Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications. Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich (MIT, Stanford University). USENIX '09.

Presentation transcript:

Slide 1: Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications. Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich (MIT, Stanford University). USENIX '09.

Slide 2: Outline
1. Introduction
2. Web Application Security Architecture
3. Authentication Inference
4. Authorization Enforcement
5. Implementation
6. Experimental Results
7. Conclusion

Slide 3: 1. Introduction
- Each web application deploys its own authentication and access control logic.
- The file system and database layers perform operations with the privileges of the web application, not those of the end user.
- No defensive tools exist that automatically prevent authentication and access control vulnerabilities.

Slide 4: Nemesis
- Modifies the language interpreter and runtime library rather than the application:
  – shadow authentication
  – taint tracking of data flow, string comparisons and I/O
- Does not require the application's behavior to be modified.

Slide 5: 2. Web Application Security Architecture
- Authentication: the application takes user input, performs an authentication check to validate it, and on success creates a login session for the user.
- Access control attacks: the attacker causes the server to execute server-side operations that the attacker is not authorized to perform.

Slide 6: (diagram only, no text)

Slide 7: 3. Authentication Inference
- Goal: infer when authentication has occurred.
- A shadow authentication system tracks the authentication steps independently of the application.
- The developer has to provide a small "annotation":
  – where the usernames and passwords are stored
  – any external authentication function

Slide 8: Dynamic Information Flow Tracking (DIFT)
- Every data item is tagged with:
  – a "credential" taint bit
  – a "user input" taint bit
- Taint propagation is performed inside the language interpreter: if a source operand is tainted, the destination operand becomes tainted.

Slide 9: Two taint tag bits
- "credential" taint bit: the data item represents a known-good password or other credential.
- "user input" taint bit: the data item was supplied by the user as part of the HTTP request.
- Nemesis propagates both taint bits.

Slide 10: (diagram only, no text)

Slide 11: Nemesis overview
- ACL enforcement:
  – intercept I/O operations to enforce file ACLs
  – intercept and rewrite SQL queries to enforce database ACLs
- DIFT:
  – two tag bits per object to track credentials and user-input taint
  – tag propagation on all operations
  – automatic inference of authentication checks

Slide 12: Creating a New Login Session
- Data tagged "user input" is compared to data tagged "credential" using the string (in)equality operators.
- When the user-supplied password matches the one stored in the password database, Nemesis infers that the user has authenticated; the comparison plays the role of the authentication function.

Slide 13: Keeping the Login Session
- Nemesis keeps the shadow login session in an entirely separate session-management framework from the application's.
- The shadow authentication state is carried in a shadow cookie protected with a private key.

Slide 14: 4. Authorization Enforcement
- Access control rules (ACLs): the developer supplies ACLs for files, directories and the database.
- ACL check: before an operation is executed, Nemesis verifies that the current shadow-authenticated user is permitted to perform it.

Slide 15:
- Restricts access to files, directories and the database by intercepting the I/O operation.
- Little programmer effort is required.

Slide 16: Against SQL injection (to..)
- Rewrite the SQL query and add a third tag bit in the zval, which denotes user input that may be interpreted as a SQL keyword or operator.
- SQL quoting functions clear this tag bit:
  – mysql_real_escape_string()

Slide 17: 5. Implementation
- A prototype of Nemesis was implemented by modifying the PHP interpreter.
- The tag bits are stored in the zval structure: due to alignment restrictions, the zval structure has a few unused bits.

Slide 18: Tag Initialization
- Any input is tainted with the "user input" bit.
- A global variable stores the candidate username associated with the password being checked.
- The shadow authentication system uses this candidate username to initialize the shadow cookie (via setcookie()).

Slide 19: Password Comparison
- Authentication inference is performed by modifying the PHP interpreter's string comparison operators.
- After a comparison, the interpreter checks whether the two string operands were determined to be equal.
- If they are equal, and operand A carries the "credential" bit while operand B carries the "user input" bit, authentication succeeds.
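The tag bits of slides 8 and 9, the comparison-based inference of slides 12 and 19, the third SQL tag bit of slide 16 and the ACL checks of slides 11 and 14, modelled together in one added Python example. This is not the paper's code or the PHP prototype; the tag names, the Shadow class, the constructed password and ACL tables, the remember_me_bypass scenario and the rewrite_query wrapper are assumptions made for this illustration only.

```python
# Added example, not the paper's PHP interpreter patch: a toy model of
# Nemesis-style tag bits, propagation, authentication inference and ACL
# enforcement. Tag names, the Shadow class, the ACL tables and the
# rewrite_query wrapper are all assumptions made for this illustration.
from dataclasses import dataclass

CRED = 1 << 0        # "credential" bit: value came from the password store
USER_INPUT = 1 << 1  # "user input" bit: value came from the HTTP request
SQL_OP = 1 << 2      # third bit: user input that could act as a SQL keyword/operator


@dataclass(frozen=True)
class Tagged:
    """A string plus its tag bits (the spare zval bits in the real prototype)."""
    value: str
    tags: int = 0

    def __add__(self, other: "Tagged") -> "Tagged":
        # Propagation rule: the destination carries the union of the source tags.
        return Tagged(self.value + other.value, self.tags | other.tags)


def from_request(s: str) -> Tagged:
    # Tag initialisation: request data is "user input" and, until it is
    # quoted, may be interpreted as SQL syntax.
    return Tagged(s, USER_INPUT | SQL_OP)

def from_password_db(s: str) -> Tagged:
    return Tagged(s, CRED)

def escape_string(s: Tagged) -> Tagged:
    # Stand-in for mysql_real_escape_string(): quoting clears SQL_OP,
    # while the data remains tagged as user input.
    return Tagged(s.value.replace("'", "''"), s.tags & ~SQL_OP)


class Shadow:
    """Shadow authentication state owned by the runtime, not by the application."""

    def __init__(self) -> None:
        self.candidate_username = None  # global set when the login form is read
        self.user = None                # current shadow-authenticated user

    def string_equal(self, a: Tagged, b: Tagged) -> bool:
        # Hooked == operator: operands equal, one a credential, the other
        # user input  =>  the runtime infers that authentication succeeded.
        equal = a.value == b.value
        cred_vs_input = (a.tags & CRED and b.tags & USER_INPUT) or \
                        (b.tags & CRED and a.tags & USER_INPUT)
        if equal and cred_vs_input:
            self.user = self.candidate_username
        return equal


# Constructed sample data for the scenarios below.
PASSWORD_DB = {"alice": "s3cret", "admin": "hunter2"}
FILE_ACL = {"/var/www/uploads/alice.txt": {"alice"},
            "/var/www/config.php": {"admin"}}

def app_login(shadow: Shadow, username: Tagged, password: Tagged) -> bool:
    """The application's own login check, run on top of the hooked comparison."""
    shadow.candidate_username = username.value
    stored = from_password_db(PASSWORD_DB.get(username.value, ""))
    return shadow.string_equal(password, stored)

def remember_me_bypass(shadow: Shadow, cookie_user: Tagged):
    """A buggy 'remember me' path: the app trusts a cookie without comparing
    any credential, so the runtime never infers shadow authentication."""
    app_logged_in_as = cookie_user.value
    return app_logged_in_as, shadow.user

def open_checked(path: str, shadow: Shadow) -> bool:
    """File ACL check performed at the intercepted I/O call."""
    return shadow.user is not None and shadow.user in FILE_ACL.get(path, set())

def build_query(parts) -> str:
    """Concatenate query fragments; refuse if any fragment still carries SQL_OP."""
    query = Tagged("")
    for part in parts:
        query = query + part
    if query.tags & SQL_OP:
        raise ValueError("user input reaches the query as SQL syntax")
    return query.value

def injection_rejected(parts) -> bool:
    try:
        build_query(parts)
        return False
    except ValueError:
        return True

def rewrite_query(query: str, shadow: Shadow, owner_column: str = "owner") -> str:
    """DB ACL enforcement (assumed form): wrap the query so only rows owned by
    the shadow user are visible. The username is quoted before being embedded."""
    if shadow.user is None:
        raise PermissionError("no shadow-authenticated user")
    owner = shadow.user.replace("'", "''")
    return f"SELECT * FROM ({query}) AS q WHERE {owner_column} = '{owner}'"
```

The remember_me_bypass scenario is the point of the design: the application may believe a user is logged in through a flawed code path, but the shadow user is only ever set by a successful credential-versus-input comparison, so the ACL checks in open_checked and rewrite_query deny the access. The SQL_OP bit shows the complementary side: concatenating unescaped request data into a query is refused, while data passed through escape_string is accepted.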

Slide 20: Authentication check
- Check the global variable that indicates the current shadow-authenticated user.
- If it is not set, check whether shadow authentication information is stored in the current session file.
- Otherwise, check the shadow authentication cookie and extract the user from it.
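The keyed shadow cookie of slide 13 and the three-step lookup of slide 20, as an added Python example. It is not the paper's implementation: the cookie name, the HMAC-based protection with a runtime-held key and the current_shadow_user helper are assumptions chosen for this illustration.

```python
# Added example (not the paper's code): a keyed shadow cookie as one way to
# carry the shadow authentication state across requests, plus the lookup
# order of slide 20. Cookie name and key handling are assumptions.
import hashlib
import hmac
import secrets

SHADOW_COOKIE = "nemesis_shadow"       # assumed cookie name
RUNTIME_KEY = secrets.token_bytes(32)  # private key held by the runtime, never by the app

def make_shadow_cookie(username: str, key: bytes = RUNTIME_KEY) -> str:
    """Cookie value = username | HMAC-SHA256(key, username)."""
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"

def read_shadow_cookie(cookie, key: bytes = RUNTIME_KEY):
    """Return the shadow user, or None if the cookie is missing or forged."""
    if not cookie or "|" not in cookie:
        return None
    username, mac = cookie.rsplit("|", 1)
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC check itself does not leak.
    return username if hmac.compare_digest(mac, expected) else None

def current_shadow_user(global_user, session_data: dict, cookies: dict):
    """Slide 20 order: global variable, then session file, then shadow cookie."""
    if global_user is not None:
        return global_user
    if "shadow_user" in session_data:
        return session_data["shadow_user"]
    return read_shadow_cookie(cookies.get(SHADOW_COOKIE))
```

Because the key lives in the runtime and the application never sees it, an application bug that lets an attacker set arbitrary cookies does not let them mint a valid shadow cookie; a cookie with a changed username or a wrong MAC is treated as no shadow user at all.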

Slide 21: Access control check
- On each file access, the current shadow-authenticated user is checked against the list of files that the ACL makes accessible.
- These checks were inserted into the applications manually, based on the ACL.

Slide 22: 6. Experimental Results

Slide 23:
- Authentication bypass attacks: the shadow authentication state is not affected by them.
- An installation script that resets the administrator password: the access is restricted by the ACL.

Slide 24: 7. Conclusion
- A novel methodology for preventing authentication and access control bypass.
- Shadow authentication system: tracks the user's authentication state in an additional HTTP cookie.
- Programmers can specify ACLs.
- Little effort is required (< 100 LoC).