
Publication


Featured research published by Shih-Kun Huang.


International World Wide Web Conferences | 2003

Web application security assessment by fault injection and behavior monitoring

Yao-Wen Huang; Shih-Kun Huang; Tsung-Po Lin; Chung-Hung Tsai

As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.


Information Hiding | 1999

Cocktail Watermarking on Images

Chun-Shien Lu; Hong-Yuan Mark Liao; Shih-Kun Huang; Chwen-Jye Sze

A novel image protection scheme named “cocktail watermarking” improves over current spread-spectrum watermarking approaches. Two watermarks, which play complementary roles, are simultaneously embedded into an original image. The new watermarking scheme has the characteristic that, no matter what an attack is, at least one watermark typically survives well and can be detected. Results of extensive experiments indicate that our cocktail watermarking scheme is effective in resisting various attacks.


Computer Networks | 2005

A testing framework for Web application security assessment

Yao-Wen Huang; Chung-Hung Tsai; Tsung-Po Lin; Shih-Kun Huang; D. T. Lee; Sy-Yen Kuo

The rapid development phases and extremely short turnaround time of Web applications make it difficult to eliminate their vulnerabilities. Here we study how software testing techniques such as fault injection and runtime monitoring can be applied to Web applications. We implemented our proposed mechanisms in the Web Application Vulnerability and Error Scanner (WAVES)--a black-box testing framework for automated Web application security assessment. Real-world situations are used to test WAVES and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.


2012 IEEE Sixth International Conference on Software Security and Reliability | 2012

CRAX: Software Crash Analysis for Automatic Exploit Generation by Modeling Attacks as Symbolic Continuations

Shih-Kun Huang; Min-Hsiang Huang; Po-Yen Huang; Chung-Wei Lai; Han-Lin Lu; Wai-Meng Leong

We present a simple framework capable of automatically generating attacks that exploit control flow hijacking vulnerabilities. We analyze given software crashes and perform symbolic execution in concolic mode, using a whole system environment model. The framework uses an end-to-end approach to generate exploits for various applications, including 16 medium scale benchmark programs, and several large scale applications, such as Mplayer (a media player), Unrar (an archiver) and Foxit (a PDF reader), with stack/heap overflow, off-by-one overflow, use of uninitialized variable, and format string vulnerabilities. Notably, these applications have been typically regarded as fuzzing preys, but still require a manual process with security knowledge to produce mitigation-hardened exploits. Using our system to produce exploits is a fully automated and straightforward process for crashed software without source. We produce the exploits within six minutes for medium scale programs, and as long as 80 minutes for mplayer (about 500,000 LOC), after constraint reductions. Our results demonstrate that the link between software bugs and security vulnerabilities can be automatically bridged.


IEEE Transactions on Reliability | 2014

Software Crash Analysis for Automatic Exploit Generation on Binary Programs

Shih-Kun Huang; Min-Hsiang Huang; Po-Yen Huang; Han-Lin Lu; Chung-Wei Lai

This paper presents a new method, capable of automatically generating attacks on binary programs from software crashes. We analyze software crashes with a symbolic failure model by performing concolic executions following the failure directed paths, using a whole system environment model and concrete address mapped symbolic memory in S2E. We propose a new selective symbolic input method and lazy evaluation on pseudo symbolic variables to handle symbolic pointers and speed up the process. This is an end-to-end approach able to create exploits from crash inputs or existing exploits for various applications, including most of the existing benchmark programs, and several large scale applications, such as a word processor (Microsoft Office Word), a media player (mplayer), an archiver (unrar), or a PDF reader (foxit). We can deal with vulnerability types including stack and heap overflows, format string, and the use of uninitialized variables. Notably, these applications have become software fuzz testing targets, but still require a manual process with security knowledge to produce mitigation-hardened exploits. Using this method to generate exploits is an automated process for software failures without source code. The proposed method is simpler, more general, faster, and can be scaled to larger programs than existing systems. We produce the exploits within one minute for most of the benchmark programs, including mplayer. We also transform existing exploits of Microsoft Office Word into new exploits within four minutes. The best speedup is 7,211 times faster than the initial attempt. For heap overflow vulnerability, we can automatically exploit the unlink() macro of glibc, which formerly requires sophisticated hacking efforts.


Computers & Mathematics With Applications | 2010

Efficient proxy signcryption scheme with provable CCA and CMA security

Han-Yu Lin; Tzong-Sun Wu; Shih-Kun Huang; Yi-Shiung Yeh

For facilitating the confidential transaction with delegation such as on-line proxy auction and business contract signing by an authorized proxy, we propose an efficient proxy signcryption scheme from pairings. Our scheme allows an original signer to delegate his signing power to a proxy one such that the latter can signcrypt a plaintext on behalf of the former. The signcrypted message can only be decrypted by a designated recipient who is also responsible for verifying the recovered proxy signature. To deal with a later dispute over repudiation, the designated recipient can easily announce the ordinary proxy signature for public verification without extra computational efforts. To guarantee the realistic applicability, we demonstrate that our scheme outperforms previous works in terms of functionalities and computational efficiency. Moreover, the security requirement of confidentiality against indistinguishability under adaptive chosen-ciphertext attacks (IND-CCA2) and that of unforgeability against existential forgery under adaptive chosen-message attacks (EF-CMA) are proved in random oracle models.


2013 IEEE 7th International Conference on Software Security and Reliability | 2013

CRAXweb: Automatic Web Application Testing and Attack Generation

Shih-Kun Huang; Han-Lin Lu; Wai-Meng Leong; Huan Liu

This paper proposes to test web applications and generate the feasible exploits automatically, including cross-site scripting and SQL injection attacks. We test the web applications with initial random inputs by detecting symbolic queries to SQL servers or symbolic responses to HTTP servers. After symbolic outputs are detected, we are able to generate attack strings and reproduce the results, emulating the manual attack behavior. In contrast with other traditional detection and prevention methods, we can determine the presence of vulnerabilities and prove the feasibility of attacks. This automatic generation process is based on a dynamic software testing method, symbolic execution by S2E. We have applied this automatic process to several known vulnerabilities on large-scale open source web applications, and generated the attack strings successfully. Our method is web platform independent, covering PHP, JSP, Rails, and Django due to the support of the whole system environment of S2E.


Computer Software and Applications Conference | 1992

Two-way coloring approaches for method dispatching in object-oriented programming systems

Shih-Kun Huang; Deng-Jyi Chen

In object-oriented systems, heavy message sending has slowed down the execution efficiency. Most of the current solutions are based on message tables according to a class-hierarchy to develop more efficient method searching algorithms. An approach with little space overhead and constant dispatch time is proposed. The general strategy is called the two-way coloring technique. The algorithm can be applied in both typed and untyped object-oriented languages. For typed languages, the space overhead is not greater than the conventional approaches, but it can dispatch methods in the same situations as untyped languages. For untyped languages, the constraint for dispatch is not decreased and the space overhead is not much higher, but it can dispatch methods in constant time. Based on the comparison with conventional approaches, the proposed approach demonstrates its advantages on space overhead, dispatching speed, and applicability. Several case studies are presented as a comparison with existing run time dispatch mechanisms.


Asia Pacific Conference on Quality Software | 2001

Object-oriented program behavior analysis based on control patterns

Chung-Chien Hwang; Shih-Kun Huang; Deng-Jyi Chen; David T. K. Chen

Code-patterns are statically recurring structures specific to a programming language. It can be parallel to aid in designing software systems for solving particular problems. Contrary to compilation assistance of code-patterns, control-patterns are dynamically recurring structures invoked during program execution time. They can be used for benchmarking OO-programs and underlying architecture like Java and Java-VM. We propose a run-time profiler based on control patterns and show that all run-time traces can be represented by a directed graph, a constrained output and a Boolean function. A transformed graph can be fed into a data-mining analyzer to find out the recurring structure representing run-time behaviors.


IEEE International Conference on Software Security and Reliability Companion | 2014

CRAXDroid: Automatic Android System Testing by Selective Symbolic Execution

Chao Chun Yeh; Han Lin Lu; Chun-Yen Chen; Kee Kiat Khor; Shih-Kun Huang

Mobile devices such as smart phones and tablet PCs are becoming common personal devices. The business model of a central software market is also thriving and turning into a major distribution source of software packages on those devices. However, these devices often contain personal private information and can be used to conduct operations involving data leakage and payment events like sending SMS. As a result, the quality of software on mobile devices becomes a critical issue. We aim at checking whether software off the shelf contains defective behavior or potential vulnerabilities, and aiding the official APP or third party markets to ensure their software without privacy issues. We have built a platform for Android APP testing, by revising our software quality assurance and exploit generation platform, called CRAX, to apply in the Android platform. It is called the CRAXDroid that allows any inputs to be the testing sources to the APP without source code. These approaches are based on the symbolic execution technique and Android emulator. By automatically exploring execution paths, we can find potential software defects. We perform several experiments on Android applications to prove the feasibility of our method.

Collaboration

Top Co-Authors

Chao-Chun Yeh, Industrial Technology Research Institute

Chwen-Jye Sze, National Central University

Deng-Jyi Chen, National Chiao Tung University

Han-Lin Lu, National Chiao Tung University

Han Lin Lu, National Chiao Tung University

Han-Yu Lin, National Chiao Tung University

Chung-Chien Hwang, National Chiao Tung University

Tzong-Sun Wu, National Taiwan Ocean University