-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathindex.html
More file actions
305 lines (289 loc) · 19.9 KB
/
index.html
File metadata and controls
305 lines (289 loc) · 19.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<title>< is > : Quantifying the Security Benefits of Debloating Web Applications</title>
<!-- Bootstrap core CSS -->
<link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.8.1/css/all.css" integrity="sha384-50oBUHEmvpQ+1lW4y57PTFmhCaXp0ML5d60M1M7uH2+nqUivzIebhndOJK28anvf" crossorigin="anonymous">
<link href="vendor/custom.css" rel="stylesheet">
<link rel="stylesheet" href="vendor/highlightjs/styles/default.css">
<link href="https://fonts.googleapis.com/css?family=Varela+Round" rel="stylesheet">
</head>
<body>
<!-- Navigation -->
<nav class="navbar navbar-expand-sm navbar-dark bg-dark static-top">
<div class="container">
<a class="navbar-brand" href="./" data-toggle="tooltip" data-placement="bottom" title="Less is More">< is ></a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarResponsive" aria-controls="navbarResponsive" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarResponsive">
<ul class="navbar-nav ml-auto">
<li class="nav-item active">
<a class="nav-link" href="#introduction">Introduction
<span class="sr-only">(current)</span>
</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#architecture">Architecture</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#sourcecode">Source Code</a>
</li>
<li class="nav-item">
<a class="nav-link" href="walkthrough.html">Walkthrough</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#about">About</a>
</li>
<li class="nav-item">
<a class="nav-link" href="#FAQ">FAQ</a>
</li>
</ul>
</div>
</div>
</nav>
<!-- Page Content -->
<div class="container">
<div class="row">
<div class="col-lg-12 text-center">
<h1 class="mt-5 logo" data-toggle="tooltip" data-placement="top" title="Less is More">< is ></h1>
<p class="lead">Quantifying the Security Benefits of Debloating Web Applications</p>
</div>
</div>
<!-- Introduction -->
<div class="row">
<div class="col-lg-12 text-center">
<hr />
</div>
<div class="col-lg-12">
<a class="anchor" name="introduction"></a>
<h4 class="mt-1"><i class="fas fa-info"></i> Introduction</h1>
<p>The main idea of software debloating is to reduce software's attack surface by removing pieces of code that are not required by users. In this study, we analyze four popular PHP applications (phpMyAdmin, MediaWiki, Magento and WordPress) and show that a reduction of up to 71% in Logical Lines of Code, up to 60% in historic CVEs and up to 100% in Object Injection Gadgets is possible. Essentially, by removing unused functionality and libraries from the application we can significantly reduce the attack surface.</p>
<p><i class="fas fa-file-pdf"></i> The paper is available at <a href="https://www.securitee.org/files/debloating_usec2019.pdf">https://www.securitee.org/files/debloating_usec2019.pdf</a></p>
<p>
<h6 class="mt-1"><i class="fas fa-file-powerpoint"></i> Slides</h1>
<ul>
<li>
<a href="https://www.usenix.org/sites/default/files/conference/protected-files/sec19_slides_azad.pdf">Usenix Security 2019</a>
</li>
<li>
<a href="./OWASP_DC_Debloating_Public.pdf">OWASP Appsec DC 2019</a>
</li>
</ul>
</p>
<p>
<h6 class="mt-1"><i class="fas fa-video"></i> Videos</h1>
<ul>
<li>
<a href="https://www.youtube.com/watch?v=EbKpD0bj89A">Usenix Security 2019 Talk</a>
</li>
<li>
<a href="https://primetime.bluejeans.com/a2m/events/playback/3de88bdb-3c08-46d3-a6b0-7ce54e475662">Georgia Tech Cyber Security Series</a>
</li>
</ul>
</p>
</div>
</div>
<!-- Architecture -->
<div class="row">
<div class="col-lg-12 text-center">
<hr />
</div>
<div class="col-lg-12">
<a class="anchor" name="architecture"></a>
<h4 class="mt-1"><i class="fas fa-layer-group"></i> Architecture</h1>
<p>
This system is comprised of three docker images:<br />
<ul>
<li>
<b>"web"</b> container hosts the web applications. It runs Apache with PHP 5.6 (To support older version of applications for our study) and uses XDebug to record code coverage information. Web container is accessible at http://localhost:8085 by default.
</li>
<li>
<b>"db"</b> includes the main database (code_coverage) with CVE mappings and coverage information along with database files required to run desired web applications.
</li>
<li>
<b>"admin"</b> container hosts the administation panel and debloating logic. Adding new software, mapping new CVEs and viewing which vulnerable lines within the application were triggered during the usage of the application are possible. Moreover, you can remove unused files and functions using this panel after executing desired functionality of the application and recording its code coverage. Web and Admin map to the same volume and access the same web applications. Admin panel is accessible at http://localhost:8086/admin.
</li>
</ul>
</p>
<p>
<h5><i class="fas fa-code-branch"></i> Extending the framework</h5>
<b>- Admin Panel:</b> The admin panel that contains the debloating logic and reporting UI is hosted under <span class="path">web/admin</span> directory.
<br />
<b>- Database Schema:</b> The schema of the database along with CVE mappings for the four web applications is located at <span class="path">database/Schema/db_template_with_vulns_pma_mwk_mgt_wordpress.sql</span>.
<br />
<b>- Recording Code Coverage:</b> PHP auto_prepend is used to record code coverage of PHP files. The file that is injected in all PHP files handles the code coverage life cycle and records the information in the database is accessible at <span class="path">codecoverage/start_xdebug.php</span>
<br />
<b>- Parsing PHP Files:</b> We use <a target="_blank" href="https://github.com/nikic/PHP-Parser">PHP-Parser</a> to parse and rewrite PHP files.
<br />
<b>- File Debloating:</b> File debloating is implemented under <span class="path">web/admin/application/controllers/Software_file.php:debloat_files($id)</span>. We match each file with the list of covered files in the database and remove those which were never executed.
<br />
<b>- Function Debloating:</b> Function level debloating uses a compiler pass implemented inside DebloatFunctionVisitor class within <span class="path">web/admin/application/controllers/Software_file.php</span>. debloat_functions($fk_software_files_description) function is responsible for this action. For each function, we check if any of the executable lines within that function were executed during the tests. If no line within a function is executed, then we remove the function and replace it with the place holder.
<br />
<b>- Calls To Removed Files/Functions:</b> We use a place holder to fill removed files and functions to stop further execution of the PHP code within the path that includes a removed functionality. This stops the application from entering the states that were not anticipated by developers. This place holder can be modified within Software_file.php. It currently shows an HTML error message to the user with the actual file or function that was removed and logs this event in the error_log of Apache.
</p>
</div>
</div>
<!-- Source Code -->
<div class="row">
<div class="col-lg-12 text-center">
<hr />
</div>
<div class="col-lg-12">
<a class="anchor" name="sourcecode"></a>
<h4 class="mt-1"><i class="fas fa-code"></i> Source Code</h1>
<p>
<b>Mapping of vulnerabilities to source code: </b>You can separately download the mapping of vulnerabilities to source code of applications. To ensure that the mappings point to the correct lines, use the specific version of applications that we used (Links are available below).
<br />
<i class="fas fa-link"></i> Mapped CVEs to vulnerable files and lines <a href="cve_to_line_mapping.csv">(CSV file)</a>.
<br />
<i class="fas fa-link"></i> Mapped CVEs to vulnerable functions <a href="cve_to_function_mapping.csv">(CSV file)</a>.
</p>
<p><b>Pre-configured applications: </b>Four pre-configured docker images that host versions of web applications used in our study along with File and Function level debloated versions are accessible below:</p>
<ul class="dashed">
<li>
phpMyAdmin Docker images: <a target="_blank" href="https://drive.google.com/open?id=13FRRJ2JyCISaFPg_AKnVGMHSW1ANuVIW"><i class="fas fa-download pad-l-5"></i> Download</a> (includes phpMyAdmin 4.0.0, 4.4.0, 4.6.0, 4.7.0)
</li>
<li>
MediaWiki Docker images: <a target="_blank" href="https://drive.google.com/open?id=1wTu7sYQzOXxztVmMPpx9y-oSsUgy2YrK"><i class="fas fa-download pad-l-5"></i> Download</a> (includes MediaWiki 1.19.1, 1.21.1, 1.23.0, 1.24.0, 1.28.0)
</li>
<li>
Magento Docker images: <a target="_blank" href="https://drive.google.com/open?id=1ianawSu_liqj61zwkrO5W1VPm_ZeOQ3q"><i class="fas fa-download pad-l-5"></i> Download</a> (includes Magento 1.9.0, 2.0.5)
</li>
<li>
WordPress Docker images: <a target="_blank" href="https://drive.google.com/open?id=1uabcZ6ImodRhl0iJDIp6CSteBtAZUFVr"><i class="fas fa-download pad-l-5"></i> Download</a> (includes WordPress 3.9, 4.0, 4.2.3, 4.6, 4.7, 4.7.1)
</li>
</ul>
<p>Current web application configuration expects each web application to reside in the "web" directory itself. To test file and function level debloated variants, simply move their directories up from file_debloating or function_debloating directories to web.
<br /><i class="fas fa-link"></i> The source code is hosted on Github at <a target="_blank" href="https://github.com/silverfoxy/PHPDebloating">https://github.com/silverfoxy/PHPDebloating</a>.
<br />* docker and docker-compose packages are required to run this code.
</p>
<p><b>Running the container: </b>In order to build and run docker containers, after downloading your desired template, navigate to its root directory and run:
<pre><code class="bash">docker-compose up</code></pre>
you can access the web applications at http://localhost:8085 and reports at http://localhost:8086/admin.
</p>
<p><b>Running the usage profiles: </b>
In the paper, we mention Tutorials mapped through Selenium scripts. Monkey tests based on Gremlinsjs. Spider and Scanner from BurpSuite.
<ul class="dashed">
<li>
<b>Tutorials (Selenium scripts):</b> The scripts are located under <span class="path">Tests/Selenium-Tests/application_name</span>. It requires Chrome and Firefox (only for Magento 2.0.5 tests) along with the webdrivers and selenium to run. Most of the tests will execute successfully regardless of the platform.
<br />* Magento 2.0.5 tests are stable only on Ubuntu and may sometimes fail to click certain buttons on Windows or Mac.
</li>
<li>
<b>Monkey tests:</b> The scripts are located under <span class="path">Tests/GremlinsJS/application_name.js</span>. Install <a target="_blank" href="https://tampermonkey.net/">Tampermonkey</a> extension on Chrome and import javascript files. Navigate to the target application and enable the script from Tampermonkey. To limit their execution time we used Tab sleep timer extension. We run separate tests for admin/registered/unregistered users.
</li>
<li>
<b>Spider:</b> <a target="_blank" href="https://portswigger.net/burp/communitydownload">BurpSuite Community Edition</a> was used in our study. Point the spider to the home page of the application and give it the credentials to login.
</li>
<li>
<b>Vulnerability Scanner:</b> The scanner module from <a target="_blank" href="https://portswigger.net/requestfreetrial/pro">BurpSuite Pro</a> was used for this part.
</li>
</ul>
</p>
<p><b>Debloating a new web application:</b> To add a new web application, follow these steps:
<ol>
<li>
Move your web application files to "web" directory and make sure <span class="path">Dockerfiles/web/Dockerfile</span> installs the required dependencies and prepares the web server.
</li>
<li>
By placing the database backup sql file under <span class="path">Dockerfiles/db/entrypoint/</span> the database will be restored upon building the image. ِYour web application can access the database container at "db".
</li>
<li>
Under administration panel, add your web application directory to the database. Update destructors and exit calls to comply to our structure under Debloating menu by adding your web application files to the database.
</li>
<li>
Generate usage traffic that represents how users interact with the application to record code coverage.
</li>
<li>
Map any known vulnerabilities to your application if you want to measure the effectiveness of debloating in terms of removed vulnerabilities.
</li>
<li>
Under administration panel in Debloating page, choose your desired debloating granularity (File or Function level). Next, the application will be debloated and you will see a report on which files/functions were removed.
<br />* Make sure you maintain a separate copy of your original application as debloating will remove certain parts of your application.
</li>
</ol>
</p>
<p>
<a class="anchor" name="cookies"></a>
<b>Mapping web applications to versions in the database:</b> The debloating engine needs to know which version of web applications is being used, you can either use cookies or environment variables to pass this information to the back end.
</p>
<b>- Cookie:</b> By setting the following cookies, the backend knows which application is being tested.
<ul>
<li>test_group: name of test category (e.g. "pma470_tutorials")</li>
<li>test_name: name of specific test (e.g. "drop database")</li>
<li>software_id: from code_coverage database (e.g. "1" for phpMyAdmin)</li>
<li>software_version_id: from code_coverage database (e.g. "1" for phpMyAdmin 4.0.0)</li>
</ul>
<b>- Environment Variables:</b> These values can be set within .htaccess in root directory of each web application. Values from cookies will override this setting. This method is specially useful where it is not possible to manually set cookies within the testing software for example the spider or scanner.
<ul>
<li>SetEnv lim_test_group "mgt205_scanner"</li>
<li>SetEnv lim_test_name "mgt205_scanner"</li>
<li>SetEnv lim_software_id "3"</li>
<li>SetEnv lim_software_version_id "11"</li>
</ul>
<b>Temporarily Disabling Code Coverage Recording:</b> Sometimes we need to stop code coverage reporting. To do that, stop PHP from prepending the code coverage logic to all PHP files by adding the following code to .htaccess.
<br />
<ul>
<li>php_value auto_prepend_file none</li>
</ul>
</div>
</div>
<!-- About -->
<div class="row">
<div class="col-lg-12 text-center">
<hr />
</div>
<div class="col-lg-12">
<a class="anchor" name="about"></a>
<h4 class="mt-1"><i class="fas fa-users"></i> About</h1>
<p>We are a team of security researchers at PragSec Lab, Stony Brook University (<a target="_blank" href="https://securitee.org">https://securitee.org</a>).<br />For any queries or questions contact Babak Amin Azad at <a href="mailto:baminazad@cs.stonybrook.edu">baminazad@cs.stonybrook.edu</a></p>
</div>
</div>
<!-- FAQ -->
<div class="row">
<div class="col-lg-12 text-center">
<hr />
</div>
<div class="col-lg-12">
<a class="anchor" name="FAQ"></a>
<h4 class="mt-1"><i class="fas fa-question"></i> FAQ</h1>
<p>
<b>- What does a debloated application look like in action?</b><br />
Unless you trigger a removed part of the application, everything else looks identical. And a custom error message is displayed if a removed feature is executed. Here's a video of an exploit attempt on CVE-2016-4010 failing on debloated version of Magento 2.0.5. This attempt fails because the gadget chain relies on Credis_client class (redis client for Magento) being present which is removed after debloating.
</p>
<div class="row">
<div class="col-lg-2"></div>
<div class="col-lg-8 embed-responsive embed-responsive-16by9" style="margin-bottom: 25px">
<video controls>
<source type="video/mp4" src="https://github.com/pragseclab/debloating.github.io/raw/master/demo.mp4">
</video>
</div>
</div>
<p>
<b>- How are Object Injection Gadgets extracted?</b><br />
Our current study is based on known gadget chains from popular PHP packages reported at <a target="_blank" href="https://github.com/ambionics/phpggc">PHPGGC library</a>. After we debloat the web applications, we checked if these gadgets (the whole file or the magic functions) are removed or not.
</p>
<p>
<b>- Can I run this software in a production environment?</b><br />
XDebug, the PHP extension that is used to record line level code coverage hooks into Zend engine and has a noticeable overhead. In our setup, based on the four applications we tested, the page load time was increased 2-4 times. As such, this overhead may be unacceptable based on your setup. One solution is to record the coverage on a subset of users by load balancing. Another solution is to use record-and-replay proxies to record real traffic to the application and replay them offline.<br />
A third solution is to optimize XDebug's code coverage engine and make it more efficient for our need. Currently it overloads over 47 op codes. As only detecting the coverage of files or functions is enough for our architecture, we can extend this module or use in-house implementations that decorate functions with code that records the coverage and achieve an acceptable overhead.
</p>
</div>
</div>
<!-- Bootstrap core JavaScript -->
<script src="vendor/jquery/jquery.min.js"></script>
<script src="vendor/bootstrap/js/bootstrap.bundle.min.js"></script>
<script src="vendor/highlightjs/highlight.pack.js"></script>
<script>
$(document).ready(function(){
hljs.initHighlightingOnLoad();
$('[data-toggle="tooltip"]').tooltip();
});
</script>
</body>
</html>