Aaron Blankstein and Michael J. Freedman, Princeton University. Presenter: Tuan Tran.


Introduction
How to solve those threats?
Source:

Presentation Outline
- Security goals and assumptions
- Passe design
- Passe runtime in web setting
- Passe analysis phase
- Implementation
- Evaluations

Security goals and assumptions: Threat Model
- Developers supply non-malicious application code.
- Attackers are unable to compromise the trusted components.
- Passe's trusted components provide very simple functionality.

Security goals and assumptions: Motivating Classes of Vulnerabilities
- Poorly understood application behavior: use of library calls which have surprising behavior.
- Cross-Site Scripting: XSS attacks may allow a vulnerability in one view to make AJAX requests to other views.
- Arbitrary Code Execution: attackers can execute arbitrary code.

Security goals and assumptions: Security Properties of Passe
- Isolation of Execution: an attacker is unable to inspect or alter the memory of views.
- Isolation of Data: an attacker is unable to read or modify portions of the durable data store.
- Enforcement of Data Policy: an attacker is unable to violate high-level application data policies.

Passe design
Accommodates the typical tiered, scale-out architecture.
- Service tier: handles requests; accesses shared storage.
- Storage tier: handles partitions of the shared storage.

Passe design
- Apps are decomposed into isolated views.
- Views handle specific requests.
- Passe introduces a stateless proxy between the service and storage tiers.

Passe design: Interacting with a Shared Data Store
- Passe provides data isolation between application views.
- Application views interact with a shared data store through a query interface.
- An unbound query has a set of arguments. Ex: result = fetchUserMessage(uname = "Bob")
- Passe constrains the arguments to queries.

Passe design: Protecting the Shared Data Store
- Enforce dependencies with a database proxy and cryptographic tokens.
- Every request and response must include a token.
- To approve a query, the database proxy checks: the unbound query; the argument value and its token.

Passe design: Learning Constraints
- Passe uses dynamic taint tracking to learn the dependencies.
- Developers can either supply test cases or run an "internal beta".
- Passe translates dependencies into the token-based constraints, allowing any of the witnessed traces to run.

Passe runtime in web setting
Implemented as a drop-in replacement for Django.
- Dispatcher: uses the URL of a request.
- Session Manager: handles mapping cookies.
- Authentication Manager: checks user credentials.
- Database proxy: mediates access to the database.
- View Server: provides a wrapper around the view function.

Passe runtime in web setting: Isolating Views
- Determining view boundaries: each view handles a complete request.
- Translating function calls: wrap application code with a view server.
- Dealing with global variables: shared global variables are no longer shared.
- Sandboxing the processes: engage Linux's AppArmor; create specific communication channels for the processes.

Passe runtime in web setting: Constraining SQL Queries
- Specify how a SQL query maps to an unbound query: treat the query string as the unbound query; store the string with a cryptographic hash of the query string.
- Specify how SQL query results are stored: use a hash of the query string; separate the results by column.

Passe runtime in web setting: Handling a Web Request
- The view receives the HTTP request object and a token.
- The view makes two queries with protected arguments.
- The view displays all posts from Alice's friends.
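The following is an added example, not code from the Passe project or the slides, that walks through the query interface, token checks and query-string hashing described in the "Protecting the Shared Data Store", "Constraining SQL Queries" and "Handling a Web Request" slides for a two-query timeline view. It assumes (my simplification) that a token is an HMAC, keyed by the trusted dispatcher and proxy, over a value and the provenance it came from; the policy, SQL strings and in-memory rows are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added illustration of Passe's token-checked query interface; not the
# project's code. Assumption: a token is an HMAC, under a key held only by the
# trusted dispatcher and proxy, over a value and the provenance it came from.
KEY = secrets.token_bytes(32)

def query_id(sql):
    """An unbound query is identified by a hash of its SQL string."""
    return hashlib.sha256(sql.encode()).hexdigest()

def token(source, value):
    """Bind a value to its provenance: 'user_id' or '<query id>:<column>'."""
    return hmac.new(KEY, f"{source}\0{value}".encode(), "sha256").hexdigest()

# Constructed two-query app: a user's friends, then the posts of each friend.
FRIENDS_SQL = "SELECT friend_id FROM friends WHERE user_id = %s"
POSTS_SQL = "SELECT body FROM posts WHERE author_id = %s"
# Learned policy: the only provenance each argument of each query may have.
POLICY = {query_id(FRIENDS_SQL): ["user_id"],
          query_id(POSTS_SQL): [query_id(FRIENDS_SQL) + ":0"]}
# Constructed in-memory store: SQL string -> argument value -> result rows.
TABLES = {FRIENDS_SQL: {"alice": [("bob",), ("carol",)]},
          POSTS_SQL: {"bob": [("hi from bob",)], "carol": [("hi from carol",)],
                      "mallory": [("mallory's private post",)]}}

def proxy_query(sql, args):
    """Database proxy. args: (value, token) pairs. Returns rows whose cells are
    (value, token) pairs, or None if the query string or any token is rejected."""
    qid = query_id(sql)
    if qid not in POLICY or len(args) != len(POLICY[qid]):
        return None                     # unknown query string or wrong arity
    for source, (value, tok) in zip(POLICY[qid], args):
        if not hmac.compare_digest(token(source, value), tok):
            return None                 # value did not flow from allowed source
    rows = TABLES[sql].get(args[0][0], [])
    return [[(cell, token(f"{qid}:{col}", cell)) for col, cell in enumerate(row)]
            for row in rows]

def dispatcher_token(user_id):
    """Trusted dispatcher mints the request token once the user is authenticated."""
    return token("user_id", user_id)

def timeline_view(user_id, user_token):
    """Untrusted view: gets the user ID and token with the request, issues both
    queries, and can only pass tokened results on to the second one."""
    posts = []
    for row in proxy_query(FRIENDS_SQL, [(user_id, user_token)]) or []:
        posts += [r[0][0] for r in proxy_query(POSTS_SQL, [row[0]]) or []]
    return posts
```

A view that alters the SQL string, or that supplies an author ID it did not receive as a tokened friends result, gets None from the proxy rather than rows.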

Passe runtime in web setting: User Authentication and Session Management
Modify Django's mechanisms for associating a request with a user.
- In Django: a view can call into the library, which returns the user; the request is part of a session associated with a user.
- In Passe: embed the user's ID in a token.

Passe runtime in web setting
An end user's browser presents a significant attack channel.
(Figure: cross-view attack channel)

Passe runtime in web setting: Isolating Views at the Client's Browser
- Passe supports execution with isolation at the client browser.
- Passe's dispatcher interposes on AJAX requests between views.
- A trusted shim layer ensures that the headers are correctly added to each outgoing AJAX request.

Passe runtime in web setting: Applicability to Other Frameworks
Passe's architecture is applicable to other web frameworks, e.g. Ruby on Rails:
- The dispatcher makes routing decisions based on Rails' routes.
- Views are separated along Rails' ActionControllers and Views.
- Passe would need to provide a new third-party authentication library.

Passe analysis phase
Passe monitors application execution to:
- Enumerate views: assign each of them a unique identifier.
- Enumerate queries: associate each view with its SQL queries.
- Infer dependency relationships between queries: determine data and control-flow relationships.
- Translate dependencies into enforceable constraints.

Passe analysis phase: Dynamic Taint Tracking
- The interpreter exposes a library which application-level code can use for taint tracking and tracing.
- Any instruction which returns an object propagates taint from the arguments to that object.
- The interpreter checks the taint of any boolean used to evaluate a conditional jump.

Passe analysis phase: Tainting Data Objects and Logging Query Events
Passe captures a query call with the following information:
- The view.
- The query string.
- An ordered list of the query's argument values and their taints.
- Any previous database results and their taints.
- The control-flow taint set for the execution context.
The analyzer translates witnessed dependency relationships between queries and objects into the integrity constraints.

Passe analysis phase: Inferring Constraints from Dependency Relationships
Passe collects all of the events and merges the dependencies.
- Data-flow relationships: check for equality and set-membership relationships; these two relationships are captured based on object identifiers.
- Control-flow relationships: determine which control-flow relationships affect the event; create a set of invariants for the query.
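An added, simplified model (not the project's analyzer) of the taint propagation, query-event logging and data-flow inference from the three analysis-phase slides above: each logged event records tainted arguments and prior results, candidate equality or set-membership relationships are found per argument, and only relationships witnessed in every trace of a query survive the merge. Assumptions: provenance labels stand in for the object identifiers the slides mention, control-flow taints are left out, and the traces are constructed.

```python
from dataclasses import dataclass, field
# Added model of Passe's analysis-phase inference; not the project's code.
# A label names a value's provenance: the request's bound user ID ("user_id")
# or a prior query's result column ("<sql>:<column>"). Relationships are only
# considered for labels in an object's taint (assumption, in place of object ids).

@dataclass(frozen=True)
class Tainted:
    value: object
    taint: frozenset = frozenset()     # provenance labels the object carries

def derive(value, *inputs):
    """Any instruction that returns an object inherits the taint of its inputs."""
    return Tainted(value, frozenset().union(*(i.taint for i in inputs)))

@dataclass
class QueryEvent:                      # one logged query call
    view: str
    sql: str
    args: list                         # Tainted argument values
    bound: dict = field(default_factory=dict)   # label -> request-bound value
    prior: dict = field(default_factory=dict)   # label -> prior result values

def candidates(arg, ev):
    """Data-flow relationships that could explain one argument in one event."""
    rels = set()
    for label in arg.taint:
        if ev.bound.get(label) == arg.value:
            rels.add(("equals", label))
        if arg.value in ev.prior.get(label, ()):
            rels.add(("member_of", label))
    return rels

def infer_constraints(events):
    """Merge traces: keep only relationships witnessed in every run of a query."""
    policy = {}
    for ev in events:
        per_arg, key = [candidates(a, ev) for a in ev.args], (ev.view, ev.sql)
        policy[key] = per_arg if key not in policy else [
            old & new for old, new in zip(policy[key], per_arg)]
    return policy

FRIENDS = "SELECT friend_id FROM friends WHERE user_id = %s"
POSTS = "SELECT body FROM posts WHERE author_id = %s"
def trace(user, friends):
    """Constructed 'internal beta' run of the timeline view for one user."""
    uid = Tainted(user, frozenset({"user_id"}))
    rows = [Tainted(f, frozenset({FRIENDS + ":0"})) for f in friends]
    return [QueryEvent("timeline", FRIENDS, [uid], bound={"user_id": user}),
            QueryEvent("timeline", POSTS, [rows[0]], bound={"user_id": user},
                       prior={FRIENDS + ":0": friends})]
```

An argument whose taint names a source but whose value neither equals nor is a member of it yields an empty candidate set, which is the case the false-positive/negative slide says a developer resolves with more test cases or a manual dependency.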

Passe analysis phase: Impacts of False Positives and Negatives
- False positive: developers allow a dataflow which Passe does not. Resolve by including new test cases.
- False negative: Passe generates a policy which is too permissive. Remedy by manually inserting the dependencies into the policy.

Implementation
Passe is implemented as a modified version of Django 1.3.
- Runtime engine: modify the dispatcher to support interprocess calls to views; modify the library to make proxied requests.
- Analysis engine: add annotating calls for the tracer.

Implementation: Unsupported Django Behavior
- Views are forced to authenticate users through the default authentication library.
- Applications cannot use arbitrary global variables.
- The URL map may only contain views found during analysis.

Protections for real applications: Passe in the Presence of Vulnerabilities
- Unexpected behavior: the normal path of the code would create a constraint for the SQL statements.
- XSS attacks: restricting the content returned by views.
- Arbitrary code execution: restricting developer-supplied code to specific database actions.

Protections for real applications: Common Web Vulnerabilities and Their Effects
- SQL Injection: the only parts of a query allowed to change are the arguments, so SQL injection attacks are mitigated.
- Cross-Site Request Forgery: mitigate CSRF attacks by requiring forms to carry CSRF tokens.
- Clickjacking: load web pages in an HTML frame and access them using JavaScript. Passe adds the X-Frame-Options header to all outgoing responses.

Evaluation: Case studies
- Social News Platform: a social news service like Reddit; users can submit stories and comments and vote on them.
- CMS Platform: users can create and manage a blog; supports multiple authors, groups and static pages.
- Web Forum: developers can run an online forum; supports user accounts and groups.

Performance evaluations: Latency
- Measure the latency of requests by repeatedly fetching application pages with a single user.
- Passe's latency overhead is not an excessive burden.

Performance evaluations: Throughput (TP)
- For apps with little I/O and no database operations, TP is reduced by 37%.
- For apps requiring more I/O and queries, TP is reduced by 25%.
- The cost of Passe may vary greatly.

Performance evaluations: Memory Overhead
- Passe adds memory overhead, as each view requires a separate OS process.
- Memory overhead is large but does not increase significantly under load.

Conclusion
- Passe provides security guarantees for applications.
- Passe decomposes applications into isolated views.
- Passe enforces the integrity of data queries and security policy.
- The Passe prototype is capable of executing unmodified Django applications with little performance overhead.

Q & A