Sound and Precise Malware Analysis for Android via Pushdown Reachability and Entry-Point Saturation

We present Anadroid, a static malware analysis framework for Android apps. Anadroid exploits two techniques to soundly raise precision: (1) it uses a pushdown system to precisely model dynamically dispatched interprocedural and exception-driven control-flow; (2) it uses Entry-Point Saturation (EPS) to soundly approximate all possible interleavings of asynchronous entry points in Android applications. (It also integrates static taint-flow analysis and least permissions analysis to expand the class of malicious behaviors which it can catch.) Anadroid provides rich user interface support for human analysts which must ultimately rule on the "maliciousness" of a behavior. To demonstrate the effectiveness of Anadroid's malware analysis, we had teams of analysts analyze a challenge suite of 52 Android applications released as part of the Auto- mated Program Analysis for Cybersecurity (APAC) DARPA program. The first team analyzed the apps using a ver- sion of Anadroid that uses traditional (finite-state-machine-based) control-flow-analysis found in existing malware analysis tools; the second team analyzed the apps using a version of Anadroid that uses our enhanced pushdown-based control-flow-analysis. We measured machine analysis time, human analyst time, and their accuracy in flagging malicious applications. With pushdown analysis, we found statistically significant (p < 0.05) decreases in time: from 85 minutes per app to 35 minutes per app in human plus machine analysis time; and statistically significant (p < 0.05) increases in accuracy with the pushdown-driven analyzer: from 71% correct identification to 95% correct identification.Comment: Appears in 3rd Annual ACM CCS workshop on Security and Privacy in SmartPhones and Mobile Devices (SPSM'13), Berlin, Germany, 201

Some security issues for web based frameworks

This report investigates whether a vulnerability found in one web framework may be used to find a vulnerability in a different web framework. To test this hypothesis, several open source applications were installed in a secure test environment together with security analysis tools. Each one of the applications were developed using a different software framework. The results show that a vulnerability identified in one framework can often be used to find similar vulnerabilities in other frameworks. Crosssite scripting security issues are the most likely to succeed when being applied to more than one framework

Automated server-side model for recognition of security vulnerabilities in scripting languages

With the increase of global accessibility of web applications, maintaining a reasonable security level for both user data and server resources has become an extremely challenging issue. Therefore, static code analysis systems can help web developers to reduce time and cost. In this paper, a new static analysis model is proposed. This model is designed to discover the security problems in scripting languages. The proposed model is implemented in a prototype SCAT, which is a static code analysis Tool. SCAT applies the phases of the proposed model to catch security vulnerabilities in PHP 5.3. Empirical results attest that the proposed prototype is feasible and is able to contribute to the security of real-world web applications. SCAT managed to detect 94% of security vulnerabilities found in the testing benchmarks; this clearly indicates that the proposed model is able to provide an effective solution to complicated web systems by offering benefits of securing private data for users and maintaining web application stability for web applications providers

Security analyses for detecting deserialisation vulnerabilities : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand

An important task in software security is to identify potential vulnerabilities. Attackers exploit security vulnerabilities in systems to obtain confidential information, to breach system integrity, and to make systems unavailable to legitimate users. In recent years, particularly 2012, there has been a rise in reported Java vulnerabilities. One type of vulnerability involves (de)serialisation, a commonly used feature to store objects or data structures to an external format and restore them. In 2015, a deserialisation vulnerability was reported involving Apache Commons Collections, a popular Java library, which affected numerous Java applications. Another major deserialisation-related vulnerability that affected 55\% of Android devices was reported in 2015. Both of these vulnerabilities allowed arbitrary code execution on vulnerable systems by malicious users, a serious risk, and this came as a call for the Java community to issue patches to fix serialisation related vulnerabilities in both the Java Development Kit and libraries. Despite attention to coding guidelines and defensive strategies, deserialisation remains a risky feature and a potential weakness in object-oriented applications. In fact, deserialisation related vulnerabilities (both denial-of-service and remote code execution) continue to be reported for Java applications. Further, deserialisation is a case of parsing where external data is parsed from their external representation to a program's internal data structures and hence, potentially similar vulnerabilities can be present in parsers for file formats and serialisation languages. The problem is, given a software package, to detect either injection or denial-of-service vulnerabilities and propose strategies to prevent attacks that exploit them. The research reported in this thesis casts detecting deserialisation related vulnerabilities as a program analysis task. The goal is to automatically discover this class of vulnerabilities using program analysis techniques, and to experimentally evaluate the efficiency and effectiveness of the proposed methods on real-world software. We use multiple techniques to detect reachability to sensitive methods and taint analysis to detect if untrusted user-input can result in security violations. Challenges in using program analysis for detecting deserialisation vulnerabilities include addressing soundness issues in analysing dynamic features in Java (e.g., native code). Another hurdle is that available techniques mostly target the analysis of applications rather than library code. In this thesis, we develop techniques to address soundness issues related to analysing Java code that uses serialisation, and we adapt dynamic techniques such as fuzzing to address precision issues in the results of our analysis. We also use the results from our analysis to study libraries in other languages, and check if they are vulnerable to deserialisation-type attacks. We then provide a discussion on mitigation measures for engineers to protect their software against such vulnerabilities. In our experiments, we show that we can find unreported vulnerabilities in Java code; and how these vulnerabilities are also present in widely-used serialisers for popular languages such as JavaScript, PHP and Rust. In our study, we discovered previously unknown denial-of-service security bugs in applications/libraries that parse external data formats such as YAML, PDF and SVG

A Hybrid Graph Neural Network Approach for Detecting PHP Vulnerabilities

This paper presents DeepTective, a deep learning approach to detect vulnerabilities in PHP source code. Our approach implements a novel hybrid technique that combines Gated Recurrent Units and Graph Convolutional Networks to detect SQLi, XSS and OSCI vulnerabilities leveraging both syntactic and semantic information. We evaluate DeepTective and compare it to the state of the art on an established synthetic dataset and on a novel real-world dataset collected from GitHub. Experimental results show that DeepTective achieves near perfect classification on the synthetic dataset, and an F1 score of 88.12% on the realistic dataset, outperforming related approaches. We validate DeepTective in the wild by discovering 4 novel vulnerabilities in established WordPress plugins.Comment: A poster version of this paper appeared as https://doi.org/10.1145/3412841.344213

Realistic vulnerability injections in PHP web applications

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011A injecção de vulnerabilidades é uma área que recebeu relativamente pouca atenção da comunidade científica, provavelmente por o seu objectivo ser aparentemente contrário ao propósito de fazer as aplicações mais seguras. Esta pode no entanto ser usada em variadas áreas que a fazem merecedora de ser investigada, tais como a criação automática de exemplos educacionais de código vulnerável, testar mecanismos de segurança em profundidade, e a avaliação de detectores de vulnerabilidades e de equipas de segurança. Esta tese propõe uma arquitectura para uma ferramenta de injecção de vulnerabilidades genérica que permite a inserção de vulnerabilidades num programa, e aproveita a vasta investigação existente sobre detecção de vulnerabilidades. A arquitectura é também extensível, suportando a adição de novas vulnerabilidades para serem injectadas. Foi também implementado e avaliado um protótipo baseado nesta arquitectura por forma a perceber se a arquitectura era implementável. O protótipo consegue injectar a maior parte das vulnerabilidades da class taint-style, desde que em aplicações web desenvolvidas em PHP. Esta tese contém também um estudo sobre as vulnerabilidades presentes nas últimas versões de algumas aplicações PHP bem conhecidas, que permite perceber quais os tipos de vulnerabilidade mais comuns. Este estudo conclui que as vulnerabilidades que o protótipo permite já incluem a maioria das vulnerabilidades que aparecem habitualmente em aplicações PHP. Finalmente, várias aplicações PHP foram usadas na avaliação. O protótipo foi usado para injectar diversas vulnerabilidades sobre estas aplicações, e após isso as injecções foram analisadas à mão para verificar se uma vulnerabilidade tinha sido criada ou não. Os resultados mostram que o protótipo consegue não só injectar uma grande quantidade de vulnerabilidades mas também que estas são atacáveis e realistas.Vulnerability injection is a field that has received relatively little attention by the research community, probably because its objective is apparently contrary to the purpose of making applications more secure. It can however be used in a variety of areas that make it worthy of research, such as the automatic creation of educational examples of vulnerable code, testing defense in depth mechanisms, and the evaluation of both vulnerability scanners and security teams. This thesis proposes an architecture for a generic vulnerability injection tool that allows the insertion of vulnerabilities in a program, and leverages from the vast work available on vulnerability detection. The architecture is also extensible, supporting the addition of new vulnerabilities to inject. A prototype implementing the architecture was developed and evaluated to analyze the feasibility of the architecture. The prototype targets PHP web applications, and is able to inject most taintstyle type vulnerabilities. The thesis also contains a study on the vulnerabilities present in the latest versions of some well known PHP applications, providing a better understanding of which are the most common types of vulnerabilities. This study shows that the vulnerabilities that the prototype is able to inject already includes the majority of the vulnerabilities that appear in PHP web applications. Finally, several PHP applications were used in the evaluation. These were subject to injections using the prototype, after which they were analyzed by hand to see whether a vulnerability was created or not. The results show that the prototype can not only inject a great amount of vulnerabilities but that they are actually attackable