Team for Research in
Ubiquitous Secure Technology

Automatically Generating Attacks on Webapps with Model Checking
Michael Martin

Citation
Michael Martin. "Automatically Generating Attacks on Webapps with Model Checking". Talk or presentation, 11, October, 2007.

Abstract
Cross-site scripting (XSS) and SQL injection errors are two prominent examples of taint-based vulnerabilities that are responsible for a large number of security breaches in recent years. This paper presents QED, a goal-directed model-checking system for locating software defects including these in large Java web applications.rnrnThe user provides a specification of undesirable behavior and the application to test. Based on the specification and the structure of the web application, QED harnesses the application for model checking and also performs a static analysis to remove unnecessary portions of the search space. The remaining state space can then be systematically checked. This checking is complete enough to also discover defects that only manifest themselves after multiple requests have been made to a web application.rnrnNot only does QED identify these vulnerabilities automatically, it proves the existence of errors by providing an example input of an attack and a program trace showing how the code is compromised. QED does make it easy for the application maintainer to recognize the errors and to make the necessary fix. In other words, unlike many other static analysis tools, QED does not generate any false-positive warnings. For a class of applications, QED can guarantee that it has found all the potential bugs in the program.rnrnQED combines techniques from advanced pointer analysis, dynamic monitoring, and model checking, combining the advantages of all three: QED provides a bound on errors in both directions, and can readily demonstrate how to trigger the bugs it finds.rnrnWe have run QED over a set of 3 Java web applications that use the popular Struts framework. In 130,000 lines of code, we found 10 SQL injections and 13 cross-site scripting errors.

Electronic downloads


Internal. This publication has been marked by the author for TRUST-only distribution, so electronic downloads are not available without logging in.
Citation formats  
  • HTML 
    Michael Martin. <a
href="http://www.truststc.org/pubs/302.html"
><i>Automatically Generating Attacks on Webapps
with Model Checking</i></a>, Talk or
presentation,  11, October, 2007.
  • Plain text 
    Michael Martin. "Automatically Generating Attacks on
Webapps with Model Checking". Talk or presentation, 
11, October, 2007.
  • BibTeX 
    @presentation{Martin07_AutomaticallyGeneratingAttacksOnWebappsWithModelChecking,
    author = {Michael Martin},
    title = {Automatically Generating Attacks on Webapps with
              Model Checking},
    day = {11},
    month = {October},
    year = {2007},
    abstract = {Cross-site scripting (XSS) and SQL injection
              errors are two prominent examples of taint-based
              vulnerabilities that are responsible for a large
              number of security breaches in recent years. This
              paper presents QED, a goal-directed model-checking
              system for locating software defects including
              these in large Java web applications.rnrnThe user
              provides a specification of undesirable behavior
              and the application to test. Based on the
              specification and the structure of the web
              application, QED harnesses the application for
              model checking and also performs a static analysis
              to remove unnecessary portions of the search
              space. The remaining state space can then be
              systematically checked. This checking is complete
              enough to also discover defects that only manifest
              themselves after multiple requests have been made
              to a web application.rnrnNot only does QED
              identify these vulnerabilities automatically, it
              proves the existence of errors by providing an
              example input of an attack and a program trace
              showing how the code is compromised. QED does make
              it easy for the application maintainer to
              recognize the errors and to make the necessary
              fix. In other words, unlike many other static
              analysis tools, QED does not generate any
              false-positive warnings. For a class of
              applications, QED can guarantee that it has found
              all the potential bugs in the program.rnrnQED
              combines techniques from advanced pointer
              analysis, dynamic monitoring, and model checking,
              combining the advantages of all three: QED
              provides a bound on errors in both directions, and
              can readily demonstrate how to trigger the bugs it
              finds.rnrnWe have run QED over a set of 3 Java web
              applications that use the popular Struts
              framework. In 130,000 lines of code, we found 10
              SQL injections and 13 cross-site scripting errors.},
    URL = {http://www.truststc.org/pubs/302.html}
}

Posted by Larry Rohrbough on 16 Oct 2007.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.