing

Science One Math March 11, 2019 Applications of Integration Computing areas Computing changes Computing volumes Computing probabilities Locating centre of mass of a lamina Key ideas slicing, approximating, adding

566 views • 28 slides
Science One Math March 1, 2017 Applications of Integration Computing areas Computing

Science One Math March 1, 2017 Applications of Integration Computing areas Computing

Science One Math March 1, 2017 Applications of Integration Computing areas Computing changes Computing volumes Computing probabilities Locating centre of mass of an object Work done by a non constant force Application of

464 views • 20 slides
Introducing Graham Bailey Graham Bailey has worked extensively in the field of advertising and

Introducing Graham Bailey Graham Bailey has worked extensively in the field of advertising and

Introducing Graham Bailey Graham Bailey has worked extensively in the field of advertising and marketing for a broad cross section of consumer goods manufacturers, industrial products, business to business markets and the charity sector. During

297 views • 13 slides
Contaminant Transport in Porous Media Flow of water through porous media is extensively studied

Contaminant Transport in Porous Media Flow of water through porous media is extensively studied

IIT Bombay Slide 2 Contaminant Transport in Porous Media Flow of water through porous media is extensively studied (seepage, consolidation and stability) The concept of hydraulic conductivity are well established. Chemical flows in soils are

442 views • 16 slides
TCP Overview Jeff Chase Duke University These slides draw extensively on material from Srini

TCP Overview Jeff Chase Duke University These slides draw extensively on material from Srini

TCP Overview Jeff Chase Duke University These slides draw extensively on material from Srini Seshan and Dave Andersen at CMU (mostly figures), and they also incorporate earlier material by Adolfo Rodriguez and Amin Vahdat. Some congestion

985 views • 75 slides
MATHEMATICS 1 CONTENTS Areas under a curve Consumer and producer surplus From marginal to

MATHEMATICS 1 CONTENTS Areas under a curve Consumer and producer surplus From marginal to

Applications of integrals BUSINESS MATHEMATICS 1 CONTENTS Areas under a curve Consumer and producer surplus From marginal to total Old exam question Further study 2 AREAS UNDER A CURVE How do we compute the area under the graph of a

443 views • 20 slides
Voter Referendum October 2, 2018 2 PM 8 PM We Did Our Homework Consulted extensively with

Voter Referendum October 2, 2018 2 PM 8 PM We Did Our Homework Consulted extensively with

Cedar Grove Public Schools Voter Referendum October 2, 2018 2 PM 8 PM We Did Our Homework Consulted extensively with the Cedar Grove Police Department Consulted with multiple law enforcement agents from the State Police, Port

642 views • 20 slides
The Food vs. Fuel Debate Ben Ridley, Credit Suisse AG Drawing extensively on the FAO Statistical

The Food vs. Fuel Debate Ben Ridley, Credit Suisse AG Drawing extensively on the FAO Statistical

11/6/2012 The Food vs. Fuel Debate Ben Ridley, Credit Suisse AG Drawing extensively on the FAO Statistical Yearbook 2012, and the OECD FAO Agricultural Outlook 2011 2020 In the news and often 2 1 11/6/2012 Food availability

351 views • 6 slides
Statewide Ground Source Heat Pump Assessment A R E P O R T F O R T H E D E N A L I C O M M

Statewide Ground Source Heat Pump Assessment A R E P O R T F O R T H E D E N A L I C O M M

Statewide Ground Source Heat Pump Assessment A R E P O R T F O R T H E D E N A L I C O M M I S S I O N Report Overview GSHP technology used extensively in the Lower 48 and internationally Limited cold climate applications

560 views • 21 slides
Signal Processing - Introduction Signal Processing Analogue/digital filters: extensively used

Signal Processing - Introduction Signal Processing Analogue/digital filters: extensively used

Instrumentation (and Signal Processing Process Control) Fall 1393 Bonab University Signal Processing - Introduction Signal Processing Analogue/digital filters: extensively used in sensor signal processing Pre-processing

894 views • 32 slides
Ground Source Heat Pumps in Cold Climates A R E P O R T F O R T H E D E N A L I C O M M I S

Ground Source Heat Pumps in Cold Climates A R E P O R T F O R T H E D E N A L I C O M M I S

Ground Source Heat Pumps in Cold Climates A R E P O R T F O R T H E D E N A L I C O M M I S S I O N Framing the Report GSHP technology used extensively in the Lower 48 and internationally Limited cold climate applications Little

890 views • 43 slides
Ground Source Heat Pumps in Cold Climates A R E P O R T F O R T H E D E N A L I C O M M I S

Ground Source Heat Pumps in Cold Climates A R E P O R T F O R T H E D E N A L I C O M M I S

Ground Source Heat Pumps in Cold Climates A R E P O R T F O R T H E D E N A L I C O M M I S S I O N Introduction GSHP technology used extensively in the Lower 48 and internationally Limited cold climate applications Little is

723 views • 53 slides
CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

701 views • 59 slides
Topic 19 (define x (cons 'a 'b)) Mutable Data Objects x --&gt; (a . b) Primitive mutators for

Topic 19 (define x (cons 'a 'b)) Mutable Data Objects x --&gt; (a . b) Primitive mutators for

Mutable data Basic operations like cons, car, cdr can construct list structure and select its parts, but cannot modify. Topic 19 (define x (cons 'a 'b)) Mutable Data Objects x --&gt; (a . b) Primitive mutators for pairs: set-car! And

460 views • 8 slides
Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs:

Software Security: Defenses &amp; Principles CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ January 29, 2013 Testing

964 views • 50 slides
Python and GraphQL Alec MacQueen Software Engineer @ Administrate Alec MacQueen - @macqueenism -

Python and GraphQL Alec MacQueen Software Engineer @ Administrate Alec MacQueen - @macqueenism -

Python and GraphQL Alec MacQueen Software Engineer @ Administrate Alec MacQueen - @macqueenism - Europython 2018 Alec MacQueen - @macqueenism - Europython 2018 vs Alec MacQueen - @macqueenism - Europython 2018 Maintainability Coupling

875 views • 36 slides
An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component

An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component

An OCL Map Type Edward Willink Willink Transformations Ltd Eclipse Foundation MMT Component co-Lead OCL Project Lead QVTd Project Lead QVTo Committer OMG (Model Driven Solutions) OCL 2.3, 2.4, 2.5 RTF Chair QVT 1.2, 1.3, 1.4 RTF Chair OCL

553 views • 7 slides
Everybody be Cool, This is a Robbery! Normal: Normal: Emphasis: Emphasis: Jean-Baptiste Bedrune

Everybody be Cool, This is a Robbery! Normal: Normal: Emphasis: Emphasis: Jean-Baptiste Bedrune

Color Scheme Color Scheme 52 29 89 89 89 89 55 32 89 89 40 68 121 37 121 200 208 200 226 194 194 153 153 255 153 153 150 153 153 0 Text Formatting Text Formatting Everybody be Cool, This is a Robbery! Normal:

766 views • 57 slides
Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of

Learning a Static Analyzer from Data Pavol Bielik Veselin Raychev Martin Vechev Department of Computer Science CAV 2017 ETH Zurich July 22-28, Heidelberg Writing a Static Analyzer Framework for Java Static Type Checker Static Type

805 views • 46 slides
Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University,

Structure-aware fuzzing for real-world projects Rka Kovcs Etvs Lornd University, Hungary rekanikolett@gmail.com 1 Overview tutorial, no groundbreaking discoveries Motivation growing code size -&gt; growing number of bugs

387 views • 27 slides

More recommend