
SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS Towards Security Vulnerability Detection by Source Code Model Checking Keqin Li April, 2010.


1 Towards Security Vulnerability Detection by Source Code Model Checking
Keqin Li
April 2010

2 Motivation
Programming guidelines
Source code model checking
  Java PathFinder (JPF)
  Bandera, Kansas State University
  ...
Proposed approach
  Formalize programming guidelines as temporal properties
  Check whether the programming guidelines are followed by source code model checking

3 Overview
© SAP 2008 / Standard Presentation / Page 3
1. Motivation
2. Security programming guidelines
   Secure logging
   Cross Site Scripting
3. Source code model checking
   Bandera tool set
   Temporal property specification in Bandera
4. Property specification
   Secure logging
   Cross Site Scripting
5. Conclusion

4 Secure logging
Before sensitive information is logged, it must be encrypted in order to prevent information leakage.
Logging APIs
  Category myCat = Category.getCategory("/System/Database");
  myCat.warningT("Sample message" + password);
  /* fatalT() ; errorT() ; infoT() ; pathT() ; debugT() ; */
Encryption APIs
  ISsfData data;
  profile = new SsfProfileKeyStore(keyStore, alias, null);
  result = data.encrypt(profile);

5 Cross Site Scripting
Cross-Site Scripting (XSS) attacks
SAP Output Encoding Framework
Four different cases

6 Case 1: string from a user is output between tags
HTML example
  [CASE1-A]
  Username [CASE1-B]
Attack example
  <script>alert();</script>
Encoding functions to be used
  static String escapeToHTML(String input);
  static String escapeToHTML(StringBuffer sb, String input, int maxLength);
  static String escapeToHTML(String input, int maxLength);

7 Case 1: sample program
  public void doContent(String title) {
      String my_title, my_user;
      // encode before the value is placed between tags (case 1)
      my_title = StringUtils.escapeToHTML(title);
      response.write("<...>" + my_title + "</...>");                 // tag literals elided
      if ((my_user = getUsernameByID(userid)) != null) {
          // the maxLength variant truncates as well as encodes
          my_user = StringUtils.escapeToHTML(my_user, 30);
          response.write("<...>Username<...> " + my_user + "<...>");  // tag literals elided
      }
  }

8 Case 2: string from a user is output inside a tag (as an attribute value), and the output is not a URL or style
Encoding functions to be used
  static String escapeToAttributeValue(String input);
  static String escapeToAttributeValue(StringBuffer sb, String input, int maxLength);
  static String escapeToAttributeValue(String input, int maxLength);

9 Case 3: string from a user is output as a URL or style value
Encoding functions to be used
  static String escapeToURL(String input);
  static String escapeToURL(StringBuffer sb, String input, int maxLength);
  static String escapeToURL(String input, int maxLength);

10 Case 4: string from a user is output inside a SCRIPT context
HTML example
  var a = [CASE4];
Encoding functions to be used
  static String escapeToJS(String input);
  static String escapeToJS(StringBuffer sb, String input, int maxLength);
  static String escapeToJS(String input, int maxLength);
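The four cases above each call for a different encoder, and the guideline the deck later formalizes is exactly "the encoder matching the output context was called before the write". As an added example (Python, not SAP's StringUtils and not code from the slides), the block below gives one illustrative encoder per case and shows what goes wrong when the case 1 encoder is used in a case 2 or case 4 context. The templates, payloads and function names are constructed for this illustration.

```python
import html
import re
from urllib.parse import quote

# Added example, not SAP code: one encoder per output context (the four cases above).


def escape_to_html(s: str) -> str:
    """Case 1: text between tags. Encodes & < > " ' so the data cannot start a tag."""
    return html.escape(s, quote=True)


def escape_to_attribute_value(s: str) -> str:
    """Case 2: attribute value that is not a URL or style. Every character outside
    [A-Za-z0-9] becomes a numeric entity, so the data can neither close the
    attribute nor, if the quotes were forgotten, start a new one (space and = too)."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: f"&#x{ord(m.group()):X};", s)


def escape_to_url(s: str) -> str:
    """Case 3: a URL or URL component. Percent-encoding everything leaves no ':'
    for a javascript: scheme and no quote that could end the attribute."""
    return quote(s, safe="")


def escape_to_js(s: str) -> str:
    """Case 4: inside a JavaScript string literal in a SCRIPT context. \\xHH and
    \\uHHHH escapes make quotes, backslashes, newlines and </script> inert to
    both the JavaScript tokenizer and the HTML parser."""
    out = []
    for ch in s:
        cp = ord(ch)
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif cp < 0x100:
            out.append(f"\\x{cp:02X}")
        else:
            out.append(f"\\u{cp:04X}")
    return "".join(out)


ENCODER_FOR_CASE = {1: escape_to_html, 2: escape_to_attribute_value,
                    3: escape_to_url, 4: escape_to_js}

# Constructed templates standing in for the HTML examples of the four cases.
TEMPLATES = {
    1: "<b>Username</b> {}",                # CASE1-B: between tags
    2: "<input value={}>",                  # CASE2 with the attribute quotes forgotten
    3: '<a href="{}">link</a>',             # CASE3: URL
    4: "<script>var a = '{}';</script>",    # CASE4: JavaScript string literal
}


def render(case: int, user_input: str, encoder=None) -> str:
    """Render user input into the template for `case`; default encoder is the
    correct one for that case."""
    encoder = encoder or ENCODER_FOR_CASE[case]
    return TEMPLATES[case].format(encoder(user_input))


# Constructed payloads, one per context.
PAYLOAD_TEXT = "<script>alert();</script>"      # the slide 6 attack example
PAYLOAD_ATTR = "x onmouseover=alert(1)"         # contains none of & < > " '
PAYLOAD_URL = "javascript:alert(1)"
PAYLOAD_JS = "'; alert(1); //"


def wrong_encoder_still_injects_attribute() -> bool:
    """Case 1 encoder in a case 2 context: the payload passes through unchanged
    and becomes a second attribute of the <input> tag."""
    return " onmouseover=" in render(2, PAYLOAD_ATTR, escape_to_html)


def right_encoder_blocks_attribute() -> bool:
    return " onmouseover=" not in render(2, PAYLOAD_ATTR)
```

The attribute case is the one that bites most often: `escape_to_html` leaves `x onmouseover=alert(1)` byte-for-byte intact because the payload needs no `<`, `>`, `&` or quote, while `escape_to_attribute_value` turns the space and `=` into entities. In the script context the HTML encoder does stop the quote from closing the literal, but the browser does not HTML-decode inside `<script>`, so the program now works on the corrupted string `&#x27;; alert(1); //` rather than on the user's data; only `escape_to_js` preserves the value and neutralizes it.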

11 Bandera Tool Set

12 Predicates in BSL
Location insensitive
  Expression predicate    EXP <name> : <java-expression>
Location sensitive (defined in the method header documentation)
  Invocation predicate    INVOKE <name>(<params>) [: <java-expression>]
  Location predicate      LOCATION[<label>] <name> [: <java-expression>]  (?)
  Return predicate        RETURN <name>(<params>) [: <java-expression>]

13 Example
(Annotated code screenshot labelled: expression predicate, return predicate, invocation predicate.)

14 Specifying temporal property

15 Temporal property patterns
  Absence:      a given state/event does not occur within a scope
  Existence:    a given state/event must occur within a scope
  Universality: a given state/event occurs throughout a scope
  Precedence:   a state/event P must always be preceded by a state/event Q within a scope
  Response:     a state/event P must always be followed by a state/event Q within a scope
  ...

16 Scopes

17 http://patterns.projects.cis.ksu.edu/

18 Syntax
"Over the 555 example specifications we collected, 511 (92%) matched one of our patterns"

19 Secure logging: target program
  void main () {
      String secret = new String() ;
      ISsfProfile profile = new ISsfProfile() ;
      /* secret.encrypt( profile ) ; */          // encryption step left out: the guideline is violated
      Category myCat = new Category() ;
      myCat.warningT( secret );
  }

20 Secure logging: auxiliary file
  class String {
      // "a string is confidential"
      public boolean isConf ;
      public String() { isConf = false ; }
      // "a string is encrypted"
      /**
       * @observable
       *   INVOKE call(this, ISsfProfile profile) ;
       */
      public void encrypt ( ISsfProfile profile ) { }
  }
  class Category {
      // "a string is logged"
      /**
       * @observable
       *   INVOKE call(this, String m) ;
       */
      public void errorT( String m ) { }
      /**
       * @observable
       *   INVOKE call(this, String m) ;
       */
      public void warningT( String m ) { }
  }
Pre-processing of the confidentiality annotation:
  String mystr ; /* confidential */   =>   String mystr ; mystr.isConf = true ;

21 Property formalization
Informally
  If a string s is confidential, then before errorT(s) or warningT(s) is called, s.encrypt() should be called.
Using LTL
  P = s.isConf ∧ (Category.errorT.call(c, s) ∨ Category.warningT.call(c, s))
  S = String.encrypt.call(s, prof)
  F P → (¬P U (S ∧ ¬P))
Using BSL
  S precedes P globally

22 F P → (¬P U (S ∧ ¬P))
(Diagram: a trace s1 … s6 annotated with the events "confidential string is encrypted" (S) and "confidential string is logged" (P) and the values of F P, ¬P and ¬P U (S ∧ ¬P) along it.)

23 Procedure
  annotated source        ... String str; /* confidential */ ...
        |
        |  Pre-processor
        v
  instrumented source     ... String str; str.isConf = true; ...
        |
        v
  Model Checker (Bandera)  <--  property:        S precedes P globally
        |                  <--  auxiliary file:  /**
        |                                         * @observable
        |                                         *   INVOKE call(this, String m) ;
        |                                         */
        |                                        public void errorT( String m ) { }
        v
  result

24 Cross Site Scripting: target program
  public class SampleServlet extends HttpServlet {
      public void doGet(HttpServletRequest request, HttpServletResponse response)
              throws ServletException, IOException {
          // Use "request" to read incoming HTTP headers and HTML form data
          String input = request.getParameter("Input");
          // Use "response" to specify the HTTP response line and headers
          PrintWriter out = response.getWriter();
          // case 1: output between tags
          out.write("<...>");                           // tag literal elided
          // input = StringUtils.escapeToHTML(input);
          out.write(input);
          out.write("</...>");
          // case 4: output inside a SCRIPT context
          out.write("<script>");
          // input = StringUtils.escapeToJS(input);
          out.write(input);
          out.write("</script>");
      }
  }

25 Cross Site Scripting: auxiliary file
  class HttpServletRequest {
      public HttpServletRequest() { }
      // "a string is obtained from user input"
      /**
       * @observable
       *   RETURN from_input(this, String str): ( $ret == str ) ;
       */
      public String getParameter( String field ) {
          String temp_str = new String() ;
          return temp_str ;
      }
  }
  class PrintWriter {
      // "output is between JavaScript tags"
      public boolean js = false ;
      public PrintWriter() { }
      // js_begin / js_end: "JavaScript tags are output";  call: "a string is output"
      /**
       * @observable
       *   INVOKE js_begin(this, String str): ( str == "<script>" ) ;
       *   INVOKE js_end(this, String str): ( str == "</script>" ) ;
       *   INVOKE call(this, String str) ;
       */
      public void write( String str ) {
          if( str == "<script>" ) js = true ;
          if( str == "</script>" ) js = false ;
      }
  }

26 Cross Site Scripting: auxiliary file (continued)
  class StringUtils {
      // "encoding function for CASE 1 is called"
      /**
       * @observable
       *   INVOKE call(this, String str) ;
       */
      static String escapeToHTML( String str ) {
          String temp_str = new String() ;
          return temp_str ;
      }
      // "encoding function for CASE 4 is called"
      /**
       * @observable
       *   INVOKE call(this, String str) ;
       */
      static String escapeToJS( String str ) {
          String temp_str = new String() ;
          return temp_str ;
      }
  }

27 Property formalization 1
Informally
  If a string s is obtained from user input, then before write(s) is called, escapeToHTML(s) or escapeToJS(s) should be called.
Using LTL
  R = HttpServletRequest.getParameter.from_input(s)
  S = StringUtils.escapeToHTML.call(s) ∨ StringUtils.escapeToJS.call(s)
  P = PrintWriter.write.call(s)
  F P → ((R → (¬P U (S ∧ ¬P))) U P)
Using BSL
  S responds to R before P

28 F P → ((R → (¬P U (S ∧ ¬P))) U P)
(Diagram: a trace s1 … s6 annotated with "user input is obtained" (R), "user input is encoded" (S) and "user input is output" (P), and the values of F P, ¬P, ¬P U (S ∧ ¬P) and (R → (¬P U (S ∧ ¬P))) U P along it; the last row is marked "???".)

29 F P → ((R → (¬P U (S ∧ ¬P))) U P)
(Diagram: the same trace s1 … s6 with R, S and P, and the values of F P, ¬P, ¬P U (S ∧ ¬P), R → (¬P U (S ∧ ¬P)) and (R → (¬P U (S ∧ ¬P))) U P along it.)

30 Property formalization 2
Informally
  If a string s is obtained from user input, and write(s) is called between write("<script>") and write("</script>"), then escapeToJS(s) should be called before write(s).
Using LTL
  R = HttpServletRequest.getParameter.from_input(s)
  S = StringUtils.escapeToJS.call(s)
  P = PrintWriter.write.call(s) ∧ (PrintWriter.js == true)
  F P → ((R → (¬P U (S ∧ ¬P))) U P)
Using BSL
  S responds to R before P

31 Conclusion
The first step
  Auxiliary files are written
  Properties are specified
Benefits seen
  The additional effort needed from developers is minor
  Auxiliary files and property specifications are provided by security and formal-method experts and can be reused across projects
Next steps
  Consider string assignment, concatenation, etc.
  Try bigger programs
  Improve Bandera 0.3 or find something else
  Try more programming guidelines

32 Thank you!

33 Background: linear-time temporal logic
Syntax
  ϕ ::= p | (¬ϕ) | (ϕ ∧ ϕ) | (G ϕ) | (F ϕ) | (X ϕ) | (ϕ U ϕ)
Evaluation
  An LTL formula is evaluated on a path, or a set of paths.
  A set of paths satisfies ϕ if every path in the set satisfies ϕ.
  Consider the path π = s_1 s_2 …; we write π^i for the suffix starting at s_i, i.e., π^i is s_i s_{i+1} …

34 Background: semantics
Using a model M = (S, →, L), we define when a path π satisfies an LTL formula via the satisfaction relation ⊨ as follows:
  π ⊨ p           iff  p ∈ L(s_1)
  π ⊨ ¬ϕ          iff  π ⊭ ϕ
  π ⊨ ϕ_1 ∧ ϕ_2   iff  π ⊨ ϕ_1 and π ⊨ ϕ_2
  π ⊨ X ϕ         iff  π^2 ⊨ ϕ
  π ⊨ G ϕ         iff  for all i ≥ 1, π^i ⊨ ϕ
  π ⊨ F ϕ         iff  for some i ≥ 1, π^i ⊨ ϕ
  π ⊨ ϕ_1 U ϕ_2   iff  there is some i ≥ 1 such that π^i ⊨ ϕ_2 and for all j = 1, …, i − 1 we have π^j ⊨ ϕ_1
An LTL formula ϕ is satisfied in a state s of a model M if ϕ is satisfied on every path starting at s.
  ϕ_1 W ϕ_2 ≡ (ϕ_1 U ϕ_2) ∨ G ϕ_1
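The semantics above can be executed rather than just read. As an added example (Python; not code from the slides and not part of Bandera), the block below implements the satisfaction relation on finite traces, encodes the three patterns the deck uses (S precedes P globally on slide 21, S responds to R before P on slides 27 and 30, absence on slide 36), and checks them against constructed traces of the slide 19 logging program and the slide 24 servlet. The traces are my modelling assumptions: each state is the set of observable predicates true there, the `js` flag of the auxiliary PrintWriter is treated as a state proposition, and a finite trace is taken to be the whole execution, so X at the last state is false and G ranges over the remaining states. In the real tool chain Bandera derives these states from the Java program and the auxiliary files.

```python
from typing import FrozenSet, List, Sequence

# Added example, not from the slides: finite-trace LTL with the deck's patterns.
Formula = tuple
State = FrozenSet[str]
Path = Sequence[State]

# Formula constructors (nested tuples keep the evaluator free of classes).
def ap(name: str) -> Formula: return ("ap", name)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def disj(f, g): return ("or", f, g)
def implies(f, g): return ("implies", f, g)
def X(f): return ("X", f)
def G(f): return ("G", f)
def F(f): return ("F", f)
def U(f, g): return ("U", f, g)
def W(f, g): return ("W", f, g)


def sat(path: Path, i: int, f: Formula) -> bool:
    """pi^i |= f for the suffix of `path` starting at index i (0-based here;
    the slides number states from 1). Finite-trace reading of slide 34."""
    op = f[0]
    if op == "ap":      return f[1] in path[i]                          # p in L(s_i)
    if op == "not":     return not sat(path, i, f[1])
    if op == "and":     return sat(path, i, f[1]) and sat(path, i, f[2])
    if op == "or":      return sat(path, i, f[1]) or sat(path, i, f[2])
    if op == "implies": return not sat(path, i, f[1]) or sat(path, i, f[2])
    if op == "X":       return i + 1 < len(path) and sat(path, i + 1, f[1])
    if op == "G":       return all(sat(path, j, f[1]) for j in range(i, len(path)))
    if op == "F":       return any(sat(path, j, f[1]) for j in range(i, len(path)))
    if op == "U":       # some j >= i with f2, and f1 at every k in [i, j)
        return any(sat(path, j, f[2]) and all(sat(path, k, f[1]) for k in range(i, j))
                   for j in range(i, len(path)))
    if op == "W":       # f1 W f2 = (f1 U f2) or G f1
        return sat(path, i, U(f[1], f[2])) or sat(path, i, G(f[1]))
    raise ValueError(f"unknown operator {op!r}")


def holds(path: Path, f: Formula) -> bool:
    """A formula is checked from the initial state s_1 of a non-empty path."""
    assert path, "a trace needs at least one state"
    return sat(path, 0, f)


def precedes_globally(S: Formula, P: Formula) -> Formula:
    """'S precedes P globally' (slide 21):  F P -> (!P U (S & !P))"""
    return implies(F(P), U(neg(P), conj(S, neg(P))))


def responds_to_before(S: Formula, R: Formula, P: Formula) -> Formula:
    """'S responds to R before P' (slides 27, 30):  F P -> ((R -> (!P U (S & !P))) U P)"""
    return implies(F(P), U(implies(R, U(neg(P), conj(S, neg(P)))), P))


def absent_globally(P: Formula) -> Formula:
    """'P is absent globally' (slide 36):  G !P"""
    return G(neg(P))


def trace(*states: str) -> List[State]:
    """One argument per state: the space-separated predicates true there ('' = none)."""
    return [frozenset(s.split()) for s in states]


# Secure logging. P: a confidential string is logged; S: encrypt() is called on it.
SECURE_LOGGING = precedes_globally(ap("S"), ap("P"))
LOGGING_AS_SHIPPED = trace("", "", "", "P")          # slide 19: encrypt() commented out
LOGGING_FIXED = trace("", "", "S", "", "P")          # encrypt() restored before warningT()
# Slide 36 variant: the guard sits in the predicate, so 'leak' fires only when a
# confidential and still unencrypted string reaches errorT/warningT.
NO_LEAK = absent_globally(ap("leak"))
LOGGING_LEAK = trace("", "", "", "leak")

# XSS. R: read via getParameter; S_html / S_js: encoder called; write: string written;
# js: PrintWriter.js is true, i.e. we are between write("<script>") and write("</script>").
R, S_HTML, S_JS, WRITE, JS = ap("R"), ap("S_html"), ap("S_js"), ap("write"), ap("js")
XSS_ANY_ENCODER = responds_to_before(disj(S_HTML, S_JS), R, WRITE)        # formalization 1
XSS_SCRIPT_CONTEXT = responds_to_before(S_JS, R, conj(WRITE, JS))           # formalization 2
SERVLET_AS_SHIPPED = trace("R", "write", "js", "write js", "")             # both encoders commented out
SERVLET_HTML_ONLY = trace("R", "S_html", "write", "js", "write js", "")    # case 1 fixed, case 4 not
SERVLET_FIXED = trace("R", "S_html", "write", "js", "S_js js", "write js", "")
ENCODED_TOO_LATE = trace("R", "write", "S_html")                            # encoder called after the write


def check_all() -> dict:
    """Every guideline check in one place: True means the trace respects the property."""
    return {
        "logging as shipped": holds(LOGGING_AS_SHIPPED, SECURE_LOGGING),
        "logging fixed": holds(LOGGING_FIXED, SECURE_LOGGING),
        "leak predicate variant": holds(LOGGING_LEAK, NO_LEAK),
        "servlet as shipped, f1": holds(SERVLET_AS_SHIPPED, XSS_ANY_ENCODER),
        "servlet html only, f1": holds(SERVLET_HTML_ONLY, XSS_ANY_ENCODER),
        "servlet html only, f2": holds(SERVLET_HTML_ONLY, XSS_SCRIPT_CONTEXT),
        "servlet fixed, f2": holds(SERVLET_FIXED, XSS_SCRIPT_CONTEXT),
        "encoded too late, f1": holds(ENCODED_TOO_LATE, XSS_ANY_ENCODER),
    }


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:26s} {'satisfied' if ok else 'VIOLATED'}")
```

Two things the traces make visible that the formulas alone do not. Formalization 1 accepts a servlet that calls only escapeToHTML and then writes the same string inside `<script>`: any encoder discharges S, so the case 4 hole goes unnoticed, which is why slide 30 adds the `js` flag to P. And calling the encoder after the write fails the precedence pattern even though S does eventually occur, because ¬P must hold at every state before S.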

35 Secure logging: guard in the invocation predicate
  class String {
      public boolean isConf ;
      public boolean isEncrypted ;
      public String() { isConf = false ; isEncrypted = false ; }
      public void encrypt ( ISsfProfile profile ) { isEncrypted = true ; }
  }
  class Category {
      /**
       * @observable
       *   INVOKE call(this, String m) :
       *     ( ( m.isConf == true ) && ( m.isEncrypted == false ) ) ;
       */
      public void errorT( String m ) { }
      /**
       * @observable
       *   INVOKE call(this, String m) :
       *     ( ( m.isConf == true ) && ( m.isEncrypted == false ) ) ;
       */
      public void warningT( String m ) { }
  }
Pre-processing of the confidentiality annotation, as before:
  String mystr ; /* confidential */   =>   String mystr ; mystr.isConf = true ;

36 Formalization
Using LTL
  G ¬(Category.errorT.call(c, s) ∨ Category.warningT.call(c, s))
Using BSL
  forall[c: Category].forall[s: String] {
      Category.errorT.call(c, s) || Category.warningT.call(c, s)
  } is absent globally

37 Copyright 2007 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
