Privilege escalation vulnerability detection using message digest differentiation

US 10,523,699 B1
Filed: 06/20/2017
Issued: 12/31/2019
Est. Priority Date: 06/20/2017
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

obtaining a set of reference signatures for a set of web pages of a web application, individual signatures of the set of reference signatures calculated using a fuzzy hashing algorithm, the fuzzy hashing algorithm producing matching values for matching but different inputs;

initiating a session using authentication information of a user of the web application;

crawling the web application over the session to obtain a set of responses to requests made to the web application;

calculating a set of signatures for the set of responses, individual signatures calculated using the fuzzy hashing algorithm;

for a first signature in the set of signatures for the set of responses, performing a comparison between the first signature and a second signature of the set of reference signatures, the first signature and second signature both associated with a uniform resource identifier corresponding to a web page of the web application for which the user lacks authorization to access;

detecting, based at least in part on the comparison, that the user has an ability to exceed a set of privileges associated with the user; and

indicating that the user has the ability to exceed the set of privileges.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques described and suggested herein include various systems and methods for detecting privilege escalation vulnerabilities. A detection service may determine one or more resources of a service or application the computing resource service provider to test. The detection service may determine a set of message digests corresponding to responses to requests to access the resource of the service or application. A subset of the set of message digests associated with an identifier may be compared to determine whether an entity associated with one of the subset of message digests is able to exceed a set of privileges attributed to the entity.

Citations

20 Claims

1. A computer-implemented method, comprising:
- obtaining a set of reference signatures for a set of web pages of a web application, individual signatures of the set of reference signatures calculated using a fuzzy hashing algorithm, the fuzzy hashing algorithm producing matching values for matching but different inputs;
  
  initiating a session using authentication information of a user of the web application;
  
  crawling the web application over the session to obtain a set of responses to requests made to the web application;
  
  calculating a set of signatures for the set of responses, individual signatures calculated using the fuzzy hashing algorithm;
  
  for a first signature in the set of signatures for the set of responses, performing a comparison between the first signature and a second signature of the set of reference signatures, the first signature and second signature both associated with a uniform resource identifier corresponding to a web page of the web application for which the user lacks authorization to access;
  
  detecting, based at least in part on the comparison, that the user has an ability to exceed a set of privileges associated with the user; and
  
  indicating that the user has the ability to exceed the set of privileges.
- View Dependent Claims (2, 3, 4)
- - 2. The computer-implemented method of claim 1, wherein the set of signatures is obtained in connection with a second user associated with a second set of privileges for accessing the web application, the second set of privileges being sufficient to successfully access all web pages of the web application.
  - 3. The computer-implemented method of claim 1, wherein detection that the user has the ability to exceed the set of privileges is as a result of a determination that the first signature is insufficiently dissimilar to the second signature.
  - 4. The computer-implemented method of claim 1, wherein a service of a computing resource service provider crawls the web application using authentication information of the service.

5. A system, comprising:
- one or more physical processors; and
  
  memory that stores computer-executable instructions that, as a result of being executed, cause the system to;
  
  determine a signature associated with an entity, the signature associated with an identifier available for access to the entity, the signature produced using a fuzzy hashing algorithm that produces matching values for a matching but different pair of inputs;
  
  perform a comparison between the signature and a reference signature, the reference signature also associated with the identifier and produced using the fuzzy hashing algorithm; and
  
  indicate a result of the comparison, the result indicating whether the entity is able to exceed a set of privileges associated with the entity.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The system of claim 5, wherein access privileges associated with the reference signature are different than access privileges associated with the entity.
  - 7. The system of claim 5, wherein the reference signature corresponds to an indication of successful access to a resource associated with the identifier.
  - 8. The system of claim 5, wherein the signature is determined at least in part by receiving a response to an attempt by a service of a computing resource service provider to access a resource associated with the identifier.
  - 9. The system of claim 5, wherein performance of the comparison includes comparing pairs of fuzzy hash values generated from responses to requests for resource access, and the result indicating that the entity is able to exceed the set of privileges is based at least in part on a determination that the pair of fuzzy hash values are determined as being within a predetermined range of similarity.
  - 10. The system of claim 5, wherein the signature and the reference signature are obtained in connection with establishment of one or more communications sessions with an application associated with the identifier.
  - 11. The system of claim 5, wherein, exceeding the set of privileges is associated with a higher level of access than the entity should be permitted.
  - 12. The system of claim 5, wherein exceeding the set of privileges is associated with access to information associated with a different entity.

13. A non-transitory computer-readable storage medium storing executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
- determine a set of signatures related to access attempts for resource identifiers, the set of signatures comprising a first signature associated with a request to a first identifier using credentials of a user entity, the set of signatures produced using a fuzzy hashing algorithm that produces matching values for a matching but different pair of inputs;
  
  perform a comparison between the first signature and a reference signature corresponding to the first signature by association with the first identifier, the reference signature produced using the fuzzy hashing algorithm; and
  
  indicate whether the user entity is able to exceed a set of privileges associated with the user entity based at least in part on the comparison.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory computer-readable storage medium of claim 13, wherein the instructions further comprise instructions that, as a result of being executed by the one or more processors, cause the computer system to, as a result of an indication that the user entity is able to exceed the set of privileges, perform a remediation action to limit risk of harm associated with a vulnerability caused by exceeding the set of privileges.
  - 15. The non-transitory computer-readable storage medium of claim 13, wherein the first signature corresponds to an attempt to access a resource associated with the first identifier using authentication information of the user entity, and the user entity is unauthorized to access the resource.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the reference signature corresponds to a successful attempt to access the resource associated with the first identifier using authentication information of a user associated with universal access privileges to the resource.
  - 17. The non-transitory computer-readable storage medium of claim 13, wherein the set of signatures is generated subject to the fuzzy hashing algorithm, and the indication that the user entity is able to exceed the set of privileges is based on a similarity of the first signature to the reference signature.
  - 18. The non-transitory computer-readable storage medium of claim 13, wherein the first identifier corresponds to a first service of a computing resource service provider and the user entity corresponds to a second service of the computing resource service provider.
  - 19. The non-transitory computer-readable storage medium of claim 13, wherein the first identifier corresponds to a resource of a computing resource service provider and the entity corresponds to a user of the computing resource service provider.
  - 20. The non-transitory computer-readable storage medium of claim 13, wherein the user entity is unauthorized to access the resource, the comparison includes determination of a signature differential representing a level of similarity between the first signature and the reference signature, and an indication that the user entity is able to exceed the set of privileges is based at least in part on the signature differential exceeding a predetermined similarity threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Alamuri, Naga Venkata Sunil
Primary Examiner(s)
Pich, Ponnoreay

Application Number

US15/627,943
Time in Patent Office

924 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/102   Entity profiles

H04L 63/126   the source of the received ...

H04L 63/1433   Vulnerability analysis

Privilege escalation vulnerability detection using message digest differentiation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Privilege escalation vulnerability detection using message digest differentiation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links