Lehrstuhl für Informatik 4
1/16 1/2012 <Title> <Name LastName> Seminar in Computer Science
Slide 1: CRAXweb: Automatic Web Application Testing and Attack Generation [1]
Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu
National Chiao Tung University
Presented by Aung Thu Rha Hein (5536871)
[1] "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), June 2013 IEEE 7th International Conference.
Slide 2: Outline
1. Introduction
2. Background
   - What is an exploit?
   - Dynamic Analysis
   - Symbolic Execution
3. CRAXWeb: Automatic Web Application Testing and Attack Generation
4. Conclusions
5. References
Slide 3: Introduction - Motivation
● Software bugs are common
● Especially in web applications
● Some bugs are more harmful than others
● They are difficult to detect manually
● Static analysis confuses developers and produces false positives
● Manual testing is not effective
Slide 4: Introduction - Problem Statements
● Challenge
  ● How to find exploits and shellcode in the program
  ● Source code analysis alone is not enough
  ● Finding the exploitable paths among all program execution paths
Slide 5: Introduction - Research Objectives
● To generate exploits for web applications
Slide 6: Background: Exploits - What is an exploit?
● Exploit techniques vary with the OS architecture
● Types of exploits
  ● Stack overflow exploit
  ● Heap corruption exploit
  ● Format string attack
● Attack methodologies
  ● Remote exploit
  ● Local exploit
  ● Two-stage exploit
● Tools for writing exploits: LibExploit, Metasploit, CANVAS
Slide 7: Background: Exploits - Stack Overflow Exploit Example
(The program is intentionally vulnerable: strcpy copies argv[1] into a 12-byte stack buffer with no length check.)

#include <string.h>

/* Vulnerable: the copy is unbounded, so an argument longer than 11 bytes
   overruns c[] and whatever the stack holds above it (saved frame pointer,
   return address). */
void foo(char *bar)
{
    char c[12];
    strcpy(c, bar);
}

int main(int argc, char **argv)
{
    if (argc < 2)
        return 1;       /* nothing to copy; avoids passing a NULL pointer */
    foo(argv[1]);
    return 0;
}

Slide 8: Background: Exploits - Stack Overflow Exploit Example (figure: stack layout; not recoverable from the extraction)
Slide 9: Background: Dynamic Analysis - Introduction
● Monitor code as it executes
● Usefulness of dynamic analysis
  ● Precision of information
  ● Dependence on program inputs
● Four common dynamic analysis techniques:
  ● Dynamic taint analysis
  ● Forward symbolic execution
  ● Frequency spectrum analysis
  ● Coverage concept analysis ...
Slide 10: Background: Dynamic Analysis - Dynamic Taint Analysis
● Exploiting program execution:
  ● the program expects certain values to come from a trusted source
  ● attackers overwrite these values, i.e. taint them
● Taint analysis process
  1. mark input data from untrusted sources as tainted
  2. monitor program execution to track how tainted data propagates
  3. check whether tainted data is used in dangerous ways
Slide 11: Background: Dynamic Analysis - Dynamic Taint Analysis (figure: attack detected using TaintCheck)
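The three-step taint process above, as an added illustration written for this page (not CRAXweb or TaintCheck code): request parameters are marked tainted, string concatenation propagates the taint, and an SQL sink refuses tainted query text. The request, the two handlers and the sink are constructed for the example.

```python
"""Toy dynamic taint analysis: (1) mark untrusted input tainted, (2) propagate
taint through string operations, (3) flag tainted data reaching a dangerous sink.
Added illustration; the handlers and sink are constructed, not from CRAXweb."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Tainted:
    """A string value plus the set of untrusted sources it derives from."""
    value: str
    sources: frozenset[str] = frozenset()

    @property
    def tainted(self) -> bool:
        return bool(self.sources)

    # Step 2: any operation that mixes values carries the union of their sources.
    def __add__(self, other: "Tainted | str") -> "Tainted":
        other = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(self.value + other.value, self.sources | other.sources)

    def __radd__(self, other: str) -> "Tainted":
        return Tainted(other) + self

    def upper(self) -> "Tainted":
        return Tainted(self.value.upper(), self.sources)


class TaintViolation(Exception):
    pass


def mark_request(params: dict[str, str]) -> dict[str, Tainted]:
    """Step 1: everything that arrives in the HTTP request is untrusted."""
    return {k: Tainted(v, frozenset({f"request:{k}"})) for k, v in params.items()}


def sql_sink(query: Tainted) -> str:
    """Step 3: the query text handed to the database must carry no taint."""
    if query.tainted:
        raise TaintViolation(
            f"tainted data from {sorted(query.sources)} reached SQL sink: {query.value!r}")
    return query.value


def vulnerable_lookup(params: dict[str, Tainted]) -> str:
    """Handler that concatenates the request parameter straight into the query."""
    query = "SELECT * FROM users WHERE name = '" + params["user"] + "'"
    return sql_sink(query)


def parameterised_lookup(params: dict[str, Tainted]) -> tuple[str, list[str]]:
    """Hardened handler: the SQL text is constant and the value travels
    separately as a bind parameter, so no taint flows into the query text."""
    query = Tainted("SELECT * FROM users WHERE name = ?")
    return sql_sink(query), [params["user"].value]


def analyse(handler, params: dict[str, str]) -> str | None:
    """Run a handler under taint tracking; return the violation message or None."""
    try:
        handler(mark_request(params))
    except TaintViolation as exc:
        return str(exc)
    return None
```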
Slide 12: Background: Dynamic Analysis - Symbolic Execution
● Key idea: generalize testing by using unknown symbolic variables in evaluation
  ● the concrete call f(1, 2) becomes the symbolic call f(α1, α2)
● Allows unknown symbolic variables in evaluation
  ● y = α; assert(f(y) == 2*y - 1);
● If the execution path depends on an unknown, conceptually fork the symbolic executor
  ● int f(int x)
    {
        if (x > 0) return 2*x - 1;
        else return 10;
    }
Slide 13: Background: Dynamic Analysis - Symbolic Execution Example (figure: not recoverable from the extraction)
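The fork on `x > 0` and the assertion `f(y) == 2*y - 1` from the slide, carried through as an added example (written for this page, not code from CRAXweb, S2E or KLEE). The symbolic executor, the interval solver standing in for STP/Z3, and the 32-bit range for x are assumptions of the example.

```python
"""Toy forward symbolic execution of the slide's f(x). A symbolic integer is the
linear expression a*x + b; every `e > k` branch is recorded as a constraint on x
and the driver forks so both outcomes are explored. A one-variable interval
solver stands in for STP/Z3: it yields a concrete input per path and checks
the slide's assertion f(y) == 2*y - 1. Added illustration, not tool code."""
from __future__ import annotations
from dataclasses import dataclass

INT_MIN, INT_MAX = -(2 ** 31), 2 ** 31 - 1   # assumption: model x as a 32-bit int


@dataclass(frozen=True)
class Lin:
    """Linear expression a*x + b over the single symbolic variable x."""
    a: int
    b: int

    def __rmul__(self, k: int) -> "Lin":
        return Lin(self.a * k, self.b * k)

    def __sub__(self, k: int) -> "Lin":
        return Lin(self.a, self.b - k)

    def eval(self, x: int) -> int:
        return self.a * x + self.b


class Infeasible(Exception):
    """The scripted branch choice contradicts the path condition collected so far."""


class SymExec:
    """One path: a script of branch decisions plus the path condition kept as an
    interval [lo, hi] on x (enough for one variable and linear constraints)."""

    def __init__(self, decisions: list[bool]):
        self.decisions, self.idx = decisions, 0
        self.lo, self.hi = INT_MIN, INT_MAX
        self.new_branches: list[int] = []    # branch indices first seen on this path

    def gt(self, e: Lin, k: int) -> bool:
        """Symbolic `e > k`: follow the scripted decision and add it as a constraint."""
        if self.idx >= len(self.decisions):
            self.decisions.append(True)       # default: take the branch first
            self.new_branches.append(self.idx)
        taken = self.decisions[self.idx]
        self.idx += 1
        assert e.a > 0, "toy solver handles a*x + b > k only for a > 0"
        bound = (k - e.b) // e.a              # a*x + b > k  <=>  x > (k - b) / a
        if taken:
            self.lo = max(self.lo, bound + 1)
        else:
            self.hi = min(self.hi, bound)
        if self.lo > self.hi:
            raise Infeasible()
        return taken


def f(x: Lin, se: SymExec) -> Lin:
    """The slide's program: int f(int x) { if (x > 0) return 2*x - 1; else return 10; }"""
    if se.gt(x, 0):
        return 2 * x - 1
    return Lin(0, 10)


def explore() -> list[tuple[list[bool], int, int, Lin]]:
    """Enumerate all feasible paths of f with a worklist of decision prefixes
    (the 'conceptual fork'). Returns (decisions, lo, hi, symbolic result) per path."""
    paths, work = [], [[]]
    while work:
        se = SymExec(work.pop())
        result = None
        try:
            result = f(Lin(1, 0), se)         # x itself is the expression 1*x + 0
        except Infeasible:
            pass
        for i in se.new_branches:             # fork: queue the untaken alternative
            work.append(se.decisions[:i] + [not se.decisions[i]])
        if result is not None:
            paths.append((se.decisions, se.lo, se.hi, result))
    return paths


def witness(lo: int, hi: int) -> int:
    """A concrete input satisfying the path condition (what the solver would return)."""
    return 0 if lo <= 0 <= hi else (lo if lo > 0 else hi)


def assertion_satisfiable(lo: int, hi: int, result: Lin) -> bool:
    """Is there any x in [lo, hi] with result(x) == 2*x - 1?  This is the query a
    real tool hands to STP/Z3; here it is one linear equation solved directly."""
    coeff, rhs = result.a - 2, -1 - result.b  # (a - 2) * x == -1 - b
    if coeff == 0:
        return rhs == 0                        # identity: holds for every x on the path
    if rhs % coeff != 0:
        return False                           # no integer solution at all
    return lo <= rhs // coeff <= hi


def check_assertion() -> list[tuple[int, int, int]]:
    """Concretely run assert(f(y) == 2*y - 1) with one witness y per path.
    Returns counterexamples as (y, f(y), 2*y - 1)."""
    failures = []
    for _, lo, hi, result in explore():
        y = witness(lo, hi)
        got = result.eval(y)
        if got != 2 * y - 1:
            failures.append((y, got, 2 * y - 1))
    return failures
```

On the `x <= 0` path the equation `10 == 2*x - 1` has no integer solution, so the assertion fails for every input on that path and the witness `y = 0` is the counterexample a tool would report.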
Slide 14: Background: Dynamic Analysis - Symbolic Execution: Purpose
● E.g. are particular program points reachable?
● E.g. is the array access a[i] out of bounds?
● E.g. generate concrete inputs that execute the same paths
  ● with constraint solvers
  ● E.g. Z3, Yices, STP
Slide 15: Background: Dynamic Analysis - Symbolic Execution Limitations
● Scalability issue when the number of execution paths is large
● Source code, or an equivalent, is required
● Limitations in constraint solving
  ● cannot handle non-linear and very complex constraints
Slide 16: Research Paper - CRAXweb: Automatic Web Application Testing and Attack Generation
Slide 17: Research Paper - Overview of CRAXweb
● Implements AEG (automatic exploit generation) for large-scale web applications
● Focuses on XSS and SQLi attacks
● Based on a Symbolic Socket, i.e. symbolic execution
● Single-path concolic mode is used to reduce path explosion
● Selective Symbolic Execution (S2E)
  ● provides the ability to execute a specific part of the program symbolically
● Simple Theorem Prover (STP) as the constraint solver
● Acunetix as the web crawler
Slide 19: Research Paper - Exploit Generation: Constraint Solving
● Generate test cases and exploits
Slide 20: Research Paper - Exploit Generation: Constraint Solving
x: the exploit (the input to be solved for)
f(x): the expected attack script (the output that input must produce)
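The constraint-solving view of exploit generation above (solve f(x) == expected attack script for x), as an added example written for this page rather than CRAXweb's solver. Each sanitiser is assumed to work character by character, so it is modelled as a map from an input character to the string it emits, and the string equation is solved by a reachability search over prefixes of the expected output; the sanitisers and target strings are constructed. Output encoding that rewrites `<` or `'` makes the constraint unsatisfiable, which is the check a defender wants.

```python
"""Exploit generation as constraint solving: x is the input, f(x) the application's
transformation of it, and the question is whether some x exists with
f(x) == expected output. Added illustration, not CRAXweb code. Each sanitiser is
modelled per character (assumption: f(a + b) == f(a) + f(b)), and the equation is
solved by a BFS over positions of the expected string."""
from __future__ import annotations
from collections import deque
import html
from typing import Callable

ALPHABET = [chr(c) for c in range(0x20, 0x7F)]   # printable ASCII inputs


def per_char_model(f: Callable[[str], str]) -> dict[str, str]:
    """Symbolic model of f: what each single input character becomes."""
    return {c: f(c) for c in ALPHABET}


def solve(f: Callable[[str], str], expected: str) -> str | None:
    """Find x with f(x) == expected, or None if the constraint is unsatisfiable.
    Each BFS edge consumes the image of one input character from `expected`."""
    model = per_char_model(f)
    edges = [(c, img) for c, img in model.items() if img]   # deleted chars add nothing
    parent: dict[int, tuple[int, str]] = {0: (-1, "")}
    queue = deque([0])
    while queue:
        pos = queue.popleft()
        if pos == len(expected):
            break
        for c, img in edges:
            nxt = pos + len(img)
            if nxt not in parent and expected.startswith(img, pos):
                parent[nxt] = (pos, c)
                queue.append(nxt)
    if len(expected) not in parent:
        return None
    chars, pos = [], len(expected)
    while pos != 0:
        pos, c = parent[pos]
        chars.append(c)
    return "".join(reversed(chars))


# Candidate sanitisers for a reflected parameter (constructed for the example).
def no_filter(s: str) -> str:
    return s

def strip_quotes(s: str) -> str:          # weak: only removes double quotes
    return s.replace('"', "")

def lowercase(s: str) -> str:             # weak: case folding is not encoding
    return s.lower()

def html_encode(s: str) -> str:           # proper output encoding for an HTML context
    return html.escape(s, quote=True)

def sql_escape_quotes(s: str) -> str:     # escapes ' inside a single-quoted SQL literal
    return s.replace("'", "\\'")


# Constructed target outputs: what the attack script must look like after f.
XSS_OUTPUT = "<script>alert(1)</script>"
SQLI_OUTPUT = "' OR 1=1 --"


def exploitable(f: Callable[[str], str], expected: str) -> bool:
    """True when the solver finds x and a concrete run confirms f(x) == expected."""
    x = solve(f, expected)
    return x is not None and f(x) == expected
```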
Slide 21: Research Paper - Single Path Concolic Mode
● To reduce the overhead caused by symbolic execution
● Explore one path at a time
Slide 22: Research Paper - Flow diagram of the automatic process (figure)
Slide 23: Research Paper - Implementation: Symbolic Socket
● S2E as the symbolic environment
Slide 24: Research Paper - Implementation: Architecture
● Overall architecture of the automatic exploit generator (figure)
Slide 25: Research Paper - Implementation: Symbolic Response and Query Handler
● From web crawler to symbolic request
Slide 26: Research Paper - Implementation: Symbolic Response and Query Handler
● From symbolic response or query to exploit generator
Slide 27: Research Paper - Implementation: Exploit Generation (figure)
Slide 28: Research Paper - Implementation: Exploit Generation
● Algorithm to solve the exploit constraint (figure)
Slide 29: Research Paper - Results: Experiment Environment
● Host OS: Ubuntu 10.10
● Guest environment: emulated by Qemu
● Qemu hosts Debian 5.07 and Windows XP
● Software: S2E 1.0, and MySQL as the database handler
Slide 30: Research Paper - Results: Evaluation for different platforms (table)
Slide 31: Research Paper - Results: Evaluation for Exploit Generation
● With test cases from Ardilla (table)
Slide 32: Research Paper - Results: Evaluation for Exploit Generation (continued)
● With test cases from Ardilla (table)
Slide 33: Research Paper - Results: Evaluation for Exploit Generation
● With real-world applications (table)
Slide 34: Research Paper - Results: Related works (table)
Slide 35: Conclusions
● AEG is possible for web applications
● CRAXWeb uses
  ● symbolic execution
  ● concolic testing
● However, there is still room for development
  ● for more exploit types
  ● for integration with a browser
Slide 36: References
Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, "CRAXweb: Automatic Web Application Testing and Attack Generation", Software Security and Reliability (SERE), IEEE 7th International Conference, June 2013
Shih-Kun Huang, Min-Hsiang Huang, Po-Yen Huang, Chung-Wei Lai, Han-Lin Lu, Wai-Meng Leong, "CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations", Software Security and Reliability (SERE), 2012 IEEE Sixth International Conference, June 2012
Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, David Brumley, "AEG: Automatic Exploit Generation", Network and Distributed System Security Symposium, Feb 2012
Slide 37: References (continued)
James Newsome, Dawn Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software", Network and Distributed System Security Symposium, 2005
Cristian Cadar, Daniel Dunbar, Dawson Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs", USENIX Symposium on Operating Systems Design and Implementation, December 2008
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance
 

Recently uploaded (20)

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 

CRAXweb: Automatic Exploit Generation for Web Applications

  • 7. Background: Exploits / Stack Overflow Exploit Example
    #include <string.h>

    /* Deliberately vulnerable: strcpy() has no length check, so an argument longer
       than 11 bytes overruns c[] and overwrites the saved return address. */
    void foo(char *bar) {
        char c[12];
        strcpy(c, bar);
    }

    int main(int argc, char **argv) {
        if (argc < 2) return 1;   /* avoid a NULL dereference; the overflow is the point */
        foo(argv[1]);
        return 0;
    }
  • 8. Background: Exploits / Stack Overflow Exploit Example (image only)
  • 9. Background: Dynamic Analysis / Introduction
    ● Monitor the code as it executes
    ● Why dynamic analysis is useful: the information is precise (observed behaviour rather than an approximation), but it only covers the program inputs actually exercised
    ● Four common dynamic analysis techniques: dynamic taint analysis, forward symbolic execution, frequency spectrum analysis, coverage concept analysis, ...
  • 10. Background: Dynamic Analysis / Dynamic Taint Analysis
    ● Normal execution uses control-relevant values (return addresses, function pointers, format strings) that come from trusted sources
    ● An attacker exploits the program by overwriting these values with tainted data derived from untrusted input
    ● Taint analysis process:
      1. Mark input data from untrusted sources as tainted
      2. Monitor program execution to track how the tainted data propagates
      3. Check whether tainted data is used in a dangerous way (e.g. as a jump target, format string, query text or response markup)
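The three steps above, carried out on a toy web request handler. This is an added example, not TaintCheck or CRAXweb code; the request, the handlers and the sink names are constructed for the illustration. Untrusted request data is wrapped in a TaintedStr, the instrumented string operations carry the labels along, and each dangerous sink checks what reaches it. The vulnerable handler builds a query and a page by concatenation and trips both sinks; the hardened one binds the parameter separately and explicitly declassifies the HTML-escaped value.

```python
"""Dynamic taint tracking for a toy request handler.

Added example for the three steps on the slide (mark, propagate, check); it is
not TaintCheck or CRAXweb code, and the request and handlers are constructed
for the example. Untrusted request data is wrapped in TaintedStr, the
instrumented string operations carry the taint labels along, and each
dangerous sink checks what reaches it.
"""
import html


class TaintViolation(Exception):
    pass


def sources_of(value) -> frozenset:
    return getattr(value, "sources", frozenset())


def is_tainted(value) -> bool:
    return bool(sources_of(value))


class TaintedStr(str):
    """A str that remembers which untrusted sources it was derived from.

    Only concatenation, indexing/slicing and replace() are instrumented here;
    f-strings, %-formatting and "".join() return plain str and would silently
    drop the taint, which is the propagation gap a real tracker must close.
    """

    def __new__(cls, value, sources=frozenset()):
        obj = super().__new__(cls, value)
        obj.sources = frozenset(sources)
        return obj

    def __add__(self, other):
        return TaintedStr(str.__add__(self, other), self.sources | sources_of(other))

    def __radd__(self, other):          # "literal" + tainted: Python tries the subclass first
        return TaintedStr(str.__add__(other, self), sources_of(other) | self.sources)

    def __getitem__(self, key):
        return TaintedStr(str.__getitem__(self, key), self.sources)

    def replace(self, old, new, count=-1):
        # Escaping quotes is not sanitisation for taint purposes: the result
        # still derives from the attacker, so the label stays.
        return TaintedStr(str.replace(self, old, new, count), self.sources | sources_of(new))


def mark_untrusted(request: dict, name: str) -> TaintedStr:
    """Step 1: everything read from the request is tainted with its origin."""
    return TaintedStr(request["GET"][name], {f"GET[{name}]"})


def sink_sql(query: str) -> str:
    """Step 3: tainted bytes inside the query text mean attacker-controlled SQL."""
    if is_tainted(query):
        raise TaintViolation(f"tainted data reached SQL sink from {sorted(query.sources)}")
    return query


def sink_html(body: str) -> str:
    """Step 3: tainted bytes in the response body mean attacker-controlled markup."""
    if is_tainted(body):
        raise TaintViolation(f"tainted data reached HTML sink from {sorted(body.sources)}")
    return body


def vulnerable_handler(request: dict):
    user_id = mark_untrusted(request, "id")
    q = mark_untrusted(request, "q")
    # Step 2: "literal" + tainted keeps the label, so the SQL sink fires first.
    sql = sink_sql("SELECT name FROM users WHERE id = '" + user_id + "'")
    return sql, sink_html("<p>Results for " + q + "</p>")


def hardened_handler(request: dict):
    user_id = mark_untrusted(request, "id")
    q = mark_untrusted(request, "q")
    # The bound parameter never enters the query text, so the text stays clean.
    sql = sink_sql("SELECT name FROM users WHERE id = ?")
    params = [str(user_id)]
    # Explicit declassification: html.escape() runs on a plain str copy and its
    # output is trusted in an HTML text context.
    body = sink_html("<p>Results for " + html.escape(str(q)) + "</p>")
    return sql, params, body


SAMPLE_REQUEST = {"GET": {"id": "1' OR '1'='1", "q": "<b>hi</b>"}}   # constructed


def demo(request: dict = SAMPLE_REQUEST) -> dict:
    out = {}
    try:
        vulnerable_handler(request)
        out["vulnerable"] = "no alert"
    except TaintViolation as err:
        out["vulnerable"] = str(err)
    out["hardened"] = hardened_handler(request)
    out["slice_still_tainted"] = is_tainted(mark_untrusted(request, "id")[:1])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The design choice worth noting is that escaping alone never clears a label; only an explicit declassification point does, and that point is where a reviewer should look. The wrapper also shows the weakness of library-level taint tracking: any string operation that is not instrumented launders the taint, which is why TaintCheck and CRAXweb track at the instruction level instead.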
  • 11. Background: Dynamic Analysis / Dynamic Taint Analysis: attack detected using TaintCheck (image only)
  • 12. Background: Dynamic Analysis / Symbolic Execution
    ● Key idea: generalize testing by evaluating the program on unknown symbolic variables instead of concrete values
    ● The concrete call f(1, 2) becomes the symbolic call f(α1, α2)
    ● Assertions can then be checked for all values at once: y = α; assert(f(y) == 2*y - 1);
    ● If an execution path depends on an unknown, the symbolic executor conceptually forks, one copy per branch outcome
    ● int f(int x) { if (x > 0) return 2*x - 1; else return 10; }
  • 13. Background: Dynamic Analysis / Symbolic Execution Example (image only)
  • 14. Background: Dynamic Analysis / Symbolic Execution: Purpose
    ● Is a particular program point reachable?
    ● Is an array access a[i] out of bounds?
    ● Generate concrete inputs that execute the same paths
    ● All of these are answered with constraint solvers, e.g. Z3, Yices, STP
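The forking and the assertion check from slides 12 to 14, carried through on the slide's own f(x). This is an added example, not code from the slides, from KLEE or from CRAXweb. A Sym is an expression over the single unknown α; every branch whose condition depends on α forks the executor, so each feasible path ends with its own path condition. The solver is a bounded enumeration over [-100, 100] that stands in for STP or Z3; that bound is an assumption of the example, not a property of symbolic execution.

```python
"""Tiny forking symbolic executor for the slide's f(x) example.

Added example; not code from the slides, from KLEE or from CRAXweb. A Sym is
an expression over one unknown α. Each branch whose condition depends on α
forks the executor: the run continues down one side and the other side is
queued for a later run, so every feasible path ends up with its own path
condition. The "solver" enumerates a bounded integer range, standing in for
STP or Z3, and picks the smallest-magnitude solution.
"""
from typing import Callable, Dict, List, Optional


class Sym:
    """Symbolic integer (booleans are 0/1) over the single unknown α."""

    def __init__(self, text: str, at: Callable[[int], int]):
        self.text = text          # printable form of the expression
        self.at = at              # evaluate the expression for a concrete α

    def _bin(self, other, op, f):
        if not isinstance(other, Sym):
            other = Sym(str(other), lambda a, v=other: v)
        return Sym(f"({self.text} {op} {other.text})",
                   lambda a: f(self.at(a), other.at(a)))

    def __sub__(self, o): return self._bin(o, "-", lambda x, y: x - y)
    def __rmul__(self, o): return Sym(f"({o} * {self.text})", lambda a: o * self.at(a))
    def __gt__(self, o): return self._bin(o, ">", lambda x, y: int(x > y))
    def __eq__(self, o): return self._bin(o, "==", lambda x, y: int(x == y))  # builds a constraint


def neg(c: Sym) -> Sym:
    return Sym(f"!{c.text}", lambda a: 1 - c.at(a))


class State:
    """One execution state: branch decisions to replay, and the path condition."""

    def __init__(self, decisions: List[bool]):
        self.decisions = decisions
        self.taken: List[bool] = []
        self.path: List[Sym] = []

    def branch(self, cond: Sym) -> bool:
        i = len(self.taken)
        outcome = self.decisions[i] if i < len(self.decisions) else True
        self.taken.append(outcome)
        self.path.append(cond if outcome else neg(cond))
        return outcome


def explore(program: Callable[[State], Sym]) -> List[tuple]:
    """Run `program` once per path; each run queues the flip of every fresh decision."""
    worklist: List[List[bool]] = [[]]
    finished = []
    while worklist:
        decisions = worklist.pop()
        st = State(decisions)
        ret = program(st)
        finished.append((st, ret))
        for i in range(len(decisions), len(st.taken)):
            worklist.append(st.taken[:i] + [not st.taken[i]])
    return finished


def solve(conds: List[Sym], lo: int = -100, hi: int = 100) -> Optional[int]:
    """Smallest-magnitude α in [lo, hi] satisfying every condition (toy solver)."""
    for a in sorted(range(lo, hi + 1), key=abs):
        if all(c.at(a) for c in conds):
            return a
    return None


def f(state: State, x: Sym) -> Sym:
    """int f(int x) { if (x > 0) return 2*x - 1; else return 10; }"""
    if state.branch(x > 0):
        return 2 * x - 1
    return Sym("10", lambda a: 10)


def analyze() -> List[Dict]:
    """Per path: a concrete test input, and a counterexample to assert(f(y) == 2*y - 1)."""
    alpha = Sym("α", lambda a: a)
    report = []
    for st, ret in explore(lambda st: f(st, alpha)):
        test_input = solve(st.path)
        if test_input is None:            # path condition unsatisfiable: infeasible path
            continue
        counterexample = solve(st.path + [neg(ret == 2 * alpha - 1)])
        report.append({"path": [c.text for c in st.path], "returns": ret.text,
                       "test_input": test_input, "counterexample": counterexample})
    return report


if __name__ == "__main__":
    for entry in analyze():
        print(entry)
```

Two paths come out: (α > 0) returning ((2 * α) - 1), for which the assertion holds on the whole range, and !(α > 0) returning 10, for which the solver finds α = 0 as a counterexample. The worklist doubles on every fresh branch, which is the path explosion named on the next slide; a program that loops on α would never finish under this scheme without a bound.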
  • 15. Background: Dynamic Analysis / Symbolic Execution: Limitations
    ● Scalability: the number of execution paths grows exponentially with the number of branches (path explosion)
    ● Source code, or an equivalent executable representation, is required
    ● Constraint solving: non-linear and very complex constraints cannot be handled
  • 16. Research Paper: CRAXweb: Automatic Web Application Testing and Attack Generation
  • 17. Research Paper / Overview of CRAXweb
    ● Implements automatic exploit generation (AEG) for large-scale web applications
    ● Focus on XSS and SQL injection attacks
    ● Based on symbolic execution; the request enters the application through a symbolic socket
    ● Single-path concolic mode is used to avoid path explosion
    ● Built on Selective Symbolic Execution (S2E), which can execute only a chosen part of the program symbolically
    ● Simple Theorem Prover (STP) as constraint solver
    ● Acunetix as web crawler
  • 18. Research Paper / Exploit Generation: Constraint Solving
    ● Generate test cases and exploits
  • 19. Research Paper / Exploit Generation: Constraint Solving
    Figure legend: x is the exploit input to be solved for; f(x) is the output the application produces from it, which must equal the expected attack script
  • 20. Research Paper / Single Path Concolic Mode
    ● Reduces the overhead caused by symbolic execution
    ● Explores one path at a time, the one taken by the concrete request, instead of forking at every branch
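The constraint-solving step of slides 17 to 20, worked through on a small reflected page. This is an added example and not CRAXweb code; the PHP-style search script, the attack strings and the seed request are all constructed for the illustration. A concrete seed fixes one execution path; along that path every byte of the SQL query and of the HTML response is recorded either as a script literal or as a per-byte function of one request byte, together with the branch condition that kept execution on that path. The exploit constraint "output == attack string" is then solved byte by byte by enumerating candidate input bytes, which stands in for STP.

```python
"""Toy single-path concolic exploit generator for a reflected web page.

Added example (not CRAXweb code) for the solve-for-the-attack-string step.
The target is a hypothetical PHP-style search script modelled in Python. A
concrete seed request fixes one execution path; along that path every byte of
the SQL query and of the HTML response is recorded either as a script literal
or as a per-byte function of one request byte, together with the branch
condition that kept execution on this path. The exploit constraint
"output == attack string" is then solved byte by byte by enumerating candidate
input bytes, a stand-in for the STP solver used by the paper.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PRINTABLE = [chr(i) for i in range(32, 127)]   # candidate values of one request byte
ENTITIES = {"<": "&lt;", ">": "&gt;", "&": "&amp;", '"': "&quot;", "'": "&#039;"}


@dataclass
class Sym:
    """One output byte on the recorded path."""
    const: Optional[str] = None                     # literal written by the script
    src: Optional[int] = None                       # index of the request byte it depends on
    fn: Callable[[str], str] = lambda c: c          # transformation applied on this path
    guard: Callable[[str], bool] = lambda c: True   # path condition on that request byte


def lit(text: str) -> List[Sym]:
    return [Sym(const=ch) for ch in text]


def symbolic_request(seed: str) -> List[Sym]:
    """Mark every byte of the parameter symbolic (the paper's symbolic request)."""
    return [Sym(src=i) for i in range(len(seed))]


def map_bytes(s: List[Sym], f: Callable[[str], str]) -> List[Sym]:
    """A pure per-byte function such as strtolower(): no branch, so no new guard."""
    return [Sym(const=f(b.const)) if b.const is not None
            else Sym(src=b.src, fn=lambda c, g=b.fn: f(g(c)), guard=b.guard)
            for b in s]


def html_escape(s: List[Sym], seed: str) -> List[Sym]:
    """htmlspecialchars() followed along the path the concrete seed takes."""
    out: List[Sym] = []
    for b in s:
        if b.const is not None:
            out += lit(ENTITIES.get(b.const, b.const))
            continue
        concrete = b.fn(seed[b.src])
        if concrete in ENTITIES:
            # Branch taken: the byte is replaced by literal entity text, and the
            # path condition pins the request byte to the value that was escaped.
            out += [Sym(src=b.src, fn=lambda c, k=ch: k,
                        guard=lambda c, f=b.fn, v=concrete: f(c) == v)
                    for ch in ENTITIES[concrete]]
        else:
            # Branch not taken: byte passes through, provided it is not special.
            out.append(Sym(src=b.src, fn=b.fn,
                           guard=lambda c, g=b.guard, f=b.fn: g(c) and f(c) not in ENTITIES))
    return out


def search_page(q: List[Sym], seed: str) -> Tuple[List[Sym], List[Sym]]:
    """Hypothetical script under test (constructed for this example):
       $sql = "SELECT name FROM items WHERE name = '" . strtolower($_GET['q']) . "'";
       echo "<p>Results for " . htmlspecialchars($_GET['q']) . "</p>";
    """
    sql = lit("SELECT name FROM items WHERE name = '") + map_bytes(q, str.lower) + lit("'")
    html = lit("<p>Results for ") + html_escape(q, seed) + lit("</p>")
    return sql, html


def solve(out: List[Sym], attack: str, seed: str) -> Optional[str]:
    """Request that makes this path's output equal `attack`, or None if UNSAT."""
    if len(out) != len(attack):
        return None
    domains = [set(PRINTABLE) for _ in seed]
    for b, want in zip(out, attack):
        if b.const is not None:
            if b.const != want:
                return None
            continue
        domains[b.src] &= {c for c in PRINTABLE if b.guard(c) and b.fn(c) == want}
        if not domains[b.src]:
            return None
    # Unconstrained bytes keep their seed value; constrained ones take the
    # smallest surviving candidate, which is the solver's arbitrary pick.
    return "".join(seed[i] if len(d) == len(PRINTABLE) else min(d)
                   for i, d in enumerate(domains))


def generate_exploits() -> dict:
    results = {}
    payload = "' or '1'='1"                      # desired SQL injection
    seed = "a" * len(payload)                    # fixed-length seed request
    sql, _ = search_page(symbolic_request(seed), seed)
    results["sqli"] = solve(sql, "SELECT name FROM items WHERE name = '" + payload + "'", seed)

    payload = "<script>alert(1)</script>"        # desired reflected XSS
    seed = "a" * len(payload)
    _, html = search_page(symbolic_request(seed), seed)
    results["xss"] = solve(html, "<p>Results for " + payload + "</p>", seed)
    return results


if __name__ == "__main__":
    print(generate_exploits())   # {'sqli': "' OR '1'='1", 'xss': None}
```

The SQL sink is exploitable: the solver recovers a request whose lower-cased bytes spell the injection, and picks the upper-case letters only because they sort first among the candidates. The HTML sink is not exploitable on this path: the attack needs a literal `<`, but the path condition for a pass-through byte excludes every character htmlspecialchars() escapes, so the constraint is UNSAT. That verdict only covers the single path the seed took; the paths where a byte is escaped emit entity text and cannot produce `<` either, but a single-path concolic run has to be told about them with another seed, which is the price of avoiding path explosion.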
  • 21. Research Paper / Flow diagram of the automatic process (image only)
  • 22. Research Paper / Implementation: Symbolic Socket
    ● S2E as symbolic environment
  • 23. Research Paper / Implementation: Architecture
    ● Overall architecture of the automatic exploit generator (image only)
  • 24. Research Paper / Implementation: Symbolic Response and Query Handler
    ● From web crawler to symbolic request
  • 25. Research Paper / Implementation: Symbolic Response and Query Handler
    ● From symbolic response or query to exploit generator
  • 26. Research Paper / Implementation: Exploit Generation (image only)
  • 27. Research Paper / Implementation: Exploit Generation
    ● Algorithm to solve the exploit constraint (image only)
  • 28. Research Paper / Results: Experiment Environment
    ● Host OS: Ubuntu 10.10
    ● Guest environment: emulated by QEMU
    ● QEMU guests: Debian 5.0.7 and Windows XP
    ● Software: S2E 1.0, with MySQL as the database
  • 29. Research Paper / Results: Evaluation for different platforms (image only)
  • 30. Research Paper / Results: Evaluation for Exploit Generation
    ● With test cases from Ardilla
  • 31. Research Paper / Results: Evaluation for Exploit Generation
    ● With test cases from Ardilla (continued)
  • 32. Research Paper / Results: Evaluation for Exploit Generation
    ● With real-world applications
  • 33. Research Paper / Related works (image only)
  • 34. Conclusions
    ● AEG is possible for web applications
    ● CRAXweb uses symbolic execution and concolic testing
    ● Room remains for development: more exploit types, and integration with the browser
  • 35. References
    Shih-Kun Huang, Han-Lin Lu, Wai-Meng Leong, Huan Liu, "CRAXweb: Automatic Web Application Testing and Attack Generation", IEEE 7th International Conference on Software Security and Reliability (SERE), June 2013.
    Shih-Kun Huang, Min-Hsiang Huang, Po-Yen Huang, Chung-Wei Lai, Han-Lin Lu, Wai-Meng Leong, "CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations", IEEE 6th International Conference on Software Security and Reliability (SERE), June 2012.
    Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, David Brumley, "AEG: Automatic Exploit Generation", Network and Distributed System Security Symposium (NDSS), February 2011.
  • 36. References (continued)
    James Newsome, Dawn Song, "Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software", Network and Distributed System Security Symposium (NDSS), 2005.
    Cristian Cadar, Daniel Dunbar, Dawson Engler, "KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs", USENIX Symposium on Operating Systems Design and Implementation (OSDI), December 2008.