CRAXweb: Automatic Exploit Generation for Web Applications

928

Published on

This is my first seminar presentation. The presentation is based on the core paper "CRAXweb: Automatic Web Application Testing and Attack Generation". If you are interested in this research area, other research methods in this area can be found in the references section.

Published in: Technology, Education
Transcript of "CRAXweb: Automatic Exploit Generation for Web Applications"

  1. Lehrstuhl für Informatik 4, Seminar in Computer Science. CRAXweb: Automatic Web Application Testing and Attack Generation [1]. Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, National Chiao Tung University. Presented by Aung Thu Rha Hein (5536871). [1] "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), June 2013, IEEE 7th International Conference.
  2. Outline: 1. Introduction 2. Background (What is an exploit? Dynamic analysis; Symbolic execution) 3. CRAXweb: Automatic Web Application Testing and Attack Generation 4. Conclusions 5. References
  3. Introduction: Motivation ● Software bugs are common ● Especially in web applications ● Some bugs are more harmful than others ● They are difficult to detect manually ● Static analysis confuses developers and produces false positives ● Manual testing is not effective
  4. Introduction: Problem Statements ● Challenge ● How to find exploits and shellcode in the program ● Source code analysis alone is not enough ● Finding exploitable paths among all program execution paths
  5. Introduction: Research Objectives ● To generate exploits for web applications
  6. Background: Exploits. What is an exploit? ● Exploit techniques vary with the OS architecture ● Types of exploits: ● Stack overflow exploit ● Heap corruption exploit ● Format string attack ● Attack methodologies: ● Remote exploit ● Local exploit ● Two-stage exploit ● Tools for writing exploits: LibExploit, Metasploit, CANVAS
  7. Background: Exploits. Stack overflow exploit example (c is a 12-byte buffer and strcpy never checks the length of its source, so an argument of 12 or more characters overruns it):

```c
#include <string.h>

/* Deliberately vulnerable, as on the slide: strcpy copies bar into the
   12-byte buffer c without any length check, so an argument of 12 or more
   characters overruns the stack frame. */
void foo(char *bar)
{
    char c[12];
    strcpy(c, bar);
}

int main(int argc, char **argv)
{
    if (argc < 2)       /* not on the slide: avoids dereferencing a missing argument */
        return 1;
    foo(argv[1]);       /* argv[1] is unchecked, externally supplied input */
    return 0;
}
```
  8. Background: Exploits. Stack overflow exploit example (figure)
  9. Background: Dynamic analysis. Introduction ● Monitor code as it executes ● Usefulness of dynamic analysis: ● Precision of information ● Dependence on program inputs ● Four common dynamic analysis techniques: ● Dynamic taint analysis ● Forward symbolic execution ● Frequency spectrum analysis ● Coverage concept analysis ...
  10. Background: Dynamic analysis. Dynamic Taint Analysis ● To hijack program execution, an attacker overwrites values the program expects to come from a trusted source; such attacker-controlled values are tainted ● Taint analysis process: 1. mark input data from untrusted sources as tainted 2. monitor program execution to track how tainted data propagates 3. check whether tainted data is used in dangerous ways
  11. Background: Dynamic analysis. Dynamic Taint Analysis: attack detected using TaintCheck (figure)
  12. Background: Dynamic analysis. Symbolic Execution ● Key idea: generalize testing by allowing unknown symbolic variables in evaluation, e.g. int f(1, 2) becomes int f(α1, α2) ● y = α; assert(f(y) == 2*y-1); ● If the execution path depends on an unknown, conceptually fork the symbolic executor ● int f(int x) { if (x > 0) return 2*x - 1; else return 10; }
  13. Background: Dynamic analysis. Symbolic Execution example (figure)
  14. Background: Dynamic analysis. Symbolic Execution: Purpose ● E.g. are particular program points reachable? ● E.g. is the array access a[i] out of bounds? ● E.g. generate concrete inputs that execute the same paths ● With constraint solvers, e.g. Z3, Yices, STP
  15. Background: Dynamic analysis. Symbolic Execution: Limitations ● Scalability issues when the number of execution paths is large ● Source code, or an equivalent, is required ● Limitations in solving constraints: ● cannot handle non-linear and very complex constraints
  16. Research Paper: CRAXweb: Automatic Web Application Testing and Attack Generation
  17. Research Paper: Overview of CRAXweb ● Implements AEG for large-scale web applications ● Focuses on XSS and SQLi attacks ● Based on a symbolic socket for symbolic execution ● Single-path concolic mode is used to reduce path explosion ● Selective Symbolic Execution (S2E) provides the ability to execute a specific part of a program symbolically ● Simple Theorem Prover (STP) as constraint solver ● Acunetix as web crawler
  18. Research Paper: Exploit Generation: Constraint Solving ● Generate test cases and exploits
  19. Research Paper: Exploit Generation: Constraint Solving. x: exploit; f(x): expected attack script (figure)
  20. Research Paper: Single Path Concolic Mode ● To reduce the overhead caused by symbolic execution ● Explore one path at a time
  21. Research Paper: Flow diagram of the automatic process (figure)
  22. Research Paper: Implementation: Symbolic Socket ● S2E as symbolic environment
  23. Research Paper: Implementation: Architecture ● Overall architecture of the automatic exploit generator (figure)
  24. Research Paper: Implementation: Symbolic Response and Query Handler ● From web crawler to symbolic request
  25. Research Paper: Implementation: Symbolic Response and Query Handler ● From symbolic response or query to exploit generator
  26. Research Paper: Implementation: Exploit Generation (figure)
  27. Research Paper: Implementation: Exploit Generation ● Algorithm to solve the exploit constraint (figure)
  28. Research Paper: Results: Experiment Environment ● Host OS: Ubuntu 10.10 ● Guest environment: emulated by QEMU ● QEMU hosted Debian 5.07 and Windows XP ● Software: S2E 1.0 and MySQL as database handler
  29. Research Paper: Results: Evaluation for different platforms (figure)
  30. Research Paper: Results: Evaluation for Exploit Generation ● With test cases from Ardilla
  31. Research Paper: Results: Evaluation for Exploit Generation ● With test cases from Ardilla (continued)
  32. Research Paper: Results: Evaluation for Exploit Generation ● With real-world applications
  33. Research Paper: Results: Related works
  34. Conclusions ● AEG is possible for web applications ● CRAXweb uses ● symbolic execution ● concolic testing ● However, there is still room for development: ● more exploit types ● integration with a browser
  35. References: Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), IEEE 7th International Conference, June 2013. Shih-Kun Huang, Min-Hsiang Huang, Po-Yen Huang, Chung-Wei Lai, Han-Lin Lu, Wai-Meng Leong, "CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations", Software Security and Reliability (SERE), IEEE Sixth International Conference, June 2012. Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, David Brumley, "AEG: Automatic Exploit Generation", Network and Distributed System Security Symposium, Feb 2012.
  36. References (continued): James Newsome, Dawn Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software", Network and Distributed System Security Symposium, 2005. Cristian Cadar, Daniel Dunbar, Dawson Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs", USENIX Symposium on Operating Systems Design and Implementation, December 2008.
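Added example for the three-step taint analysis process on slide 10 (not code from the slides, from CRAXweb or from TaintCheck): a toy dynamic taint tracker in Python. The `Tainted` class, the `lookup_user` request handler and the sample usernames are constructed here for illustration.

```python
# Added example, not from the slides or the CRAXweb project: a toy dynamic taint tracker
# following the three steps on the slide: (1) mark untrusted input tainted, (2) propagate
# taint through string building, (3) check at a dangerous sink (here a SQL query) whether
# tainted data arrives unsanitised. It flags the data flow, not any particular payload.
class Tainted(str):
    """A str that remembers whether it came from an untrusted source."""
    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj
    # Step 2: propagation. Concatenating with a tainted operand yields a tainted result.
    def __add__(self, other):
        return Tainted(str(self) + str(other), self.tainted or is_tainted(other))
    def __radd__(self, other):
        return Tainted(str(other) + str(self), self.tainted or is_tainted(other))

def is_tainted(x):
    return isinstance(x, Tainted) and x.tainted

def untrusted_input(value):
    """Step 1: every request parameter is marked tainted on arrival (constructed input)."""
    return Tainted(value, tainted=True)

def escape_sql_literal(value):
    """Sanitiser: toy quote doubling; its output is treated as trusted (untainted)."""
    return Tainted(str(value).replace("'", "''"), tainted=False)

class TaintViolation(Exception):
    pass

def sql_sink(query):
    """Step 3: the sink refuses to run a query that still carries taint."""
    if is_tainted(query):
        raise TaintViolation("tainted data reached the SQL sink: " + str(query))
    return "executed: " + str(query)

def lookup_user(username, sanitise):
    """Builds the query from a request parameter; sanitise=False reproduces the SQLi flaw."""
    name = untrusted_input(username)
    if sanitise:
        name = escape_sql_literal(name)
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    try:
        return sql_sink(query)
    except TaintViolation as e:
        return "flagged: " + str(e)
```

Because the check is on provenance rather than content, the unsanitised path is flagged for a harmless username just as it would be for a malicious one.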
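Added example for the symbolic execution slides 12 and 14 (not code from the slides, from S2E or from STP): a toy symbolic executor in Python for the slide's function f that forks at the branch, collects each path's constraint, derives a concrete input per path and checks the slide's assertion. `Sym`, `Path`, `explore` and `solve` are names assumed here, and the bounded brute-force search in `solve` stands in for a real constraint solver.

```python
# Added example, not from the slides or the CRAXweb project: a toy symbolic executor for
# the slide's f(x). It forks at the branch, records each path's constraint, uses a bounded
# brute-force search (stand-in for STP/Z3) for a concrete input per path, and checks the
# slide's assert(f(y) == 2*y - 1) on every path.
class Sym:                                  # symbolic int: ev maps a concrete α to this value
    def __init__(self, path, ev):
        self.path, self.ev = path, ev
    def __gt__(self, k):                    # branch point: the path decides which way to go
        return self.path.decide(lambda a: self.ev(a) > k)
    __rmul__ = __mul__ = lambda self, k: Sym(self.path, lambda a: self.ev(a) * k)
    __sub__ = lambda self, k: Sym(self.path, lambda a: self.ev(a) - k)

class Path:
    """Replays a fixed list of branch decisions and collects the constraints they imply."""
    def __init__(self, decisions):
        self.decisions, self.constraints, self.i = decisions, [], 0
    def decide(self, pred):
        taken = self.decisions[self.i]
        self.i += 1
        self.constraints.append(pred if taken else (lambda a: not pred(a)))
        return taken

def f(x):                                   # the slide's int f(int x), transcribed to Python
    if x > 0:
        return 2 * x - 1
    return 10

def explore(prog):
    """Fork once per branch outcome (f has a single branch); return [(constraints, result_eval)]."""
    paths = []
    for decisions in ([True], [False]):
        p = Path(decisions)
        r = prog(Sym(p, lambda a: a))       # the program input is the bare symbol α
        ev = r.ev if isinstance(r, Sym) else (lambda a, r=r: r)
        paths.append((p.constraints, ev))
    return paths

def solve(constraints, lo=-10, hi=10):
    """Bounded brute-force 'solver': first α in [lo, hi] satisfying all constraints, else None."""
    return next((a for a in range(lo, hi + 1) if all(c(a) for c in constraints)), None)

def concrete_inputs():                      # one concrete test input per feasible path
    return [solve(c) for c, _ in explore(f)]

def assertion_counterexample():             # an α on some path where the assert fails, else None
    for constraints, ev in explore(f):
        bad = solve(constraints + [lambda a, ev=ev: ev(a) != 2 * a - 1])
        if bad is not None:
            return bad
    return None
```

The counterexample lands on the else path, where f returns 10 regardless of α, which is exactly the path the slide's assert(f(y) == 2*y-1) cannot survive.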