Page 1
Sooel Son, Kathryn S. McKinley, Vitaly Shmatikov
UT Austin and Microsoft Research
Page 2
… a developer exposes a reference to an internal implementation object … Without an access-control check, attackers can access unauthorized data.
Page 3
(From WhiteHat Website Security Report 2012)
Page 4
Exploits incomplete access-control enforcement

index.php:
```php
if ($_SESSION['user'] !== 'admin') { die("Unauthorized access"); }
……
```

http://host/delete.php?id=victim_id

CVE-2004-2144, CVE-2004-2257, CVE-2005-1688, CVE-2005-1697, CVE-2005-1698, CVE-2005-1827, CVE-2005-1654, CVE-2005-1668, CVE-2005-1892, CVE-2009-2960, CVE-2009-3168, CVE-2009-3597, CVE-2011-0316, CVE-2012-3030, CVE-2012-6451, ………
Page 5
Make sure that every entry is locked with the proper access-control logic.
Page 6
FixMeUp: a static program transformation tool for finding and fixing access-control bugs in PHP applications.

Given an example of correct access control, it:
1. Finds calling contexts that do not implement the correct access-control logic
2. Produces candidate repaired code that prevents forced-browsing attacks
Page 7
Workflow:
1. Example of access-control logic
2. Access-control template (ACT)
3. Apply the ACT to fix the bugs
4. Validate the repairs
Page 8
Example of access-control logic: if the user is NOT admin, exit the program; otherwise delete a certain user record.

```php
session_start();
if ($_SESSION['admin'] != 1) {
    header("Location: login.php");
    exit;
}
……
……
$sql = mysql_query("DELETE FROM domain_list WHERE dn_name='" . $dn_name . "'");
```

A second example of access-control logic:

```php
//@Access-control check
lockSession();
if (!empty($_SESSION['name']) && !empty($_SESSION['pass'])) {
    ……
    $logined = @mysql_affected_rows();
}
if ($logined !== 1 && !empty($_COOKIE[COOKIE_USER]) && !empty($_COOKIE[COOKIE_PASS])) {
    ……
    $logined = @mysql_affected_rows();
}
if ($logined !== 1) {
    unlockSessionAndDestroyAllCokies();
    sleep(5);
    header('Location: ' . QUERY_STRING_BLANK . 'login');
    die();
}
```
Page 9
Compute an ACT. Figure: the example's context (Stat 1, Stat 2, Stat 3, Invoke B, Stat 4, Stat 5, Stat 6, Invoke C, Stat 7, Stat 8, Access-control check, Exit) is reduced to the statements the access-control check depends on: Stat 2, Stat 5, Access-control check, Exit.
Page 10
Finds vulnerable contexts that do not implement the same logic as the ACT. Figure: each calling context that reaches a sensitive operation is compared against the ACT (Stat 1, Stat 2, Access-control check, exit):
◦ C1: Statement 1, Statement 2, Check 3, Statement 4, Sensitive-operation. MATCH?
◦ C2: Statement 5, Statement 6, Check 7, Statement 8, Sensitive-operation. MATCH?
Page 11
Replicates the ACT into the vulnerable context while reusing already existing statements. Figure:
◦ ACT: Stat 1, Stat 2, Access-control check, exit
◦ Vulnerable context: Stat 1’, Stat 2’, Stat 3’, Sensitive operation (Stat 1’ and Stat 2’ MATCH Stat 1 and Stat 2)
◦ Repaired context: Stat 1’, Stat 2’, Stat 3’, Access-control check’, exit, Sensitive operation
Page 12
Validate the repair: recompute the ACT on the repaired context (Stat 1, Stat 2, Stat 3, Access-control check’, exit’, Sensitive operation). ACT(repaired) should be the same as the original ACT (Stat 1, Stat 2, Access-control check, exit). No match? Issue a warning.
Page 13
Evaluation on 10 open-source interactive PHP server apps:
◦ Generated 38 repairs: 31 correct, 7 in addition to already existing access-control logic
◦ 28 partial repairs: reusing existing statements is important!
◦ 1 warning
◦ 1 unwanted side effect
Page 14
Repair examples (statements inserted by the tool are marked [FixMeUp repair]):

```php
include('class/common.php');                                   // [FixMeUp repair]
$GR_newone = new COMMON();                                     // [FixMeUp repair]
if (($_SESSION['no'] != 1)) {                                  // [FixMeUp repair]
    $GR_newone->error('Require admin priviledge', 1, 'CLOSE'); // [FixMeUp repair]
}
……
//@SSO('admin')
@unlink('data/' . $_POST['id'] . '/' . $_POST['filename']);
```

```php
include('class/common.php');                                   // existing statement
$GR = new COMMON();                                            // existing statement
if (($_SESSION['no'])) {                                       // [FixMeUp repair]
    $GR->error('Require login procedure');                     // [FixMeUp repair]
}
……
//@SSO('member')
@fwrite($tmpfs, $saveResult);
```
Page 15
Warning: after applying the ACT, the repaired code does not implement the same logic as the ACT.

Program entry (the ACT):
```php
include 'conf.php';
include_once 'includes.php';
session_start();
dbConnect();
if (!verifyuser()) {
    header('Location: ./login.php');
    exit;
}
```

Repaired context:
```php
session_start();                                 // existing statement
. . .
if ($confirm == "") {
    ....
} else if ($confirm == "yes") {
    dbConnect();                                 // existing statement
    if (!verifyuser()) {                         // [FixMeUp repair]
        header('Location: ./login.php');         // [FixMeUp repair]
        exit;                                    // [FixMeUp repair]
    }
    $sql = "DELETE FROM blogdata WHERE postid = $postid";
    $query = mysql_query($sql) or die("Cannot query the database.<br>" . mysql_error());
    .....
}
```
Page 16
Limitations: environmental data dependencies, eval, unwanted side effects. Figure: the ACT (Stat 1, Stat 2, Access-control check, exit) replicated into a context (Stat 1’, Stat 2’, Stat 3’, Sensitive Operation), with the question of whether the copied check and exit still behave the same there (exit ?).
Page 17
Avoiding unwanted side effects:
◦ Use fresh variable names: $local_var_1 = session_id() in the ACT becomes $local_var_1_new = session_id() in the repaired context.
◦ Do not replicate already existing statements: when the ACT's session_start(); include "a.php"; already precede the sensitive operation in the vulnerable context, they are reused rather than copied again.
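As an added illustration (not FixMeUp's own code), here is a toy Python model of the four steps on pages 9 to 12 together with the two rules on page 17: compute the ACT as the statements the check depends on, match contexts against it, repair by copying only the missing statements with fresh names for clashing locals, then recompute the ACT on the result. It assumes a simplified statement model (space-separated text plus def/use sets, contexts that end with their sensitive operation, a "_new" suffix for fresh names) and the sample contexts GOOD and BAD are constructed for the example.

```python
# Added example, not FixMeUp's code: a toy model of the slides' ACT workflow over
# straight-line contexts ending in their sensitive op (the real tool slices PHP).
from collections import namedtuple

# text: space-separated tokens; defs/uses: variables written/read; kind: stmt|check|sensitive
Stmt = namedtuple("Stmt", "text defs uses kind", defaults=(frozenset(), frozenset(), "stmt"))

def shape(s):  # variable names abstracted away, so fresh names still match
    return " ".join("$v" if t.startswith("$") else t for t in s.text.split())

def compute_act(context):
    """Page 9: the check plus every earlier statement it transitively depends on."""
    i = next(k for k, s in enumerate(context) if s.kind == "check")
    needed, act = set(context[i].uses), [context[i]]
    for s in reversed(context[:i]):
        if s.defs & needed:
            act.append(s)
            needed |= s.uses
    return act[::-1]

def matches_act(context, act):
    """Page 10: ACT statements must occur, in order, before the sensitive op (last)."""
    it = iter([shape(s) for s in context[:-1]])
    return all(sh in it for sh in map(shape, act))

def repair(context, act):
    """Pages 11/17: copy missing ACT statements, reusing existing ones, renaming clashes."""
    have, taken = {s.text for s in context[:-1]}, {v for s in context for v in s.defs}
    out, rename = [], {}
    for s in act:
        if s.text in have:
            continue                                  # reuse, do not replicate
        rename.update({v: v + "_new" for v in s.defs & taken})
        ren = lambda vs: frozenset(rename.get(v, v) for v in vs)
        out.append(Stmt(" ".join(rename.get(t, t) for t in s.text.split()),
                        ren(s.defs), ren(s.uses), s.kind))
    return context[:-1] + out + context[-1:]

def validate(repaired, act):
    """Page 12: recompute the ACT on the repaired context; a mismatch is a warning."""
    return [*map(shape, compute_act(repaired))] == [*map(shape, act)]

GOOD = [Stmt("session_start()", {"$_SESSION"}),     # constructed: the admin-only example
        Stmt("$local_var_1 = session_id()", {"$local_var_1"}),
        Stmt("$u = $_SESSION [ $local_var_1 ]", {"$u"}, {"$_SESSION", "$local_var_1"}),
        Stmt("if ( $u != admin ) exit", set(), {"$u"}, "check"),
        Stmt("mysql_query( DELETE )", kind="sensitive")]
BAD = [Stmt("session_start()", {"$_SESSION"}),      # constructed: same entry, no check
       Stmt("$local_var_1 = $_POST [ id ]", {"$local_var_1"}, {"$_POST"}),
       Stmt("unlink( $local_var_1 )", set(), {"$local_var_1"}, "sensitive")]
```

Running repair(BAD, compute_act(GOOD)) reuses the existing session_start(), inserts the remaining ACT statements with $local_var_1 renamed to $local_var_1_new, and validate() then confirms the recomputed ACT matches.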
Page 18
Related work:
◦ Static detection of access-control bugs
◦ Dynamic detection of access-control bugs
◦ Dynamic repair of software bugs
Page 19
Conclusions:
◦ FixMeUp computes code templates for access-control logic from examples
◦ Finds and repairs access-control bugs in PHP applications: reuses existing statements, avoids introducing unwanted dependencies
◦ Successfully repaired 30 access-control bugs in 10 real-world PHP applications