Deep Modeling
October 17, 2017 ยท View on GitHub
Building a Deep Model
We assume that you have prepared already a vilanoo SQLite DB and a rawtrace-analysis SQLite DB. These two databases are imported in Neo4j with dbmanager.py.
dbmanager.py allows to initialize, reset, and import the above databases.
Make sure that you have properly installed Neo4j and that you have valid credentials.
Configuration
An example of database access configuration is in deep-modeling/shared/config.py.example. Copy it into deep-modeling/shared/config.py:
$ cp deep-modeling/shared/config.py.example deep-modeling/shared/config.py
Run your favourite text editor, open deep-modeling/shared/config.py, and put the appropriate values for Neo4j server hostname, username, and password.
Init Neo4j DB
To initialize the Neo4j database type the following:
$ ./dbmanager.py init
Reset Neo4j DB
To initialize the Neo4j database type the following:
$ ./dbmanager.py reset
Import data
To import dynamic traces into Neo4j, you will need the vilanoo SQLite database, the rawtrace-analysis database, a project name, a session ID, and username. The project name can be, for example, the name of the web application. The session ID can be a number. If you import two traces for the same web application you may want to use two numbers in order to distinguish them. Finally, the username can be the name of the account that you used in the web application under test.
To import all data type the following:
$ ./dbmanager.py import all $path_to_vilanoo_sqlite $path_to_mosgi_sqlite $path_to_rawtrace_sqlite $projname $session $user
You can import traces one by one. Have a look at the help page of dbmanager (--help).
Running Analysis on a Deep Model
IMPORTANT: The current version of our framework assumes that you use the suffix _S1 and _S2 to distinguish between session 1 and session 2. This is ugly and we acknowledge that. But you have to deal with it until we find resources to improve usability :)
We can run a number of analysis on a deep model. Analyses may depend from each other in the sense that part of the output of one analysis (e.g., new nodes in the model) are needed for another one.
Below I am listing a working order of analysis. If you want to build a model follow this order. Details on the hidden dependencies may be shared soon :)
- Dataflow (insert variables, vertical chains and backward selenese chains)
- User Generated Chains (insert propagation types for variables. Only UG so far)
- Intra-causality (causality between events, e.g., via Referer header)
- Add abstract parse trees (so far, we have only SQL query abstraction)
- Variable type inference (creation of abstract event and semantic+syntactic type inference)
- Model inference (FSM creation)
Here is a mapping of the above analyses with dbmanager commands. If you want to build a model, you should run dbmanager using the commands below in the give order. Use --help to see the exact type of parameters:
dbmanager.py analysis all: analyses number 1, 2, 3, and 4 (it is not really ALL)dbmanager.py type: analysis 5dbmanager.py analysis inference: analysis 6
Testermanager
The Testermanager is the tool that is used to generate and later on evaluate the actual csrf tests. The generation is solely based on the deep model of an operation whereas the test evaluation also requires the results of other tests to distinguish between a success and a probable failure.
Testgeneration
We define two different type of csrf tests. Tests that test forms that apparently have no csrf protection, called unprotected, and tests that test forms that apparently have a csrf protection, called protected. The derived tests are stored in a sqlite database. Both, the generation of protected and the generation of unprotected tests are based on the same call with only one keyword changed.
testermanager.py tgen [not_]protected [-h] [--simulate]
projname operation database
positional arguments:
projname Project name
operation Operation
database Database where to store HTTP requests
optional arguments:
-h, --help show this help message and exit
--simulate Do not write to database
Testevaluation
The testevaluation (ie. the call of the oracle) is based on the deep model of the to be evaluated operation as well as other test results and cosequently requires that multiple different csrf tests have been conducted beforehand. The results are directly displayed.
testermanager.py oracle [-h]
tc_references tc_analyzed_references tc
tc_analyzed
positional arguments:
tc_references csv list of sqlite databases of test cases for
reference
tc_analyzed_references
csv list of rawtrace-analysis sqlite databases of the
test cases for reference
tc database with the test case
tc_analyzed rawtrace-analysis database of the test case
optional arguments:
-h, --help show this help message and exit