Using HAZOP and FTA to Analyse Security Vulnerability of Web Application and Infrastructure


Pumisake Snamchaiskul (1) and Thitinan Phanrattanachai (2)

(1) Computer Engineering Program, Phetchabun Rajabhat University, Phetchabun, Thailand.
(2) Electronics Technology Program, Phetchabun Rajabhat University, Phetchabun, Thailand.

Abstract.

Hazard and Operability Study (HAZOP) and Fault Tree Analysis (FTA), both of which emerged from safety engineering, are two of the approaches employed in the analysis of safety-critical systems to identify hazards. This paper studies them, proposes some extensions to cover the security issues of web applications, draws up guidelines for applying them to web applications and infrastructure, and finally analyses their effectiveness.

The results confirm that HAZOP can reveal some alternative insecure situations when the web application is part of a system that must interact with a third-party system and/or when manual operations are needed. HAZOP can also be extended to cover the common vulnerabilities found in web applications (cross-site scripting, SQL injection and script injection), although its application contributes little to understanding and preventing those vulnerabilities. FTA, when applied to the common vulnerabilities of web applications, yields a similar result: it can be applied, but with little contribution. However, FTA is usefully applicable to structuring the vulnerabilities in web infrastructure.

Keywords: Web application, FTA, HAZOP, Vulnerability Analysis, Analytical Approach

1. Introduction

The WWW is a type of information system used widely, mainly over the Internet. Many organisations choose to build their applications on the WWW, which has become the promising platform for business applications. Additionally, web applications are also the centres of Internet communities. Public web applications, e.g. free web-based mail, search engines and web portals, have enormous numbers of users all over the world.

Like any other information system, web applications and infrastructure need to have the integrity of their security ensured. The risk of a system should be analysed in order to plan the proper countermeasures. One known ingredient of risk analysis is vulnerability analysis, the study of alternative system behaviours that lead to security compromise. Such behaviours are usually overlooked by the system analysis and design methods commonly used in software engineering.

The need for vulnerability analysis leads information system researchers to look for methodologies from other engineering disciplines. Hazard and Operability Study and Fault Tree Analysis, two of the analytical approaches commonly used in safety engineering, have been examined, and there is literature supporting their useful application to software and information systems. However, vulnerabilities in web applications and infrastructure have their own specific natures, so the applicability of those two approaches has been questioned. This paper investigates this matter.

2. The Vulnerabilities in Web Application and Infrastructure

Web applications are built on a text-based protocol called HTTP [1], which was originally designed to transport hypertext files, i.e. HTML files, across the Internet. Other facilities have since been added in order to aid the development of web applications, e.g. connections to a DBMS, client-side scripting, etc. The interaction between those facilities causes some of the glitches found in web applications, and these can be exploited by an attacker.

Corresponding author.

2014 3rd International Conference on Informatics, Environment, Energy and Applications IPCBEE vol.66 (2014) © (2014) IACSIT Press, Singapore

The vulnerabilities most commonly reported in web applications are cross-site scripting [2], SQL injection [3] and script/command execution injection. All three are basically caused by poor input validation. In cross-site scripting, a malicious script is secretly attached to an input. The malicious script is run on the victims' browsers when they view the input in another module. The attack is commonly used to hijack the victim's session ID; as a consequence, the attacker can do anything allowed by the victim's privileges. In SQL injection, a malicious SQL command is attached to an input that is used to generate the intended SQL command. Instead of the intended SQL command specified by the developer, the attacker's command is executed. As a consequence, the attacker can exploit this vulnerability to perform unauthorised modification of the database. In script/command injection, an input is used as part of an executable command, or the repository for uploaded files allows execution. The attacker can exploit these to execute any command he wants on the web server.

In web infrastructure, which basically consists of the OS, the HTTP server and the DBMS, the vulnerabilities can be in any sub-system. This is because the sub-systems are developed separately by different organisations and each has its own way of specifying configuration. One known cause is mis-configuration of those entities. For the other causes, the failure mechanisms are beyond the knowledge of the web developer. Therefore, those vulnerabilities can only be tracked through the vulnerability reports of software vendors or security-focused websites.

3. The Analytical Approaches

In safety engineering, system hazards have been studied in order to prevent them from endangering human life or the environment [4]. A hazard needs to be identified at the beginning so that the countermeasure can be formulated later on. There are two complementary approaches to finding hazards: the inductive approach and the deductive approach. In the inductive approach, a sub-system's fault is analysed and, as a result, its effects on the other sub-systems or on the whole are anticipated. In the deductive approach, on the other hand, the fault of the whole system is specified and the system is analysed to arrive at the causes situated in the finer sub-systems. Two of those approaches, HAZOP from the inductive side and FTA from the deductive side, are studied as follows.

3.1 Hazard and Operability Study (HAZOP)

HAZOP is an inductive approach that emerged from the chemical process industry [4]. It was later applied to other industries, e.g. the oil, pharmaceutical and food processing industries [5]. It has also been reported to be usefully applicable in the security context of information systems [6-8]. The key method HAZOP uses to identify hazards is the interpretation of guide words, which differ from industry to industry. For example, some of the guide words and their interpretations used in the chemical industry are shown in Table 1.

Guide word    Interpretation
NO            The attribute changes to the negative of the intention.
AS WELL AS    Another additional activity is also achieved.
OTHER THAN    Something other than the intention is achieved.
MORE/LESS     The attribute increases/decreases.
PART OF       Only some part of the intention is achieved.

Table 1: some of the interpretations used in the chemical industry [9]

The interpretation of a guide word is applied to the context of the system, e.g. to an attribute. It leads the analyst's mind to anticipate deviations of the system. Because the lists of guide words are suggested by research in particular industries, analysts can be assured to some extent that they will not overlook some potential deviations.

3.2 Fault Tree Analysis (FTA)

FTA is, on the other hand, a deductive approach. It is widely used in electronics, airliner design and nuclear power plants [10]. The consensus amongst researchers working in information system security is that it can be used to analyse security matters in information systems [11-16]. The key method of FTA is the use of a graphic notation to present the composition of a hazard, i.e. an undesired event, structurally. The construction process starts by specifying the known ultimate outcome as the top event of the tree. The top event is then analysed and, as a result, the causes of the event are identified. The causes of a given event are presented as the inputs of a graphic notation, the gate. A gate represents the logic, e.g. "and", "or", etc., that combines the inputs into the predecessor event. The tree is developed until the leaves are primary events. Some of the graphic notations and an example of a fault tree are shown in Figure 1.

[Figure 1: the graphic notations used in FTA (intermediate event, undeveloped event, basic event, INHIBIT gate with condition, AND gate, OR gate) and an example fault tree whose events are "Loss of heating", "Loss of fuel supply", "Loss of electricity", "Loss of solid fuel" and "Loss of liquid fuel".]

Fig. 1: Graphic notations used in FTA and an example of a fault tree

4. The Guidelines and Extension for Applying the Approaches to Web Application and Infrastructure

4.1 HAZOP Guidelines and Extension

In order to employ HAZOP to analyse web applications, the analysis should be able to detect the three common vulnerabilities. Therefore, the interpretation of the guide words should be extended to cover them. The method of applying HAZOP to Use Cases as the design representation, proposed by Srivatanakul et al. [8], is suitable if some of the guide-word interpretations are extended. Therefore, the two suitable guide words, AS WELL AS and OTHER THAN, are extended. AS WELL AS can be interpreted to mean that a malicious script is attached to the input; this can reveal cross-site scripting. The interpretation of OTHER THAN can be extended to mean that the input is, instead of information, actually an SQL command in the case of SQL injection, or an executable command or script file in the case of script injection.

The method of constructing and interpreting guide words proposed by Winther et al. [6] can also be applied to web applications, especially when there are interactions with third-party entities, e.g. a payment gateway, or when manual operations are needed.

4.2 FTA Guidelines

A fault tree of web application vulnerabilities can obviously be constructed by specifying the top event as one of the three common vulnerabilities mentioned above. In the case of the cross-site scripting tree, the intermediate nodes are the modules or pages that display data input to the application, and the leaves of the tree are the modules or pages that receive those inputs. In the case of SQL injection, the successor nodes are the modules or pages that construct SQL commands from input. Similarly, the successor nodes of script injection are the modules or pages that include input in an executed command, or those that perform file uploads.

A fault tree of web infrastructure can be constructed by specifying the top event as the phrase "vulnerable system". The intermediate nodes are the entities composing the system, e.g. the HTTP server, DBMS, OS, etc., and the leaf nodes can be the vulnerabilities of those sub-systems published by software vendors or security-focused websites. A leaf node can also represent a commonly mistaken configuration issue.


The application of the proposed extensions and guidelines is tested with scenarios picked from functionality normally found in web applications, i.e. an e-commerce site and a community message board. The results are as follows.

5.1 The Result of HAZOP

The HAZOP analysis using the guide words and method suggested by Winther et al. [6] can reveal some alternative insecure situations of the system in the scenario "Order Checkout and Payment", shown in Figure 2. The operation in this scenario needs to receive an e-mail from the payment gateway notifying the success of the payment, after which the staff member who receives the e-mail manually updates the order status. Examples of insecure situations are the interpretation of the guide word "Deliberate disclosure of mail due to outsider", which reveals that the e-mail can be eavesdropped, and the interpretation of "Unintentional manipulation of order status due to staff", which reveals the potential for error in the manual operation.

[Figure 2: sequence diagram with participants Customer, Order Man., Order DB, Payment and Staff; messages in order: Submit Order, Insert Order, Insert succeed, Redirect to Payment GW, Submit Payment, Payment Accept, Payment Succeeding Notification, Update Order Status, Update Order, Update Succeed, Update Succeed.]

Fig. 2: The sequence diagram of the Order Checkout and Payment scenario

The HAZOP analysis using the extended version of the method proposed by Srivatanakul et al. [8] can straightforwardly reveal the common vulnerabilities in web applications. However, the result does not contribute much to the understanding of those vulnerabilities, since by their nature they are caused by poor input validation. One can argue that instead of putting effort into HAZOP analysis, one would do better to improve the input validation method. Moreover, the effects of the vulnerabilities yielded by the analysis are too broad. The effects of SQL injection and script injection are the security compromise of the whole database and web server respectively. The effect of cross-site scripting is typically the hijacking of the victim's session ID, which the attacker can use to do anything allowed by the victim's privileges. Further analysis of those deviations into the sub-systems is blocked. This is considered to be of no use for further study of the vulnerability.

5.2 The Result of FTA

The fault trees of SQL injection and script injection are no better than a categorised list of the pages that need input validation. This can be considered to make no contribution to the improvement of security. The cross-site scripting fault tree, on the contrary, can show some flow from input to output, and this can reveal some potential problems. For example, the cross-site scripting tree of the scenario "browse product catalogue", where the product information is input by staff and later browsed by customers, reveals that internal staff are able to perform a cross-site scripting attack on customers. Therefore, even though the product update page is used internally, the countermeasure, i.e. input validation, should be in place.

When FTA is applied to web infrastructure, the fault tree can be used to organise the reported vulnerabilities. This supports the suggestion by Brooke & Paige [16] that FTA can serve as an "attack handbook". The tree can be used by system administrators to keep track of vulnerabilities and their patches or work-around solutions. The tree can also be used to remind system administrators to patch a system or sub-system when it is newly built. For example, when a new web server is added to the server farm to cope with increasing workload, the system administrator can consult the fault tree in order to see which parts or sub-systems need to be carefully addressed.
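As an added illustration of the two fault trees described in Sections 4.2 and 5.2 (example code, not from the paper), the following Python models a tree of basic events and AND/OR gates, evaluates whether the top event occurs for a given set of true basic events, derives the minimal cut sets, and lists the leaves under a sub-system as the administrator's checklist for a newly built host. The page names, advisory placeholders and misconfigurations are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Event:        # leaf: basic or undeveloped event
    name: str

@dataclass
class Gate:         # intermediate event with its AND/OR gate
    kind: str       # "AND" or "OR"
    inputs: list
    name: str = ""

def holds(node, active):
    """Does the top event occur, given the set of basic events that are true?"""
    if isinstance(node, Event):
        return node.name in active
    vals = [holds(i, active) for i in node.inputs]
    return all(vals) if node.kind == "AND" else any(vals)

def cut_sets(node):
    """Minimal cut sets: smallest sets of basic events that cause the top event."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = {s for c in child for s in c}
    else:                                   # AND: one cut set from each input
        sets = {frozenset()}
        for c in child:
            sets = {a | b for a in sets for b in c}
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))

def leaves(node):
    """Basic events below a node: the administrator's checklist for that part."""
    if isinstance(node, Event):
        return [node.name]
    return [n for i in node.inputs for n in leaves(i)]

# Tree 1: the "browse product catalogue" scenario of Section 5.2. Intermediate
# nodes are pages that display the input, leaves are pages that receive it
# (page names are constructed for this example).
XSS_TREE = Gate("OR", name="cross-site scripting against customer", inputs=[
    Gate("AND", name="catalogue page shows stored description", inputs=[
        Event("catalogue page renders description without output encoding"),
        Gate("OR", name="description received unvalidated", inputs=[
            Event("staff product-update page accepts script in description"),
            Event("bulk product import accepts script in description")])])])

# Tree 2: the web-infrastructure tree of Section 4.2. Leaves are published
# advisories (placeholder identifiers) and common misconfigurations.
INFRA_TREE = Gate("OR", name="vulnerable system", inputs=[
    Gate("OR", name="HTTP server", inputs=[
        Event("HTTP server: unpatched vendor advisory [ADVISORY-ID placeholder]"),
        Event("HTTP server: directory listing enabled (misconfiguration)")]),
    Gate("OR", name="DBMS", inputs=[
        Event("DBMS: default administrative password (misconfiguration)")]),
    Gate("OR", name="OS", inputs=[
        Event("OS: unpatched vendor advisory [ADVISORY-ID placeholder]")])])
SUBSYSTEMS = {g.name: g for g in INFRA_TREE.inputs}   # consulted for a new host
```

Each cut set of the catalogue tree pairs an unvalidated receiving page with the unencoded display page, so validating input at the internal staff page or encoding output at the customer page each removes a path to the top event; the infrastructure tree's cut sets are single leaves, i.e. any one unpatched advisory or misconfiguration suffices.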


6. Conclusion

HAZOP is applicable when applied to a web application that interacts with third parties and/or needs manual operation by humans. HAZOP can reveal alternative insecure situations that might not be anticipated in common system design. It is also found that, by extending the interpretation of the guide words, HAZOP can foresee the common vulnerabilities of web applications (cross-site scripting, SQL injection and script injection), even though the study might not contribute much to preventing those vulnerabilities.

A fault tree of a web application can be constructed by specifying the top event as one of the common vulnerabilities of web applications. However, it is realised that constructing fault trees of vulnerabilities in web applications does not contribute much to understanding and preventing the vulnerabilities. This is because, by their nature, those vulnerabilities can occur in any sub-system, module or script page that needs input validation.

On the contrary, analysis of web infrastructure by FTA is useful. A fault tree of the vulnerabilities of the sub-systems in web infrastructure presents a structured list of vulnerabilities. System administrators can use it to understand and keep track of the vulnerabilities published by software vendors or security-focused websites.

7. References

[1] R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. RFC 2616 -- Hypertext Transfer Protocol -- HTTP/1.1. http://www.ietf.org/rfc/rfc2616.txt. IETF, 1999.

[2] M. Samuel, P. Saxena, and D. Song. Context-sensitive auto-sanitization in web templating languages using type qualifiers. In: Y. Chen (ed.). 18th ACM Conference on Computer and Communications Security, Chicago. 2011, pp. 587-600.

[3] J. Clarke. SQL Injection Attacks and Defense. 2nd ed. Syngress, 2012.

[4] N. Storey. Safety-critical Computer Systems. Addison Wesley, 1996.

[5] T. Kletz. Hazop and Hazan: Identifying and Assessing Process Industry Hazards. Institution of Chemical Engineers, 1999.

[6] R. Winther, O. Johnsen, and B. A. Gran. Security Assessments of Safety Critical Systems Using HAZOPs. In: U. Voges (ed.). Proc. of the 20th International Conference on Computer Safety, Reliability and Security. 2001, pp. 14-24.

[7] K. Lano, D. Clark, and K. Androutsopoulos. Safety and Security Analysis of Object-Oriented Models. In: S. Anderson (ed.). SAFECOMP 2002: The 21st International Conference on Computer Safety, Reliability and Security, Catania. 2002, pp. 82-93.

[8] T. Srivatanakul, J. Clark, and F. Polack. Effective Security Requirements Analysis: HAZOP and Use Cases. In: K. Zhang, et al. (eds.). Information Security: 7th International Conference ISC 2004, CA, USA. 2004, pp. 416-427.

[9] F. Redmill, M. Chudleigh, and J. Catmur. System Safety: HAZOP and Software HAZOP. John Wiley & Sons, 1999.

[10] W. E. Vesely, F. F. Goldberg, N. H. Roberts, and D. F. Haasl. Fault Tree Handbook: NUREG-0492. U.S. Nuclear Regulatory Commission, 1981.

[11] D. M. Kienzle and W. A. Wulf. A Practical Approach to Security Assessment. In: T. Haigh, et al. (eds.). Proc. of the 1997 Workshop on New Security Paradigms, Cumbria. 1997, pp. 5-16.

[12] B. Schneier. Attack Trees: Modeling Security Threats. Dr. Dobb's Journal, December 1999, pp. 21-29.

[13] R. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, 2001.

[14] A. P. Moore, R. J. Ellison, and R. C. Linger. Attack Modeling for Information Security and Survivability. Technical Note. Carnegie Mellon University, 2001.

[15] G. Helmer, J. Wong, M. Slagell, V. Honavar, and R. Lutz. A Software Fault Tree Approach to Requirements Analysis of an Intrusion Detection System. Requirements Engineering. 2002, 7: 207-220.

[16] P. J. Brooke and R. F. Paige. Fault Trees for Security System Design and Analysis. Computers & Security. 2003,
