
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association

Certifiable Trustworthy IT Systems

www.kit.edu

flickr.com/photos/85638163@N00/4627233065/sizes/l/in/photostream/

SPaCiTE – Web Application Testing Engine

Matthias Büchler, Johan Oudinet, and Alexander Pretschner

April 21, 2012

M. Büchler, J. Oudinet, A. Pretschner2 SPaCiTE – Web Application Testing Engine

Motivation / Purpose of the Tool

Secure Model: M ⊨ φ

Is the Web Application secure?

Web Application

How does a secure model help to answer this question?


Client Side Server Side



SPaCiTE Workflow

How SPaCiTE executes test cases (attack traces) based on secure models


The Secure Model – Abstract Messages


The Secure Model – Horn Clauses


The Secure Model – The Honest User


The Secure Model – The Server


The Secure Model – Secrecy Goal


Model-Based Flaw Injection Library

<configuration>
  <ACflaw>
    <funcname>isAuthorizedTo*</funcname>
  </ACflaw>
</configuration>


Model Checking

SATMC

CL-ATSE

OFMC

Reuse AVANTSSAR Backends


Abstract Attack Trace

<tom> ->* webServer : login(tom,password(tom,webServer))

webServer -> <tom> : listStaffOf(tom)

<tom> *-> webServer : viewProfileOf(jerry)

webServer *->* <tom> : profileOf(jerry)
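
The trace above can be read mechanically before it is mapped to browser actions. The following parser is an added example, not SPaCiTE code: it assumes the ASLan++ reading of the channel arrows, drops the angle brackets (the slide does not define them), and assumes that messages sent to webServer are the ones the test driver generates while replies are the ones it verifies.

```python
import re
from dataclasses import dataclass

# The four steps of the abstract attack trace, copied from the slide.
TRACE = """\
<tom> ->* webServer : login(tom,password(tom,webServer))
webServer -> <tom> : listStaffOf(tom)
<tom> *-> webServer : viewProfileOf(jerry)
webServer *->* <tom> : profileOf(jerry)
"""
# Arrow meanings follow the ASLan++ channel convention (assumption, not on the slide).
CHANNELS = {"->": "insecure", "*->": "authentic", "->*": "confidential", "*->*": "secure"}
STEP = re.compile(r"^\s*(<?\w+>?)\s+(\*?->\*?)\s+(<?\w+>?)\s*:\s*(.+?)\s*$")

@dataclass
class Step:
    sender: str
    receiver: str
    channel: str
    message: object  # atom (str) or (function name, [argument terms])

def parse_term(text):
    """Parse f(a,g(b,c)) into ('f', ['a', ('g', ['b', 'c'])]); atoms stay strings."""
    text = text.strip()
    if "(" not in text:
        if not re.fullmatch(r"\w+", text):
            raise ValueError(f"bad atom: {text!r}")
        return text
    name, rest = text.split("(", 1)
    if not re.fullmatch(r"\w+", name.strip()) or not rest.endswith(")"):
        raise ValueError(f"malformed term: {text!r}")
    body, args, depth, start = rest[:-1], [], 0, 0
    for i, ch in enumerate(body):
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:  # split only on top-level commas
            args.append(parse_term(body[start:i]))
            start = i + 1
    args.append(parse_term(body[start:]))
    return (name.strip(), args)

def parse_trace(text):
    steps = []
    for n, line in enumerate(filter(str.strip, text.splitlines()), 1):
        m = STEP.match(line)
        if not m:
            raise ValueError(f"step {n} is not a trace line: {line!r}")
        sender, arrow, receiver, msg = m.groups()
        steps.append(Step(sender.strip("<>"), receiver.strip("<>"), CHANNELS[arrow], parse_term(msg)))
    return steps

def browser_plan(steps, sut="webServer"):
    """Messages to the system under test are generated by the test driver; replies are verified."""
    name = lambda m: m if isinstance(m, str) else m[0]
    return [("generate" if s.receiver == sut else "verify", name(s.message)) for s in steps]
```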


Transform AAT to WAAL

Configuration Information

How are abstract messages translated into actions?

How is a viewProfileOf message generated in the browser?



Translate WAAL actions to Java source code

Embed them into a test execution engine skeleton


Execution

Execute the test case

Recovery actions might be needed


Example of a Recovery Action


Verdict


Conclusion

Semi-automatic security testing of web applications

Automatic at browser level

May request help from a test expert at HTTP level

Interesting abstract attack traces were generated by injecting relevant source code level faults into the model

Relevant fault = known vulnerability that has been exploited to violate any security goal in the secure model.

We were able to reproduce all 4 Abstract Attack Traces coming from 2 RBAC and 2 XSS models


Future Work

Target different vulnerabilities and security goals

Address side effects during recovery actions

Extend the tool when global observation is not possible

Integration work as part of SPaCiOS EU project

www.spacios.eu

* Demo on request, or visit: http://zvi.ipd.kit.edu/26_500.php


Model-Based Flaw Injection Library

Mutation operators represent vulnerabilities at model level

They combine a security property and a vulnerability


Assumptions and Limitations

Secure model must exist → If not, try to make use of model inference

Each abstract message must be mappable to WAAL actions

That means every abstract message must be expressed in terms of generating and/or verifying actions at browser level

That doesn’t imply that the action must be performed in the browser → see Recovery Actions

→ If not, WAAL actions can be bypassed and abstract message is directly mapped to protocol level messages (no guidance by SPaCiTE)

The model checker used considers the Dolev-Yao model for the intruder behavior

Intruder is the network (Every component must be wrapped by a Proxy to have global observation property)

No side effects during recovery actions

Deterministic system