Automated Patching for
Vulnerable Source Code
Vladimir Kochetkov
Application Inspector/Compiling Applications Analysis/Team Lead
Positive Technologies
Positive Hack Days V
Disclaimer
Who are we?
Developers of PT
Application Inspector!
Application Inspector
― Strong dogfooding
― Analysis is performed at the limits of ?AST approaches
― Generation of attack vectors
― The Big Red Button Concept
― A proprietary solution
Application Inspector
― Integration with PT Application Firewall (aka virtual
patches)
Well... still we want more
What do we want?
To generate patches for
the source code!!
How to catch the vulnerability?
― Know "how it shouldn't be": necessary and sufficient formal
symptoms of vulnerabilities
― Know "how it is": prove the existence of these symptoms in
the analyzed code
― Build an attack vector
based on the revealed
set of symptoms
Formal symptoms of injection
― Potentially vulnerable operation PVO(text): an operation that directly or indirectly interprets "text" in a formal language
― text = transform(argument), where argument is a number of arguments passed to the entry point (EP), and transform is the function of intermediate transformations
― There is at least one reachable set of values of the EP elements at which the syntax tree structure of the "text" value that reaches the PVO changes.
Formalizability of vulnerabilities
Strictly formalizable    Poorly formalizable
Injections               Access Control
Buffer Overflow          Session Management
Heap Overflow            CSRF
Integer Overflow         Concurrency
Memory Management        Domain (Logical)
…                        …
What do we have?
Symbolic Execution
Context Graph!
Disclaimer
This is only an overview. Further details will be presented at
SIBECRYPT'15, Novosibirsk, September 7-12, 2015
Symbolic Execution Context Graph!
The SECG is a graph isomorphic to the CFG, each of whose vertices holds
information on the context of symbolic execution at that point.
The context of symbolic execution is the condition for reaching the current
point of execution plus the set of conditional states of all objects and
variables that can be reached within the current scope.
Symbolic Execution Context Graph
ε {}
Symbolic Execution Context Graph
ε {
parm' {
ε Request.Params["parm1"]
}
}
Symbolic Execution Context Graph
Request.Params["cond1"] == "true" {
parm' {
ε Request.Params["parm1"]
}
}
Symbolic Execution Context Graph
Request.Params["cond1"] != "true" {
parm' {
Request.Params["cond1"] != "true"
Request.Params["parm1"]
}
}
Symbolic Execution Context Graph
Request.Params["cond1"] != "true"
&&
Request.Params["cond2"] == "true" {
parm' {
Request.Params["cond1"] != "true"
Request.Params["parm1"]
}
}
Symbolic Execution Context Graph
Request.Params["cond1"] != "true"
&&
Request.Params["cond2"] != "true" {
parm' {
Request.Params["cond1"] != "true"
Request.Params["parm1"]
}
}
Symbolic Execution Context Graph
Request.Params["cond1"] != "true" {
parm' {
Request.Params["cond2"] == "true"
Request.Params["parm2"]
||
Request.Params["cond2"] != "true"
"<div>Harmless value</div>"
}
}
Symbolic Execution Context Graph
Using the SECG for each PVO we can...
Figure out a vulnerability
formula!
Vulnerability formula
Request.Params["cond1"] != "true" ⇒
Response.Write(
"<a href="" +
parm ∈ {
Request.Params["cond2"] == "true" ⇒
Request.Params["parm2"]
;
Request.Params["cond2"] != "true" ⇒
"<div>Harmless value</div>"
}
+ "">"
)
Vulnerability formula
Request.Params["cond1"] != "true" ⇒
Response.Write(
"<a href="" +
parm ∈ {
Request.Params["cond2"] == "true" ⇒
Request.Params["parm2"]
}
+ "">"
)
Vulnerability formula
Request.Params["cond1"] != "true"
&&
Request.Params["cond2"] == "true" ⇒
Response.Write(
"<a href="" + Request.Params["parm2"] + "">"
)
Vulnerability formula
Request.Params["cond1"] != "true"
&&
Request.Params["cond2"] == "true" ⇒
Response.Write(
"<a href="" + Request.Params["parm2"] + "">"
)
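As an added example (not code from the slides or from Application Inspector), the following Python prototype reproduces the two steps above: it threads a SECG-style context (condition for reaching a point plus the conditional states of variables) through a toy program and, at the Response.Write PVO, expands the variable over its conditional states to derive the vulnerability formula, dropping the alternative whose value is the harmless literal. The program is reconstructed from the slide sequence, and the AST classes and the ASCII "=>" for the slides' ⇒ are assumptions of this example.

```python
from dataclasses import dataclass, field
# Toy expression AST (constructed for this example); frozen so states compare by value.
@dataclass(frozen=True)
class Param: name: str            # taint source: Request.Params[name]
@dataclass(frozen=True)
class Const: value: str           # string literal
@dataclass(frozen=True)
class Var: name: str              # local variable reference
@dataclass(frozen=True)
class Concat: parts: tuple        # string concatenation

@dataclass(frozen=True)
class Cond:                       # Request.Params[name] == / != value
    name: str
    op: str
    value: str
    def negate(self):
        return Cond(self.name, "!=" if self.op == "==" else "==", self.value)
    def __str__(self):
        return f'Request.Params["{self.name}"] {self.op} "{self.value}"'

# Statements: assignment, branch, and the PVO (Response.Write interprets its text as HTML).
@dataclass
class Assign: var: str; expr: object
@dataclass
class If: cond: Cond; then: list; orelse: list
@dataclass
class Write: expr: object

@dataclass
class Context:                    # SECG vertex: reach condition + conditional states of variables
    path: tuple = ()              # conjunction of conditions for reaching this point
    states: dict = field(default_factory=dict)   # var -> [(conditions, value expression)]
    def fork(self, cond):
        return Context(self.path + (cond,), {k: list(v) for k, v in self.states.items()})

def dedup(items):
    out = []
    for it in items:
        if it not in out:
            out.append(it)
    return out

def tainted(e):
    return isinstance(e, Param) or (isinstance(e, Concat) and any(tainted(p) for p in e.parts))

def free_vars(e):
    if isinstance(e, Var):
        return [e.name]
    return dedup(v for p in e.parts for v in free_vars(p)) if isinstance(e, Concat) else []

def substitute(e, var, value):
    if isinstance(e, Var) and e.name == var:
        return value
    return Concat(tuple(substitute(p, var, value) for p in e.parts)) if isinstance(e, Concat) else e

def render(e):                    # C#-like rendering of an expression
    if isinstance(e, Param):
        return f'Request.Params["{e.name}"]'
    if isinstance(e, Const):
        return '"' + e.value.replace('"', '\\"') + '"'
    return " + ".join(render(p) for p in e.parts) if isinstance(e, Concat) else e.name

def vulnerability_formulas(ctx, expr):
    # Expand each variable over its conditional states; keep only the alternatives
    # through which a taint source reaches the PVO (the harmless literal is dropped).
    alts = [((), expr)]
    for v in free_vars(expr):
        alts = [(c + sc, substitute(e, v, sv)) for c, e in alts
                for sc, sv in ctx.states.get(v, [((), Var(v))])]
    return [(dedup(ctx.path + c), e) for c, e in alts if tainted(e)]

def execute(stmts, ctx, reports):
    for s in stmts:
        if isinstance(s, Assign):
            ctx.states[s.var] = [(ctx.path, s.expr)]            # strong update under the current path
        elif isinstance(s, If):
            then_ctx, else_ctx = ctx.fork(s.cond), ctx.fork(s.cond.negate())
            execute(s.then, then_ctx, reports)
            execute(s.orelse, else_ctx, reports)
            ctx.states = {k: dedup(then_ctx.states.get(k, []) + else_ctx.states.get(k, []))
                          for k in set(then_ctx.states) | set(else_ctx.states)}  # merge vertex
        elif isinstance(s, Write):
            reports.append((ctx.path, dict(ctx.states), vulnerability_formulas(ctx, s.expr)))
    return reports

def format_formula(conds, expr):  # "=>" stands for the slides' ⇒
    return " && ".join(map(str, conds)) + " => Response.Write(" + render(expr) + ")"

# Program reconstructed from the slide sequence (assumption: the deck shows only the graph).
PROGRAM = [
    Assign("parm", Param("parm1")),
    If(Cond("cond1", "==", "true"), then=[], orelse=[
        If(Cond("cond2", "==", "true"), then=[Assign("parm", Param("parm2"))],
           orelse=[Assign("parm", Const("<div>Harmless value</div>"))]),
        Write(Concat((Const('<a href="'), Var("parm"), Const('">')))),
    ]),
]

def analyze(program):             # one (reach condition, SECG states, formulas) record per PVO
    return execute(program, Context(), [])
```

`analyze(PROGRAM)` yields a single PVO record whose SECG state for `parm` has two alternatives and whose only formula is the slides' `cond1 != "true" && cond2 == "true"` case.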
What value of Request.Params["parm2"] will escape the boundaries of its token?
The one that is defined by the type of the injection point!
Finding the type of the injection point
<a href=" ">
The type of the injection point is determined by syntactic heuristics applied to the vulnerable expression on either side of the point.
Vulnerability formula
Request.Params["cond1"] != "true"
&&
Request.Params["cond2"] == "true"
&&
(Request.Params["parm2"] == ""><script>alert(0)</script>"
||
Request.Params["parm2"] == ""onmouseover="alert(0)") ⇒
Response.Write(
"<a href="" + Request.Params["parm2"] + "">"
)
By solving for the values that are unknown in the context of the vulnerability formula we get...
A contextual attack vector!
The contextual attack vector
Vulnerable expression:
"<a href="" + Request.Params["parm2"] + "">"
The type of the injection point:
HTML: 2-quoted attribute value
Vector variables:
Request.Params["parm2"] = ""><script>alert(0)</script>"
Conditional variables:
Request.Params["cond1"] = "__AI_akhivldp"
Request.Params["cond2"] = "true"
What is missing?
SECG gives us everything we need!*
* it also gives us everything we don't need yet
The proper patch
― Makes a minimum of changes
― Keeps the semantics of the code
― Solves the problem
― Never introduces new problems
How to generate a patch?
― Know "how it shouldn't be": necessary and sufficient formal symptoms of vulnerabilities
― Know "how it is": prove the existence of these symptoms in the analyzed code
― Eliminate at least one of the required symptoms by changing the code
Symptoms of injection that can be eliminated
― Potentially vulnerable operation PVO(text): an operation that directly or indirectly interprets "text" in a formal language
― text = transform(argument), where argument is a number of arguments passed to the entry point (EP), and transform is the function of intermediate transformations
― At least one set of values of the EP elements exists and is reachable; at these values the syntax tree structure of the "text" value that reaches the PVO changes.
Ways to eliminate the injection
http://www.slideshare.net/kochetkov.vladimir/how-to-develop-a-secure-web-application-and-stay-in-mind-phdays-3/87
• Typing
• Validation
• Sanitization
Attack vector vs patch
Attack vector: it suffices to find a single path from the entry point to the PVO and a single set of values of the vector variables.
Patch: it is necessary to find all paths from the entry point to the PVO and all sets of values of the vector variables.
Attack vector: the type of the injection point can be figured out using heuristics.
Patch: the type of the injection point must be determined strictly, together with its semantics.
Attack vector: the availability of the application may be compromised.
Patch: the application must stay available.
Strict determination of the injection point type
Step #1: replace each taint source in the vulnerable expression with a unique special character:
<a href="∅">
Step #2: parse the string with a modified parser of the island language that allows special characters inside an arbitrary token.
Step #3: find in the parse tree the vertex containing the special character and define the type of the injection point from the type of that vertex.
Step #4: from the type of the injection point, define its semantics.
Opening bracket: <
Tag name: a
Attribute definition
  Attribute name: href
  Assignment sign: =
  2-quoted attr. value: ∅
Closing bracket: >
Result: 2-quoted attribute value (semantic: URL)
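As an added example (not the slides' or Application Inspector's code), the following Python sketch carries out the four steps above on the slides' vulnerable expression and also checks the third formal symptom of injection from the "Symptoms of injection" slides: whether a concrete value changes the syntax tree structure of the text reaching the PVO. The island parser, the `Source` marker, the attribute-to-semantics table and the "NAME" label for identifier positions are assumptions of this example.

```python
from dataclasses import dataclass, field
SPECIAL = "\u2205"                                   # ∅ stands in for a taint source (step 1)
URL_ATTRS = {"href", "src", "action", "formaction"}  # attributes whose value has URL semantics

@dataclass(frozen=True)
class Source: name: str   # taint source in the vulnerable expression, e.g. Request.Params["parm2"]

@dataclass
class Node: kind: str; text: str = ""; children: list = field(default_factory=list)   # parse-tree vertex

def is_name_char(c):
    return c.isalnum() or c in "-_:" or c == SPECIAL  # the modified grammar admits ∅ in any token

class IslandParser:
    # Minimal grammar for the HTML island (tags, attributes, text) that tolerates the
    # placeholder inside any token; deliberately not a full HTML parser.
    def __init__(self, text):
        self.s, self.i = text, 0
    def token(self, ok):                     # longest run of characters accepted by ok()
        start = self.i
        while self.i < len(self.s) and ok(self.s[self.i]):
            self.i += 1
        return self.s[start:self.i]
    def parse(self):                         # step 2
        root = Node("document")
        while self.i < len(self.s):
            root.children.append(self.tag() if self.s[self.i] == "<"
                                 else Node("text", self.token(lambda c: c != "<")))
        return root
    def tag(self):
        node = Node("tag")
        node.children.append(Node("opening bracket", self.token(lambda c: c in "</")))
        node.children.append(Node("tag name", self.token(is_name_char)))
        while True:
            self.token(str.isspace)
            if self.i >= len(self.s):
                return node                  # unterminated tag: no closing-bracket vertex
            if self.s[self.i] == ">":
                self.i += 1
                node.children.append(Node("closing bracket", ">"))
                return node
            node.children.append(self.attribute())
    def attribute(self):
        attr = Node("attribute definition")
        name = self.token(is_name_char)
        if not name:                         # stray character: consume it so parsing progresses
            name, self.i = self.s[self.i], self.i + 1
        attr.children.append(Node("attribute name", name))
        self.token(str.isspace)
        if self.s[self.i:self.i + 1] == "=":
            self.i += 1
            attr.children.append(Node("assignment sign", "="))
            self.token(str.isspace)
            attr.children.append(self.value())
        return attr
    def value(self):
        q = self.s[self.i:self.i + 1]
        if q in ('"', "'"):
            self.i += 1
            val = self.token(lambda c: c != q)
            self.i += 1                      # closing quote
            return Node("2-quoted attr. value" if q == '"' else "1-quoted attr. value", val)
        return Node("unquoted attr. value", self.token(lambda c: not c.isspace() and c != ">"))

def instantiate(parts, value):               # step 1: text reaching the PVO with `value` at each taint source
    return "".join(value if isinstance(p, Source) else p for p in parts)

def locate(node, chain=()):                  # step 3: vertices from the root down to the one holding ∅
    chain = chain + (node,)
    if SPECIAL in node.text:
        return chain
    for child in node.children:
        hit = locate(child, chain)
        if hit:
            return hit
    return None

def injection_point(parts):
    """Steps 1-4: (token type of the injection point, its semantics)."""
    chain = locate(IslandParser(instantiate(parts, SPECIAL)).parse())
    if chain is None:
        raise ValueError("expression has no taint source")
    node = chain[-1]
    if node.kind.endswith("attr. value"):
        attr_name = chain[-2].children[0].text.lower()   # name inside the enclosing attribute definition
        return node.kind, ("URL" if attr_name in URL_ATTRS else "TEXT")
    return node.kind, ("TEXT" if node.kind == "text" else "NAME")  # NAME: assumed label for identifiers

def shape(node):
    return (node.kind, tuple(shape(c) for c in node.children))

def structure_changes(parts, value):
    """Third formal symptom of injection: does this value change the syntax tree
    structure of the text reaching the PVO, compared with the placeholder parse?"""
    reference = shape(IslandParser(instantiate(parts, SPECIAL)).parse())
    return shape(IslandParser(instantiate(parts, value)).parse()) != reference

VULNERABLE = ['<a href="', Source("parm2"), '">']   # "<a href=\"" + Request.Params["parm2"] + "\">"
```

`injection_point(VULNERABLE)` returns the slides' result, a 2-quoted attribute value with URL semantics, and `structure_changes` reports whether a given value stays inside that token or alters the tree.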
Keeps the semantics of the code
- Priority of countermeasures:
1) Typing
2) Sanitizing
3) Validation
- All conditions for executing the PVO, as well as the values of its arguments, are taken into account during typing and sanitizing
- Countermeasures are applied exactly at the source of the vulnerability
Typing
2-quoted attribute value (semantic: URL): typing is possible
Assigning a dangerous value to parm
Sanitizing
Text value (semantic: TEXT): typing is not possible, sanitizing may be applied
Assigning a dangerous value to parm
Validation
Typing and sanitizing are not possible, validation is possible
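As an added example (not the slides' or Application Inspector's code), the following Python sketch applies the countermeasure priority above to the slides' vulnerable expression: typing for the URL-valued attribute, sanitizing for TEXT positions, and validation where neither fits, with the fix applied exactly at the taint source so the rest of the expression is unchanged and the application stays available. The `InjectionPoint` record, the URL re-serialisation, the empty-token default on typing failure and the name regex are assumptions of this example.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import quote, urlsplit, urlunsplit

@dataclass(frozen=True)
class Source: name: str          # taint source inside the vulnerable expression

@dataclass(frozen=True)
class InjectionPoint:
    kind: str                    # token type found by the island parser, e.g. "2-quoted attr. value"
    semantic: str                # "URL", "TEXT" or "NAME", derived from the surrounding tokens

HOST = re.compile(r"[A-Za-z0-9.-]+(:\d{1,5})?")
NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")

def type_url(value):
    """Typing (priority 1): accept only absolute http(s) URLs and re-serialise them, so
    the emitted token is a URL and nothing else; any other input becomes None."""
    try:
        u = urlsplit(value)
    except ValueError:           # e.g. malformed IPv6 literal
        return None
    if u.scheme not in ("http", "https") or not HOST.fullmatch(u.netloc):
        return None
    return urlunsplit((u.scheme, u.netloc.lower(), quote(u.path, safe="/%"),
                       quote(u.query, safe="=&%+"), quote(u.fragment, safe="%")))

def sanitize_html(value):
    """Sanitizing (priority 2): escape every character that could close the token."""
    return html.escape(value, quote=True)

def validate_name(value):
    """Validation (priority 3): at grammar positions (tag and attribute names) there is no
    type to parse into and nothing to escape, so a bad value rejects the request."""
    if not NAME.fullmatch(value):
        raise ValueError("rejected by validation: " + repr(value))
    return value

def choose_countermeasure(point):
    """Priority from the slides: typing, then sanitizing, then validation."""
    if point.kind.endswith("attr. value") and point.semantic == "URL":
        return "typing", type_url
    if point.kind in ("2-quoted attr. value", "1-quoted attr. value", "text"):
        return "sanitizing", sanitize_html
    return "validation", validate_name

def patched_write(parts, point, request_params):
    """Argument of the patched PVO: the countermeasure is applied exactly at the taint
    source and the rest of the expression is left as it was (minimal change)."""
    name, fix = choose_countermeasure(point)
    out = []
    for p in parts:
        if isinstance(p, Source):
            fixed = fix(request_params.get(p.name, ""))
            out.append("" if fixed is None else fixed)   # typing failed: empty token (assumed default)
        else:
            out.append(p)
    return name, "".join(out)

# Vulnerable expression and injection point from the slides.
VULNERABLE = ['<a href="', Source("parm2"), '">']
HREF_POINT = InjectionPoint("2-quoted attr. value", "URL")

if __name__ == "__main__":
    for value in ("http://example.org/a b?q=1", 'http://example.org/"><b>', '"><script>alert(0)</script>'):
        print(patched_write(VULNERABLE, HREF_POINT, {"parm2": value}))
    print(patched_write(['<img alt="', Source("alt"), '">'],
                        InjectionPoint("2-quoted attr. value", "TEXT"), {"alt": '"onmouseover="alert(0)'}))
```

With the typed href, the slides' vector values never reach the attribute as markup: a real URL is kept (percent-encoded where needed) and a non-URL yields an empty token, while the TEXT attribute is escaped rather than rejected.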
Any patches for other attack types?
√ Injections
√ Buffer Overflow
√ Heap Overflow
√ Integer Overflow
? Memory Management Attacks
? Access Control Attacks
? Session Fixation
? CSRF
x Race Conditions
x Domain(Logical) Attacks
When do we want it?
Right now!!!
{DEMO}
Any questions?
Vladimir Kochetkov
vkochetkov@ptsecurity.com
@kochetkov_v
Application Inspector/Compiling Applications Analysis/Team Lead
Positive Technologies
Automated Patching for Vulnerable Source Code

More Related Content

What's hot

C++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical ReviewerC++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical Reviewer
Andrey Karpov
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >
Sergey Platonov
 
Analyzing Firebird 3.0
Analyzing Firebird 3.0Analyzing Firebird 3.0
Analyzing Firebird 3.0
Ekaterina Milovidova
 
Exceptions and Exception Handling in C++
Exceptions and Exception Handling in C++Exceptions and Exception Handling in C++
Exceptions and Exception Handling in C++
IRJET Journal
 
Java 7 new features
Java 7 new featuresJava 7 new features
Java 7 new features
Shivam Goel
 
Memories of Bug Fixes
Memories of Bug FixesMemories of Bug Fixes
Memories of Bug Fixes
Sung Kim
 
PVS-Studio is ready to improve the code of Tizen operating system
PVS-Studio is ready to improve the code of Tizen operating systemPVS-Studio is ready to improve the code of Tizen operating system
PVS-Studio is ready to improve the code of Tizen operating system
Andrey Karpov
 
The Little Unicorn That Could
The Little Unicorn That CouldThe Little Unicorn That Could
The Little Unicorn That Could
PVS-Studio
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
Olve Maudal
 
Cppcheck and PVS-Studio compared
Cppcheck and PVS-Studio comparedCppcheck and PVS-Studio compared
Cppcheck and PVS-Studio compared
PVS-Studio
 
Linux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLiteLinux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLite
PVS-Studio
 
The First C# Project Analyzed
The First C# Project AnalyzedThe First C# Project Analyzed
The First C# Project Analyzed
PVS-Studio
 
Python and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error densityPython and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error density
PVS-Studio
 
Best Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesBest Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' Mistakes
Andrey Karpov
 
Testing RESTful Webservices using the REST-assured framework
Testing RESTful Webservices using the REST-assured frameworkTesting RESTful Webservices using the REST-assured framework
Testing RESTful Webservices using the REST-assured framework
Micha Kops
 
PVS-Studio is there to help CERN: analysis of Geant4 project
PVS-Studio is there to help CERN: analysis of Geant4 projectPVS-Studio is there to help CERN: analysis of Geant4 project
PVS-Studio is there to help CERN: analysis of Geant4 project
PVS-Studio
 
Re-analysis of Umbraco code
Re-analysis of Umbraco codeRe-analysis of Umbraco code
Re-analysis of Umbraco code
PVS-Studio
 
Better Code through Lint and Checkstyle
Better Code through Lint and CheckstyleBetter Code through Lint and Checkstyle
Better Code through Lint and Checkstyle
Marc Prengemann
 
Writing more complex models
Writing more complex modelsWriting more complex models
Writing more complex models
Mohamed Samy
 
Analysis of the Trans-Proteomic Pipeline (TPP) project
Analysis of the Trans-Proteomic Pipeline (TPP) projectAnalysis of the Trans-Proteomic Pipeline (TPP) project
Analysis of the Trans-Proteomic Pipeline (TPP) project
PVS-Studio
 

What's hot (20)

C++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical ReviewerC++ Code as Seen by a Hypercritical Reviewer
C++ Code as Seen by a Hypercritical Reviewer
 
Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >Антон Бикинеев, Writing good std::future&lt; C++ >
Антон Бикинеев, Writing good std::future&lt; C++ >
 
Analyzing Firebird 3.0
Analyzing Firebird 3.0Analyzing Firebird 3.0
Analyzing Firebird 3.0
 
Exceptions and Exception Handling in C++
Exceptions and Exception Handling in C++Exceptions and Exception Handling in C++
Exceptions and Exception Handling in C++
 
Java 7 new features
Java 7 new featuresJava 7 new features
Java 7 new features
 
Memories of Bug Fixes
Memories of Bug FixesMemories of Bug Fixes
Memories of Bug Fixes
 
PVS-Studio is ready to improve the code of Tizen operating system
PVS-Studio is ready to improve the code of Tizen operating systemPVS-Studio is ready to improve the code of Tizen operating system
PVS-Studio is ready to improve the code of Tizen operating system
 
The Little Unicorn That Could
The Little Unicorn That CouldThe Little Unicorn That Could
The Little Unicorn That Could
 
Insecure coding in C (and C++)
Insecure coding in C (and C++)Insecure coding in C (and C++)
Insecure coding in C (and C++)
 
Cppcheck and PVS-Studio compared
Cppcheck and PVS-Studio comparedCppcheck and PVS-Studio compared
Cppcheck and PVS-Studio compared
 
Linux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLiteLinux version of PVS-Studio couldn't help checking CodeLite
Linux version of PVS-Studio couldn't help checking CodeLite
 
The First C# Project Analyzed
The First C# Project AnalyzedThe First C# Project Analyzed
The First C# Project Analyzed
 
Python and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error densityPython and Ruby implementations compared by the error density
Python and Ruby implementations compared by the error density
 
Best Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' MistakesBest Bugs from Games: Fellow Programmers' Mistakes
Best Bugs from Games: Fellow Programmers' Mistakes
 
Testing RESTful Webservices using the REST-assured framework
Testing RESTful Webservices using the REST-assured frameworkTesting RESTful Webservices using the REST-assured framework
Testing RESTful Webservices using the REST-assured framework
 
PVS-Studio is there to help CERN: analysis of Geant4 project
PVS-Studio is there to help CERN: analysis of Geant4 projectPVS-Studio is there to help CERN: analysis of Geant4 project
PVS-Studio is there to help CERN: analysis of Geant4 project
 
Re-analysis of Umbraco code
Re-analysis of Umbraco codeRe-analysis of Umbraco code
Re-analysis of Umbraco code
 
Better Code through Lint and Checkstyle
Better Code through Lint and CheckstyleBetter Code through Lint and Checkstyle
Better Code through Lint and Checkstyle
 
Writing more complex models
Writing more complex modelsWriting more complex models
Writing more complex models
 
Analysis of the Trans-Proteomic Pipeline (TPP) project
Analysis of the Trans-Proteomic Pipeline (TPP) projectAnalysis of the Trans-Proteomic Pipeline (TPP) project
Analysis of the Trans-Proteomic Pipeline (TPP) project
 

Similar to Automated Patching for Vulnerable Source Code

A fresh eye on Oracle VM VirtualBox
A fresh eye on Oracle VM VirtualBoxA fresh eye on Oracle VM VirtualBox
A fresh eye on Oracle VM VirtualBox
PVS-Studio
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
Felipe Prado
 
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
GeeksLab Odessa
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
Rob Ragan
 
API first with Swagger and Scala by Slava Schmidt
API first with Swagger and Scala by  Slava SchmidtAPI first with Swagger and Scala by  Slava Schmidt
API first with Swagger and Scala by Slava Schmidt
JavaDayUA
 
Drilling the Async Library
Drilling the Async LibraryDrilling the Async Library
Drilling the Async Library
Knoldus Inc.
 
Looking for Bugs in MonoDevelop
Looking for Bugs in MonoDevelopLooking for Bugs in MonoDevelop
Looking for Bugs in MonoDevelop
PVS-Studio
 
Long-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine VLong-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine V
PVS-Studio
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP
chadtindel
 
Cpcs302 1
Cpcs302  1Cpcs302  1
Cpcs302 1
guest5de1a5
 
Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...
Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...
Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...
Lionel Briand
 
Code Generation for Azure with .net
Code Generation for Azure with .netCode Generation for Azure with .net
Code Generation for Azure with .net
Marco Parenzan
 
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
Stefano Dalla Palma
 
Мечтают ли WAF'ы о статанализаторах
Мечтают ли WAF'ы о статанализаторахМечтают ли WAF'ы о статанализаторах
Мечтают ли WAF'ы о статанализаторах
Positive Hack Days
 
Do WAFs dream of static analyzers
Do WAFs dream of static analyzersDo WAFs dream of static analyzers
Do WAFs dream of static analyzers
Vladimir Kochetkov
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasues
volvent
 
what is compiler and five phases of compiler
what is compiler and five phases of compilerwhat is compiler and five phases of compiler
what is compiler and five phases of compiler
adilmehmood93
 
Александр Куцан: "Static Code Analysis in C++"
Александр Куцан: "Static Code Analysis in C++" Александр Куцан: "Static Code Analysis in C++"
Александр Куцан: "Static Code Analysis in C++"
Anna Shymchenko
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP
chadtindel
 
Javascript
JavascriptJavascript
Javascript
Gita Kriz
 

Similar to Automated Patching for Vulnerable Source Code (20)

A fresh eye on Oracle VM VirtualBox
A fresh eye on Oracle VM VirtualBoxA fresh eye on Oracle VM VirtualBox
A fresh eye on Oracle VM VirtualBox
 
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyDEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxy
 
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
QA Lab: тестирование ПО. Станислав Шмидт: "Self-testing REST APIs with API Fi...
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 
API first with Swagger and Scala by Slava Schmidt
API first with Swagger and Scala by  Slava SchmidtAPI first with Swagger and Scala by  Slava Schmidt
API first with Swagger and Scala by Slava Schmidt
 
Drilling the Async Library
Drilling the Async LibraryDrilling the Async Library
Drilling the Async Library
 
Looking for Bugs in MonoDevelop
Looking for Bugs in MonoDevelopLooking for Bugs in MonoDevelop
Looking for Bugs in MonoDevelop
 
Long-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine VLong-Awaited Check of CryEngine V
Long-Awaited Check of CryEngine V
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP
 
Cpcs302 1
Cpcs302  1Cpcs302  1
Cpcs302 1
 
Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...
Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...
Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...
 
Code Generation for Azure with .net
Code Generation for Azure with .netCode Generation for Azure with .net
Code Generation for Azure with .net
 
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
 
Мечтают ли WAF'ы о статанализаторах
Мечтают ли WAF'ы о статанализаторахМечтают ли WAF'ы о статанализаторах
Мечтают ли WAF'ы о статанализаторах
 
Do WAFs dream of static analyzers
Do WAFs dream of static analyzersDo WAFs dream of static analyzers
Do WAFs dream of static analyzers
 
Real-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and CountermeasuesReal-World WebAppSec Flaws - Examples and Countermeasues
Real-World WebAppSec Flaws - Examples and Countermeasues
 
what is compiler and five phases of compiler
what is compiler and five phases of compilerwhat is compiler and five phases of compiler
what is compiler and five phases of compiler
 
Александр Куцан: "Static Code Analysis in C++"
Александр Куцан: "Static Code Analysis in C++" Александр Куцан: "Static Code Analysis in C++"
Александр Куцан: "Static Code Analysis in C++"
 
20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP20160211 OWASP Charlotte RASP
20160211 OWASP Charlotte RASP
 
Javascript
JavascriptJavascript
Javascript
 

More from Vladimir Kochetkov

Практическое использование средств криптографии в .NET, Java и PHP
Практическое использование средств криптографии в .NET, Java и PHPПрактическое использование средств криптографии в .NET, Java и PHP
Практическое использование средств криптографии в .NET, Java и PHP
Vladimir Kochetkov
 
AppSec -- хакерский путь
AppSec -- хакерский путьAppSec -- хакерский путь
AppSec -- хакерский путь
Vladimir Kochetkov
 
Подводные камни прикладной криптографии, I
Подводные камни прикладной криптографии, IПодводные камни прикладной криптографии, I
Подводные камни прикладной криптографии, I
Vladimir Kochetkov
 
Философия Application Security
Философия Application SecurityФилософия Application Security
Философия Application Security
Vladimir Kochetkov
 
Современные подходы к SAST
Современные подходы к SASTСовременные подходы к SAST
Современные подходы к SAST
Vladimir Kochetkov
 
Подводные камни System.Security.Cryptography
Подводные камни System.Security.CryptographyПодводные камни System.Security.Cryptography
Подводные камни System.Security.Cryptography
Vladimir Kochetkov
 
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Vladimir Kochetkov
 
Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible!
Vladimir Kochetkov
 
Прикладная теория Application Security
Прикладная теория Application SecurityПрикладная теория Application Security
Прикладная теория Application Security
Vladimir Kochetkov
 
Исключительно простая теория AppSec .NET
Исключительно простая теория AppSec .NETИсключительно простая теория AppSec .NET
Исключительно простая теория AppSec .NET
Vladimir Kochetkov
 
Автоматическая генерация патчей для уязвимого исходного кода
Автоматическая генерация патчей для уязвимого исходного кодаАвтоматическая генерация патчей для уязвимого исходного кода
Автоматическая генерация патчей для уязвимого исходного кода
Vladimir Kochetkov
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
Vladimir Kochetkov
 
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Vladimir Kochetkov
 
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Vladimir Kochetkov
 

More from Vladimir Kochetkov (14)

Практическое использование средств криптографии в .NET, Java и PHP
Практическое использование средств криптографии в .NET, Java и PHPПрактическое использование средств криптографии в .NET, Java и PHP
Практическое использование средств криптографии в .NET, Java и PHP
 
AppSec -- хакерский путь
AppSec -- хакерский путьAppSec -- хакерский путь
AppSec -- хакерский путь
 
Подводные камни прикладной криптографии, I
Подводные камни прикладной криптографии, IПодводные камни прикладной криптографии, I
Подводные камни прикладной криптографии, I
 
Философия Application Security
Философия Application SecurityФилософия Application Security
Философия Application Security
 
Современные подходы к SAST
Современные подходы к SASTСовременные подходы к SAST
Современные подходы к SAST
 
Подводные камни System.Security.Cryptography
Подводные камни System.Security.CryptographyПодводные камни System.Security.Cryptography
Подводные камни System.Security.Cryptography
 
Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!Взломать Web-сайт на ASP.NET? Сложно, но можно!
Взломать Web-сайт на ASP.NET? Сложно, но можно!
 
Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible!
 
Прикладная теория Application Security
Прикладная теория Application SecurityПрикладная теория Application Security
Прикладная теория Application Security
 
Исключительно простая теория AppSec .NET
Исключительно простая теория AppSec .NETИсключительно простая теория AppSec .NET
Исключительно простая теория AppSec .NET
 
Автоматическая генерация патчей для уязвимого исходного кода
Автоматическая генерация патчей для уязвимого исходного кодаАвтоматическая генерация патчей для уязвимого исходного кода
Автоматическая генерация патчей для уязвимого исходного кода
 
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
How to Develop a Secure Web Application and Stay in Mind? (PHDays 3)
 
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
Как разработать защищенное веб-приложение и не сойти при этом с ума (вебинар)
 
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
Как разработать защищенное веб-приложение и не сойти при этом с ума? (PHDays 3)
 

Automated Patching for Vulnerable Source Code

  • 1.
  • 2. Automated Patching for Vulnerable Source Code Vladimir Kochetkov Application Inspector/Compiling Applications Analysis/Team Lead Positive Technologies Positive Hack Days V
  • 6. Application Inspector ― Strong dogfooding ― Analysis is performed on the limit of ?AST approaches ― Generation of attack vectors ― The Big Red Button Concept ― A proprietary solution
  • 7. Application Inspector ― Integration with PT Application Firewall (aka virtual patches) Well... still we want more
  • 8. What do we want?
  • 9. To generate patches for the source code!!
  • 10. How to catch the vulnerability? ― Know "how it shouldn't be": necessary and sufficient formal symptoms of vulnerabilities ― Know "how it is": prove the existence of these symptoms in the analyzed code ― Build an attack vector based on the revealed set of symptoms
  • 11. Formal symptoms of injection ― Potentially vulnerable operation PVO(text): operation of direct or indirect "text" interpretation in a formal language ― text = transform(argument), where argument – number of arguments passed to the EP entry point, and transform – the function of intermediate transformations ― There is at least one set of such values of EP elements that can be reached. At these values the syntax tree structure of the "text" value, that reaches PVO, changes.
  • 12. Formalizability of vulnerabilities Strictly formalizable Poorly formalizable Injections Access Control Buffer Overflow Session Management Heap Overflow CSRF Integer Overflow Concurrency Memory Management Domain(Logical) … …
  • 13. What do we have?
  • 15. Disclaimer There is just a review. Further details will be presented at SIBECRYPT’15 Novosibirsk, September 7-12, 2015
  • 16. Symbolic Execution Context Graph! SECG is a graph, an isomorphic CFG, each of its vertices contains information on the context of symbolic execution The context of symbolic execution - a condition for accessing the current point of execution + a set of conditional states of all objects and variables that can be reached within the current scope
  • 18. Symbolic Execution Context Graph ε { parm' { ε Request.Params["parm1"] } }
  • 19. Symbolic Execution Context Graph Request.Params["cond1"] == "true" { parm' { ε Request.Params["parm1"] } }
  • 20. Symbolic Execution Context Graph Request.Params["cond1"] != "true" { parm' { Request.Params["cond1"] != "true" Request.Params["parm1"] } }
  • 21. Symbolic Execution Context Graph Request.Params["cond1"] != "true" && Request.Params["cond2"] == "true" { parm' { Request.Params["cond1"] != "true" Request.Params["parm1"] } }
  • 22. Symbolic Execution Context Graph Request.Params["cond1"] != "true" && Request.Params["cond2"] != "true" { parm' { Request.Params["cond1"] != "true" Request.Params["parm1"] } }
  • 23. Symbolic Execution Context Graph Request.Params["cond1"] != "true" { parm' { Request.Params["cond2"] == "true" Request.Params["parm2"] || Request.Params["cond2"] != "true" "<div>Harmless value</div>" } }
  • 24. Symbolic Execution Context Graph Request.Params["cond1"] != "true" { parm' { Request.Params["cond2"] == "true" Request.Params["parm2"] || Request.Params["cond2"] != "true" "<div>Harmless value</div>" } } Using the SECG for each PVO we can...
  • 25. Figure out a vulnerability formula!
  • 26. Vulnerability formula Request.Params["cond1"] != "true" ⇒ Response.Write( "<a href=\"" + parm ∈ { Request.Params["cond2"] == "true" ⇒ Request.Params["parm2"] ; Request.Params["cond2"] != "true" ⇒ "<div>Harmless value</div>" } + "\">" )
  • 27. Vulnerability formula Request.Params["cond1"] != "true" ⇒ Response.Write( "<a href=\"" + parm ∈ { Request.Params["cond2"] == "true" ⇒ Request.Params["parm2"] } + "\">" )
  • 28. Vulnerability formula Request.Params["cond1"] != "true" && Request.Params["cond2"] == "true" ⇒ Response.Write( "<a href=\"" + Request.Params["parm2"] + "\">" )
  • 29. Vulnerability formula Request.Params["cond1"] != "true" && Request.Params["cond2"] == "true" ⇒ Response.Write( "<a href=\"" + Request.Params["parm2"] + "\">" ) What value of Request.Params["parm2"] will result in exceeding the limits of the token?
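The walk that slides 16 to 29 describe, as an added example that is not part of the deck and not Application Inspector code: a toy symbolic execution over a program reconstructed from the conditions shown on the SECG slides (the reconstruction is an assumption; the deck never prints the source, and the cond1 == "true" branch is treated as empty). Variables carry a list of conditional states at every vertex, the two sides of each branch are merged exactly as the slide-23 vertex shows, and at the PVO every reachable context is turned into a formula; the vulnerability formulas are those in which a taint source reaches the PVO. Python is used because the analyzer logic is independent of the analyzed C# code.

```python
from dataclasses import dataclass
from itertools import product
from typing import Tuple, Union

# Symbolic values: a taint source (request parameter) or a string constant.
@dataclass(frozen=True)
class Source:
    name: str
    def __str__(self):
        return f'Request.Params["{self.name}"]'

@dataclass(frozen=True)
class Const:
    text: str
    def __str__(self):
        return '"' + self.text.replace('"', '\\"') + '"'

@dataclass(frozen=True)
class Var:           # reference to a program variable inside a PVO argument
    name: str

@dataclass(frozen=True)
class Cond:          # branch condition: Request.Params[param] op "literal"
    param: str
    op: str          # "==" or "!="
    literal: str
    def negate(self):
        return Cond(self.param, "!=" if self.op == "==" else "==", self.literal)
    def __str__(self):
        return f'Request.Params["{self.param}"] {self.op} "{self.literal}"'

# Statements of the toy language.
@dataclass
class Assign:
    var: str
    value: Union[Source, Const]

@dataclass
class If:
    cond: Cond
    then: list
    other: list

@dataclass
class Write:         # PVO: Response.Write(part + part + ...), parts are Const or Var
    parts: list

@dataclass(frozen=True)
class Formula:       # path condition ⇒ PVO(text)
    conds: Tuple[Cond, ...]
    parts: Tuple[Union[Source, Const], ...]
    def __str__(self):
        lhs = " && ".join(map(str, self.conds)) or "ε"
        return f"{lhs} ⇒ Response.Write({' + '.join(map(str, self.parts))})"

def consistent(conds):
    """A conjunction containing both c and its negation is unreachable."""
    return not any(c.negate() in conds for c in conds)

def run(stmts, path, env, formulas):
    """Symbolic walk. env maps a variable to its conditional states, a list of
    (conditions, value) pairs, as shown inside the SECG vertices."""
    for st in stmts:
        if isinstance(st, Assign):
            env = {**env, st.var: [(path, st.value)]}
        elif isinstance(st, If):
            env_t = run(st.then, path + (st.cond,), env, formulas)
            env_f = run(st.other, path + (st.cond.negate(),), env, formulas)
            # Merge point: a variable untouched by both branches keeps its
            # states, otherwise the states of both branches are unioned.
            env = {v: env_t[v] if env_t.get(v) == env_f.get(v)
                   else env_t.get(v, []) + env_f.get(v, [])
                   for v in set(env_t) | set(env_f)}
        elif isinstance(st, Write):
            # Every variable used by the PVO must have been assigned on this path.
            choices = [[(path, p)] if isinstance(p, Const) else env[p.name]
                       for p in st.parts]
            for combo in product(*choices):
                conds = tuple(dict.fromkeys(
                    c for cs, _ in combo for c in path + tuple(cs)))
                if consistent(conds):
                    formulas.append(Formula(conds, tuple(v for _, v in combo)))
    return env

def pvo_contexts(program):
    """Every (path condition, text) pair under which the PVO is reached."""
    formulas = []
    run(program, (), {}, formulas)
    return formulas

def vulnerability_formulas(program):
    """Keep only the contexts in which a taint source reaches the PVO."""
    return [f for f in pvo_contexts(program)
            if any(isinstance(p, Source) for p in f.parts)]

# Assumed program behind slides 18-29 (reconstructed, not shown on the slides).
PROGRAM = [
    Assign("parm", Source("parm1")),
    If(Cond("cond1", "==", "true"), [], [
        If(Cond("cond2", "==", "true"),
           [Assign("parm", Source("parm2"))],
           [Assign("parm", Const("<div>Harmless value</div>"))]),
        Write([Const('<a href="'), Var("parm"), Const('">')]),
    ]),
]

if __name__ == "__main__":
    for f in vulnerability_formulas(PROGRAM):
        print(f)
```

Running it prints the single formula of slide 28; the harmless-value context of slide 26 is dropped because no source reaches the PVO there. Note that the walk enumerates every context, not just the first one that reaches the PVO, which is what the patch side of slide 42 requires.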
  • 30. The one that is defined by the type of the injection point!
  • 31. Finding the type of the injection point <a href=" "> The type of the injection point is figured out by syntactic heuristics applied to the vulnerable expression on either side of the point.
  • 32. Vulnerability formula Request.Params["cond1"] != "true" && Request.Params["cond2"] == "true" && (Request.Params["parm2"] == "\"><script>alert(0)</script>" || Request.Params["parm2"] == "\"onmouseover=\"alert(0)") ⇒ Response.Write( "<a href=\"" + Request.Params["parm2"] + "\">" )
  • 33. Vulnerability formula Request.Params["cond1"] != "true" && Request.Params["cond2"] == "true" && (Request.Params["parm2"] == "\"><script>alert(0)</script>" || Request.Params["parm2"] == "\"onmouseover=\"alert(0)") ⇒ Response.Write( "<a href=\"" + Request.Params["parm2"] + "\">" ) As a result of finding the values unknown in the context of the vulnerability formula you can get...
  • 35. The contextual attack vector Vulnerable expression: "<a href=\"" + Request.Params["parm2"] + "\">" The type of the injection point: HTML: 2-quoted attribute value Vector variables: Request.Params["parm2"] = "\"><script>alert(0)</script>" Conditional variables: Request.Params["cond1"] = "__AI_akhivldp" Request.Params["cond2"] = "true"
  • 37. SECG gives us anything we need!* * it also gives us anything we don't need yet
  • 38. The proper patch ― Makes a minimum of changes ― Keeps the semantics of the code ― Solves the problem ― Never makes more problems
  • 39. How to generate a patch? ― Know "how it shouldn't be": necessary and sufficient formal symptoms of vulnerabilities ― Know "how it is": prove the existence of these symptoms in the analyzed code ― Eliminate at least one of the required symptoms by changing the code
  • 40. Symptoms of injection that can be eliminated ― Potentially vulnerable operation PVO(text): an operation of direct or indirect interpretation of "text" in a formal language ― text = transform(argument), where argument is the number of arguments passed to the entry point EP, and transform is the function of intermediate transformations ― At least one set of such values of the EP elements exists and is likely to be reached. At these values the syntax tree structure of the "text" value reaching the PVO changes.
  • 41. Ways to eliminate the injection http://www.slideshare.net/kochetkov.vladimir/how-to-develop-a-secure-web-application-and-stay-in-mind-phdays-3/87 • Typing • Validation • Sanitization
  • 42. Attack vector vs patch
    Attack vector: It suffices to find a single path from the entry point to the PVO and a single set of values of vector variables
    Patch: It is necessary to find all paths from the entry point to the PVO and all sets of values of vector variables
    Attack vector: The type of the injection point can be figured out by using heuristics
    Patch: The type of the injection point must be figured out strictly, along with its semantics
    Attack vector: The availability of the application may be compromised
    Patch: The application should stay available
  • 43. Strong finding of the type of the injection point Step #1: replace each taint source in the vulnerable expression with a unique special character: <a href='∅'> Step #2: parse the string with a modified parser of the island language that allows special characters in an arbitrary token. Step #3: find in the parse tree the vertex containing the special character and define the type of the injection point on the basis of the vertex type. Step #4: according to the type of the injection point, define its semantics.
  • 44. Strong finding of the type of the injection point
    Opening bracket: <
    Tag name: a
    Attribute definition
      Attribute name: href
      Assignment sign
      2-quoted attr. value:
    Closing bracket: >
    Result: 2-quoted attribute (semantic: URL) value
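The four steps of slide 43 and the parse tree of slide 44, as an added example that is not part of the deck and not Application Inspector's parser: a small island-language tokenizer for HTML that accepts the marker character ∅ inside any token, locates the token holding the marker, and maps the token kind plus its context (the attribute name for a value, the enclosing tag for text) to a semantic. The token kinds, the attribute-to-semantic table and the function names are assumptions for this illustration.

```python
import re

MARKER = "\u2205"   # ∅: stands in for every taint source (slide 43, step 1)

# Island-language tokenizer: one tag with optional attributes. Every character
# class admits the marker, so it can sit in a tag name, attribute name,
# attribute value or text without breaking the parse (step 2).
TAG_RE = re.compile(
    r"<(?P<name>/?[^\s/>]+)"
    r"(?P<attrs>(?:\s+[^\s=/>]+(?:\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+))?)*)"
    r"\s*/?>")
ATTR_RE = re.compile(r"\s*([^\s=/>]+)(?:\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+))?")

URL_ATTRS = {"href", "src", "action", "formaction", "data"}   # assumed table

def tokenize(markup):
    """Yield (token kind, token text, context): context is the attribute name
    for a value, the tag name for an attribute name, the last opened tag for text."""
    pos, last_tag = 0, None
    for m in TAG_RE.finditer(markup):
        if m.start() > pos:
            yield "text", markup[pos:m.start()], last_tag
        name = m.group("name")
        yield "tag name", name.lstrip("/"), None
        last_tag = None if name.startswith("/") else name
        for attr_name, attr_value in ATTR_RE.findall(m.group("attrs")):
            yield "attribute name", attr_name, name
            if attr_value:
                quote = attr_value[0]
                if quote == '"':
                    yield "2-quoted attribute value", attr_value[1:-1], attr_name
                elif quote == "'":
                    yield "1-quoted attribute value", attr_value[1:-1], attr_name
                else:
                    yield "unquoted attribute value", attr_value, attr_name
        pos = m.end()
    if pos < len(markup):
        yield "text", markup[pos:], last_tag

def semantic(kind, context):
    """Step 4: the semantics implied by the vertex type and its context."""
    if kind == "text":
        return {"script": "JS", "style": "CSS"}.get((context or "").lower(), "TEXT")
    if kind.endswith("attribute value"):
        attr = context.lower()
        if attr in URL_ATTRS:
            return "URL"
        if attr.startswith("on"):
            return "JS"
        if attr == "style":
            return "CSS"
        return "TEXT"
    return "HTML"   # marker in a tag or attribute name: a structural position

def find_injection_point(parts):
    """parts: fragments of the vulnerable expression, None marking a taint source.
    Returns (injection point type, semantic) for the first tainted token (step 3)."""
    markup = "".join(MARKER if p is None else p for p in parts)
    for kind, text, context in tokenize(markup):
        if MARKER in text:
            return kind, semantic(kind, context)
    raise ValueError("no taint source reaches a token")

if __name__ == "__main__":
    # The expression from slide 35, with the source replaced by the marker.
    print(find_injection_point(['<a href="', None, '">']))
```

The slide-35 expression yields the type "2-quoted attribute value" with the semantic URL, which is what the slide-44 tree concludes. Because the tokenizer is driven by the marker rather than by the surrounding text, the same call distinguishes a 1-quoted or unquoted value, text inside a script element, or a marker in a tag name, each of which calls for a different countermeasure.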
  • 45. Keeps the semantics of the code - The priority of countermeasures: 1) Typing 2) Sanitizing 3) Validation - Consideration of all conditions for executing the PVO as well as values of its arguments during typing and sanitizing - Applying countermeasures exactly at the source of the vulnerability
  • 47. Typing 2-quoted attribute (semantic: URL) value - typing is possible Recording a dangerous value to parm
  • 50. Sanitizing Text (semantic: TEXT) value - typing is not possible, sanitizing may be applied Recording a dangerous value to parm
  • 53. Validation Typing and sanitizing are not possible, validation is possible
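The countermeasure priority of slide 45 applied to the cases of slides 47 to 53, as an added example that is not part of the deck and not Application Inspector's patch generator: given the semantic found for the injection point, the value is typed if a type exists for it (URL), sanitized if it can only ever be text, and otherwise validated against an allow-list, and the countermeasure is applied where the value is recorded into the variable, not at the PVO. The concrete URL type, the allow-list and the function names are assumptions of this example.

```python
import html
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Characters that may survive unencoded in a URL path, query or fragment.
# Quotes, <, > and whitespace are deliberately absent, so a typed URL can
# never close the attribute it is later written into.
URL_SAFE = "/%:@-._~!$&()*+,;=?"
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
IDENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # assumed allow-list

def type_url(value):
    """Typing: parse the raw value as an absolute http(s) URL and re-serialize
    it from its parts, percent-encoding anything outside URL_SAFE."""
    u = urlsplit(value)
    if u.scheme not in ("http", "https") or not HOST_RE.match(u.netloc):
        raise ValueError("not an absolute http(s) URL")
    return urlunsplit((u.scheme, u.netloc.lower(),
                       quote(u.path, safe=URL_SAFE),
                       quote(u.query, safe=URL_SAFE),
                       quote(u.fragment, safe=URL_SAFE)))

def sanitize_text(value):
    """Sanitizing: HTML-encode so the value can only ever be text."""
    return html.escape(value, quote=True)

def validate_identifier(value):
    """Validation: accept only the allow-listed shape, reject everything else."""
    if not IDENT_RE.match(value):
        raise ValueError("value outside the allow-list")
    return value

def choose_countermeasure(semantic):
    """Slide 45 priority: typing, then sanitizing, then validation."""
    if semantic == "URL":
        return "typing", type_url
    if semantic == "TEXT":
        return "sanitizing", sanitize_text
    # JS, CSS or a structural position: no type and no encoding applied here.
    return "validation", validate_identifier

def patch_source(raw_value, semantic):
    """Apply the countermeasure at the source, i.e. where the value is recorded
    into parm. Returns (countermeasure name, safe value or None if rejected)."""
    name, guard = choose_countermeasure(semantic)
    try:
        return name, guard(raw_value)
    except ValueError:
        return name, None

if __name__ == "__main__":
    # Constructed inputs: the slide-35 vector and an ordinary link.
    for value in ('"><script>alert(0)</script>', "http://example.com/a?x=1"):
        name, safe = patch_source(value, "URL")
        print(name, repr(safe))
```

The typed value is rebuilt from its parsed parts rather than checked and passed through, so a value that parses as a URL but carries a quote in its query is re-serialized with that quote percent-encoded, while a value that is not a URL at all is rejected before it is ever recorded into parm. This keeps the PVO expression and the rest of the program untouched, as slides 38 and 45 ask.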
  • 55. Any patches for other attack types?
    √ Injections
    √ Buffer Overflow
    √ Heap Overflow
    √ Integer Overflow
    ? Memory Management Attacks
    ? Access Control Attacks
    ? Session Fixation
    ? CSRF
    x Race Conditions
    x Domain (Logical) Attacks
  • 56. When do we want it?
  • 59. Any questions? Vladimir Kochetkov vkochetkov@ptsecurity.com @kochetkov_v Application Inspector/Compiling Applications Analysis/Team Lead Positive Technologies