Known XML Vulnerabilities Are Still a Threat to Popular Parsers ! & Open Source Systems
Known XML Vulnerabilities Are Still a Threat
to Popular Parsers !
& Open Source Systems
Sadeeq Jan, Cu D. Nguyen, Lionel Briand
Interdisciplinary Centre for Security, Reliability and Trust (SnT)
University of Luxembourg
QRS 2015
The 2015 IEEE International Conference on Software Quality, Reliability & Security
Vancouver, Canada, August 3-5, 2015
2. Motivation
• Widespread use of XML
• De-facto standard for data exchange
• > 500 XML vulnerabilities reported in the National Vulnerability Database (NVD)
[Chart: NVD Statistics (07/2015), number of vulnerabilities per category: XML, DoS (BIL), XXE, XML Parser, XML injection]
4. XML Bomb/Billion Laughs (BIL)
• DoS attack on an XML parser using well-formed XML
• Exponential entity expansion
<?xml version="1.0"?>
<!DOCTYPE xmlBOMB [
<!ENTITY a "Random Text">
<!ENTITY b "&a; &a; &a; &a; &a;">
<!ENTITY c "&b; &b; &b; &b; &b;">
<!ENTITY d "&c; &c; &c; &c; &c;">
]>
<xmlBOMB>&d;</xmlBOMB>
• Impact
– Higher memory & CPU consumption
– DoS on the parsing system
5. XML External Entity (XXE) Vulnerabilities
• Attack on a weakly configured parser via XML input containing a reference to an external entity
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE myFile [
<!ELEMENT myFile ANY>
<!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<myFile>&xxe;</myFile>
• Impact
– Disclosure of confidential information
– DoS on the parsing system
– Unauthorized access to system/data
6. Research Problem and Goals
• Research problem
  • Insecure use and configuration of XML parsers
  • Lack of adequate security testing of popular XML parsers and open source systems for XML-related vulnerabilities
• Goals
  • Security assessment of popular XML parsers and open source systems
  • Raising awareness among software developers regarding these vulnerabilities
7. Contribution of This Work
• A large-scale, systematic and rigorous experimental evaluation of BIL/XXE attacks
  • in popular XML parsers and open source systems using those parsers
• Unbiased and extensive evidence of the lack of mitigation for these vulnerabilities
  • To raise awareness among software developers
8. Research Questions
RQ1: To which extent are BIL and XXE attacks successful in modern XML parsers?
RQ2: Do software systems, which use one of the vulnerable parsers, apply mitigation techniques for BIL and XXE attacks?
10. Experiment Setup - Subject Selection
XML Parsers (RQ1)
• Candidates: Java, Python, PHP, C#, Perl
• Popular? Popularity = no. of adoptions (> 0.5 million in GitHub/Google Code)
• Selected: 13 XML parsers
Open Source Systems (RQ2)
• Those using a vulnerable parser (Java DOM)
• Selected: 749 Java classes (628 GitHub projects) and 8 applications
11. Experiment Setup - Inputs, Subjects and Oracle
Test Inputs
• 10 XML bombs of size M x N for the BIL category
• 3 XML files for the XXE category
Subjects
• Parsers
  1. JDOM2
  2. NanoXML
  3. NanoXML-LITE
  4. Std-DOM
  5. Std-SAX
  6. Std-STAX
  7. WOODSTOX
  8. XERCES-JDOM
  9. LXML-ETREE
  10. Std-ETREE
  11. PERL(XML:LibXML)
  12. PHPDOM
  13. MSXML
• Open Source Systems
  Applications using an XML parser:
  1. Websphere-portal-plugiin
  2. File-Archiver-Main
  3. AppDF
  4. source2XMI
  5. Jbm-to-hornetq
  6. Fastcatsearch
  7. Bimoku-Crawler
  8. blog
  749 Java classes using the Std-DOM parser (from GitHub projects)
Oracle/Indicators
• Memory consumption
• CPU time
• Response content
12. Results
Parsers
• Total parsers: 13; vulnerable to BIL: 8; vulnerable to XXE: 7
• More than half of the tested parsers are vulnerable to BIL and XXE.
Open Source Systems
• All tested applications (8/8) are vulnerable.
• 735 out of 749 (98.13%) Java classes from 628 GitHub projects that use the Java DOM parser are vulnerable.
13. Parser's behavior to BIL attack
Input (no. of entities M = 5, no. of references per entity N = 5):
<?xml version="1.0"?>
<!DOCTYPE xmlBOMB [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol; &lol; &lol; &lol; &lol;">
<!ENTITY lol2 "&lol1; &lol1; &lol1; &lol1; &lol1;">
<!ENTITY lol3 "&lol2; &lol2; &lol2; &lol2; &lol2;">
<!ENTITY lol4 "&lol3; &lol3; &lol3; &lol3; &lol3;">
<!ENTITY lol5 "&lol4; &lol4; &lol4; &lol4; &lol4;">
]>
<lolz>&lol5;</lolz>
[Screenshots: response of a non-vulnerable parser; response of a vulnerable parser]
14. Parser's behavior to XXE attack
Input:
<?xml version="1.0"?>
<!DOCTYPE myFile [
<!ELEMENT myFile ANY>
<!ENTITY xxe SYSTEM "C:DatafileContents.txt">]>
<foo>&xxe;</foo>
[Screenshots: response of a non-vulnerable parser; response of a vulnerable parser]
15. Test Oracles
For BIL category:
XML File  | Physical size on disk | Memory consumption | CPU time | Response content                    | Result
Legit     | < 10KB                | < 1MB              | < 1 sec  | Normal                              | Non-vulnerable
Malicious | < 1KB                 | > 100 MB           | > 10 min | Continued expanding entities        | Vulnerable
Malicious | < 1KB                 | < 100 MB           | < 10 min | Detected & stopped entity expansion | Non-vulnerable

For XXE category:
XML File  | Physical size on disk | Response content                                  | Result
Legit     | < 1KB                 | No external contents                              | Non-vulnerable
Malicious | < 1KB                 | Acquired external contents referred by the entity | Vulnerable
Malicious | < 1KB                 | Blocked access to external contents               | Non-vulnerable
17. CPU Time Analysis
[Chart: CPU time for parsing BIL XML files of different sizes (M x N), where M is the number of entities and N is the number of references per entity]
18. Results - details
Parsers
Parser Name        | BIL Vulnerable? | XXE Vulnerable?
JDOM2              | Yes             | Yes
NanoXML            | Yes             | Yes
NanoXML-LITE       | No              | No
Std-DOM            | Yes             | Yes
Std-SAX            | Yes             | Yes
Std-STAX           | No              | No
WOODSTOX           | No              | No
XERCES-JDOM        | Yes             | Yes
LXML-ETREE         | No              | No
Std-ETREE          | Yes             | No
PERL(XML:LibXML)   | Yes             | Yes
PHPDOM             | No              | No
MSXML              | Yes             | Yes
Total              | 8               | 7

Applications using a vulnerable parser
Application               | BIL Vulnerable? | XXE Vulnerable?
Websphere-portal-plugiin  | Yes             | Yes
File-Archiver-Main        | Yes             | Yes
AppDF                     | Yes             | Yes
source2XMI                | Yes             | Yes
Jbm-to-hornetq            | Yes             | Yes
Bimoku-Crawler            | Yes             | Yes
blog                      | Yes             | Yes
Fastcatsearch             | Yes             | Yes
19. Results - details
Sample of 100 open source projects from the 1000 selected in our study. All of these projects use the vulnerable parser (Std-DOM) without disabling the features leading to XML BIL/XXE attacks.
20. Research Questions - Answers
RQ1: To which extent are BIL and XXE attacks successful in modern XML parsers?
BIL and XXE vulnerabilities are present in modern XML parsers. Among the selected ones, more than half are vulnerable.
RQ2: Do software systems, which use one of the vulnerable parsers, apply mitigation techniques for BIL and XXE attacks?
Systems that adopt a BIL- or XXE-vulnerable XML parser do not apply any proper security measure and are therefore vulnerable.
21. Recommendations
• Software developers
  • Be aware of security issues in parsers
  • Correctly set parsers' configuration and disable unused features
    • For example, block/limit external entities
• Parser developers
  • Secure default configurations, better documentation
  • Adequate security testing
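A hardened configuration of the Std-DOM parser (JAXP DocumentBuilderFactory, the parser used by the 749 studied Java classes) that applies these recommendations, written as an added example that is not part of the paper or the slides; the class and method names are assumptions, the feature URIs are the standard SAX/Xerces ones, and the sample documents are constructed from the slides' text.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedDomParser {

    // Std-DOM with the features that make BIL and XXE inputs fail fast
    // instead of being expanded (BIL) or fetched from disk/network (XXE).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...>: without a DTD no entity can be declared,
        // so neither an entity chain nor a SYSTEM entity ever reaches the parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // enables expansion limits
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns true when the document was parsed, false when the hardened parser refused it.
    static boolean parses(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement() != null;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and the XXE sample from slide 5.
        String legit = "<?xml version=\"1.0\"?><myFile>hello</myFile>";
        String xxe = "<?xml version=\"1.0\"?><!DOCTYPE myFile [<!ELEMENT myFile ANY>"
                   + "<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><myFile>&xxe;</myFile>";
        System.out.println("legit parsed: " + parses(legit));
        System.out.println("xxe parsed:   " + parses(xxe)); // DOCTYPE is disallowed
    }
}
```

The same factory settings apply to the BIL inputs of slides 4 and 13, since both rely on a DOCTYPE to declare the entity chain.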