Efficient Patch-based Auditing for Web Application Vulnerabilities

POIROT is a system that, given a patch for a newly discovered security vulnerability in a web application, helps administrators detect past intrusions that exploited the vulnerability. POIROT records all requests to the server during normal operation and, given a patch, re-executes those requests using both the patched and the unpatched software, reporting to the administrator any request that executes differently in the two cases. The key challenge with this approach is the cost of re-executing all requests, and POIROT introduces several techniques to reduce the time required to audit past requests, including filtering out requests whose recorded control flow never reached the patched code and memoizing intermediate results across different requests. A prototype of POIROT for PHP accurately detects attacks on older versions of MediaWiki and HotCRP, given subsequently released patches. POIROT's techniques allow it to audit past requests 12-51× faster than the time it took to originally execute the same requests, for patches to code executed by every request, under a realistic MediaWiki workload.
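The workflow described above (record during normal operation, then on a patch re-execute with both code versions and report divergences) can be illustrated with a small Python model. This is an added example and not the POIROT PHP prototype: the two-handler "web app", the request log, the escaping bug in `render_title` and the patch that fixes it are all constructed for illustration. The patch is modelled as replacing whole function bodies, which is what makes the control-flow filter in `audit` safe here; memoization is keyed by the function object, so an unchanged pure helper shares cached results across requests and across the patched and unpatched runs, while a patched helper never reuses stale entries.

```python
"""Toy model of patch-based auditing (added example, not POIROT's own code).

Constructed: a two-handler "web app", a log of five requests, and a patch
that replaces the body of one function."""
import html


class Memo:
    """Cache for pure helpers keyed by (function object, args). An unchanged
    helper shares results across requests and across code versions; a
    patched helper is a different object and so gets fresh entries."""

    def __init__(self):
        self.table = {}
        self.hits = 0
        self.misses = 0


class App:
    def __init__(self, funcs, memo):
        self.funcs = funcs    # name -> callable; a patch swaps entries
        self.memo = memo
        self.trace = []       # function names executed by this request

    def call(self, name, *args):
        self.trace.append(name)
        return self.funcs[name](self, *args)

    def call_pure(self, name, *args):
        fn = self.funcs[name]
        key = (fn, args)
        self.trace.append(name)
        if key in self.memo.table:
            self.memo.hits += 1
            return self.memo.table[key]
        self.memo.misses += 1
        result = fn(self, *args)
        self.memo.table[key] = result
        return result


# ---- the constructed application: two handlers, one helper, one bug ----
def parse_title(app, raw):
    return raw.strip().replace("_", " ")        # pure; stands in for costly work

def render_title_unpatched(app, title):
    return "<h1>" + title + "</h1>"             # constructed bug: no escaping

def render_title_patched(app, title):
    return "<h1>" + html.escape(title) + "</h1>"

def view_page(app, params):
    title = app.call_pure("parse_title", params["title"])
    return app.call("render_title", title)

def login(app, params):
    return "ok" if params.get("user") else "fail"

UNPATCHED = {"parse_title": parse_title, "render_title": render_title_unpatched,
             "view_page": view_page, "login": login}
PATCHED = dict(UNPATCHED, render_title=render_title_patched)   # the patch


def execute(funcs, handler, params, memo):
    app = App(funcs, memo)
    return app.call(handler, params), app.trace


def record(requests, funcs):
    """Normal operation: run each request and log it with its output and
    the functions it executed (its control flow)."""
    memo, log = Memo(), []
    for handler, params in requests:
        out, trace = execute(funcs, handler, params, memo)
        log.append((handler, params, out, trace))
    return log


def audit(log, unpatched, patched):
    """Re-execute only logged requests whose recorded control flow reached
    a changed function, under both versions, and flag output differences."""
    changed = {n for n, fn in patched.items() if unpatched.get(n) is not fn}
    memo = Memo()
    flagged, reexecuted, skipped = [], 0, 0
    for i, (handler, params, _out, trace) in enumerate(log):
        if not changed & set(trace):
            skipped += 1          # never ran patched code: cannot differ
            continue
        reexecuted += 1
        old, _ = execute(unpatched, handler, params, memo)
        new, _ = execute(patched, handler, params, memo)
        if old != new:
            flagged.append(i)
    return {"flagged": flagged, "reexecuted": reexecuted, "skipped": skipped,
            "memo_hits": memo.hits, "memo_misses": memo.misses}


REQUESTS = [  # constructed request log; index 2 is the attack
    ("view_page", {"title": "Main_Page"}),
    ("login", {"user": "alice"}),
    ("view_page", {"title": "<script>alert(1)</script>"}),
    ("view_page", {"title": "Main_Page"}),
    ("login", {}),
]


def run_demo():
    return audit(record(REQUESTS, UNPATCHED), UNPATCHED, PATCHED)


if __name__ == "__main__":
    print(run_demo())
```

Running the demo flags only the request carrying the script tag, re-executes the three `view_page` requests, skips the two `login` requests outright, and serves four of the six `parse_title` calls during the audit from the memo table. Two caveats carry over to a real deployment: the control-flow filter is only safe when a request that never executed the patched code cannot behave differently after the patch (true here because the patch changes function bodies only), and a flagged request is a divergence, not proof of an attack, since a patch that also changes benign output will flag benign requests, which is why the result goes to an administrator for review.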
