CRAXweb: Automatic Exploit Generation for Web Applications

This is my first seminar presentation. The presentation is based on the core paper: CRAXweb: Automatic Web Application Testing and Attack Generation. If you are interested in this research area, other research methods of this research can be found in the reference sections.

Presentation Transcript

Slide 1: Lehrstuhl für Informatik 4 1/161/2012 <Title> <Name LastName> Seminar in Computer Science Kip Irvine
CRAXweb: Automatic Web Application Testing and Attack Generation [1]
Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, National Chiao Tung University
Presented by Aung Thu Rha Hein, 5536871
[1] "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), June 2013, IEEE 7th International Conference.

Slide 2: Outline
1. Introduction
2. Background
   - What is an exploit?
   - Dynamic analysis
   - Symbolic execution
3. CRAXweb: Automatic Web Application Testing and Attack Generation
4. Conclusions
5. References

Slide 3: Introduction: Motivation
● Software bugs are common
● Especially in web applications
● Some bugs are more harmful than others
● They are difficult to detect manually
● Static analysis confuses developers and produces false positives
● Manual testing is not effective

Slide 4: Introduction: Problem Statements
● Challenge: how to find exploits and shellcode in the program
● Source code analysis alone is not enough
● Finding exploitable paths among all program execution paths

Slide 5: Introduction: Research Objectives
● To generate exploits for web applications
Slide 6: Background: Exploits: What is an exploit?
● Exploit techniques vary with the OS architecture
● Types of exploits
  ● Stack overflow exploit
  ● Heap corruption exploit
  ● Format string attack
● Attack methodologies
  ● Remote exploit
  ● Local exploit
  ● Two-stage exploit
● Tools for writing exploits: LibExploit, Metasploit, CANVAS

Slide 7: Background: Exploits: Stack Overflow Exploit Example

    #include <string.h>

    /* strcpy copies the whole argument into a 12-byte buffer without any
       length check, so an argument longer than 11 bytes overwrites the
       stack beyond c (the deliberately vulnerable example from the slide). */
    void foo(char *bar)
    {
        char c[12];
        strcpy(c, bar);
    }

    int main(int argc, char **argv)
    {
        if (argc < 2)
            return 1;   /* nothing to copy */
        foo(argv[1]);
        return 0;
    }

Slide 8: Background: Exploits: Stack Overflow Exploit Example (figure-only slide; no text in the transcript)

Slide 9: Background: Dynamic Analysis: Introduction
● Monitor code as it executes
● Usefulness of dynamic analysis
  ● Precision of information
  ● Dependence on program inputs
● Four common dynamic analysis techniques:
  ● Dynamic taint analysis
  ● Forward symbolic execution
  ● Frequency spectrum analysis
  ● Coverage concept analysis
  ● ...

Slide 10: Background: Dynamic Analysis: Dynamic Taint Analysis
● To exploit program execution, attackers overwrite (taint) values that the program takes from a trusted source
● Taint analysis process
  1. Mark input data from untrusted sources as tainted
  2. Monitor program execution to track how the tainted data propagates
  3. Check when tainted data is used in dangerous ways
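The three-step taint process on slide 10, carried through on a small web handler, as an added example (not code from the CRAXweb paper or from TaintCheck). Untrusted HTTP parameters are labelled at entry, the labels follow the data through string concatenation, and two sinks (HTML output, SQL execution) refuse tainted input. The request, the handler, the sink names and the `GET:name` source label are all constructed for this example; the vulnerable handler and its hardened form run side by side so the tracker's verdict on each can be compared.

```python
import html
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string plus the set of untrusted sources it was derived from."""
    value: str
    sources: frozenset = frozenset()

    @property
    def tainted(self) -> bool:
        return bool(self.sources)


class TaintViolation(Exception):
    """Raised when tainted data reaches a dangerous sink."""


def from_untrusted(source: str, value: str) -> Tainted:
    # Step 1: data read from an untrusted source (an HTTP parameter here)
    # starts out tainted, labelled with where it came from.
    return Tainted(value, frozenset({source}))


def concat(*parts) -> Tainted:
    # Step 2: string building propagates taint; the result depends on every
    # untrusted source that flowed into any operand.
    value = "".join(p.value if isinstance(p, Tainted) else p for p in parts)
    sources = frozenset().union(*[p.sources for p in parts if isinstance(p, Tainted)])
    return Tainted(value, sources)


def html_escape(t: Tainted) -> Tainted:
    # A sanitizer clears taint for the HTML sink: escaped text can no
    # longer introduce markup of its own.
    return Tainted(html.escape(t.value, quote=True), frozenset())


def html_output(page: Tainted) -> str:
    # Step 3: sink that interprets its input as markup (XSS sink).
    if page.tainted:
        raise TaintViolation(f"html_output: page text depends on {sorted(page.sources)}")
    return page.value


def sql_execute(query: Tainted, params: tuple = ()) -> str:
    # Step 3: sink that interprets its input as SQL (SQLi sink). The query
    # text must be untainted; bound parameters may carry tainted data
    # because the driver never parses them as SQL.
    if query.tainted:
        raise TaintViolation(f"sql_execute: query text depends on {sorted(query.sources)}")
    return f"{query.value} with params {params}"


def handle_request(get_params: dict, hardened: bool) -> dict:
    """Constructed request handler run under the tracker.

    Returns, per sink, the value the sink would consume or the violation
    message the tracker raised for it."""
    name = from_untrusted("GET:name", get_params["name"])
    results = {}
    # Reflect the parameter into the page.
    page = concat("<p>Hello, ", html_escape(name) if hardened else name, "</p>")
    try:
        results["html"] = html_output(page)
    except TaintViolation as e:
        results["html"] = f"VIOLATION: {e}"
    # Look the user up in the database.
    if hardened:
        query, params = concat("SELECT id FROM users WHERE name = ?"), (name.value,)
    else:
        query, params = concat("SELECT id FROM users WHERE name = '", name, "'"), ()
    try:
        results["sql"] = sql_execute(query, params)
    except TaintViolation as e:
        results["sql"] = f"VIOLATION: {e}"
    return results


if __name__ == "__main__":
    request = {"name": "O'Brien"}  # constructed sample request
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable", handle_request(request, hardened))
```

The tracker reports on data flow, not on the particular input: the vulnerable handler is flagged for a harmless name just as it would be for a hostile one, which is the property that makes taint analysis useful for finding bugs rather than only catching attacks in progress.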
Slide 11: Background: Dynamic Analysis: Dynamic Taint Analysis: Attack detected using TaintCheck (figure-only slide; no text in the transcript)

Slide 12: Background: Dynamic Analysis: Symbolic Execution
● Key idea: generalize testing by using unknown symbolic variables in evaluation
  ● int f(1, 2) becomes int f(α1, α2)
● Allows unknown symbolic variables in evaluation
  ● y = α; assert(f(y) == 2*y - 1);
● If the execution path depends on an unknown, conceptually fork the symbolic executor
  ● int f(int x) { if (x > 0) return 2*x - 1; else return 10; }

Slide 13: Background: Dynamic Analysis: Symbolic Execution Example (figure-only slide; no text in the transcript)

Slide 14: Background: Dynamic Analysis: Symbolic Execution: Purpose
● E.g. are particular program points reachable?
● E.g. is the array access a[i] out of bounds?
● E.g. generate concrete inputs that execute the same paths
● With constraint solvers, e.g. Z3, Yices, STP

Slide 15: Background: Dynamic Analysis: Symbolic Execution Limitations
● Scalability issues when the number of execution paths is large
● Source code, or an equivalent, is required
● Limitations in solving constraints
  ● Cannot handle non-linear and very complex constraints
Slide 16: Research Paper: CRAXweb: Automatic Web Application Testing and Attack Generation

Slide 17: Research Paper: Overview of CRAXweb
● Implements AEG for large-scale web applications
● Focuses on XSS and SQLi attacks
● Based on a symbolic socket, or symbolic execution
● Single-path concolic mode is used to reduce path explosion
● Selective Symbolic Execution (S2E)
  ● Provides the ability to execute a specific part of the program symbolically
● Simple Theorem Prover (STP) as the constraint solver
● Acunetix as the web crawler

Slide 19: Research Paper: Exploit Generation: Constraint Solving
● Generate test cases and exploits

Slide 20: Research Paper: Exploit Generation: Constraint Solving
● x: exploit
● f(x): expected attack script

Slide 21: Research Paper: Single Path Concolic Mode
● To reduce the overhead caused by symbolic execution
● Explore one path at a time
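The ideas of slides 12 to 15 and 19 to 21 in one runnable model, as an added example (not CRAXweb, S2E or STP code). Each run of `explore` executes exactly one concrete path while recording the symbolic branch conditions it met, which is the single-path concolic mode of slide 21: instead of forking the executor at each branch, a recorded condition is negated, the solver produces a concrete input for the other side, and that input drives the next run. `find_input` then shows the constraint-solving shape of slides 19 and 20 (find an input x such that f(x) equals a wanted result) on the integer function from slide 12, and the assertion from that slide is checked by finding the inputs on which it fails. Everything here is constructed for the example: the `Executor` and `Sym` classes, the brute-force `solve` standing in for a real solver, and the `range(-8, 9)` search domain.

```python
import itertools


class Executor:
    """Records the path condition of ONE concrete run (single path mode)."""

    def __init__(self, inputs):
        self.inputs = inputs  # concrete input values, e.g. {"x": 3}
        self.path = []        # [(Sym condition, bool taken)] in branch order

    def symbolic(self, name):
        return Sym(self.inputs[name], lambda env: env[name], name, self)


class Sym:
    """Concolic value: a concrete part plus a symbolic expression over inputs."""

    def __init__(self, conc, expr, text, ex):
        self.conc, self.expr, self.text, self.ex = conc, expr, text, ex

    def _lift(self, other):
        return other if isinstance(other, Sym) else Sym(other, lambda env: other, repr(other), self.ex)

    def _binop(self, other, op, sym):
        other = self._lift(other)
        return Sym(op(self.conc, other.conc),
                   lambda env: op(self.expr(env), other.expr(env)),
                   f"({self.text} {sym} {other.text})", self.ex)

    def __add__(self, o): return self._binop(o, lambda a, b: a + b, "+")
    def __mul__(self, o): return self._binop(o, lambda a, b: a * b, "*")
    def __sub__(self, o): return self._binop(o, lambda a, b: a - b, "-")
    def __rsub__(self, o): return self._lift(o)._binop(self, lambda a, b: a - b, "-")
    def __gt__(self, o): return self._binop(o, lambda a, b: a > b, ">")
    def __eq__(self, o): return self._binop(o, lambda a, b: a == b, "==")
    __radd__, __rmul__ = __add__, __mul__

    def __bool__(self):
        # A branch on a symbolic condition: record it, follow the concrete side.
        taken = bool(self.conc)
        self.ex.path.append((self, taken))
        return taken


def solve(constraints, names, domain):
    """Find inputs satisfying every (condition, wanted truth value) pair.

    Brute force over a small integer domain; a stand-in for STP or Z3."""
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if all(bool(c.expr(env)) == want for c, want in constraints):
            return env
    return None


def run(program, names, inputs):
    """Execute one concrete path; return (executor, result as a Sym)."""
    ex = Executor(inputs)
    out = program(*[ex.symbolic(n) for n in names])
    if not isinstance(out, Sym):  # constant results such as 10 or True
        out = Sym(out, lambda env, v=out: v, repr(out), ex)
    return ex, out


def explore(program, names, domain=range(-8, 9)):
    """Concolic path exploration: run one path, negate each recorded branch
    (keeping the prefix before it), solve for a new input, repeat.

    Returns [(inputs, concrete result, path signature)] per path found."""
    worklist, seen, results = [{n: 0 for n in names}], set(), []
    while worklist:
        ex, out = run(program, names, worklist.pop())
        sig = tuple((c.text, taken) for c, taken in ex.path)
        if sig in seen:
            continue
        seen.add(sig)
        results.append((ex.inputs, out.conc, sig))
        for i, (cond, taken) in enumerate(ex.path):
            new = solve(ex.path[:i] + [(cond, not taken)], names, domain)
            if new is not None:
                worklist.append(new)
    return results


def find_input(program, names, target, domain=range(-8, 9)):
    """Constraint solving in the shape of slides 19 and 20: for each explored
    path, add "result == target" to its path condition and solve for x."""
    for inputs, _, _ in explore(program, names, domain):
        ex, out = run(program, names, inputs)
        sol = solve(ex.path + [(out == target, True)], names, domain)
        if sol is not None:
            return sol
    return None


def f(x):
    # Slide 12: int f(int x) { if (x > 0) return 2*x - 1; else return 10; }
    if x > 0:
        return 2 * x - 1
    return 10


def assertion_holds(y):
    # Slide 12: y = α; assert(f(y) == 2*y - 1)
    return bool(f(y) == 2 * y - 1)


if __name__ == "__main__":
    for inputs, result, sig in explore(f, ["x"]):
        print(inputs, "->", result, "via", sig)
    print("assertion fails for", [i for i, ok, _ in explore(assertion_holds, ["y"]) if not ok])
    print("input with f(x) == 7:", find_input(f, ["x"], 7))
```

Two paths suffice for f, and the explorer finds both from a single starting input; for the assertion it returns the failing input without ever enumerating inputs blindly, because the negated path condition `y > 0 == False` is handed to the solver. The limitation on slide 15 is visible too: `solve` only works because the domain is tiny, and a real solver is what makes the same scheme scale.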
Slide 22: Research Paper: Flow diagram of the automatic process (figure-only slide; no text in the transcript)

Slide 23: Research Paper: Implementation: Symbolic Socket
● S2E as the symbolic environment

Slide 24: Research Paper: Implementation: Architecture
● Overall architecture of the automatic exploit generator

Slide 25: Research Paper: Implementation: Symbolic Response and Query Handler
● From web crawler to symbolic request

Slide 26: Research Paper: Implementation: Symbolic Response and Query Handler
● From symbolic response or query to exploit generator

Slide 27: Research Paper: Implementation: Exploit Generation (figure-only slide; no text in the transcript)

Slide 28: Research Paper: Implementation: Exploit Generation
● Algorithm to solve the exploit constraint
Slide 29: Research Paper: Results: Experiment Environment
● Host OS: Ubuntu 10.10
● Guest environment: emulated by QEMU
● QEMU-hosted Debian 5.07 and Windows XP
● Software: S2E 1.0, and MySQL as the database handler

Slide 30: Research Paper: Results: Evaluation for different platforms

Slide 31: Research Paper: Results: Evaluation for Exploit Generation
● With test cases from Ardilla

Slide 32: Research Paper: Results: Evaluation for Exploit Generation
● With test cases from Ardilla

Slide 33: Research Paper: Results: Evaluation for Exploit Generation
● With real-world applications

Slide 34: Research Paper: Results: Related works

Slide 35: Conclusions
● AEG is possible for web applications
● CRAXweb uses
  ● Symbolic execution
  ● Concolic testing
● However, there is still room for development
  ● For more exploit types
  ● For integration with a browser

Slide 36: References
Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), IEEE 7th International Conference, June 2013.
Shih-Kun Huang, Min-Hsiang Huang, Po-Yen Huang, Chung-Wei Lai, Han-Lin Lu, Wai-Meng Leong, "CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations", Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference, June 2012.
Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, David Brumley, "AEG: Automatic Exploit Generation", Network and Distributed System Security Symposium, Feb 2012.

Slide 37: References
James Newsome, Dawn Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software", Network and Distributed System Security Symposium, 2005.
Cristian Cadar, Daniel Dunbar, Dawson Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs", USENIX Symposium on Operating Systems Design and Implementation, December 2008.