Reverse-Engineering and Analysis of Access Control Models in Web Applications

RÉSUMÉ De nos jours, les applications Web sont omniprésentes et gèrent des quantités toujours plus importantes de données confidentielles. Afin de protéger ces données contre les attaques d'usagers mal intentionnés, des mécanismes de sécurité doivent être mis en place. Toutefois, sécuriser un logiciel est une tâche extrêmement ardue puisqu'une seule brèche est souvent suffisante pour compromettre la sécurité d'un système tout entier. Il n'est donc pas surprenant de constater que jour après jour les nouvelles font état de cyber attaques et de fuites de données confidentielles dans les systèmes informatiques. Afin de donner au lecteur une vague idée de l'ampleur du problème, considérons que différents organismes spécialisés en sécurité informatique rapportent qu'entre 85% et 98% des sites Web contiennent au moins une vulnérabilité sérieuse. Dans le cadre de cette thèse, nous nous concentrerons sur un aspect particulier de la sécurité logicielle, à savoir les modèles de contrôle d'accès. Les modèles de contrôle d'accès définissent les actions qu'un usager peut et ne peut pas faire dans un système. Malheureusement, années après années, les failles dans les modèles de contrôle d'accès trônent au sommet des palmarès des failles les plus communes et les plus critiques dans les applications Web. Toutefois, contrairement à d'autres types de faille de sécurité comme les injections SQL (SQLi) et le cross-site scripting (XSS), les failles de contrôle d'accès ont comparativement reçu peu d'attention de la communauté de recherche scientifique. Par ce travail de recherche, nous espérons renverser cette tendance. Bien que la sécurité des applications et les modèles de contrôle d'accès constituent les principaux thèmes sous-jacents de cette thèse, notre travail de recherche est aussi fortement teinté par le génie logiciel. Vous observerez en effet que notre travail s'applique toujours à des applications réelles et que les approches que nous développons sont toujours construites de manière à minimiser le fardeau de travail supplémentaire pour les développeurs. En d'autres mots, cette thèse porte sur la sécurité des applications en pratique. Dans le contexte de cette thèse, nous aborderons l'imposant défi d'investiguer des modèles de contrôle d'accès non spécifiés et souvent non documentés, tels que rencontrés dans les applications Web en code ouvert. En effet, les failles de contrôle d'accès se manifestent lorsqu'un usager est en mesure de faire des actions qu'il ne devrait pas pouvoir faire ou d'accéder à des données auxquelles il ne devrait pas avoir accès. En absence de spécifications de sécurité, déterminer qui devrait avoir les autorisations pour effectuer certaines actions ou accéder à certaines données n'est pas simple. Afin de surmonter ce défi, nous avons d'abord développé une nouvelle approche, appelée analyse de Traversement de Patrons de Sécurité (TPS), afin de faire la rétro-ingénierie de modèles de contrôle d'accès à partir du code source d'applications Web et ce, d'une manière rapide, précise et évolutive. Les résultats de l'analyse TPS donnent un portrait du modèle de contrôle d'accès tel qu'implémenté dans une application et servent de point de départ à des analyses plus poussées. Par exemple, les applications Web réelles comprennent souvent des centaines de privilèges qui protègent plusieurs centaines de fonctions et modules différents. En conséquence, les modèles de contrôle d'accès, tel qu'extraits par l'analyse TPS, peuvent être difficiles à interpréter du point de vue du développeur, principalement à cause de leurs taille. Afin de surmonter cette limitation, nous avons exploré comment l'analyse formelle de concepts peut faciliter la compréhension des modèles extraits en fournissant un support visuel ainsi qu'un cadre formel de raisonnement. Les résultats ont en effet démontrés que l'analyse formelle de concepts permet de mettre en lumière plusieurs propriétés des modèles de contrôle d'accès qui sont enfouies profondément dans le code des applications, qui sont invisibles aux administrateurs et aux développeurs, et qui peuvent causer des incompréhensions et des failles de sécurité. Au fil de nos investigations et de nos observations de plusieurs modèles de contrôle d'accès, nous avons aussi identifié des patrons récurrents, problématiques et indépendants des applications qui mènent à des failles de contrôle d'accès. La seconde partie de cette thèse présente les approches que nous avons développées afin de tirer profit des résultats de l'analyse TPS pour identifier automatiquement plusieurs types de failles de contrôle d'accès communes comme les vulnérabilités de navigation forcée, les erreurs sémantiques et les failles basées sur les clones à protection incohérentes. Chacune de ces approches interprète en effet les résultats de l'analyse TPS sous des angles différents afin d'identifier différents types de vulnérabilités dans les modèles de contrôle d'accès. Les vulnérabilités de navigation forcée se produisent lorsque des ressources sensibles ne sont pas adéquatement protégées contre les accès direct à leur URL. En utilisant les résultats de l'analyse TPS, nous avons montré comment nous sommes en mesure de détecter ces vulnérabilités de manière précise et très rapide (jusqu'à 890 fois plus rapidement que l'état de l'art). Les erreurs sémantiques se produisent quand des ressources sensibles sont protégées par des privilèges qui sont sémantiquement incorrects. Afin d'illustrer notre propos, dans le contexte d'une application Web, protéger l'accès à des ressources administratives avec un privilège destiné à restreindre le téléversement de fichiers est un exemple d'erreur sémantique. À notre connaissance, nous avons été les premiers à nous attaquer à ce problème et à identifier avec succès des erreurs sémantiques dans des modèles de contrôle d'accès. Nous avons obtenu de tels résultats en interprétant les résultats de l'analyse TPS à la lumière d'une technique de traitement de la langue naturelle appelée Latent Dirichlet Allocation. Finalement, en investiguant les résultats de l'analyse TPS à la lumière des informations fournies par une analyse de clones logiciels, nous avons été en mesure d'identifier davantage de nouvelles failles de contrôle d'accès. En résumé, nous avons exploré l'intuition selon laquelle il est attendu que les clones logiciels, qui sont des blocs de code syntaxiquement similaires, effectuent des opérations similaires dans un système et, conséquemment, qu'ils soient protégés de manière similaire. En investiguant les clones qui ne sont pas protégés de manière similaire, nous avons effectivement été en mesure de détecter et rapporter plusieurs nouvelles failles de sécurité dans les systèmes étudiés. En dépit des progrès significatifs que nous avons accomplis dans cette thèse, la recherche sur les modèles de contrôle d'accès et les failles de contrôle d'accès, spécialement d'un point de vue pratique n'en est encore qu'à ses débuts. D'un point de vue de génie logiciel, il reste encore beaucoup de travail à accomplir en ce qui concerne l'extraction, la modélisation, la compréhension et les tests de modèles de contrôle d'accès. Tout au long de cette thèse, nous discuterons comment les travaux présentés peuvent soutenir ces activités et suggérerons plusieurs avenues de recherche à explorer.----------ABSTRACT Nowadays, Web applications are ubiquitous and deal with increasingly large amounts of confidential data. In order to protect these data from malicious users, security mechanisms must be put in place. Securing software, however, is an extremely difficult task since a single breach is often sufficient to compromise the security of a system. Therefore, it is not surprising that day after day, we hear about cyberattacks and confidential data leaks in the news. To give the reader an idea, various reports suggest that between 85% and 98% of websites contain at least one serious vulnerability. In this thesis, we focus on one particular aspect of software security that is access control models. Access control models are critical security components that define the actions a user can and cannot do in a system. Year after year, several security organizations report access control flaws among the most prevalent and critical flaws in Web applications. However, contrary to other types of security flaws such as SQL injection (SQLi) and cross-site scripting (XSS), access control flaws comparatively received little attention from the research community. This research work attempts to reverse this trend. While application security and access control models are the main underlying themes of this thesis, our research work is also strongly anchored in software engineering. You will observe that our work is always based on real-world Web applications and that the approaches we developed are always built in such a way as to minimize the amount of work on that is required from developers. In other words, this thesis is about practical software security. In the context of this thesis, we tackle the highly challenging problem of investigating unspecified and often undocumented access control models in open source Web applications. Indeed, access control flaws occur when some user is able to perform operations he should not be able to do or access data he should be denied access to. In the absence of security specifications, determining who should have the authorization to perform specific operations or access specific data is not straightforward. In order to overcome this challenge, we first developed a novel approach, called the Security Pattern Traversal (SPT) analysis, to reverse-engineer access control models from the source code of applications in a fast, precise and scalable manner. Results from SPT analysis give a portrait of the access control model as implemented in an application and serve as a baseline for further analyzes. For example, real-world Web application, often define several hundred privileges that protect hundreds of different functions and modules. As a consequence, access control models, as reverse-engineered by SPT analysis, can be difficult to interpret from a developer point of view, due to their size. In order to provide better support to developers, we explored how Formal Concept Analysis (FCA) could facilitate comprehension by providing visual support as well as automated reasoning about the extracted access control models. Results indeed revealed how FCA could highlight properties about implemented access control models that are buried deep into the source code of applications, that are invisible to administrators and developers, and that can cause misunderstandings and vulnerabilities. Through investigation and observation of several Web applications, we also identified recurring and cross-application error-prone patterns in access control models. The second half of this thesis presents the approaches we developed to leverage SPT results to automatically capture these patterns that lead to access control flaws such as forced browsing vulnerabilities, semantic errors and security-discordant clone based errors. Each of these approaches interpret SPT analysis results from different angles to identify different kinds of access control flaws in Web applications. Forced browsing vulnerabilities occur when security-sensitive resources are not protected against direct access to their URL. Using results from SPT, we showed how we can detect such vulnerabilities in a precise and very fast (up to 890 times faster than state of the art) way. Semantic errors occur when security-sensitive resources are protected by semantically wrong privileges. To give the reader an idea, in the context of a Web application, protecting access to administrative resources with a privilege that is designed to restrict file uploads is an example of semantic error. To our knowledge, we were the first to tackle this problem and to successfully detect semantic errors in access control models. We achieved such results by interpreting results from SPT in the light of a natural language processing technique called Latent Dirichlet Allocation. Finally, by investigating SPT results in the light of software clones, we were able to detect yet other novel access control flaws. Simply put, we explored the intuition that code clones, that are blocks of code that are syntactically similar, are expected to perform similar operations in a system and, consequently, be protected by similar privileges. By investigating clones that are protected in different ways, called security-discordant clones, we were able to report several novel access control flaws in the investigated systems. Despite the significant advancements that were made through this thesis, research on access control models and access control flaws, especially from a practical, application-centric point of view, is still in the early stages. From a software engineering perspective, a lot of work remains to be done from the extraction, modelling, understanding and testing perspectives. Throughout this thesis we discuss how the presented work can help in these perspectives and suggest further lines of research

Security risk assessment in cloud computing domains

Cyber security is one of the primary concerns persistent across any computing platform. While addressing the apprehensions about security risks, an infinite amount of resources cannot be invested in mitigation measures since organizations operate under budgetary constraints. Therefore the task of performing security risk assessment is imperative to designing optimal mitigation measures, as it provides insight about the strengths and weaknesses of different assets affiliated to a computing platform. The objective of the research presented in this dissertation is to improve upon existing risk assessment frameworks and guidelines associated to different key assets of Cloud computing domains - infrastructure, applications, and users. The dissertation presents various informal approaches of performing security risk assessment which will help to identify the security risks confronted by the aforementioned assets, and utilize the results to carry out the required cost-benefit tradeoff analyses. This will be beneficial to organizations by aiding them in better comprehending the security risks their assets are exposed to and thereafter secure them by designing cost-optimal mitigation measures --Abstract, page iv

An Approach to Guide Users Towards Less Revealing Internet Browsers

When browsing the Internet, HTTP headers enable both clients and servers send extra data in their requests or responses such as the User-Agent string. This string contains information related to the sender’s device, browser, and operating system. Previous research has shown that there are numerous privacy and security risks result from exposing sensitive information in the User-Agent string. For example, it enables device and browser fingerprinting and user tracking and identification. Our large analysis of thousands of User-Agent strings shows that browsers differ tremendously in the amount of information they include in their User-Agent strings. As such, our work aims at guiding users towards using less exposing browsers. In doing so, we propose to assign an exposure score to browsers based on the information they expose and vulnerability records. Thus, our contribution in this work is as follows: first, provide a full implementation that is ready to be deployed and used by users. Second, conduct a user study to identify the effectiveness and limitations of our proposed approach. Our implementation is based on using more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available and the solution has been deployed

Deep Reinforcement Learning Driven Applications Testing

Applications have become indispensable in our lives, and ensuring their correctness is now a critical issue. Automatic system test case generation can significantly improve the testing process for these applications, which has recently motivated researchers to work on this problem, defining various approaches. However, most state-of-the-art approaches automatically generate test cases leveraging symbolic execution or random exploration techniques. This led to techniques that lose efficiency when dealing with an increasing number of program constraints and become inapplicable when conditions are too challenging to solve or even to formulate. This Ph.D. thesis proposes addressing current techniques' limitations by exploiting Deep Reinforcement Learning. Deep Reinforcement Learning (Deep RL) is a machine learning technique that does not require a labeled training set as input since the learning process is guided by the positive or negative reward experienced during the tentative execution of a task. Hence, it can be used to dynamically learn how to build a test suite based on the feedback obtained during past successful or unsuccessful attempts. This dissertation presents three novel techniques that exploit this intuition: ARES, RONIN, and IFRIT. Since functional testing and security testing are complementary, this Ph.D. thesis explores both testing techniques using the same approach for test cases generation. ARES is a Deep RL approach for functional testing of Android apps. RONIN addresses the issue of generating exploits for a subset of Android ICC vulnerabilities. Subsequently, to better expose the bugs discovered by previous techniques, this thesis presents IFRIT, a focused testing approach capable of increasing the number of test cases that can reach a specific target (i.e., a precise section or statement of an application) and their diversity. IFRIT has the ultimate goal of exposing faults affecting the given program point

Using design diversity and optimal adjudication for detecting malicious web scraping and malware samples

Due to the constantly evolving nature of cyber threats and attacks, organisations see an ever-growing requirement to develop more sophisticated defence systems to protect their networks and information. In an arms race such as this, employing as many techniques as possible is crucial for companies to stay ahead of would-be attackers. Design diversity is a technique with a significant history behind it, which has become more widely used as the availability of off-the-shelf defence software has become more commonplace. The simple concept behind design diversity is the age-old saying that ”two minds think better than one”. When combining multiple tools for cyber defence, it’s reasonable to expect that when these tools use different techniques, or work under different assumptions and configurations, they would also likely detect different threats. Hence, the security events that one tool misses or misclassifies, the other could correctly handle, and vice-versa. We would expect design diversity to remain an important design paradigm for as long as building a completely foolproof security system stays within the realms of impossibility. While design diversity is appealing, and it has been used to great success in the past, it is important to realise that any possible gains from using this technique are entirely dependent on how diverse the various tools are, and on the context in which it is applied. Applying design diversity will yield different results in different environments, so it is important that empirical results are provided in as many contexts as possible. In this work, we have looked at the use of design diversity in two major contexts. The first context deals with the question of detecting malicious web scraping activity. We have analysed three separate datasets provided to us by Amadeus - a global provider for the travel and tourism industry - which contain the HTTP traffic they observed within their network, as well as the alerts raised by two of their web scraping detectors. We studied how the combined performance potential of the two tools compares to their individual performances, in 1-out-of-2 (1oo2) and 2-out-of-2 (2oo2) adjudication schemes, meaning that a combined system raises an alert if any one of the internal tools does so as well, or the combined system only raises an alert if both internal tools do so, respectively. We’ve also identified several aspects that highlight the different alert patterns of both tools, which we use to explain the inherent diversity between the two. The second context in which we have studied the use of design diversity is in the use of machine learning models for the classification of malware and benign software samples. We’ve done this with the use of a dataset that looked at the performance of 37 different RNN machine learning models used to classify a pool of over 4000 software samples, which originated from a previously published paper whose authors we have collaborated with. With the higher number and degree of diversity of the detection tools (the machine learning models) in this study, we were able to expand our results with additional adjudication schemes, anywhere between 1oo10 and 10oo10, as well as more interesting schemes, such as simple majority schemes, e.g., 3oo5. Similarly to the first body of work, we studied and summarised the different aspects that led to diversity in the behaviour of machine learning models. When utilising multiple diverse systems, each producing a result, a voting or adjudication system is needed to decide on the overall system output/decision. The use of conventional adjudications schemes (e.g., 1-out-of-2) provides a useful first point for the use of design diversity, but these schemes may be deficient in comparison with others such as those that use optimal adjudication. As opposed to conventional adjudication schemes, where the individual outputs of each internal tool are not taken into account - i.e., a 1oo2 scheme does not care which one of its two internal tools raised an alert, only that one of them did - this is not the case for optimal adjudication. In optimal adjudication, the combined outputs of all the internal tools are called syndromes, and the output of the overall system is going to be dependent on which unique syndrome was generated for any given classification sample. This affords us several benefits, which we will detail in depth, primarily that specific tools can be given higher confidence over others, and that the error cost of generating false positive or false negative outputs can be taken into account when deciding the output of the overall system, such that we can optimise for the lowest error cost overall. We have looked at the use of optimal adjudication in particular with our second dataset concerning the use of machine learning models for the classification of software samples. We expand on the benefits afforded over using conventional adjudication schemes, and delve into the aspects that make the various machine learning models diverse from one another. We expect the results from this thesis will provide insight into the use of different adjudication schemes in the contexts we highlight (contexts in which, to the best of our knowledge, previous research has not been published), as well as provide guidance on the creation of such combined systems for use in security deployments beyond the contexts we have studied

Deep neural mobile networking

The next generation of mobile networks is set to become increasingly complex, as these struggle to accommodate tremendous data traffic demands generated by ever-more connected devices that have diverse performance requirements in terms of throughput, latency, and reliability. This makes monitoring and managing the multitude of network elements intractable with existing tools and impractical for traditional machine learning algorithms that rely on hand-crafted feature engineering. In this context, embedding machine intelligence into mobile networks becomes necessary, as this enables systematic mining of valuable information from mobile big data and automatically uncovering correlations that would otherwise have been too difficult to extract by human experts. In particular, deep learning based solutions can automatically extract features from raw data, without human expertise. The performance of artificial intelligence (AI) has achieved in other domains draws unprecedented interest from both academia and industry in employing deep learning approaches to address technical challenges in mobile networks. This thesis attacks important problems in the mobile networking area from various perspectives by harnessing recent advances in deep neural networks. As a preamble, we bridge the gap between deep learning and mobile networking by presenting a survey on the crossovers between the two areas. Secondly, we design dedicated deep learning architectures to forecast mobile traffic consumption at city scale. In particular, we tailor our deep neural network models to different mobile traffic data structures (i.e. data originating from urban grids and geospatial point-cloud antenna deployments) to deliver precise prediction. Next, we propose a mobile traffic super resolution (MTSR) technique to achieve coarse-to-fine grain transformations on mobile traffic measurements using generative adversarial network architectures. This can provide insightful knowledge to mobile operators about mobile traffic distribution, while effectively reducing the data post-processing overhead. Subsequently, the mobile traffic decomposition (MTD) technique is proposed to break the aggregated mobile traffic measurements into service-level time series, by using a deep learning based framework. With MTD, mobile operators can perform more efficient resource allocation for network slicing (i.e, the logical partitioning of physical infrastructure) and alleviate the privacy concerns that come with the extensive use of deep packet inspection. Finally, we study the robustness of network specific deep anomaly detectors with a realistic black-box threat model and propose reliable solutions for defending against attacks that seek to subvert existing network deep learning based intrusion detection systems (NIDS). Lastly, based on the results obtained, we identify important research directions that are worth pursuing in the future, including (i) serving deep learning with massive high-quality data (ii) deep learning for spatio-temporal mobile data mining (iii) deep learning for geometric mobile data mining (iv) deep unsupervised learning in mobile networks, and (v) deep reinforcement learning for mobile network control. Overall, this thesis demonstrates that deep learning can underpin powerful tools that address data-driven problems in the mobile networking domain. With such intelligence, future mobile networks can be monitored and managed more effectively and thus higher user quality of experience can be guaranteed