Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.

Slide 1: Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers
Prateek Saxena (UC Berkeley), Mike Samuel (Google), Dawn Song (UC Berkeley)

Slide 2: Script Injection Vulnerabilities
– OWASP Top Ten Vulnerabilities: 2nd in 2010 & 2011
– Affects today: major web services, client-side libraries, browser extensions, devices & smartphones

Slide 3: Predominant Defense Practice
Why does it fail?
– Developers forget to sanitize [Pixy06, PhpTaint06, Cqual04, Merlin09, Securifly05, PhpAspis11]
– Developers pick the wrong sanitizer [CCS11]
Unsanitized render code (the tag strings passed to print were lost in the transcript):
  String Div.Render() { print( ); print(userimg); print( ); }
Manually sanitized render code, calling Sanitize() from the Sanitizer Library:
  String Div.Render() { print( ); print(Sanitize(userimg)); print( ); }

Slide 4: Vision
– Eliminate scripting attacks: make applications secure by construction
(Diagram: Developer Code → Application Code)

Slide 5: Contributions
– A new "push-button" defense primitive: a "security by construction" approach
– Context-Sensitive Auto-Sanitization (CSAS)
  – New challenge: which sanitizers to place where?
  – Targets existing web templating frameworks
– It is practical: deployed commercially; Google Closure Templates powers Google+
– Goals: Fast, Auditable, Compatible, Secure

Slide 6: Web Templating Frameworks
(Diagram: Template → Templating Framework Compiler → target-language code (Java, JS) ← Application calls)
Template code (the template language does not have complex constructs):
  template imgRender($imgLink, $name) {
    print ("<img src=\"");
    print ($imgLink);
    print ("\"/>" . $name);
    return;
  }
Application code (explicitly separates untrusted inputs):
  var o = new soy.StringBuilder();
  imgRender({O: o, imgLink: $_GET(extlink), name: [$_GET(name)]});
  document.write(o);

Slide 7: Talk Outline
– System architecture & features
– Challenges
– The CSAS engine design
– Implementation
– Evaluation & deployment

Slide 8: CSAS System Architecture
(Diagram: Template → Compiler with instrumented auto-sanitization, backed by the Sanitizer Library → Java / JS code ← Application calls; the compiler may also report a Static Error)

Slide 9: CSAS Auditability & Compatibility
(Same architecture diagram: Compiler with instrumented auto-sanitization, Sanitizer Library, Java / JS output, Static Error)
– Easily auditable
– Compatibility: no developer involvement; minimize static errors
– Also required: security, performance

Slide 10: Security & Correctness (I)
Property C_SAN: Context-Sensitive Sanitization
Example: template ImgRender($imgLink, $name) {……………} renders
  <img src="/$name/img?f=$imgLink"/>$name
Contexts annotated along the output: HTML Tag Context, URI START Context, URI PATH Context, URI QUERY Parameter Context, HTML Tag Context. Sanitizers shown: HtmlSanitizer, URLSanitizer.
Attacks vary by context!

Slide 11: Security & Correctness (II)
Property NOS: No Over-Sanitization
Same output, <img src="/$name/img?f=$imgLink"/>$name: sanitize only untrusted data ($name, $imgLink), not constant strings such as "/img?f=".

Slide 12: Security Assumptions
– Canonical HTML parser: flexible enough to recognize browser differences [GWT, CTemplates]
– Correct sanitizers
  – Extensive community effort [OWASP, HtmlPurify, GWT, Django]
  – Research on secure sanitization primitives [Bek11, Hampi09, Min06]
  – Already used in many frameworks

Slide 13: Challenges
Goals: easily auditable, compatibility, security, performance
(Diagram: security, performance and compatibility shown as three axes in tension)

Slide 14: Approach #1: Context-Insensitive Sanitization
Original template:
  template ImgRender($imgLink, $name) {
    print ("<img src=");
    x := $imgLink;
    print ($x);
    print ("/>" . $name);
    return;
  }
With one HTML encoder applied to every untrusted value:
  template ImgRender($imgLink, $name) {
    print ("<img src=");
    x := HtmlEncode($imgLink);
    print ($x);
    print ("/>" . HtmlEncode($name));
    return;
  }
Attack input for $imgLink: javascript: bad();
HTML encoding does not neutralize it, because the browser decodes the attribute value and then interprets it as a URL.
(Axes: security, performance, compatibility)
False sense of security!

Slide 15: Approach #2: Context-Sensitive Runtime Parsing (CSRP)
The output of template ImgRender($imgLink, $name) {……………} is parsed at runtime to find the context of each print:
  <img src="/img?f=$imgLink ... $name
– URI START Context → URLSanitizer
– URI Param Context → URLParamSanitizer
(Axes: security, performance, compatibility)

Slide 16: Rich Language Features
String concatenation before the print:
  template ImgRender($imgLink, $name) {
    print ("<img src='");
    x := "/" . $name . "/img?f=" . $imgLink;
    print ($x);
    print ("'/>" . $name);
    return;
  }
Renders: <img src='/$name/img?f=$imgLink'/>$name

Slide 17: Rich Language Features: Control Flow
  template ImgRender($imgLink, $name) {
    print ("<img src='");
    if ($name != "") then
      x := "/" . $name . "/img?f=" . $imgLink;
    else
      x := $imgLink;
    fi
    print ($x);
    print ("'/>" . $name);
    return;
  }
Renders: <img src='/$name/img?f=$imgLink'/>$name
Usage contexts are statically ambiguous: sanitization requirements vary by path!

Slide 18: Our Approach
CSAS Engine, built on context type qualifiers:
Untyped Template → Type Inference → Well-Typed IR → Compilation → Compiled Code

Slide 19: Context Type Qualifiers
Context type qualifier: "which contexts is a string safe to be rendered in"
Terms and their types:
  x := "<img src='" . $imgLink;                 (type: <img src=' followed by $imgLink)
  y := UrlAttribSanitize($imgLink);
  x := "<img src='" . y;
Type inference: where to place sanitizers?

Slide 20: Ensuring Compatibility: Key Ideas
Flow-sensitive type qualifiers
  template StatAmb($imgLink, $name) {
    if ($name == "") then
      print ("<img src=\"");
    else
      print ( );
    fi
    print ($imgLink);
  }
The context of $imgLink depends on the branch taken: DYN vs. STATIC.
– Statically sanitized: 99% of prints
– CSRP approach (runtime parsing) for the statically ambiguous remainder: 1%
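As an added example, not code from Closure Templates or the authors, this toy JavaScript makes the C_SAN and NOS properties of slides 10 and 11 and the sanitizer-placement question of slides 14, 15 and 19 concrete: constant template text drives a context scanner, each untrusted print gets the sanitizer for its context, constants are emitted untouched, and a print in a context with no sanitizer is a static error. The context names, the `compile` / `advance` helpers and the `about:invalid#rejected` placeholder are all assumptions made for this example.

```javascript
const HTML_TEXT = "HTML_TEXT", HTML_TAG = "HTML_TAG", URI_START = "URI_START",
      URI_PATH = "URI_PATH", URI_QUERY = "URI_QUERY";
const htmlEscape = s => String(s).replace(/[&<>"']/g,
  c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
// URI start: scheme-less URIs and http(s)/mailto pass; anything else (javascript:,
// data:, ...) is replaced by a placeholder URL chosen for this example.
function uriStartSanitize(s) {
  const v = String(s), m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return htmlEscape(!m || /^(https?|mailto)$/i.test(m[1]) ? v : "about:invalid#rejected");
}
const SANITIZERS = {                  // one sanitizer per context (property C_SAN)
  [HTML_TEXT]: htmlEscape,
  [URI_START]: uriStartSanitize,
  [URI_PATH]: s => htmlEscape(encodeURIComponent(s)),
  [URI_QUERY]: s => htmlEscape(encodeURIComponent(s)),
};
// Advance the context over constant template text. Toy HTML grammar: only
// src="..." and href="..." are tracked as URI attributes; others are ignored.
function advance(ctx, lit) {
  for (const tok of lit.match(/\s(?:src|href)="|[<>"?]|[^<>"?\s]+|\s/gi) || []) {
    if (ctx === HTML_TEXT) { if (tok === "<") ctx = HTML_TAG; }
    else if (ctx === HTML_TAG) {
      if (tok === ">") ctx = HTML_TEXT;
      else if (/^\s(?:src|href)="$/i.test(tok)) ctx = URI_START;
    }
    else if (tok === '"') ctx = HTML_TAG;       // closing quote of the URI attribute
    else if (tok === "?") ctx = URI_QUERY;
    else if (ctx === URI_START) ctx = URI_PATH;
  }
  return ctx;
}
// Compile parts ({lit: "..."} | {var: "name"}) into a per-print sanitizer plan and a
// render function. Constants are emitted untouched (NOS); no sanitizer = static error.
function compile(parts) {
  let ctx = HTML_TEXT;
  const plan = parts.map(p => {
    if ("lit" in p) { ctx = advance(ctx, p.lit); return null; }
    if (!SANITIZERS[ctx]) throw new Error(`static error: $${p.var} printed in ${ctx}`);
    return ctx;
  });
  const render = data => parts.map((p, i) =>
    "lit" in p ? p.lit : SANITIZERS[plan[i]](data[p.var])).join("");
  return { plan: plan.filter(Boolean), render };
}
// The talk's template: <img src='/{$name}/img?f={$imgLink}'/>{$name}
const imgRender = compile([
  { lit: '<img src="/' }, { var: "name" }, { lit: "/img?f=" }, { var: "imgLink" },
  { lit: '"/>' }, { var: "name" },
]);
```

A branch-dependent context like StatAmb above would have to be rejected or handled at runtime by this toy, which is exactly the gap the flow-sensitive qualifiers and the CSRP fallback of slide 20 close.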

Slide 21: Implementation & Evaluation
– Google Closure Templates: powers several Google products; 3045 LOC Java
– Evaluation benchmarks: 1035 templates from production Google code
– Rich features: 2997 calls; 1224 print/sink statements using 600 untrusted input variables

Slide 22: Evaluation: Compatibility
– All 1035 templates auto-sanitized! No developer involvement, no static errors
– Compared to the original sanitization: 21 cases differ out of 1224; in these, the CSAS engine inferred a more accurate sanitizer

Slide 23: Evaluation: Security
– The context-insensitive approach fails (UNSAFE) on 28% of prints

Slide 24: Evaluation: Performance Overhead
Base: no sanitization. Benchmarks: templates only, no other application logic.
JavaScript:
  Browser   | CI   | CSRP  | CSAS
  Chrome 9  | 3.0% | 78.8% | 3.0%
  FF 3.6    | 9.6% | 425%  | 9.6%
  Safari 5  | 2.5% | 189%  | 3.1%
Java:
  Java      | CI 0% | CSRP 72% | CSAS 0%
– Order of magnitude faster than CSRP
– Practical performance: up to 9.6% overhead

Slide 25: Conclusion
CSAS: a new "push-button" defense primitive
– Fast, secure, compatible and auditable
– Increasing commercial adoption, other frameworks

Slide 26: Thanks
http://code.google.com/closure/templates/docs/security.html
Questions?