Save 37% off PRO during our Black Friday Sale! »

ACIDRain: Concurrency-Related Attacks on Database-Backed Web Applications

D4d69a38202be5ae6b4320d74caa0bcd?s=47 Stanford Future Data Systems
May 16, 2017
Technology
3
1.6k

ACIDRain: Concurrency-Related Attacks on Database-Backed Web Applications

ACM SIGMOD 2017
http://www.bailis.org/papers/acidrain-sigmod2017.pdf
https://github.com/stanford-futuredata/acidrain

D4d69a38202be5ae6b4320d74caa0bcd?s=128

Stanford Future Data Systems

May 16, 2017
Tweet

More Decks by Stanford Future Data Systems

See All by Stanford Future Data Systems
D4d69a38202be5ae6b4320d74caa0bcd?s=48 futuredata
1
780
D4d69a38202be5ae6b4320d74caa0bcd?s=48 futuredata
2
1.8k
D4d69a38202be5ae6b4320d74caa0bcd?s=48 futuredata
0
420
D4d69a38202be5ae6b4320d74caa0bcd?s=48 futuredata
5
1.2k

Other Decks in Technology

See All in Technology
11ab209b6dcacad4e5aa841af533a937?s=48 katahiro12345
0
110
156a7b659a9b4aba83a8c0a33515a06f?s=48 e11i0t_4lders0n
1
1.3k
33dd5188ff5f608ca2a1e007b9528e6b?s=48 okepy
PRO
0
610
5afa0b3a91d287fdf8b248a118a3975d?s=48 y503unavailable
0
180
D0f5daa7cc3a26140c06ea29e5e235cc?s=48 noriyukitakei
0
900
81902928da54ee11fd4028144d061993?s=48 tohae
1
220
932329c79bc511fdfed22abbd5ec92d2?s=48 rnakamuramartiny
0
1.1k
B46a00cafe34a9437d3a5bc6afc5bee3?s=48 aditya45
1
430
Ca6281fff64797dc419b78f51f25c0a5?s=48 fujiwara3
PRO
4
920
7a29c02251394fc05ebd88c631c562dc?s=48 takufujii
0
1.4k
33ef4c1ebe619115b552db9a9f9a3509?s=48 sadnessojisan
5
2.3k
D0a6969000c3715087b3a00abd646d20?s=48 timeseriesfr
0
250

Featured

See All Featured
5f83ef806155b403c3393160ce51f955?s=48 jlugia
218
16k
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
14
1.1k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
277
17k
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
C620790ae5bf5b50c245b2e0ef95f338?s=48 deanohume
294
28k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
148
20k
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
337
30k
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
123
5.2k
11c84dff30266b907714802088852677?s=48 jasonvnalue
88
8.4k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
105
12k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
595
210k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
56
5.7k

Transcript

  1. 1 ACIDRain: Concurrency-Related Attacks on Database-Backed Web Applications Todd Warszawski,

    Peter Bailis Stanford University

  2. 2 Explore Real World Transaction Usage • Do programmers use

    transactions correctly? • This paper: 22 new critical vulnerabilities due to incorrect transaction usage – Corrupt store inventory, overspend giftcards, steal items • 50% of eCommerce sites (2M+) at risk

  3. 3 Analyzed Popular Sites

  4. 5 Analyzed Popular Sites Plus 9 more!

  5. 6 Companies Using These Applications

  6. 7

  7. 8

  8. 9

  9. 10 What do these vulnerabilities look like?

  10. 11 LIVE DEMO HERE Invite Todd to talk at your

    organization!

  11. 12

  12. 13

  13. 14 “By sending thousands of simultaneous requests, the attacker was

    able to ‘move’ coins from one user account to another until the sending account was overdrawn, before balances were updated.”

  14. 15 What's Happening? • Race condition – application exhibits behavior

    under concurrent execution not possible under serial execution • Can we exploit these behaviors? • Yes! We call this exploitation of non- serializable API behavior an ACIDRain attack

  15. 16 Overview • Problem setup • New method for detecting

    latent potential for non-serializable behavior • Evaluation – analysis of 12 eCommerce platforms

  16. 17 Problem Setup: Attacking Websites http POST request SELECT ...

    UPDATE ... SELECT ... http GET request Application Server Database

  17. 18 Problem Setup: Attacking Websites http POST request SELECT ...

    UPDATE ... SELECT ... http GET request Application Server Database

  18. 19 Problem Setup: Attacking Websites http POST request SELECT ...

    UPDATE ... SELECT ... http GET request Application Server Database

  19. 20 Problem Setup: Attacking Websites http POST request SELECT ...

    UPDATE ... SELECT ... http GET request Application Server Database

  20. 21 Problem Setup: Attacking Websites http POST request SELECT ...

    UPDATE ... SELECT ... http GET request Application Server Application Server Database

  21. 22 Problem Setup: Attacking Websites http POST request SELECT ...

    UPDATE ... SELECT ... http GET request Database Application Server

  22. 23 Problem Setup: Attacking Websites http POST request SELECT ...

    UPDATE ... SELECT ... http GET request Serializability of API Requests Serializability of Database Transactions Application Server Database

  23. 24 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY

  24. 25 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 1 Bob Checkout usage = 0 Application Server Database

  25. 26 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 1 Bob Checkout usage = 0 Application Server Database

  26. 27 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 1 Bob Checkout usage = 0 Application Server Database

  27. 28 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 1 Bob Checkout usage = 1 Application Server Database

  28. 29 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 1 Bob Checkout usage = 1 Application Server Database

  29. 30 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 1 Bob Checkout usage = 1 Application Server Database

  30. 31 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE usage = 0 Application Server Database

  31. 32 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE usage = 0 Application Server Database

  32. 33 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE usage = 0 Application Server Database

  33. 34 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE usage = 0 Application Server Database

  34. 35 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE usage = 1 Application Server Database

  35. 36 Non-Transactional Implementation def checkVoucher(code): usage = readUsage(code) if (usage

    == 0): markUsed(code) SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE usage = 1 Application Server Database

  36. 37 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT

  37. 38 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 0 Database Application Server

  38. 39 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 0 Database Application Server

  39. 40 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 0 Database Application Server

  40. 41 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 0 Database Application Server

  41. 42 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 0 Database Application Server

  42. 43 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 0 Database Application Server

  43. 44 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 1 Database Application Server

  44. 45 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 1 Database Application Server

  45. 46 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 1 Database Application Server

  46. 47 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 1 Database Application Server

  47. 48 Transactional Implementation def checkVoucher(code): beginTxn() usage = readUsage(code) if

    (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Alice Checkout SELECT 0 UPDATE SELECT 0 Bob Checkout UPDATE BEGIN BEGIN COMMIT COMMIT usage = 1 Database Application Server Will one of the transactions fail? It depends

  48. 49 = prevents anomaly = exhibits anomaly Many Databases Allow

    This Anomaly Database Default Isolation Maximum Isolation Actian Ingres 10.0/10S Aerospike Akiban Persistit Clustrix CLX 4100 Greenplum 4.1 IBM DB2 10 for z/OS MySQL 5.6 MemSQL 1b MS SQL Server 2012 NuoDB Oracle 11g Oracle Berkeley DB Oracle Berkeley DB JE Postgres 9.2.2 SAP HANA ScaleDB 1.02 VoltDB

  49. 50 Two Sources of Vulnerabilities • Databases providing weak isolation

    may exhibit non-serializable behavior def checkVoucher(code): beginTxn() usage = readUsage(code) if (usage == 0): markUsed(code) commit() def checkVoucher(code): usage = readUsage(code) if (usage == 0): markUsed(code) • Programmers may code transactions incorrectly

  50. 51 Overview • Problem setup • New method for detecting

    latent potential for non-serializable behavior • Evaluation – analysis of 12 eCommerce platforms

  51. 52 Analysis Challenges • Want to analyze web applications written

    in multiple languages and frameworks • Anomalies only occur under concurrent execution, but website activity is often serial

  52. 53 Approach: Abstract Anomaly Detection (2AD) Collect (possibly serial) logs

    from database Build compact representation of history (abstract history graph) Search abstract history for cycles to generate possible anomalous API calls 1. 2. a 3.

  53. Approach: Abstract Anomaly Detection (2AD)

  54. Approach: Abstract Anomaly Detection (2AD)

  55. Approach: Abstract Anomaly Detection (2AD)

  56. Approach: Abstract Anomaly Detection (2AD)

  57. Approach: Abstract Anomaly Detection (2AD)

  58. 59 Approach: Abstract Anomaly Detection (2AD)

  59. 60 Approach: Abstract Anomaly Detection (2AD) Collect (possibly serial) logs

    from database Build compact representation of history (abstract history graph) Search abstract history for cycles to generate possible anomalous API calls 1. 2. a 3.

  60. 61 Abstract History Graph def checkVoucher(code): beginTxn() usage = readUsage(code)

    if (usage == 0): markUsed(code) commit() BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT

  61. 62 Abstract History Graph BEGIN TRANSACTION SELECT usage FROM voucher

    WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT

  62. 63 Abstract History Graph r(voucher) w(voucher) r(voucher) w(voucher) BEGIN TRANSACTION

    SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT = Operation Add node for each operation 1.

  63. 64 Abstract History Graph r(voucher) w(voucher) r(voucher) w(voucher) BEGIN TRANSACTION

    SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT = Operation = Transaction Add node for each operation Add supernode for each transaction 1. 2.

  64. 65 Abstract History Graph r(voucher) w(voucher) r(voucher) w(voucher) BEGIN TRANSACTION

    SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT = Operation = Transaction = API Call Add node for each operation Add supernode for each transaction Add super-supernode for each API call 1. 2. 3.

  65. 66 Abstract History Graph r(voucher) w(voucher) r(voucher) w(voucher) BEGIN TRANSACTION

    SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT = Operation = Transaction = API Call = Conflict Add node for each operation Add supernode for each transaction Add super-supernode for each API call Add edge for each conflict 1. 2. 3. 4.

  66. 67 Abstract History Graph r(voucher) w(voucher) r(voucher) w(voucher) BEGIN TRANSACTION

    SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT = Operation = Transaction = API Call = Conflict Add node for each operation Add supernode for each transaction Add super-supernode for each API call Add edge for each conflict 1. 2. 3. 4.

  67. 68 Abstract History Graph r(voucher) w(voucher) r(voucher) w(voucher) BEGIN TRANSACTION

    SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT = Operation = Transaction = API Call = Conflict Add node for each operation Add supernode for each transaction Add super-supernode for each API call Add edge for each conflict 1. 2. 3. 4.

  68. 69 Abstract History Graph r(voucher) w(voucher) r(voucher) w(voucher) BEGIN TRANSACTION

    SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT = Operation = Transaction = API Call = Conflict Add node for each operation Add supernode for each transaction Add super-supernode for each API call Add edge for each conflict Search for cycles in the graph 1. 2. 3. 4. 5.

  69. 70 Abstract History Graph r(voucher) w(voucher) = Operation = Transaction

    = API Call = Conflict BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY BEGIN TRANSACTION SELECT usage FROM voucher WHERE code = HNUHY UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT UPDATE voucher SET usage = 1 WHERE code = HNUHY COMMIT Add node for each operation Add supernode for each transaction Add super-supernode for each API call Add edge for each conflict Search for cycles in the graph 1. 2. 3. 4. 5. r(voucher) w(voucher)

  70. 71 Completeness Guarantees • Completeness: if there is a potential

    anomalous execution, this approach will find it • Soundness: discussion in paper Thm: Given a set of API calls, there exists an anomalous execution of the API calls if and only if there is a cycle in the abstract history.

  71. 72 Limitations • Does not take into account user level

    (i.e., "feral" [Bailis et al. 2015]) concurrency control def checkVoucher(code): beginTxn() usage = readUsage(code) if (usage == 0): markUsed(code) commit()

  72. 73 Limitations • Does not take into account user level

    (i.e., "feral" [Bailis et al. 2015]) concurrency control def checkVoucher(code): beginTxn() usage = readUsage(code) if (usage == 0): markUsed(code) commit() def checkVoucher(code): appLock.lock() usage = readUsage(code) if (usage == 0): markUsed(code) appLock.release()

  73. 74 Overview • Problem setup • New method for detecting

    latent potential for non-serializable behavior • Evaluation – analysis of 12 eCommerce platforms

  74. 75 Ecommerce Platforms

  75. 76 Ecommerce Platforms Interested in 3 key invariants: 1. Inventory

    2. Voucher 3. Cart

  76. 77 Inventory Invariant Stock should not go below 0 and

    should reflect all orders placed

  77. 78 Inventory Invariant Stock should not go below 0 and

    should reflect all orders placed

  78. 79 Inventory Invariant Stock should not go below 0 and

    should reflect all orders placed

  79. 80 Voucher Invariant Vouchers should not be spent past their

    intended limit

  80. 81 Voucher Invariant Vouchers should not be spent past their

    intended limit

  81. 82 Voucher Invariant Vouchers should not be spent past their

    intended limit

  82. 83 Cart Invariant Total charged for an order should be

    equal to the value of items associated with the order

  83. 84 Cart Invariant Total charged for an order should be

    equal to the value of items associated with the order

  84. 85 Cart Invariant Total charged for an order should be

    equal to the value of items associated with the order

  85. 86 Analysis Results Application Language Inventory Voucher Cart Opencart PHP

    ✗ ✗ ✔ Prestashop PHP ✗ ✗ ✔ Magento PHP ✗ ✗ ✔ WooCommerce PHP ✗ ✗ ✔ Spree Ruby on Rails ✔ ✔ ✔ Ror_ecommerce Ruby on Rails ✗ N/A ✗ Shoppe Ruby on Rails ✗ N/A ✗ Oscar Python (Django) ✗ ✗ ✔ LFS Python (Django) ✗ ✗ ✗ Saleor Python (Django) ✗ ✗ N/A Broadleaf Java (Spring) N/A ✗ ✗ Shopizer Java (Spring) N/A N/A ✗ ✗ = vulnerable, ✔ = not vulnerable 22 new vulnerabilities!

  86. 87 Analysis Results Application Language Inventory Voucher Cart Opencart PHP

    ✗ ✗ ✔ Prestashop PHP ✗ ✗ ✔ Magento PHP ✗ ✗ ✔ WooCommerce PHP ✗ ✗ ✔ Spree Ruby on Rails ✔ ✔ ✔ Ror_ecommerce Ruby on Rails ✗ N/A ✗ Shoppe Ruby on Rails ✗ N/A ✗ Oscar Python (Django) ✗ ✗ ✔ LFS Python (Django) ✗ ✗ ✗ Saleor Python (Django) ✗ ✗ N/A Broadleaf Java (Spring) N/A ✗ ✗ Shopizer Java (Spring) N/A N/A ✗ ✗ = vulnerable, ✔ = not vulnerable 22 new vulnerabilities! 2M+ sites at risk

  87. 88 Analysis Results Application Language Inventory Voucher Cart Opencart PHP

    ✗ ✗ ✔ Prestashop PHP ✗ ✗ ✔ Magento PHP ✗ ✗ ✔ WooCommerce PHP ✗ ✗ ✔ Spree Ruby on Rails ✔ ✔ ✔ Ror_ecommerce Ruby on Rails ✗ N/A ✗ Shoppe Ruby on Rails ✗ N/A ✗ Oscar Python (Django) ✗ ✗ ✔ LFS Python (Django) ✗ ✗ ✗ Saleor Python (Django) ✗ ✗ N/A Broadleaf Java (Spring) N/A ✗ ✗ Shopizer Java (Spring) N/A N/A ✗ ✗ = vulnerable, ✔ = not vulnerable 22 new vulnerabilities! 2M+ sites at risk 4 different languages

  88. 89 Analysis Results Application Language Inventory Voucher Cart Opencart PHP

    ✗ ✗ ✔ Prestashop PHP ✗ ✗ ✔ Magento PHP ✗ ✗ ✔ WooCommerce PHP ✗ ✗ ✔ Spree Ruby on Rails ✔ ✔ ✔ Ror_ecommerce Ruby on Rails ✗ N/A ✗ Shoppe Ruby on Rails ✗ N/A ✗ Oscar Python (Django) ✗ ✗ ✔ LFS Python (Django) ✗ ✗ ✗ Saleor Python (Django) ✗ ✗ N/A Broadleaf Java (Spring) N/A ✗ ✗ Shopizer Java (Spring) N/A N/A ✗ ✗ = vulnerable, ✔ = not vulnerable 22 new vulnerabilities! 2M+ sites at risk 4 different languages 5 errors due to DB default isolation

  89. 90 Analysis Results Application Language Inventory Voucher Cart Opencart PHP

    ✗ ✗ ✔ Prestashop PHP ✗ ✗ ✔ Magento PHP ✗ ✗ ✔ WooCommerce PHP ✗ ✗ ✔ Spree Ruby on Rails ✔ ✔ ✔ Ror_ecommerce Ruby on Rails ✗ N/A ✗ Shoppe Ruby on Rails ✗ N/A ✗ Oscar Python (Django) ✗ ✗ ✔ LFS Python (Django) ✗ ✗ ✗ Saleor Python (Django) ✗ ✗ N/A Broadleaf Java (Spring) N/A ✗ ✗ Shopizer Java (Spring) N/A N/A ✗ ✗ = vulnerable, ✔ = not vulnerable 22 new vulnerabilities! 2M+ sites at risk 4 different languages 5 errors due to DB default isolation 17 errors due to improper transaction usage

  90. 91 Developer Response 8 confirmed

  91. 92 Developer Response 8 confirmed

  92. 93 Developer Response 8 confirmed

  93. 94 Developer Response 8 confirmed

  94. 95 Developer Response 8 confirmed

  95. 96 Developer Response 8 confirmed

  96. 97

  97. 98

  98. 99 Developer Response

  99. 100 Developer Response

  100. 101 Related Work • [Bailis et al. 2015] Study user

    level (Feral) invariants in Ruby on Rails applications • [Jorwekar et al. 2007] Provide analysis methods for detecting potential anomalies in transaction programs for Snapshot Isolation • [Fekete et al. 2009] Quantify Read Committed and Snapshot Isolation anomalies • Our focus is on any non-serializable behavior in API based web applications as observed in practice

  101. 102 Conclusions • Many popular eCommerce applications do not use

    transactions correctly • 2AD: a new, cross-language analysis tool to check for potential anomalies • Using 2AD, we find 22 new vulnerabilities due to incorrect transaction usage affecting up to 2M+ eCommerce sites

  102. 103 Conclusions • Many popular eCommerce applications do not use

    transactions correctly • 2AD: a new, cross-language analysis tool to check for potential anomalies • Using 2AD, we find 22 new vulnerabilities due to incorrect transaction usage affecting up to 2M+ eCommerce sites Thanks! twarszaw@stanford.edu https://github.com/stanford-futuredata/acidrain