Die Präsentation wird geladen. Bitte warten

Die Präsentation wird geladen. Bitte warten

SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS Towards Security Vulnerability Detection by Source Code Model Checking Keqin Li April, 2010.

Ähnliche Präsentationen


Präsentation zum Thema: "SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS Towards Security Vulnerability Detection by Source Code Model Checking Keqin Li April, 2010."—  Präsentation transkript:

1 SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS Towards Security Vulnerability Detection by Source Code Model Checking Keqin Li April, 2010

2 Motivation Programming guidelines Source code model checking Java PathFinder (JPF) Bandera, Kansas State University... Proposed approach Formalize programming guidelines as temporal properties Checking whether the programming guidelines are followed by source code model checking

3 © SAP 2008 / Standard Presentation / Page 3 1.Motivation 2.Security programming guidelines Secure logging Cross Site Scripting 3.Source code modeling checking Bandera tool set Temporal property specification in Bandera 4.Property Specification Secure logging Cross Site Scripting 5.Conclusion Overview

4 Secure logging Before sensitive information is logged, it must be encrypted in order to prevent information leakage Logging APIs Category myCat = Category.getCategory("/System/Database"); myCat.warningT("Sample message" + password); /* fatalT() ; errorT() ; infoT() ; pathT() ; debugT() ; */ Encryption APIs ISsfData data; profile = new SsfProfileKeyStore(keyStore, alias, null); result = data.encrypt(profile); © SAP 2009 / Page 4

5 Cross Site Scripting Cross-Site Scripting (XSS) attacks SAP Output Encoding Framework Four different cases

6 Case 1: string from a user is output between tags HTML Example [CASE1-A] Username [CASE1-B] © SAP 2007 / QUB Presentation / Page 6 Attack Example alert(); Encoding functions to be used static String escapeToHTML(String input); static String escapeToHTML(StringBuffer sb, String input, int maxLength); static String escapeToHTML(String input, int maxLength);

7 Case 1: Sample program © SAP 2007 / QUB Presentation / Page 7 public void doContent(String title) { String my_title, my_user; my_title = StringUtils.escapeToHTML(title); response.write( + my_title + ); if ((my_user = getUsernameByID(userid)) != null) { my_user = StringUtils.escapeToHTML(my_user, 30); response.write( Username + my_user + ); }

8 Case 2: string from a user is output inside tags, and the output is not a URL or style HTML Example © SAP 2007 / QUB Presentation / Page 8 Encoding functions to be used static String escapeToAttributeValue(String input); static String escapeToAttributeValue(StringBuffer sb, String input, int maxLength); static String escapeToAttributeValue(String input, int maxLength);

9 Case 3: string from a user is output which is a URL or style HTML Example © SAP 2007 / QUB Presentation / Page 9 Encoding functions to be used static String escapeToURL(String input); static String escapeToURL(StringBuffer sb, String input, int maxLength); static String escapeToURL(String input, int maxLength);

10 Case 4: string from a user is output inside a SCRIPT context HTML Example var a = [CASE4]; © SAP 2007 / QUB Presentation / Page 10 Encoding functions to be used static String escapeToJS(String input); static String escapeToJS(StringBuffer sb, String input, int maxLength); static String escapeToJS(String input, int maxLength);

11 © SAP 2008 / Standard Presentation / Page 11 Bandera Tool Set

12 Predicates in BSL © SAP 2008 / Standard Presentation / Page 12 Location insensitive Expression predicate EXP : Location sensitive defined in method header documentation Invocation predicate INVOKE [: ] Location predicate LOCATION [ ] [: ] ? Return predicate RETURN [: ]

13 Example © SAP 2007 / QUB Presentation / Page 13 expression predicate return predicate invocation predicate

14 Specifying temporal property © SAP 2007 / QUB Presentation / Page 14

15 © SAP 2008 / Standard Presentation / Page 15 Temporal property pattern Absence: A given state/event does not occur within a scope Existence: A given state/event must occur within a scope Universality: A given state/event occurs throughout a scope Precedence: A state/event P must always be preceded by a state/event Q within a scope Response: A state/event P must always be followed by a state/event Q within a scope...

16 Scopes © SAP 2007 / QUB Presentation / Page 16

17 © SAP 2007 / QUB Presentation / Page 17

18 Syntax © SAP 2007 / QUB Presentation / Page 18 Over the 555 example specifications we collected, 511 (92%) matched one of our patterns

19 Secure logging: target program © SAP 2007 / QUB Presentation / Page 19 void main () { String secret = new String() ; ISsfProfile profile = new ISsfProfile() ; /* secret.encrypt( profile ) ; */ Category myCat = new Category() ; myCat.warningT( secret ); }

20 Secure logging: auxiliary file © SAP 2007 / QUB Presentation / Page 20 Class String { public boolean isConf ; public String() { isConf = false ; } /** * INVOKE call(this, ISsfProfile profile ) ; */ public void encrypt ( ISsfProfile profile ) { } class Category { /** * INVOKE call(this, String m) ; */ public void errorT( String m ) { } /** * INVOKE call(this, String m ; */ public void warningT( String m ) { } a string is encrypted String mystr ; /* confidential */ => String mystr ; mystr.isConf = true ; a string is logged a string is confidential

21 Property formalization Informally If a string s is confidential, before errorT(s) or warningT(s) is called, s.encrypt() should be called Using LTL P = s.isConf ( Category.errorT.call(c, s) Category.warningT.call(c, s) ) S = String.encrypt.call(s, prof) F P ( P U (S P))) Using BSL S proceeds P globally © SAP 2007 / QUB Presentation / Page 21

22 F P ( P U (S P))) © SAP 2007 / QUB Presentation / Page 22 s1s1 s2s2 s3s3 s4s4 s5s5 s6s6 P FPFP S P P U (S P) Confidential string is logged Confidential string is encrypted

23 Procedure © SAP 2007 / QUB Presentation / Page String str; /* confidential */... Pre-processor... String str; str.isConf = true;... Model Checker (Bandera)... S proceeds P globally... result... /** * INVOKE call(this, String m) ; */ public void errorT( String m ) { }...

24 Cross Site Scripting: target program © SAP 2007 / QUB Presentation / Page 24 public class SampleServlet extends HttpServlet { public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { // Use "request" to read incoming HTTP headers and HTML form data String input = request.getParameter(Input"); // Use "response" to specify the HTTP response line and headers PrintWriter out = response.getWriter(); // case 1 out.write(" "); // input = StringUtils.escapeToHTML(input); out.write(input); out.write(" "); // case 4 out.write(" ); // input = StringUtils.escapeToJS(input); out.write(input); out.write(" "); } }

25 Cross Site Scripting: auxiliary file class HttpServletRequest { public HttpServletRequest() { } /** * RETURN from_input(this, String str): ( $ret == str ) ; */ public String getParameter( String field ) { String temp_str = new String() ; return temp_str ; } class PrintWriter { public boolean js = false ; public PrintWriter() { } /** * INVOKE js_begin(this, String str): ( str == " " ) ; * INVOKE js_end(this, String str): ( str == " " ) ; * INVOKE call(this, String str); */ public void write( String str ) { if( str == ) js = true ; if( str == ) js = false ; } A string is obtained from user input JavaScript tags are output A string is output Output is between JavaScript tags

26 Continue © SAP 2007 / QUB Presentation / Page 26 class StringUtils { /** * INVOKE call(this, String str); */ static String escapeToHTML( String str ) { String temp_str = new String() ; return temp_str ; } /** * INVOKE call(this, String str); */ static String escapeToJS( String str ) { String temp_str = new String() ; return temp_str ; } Encoding function for CASE 1 is called Encoding function for CASE 4 is called

27 Property formalization 1 Informally If a string s is obtained from user input, before write(s) is called, escapeToHTML(s) or escapeToJS(s) should be called Using LTL R = HttpServletRequest.getParameter.from_input(s) S = StringUtils.escapeToHTML.call(s) StringUtils.escapeToJS.call(s) P = PrintWriter.write.call(s) F P (R (!P U (S !P))) U P Using BSL S responds to R before P © SAP 2007 / QUB Presentation / Page 27

28 F P (R (!P U (S !P))) U P © SAP 2007 / QUB Presentation / Page 28 s1s1 s2s2 s3s3 s4s4 s5s5 s6s6 User input is output P FPFP User input is obtained R User input is encoded S P !P U (S !P) (R (!P U (S !P))) U P ???

29 F P (R (!P U (S !P))) U P © SAP 2007 / QUB Presentation / Page 29 s1s1 s2s2 s3s3 s4s4 s5s5 s6s6 P FPFP R S P !P U (S !P) R (!P U (S !P)) (R (!P U (S !P))) U P

30 Property formalization 2 Informally If a string s is obtained from user input, and write(s) is called between write( ) and write( ), escapeToJS(s) should be called Using LTL R = HttpServletRequest.getParameter.from_input(s) S = StringUtils.escapeToJS.call(s) P = PrintWriter.write.call(s) (PrintWriter.js == true) F P (R (!P U (S !P))) U P Using BSL S responds to R before P © SAP 2007 / QUB Presentation / Page 30

31 Conclusion The first step Auxiliary files are made Properties are specified Benefits seen Additional effort needed for developers are minor Auxiliary files and property specification are provided by security and formal method experts, and could be used across projects Next steps Consider string assignment, concatenation, etc. Try bigger programs Improve Bandera 0.3 or find something else Try more programming guidelines

32 Thank you!

33 Background: Linear-time temporal logic © SAP 2007 / QUB Presentation / Page 33 Syntax ϕ ::= p | ( ϕ ) | ( ϕ ϕ ) | (G ϕ ) | (F ϕ ) | (X ϕ ) | ( ϕ U ϕ ) Evaluation An LTL formula is evaluated on a path, or a set of paths A set of paths satisfies ϕ if every path in the set satisfies ϕ Consider the path = s 1 s 2... ; we write i for the suffix starting at s i, i.e., i is s i s i+1...

34 Background: Semantics © SAP 2007 / QUB Presentation / Page 34 Using a model M = (S,, L), we define when a path satisfies an LTL formula via the satisfaction relation as follows p iff p L(s 1 ) ϕ iff ( ϕ ) ϕ 1 ϕ 2 iff ϕ 1 and ϕ 2 X ϕ iff 2 ϕ G ϕ iff for all i 1, i ϕ F ϕ iff for some i 1, i ϕ ϕ 1 U ϕ 2 iff there is some i 1 such that i ϕ 2 and for all j = 1,..., i – 1 we have j ϕ 1 An LTL formula ϕ is satisfied in a state s of a model M if ϕ is satisfied on every path starting at s ϕ 1 W ϕ 2 = ϕ 1 U ϕ 2 G ϕ 1

35 Secure logging © SAP 2007 / QUB Presentation / Page 35 Class String { public boolean isConf ; public boolean isEncrypted ; public String() { isConf = false ; isEncrypted = false ; } public void encrypt ( ISsfProfile profile ) { isEncrypted = true ; } class Category { /** * INVOKE call(this, String m) : * ( ( m.isConf == true ) * && ( m.isEncrypted == false ) ) ; */ public void errorT( String m ) { } /** * INVOKE call(this, String m): * ( ( m.isConf == true ) * && ( m.isEncrypted == false ) ) ; */ public void warningT( String m ) { } invocation predicate String mystr ; /* confidential */ => String mystr ; mystr.isConf = true ;

36 Formalization Using LTL G ( Category.errorT.call(c, s) Category.warningT.call(c, s) ) Using BSL forall[c: Category].forall[s: String] { Category.errorT.call(c, s) || Category.warningT.call(c, s) } is absent globally © SAP 2007 / QUB Presentation / Page 36

37 © SAP 2007 / Standard Presentation / Page 37 Copyright 2007 SAP AG All rights reserved No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, Business ByDesign, ByDesign, PartnerEdge and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned and associated logos displayed are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages Weitergabe und Vervielfältigung dieser Publikation oder von Teilen daraus sind, zu welchem Zweck und in welcher Form auch immer, ohne die ausdrückliche schriftliche Genehmigung durch SAP AG nicht gestattet. In dieser Publikation enthaltene Informationen können ohne vorherige Ankündigung geändert werden. Einige von der SAP AG und deren Vertriebspartnern vertriebene Softwareprodukte können Softwarekomponenten umfassen, die Eigentum anderer Softwarehersteller sind. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, Duet, Business ByDesign, ByDesign, PartnerEdge und andere in diesem Dokument erwähnte SAP-Produkte und Services sowie die dazugehörigen Logos sind Marken oder eingetragene Marken der SAP AG in Deutschland und in mehreren anderen Ländern weltweit. Alle anderen in diesem Dokument erwähnten Namen von Produkten und Services sowie die damit verbundenen Firmenlogos sind Marken der jeweiligen Unternehmen. Die Angaben im Text sind unverbindlich und dienen lediglich zu Informationszwecken. Produkte können länderspezifische Unterschiede aufweisen. Die in diesem Dokument enthaltenen Informationen sind Eigentum von SAP. Dieses Dokument ist eine Vorabversion und unterliegt nicht Ihrer Lizenzvereinbarung oder einer anderen Vereinbarung mit SAP. Dieses Dokument enthält nur vorgesehene Strategien, Entwicklungen und Funktionen des SAP®-Produkts und ist für SAP nicht bindend, einen bestimmten Geschäftsweg, eine Produktstrategie bzw. -entwicklung einzuschlagen. SAP übernimmt keine Verantwortung für Fehler oder Auslassungen in diesen Materialien. SAP garantiert nicht die Richtigkeit oder Vollständigkeit der Informationen, Texte, Grafiken, Links oder anderer in diesen Materialien enthaltenen Elemente. Diese Publikation wird ohne jegliche Gewähr, weder ausdrücklich noch stillschweigend, bereitgestellt. Dies gilt u. a., aber nicht ausschließlich, hinsichtlich der Gewährleistung der Marktgängigkeit und der Eignung für einen bestimmten Zweck sowie für die Gewährleistung der Nichtverletzung geltenden Rechts. SAP übernimmt keine Haftung für Schäden jeglicher Art, einschließlich und ohne Einschränkung für direkte, spezielle, indirekte oder Folgeschäden im Zusammenhang mit der Verwendung dieser Unterlagen. Diese Einschränkung gilt nicht bei Vorsatz oder grober Fahrlässigkeit. Die gesetzliche Haftung bei Personenschäden oder die Produkthaftung bleibt unberührt. Die Informationen, auf die Sie möglicherweise über die in diesem Material enthaltenen Hotlinks zugreifen, unterliegen nicht dem Einfluss von SAP, und SAP unterstützt nicht die Nutzung von Internetseiten Dritter durch Sie und gibt keinerlei Gewährleistungen oder Zusagen über Internetseiten Dritter ab. Alle Rechte vorbehalten.


Herunterladen ppt "SYSTEMATIC THOUGHT LEADERSHIP FOR INNOVATIVE BUSINESS Towards Security Vulnerability Detection by Source Code Model Checking Keqin Li April, 2010."

Ähnliche Präsentationen


Google-Anzeigen