Detection and prevention of logic attacks against web applications through black-box analysis
The three-tier web architecture is becoming the de facto solution for delivering information and business services over the Internet. At the center of this architecture is the web application, which implements the business logic, accesses the information stored in the back-end database and interacts with users through the front-end web server. As web applications grow increasingly complex to support sophisticated business functionality, an emerging class of vulnerabilities, referred to as logic vulnerabilities (a.k.a. logic flaws), has attracted increasing attention in recent years. The attacks that target these vulnerabilities, referred to as logic attacks or state violation attacks, pose serious security threats. To date, very few works have been devoted to the study of logic vulnerabilities, and effective measures to mitigate logic attacks are yet to be developed. Most existing works target only one specific type of logic vulnerability, and are limited by the availability of application source code and by their applicability to specific development languages and platforms. The major challenge stems from the fact that application logic flaws and attacks are specific to the functionality of a particular web application, whose implementation usually comes without an explicit logic specification. In this dissertation, we aim to address logic attacks against web applications in an automated, general and black-box way (i.e., without requiring the application source code). We present several techniques for automatically deriving the application logic specification by observing and extracting patterns from the interactions between the application and its users, as well as between the application and the database. We then leverage the inferred logic specification both for runtime detection of logic attacks (i.e., the defensive approach) and for discovery of logic vulnerabilities within web applications (i.e., the preventive approach).
The defensive approach can be used to protect potentially vulnerable web applications that cannot be taken offline for vulnerability analysis, while the preventive approach can help developers identify and fix logic flaws in their application implementations so that they are immune to logic attacks. We implemented two prototype systems -- BLOCK and SENTINAL -- based on our defensive techniques, and three prototype systems -- LogicScope, EXPELLER and BATMAN -- based on our preventive techniques. These prototype systems have different features and focuses. We evaluate them over a set of real-world open-source web applications. The experimental results demonstrate the effectiveness of our techniques and prototype systems.
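As an added illustration (not the dissertation's own code) of the idea described above: a logic specification is inferred black-box from benign user interactions, here as per-request invariants over the session state observed before each request, and is then used at runtime to flag requests whose session state violates the learned invariants. The request paths, session keys and traces below are constructed for the example.

```python
from collections import defaultdict

# Constructed benign traces: (request path, session state observed before it).
BENIGN_TRACES = [
    ("/login", {}),
    ("/cart/add", {"user": "alice"}),
    ("/checkout", {"user": "alice", "cart_items": 2}),
    ("/login", {}),
    ("/cart/add", {"user": "bob"}),
    ("/checkout", {"user": "bob", "cart_items": 1}),
    ("/admin/panel", {"user": "carol", "role": "admin"}),
    ("/admin/panel", {"user": "dave", "role": "admin"}),
]

def learn_invariants(traces):
    """Per request path, infer which session keys were always present and,
    for those, a value constraint: a constant, or a lower bound for numbers."""
    by_path = defaultdict(list)
    for path, session in traces:
        by_path[path].append(session)
    spec = {}
    for path, sessions in by_path.items():
        always = set.intersection(*(set(s) for s in sessions))
        rules = {}
        for key in always:
            values = [s[key] for s in sessions]
            if len(set(values)) == 1:
                rules[key] = ("eq", values[0])          # key always held one value
            elif all(isinstance(v, (int, float)) for v in values):
                rules[key] = ("min", min(values))       # numeric lower bound
            else:
                rules[key] = ("present", None)          # only presence is required
        spec[path] = rules
    return spec

def check_request(spec, path, session):
    """Return the invariants a request breaks; an empty list means it conforms."""
    if path not in spec:
        return ["no specification learned for this request"]
    broken = []
    for key, (kind, bound) in spec[path].items():
        if key not in session:
            broken.append(f"{key} missing")
        elif kind == "eq" and session[key] != bound:
            broken.append(f"{key}={session[key]!r}, expected {bound!r}")
        elif kind == "min" and session[key] < bound:
            broken.append(f"{key}={session[key]!r}, below observed minimum {bound!r}")
    return broken
```

A checkout reached with an empty cart, or an admin page reached without the admin role, is reported as a state violation even though the request itself is well-formed.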