Less Is More - USENIX

Transcription

Less is More: Quantifying the Security Benefits of Debloating Web Applications
Babak Amin Azad, Pierre Laperdrix, Nick Nikiforakis
Stony Brook University

What is software debloating?
“Reducing the attack surface by removing pieces of code that are not required by users.”

You’re vulnerable, but do you have to be?
Example: Web Cache Poisoning vulnerability on Drupal, involving the X-Original-URL and X-Rewrite-URL request headers.

Debloating Pipeline

Identifying important functionalities of an application
- Find tutorials for these applications
- Automate them using Selenium

Example of tasks covered by tutorials:
1. Login
2. Create a database
3. Create tables
4. Run queries
5. Drop database

What’s not covered by tutorials:
1. Some pages on the front of the application
2. Error handlers

Expanding the breadth of coverage
- Monkey Testing
- Spider
- Vulnerability Scanner

Files covered by each testing tool

File & Function level debloating
- Remove the contents of unused files/functions
- Use placeholders that:
  - Log information about execution of removed code
  - Stop the execution flow to prevent entering an unknown state

Results #1: Reduction of LLOC after debloating
File Debloating
- Average 33 % reduction
- WordPress: 9 %
- Magento: 65 % (400 KLLOC)
Function Debloating
- Average 47 % reduction (14 % more than file debloating)
- WordPress: 31 % (22 % more)
- Magento: 71 % (6 % more)

Results #2: Reduction of Cyclomatic Complexity
File Debloating
- Average 32.5 % reduction
- WordPress: 6 %
- Magento: 74.3 %
Function Debloating
- Average 50.3 % reduction (18 % more than file debloating)
- WordPress: 24 % (18 % more)
- Magento: 80.2 % (6 % more)

Coverage of CVEs based on Usage Profiles

Results #3: Reduction of CVEs

Application | Strategy            | Removed / Total CVEs | Removed
phpMyAdmin  | File Debloating     | 4/20                 | 20 %
phpMyAdmin  | Function Debloating | 12/20                | 60 %
MediaWiki   | File Debloating     | 8/21                 | 38 %
MediaWiki   | Function Debloating | 10/21                | 47.6 %
WordPress   | File Debloating     | 0/20                 | 0 %
WordPress   | Function Debloating | 2/20                 | 10 %
Magento     | File Debloating     | 1/8                  | 12.5 %
Magento     | Function Debloating | 3/8                  | 37.5 %

Types of vulnerabilities removed by debloating
- Crypto and cookie related vulnerabilities usually can’t be removed by debloating.
- CSRF vulnerabilities are only removed when the underlying feature is removed.
- Code execution vulnerabilities can either be removed or broken by removing the POI gadgets.

Effect of external dependencies on software bloat

                 | Before debloating              | After function-level debloating
Application      | LLOC main app | LLOC packages  | LLOC main app  | LLOC packages
phpMyAdmin 4.7.0 | 36k           | 82k            | 26k (-26.2 %)  | 10k (-88.3 %)
MediaWiki 1.28.0 | 133k          | 51k            | 54k (-58.8 %)  | 6k (-87.7 %)
Magento 2.0.5    | 396k          | 213k           | 182k (-54.2 %) | 34k (-84.0 %)

Statistics about removed external packages

                 | Before debloating | After function-level debloating
Application      | # packages        | # packages completely removed | # packages with 30 % of lines removed
phpMyAdmin 4.7.0 | 45                | 38 (84 %)                     | 4
MediaWiki 1.28.0 | 40                | 24 (60 %)                     | 12
Magento 2.0.5    | 71                | 58 (82 %)                     | 2

But if a package is never used, does it contribute to the attack surface?

PHP Object Injection (POI) attacks
- An unsafe object deserialization vulnerability is the target of this exploit.
- The attacker can control the values of properties on injected objects, but cannot control the execution of functions. (Also known as Property Oriented Programming, POP.)
- The chain is built from magic functions: __construct(), __toString(), __destruct(), __wakeup().
- The chain usually ends with a write to the file system or a database transaction.
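As an added example (not code from the paper or its artifacts) connecting the placeholder idea from the "File & Function level debloating" slide with the gadget chains described here: a toy PHP gadget class, the same class after function-level debloating, and PHP's allowed_classes option as a deserialization hardening that works independently of debloating. The class names and the placeholder function are hypothetical.

```php
<?php
// Added example, not from the paper's artifacts; class and function names are
// hypothetical. A toy deserialization gadget of the kind POI chains end in,
// the same class after function-level debloating, and a hardening option.

// Placeholder substituted for the body of a function coverage never executed:
// log that removed code was reached, then stop instead of continuing in an
// unknown state.
function debloat_placeholder(string $where): void
{
    error_log("[debloat] removed code reached: $where");
    exit(1);
}

// Gadget as shipped: flushes a buffer to a file when the object is destroyed.
// With object injection the attacker controls $path and $buffer, but not which
// method runs; __destruct fires on its own when the injected object is freed.
class FileLogger
{
    public string $path = '/tmp/app.log';
    public string $buffer = '';

    public function __destruct()
    {
        file_put_contents($this->path, $this->buffer, FILE_APPEND);
    }
}

// After debloating: the test suite never reached __destruct, so its body is
// replaced and the chain's final step becomes a logged, aborted request.
class FileLoggerDebloated
{
    public string $path = '/tmp/app.log';
    public string $buffer = '';

    public function __destruct()
    {
        debloat_placeholder(__METHOD__);
    }
}

// Constructed input: the serialized form of a FileLogger with default fields.
$payload = 'O:10:"FileLogger":2:{s:4:"path";s:12:"/tmp/app.log";s:6:"buffer";s:0:"";}';

// Mitigation available since PHP 7.0: refuse to instantiate any class during
// unserialize, so no gadget object (and no __wakeup/__destruct) is created.
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump($safe instanceof __PHP_Incomplete_Class);
```

With allowed_classes disabled the payload comes back as a __PHP_Incomplete_Class and no magic method runs; with the debloated class, any object that does get created logs and aborts instead of writing to the file system.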

Results #4: Reduction of object injection gadgets
Packages whose gadgets were removed by file- and function-level debloating:

Application      | Package
phpMyAdmin 4.7.0 | Doctrine, Guzzle, Monolog
MediaWiki 1.28.0 | Doctrine, Monolog
Magento 2.0.5    | Zendframework

Source code and the artifacts are publicly available
- Debloating pipeline to evaluate and debloat custom applications
- Debloated web applications
- Source code coverage information
- CVE to source code mappings & exploits
https://debloating.com

Conclusion
- Debloating can reduce web applications’ attack surface significantly:
  - Up to 71 % reduction in LLOC
  - Up to 60 % reduction in CVEs
  - Up to 100 % removal of POI gadgets
- Web vulnerabilities and their exploitation are different, so web debloating is different (targeting actual vulnerabilities rather than dead code)
- We also need to focus on usability and performance of debloating schemes
- Artifacts and debloated applications are available at: https://debloating.com