Transcript
Page 1: Sound and Precise Analysis of Web Applications for Injection Vulnerabilities

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities

Gary Wassermann and Zhendong Su, UC Davis

Slides from http://wwwcsif.cs.ucdavis.edu/~wassermg/research/ Made some additions/clarifications!

Page 2

SQL Injection Vulnerabilities

• 2006: 14% of CVEs were SQLCIVs (2nd most)
• Percent of attacks likely much higher
  – Web applications are accessible
  – Databases hold valuable information

[Figure: Web browser → (User input) → Application → (SQL Query) → Database]

Page 3

Example

<?
$sid = addslashes($_GET['sid']);
$query = "SELECT * FROM carts WHERE sid = ".$sid;
mysql_query($query);
?>

On malicious input the query becomes: SELECT * FROM carts WHERE sid = 78 OR 1 = 1

Result: Returns information from all shopping carts.


Page 4

Informal Characterization [POPL'06]

During runtime, we can see that the parse tree changed to a completely different structure from the one we had in mind.

Page 5

Past Approaches

• Runtime checks
  – Benefits: easy to be precise
  – State of the Art: lexical or syntactic confinement
  – Drawback: We pay many times the overhead of a correctly-placed check
• Static analysis
  – Benefits
    • Early bug detection
    • Analyze code fragments
    • No runtime overhead
  – State of the Art: static taint analysis

Page 6

Static Checking for SQLCIVs

Dataflow Graph / Code

$sid = addslashes($_GET['sid']);
$query = "SELECT…".$sid;
mysql_query($query);

[Figure: dataflow graph for the code. $_GET['sid'] → addslashes() → $sid; $sid and the constant SELECT… feed the concatenation (.) that produces $query, which flows into mysql_query()]

Page 7

Static Checking for SQLCIVs

Static Taint Analysis / Code

$sid = addslashes($_GET['sid']);
$query = "SELECT…".$sid;
mysql_query($query);

[Figure: the same dataflow graph labelled with integrity values. The Source $_GET['sid'] is U (untrusted); the Sanitizer addslashes() relabels it T (trusted); $sid, $query and the Sink mysql_query() are therefore all T, so the injection from Page 3 is a false negative! Abstract domain: Integrity.]

Page 8

Static Checking for SQLCIVs

Static Taint Analysis vs. Our Goal

[Figure, left (static taint analysis): Source U → Sanitizer addslashes() → T → T → Sink; false negative! Abstract domain: Integrity.]

[Figure, right (our goal): Source U → Transformation addslashes() → U' → concatenated with T → Sink, where the value is checked against policy. Abstract domain: (Integrity x String)* Set, i.e. a set of strings whose segments each carry an integrity label.]

Page 9

Static Checking for SQLCIVs

Our Goal

[Figure: Source U → Transformation addslashes() → U' → concatenated with T → Sink, check against policy. Abstract domain: (Integrity x String)* Set.]

How can we:
• model semantics of transformation?
• track integrity classes through transformations?
• check the value at the sink against our policy?

Page 10

SQLCIV Analysis Framework

Static Taint Analysis → Compliance Check

Page 11

String Analysis [Min05]

• CFGs model string sets
• Construct extended CFG from dataflow graph

[Figure: dataflow graph $_GET['sid'] → addslashes() → $sid → . → $query, with the constant SELECT… feeding the concatenation]

Extended CFG:
GETsid → Σ*
Sid → addslashes(GETsid)
C → SELECT…
Query → C Sid

Page 12

String Analysis [Min05]

• CFGs model string sets
• Construct extended CFG from dataflow graph

[Figure: the same dataflow graph with integrity labels: $_GET['sid'] is U, addslashes() yields U', SELECT… is T, and $query carries the labelled concatenation T U']

Extended CFG:
GETsid → Σ*
Sid → addslashes(GETsid)
C → SELECT…
Query → C Sid

Page 13

Modeling String Transformations

• Finite State Transducers model string functions
• Use FSTs to turn extended CFG into CFG

Extended CFG:
GETsid → Σ*
Sid → addslashes(GETsid)
C → SELECT…
Query → C Sid

[Figure: FST for stripslashes(), transitions labelled Input / Output as extracted: \ / ε, ' / ', A / \A, \ / \, B / B, with A ∈ Σ\{'} and B ∈ Σ\{\}. Example: O\'Brian → O'Brian]
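As an added example (not the slides' own code nor the authors' analyzer), the two string functions from Page 3 and Page 13 written out as finite-state transducers in Python: addslashes() and stripslashes(), run on the slide's O\'Brian string and on the numeric input from Page 3. The names run_fst, ADDSLASHES and STRIPSLASHES are this example's own.

```python
# Added example, not from the slides: PHP's addslashes() and stripslashes()
# modelled as finite-state transducers, the way Page 13 models string functions.
# A transducer here is {state: [(accepts(ch), emit(ch), next_state), ...]};
# the first matching transition fires, so the specific ones are listed first.
ESCAPED = set("'\"\\")          # characters addslashes() escapes (NUL omitted)

def run_fst(transitions, start, text):
    """Run a deterministic FST over text; return (output, final_state)."""
    state, out = start, []
    for ch in text:
        for accepts, emit, nxt in transitions[state]:
            if accepts(ch):
                out.append(emit(ch))
                state = nxt
                break
        else:
            raise ValueError(f"no transition from state {state} on {ch!r}")
    return "".join(out), state

# addslashes(): one state. ' " \ come out with a leading backslash
# (' / \' in the slide's input / output notation); everything else is copied.
ADDSLASHES = {
    0: [(lambda c: c in ESCAPED, lambda c: "\\" + c, 0),
        (lambda c: True,         lambda c: c,        0)],
}

# stripslashes(): state 0 copies ordinary characters (B / B, B in Sigma\{\})
# and drops a backslash while moving to state 1 (\ / epsilon); state 1 copies
# whatever follows the backslash literally and returns to state 0.
STRIPSLASHES = {
    0: [(lambda c: c == "\\", lambda c: "", 1),
        (lambda c: True,      lambda c: c,  0)],
    1: [(lambda c: True,      lambda c: c,  0)],
}

def addslashes(s):
    return run_fst(ADDSLASHES, 0, s)[0]

def stripslashes(s):
    return run_fst(STRIPSLASHES, 0, s)[0]

if __name__ == "__main__":
    print(stripslashes("O\\'Brian"))   # the slide's example: O'Brian
    # Page 3: on input without quotes or backslashes the sanitizer is the
    # identity, which is why it does nothing for a numeric context.
    print(addslashes("78 OR 1 = 1"))
```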

Page 14: Sound and Precise Analysis         of Web Applications               for Injection Vulnerabilities

S ! a S ! S XX !

a*

S01 ! aX11 ! [0-9]S01 ! S01 X11

Tracking Integrity Classes

0 1a-z0-9

S01X11

[a-z][0-9]*

• Find CFG-FSA intersection via CFL-reachability

• Propagate labels to corresponding nonterminals

• Use this algorithm to find CFG’s image over FST

a[0-9]*
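The intersection step from this page, as an added example that is neither the slides' nor Minamide's code: CFL-reachability in the Bar-Hillel style, labelling each nonterminal with the pair of FSA states it spans, run on the slide's grammar and automaton. The names intersect, SLIDE_GRAMMAR and SLIDE_FSA are this example's own; it handles terminal and binary productions only, which is all the slide grammar needs.

```python
# Added example, not from the slides: intersect a CFG with an FSA by
# CFL-reachability, labelling each nonterminal A with the state pair (i, j)
# it spans, exactly as the slide turns S and X into S01 and X11.
# Productions are (lhs, rhs): rhs is a frozenset of chars (a terminal class)
# or a pair of nonterminals. Unit productions are not handled.
from string import ascii_lowercase, digits

def intersect(productions, fsa, start, finals, start_symbol):
    """Return (labelled productions, accepting start nonterminals).
    fsa is a list of (src, frozenset(chars), dst) transitions."""
    result, derivable = [], set()          # derivable = {(A, i, j)}
    for lhs, rhs in productions:           # terminal step: A -> class
        if isinstance(rhs, frozenset):
            for i, cls, j in fsa:
                if rhs & cls:              # some char of the class moves i -> j
                    derivable.add((lhs, i, j))
                    result.append(((lhs, i, j), rhs & cls))
    changed = True                         # fixpoint for A -> B C: B_ik C_kj
    while changed:
        changed = False
        for lhs, (B, C) in [p for p in productions if not isinstance(p[1], frozenset)]:
            for (b, i, k) in list(derivable):
                if b != B:
                    continue
                for (c, k2, j) in list(derivable):
                    prod = ((lhs, i, j), ((B, i, k), (C, k, j)))
                    if c == C and k2 == k and prod not in result:
                        result.append(prod)
                        derivable.add((lhs, i, j))
                        changed = True
    accepting = [(start_symbol, start, f) for f in finals
                 if (start_symbol, start, f) in derivable]
    return result, accepting

# The slide's instance: G = {S -> a, S -> S X, X -> [0-9]} intersected with
# the FSA 0 -[a-z]-> 1 -[0-9]-> 1, final state 1 (language [a-z][0-9]*).
SLIDE_GRAMMAR = [("S", frozenset("a")), ("S", ("S", "X")), ("X", frozenset(digits))]
SLIDE_FSA = [(0, frozenset(ascii_lowercase), 1), (1, frozenset(digits), 1)]

def slide_example():
    return intersect(SLIDE_GRAMMAR, SLIDE_FSA, 0, {1}, "S")

if __name__ == "__main__":
    prods, accepting = slide_example()     # S01 -> a, X11 -> [0-9], S01 -> S01 X11
    for (a, i, j), rhs in prods:
        body = "".join(sorted(rhs)) if isinstance(rhs, frozenset) \
            else " ".join(f"{n}{p}{q}" for n, p, q in rhs)
        print(f"{a}{i}{j} -> {body}")
    print("accepting:", [f"{a}{i}{j}" for a, i, j in accepting])
```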



Page 17

Policy Conformance

• Use SQL grammar as reference grammar
• Check "literals" case with regular languages
• Untrusted input – not in quoted context, not numeric, includes SQL code
  – DIRECT if immediately affected by user
  – INDIRECT if affected by previous query answer

GETsid' → (Σ\{'} ∪ {\'})*
Sid → GETsid'
C → SELECT * FROM users WHERE id =
Query → C Sid

Page 18

Evaluation: Results

• Modified Minamide's PHP String Analyzer
• Evaluated on 6 real-world PHP web apps

Subject   | Lines   | String-Taint time (h:mm:ss) | Policy Conformance time (h:mm:ss) | Real errors: Direct | Real errors: Indirect | False errors
Claroline | 169,479 | 3:04:11 | 0:02:22 | 30 | 11 | 24
e107      | 132,862 | 1:08:05 | 0:01:39 |  4 |  8 | 15
EVE       |     904 | 0:00:01 | 0:00:04 |  4 |  0 |  1
Tiger     |  14,350 | 3:14:07 | 3:27:50 |  0 |  3 |  2
Utopia    |   5,438 | 0:13:10 | 0:00:48 | 14 |  2 | 12
Warp      |  24,365 | 0:00:52 | 0:04:49 |  0 |  0 |  0

Page 19

Example Vulnerability

isset($_GET['userid']) ? $userid = $_GET['userid'] : $userid = '';
if (!eregi('[0-9]+', $userid)) {
    unp_msg('invalid user ID.');
    exit;
}
$getuser = $DB->query("SELECT * FROM `unp_user` WHERE userid='$userid'");

The pattern is unanchored, so any value containing at least one digit passes the check. Should be '^[0-9]+$'

Page 20

False Positive

CASTING PROBLEMS

Page 21

Indirect Error

Verified

Returned from DB?

Page 22

Conclusions

• Achieved accurate checking for SQLCIVs by tracking string values and sources
• Successfully applied to real-world PHP programs and found subtle vulnerabilities
• Future work:
  – Improve error reports
  – Apply to XSS

