Presentation is loading. Please wait.

Presentation is loading. Please wait.

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010.

Published byLauren Skinner Modified over 8 years ago

Similar presentations

Presentation on theme: "Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010."— Presentation transcript:

1 Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010

2 2 Beyond Code Injection An application includes an unintended run-time program interpreter Dependent on application-specific authentication and access control regimes! 1. Injection 2. Cross Site Scripting 3. Broken Authentication and Session Mgmt. 4. Insecure Direct Object References 5. Cross Site Request Forgery 6. Security Misconfiguration 7. Insecure Cryptographic Storage....

3 3 Authentication Snafus

4 4 Surprise attack Security Policy Roads to Security Resource Attack vector #1 Attack vector #2 Attack vector #3 Audit Information flow: who can learn what Access control: who can change what

5 5 Dynamic Checking Program Variable Sensitive Datum Program Variable Output to User Store security information with values Check before interaction with environment. Pros ● Easy to add to existing programs ● Flexibility in coding security checks Cons ● Bugs are only found for program paths that are tested. ● Performance overhead

6 6 Static Checking Program Variable Output to User Pros ● Checks all program paths at compile time ● No changes to run-time behavior required Cons ● Usually requires extensive program annotation ● Limited policy expressiveness Type Sensitive Datum High SecurityLow Security Subtyping check

7 7 The Best of Both Worlds The UrFlow analysis for the Ur/Web programming language Like Dynamic Checking: ● No program annotations required ● Flexible and programmer- accessible policy language (SQL) Like Security Typing: ● Checks all program paths statically ● No run-time overhead

8 8 A Word About Ur/Web queryX (SELECT * FROM t) (fn row => {[row.T.A]} {[row.T.B]} {[row.T.C]} {[row.T.D]} <submit action={delete row.T.A} value="Delete"/> ); Integrated parsing and type-checking of SQL and HTML

9 9 Simple Policies policy sendClient (SELECT Id, Name FROM Secrets) IdId Name Secret Secrets Client may learn anything this query could return.

10 10 Reasoning About Knowledge policy sendClient (SELECT * FROM Secrets WHERE known(Code)) IdId Name Secret Code Secrets

11 11 What is “known”? Web page that generated this requestApp source “foo” 42 AUTH (Username, Password) = (U, P) Cookies n v known: “foo” 42 nv(U, P) UP ((42, v), P) (“foo”, n) (42, v)

12 12 Multi-Table Policies policy sendClient (SELECT Secret FROM Secrets, Users WHERE Owner = Users.Id AND known(Password)) IdId Name Secret Owner Secrets IdId Name Password Users

13 13 Understanding SQL Usage Program Execution... (U, P) = readCookie(AUTH); pass = SELECT Password FROM Users WHERE Id = U; if (pass != P) abort();... rows = SELECT Secret FROM Secrets WHERE Owner = U; // Send rows to client....... ∃ u ∈ Users. u.Id = U ∧ u.Password = P ∀ v. mightSend(v) ⇒ ∃ s ∈ Secrets. s.Owner = U ∧ v = s.Secret known (U, P)

14 14 Understanding SQL Usage ∃ u ∈ Users. u.Id = U ∧ u.Password = P ∀ v. mightSend(v) ⇒ ∃ s ∈ Secrets. s.Owner = U ∧ v = s.Secret known (U, P) ∧ ∧ policy sendClient (SELECT Secret FROM Secrets, Users WHERE Owner = Users.Id AND known(Password)) ∀ s ∈ Secrets. ∀ u ∈ Users. s.Owner = u.Id ∧ known(u.Password) ⇒ allowed(s.Secret) ∧ Prove: ∀ v. mightSend(v) ⇒ allowed(v)

15 15 UrFlow Sketch Program CodePolicies (SQL) Policies (First-Order Logic) Finite set of execution paths Symbolic executions State: P1 P2 P3... PN Check: Q1 Q2... Automated Theorem-Prover P2 /\ policies => Q1

16 16 Fancier Policies policy sendClient (SELECT Body FROM Messages, ACL, Users WHERE ACL.Forum = Messages.Forum AND ACL.User = User.Id AND known(Password) AND Level >= 42) Forum Body Messages IdId Password Users Forum User Level ACL

17 17 Write Policies policy mayInsert (SELECT * FROM Secrets AS New, Users WHERE New.Owner = Users.Id AND known(Password) AND known(New.Secret)) IdId Name Secret Owner Secrets IdId Name Password Users

18 18 Case Studies

19 19 Progress Programming Languages Researchers Practitioners Imperative programs are too hard to analyze! Just use declarative languages, and your life will be so much easier. App Maybe later. I'm going to get back to coding my web application, which does almost nothing besides SQL queries. UrFlow

20 20 Ur/Web Available At: http://www.impredicative.com/ur/ Including online demos with syntax-highlighted source code

Download ppt "Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010."

Similar presentations

Not like the State of Virginia. What is State in ASP.NET? Services (like web services) are Stateless. This means if you make a second request to a server,

Not like the State of Virginia. What is State in ASP.NET? Services (like web services) are Stateless. This means if you make a second request to a server,
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
DT228/3 Web Development JSP: Directives and Scripting elements.

DT228/3 Web Development JSP: Directives and Scripting elements.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Remotely authenticating against the Service Framework.

Remotely authenticating against the Service Framework.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Approaches to Application Security – DSM

Approaches to Application Security – DSM
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
INTERNET APPLICATION DEVELOPMENT For More visit:

INTERNET APPLICATION DEVELOPMENT For More visit:
Security testing of study information system Security team: Matis Alliksoo Alo Konno Urmo Lihten Taavi Podzuks Sander Saarm.

Security testing of study information system Security team: Matis Alliksoo Alo Konno Urmo Lihten Taavi Podzuks Sander Saarm.

Similar presentations

Ads by Google