Assistance au développement et au test d’applications sécurisées

Soutenance de thèse

Présentée par : Loukmen REGAINIA

12 Juin 2018

Sous la direction de :

Pr. Sébastien SALVA
Dr. Cédric BOUHOURS

Implementing secure software
- expertise, knowledge, time consuming
Software security is essential and should be considered as early as possible
Developers are provided with a plethora of documents:

Vulnerabilities, Attacks, Weaknesses, etc
Security Principles and best practices
Security Patterns

Introduction

Weakness
Vulnerability
Attack
Threat
Security Principle

Introduction

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2018-8045 (Joomla 3.5.0 - 3.8.5)

CAPEC-66: SQL Injection

In depth defense

Relying on user input

Security patterns

A pattern is a generic solution to a recurrent problem

Security patterns

A pattern is a generic solution to a recurrent problem

security

SP := (C,P,S)

Security patterns

Context

Problem

Solution

Schumacher et al. 2001

Security patterns

A pattern is generic

Must be integrated

Difficult and error prone task

Security patterns

Pattern

Application model

Pattern Integration

Security patterns

A security pattern is not an island M. Schumacher et al.

K.Yskout et al.

Contributions

Measure Security Pattern integration quality
Measure Security Pattern effectiveness against vulnerabilities
Knowledge Base design and fulfillment
Security Pattern classifications
Security and Pattern testing

Security Pattern integration
Security Pattern classification
Security and Pattern testing
Conclusions and Perspectives

Outline

1 :Security Pattern integration

Introduction

Where:

M the UML model of the application
V = {V1,..,Vn} a set of Vulnerabilities
SP = {Sp1,..,Spk} a set of Security Patterns
Pvi , Pspj sets of Vulnerability i, and Security Pattern j LTL (Linear Temporal Logic) generic properties

Wants to protect

Against

Using

Dev

Big picture

1. SP choice

2.SP integration

3.structural

4.behavioral

5.Measure the Integration quality

6.M still vulnerable

Vulnerability coefficient

c_s(Sp)

c_b(Sp)

q(Sp)

c_v(v)

Vulnerabilities V

2. Pattern integration (Structural)

2. Pattern integration (Behavioral)

3. Structural integration quality

With the Disclosure Coefficient of the Pattern i

0\leq Cs(sp_i)\leq 1

Cs(InterceptingValidator) = 1

4. Behavioral integration quality

4. Linear Temporal Logic (LTL)

Generic :

Instantiated :

4. Behavioral integration quality

0 \leq c_b(Sp_i) = \sum_{p\in P_b(Sp_i)} mc(p).w_{p}\leq1

where:

mc(p)=1~if ~M \vDash p~and ~mc(p)=0~ otherwise

w_{p}\in \mathbb{R}_0^+ ~ and ~\sum_{p \in P_b(Sp_i)} w_{p} = 1

K. Yoon 1995

Simple Additive Weighting

5. Overall integration quality

0\leq q(Sp_i)=\dfrac{(C_s(Sp_i)+C_b(Sp_i))}{2}\leq1

0\leq Q=\sum_{Sp_i \in SP} q(Sp_i).w_{Sp_i}\leq1

A Pattern Sp

The set SP

w_{Sp_i}\in \mathbb{R}_0^+ ~ and ~\sum_{Sp_i\in SP}~ w_{Sp_i} = 1

where

6. Pattern effectiveness

0\leq c_v(v_i) = \dfrac{\sum_{p\in P_{v_i}} Sat(p)}{card(P_{v_i})} \leq 1

Overall vulnerability coefficient

We check whether M is still vulnerable

Chapter Conclusions

Open issues :

A Pattern cannot be the silver bullet against a vulnerability
Need to use other patterns Difficult to choose patterns

Wants to protect

Against

Using

Dev

Published in :

CIEL 2015
Softeng 2016
TSI 2016

2 : Security Pattern classification

Open problems

Many Security Patterns difficult choice
One Security Pattern cannot protect an application
Directly associating a Pattern and an Attack or a Weakness is awkward
Security Patterns are inter-related

Big Picture

3 Security Patterns classifications WRT:

Weaknesses
Attacks and Weaknesses
Attack steps and techniques

Classification Meta-model

Objective : Classify patterns w.r.t weaknesses

Classification Extraction

Security Activity Graphs generation

Weakness

Principle

Pattern

Split

S.Ardi et al. 2006

Classification Meta-model

Objective : Classify patterns w.r.t Attack steps and techniques

Classification Extraction

Attack Defense Trees

An ADTree can be expressed with :

\wedge^{o/p} ~~~~ Conjunction

\vee^{o/p}~~~~Disjunction

\vec{\wedge}^{o/p}~~~Sequential~Conjunction~(SAND)

c^{o/p}~~~Countermeasures

Opponent "o"

Proponent"p"

Algebra (ADTerms):

Graphical:

B.Kordy et al. 2014

ADTree generation

Chapter Conclusions

We presented :

Data Integration methods
3 classifications comply with
- Navigability
- Unambiguity
- Usefulness
Automatic generation of :
- Security Activity Graphs
- Attack Defense Trees

Perspectives:

Generate tests from ADTrees to test attacks and security patterns

Knowledge base

Published in :

AICSSA 2016
ICISSP 2017
CRISIS 2017
RSIS 2018

3 : Security and Pattern testing

We propose:

Pragmatic approach to guide developers in choosing security solutions and writing concrete test cases for :
- Checking whether the application is vulnerable
- Checking whether pattern observable consequences are absent

Writing concrete security tests is long and difficult
Testing security patterns (Generic) is difficult

Open Problems

Meta-model

Method steps

Initial ADTree

ADTree for each CAPEC attack

step 1

step 2

step 3-4

Final ADTree

Test Suite (Stubs)

step 5

Test Suite (Completed)

Application Under Test

Test Verdicts

step 6

step 7

Step 1: Initial ADTree T

CAPEC-66: SQL Injection
CAPEC-244: XSS Targeting URI Placeholders

Step 2: ADTree Generation

The form of the tree depends on the Knowledge base

Step 3-4: Final ADTree

Basic Attack Defence Step (BADStep)

T_f

c^p(st,sp)

Step 5: Test Suite Generation

SC(T_f),~ is~ the~ set~ of ~clauses~ of~ the~ disjunctive

Let ~\iota(T_f)~ be ~the ~ADTerm~ of ~T_f

The ~set ~of ~attack ~scenarios ~of~ T_f,~ denoted

normal~form ~of ~\iota(T_f)~over ~BADStep(T_f) ~

TS = \{ TC(b) | b= c^p(st,sp) \in BADstep(s) ~and~ s \in SC(T_f)\}

Attack Scenario

Test Suite

Step 6: Test Suite Completion

Given

When

Then

Procedure

Completed using pentesting tools

A procedure is generic if reusable in a context

Step 7: Test Suite Execution

Let:

Local test verdicts

-b=c^p(st,SP) \in BADStep(T_f)

-F = P(\{Fail_{sp_i}|sp_i\in SP\}\backslash \phi

-TC(b)\in TS

Verdict(TC(b) \vert \vert AUT) =

-VUL = \{Pass_{st}\}

-VUL/VIOLATE = \{Pass_{st}\} \times F

-NVUL = \{Fail_{st}\}

-NVUL/VIOLATE = \{Fail_{st}\} \times F

Step 7: Test Suite Execution

Final test verdicts

s \in SC(T_f)~a~test~scenario, ~BADStep(s) = \{ b_1,..., b_n\}

-Vulnerable(b_i)= true~if~Verdict (TC(b_i)||AUT) \in \{VUL, VUL/VIOLATE\}

-\sigma : BADStep(s) \rightarrow \{true, false\}~a ~substitution~\{b_1 \rightarrow (Vulnerable(b_1),...,

Vulnerable(b_i)= false~otherwise

b_n \rightarrow ~Vulnerable(b_n)\}

-Vulnerable(T_f) = true ~~ if ~ \exists~ s ~\in SC(T_f) : eval~(s\sigma) ~ returns ~true

Vulnerable(T_f) = false ~otherwise

-Unsat^c(SP(T_f)) = true ~ if ~ \exists ~b ~\in BADStep(T_f),~ Verdict (TC(b)||AUT) \in \{VUL

/VIOLATE, NVUL/VIOLATE\}; Unsat^c(SP(T_f)) = false~ otherwise.

Method Evaluation

24 participants to evaluate :
- Comprehensibility
- Accuracy
- Efficiency
Security pattern choice w.r.t :
- SQL Injection
- Cross site scripting
Writing test cases

Part 1 (1h30):

Basic documents

Part 2(1h30):

Basic documents
ADTrees
GWT test cases

Method Evaluation

Comprehensibility	Part 1	Part 2
Pattern choice	00.0%	33%
Understanding Attacks	41.7%	87.5%
Understanding Patterns	37.5%	87.5%
Writing test cases	33.3%	58.3%

Method Evaluation

Accuracy	Part 1	Part 2
Pattern choice (correct)	00.0%	62.5%
Writing test cases (correct)	0.1%	78.1%

Method Evaluation

Efficiency	Part 1	Part 2
Pattern choice	32 m	14 m
Writing test cases	46 m	60 m

Chapter conclusions

We proposed :

Knowledge base for test case generation
Test case generation and execution
- Check vulnerability
- Check observable pattern consequences
Evaluation with 24 participants

Issues :