Command injection attacks exploit flaws in software. The present inventors recognize that one solution to prevent such attacks would be to avoid software flaws by using safe programming practices or programming constructs that do not allow such flaws. While this approach may be technically feasible, in many instances it is not practical. First, it would be impractical to redesign or re-implement the large body of legacy software that already exists. Second, even for newly-developed software, time-to-market pressure favors the quick delivery of new features over careful security considerations. Third, many software applications are produced by programmers that have not been properly trained in best security practices. And fourth, a software application is often created by composition with other software components whose provenance and adherence to security best practices can be of dubious quality. In short, not only are command injection attacks severe, they are here to stay for the foreseeable future.
Overview
An aspect of an embodiment of the present invention provides, among other things, a method, system, and computer readable medium for protecting software against a class of attacks known as “command injection attacks” that exploit common vulnerabilities found in software. The #1 and #2 listed items on MITRE's 2011 list of the “Top 25 Most Dangerous Software Errors” (https://cwe.mitre.org/top25/index.html) and the #1 and #2 listed flaws on the Open Web Application Security Project “Top 10 Application Security Risks” (https://www.owasp.org/index.php/Top_10_2010-Main) enable attackers to craft command injection attacks. Similarly, the #4 listed item on MITRE's list—“Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)”—enables attacker to craft command injection attacks. Still yet, the #23 listed item on MITRE's list—“Uncontrolled Format String”—enables attacker to craft command injection attacks.
These attacks are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
Accordingly, an aspect of an invention of the present invention provides an efficient solution for thwarting command injection attacks and for allowing software to continue operating despite attempts at subverting software.
An aspect of the present invention provides for, but not limited thereto, an approach for preventing or mitigating command injection attacks; and accordingly it recognizes that various attacks inject a payload that then gets processed by the software to carry out the attackers' intentions. The problem is that software vulnerabilities allow the malicious attacker payload to be processed normally as if it were a non-malicious payload.
The attack payload can be viewed as foreign genetic material that will typically not be present in the native software. Thus, one approach of stopping command injection attacks is to track all external data processed by software, e.g., network input, data entered in a web form, files uploaded to a server, and monitor its use in security-critical commands. If such data is detected, the software can refuse to carry out the command. Such an approach is referred to as taint propagation. The present inventors recognize that while such an approach may be effective in terms of stopping command injection attacks, this approach is not practical as tracking the flow of data through a software program is expensive and severely impacts performance.
Instead of keeping track of external (potentially malicious) data, an aspect of an embodiment of the present invention provides a method, system, and computer readable medium to identify native genetic material, such as but not limited thereto, command fragments. An aspect of an embodiment of the present invention scans software for fragments that can be used to form commands issued by the software. Whenever the software issues a command, the method or system of the present invention can intercept the command and uses a matching algorithm or method to reassemble the command using the identified fragments. The method or system of the present invention detects an attempted attack by looking for critical parts of the command that do not originate from the previously identified fragments. Once an attack is detected, the method or system of the present invention performs an analysis to determine the type of attacks, and then is able to remediate the attack to allow the software to continue normal operation.
By identifying native genetic material used to form a command (instead of attempting to track foreign material), an aspect of an embodiment of the present invention provides an approach that dispenses with expensive taint propagation techniques.
Furthermore, an aspect of an embodiment of the present invention provides an approach that is transparent and can be automatically applied to software already installed on a computing system, without necessarily involving the original software manufacturer, and without requiring modifications to the software program to be protected.
Accordingly, an aspect of various embodiments of the present invention is that it would have wide applicability. In particular, an aspect of an embodiment of the present invention can be used to secure any software that is network-enabled. An aspect of an embodiment of the present invention protects software against a severe class of attacks known as command injection attacks. Examples of such attacks include Structured Query Language (SQL) Injection Attacks (e.g., database attack), operating system (OS) Command Injection Attacks, Cross-Site Scripting Attacks, LDAP Injection Attacks, XML Injection Attacks, Cross-Site Scripting (XSS) Attacks, and format string attacks. Command injection attacks exploit the #1, #2, #4 and #23 software errors as described in MITRE's list of Top 25 Most Dangerous Software Errors. Further, an aspect of an embodiment of the present invention also allows many software programs to continue normal operation even after an attempted attack.
An aspect of an embodiment of the present invention protects software even after the software manufacturer has shipped it. An aspect of an embodiment of the present invention does not require users to modify the program. An aspect of an embodiment of the present invention can even be applied directly to programs shipped in binary form. Furthermore, modern software makes frequent use of third-party components whose quality may be unknown or untrusted. Accordingly, an aspect of an embodiment of the present invention allows such software to be built with security protection despite these third party components.
The novel aspects of the present invention provides, but not limited thereto, a process and algorithms (and related system and computer readable medium) for determining fragments, reassembling fragments to match commands to determine whether a command is safe or suspicious, such as a potential attack, and allowing software to continue execution despite potential attacks or actual attacks. This may all be done transparently, efficiently, without requiring any efforts from software developers.
An aspect of various embodiments of the present invention may provide a number of advantages, such as but not limited thereto, the ability to protect software without requiring users to modify the software, which therefore makes it a practical solution.
An aspect of an embodiment of the present invention thwarts a severe and important class of attacks, namely command injection attacks. These attacks exploit software vulnerabilities that are in the MITRE's list of the “Top 25 Most Dangerous Software Errors”. An aspect of an embodiment of the present invention also allows many software programs to continue normal operation even after an attempted attack.
An aspect of various embodiments of the present invention may be utilized for a number of products and services, such as but not limited thereto, as discussed below. An aspect of an embodiment of the present invention is applicable to all software. It can be applied on a wide variety of platforms and applications, including laptops, desktops, cell phones, tablets, photo frames, cameras, video recorders, PDAs, routers, web browsers and servers, music players, televisions, game consoles, handheld gaming devices, critical infrastructure devices (traffic lights, power relays), heart-rate monitors, biometric monitors, networked-enabled sensors, etc. The importance of the invention will only rise over time as more and more devices are becoming network-enabled, e.g. refrigerator, home thermostats, automobiles, medical devices, etc. Further, an aspect of an embodiment can be applied on a wide variety of applications for infrastructure related systems and devices, such as power utilities, water utilities, public utilities, office infrastructure, home dwellings, department of defense infrastructure and systems, military equipment and systems, medical equipment and systems, vehicles, aircraft, server farms, and watercraft.
An aspect of an embodiment of the present invention provides a method, system and computer readable medium that can thwart OS command injection attacks (as well as data base or SQL injection attacks, database and web based application; format string attacks; LDAP injection attacks, XPATH injection attacks, cross-site scripting (XSS) attacks, attacks against scripting languages, and NoSQL injection attacks or the like) by matching the program's signature fragments to the commands it attempts to issue. If commands cannot be matched, the software, system and method of an embodiment of the present invention assumes that the command that has been injected into the program is potentially dangerous.
An aspect of an embodiment of the present invention provides, among other things, a method, system and computer readable medium that provides, among other things, taint inference and positive tainting resulting in positive taint inference
An aspect of an embodiment of the present invention is that it does not require the software manufacturer to change their code. In fact, as discussed above, an aspect of an embodiment of the invention can be applied even after the manufacturer has shipped the software.
An aspect of an embodiment of the present invention provides, but not limited thereto, a computer method for detecting command injection attacks. The method may comprise: receiving software code; extracting string fragments from the received software code to provide extracted signature fragments; receiving command instructions; converting the received command instructions into command fragments; identifying critical parts from the commands fragments; determining if the critical parts are untrusted or trusted by matching with the extracted signature fragments; identifying potential attacks upon the condition that a command includes critical parts that are untrusted; and communicating the identification of potential attacks to an output device.
An aspect of an embodiment of the present invention provides, but not limited thereto, a computer method for detecting command injection attacks. The method may comprise: receiving software code; receiving string fragments to provide signature fragments; receiving command instructions; converting the received command instructions into command fragments; identifying critical parts from the commands fragments; determining untrusted or trusted parts of the command instructions by using the signature fragments; identifying potential attacks upon the condition that a command includes critical parts that are untrusted; and communicating the identification of potential attacks to an output device.
An aspect of an embodiment of the present invention provides, but not limited thereto, a system for detecting command injection attacks based on command instructions to be received from a client processor or client data memory (or other processor or data memory as desired, needed or required). The system may comprise: a memory unit operative to store software code; and a processor. The processor may be configured to: extract string fragments from the software code to provide extracted signature fragments; receive the client command instructions; convert the received command instructions into command fragments; identify critical parts from the commands fragments; determine if the critical parts are untrusted or trusted by matching with the extracted signature fragments; identify potential attacks upon the condition that a command includes critical parts that are untrusted; and communicate the identification of potential attacks to an output device.
An aspect of an embodiment of the present invention provides, but not limited thereto, a system for detecting command injection attacks based on command instructions to be received from a client processor or client data memory (or other processor or data memory as desired, needed or required). The system may comprise: a memory unit operative to store software code and a processor. The processor may be configured: receive string fragments to provide signature fragments; receive command instructions; convert the received command instructions into command fragments; identify critical parts from the commands fragments; determine untrusted or trusted parts of the command instructions by using the signature fragments; identify potential attacks upon the condition that a command includes critical parts that are untrusted; and communicate the identification of potential attacks to an output device.
An aspect of an embodiment of the present invention provides, but not limited thereto, a non-transitory computer readable medium including instructions executable by a processor for detecting command injection attacks. The instructions may comprise: receiving software code; extracting string fragments from the received software code to provide extracted signature fragments; receiving command instructions; converting the received command instructions into command fragments; identifying critical parts from the commands fragments; determining if the critical parts are untrusted or trusted by matching with the extracted signature fragments; identifying potential attacks upon the condition that a command includes critical parts that are untrusted; and communicating the identification of potential attacks to an output device.
An aspect of an embodiment of the present invention provides, but not limited thereto, a non-transitory computer readable medium including instructions executable by a processor for detecting command injection attacks. The instructions may comprise: receiving software code; receiving string fragments to provide signature fragments; receiving command instructions; converting the received command instructions into command fragments; identifying critical parts from the commands fragments; determining untrusted or trusted parts of the command instructions by using the signature fragments; identifying potential attacks upon the condition that a command includes critical parts that are untrusted; and communicating the identification of potential attacks to an output device.
An aspect of an embodiment of the present invention provides, but not limited thereto, methods and systems that are described herein for detecting command injection attacks. A positive, taint inference method includes receiving signature fragments on one hand, converting command injection instructions into command fragments on another hand, thus identifying potential attacks upon the condition that a command injection instruction includes critical untrusted parts by using signature fragments. A system detects command injection attacks using this kind of method, and remediates and rejects potential attacks.
These and other objects, along with advantages and features of various aspects of embodiments of the invention disclosed herein, will be made more apparent from the description, drawings and claims that follow.