Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities

.lusoftware verification & validationVVS

Security Slicing for Auditing XML, XPath, and SQL Injection

VulnerabilitiesJulian Thomé, Lwin Khin Shar and Lionel Briand

1

Source

req.getParameter("password");

Account :

Password:

Submit

Source

Sink

NodeList nl = xpath.evaluate(q, doc, XPathConstants.NODESET);

String q = "/users/user[@nick='" + account + "' and @password='" + password + "']";

Sink

password = req.getParameter("password");

Account :

Password:

Submit

XPath Injection

password = req.getParameter("password");

Account :

Password:

Submit

test' or '1'='1

XPath Injection

Account :

Password:

Submit

test' or '1'='1

password = "test' or '1'='1";

XPath Injection




XPath Injection




XPath Injection


String q = "/users/user[@nick='' and @password='test' or '1'='1']";


XPath Injection


String q = "/users/user[@nick='' and @password='test' or '1'='1']";

XPath Injection

NodeList nl = xpath.evaluate( "/users/user[@nick='' and @password='test' or '1'='1']",doc, XPathConstants.NODESET);

XPath Injection

Taint Analysis

Taint Analysis

Focus on Integrity

No Filtering

False Positives

Security Slicing

System Dependence Graph

Construction

Chopping


Construction

Filtering

Chopping

Security Slices


Construction

// …

allowUser(req.getParameter(“account”), req.getParameter(“password”));// …

protected boolean allowUser(String account, String password) {

// …org.w3c.dom.Document doc = builder.parse("db.xml");// …XPath xpath = xPathfactory.newXPath();String q = "/database/table[@name='customers']/entry[@nick='"

+ account + "' and @password='" + password + "']";// …NodeList nl = (NodeList) xpath.evaluate(q,doc,

XPathConstants.NODESET);// …

}

Filtering

Chopping

SDG Construction

Security Slices

“account”

getParameter()

account = getParameter()

fpar0 … ret

account

password = getParameter()

allowUser()

account password

password

… q= … nl = xpath.evaluate() …

evaluate()

apar0 …

fpar0 … ret

“account”

getParameter()


fpar0 … ret

account


allowUser()

account password

password


evaluate()

apar0 …

fpar0 … ret

account

account password

password

q= …

apar0

account

account password

password

q= …

apar0

account

account password

password

q= …

apar0

Filtering

Chopping

SDG Construction

Security Slices

Declassification

HH LL

HL

LH

HH

LL

HL

LH

High ConfidentialityHigh Integrity

Low ConfidentialityHigh Integrity

Low ConfidentialityLow Integrity

High ConfidentialityLow Integrity

HH LLHL

LH

HH LL

HL

LH

Secret

HH LL

HL

LH

WritableSecret

HH LL

HL

LH

WritableSecret

HH LL

HL

LH

WritableSecret

account

account password

password

q= …

apar0

account

account password

password

q= …

apar0

HL HL

HH

HH LL

HL

LH

account

account password

password

q= …

apar0

HL HL

HH

HH LL

HL

LH


account = ESAPI.encoder().encodeForXPath(account);password = ESAPI.encoder().encodeForXPath(password);




}

“account”

getParameter()


fpar0 … ret

account


allowUser()

account password

password


encodeForXpath()

apar0 … ret

evaluate()

apar0 …

fpar0 … ret

…

…

HL HL

HH

HL HH

account

account password

password

q= …

apar0 … ret

apar0

HL HL

HH

HL HH

HH LL

HL

LH

account

account password

password

q= …

apar0 … ret

apar0

HL HL

HH

HL HH

account

account password

password

q= …

apar0 … ret

apar0

HL HL

HH

HL HH

HH LL

HL

LH

Known-Good Irrelevant

Automated Fixing





}

password

password

q= …

apar0

HL

HH

protected boolean allowUser(String account, String password) {// …org.w3c.dom.Document doc = builder.parse("db.xml");// …XPath xpath = xPathfactory.newXPath();

String q = "/database/table[@name=‘customers’]/entry[@nick='" + ESAPI.encoder().encodeForXPath(account) +

"' and @password='" + ESAPI.encoder().encodeForXPath(password) + "']";

// …NodeList nl = (NodeList) xpath.evaluate(q,doc,


}

Filtering

Chopping

SDG Construction

Security Slices

Contributions

Filtering

Chopping

SDG Construction

Security Slices

Automatic detection of sources, sinks and declassifiers

Extensive library of sources, sinks and declassifiers

Filtering

Chopping

SDG Construction

Security Slices

Extraction of path conditions, control dependencies,

data dependencies

Threat Categorisation

Automatic annotation of sources, sinks and declassifiers

Filtering

Chopping

SDG Construction

Security Slices

Information Flow Control/ Declassification

Known-Good/Irrelevant

Automated Fixing

Filtering

Chopping

SDG Construction

Security Slices

Evaluation

Test SubjectsSubject KLOC #Servlets #Sources #Sinks #Declassifiers

XML XPath SQL XML XPath SQLWebGoat 24.6 14 40 3 1 29 0 0 25

Roller 52.4 3 14 13 0 0 11 0 0Pebble 36.5 3 6 7 0 0 3 0 0Regain 23.1 1 1 1 0 0 3 0 0PubSub 1.9 4 16 3 4 0 4 0 0

Comparison between Chopping and Security Slicing

#SDG

Nod

es

1

10

100

1000

10000

100000

1000000

WebGoat Roller Pebble Regain PubSub

SDG Construction Chopping Security Slicing

Comparison between Chopping and Security Slicing

#SDG

Nod

es

1

10

100

1000

10000

100000

1000000

SDG Construction Chopping Security Slicing

Total Mean Median

Chopping

SecSlicing

#Chops to be audited0 20 40 60 80

21

73

Execution Time in msSubject SDG

GenerationSource/SinkIdentification Chopping Filtering Total

WebGoat 124,301 504 12,266 694 137,765Roller 23,815 56 763 69 24,703Pebble 4,570 20 128 53 4,771Regain 44,311 40 285 30 44,666PubSub 39,213 85 965 153 40,416

Future Work

String Operations + Path Conditions

Threat ModelsString Operations + Path Conditions

Threat Models

Constraint Solver

String Operations + Path Conditions

Software

Security Slicing for Auditing XML, XPath, and SQL Injection Vulnerabilities