Presentation at the 2011 ACM Conference on Computer and Communications Security (CCS) on the paper "Fear the EAR: Discovering and Mitigating Execution After Redirect Vulnerabilities". The paper is available here: http://cs.ucsb.edu/~adoupe/static/fear-the-ear-ccs2011.pdf
2. Motivation
- Everyone uses web applications
- Web applications are written by humans, so they have flaws
- Input sanitization flaws (XSS, SQLi) are the most prevalent
- Logic flaws are harder to detect than input sanitization flaws
Doupé - 10/19/11

3. HTTP Redirects
    GET /user/info HTTP/1.1
    Host: example.com

    HTTP/1.1 302 Found
    Location: http://example.com/login

    GET /login HTTP/1.1
    Host: example.com

4. Execution After Redirect: Overview
- Developer issues a redirect assuming execution will halt
- Redirect used as a goto
- This is how it appears from the browser's perspective
- However, code continues to execute

5. Execution After Redirect: Example
    class TopicsController < ApplicationController
      def update
        @topic = Topic.find(params[:id])
        if not current_user.is_admin?
          redirect_to("/")
        end
        @topic.update_attributes(params[:topic])
        flash[:notice] = "Topic updated!"
      end
    end

6. EAR History
- 17 Common Vulnerabilities and Exposures (CVE) entries, starting in 2007
  - Difficult to find: no consistent category
- Blog post about CakePHP in 2006
  - Resulted in a bug filed and documentation changed
- Prior work on logic flaws found an EAR in a J2EE web application
- No one recognized it as a systemic logic flaw among web applications

7. EAR Security Challenge
- Attempt to observe familiarity with EARs
- Added an EAR challenge to the 2010 iCTF
- Results
  - 34 / 72 teams accessed the page that redirected them and leaked information
  - 12 of the 34 discovered and exploited the vulnerability
- Conclusion: teams not very familiar

8. Types of EARs
- Benign: no confidentiality or integrity violated
- Vulnerable: allows unauthorized modification of the application state or discloses unauthorized data

9. EAR: Information Leakage
(figure only; no text recovered)

10. EAR: Nested Example
    class UsersController < ApplicationController
      def ensure_admin
        unless current_user.is_admin?
          redirect_to("/")
          return
        end
      end

      def delete
        ensure_admin()
        @user = User.find(params[:id])
        @user.delete()
        flash[:notice] = "User Deleted"
      end
    end
(The return inside ensure_admin only leaves ensure_admin; delete keeps running and deletes the user.)

11. Outline
- Overview of Execution After Redirects
- EAR Detection Algorithm
- Results
- Prevention

12. EAR Detection: Overview
- Static source code analysis
- Attempt to find code that can possibly be executed after a redirect
- Distinguish between benign and vulnerable

13. EAR Detection: Overview
1. Build CFG
2. Find redirection methods
3. Prune infeasible paths
4. Detect EARs
5. Classify as vulnerable

14. EAR Detection: Build Control Flow Graph
- CFG built using prior work: the Diamondback Ruby parser by Furr et al.
  - Simplifies Ruby into an easier-to-analyze format
  - Compiles Ruby into a subset called Ruby Intermediate Language (RIL)
- CFG can be incomplete: eval, Ruby's dynamic nature

15. EAR Detection: Build CFG
    class UsersController < ApplicationController
      def ensure_logged_in
        unless current_user
          redirect_to("/") and return true
        end
        @logged_in_users += 1
        return false
      end

      def delete_all
        unless ensure_logged_in()
          return
        end
        User.delete(:all)
      end
    end

16. EAR Detection: Build CFG
(figure: the CFG of delete_all with ensure_logged_in inlined. Nodes recovered: `_tmp_ = ensure_logged_in()`; inside it, a branch on `current_user`: false edge to `redirect_to("/")` then `return true`, true edge to `@logged_in_users += 1` then `return false`; then a branch on `_tmp_`: false edge to `return nil`, true edge to `User.delete(:all)` then `return nil`. The redirect path is the one that returns true, so it is the path that reaches User.delete(:all).)

17. EAR Detection: Find Redirection Methods
- Find all program paths in the CFG that call the Ruby on Rails method redirect_to
- Inter-procedural analysis
  - Methods that call redirect_to are added to interesting_methods
  - All methods that call an interesting_method are added to interesting_methods
  - Rinse and repeat until a fixpoint is reached

18. EAR Detection: Find Redirect Methods
(figure: the CFG from slide 16 again)
19. EAR Detection: Prune Infeasible Paths
(figure: the CFG from slide 16 again)

20. EAR Detection: Detect EARs
(figure: the CFG from slide 16 again)

21. EAR Detection: Classify as Vulnerable
- Simple heuristic: names of methods that modify the database
- Search for these on the path after the redirect

22. Results
- 18,127 Ruby on Rails projects from GitHub
- 1,173 projects contained 3,944 EARs
  - 3,089 benign EARs
  - 855 vulnerable EARs

23. EAR Email Notification
- 624 project maintainers notified
- 107 responded
  - 49 confirmed the EAR we reported
  - 26 told us that the app was a demo or toy
  - 3 pointed out false positives
  - 6 NOFIX
  - Rest thanked us but did not offer confirmation

24. Detection Effectiveness
- Manual verification of all 855 vulnerable EARs
  - 485 true vulnerable (56.7%)
  - 325 false positives (vulnerable) (38.0%)
  - 45 false positives (EARs) (5.3%)
- Manual verification of 200 random benign EARs
  - 13 false positives (EARs) (6.5%)
  - 0 false negatives (vulnerable)

25. True Positive Example
    class BanksController < ApplicationController
      def redirect_to_login
        redirect_to("/login") and return
      end

      def create
        if not current_user.is_admin?
          redirect_to_login() and return
        end
        @bank = Bank.create(params[:bank])
      end
    end
(redirect_to_login returns nil, so `and return` in create never fires and Bank.create runs for non-admins.)

26. False Positive Example
    class UsersController < ApplicationController
      def update
        if request.get?
          redirect_to("/users")
        end
        if request.post?
          @user = User.find(params[:id])
          @user.update_attributes(params[:user])
        end
      end
    end
(A request cannot be both GET and POST, so the path from the redirect to update_attributes is infeasible.)

27. EAR Detection: Limitations
- False negatives: eval, send
- False positives
  - Infeasible paths
  - No type analysis
  - Vulnerable-EAR classification (the method-name heuristic over-approximates)
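The detection algorithm of slides 13 to 21, as an added runnable example that is not the paper's code or the find_ear_rails tool: the inter-procedural interesting_methods fixpoint (slide 17), a path walk that flags every statement reachable after a redirect (slide 20), and the method-name heuristic that labels an EAR vulnerable (slide 21). It runs over a hand-built toy IR rather than a Diamondback Ruby CFG, and it does not prune infeasible paths (slide 19), so the slide 26 controller comes out as a vulnerable EAR, which is exactly the false positive slide 27 describes. The IR, the DB_WRITE pattern and the SAMPLE program are assumptions of this example.

```ruby
require "set"

# Toy IR: a program is { "method name" => body }, and a body is an array of
#   [:redirect]                     call to redirect_to
#   [:call, "callee"]               call to a controller method or a model method
#   [:return]                       leaves the current method
#   [:if, then_stmts, else_stmts]   two-way branch; both arms are treated as feasible
DB_WRITE = /\.(create|update_attributes|delete|destroy|save)\z/ # slide 21 heuristic (assumed list)

# True if any statement (in any branch arm) is of `kind`; the optional block
# further filters on the statement's operand (the callee name for :call).
def contains?(stmts, kind, &pred)
  stmts.any? do |s|
    if s[0] == :if
      contains?(s[1], kind, &pred) || contains?(s[2], kind, &pred)
    else
      s[0] == kind && (pred.nil? || pred.call(s[1]))
    end
  end
end

# Slide 17: methods calling redirect_to are interesting; so is every method
# that calls an interesting method; iterate until nothing new is added.
def interesting_methods(program)
  interesting = Set.new(program.keys.select { |m| contains?(program[m], :redirect) })
  loop do
    added = (program.keys - interesting.to_a).select do |m|
      contains?(program[m], :call) { |callee| interesting.include?(callee) }
    end
    break if added.empty?
    interesting.merge(added)
  end
  interesting
end

# All linear paths through a body; a :return ends the path early.
def paths(stmts)
  return [[]] if stmts.empty?
  first, *rest = stmts
  case first[0]
  when :if     then paths(first[1] + rest) + paths(first[2] + rest)
  when :return then [[first]]
  else paths(rest).map { |p| [first] + p }
  end
end

# Slides 20-21: on each path, everything after the first redirect (direct, or
# through an interesting method) is executed after redirect. nil = no EAR,
# :benign = code runs but no DB write, :vulnerable = a DB write runs.
def classify(body, interesting)
  worst = nil
  paths(body).each do |path|
    idx = path.index { |s| s[0] == :redirect || (s[0] == :call && interesting.include?(s[1])) }
    next if idx.nil?
    after = path[(idx + 1)..-1].reject { |s| s[0] == :return } # redirect-then-return halts cleanly
    next if after.empty?
    verdict = after.any? { |s| s[0] == :call && s[1] =~ DB_WRITE } ? :vulnerable : :benign
    worst = verdict if worst.nil? || verdict == :vulnerable
  end
  worst
end

def find_ears(program)
  interesting = interesting_methods(program)
  program.keys.map { |m| [m, classify(program[m], interesting)] }.to_h.compact
end

# Constructed sample program: hypothetical controller actions shaped like the slides.
SAMPLE = {
  # slide 10: the helper returns after redirecting, but only from itself
  "ensure_admin" => [[:if, [[:redirect], [:return]], []]],
  "delete"       => [[:call, "ensure_admin"], [:call, "User.find"],
                     [:call, "@user.delete"], [:call, "flash[]="]],
  # slide 26: two branches that are mutually exclusive at run time but not in this IR
  "update"       => [[:if, [[:redirect]], []],
                     [:if, [[:call, "User.find"], [:call, "@user.update_attributes"]], []]],
  # a benign EAR (render still runs after the redirect) and a correctly halted redirect
  "index"        => [[:if, [[:redirect]], []], [:call, "render"]],
  "show"         => [[:if, [[:redirect], [:return]], []], [:call, "render"]],
}

if __FILE__ == $PROGRAM_NAME
  p interesting_methods(SAMPLE).to_a
  p find_ears(SAMPLE) # "update" is the slide 26 false positive
end
```

Running it lists ensure_admin, delete, update, index and show as interesting (show and ensure_admin redirect but halt, so they produce no EAR), and reports delete and update as vulnerable and index as benign. The real tool works on a CFG, where the inverted-boolean case of slide 15 is also visible; this IR only models straight-line code and two-way branches.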
28. Framework Susceptibility
- Analyzed 9 web frameworks: Rails, Grails, Django, ASP.NET MVC, Zend Framework, CakePHP, CodeIgniter, J2EE, Struts
- Susceptible: Ruby on Rails, Grails, J2EE, Struts

29. Prevention
- Secure design: Django, ASP.NET MVC
- Terminate process or thread: ASP.NET, CakePHP, Zend, CodeIgniter
- Patched Ruby on Rails: exception handling

30. Contributions
- Described a relatively unknown web application vulnerability called Execution After Redirect (EAR)
- Developed an algorithm to statically detect EARs in Ruby on Rails applications
- Discovered many vulnerabilities in real-world open-source Ruby on Rails applications

31. Questions?
Code: http://github.com/adamdoupe/find_ear_rails
Email: [email protected]
Twitter: @adamdoupe
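The EAR from slide 5 next to the two ways of stopping it, as an added runnable example that is not code from the paper or from Rails: a minimal stand-in for the controller API in which redirect_to only records the response (the property that makes an EAR possible), the vulnerable action as written on the slide, the developer-side `and return` fix, and a framework-side halt modeled on the "patched Ruby on Rails: exception handling" bullet of slide 29, where redirect_to raises and the dispatcher rescues so nothing after a redirect can run. FakeController, RedirectPerformed, the TOPICS store and the exercise helper are assumptions of this example, not Rails or the paper's patch.

```ruby
# Stand-in for the parts of ActionController the slides use (assumption, not Rails).
class RedirectPerformed < StandardError; end

class FakeController
  attr_reader :response

  def initialize(admin:)
    @admin = admin
    @response = nil
  end

  def current_user_admin?
    @admin
  end

  # Records the redirect and returns true, so `redirect_to(...) and return`
  # works as a halting idiom; it does not stop the action by itself.
  def redirect_to(url)
    @response = [:redirect, url]
    true
  end

  def process(action, *args)
    public_send(action, *args)
  end
end

# Constructed in-memory stand-in for the Topic model.
TOPICS = {}

# Slide 5 as written: the redirect is used as a goto, so non-admins still update.
class VulnerableTopicsController < FakeController
  def update(id, attrs)
    unless current_user_admin?
      redirect_to("/")         # developer assumes execution halts here
    end
    TOPICS[id].merge!(attrs)   # executed after the redirect: the EAR
    :updated
  end
end

# Developer-side fix: make the redirect terminate the action.
class FixedTopicsController < FakeController
  def update(id, attrs)
    unless current_user_admin?
      redirect_to("/") and return
    end
    TOPICS[id].merge!(attrs)
    :updated
  end
end

# Framework-side prevention in the style of slide 29: redirect_to raises after
# recording the response, and the dispatcher rescues, so the action body can
# never continue past a redirect no matter how it is written.
class HaltingController < FakeController
  def redirect_to(url)
    super
    raise RedirectPerformed
  end

  def process(action, *args)
    super
  rescue RedirectPerformed
    :halted
  end
end

class HaltingTopicsController < HaltingController
  def update(id, attrs)        # identical to the vulnerable body
    unless current_user_admin?
      redirect_to("/")
    end
    TOPICS[id].merge!(attrs)
    :updated
  end
end

# Runs one controller against a fresh topic and reports
# [action result, response, resulting title].
def exercise(controller_class, admin:)
  TOPICS[7] = { title: "old" }
  c = controller_class.new(admin: admin)
  result = c.process(:update, 7, { title: "pwned" })
  [result, c.response, TOPICS[7][:title]]
end

if __FILE__ == $PROGRAM_NAME
  [VulnerableTopicsController, FixedTopicsController, HaltingTopicsController].each do |k|
    puts "#{k}: #{exercise(k, admin: false).inspect}"
  end
end
```

For a non-admin, the vulnerable controller issues the redirect and still changes the title; the fixed controller issues the redirect and leaves the title alone; the halting controller does the same with the unmodified action body, which is the point of a framework-level fix: it protects every action at once instead of relying on each developer remembering `and return`.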