Security Applications of Formal Language Theory

We present a formal language theory approach to improving the security aspects of protocol design and message-based interactions in complex composed systems. We argue that these aspects are responsible for a large share of modern computing systems' insecurity. We show how our approach leads to advances in input validation, security modeling, attack surface reduction, and ultimately, software design and programming methodology. We cite examples based on real-world security flaws in common protocols, representing different classes of protocol complexity. We also introduce a formalization of an exploit development technique, the parse tree differential attack, made possible by our conception of the role of formal grammars in security. We also discuss the negative impact unnecessarily increased protocol complexity has on security. This paper provides a foundation for designing verifiable critical implementation components with considerably less burden to developers than is offered by the current state of the art. In addition, it offers a rich basis for further exploration in the areas of offensive analysis and, conversely, automated defense tools, and techniques.
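To make the parse tree differential attack concrete, the following is an added example in Python (written for this page, not code from the paper or its authors). It assumes a toy DER-style length-prefixed name field and two consumers of that field: one that honors the length prefix and one that copies the payload into a NUL-terminated C string, so the two are recognizers for different languages even though they read the same bytes. The tag value, the intended name grammar and the sample inputs are constructed for illustration and are assumptions, not material from the paper. The last function shows the recognize-then-process discipline the abstract argues for: a recognizer for the intended (regular) name language rejects the differential input before either consumer's interpretation matters.

```python
import re
from typing import Iterable, List, Tuple

# DER tag for UTF8String (a real value); everything else below is constructed.
TAG_UTF8STRING = 0x0C
# Assumed grammar for the name field: a regular language, the weakest class
# that still describes the inputs we actually mean to accept.
NAME_GRAMMAR = re.compile(rb"[A-Za-z0-9.-]+")


def encode_name(name: bytes) -> bytes:
    """Build a constructed test input: tag, short-form length, payload."""
    if len(name) >= 128:
        raise ValueError("example supports short-form DER length only")
    return bytes([TAG_UTF8STRING, len(name)]) + name


def parse_length_prefixed(buf: bytes) -> bytes:
    """Recognizer for the wire format: tag, one length byte, exactly that many bytes."""
    if len(buf) < 2 or buf[0] != TAG_UTF8STRING:
        raise ValueError("bad tag or truncated header")
    length = buf[1]
    if length >= 128:
        raise ValueError("long-form length not accepted")
    payload = buf[2:2 + length]
    if len(payload) != length or len(buf) != 2 + length:
        raise ValueError("length byte does not match payload")
    return payload


def name_seen_by_length_consumer(buf: bytes) -> str:
    """Consumer A: trusts the length prefix (what a DER library returns)."""
    return parse_length_prefixed(buf).decode("latin-1")


def name_seen_by_c_string_consumer(buf: bytes) -> str:
    """Consumer B: copies the payload into a C string, so strlen() stops at NUL."""
    payload = parse_length_prefixed(buf)
    nul = payload.find(b"\x00")
    return (payload if nul < 0 else payload[:nul]).decode("latin-1")


def parse_tree_differential(buf: bytes) -> Tuple[str, str, bool]:
    """Return both interpretations and whether they disagree on this input."""
    a = name_seen_by_length_consumer(buf)
    b = name_seen_by_c_string_consumer(buf)
    return a, b, a != b


def find_differentials(candidates: Iterable[bytes]) -> List[bytes]:
    """Differential harness: keep every input on which the two consumers disagree."""
    return [buf for buf in candidates if parse_tree_differential(buf)[2]]


def recognize_name(buf: bytes) -> bool:
    """Recognize before processing: accept only members of the intended language.

    Anything outside NAME_GRAMMAR (NUL bytes included) is rejected here, so no
    downstream consumer ever gets to form its own opinion about it.
    """
    try:
        payload = parse_length_prefixed(buf)
    except ValueError:
        return False
    return NAME_GRAMMAR.fullmatch(payload) is not None


# Constructed sample inputs.
BENIGN = encode_name(b"www.example.com")
DIFFERENTIAL = encode_name(b"www.example.com\x00.attacker.test")


if __name__ == "__main__":
    for label, buf in (("benign", BENIGN), ("differential", DIFFERENTIAL)):
        a, b, differs = parse_tree_differential(buf)
        print(f"{label}: length-consumer={a!r} c-string-consumer={b!r} differ={differs}")
        print(f"{label}: accepted by recognizer={recognize_name(buf)}")
```

The harness finds the disagreement only because both consumers share a single recognizer for the outer framing and then diverge on the payload; in real composed systems the divergence is usually hidden across two libraries or two processes, which is why the abstract treats the attack as a property of the protocol's grammar rather than of any one implementation.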
