
    Badger: Complexity Analysis with Fuzzing and Symbolic Execution

    Hybrid testing approaches that combine fuzz testing and symbolic execution have shown promising results in achieving high code coverage and uncovering subtle errors and vulnerabilities in a variety of software applications. In this paper we describe Badger, a new hybrid approach for complexity analysis, with the goal of discovering vulnerabilities that occur when the worst-case time or space complexity of an application is significantly higher than the average case. Badger uses fuzz testing to generate a diverse set of inputs that aim to increase not only coverage but also a resource-related cost associated with each path. Since fuzzing may fail to execute deep program paths because it has limited knowledge of the conditions that govern those paths, we complement the analysis with symbolic execution, also customized to search for paths that increase the resource-related cost. Symbolic execution is particularly good at generating inputs that satisfy various program conditions but by itself suffers from path explosion. Badger therefore uses fuzzing and symbolic execution in tandem, to leverage their benefits and overcome their weaknesses. We implemented our approach for the analysis of Java programs, based on Kelinci and Symbolic PathFinder. We evaluated Badger on Java applications, showing that our approach is significantly faster at generating worst-case executions than fuzzing or symbolic execution on their own.

    Security analyses for detecting deserialisation vulnerabilities: a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand

    An important task in software security is to identify potential vulnerabilities. Attackers exploit security vulnerabilities in systems to obtain confidential information, to breach system integrity, and to make systems unavailable to legitimate users. In recent years, particularly 2012, there has been a rise in reported Java vulnerabilities. One type of vulnerability involves (de)serialisation, a commonly used feature for storing objects or data structures in an external format and restoring them. In 2015, a deserialisation vulnerability was reported in Apache Commons Collections, a popular Java library, which affected numerous Java applications. Another major deserialisation-related vulnerability, affecting 55% of Android devices, was reported in 2015. Both vulnerabilities allowed arbitrary code execution on vulnerable systems by malicious users, a serious risk, and prompted the Java community to issue patches for serialisation-related vulnerabilities in both the Java Development Kit and libraries. Despite attention to coding guidelines and defensive strategies, deserialisation remains a risky feature and a potential weakness in object-oriented applications. In fact, deserialisation-related vulnerabilities (both denial-of-service and remote code execution) continue to be reported for Java applications. Further, deserialisation is a case of parsing, where external data is converted from its external representation into a program's internal data structures; hence, similar vulnerabilities can be present in parsers for file formats and serialisation languages. The problem is, given a software package, to detect either injection or denial-of-service vulnerabilities and to propose strategies to prevent attacks that exploit them. The research reported in this thesis casts the detection of deserialisation-related vulnerabilities as a program analysis task.
The goal is to automatically discover this class of vulnerabilities using program analysis techniques, and to experimentally evaluate the efficiency and effectiveness of the proposed methods on real-world software. We use multiple techniques to detect reachability of sensitive methods, and taint analysis to detect whether untrusted user input can result in security violations. Challenges in using program analysis to detect deserialisation vulnerabilities include addressing soundness issues in analysing dynamic features of Java (e.g., native code). Another hurdle is that available techniques mostly target the analysis of applications rather than library code. In this thesis, we develop techniques to address soundness issues related to analysing Java code that uses serialisation, and we adapt dynamic techniques such as fuzzing to address precision issues in the results of our analysis. We also use the results of our analysis to study libraries in other languages and check whether they are vulnerable to deserialisation-type attacks. We then discuss mitigation measures that engineers can use to protect their software against such vulnerabilities. In our experiments, we show that we can find unreported vulnerabilities in Java code, and that these vulnerabilities are also present in widely used serialisers for popular languages such as JavaScript, PHP and Rust. In our study, we discovered previously unknown denial-of-service security bugs in applications and libraries that parse external data formats such as YAML, PDF and SVG.
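The gadget mechanism the thesis analyses in Java (serialised data that names a callable, which the deserialiser resolves and invokes) has a direct analogue in Python's pickle, and the allow-list mitigation the thesis discusses for engineers can be shown in a few lines. The block below is an added example, not code from the thesis: a class whose pickled form makes the unpickler run builtins.exec (the executed statement only sets an environment variable so the example is safe to run), an unrestricted loader that executes it, and an Unpickler subclass that refuses every global not on an allow list. The class and function names, the allow-list contents and the GADGET_RAN marker are assumptions made for the illustration.

```python
"""A deserialisation gadget and an allow-list unpickler (added Python illustration)."""
import datetime
import importlib
import io
import os
import pickle

MARKER = "GADGET_RAN"  # environment variable the benign gadget sets; stands in for real damage


class Gadget:
    """Data that, when unpickled, runs arbitrary code.

    pickle's reduce protocol stores (callable, args) and pickle.loads resolves the callable
    through Unpickler.find_class and invokes it: the Python analogue of a Java gadget chain.
    The code executed here only sets an environment variable so the example is safe to run.
    """

    def __reduce__(self):
        return (exec, (f"import os; os.environ['{MARKER}'] = '1'",))


def gadget_payload():
    """Bytes an attacker would send: they contain no code, only a reference to builtins.exec."""
    return pickle.dumps(Gadget())


def benign_payload():
    """What the application legitimately expects to receive (constructed sample)."""
    return pickle.dumps({"user": "alice", "roles": ["admin"], "since": datetime.date(2015, 11, 6)})


def reset_marker():
    os.environ.pop(MARKER, None)


def gadget_ran():
    return os.environ.get(MARKER) == "1"


def unsafe_load(data):
    """Vulnerable: any global named in the payload is imported and may be called."""
    return pickle.loads(data)


# Globals the application genuinely needs to reconstruct; built-in containers, strings and
# numbers are encoded by dedicated opcodes and never reach find_class, so they need no entry.
ALLOWED_GLOBALS = {
    ("datetime", "date"),
    ("datetime", "datetime"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every GLOBAL / STACK_GLOBAL reference that is not on the allow list."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")
        return getattr(importlib.import_module(module), name)


def safe_load(data):
    """Hardened loader; raises pickle.UnpicklingError instead of running a gadget."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_outcome(data):
    """('ok', object) or ('refused', reason) so callers never need to catch the exception."""
    try:
        return ("ok", safe_load(data))
    except pickle.UnpicklingError as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    reset_marker()
    unsafe_load(gadget_payload())
    print("unsafe_load: gadget ran =", gadget_ran())
    reset_marker()
    print("safe_load:  ", load_outcome(gadget_payload()))
    print("safe_load:  ", load_outcome(benign_payload()))
```

The allow list is the point: the payload never needs to carry code, only the name of something already loadable in the process, so the defence has to decide which names are acceptable before they are resolved, which is what find_class does here and what the Java ObjectInputFilter mechanism does for the JDK.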

    Invalidating web applications attacks by employing the right secure code

    Master's thesis, Informática, Universidade de Lisboa, Faculdade de Ciências, 2019. Since their appearance, web applications have become increasingly popular and are now an essential part of our lives. We use them every day for diverse tasks such as shopping, checking our bank balance and contacting family and friends. Today, web applications are the most common way of accessing organisations' services and resources. However, they are known to contain vulnerabilities in their source code. When exploited, these vulnerabilities can cause severe damage to organisations, such as the theft of millions of user credentials and access to confidential information, which makes them an attractive target for malicious users. For this reason, it is essential that access to critical services, such as health and financial services, is made through secure web applications. Using secure code in applications is of the utmost importance for obtaining secure applications and guaranteeing the security of their users. Vulnerabilities are left inadvertently in source code by programmers because they lack the knowledge needed to write secure code, or because software testing does not devote enough time to security. On the other hand, programmers who use the programming language's secure functions in their applications believe that their applications are protected. However, some of these functions do not invalidate all attacks and leave applications vulnerable. This work focuses on the PHP language because it is currently the most widely used programming language for web application development. PHP allows programmers to perform actions that would not be possible in other languages, which makes it easier for programmers to make mistakes.
PHP contains a large number of secure functions that can be used to remove vulnerabilities of various types. However, most of these functions are not secure in every context, or are specific to one type of vulnerability, which creates the possibility of their being used incorrectly. This problem makes the appearance of vulnerabilities more likely when one considers that a large share of today's programming courses do not place enough emphasis on security. Finally, another factor contributing to the appearance of vulnerabilities is the complexity of current web applications. This complexity stems from the significant evolution of web technologies in recent years, which increases the number of programming languages and features that programmers must know. Currently there is a large number of static analysis tools intended to analyse PHP source code and find potential vulnerabilities. Some of these tools are based on taint analysis and others on dynamic analysis, symbolic execution and other techniques. A known problem of these tools is that they sometimes report vulnerabilities that are not real (false positives), which can lead the programmer to waste time searching for problems that do not exist. Tools of this kind give programmers reports in varied formats, and the overwhelming majority leave to the programmer the task of checking whether the reported vulnerabilities are real and removing them if they are. However, many of them give no information on how to remove the vulnerabilities. Since many programmers are poorly informed about writing secure code, this process does not always eliminate the vulnerabilities completely.
Only a small number of static analysis tools perform automatic correction of application source code, and those that do often have limitations. Notable among these is that they insert syntactically invalid code that prevents the applications from working correctly, which leaves room for improvement in this area. Among the various types of vulnerabilities that can occur in web applications, the two best known are SQL injection and Cross-Site Scripting, which are studied in detail in this dissertation. This dissertation has two main objectives: first, to study these two types of vulnerabilities in PHP web applications, the different attacks that exploit them, and the different ways of writing secure code to invalidate those attacks through the correct use of secure functions; second, to develop a tool capable of inserting small corrections into the source code of a PHP web application so as to remove vulnerabilities without altering its original behaviour. The main contributions of this dissertation are the following: a study of the different types of SQL injection and Cross-Site Scripting attacks against PHP web applications; a study of the different methods of protecting PHP web applications and the situations in which each should be used; the development of a tool capable of removing vulnerabilities from PHP web applications without harming their original behaviour; and an experimental evaluation of the tool with automatically generated artificial PHP code and real PHP code. The proposed solution consists of a static analysis tool based on taint analysis that is able to analyse simplified PHP programs and, if they are vulnerable, insert lines of code with simple corrections that remove those vulnerabilities, all without altering the programs' original behaviour.
The tool is restricted exclusively to inserting new lines of code, without modifying existing ones, to minimise the probability of making a program syntactically invalid. This allows vulnerabilities to be removed from web applications while at the same time teaching programmers how to write secure code. The simplified PHP programs the tool analyses are PHP files containing a single control-flow path of the original program they correspond to; such a simplified program cannot contain decision structures or loops. The decision to analyse simplified programs was taken to keep the focus of this dissertation on the insertion of secure corrections, something that only a small number of tools currently do. To evaluate the tool we used about 1700 test cases containing automatically generated artificial PHP code with Cross-Site Scripting vulnerabilities and six real PHP web applications containing the same type of vulnerability. We also used 100 test cases containing artificial PHP code with SQL injection vulnerabilities. The tool was able to analyse every PHP file. Regarding the tool's ability to insert corrections into the applications' source code, we obtained encouraging results: every corrected file contained syntactically valid PHP code, and only one file had its original behaviour altered. The file whose behaviour was altered has a more complex structure than expected for a simplified program, which affected the execution of our tool in that case. Regarding the tool's ability to detect vulnerabilities, we found that it reported some vulnerabilities that are not real. This happened partly because of the use of regular expressions in the web applications, something that causes great difficulty for static analysis tools.
We also found that many of the false negatives (real vulnerabilities that were not reported) were due to the context in which certain secure functions are used, which again causes great difficulty for tools of this kind. These situations occurred mainly in the artificial code, which should not be seen as representative of real web applications. We can therefore state that our tool handles real PHP code effectively, which opens the door to its use for correcting vulnerabilities in publicly available applications. After this experimental evaluation we conclude that the solution developed met the main objectives for which it was designed, being able to remove vulnerabilities without harming the programs' original behaviour. The solution is an improvement on the capabilities of existing static analysis tools, especially those that perform automatic code correction. The study of these two vulnerability types also produced a correct and reliable source of information on how to write secure code to prevent both types of vulnerability in PHP web applications.
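The dissertation's central observation, that a language's "secure" functions only neutralise attacks in the context they were designed for, is independent of PHP. The following is an added example written in Python, not code from the dissertation or its tool: the same escaping routine is applied in a quoted HTML attribute, an unquoted attribute, a URL attribute and a numeric SQL context, and a parser (or the database) shows where the attacker's input survives. The payloads, the sample users table and the sql_escape helper (a simplified stand-in for string-context escaping in the style of mysqli_real_escape_string, not a reimplementation of it) are constructed for the illustration.

```python
"""Secure functions applied outside their context (added example, Python rather than PHP)."""
import html
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed attacker-controlled inputs. None contains & < > " or ', so html.escape
# returns them unchanged: the escaping function does its job, just not the job needed here.
ATTR_PAYLOAD = "x onmouseover=alert(1)"
HREF_PAYLOAD = "javascript:alert(1)"
SQL_PAYLOAD = "1 OR 1=1"


class _AttrCollector(HTMLParser):
    """Records the attributes of the first start tag, the way a browser's parser splits them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def parse_attrs(fragment):
    collector = _AttrCollector()
    collector.feed(fragment)
    collector.close()
    return collector.attrs


def event_handlers(fragment):
    """Names of on* attributes a browser would see in the fragment."""
    return sorted(name for name in parse_attrs(fragment) if name.startswith("on"))


# --- HTML attribute context ---------------------------------------------------------
def render_unquoted_attr(value):
    """Vulnerable: the value is escaped, but an unquoted attribute ends at the first space."""
    return f"<input value={html.escape(value)}>"


def render_quoted_attr(value):
    """Fixed: always quote the attribute and escape the quote characters as well."""
    return f'<input value="{html.escape(value, quote=True)}">'


# --- URL attribute context ----------------------------------------------------------
def render_href_escaped(url):
    """Vulnerable: escaping keeps the markup intact but says nothing about the URL scheme."""
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


def render_href_checked(url):
    """Fixed: allow-list the scheme, then escape for the attribute."""
    if urlsplit(url).scheme.lower() not in {"http", "https"}:
        url = "about:blank"  # or reject the request outright
    return f'<a href="{html.escape(url, quote=True)}">link</a>'


# --- SQL string context versus numeric context --------------------------------------
def users_db():
    """Constructed sample table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def sql_escape(text):
    """Simplified string-context escaping: doubles single quotes (enough for SQLite literals)."""
    return text.replace("'", "''")


def lookup_by_name_escaped(con, name):
    """String context: the value sits between quotes, so quote escaping does defeat break-out."""
    sql = f"SELECT name FROM users WHERE name = '{sql_escape(name)}' ORDER BY id"
    return [n for (n,) in con.execute(sql).fetchall()]


def lookup_escaped(con, user_id):
    """Vulnerable: a numeric literal has no surrounding quotes, so escaping quotes changes nothing."""
    sql = f"SELECT name FROM users WHERE id = {sql_escape(user_id)} ORDER BY id"
    return [n for (n,) in con.execute(sql).fetchall()]


def lookup_param(con, user_id):
    """Fixed: validate the type (int() rejects '1 OR 1=1') and bind the value as a parameter."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [n for (n,) in con.execute(sql, (int(user_id),)).fetchall()]
```

The two vulnerable renderers and the vulnerable lookup all call the sanitisation function the language provides; what decides the outcome is whether the surrounding markup or SQL puts the value in the context that function protects.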

    Securing the Next Generation Web

    With the ever-increasing digitalization of society, the need for secure systems is growing. While some security features, like HTTPS, are popular, securing web applications and the clients we use to interact with them remains difficult. To secure web applications we focus on both the client side and the server side. For the client side, mainly web browsers, we analyze how new security features might solve one problem but introduce new ones. We show this by performing a systematic analysis of the new Content Security Policy (CSP) directive navigate-to. In our research, we find that it does introduce new vulnerabilities, for which we recommend countermeasures. We also create AutoNav, a tool capable of automatically suggesting navigation policies for this directive. Finding server-side vulnerabilities in a black-box setting, where there is no access to the source code, is challenging. To improve this, we develop novel black-box methods for automatically finding vulnerabilities. We accomplish this by identifying key challenges in web scanning and combining the best of previous methods. Additionally, we leverage SMT solvers to further improve the coverage and vulnerability detection rate of scanners. In addition to browsers, browser extensions also play an important role in the web ecosystem. These small programs, e.g. ad blockers and password managers, have powerful APIs and access to sensitive user data like browsing history. By systematically analyzing the extension ecosystem we find new static and dynamic methods for detecting both malicious and vulnerable extensions. In addition, we develop a method for detecting malicious extensions based solely on the metadata of downloads over time. We analyze new attack vectors introduced by Google's new vehicle OS, Android Automotive, which is based on Android with the addition of vehicle APIs. Our analysis results in new attacks pertaining to safety, privacy, and availability. Furthermore, we create AutoTame, which is designed to analyze third-party apps for vehicles for the vulnerabilities we found.

    Hybrid Differential Software Testing

    Differential software testing is important for software quality assurance as it aims to automatically generate test inputs that reveal behavioral differences in software. The concrete analysis procedure depends on the targeted result: differential testing can reveal divergences between two execution paths (1) of different program versions or (2) within the same program. The first analysis type executes different program versions with the same input, while the second executes the same program with different inputs. Detecting regression bugs in software evolution, analyzing side-channels in programs, maximizing the execution cost of a program over multiple executions, and evaluating the robustness of neural networks are therefore instances of differential software analysis with the goal of generating diverging executions of program paths. The key challenge of differential software testing is to reason simultaneously about multiple program paths, often across program variants, in an efficient way. Existing work in differential testing is often not (specifically) directed to reveal different behavior or is limited to a subset of the search space. This PhD thesis proposes the concept of Hybrid Differential Software Testing (HyDiff) as a hybrid analysis technique to generate difference-revealing inputs. HyDiff consists of two components that operate in a parallel setup: (1) a search-based technique that inexpensively generates inputs and (2) a systematic exploration technique that also exercises deeper program behaviors. HyDiff's search-based component uses differential fuzzing directed by differential heuristics. HyDiff's systematic exploration component is based on differential dynamic symbolic execution, which allows it to incorporate concrete inputs in its analysis. HyDiff is evaluated experimentally with applications specific to differential testing. The results show that HyDiff is effective in all considered categories and outperforms its components in isolation.

    Pre-deployment Analysis of Smart Contracts -- A Survey

    Smart contracts are programs that execute transactions involving independent parties and cryptocurrencies. As programs, smart contracts are susceptible to a wide range of errors and vulnerabilities. Such vulnerabilities can result in significant losses. Furthermore, by design, smart contract transactions are irreversible. This creates a need for methods to ensure the correctness and security of contracts before deployment. Recently there has been substantial research into such methods. The sheer volume of this research makes articulating the state of the art a substantial undertaking. To address this challenge, we present a systematic review of the literature. A key feature of our presentation is to factor out the relationship between vulnerabilities and methods through properties. Specifically, we enumerate and classify smart contract vulnerabilities and methods by the properties they address. The methods considered include static analysis as well as dynamic analysis methods and machine learning algorithms that analyze smart contracts before deployment. Several patterns about the strengths of different methods emerge through this classification process.

    Improving Developers' Understanding of Regex Denial of Service Tools through Anti-Patterns and Fix Strategies

    Regular expressions are used for diverse purposes, including input validation and firewalls. Unfortunately, they can also lead to a security vulnerability called ReDoS (Regular Expression Denial of Service), caused by super-linear worst-case execution time during regex matching. Due to the severity and prevalence of ReDoS, past work proposed automatic tools to detect and fix regexes. Although these tools were evaluated in automatic experiments, their usability has not yet been studied. Our insight is that the usability of existing tools to detect and fix regexes will improve if we complement them with anti-patterns and fix strategies for vulnerable regexes. We developed novel anti-patterns for vulnerable regexes and a collection of fix strategies to fix them. We derived our anti-patterns and fix strategies from a novel theory of regex infinite ambiguity, a necessary condition for a regex to be vulnerable to ReDoS. We proved the soundness and completeness of our theory. We evaluated the effectiveness of our anti-patterns, both in an automatic experiment and when applied manually. Then, we evaluated how much our anti-patterns and fix strategies improve developers' understanding of the outcome of detection and fixing tools. Our evaluation found that our anti-patterns were effective over a large dataset of regexes (N=209,188): 100% precision and 99% recall, improving on the state of the art's 50% precision and 87% recall. Our anti-patterns were also more effective than the state of the art when applied manually (N=20): 100% of developers applied them effectively vs. 50% for the state of the art. Finally, our anti-patterns and fix strategies increased developers' understanding when using automatic tools (N=9): from a median of "Very weakly" to a median of "Strongly" when detecting vulnerabilities, and from a median of "Very weakly" to a median of "Very strongly" when fixing them.

    Exploiting Input Sanitization for Regex Denial of Service

    Web services use server-side input sanitization to guard against harmful input. Some web services publish their sanitization logic to make their client interface more usable, e.g., allowing clients to debug invalid requests locally. However, this usability practice poses a security risk. Specifically, services may share the regexes they use to sanitize input strings, and regex-based denial of service (ReDoS) is an emerging threat. Although prominent service outages caused by ReDoS have spurred interest in this topic, we know little about the degree to which live web services are vulnerable to ReDoS. In this paper, we conduct the first black-box study measuring the extent of ReDoS vulnerabilities in live web services. We apply the Consistent Sanitization Assumption: that client-side sanitization logic, including regexes, is consistent with the sanitization logic on the server side. We identify a service's regex-based input sanitization in its HTML forms or its API, find vulnerable regexes among them, craft ReDoS probes, and pinpoint vulnerabilities. We analyzed the HTML forms of 1,000 services and the APIs of 475 services. Of these, 355 services publish regexes; 17 services publish unsafe regexes; and 6 services are vulnerable to ReDoS through their APIs (6 domains; 15 subdomains). Both Microsoft and Amazon Web Services patched their web services as a result of our disclosure. Since these vulnerabilities came from API specifications, not HTML forms, we proposed a ReDoS defense for a popular API validation library, and our patch has been merged. To summarize: in client-visible sanitization logic, some web services advertise ReDoS vulnerabilities in plain sight. Our results motivate short-term patches and long-term fundamental solutions.
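The two ReDoS papers above rest on the same mechanics: a regex whose ambiguous nesting lets a backtracking engine try exponentially many ways to match a pumped string, found by an anti-pattern check and triggered by a probe that forces the match to fail at the very end. The block below is an added example serving both abstracts, not code from either paper: it pulls the pattern attributes out of a constructed HTML form (the Consistent Sanitization Assumption applied to a signup page), applies one simplified anti-pattern, an unbounded quantifier nested inside another unbounded quantifier (star height of two or more), and crafts a pump-plus-failing-suffix probe. That check is a conservative over-approximation of the papers' infinite-ambiguity theory and flags some unambiguous regexes such as (a+b)+. The sample form, its field names and the candidate pump characters are assumptions; the check parses patterns with CPython's own regex parser (re._parser, formerly sre_parse), so JavaScript-only syntax in real forms would need a JS-aware parser.

```python
"""Find regexes published in HTML forms that show a ReDoS anti-pattern, then craft a probe."""
import re
import time
from html.parser import HTMLParser

try:  # CPython 3.11+ keeps the regex parser and opcode constants under re._parser / re._constants
    from re import _parser as sre_parse
    from re._constants import BRANCH, MAX_REPEAT, MIN_REPEAT, SUBPATTERN
except ImportError:  # older CPython
    import sre_parse
    from sre_constants import BRANCH, MAX_REPEAT, MIN_REPEAT, SUBPATTERN
from _sre import MAXREPEAT  # the upper bound the parser stores for an unbounded quantifier

# Constructed sample: a signup form that publishes its server-side validation regexes.
# HTML anchors a pattern attribute implicitly, so "(\w+\s?)*" is matched as ^(?:(\w+\s?)*)$.
SAMPLE_FORM = r"""
<form action="/signup" method="post">
  <input name="username" pattern="[A-Za-z0-9_]{3,16}">
  <input name="zip" pattern="\d{5}(-\d{4})?">
  <input name="display_name" pattern="(\w+\s?)*">
  <input name="tags" pattern="([a-z]+,?)+">
</form>
"""


class _PatternCollector(HTMLParser):
    """Collects (field name, pattern) pairs from <input pattern="..."> elements."""

    def __init__(self):
        super().__init__()
        self.patterns = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("pattern"):
            self.patterns.append((attrs.get("name", "?"), attrs["pattern"]))


def published_patterns(html_doc):
    collector = _PatternCollector()
    collector.feed(html_doc)
    collector.close()
    return collector.patterns


def star_height(tree):
    """Nesting depth of unbounded quantifiers (+, *, {n,}) in a parsed regex tree."""
    height = 0
    for op, av in tree:
        if op in (MAX_REPEAT, MIN_REPEAT):  # av = (min, max, subtree)
            _lo, hi, sub = av
            height = max(height, star_height(sub) + (1 if hi == MAXREPEAT else 0))
        elif op == SUBPATTERN:  # group; the subtree is the last element of av
            height = max(height, star_height(av[-1]))
        elif op == BRANCH:  # alternation; av = (None, [alternatives])
            height = max(height, *(star_height(alt) for alt in av[1]))
    return height


def star_height_of(pattern):
    return star_height(sre_parse.parse(pattern))


def is_suspicious(pattern):
    """Simplified anti-pattern: an unbounded quantifier nested inside another one."""
    return star_height_of(pattern) >= 2


def audit_form(html_doc):
    """(field, pattern) pairs flagged by the anti-pattern; patterns CPython cannot parse are skipped."""
    flagged = []
    for name, pattern in published_patterns(html_doc):
        try:
            if is_suspicious(pattern):
                flagged.append((name, pattern))
        except re.error:
            pass
    return flagged


PUMP_CANDIDATES = "a0 -._"  # characters tried as the repeated unit of the probe


def craft_probe(pattern, n=20):
    """Pump a character the regex accepts n times, then end with '!' so the anchored match
    fails and the engine backtracks through every way of splitting the pumped prefix.
    (If the regex also accepts '!', no failure is forced and the suffix must be changed.)"""
    pump = next((c for c in PUMP_CANDIDATES if re.fullmatch(pattern, c * 3)), "a")
    return pump * n + "!"


def forces_failure(pattern, probe):
    return re.fullmatch(pattern, probe) is None


def match_seconds(pattern, probe):
    start = time.perf_counter()
    re.fullmatch(pattern, probe)
    return time.perf_counter() - start


if __name__ == "__main__":
    for field, pattern in audit_form(SAMPLE_FORM):
        # Each extra pumped character roughly doubles the work for these two patterns,
        # so n is kept small to keep the demonstration short.
        for n in (10, 14, 18):
            seconds = match_seconds(pattern, craft_probe(pattern, n))
            print(f"{field:13s} {pattern:14s} n={n:2d} {seconds:.3f}s")
```

Running the block prints the matching time for the two flagged fields at three pump lengths; the username and zip patterns are not flagged because their quantifiers are bounded or not nested. A production check would replace star_height with the papers' ambiguity analysis (to drop false positives such as (a+b)+) and would generate the pump from the ambiguous sub-expression rather than by trial.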