Chainsaw: Chained Automated Workflow-based Exploit Generation

Published: 24 October 2016 Publication History

Abstract

We tackle the problem of automated exploit generation for web applications. We present an approach that significantly improves the state of the art in web injection vulnerability identification and exploit generation. Our exploit generation approach addresses the challenges posed by typical web application characteristics: their multi-module nature, interposed user input, and multi-tier architectures with a database backend. It builds precise models of application workflows, database schemas, and native functions to achieve high-quality exploit generation. We implemented our approach in a tool called Chainsaw. Chainsaw was used to analyze 9 open source applications and generated over 199 first- and second-order injection exploits combined, significantly outperforming several related approaches.



      Published In

      CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
      October 2016
      1924 pages
      ISBN:9781450341394
      DOI:10.1145/2976749

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. exploit generation
      2. injection vulnerabilities
      3. web security

      Qualifiers

      • Research-article

      Conference

      CCS'16

      Acceptance Rates

      CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Cited By

      • (2024) sqlFuzz: Directed Fuzzing for SQL Injection Vulnerability. Electronics 13(15):2946. DOI: 10.3390/electronics13152946. Online publication date: 26 Jul 2024.
      • (2024) KernJC: Automated Vulnerable Environment Generation for Linux Kernel Vulnerabilities. Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, pages 384-402. DOI: 10.1145/3678890.3678891. Online publication date: 30 Sep 2024.
      • (2024) What All the PHUZZ Is About: A Coverage-guided Fuzzer for Finding Vulnerabilities in PHP Web Applications. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pages 1523-1538. DOI: 10.1145/3634737.3661137. Online publication date: 1 Jul 2024.
      • (2023) VulPathsFinder: A Static Method for Finding Vulnerable Paths in PHP Applications Based on CPG. Applied Sciences 13(16):9240. DOI: 10.3390/app13169240. Online publication date: 14 Aug 2023.
      • (2023) Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages. IEEE Transactions on Reliability 72(4):1324-1339. DOI: 10.1109/TR.2023.3286301. Online publication date: Dec 2023.
      • (2023) Vulnerability Correlation, Multi-step Attack and Exploit Chain in Breach and Attack Simulation. 2023 IEEE 12th International Conference on Cloud Networking (CloudNet), pages 398-402. DOI: 10.1109/CloudNet59005.2023.10490046. Online publication date: 1 Nov 2023.
      • (2023) An Enhanced Static Taint Analysis Approach to Detect Input Validation Vulnerability. Journal of King Saud University - Computer and Information Sciences 35(2):682-701. DOI: 10.1016/j.jksuci.2023.01.009. Online publication date: Feb 2023.
      • (2022) Precise (Un)Affected Version Analysis for Web Vulnerabilities. Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, pages 1-13. DOI: 10.1145/3551349.3556933. Online publication date: 10 Oct 2022.
      • (2022) TChecker. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pages 2175-2188. DOI: 10.1145/3548606.3559391. Online publication date: 7 Nov 2022.
      • (2022) HiddenCPG: Large-Scale Vulnerable Clone Detection Using Subgraph Isomorphism of Code Property Graphs. Proceedings of the ACM Web Conference 2022, pages 755-766. DOI: 10.1145/3485447.3512235. Online publication date: 25 Apr 2022.