Download presentation
Presentation is loading. Please wait.
1
Swift: Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell University SOSP 2007 (October 15) Speaker: K. Vikram S plitting W ebapps via I nformation F low T ypes
2
Ubiquitous, important, yet insecure –61% of Internet vulnerabilities affect webapps* –Cross-site scripting, SQL injection, Information Leakage, etc. Development methods lack security reasoning –Distributed system in multiple languages Client: CSS, XHTML, JavaScript, Flash Server: PHP, ASP, Ruby, SQL –Ajax/Web 2.0: Complex JavaScript UIs generating HTTP requests *Symantec Internet Security Threat Report 2007 Can we make web applications secure?
3
Swift * Make interactive web applications secure and easier to write *S plitting W ebapps via I nformation F low T ypes Easier to Write –One program (in one general purpose language) automatically split by the compiler Security by construction –Rich security policies as declarative annotations Interactivity –Finding an optimal split for performance Swift source code Compiler Partitioner Javascript client code Java server code
4
K.Vikram Swift Cornell University The Guess-the-Number Game Secret Number: 7 Tries: 3 Take a Guess! (You have 3 chances) Random number between 1 and 10
5
K.Vikram Swift Cornell University The Guess-the-Number Game Secret Number: 7 Tries: 3 Take a Guess! (You have 3 chances) 6 Try Again 12 Out of range 4 Try Again 7 You win $500 Tries: 2Tries: 1 (You have 2 chances)(You have 1 chance)You win $500 Bounds Check Compare Guess Tries: 0
6
K.Vikram Swift Cornell University The Guess-the-Number Game Secret Number: 7 Tries: 3 Take a Guess! (You have 3 chances) 7 You win $500 Confidentiality Requirement Tries: 10 1234567 Integrity Requirement I win $500 Integrity Requirement Bounds Check Compare Guess Buggy or malicious Trusted
7
K.Vikram Swift Cornell University The Guess-the-Number Game Secret Number: 7 Tries: 3 Take a Guess! (You have 3 chances) Tries: 3 Compare Guess Bounds Check A secure optimal split Bounds Check
8
K.Vikram Swift Cornell University Input Validation Check Fails Called from a Listener Guess-the-number in Swift { if (guess >= 1 && guess <= 10) { int secret; int tries; } else { message.setText("Out of range:" + guess); } } void makeGuess (int guess) …
9
K.Vikram Swift Cornell University Compare with stored secret Successful Guess Guess-the-number in Swift … { if (guess >= 1 && guess <= 10) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } boolean correct = guess == secret; void makeGuess (int guess) int secret; int tries;
10
K.Vikram Swift Cornell University Compare with stored secret Guess-the-number in Swift … { if (guess >= 1 && guess <= 10) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { boolean correct = guess == secret; void makeGuess (int guess) int secret; int tries; tries--; if (tries > 0) else message.setText("Try again"); finishApp("Game over"); Unsuccessful Guess }
11
K.Vikram Swift Cornell University … { if (guess >= 1 && guess <= 10) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { boolean correct = guess == secret; void makeGuess (int guess) int secret; int tries; tries--; if (tries > 0) else message.setText("Try again"); finishApp("Game over"); }
12
K.Vikram Swift Cornell University … { if (guess >= 1 && guess <= 10) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { boolean correct = guess == secret; void makeGuess (int guess) int secret; int tries; tries--; if (tries > 0) else message.setText("Try again"); finishApp("Game over"); } … { if (guess >= 1 && guess <= 10) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { boolean correct = guess == secret; void makeGuess (int guess) int secret; int tries; tries--; if (tries > 0) else message.setText("Try again"); finishApp("Game over"); }
13
K.Vikram Swift Cornell University Writing security labels in Swift A label denotes the security policy enforced on data (using the Decentralized Label Model[ML97]) int{server→server; server←server} secret; int{server→client; server←server} tries; Alice Bob Alice permits Bob to read AliceBob Alice permits Bob to write The compiler allows only those information flows that conform to security policies (Jif[ML99]) int{server→client} display; display = secret; server→server server→client server←server
![K.Vikram Swift Cornell University Writing security labels in Swift A label denotes the security policy enforced on data (using the Decentralized Label Model[ML97]) int{server→server; server←server} secret; int{server→client; server←server} tries; Alice Bob Alice permits Bob to read AliceBob Alice permits Bob to write The compiler allows only those information flows that conform to security policies (Jif[ML99]) int{server→client} display; display = secret; server→server server→client server←server](http://images.slideplayer.com./15/4821698/slides/slide_13.jpg "K.Vikram Swift Cornell University Writing security labels in Swift A label denotes the security policy enforced on data (using the Decentralized Label Model[ML97]) int{server→server; server←server} secret; int{server→client; server←server} tries; Alice Bob Alice permits Bob to read AliceBob Alice permits Bob to write The compiler allows only those information flows that conform to security policies (Jif[ML99]) int{server→client} display; display = secret; server→server server→client server←server")
14
K.Vikram Swift Cornell University … { if (guess >= 1 && guess <= 10) { int{server→server; server←server} secret; int{server→client; server←server} tries; Guess-the-number in Swift } } else { message.setText("Out of range:" + guess); } } {server→server} to {server→client}); if (tries > 0 && correct) { finishApp("You win $500!"); } else { tries--; if (tries > 0) else message.setText("Try again"); boolean correct = declassify (guess == secret, finishApp("Game over"); endorse (guess, {server←client} to {server←server}) If guess is within bounds the server is prepared to trust it Client is allowed to learn if guess is correct boolean correct = guess == secret;
15
The Swift Architecture Jif source code WebIL code Located WebIL code label projection partitioning Confidentiality/ Integrity labels Server/Client Placement HTTP Java servlet framework Swift server runtime Java server code Web Server Java client code GWT Swift client runtime GWT runtime library Javascript client code Web Browser
16
Swift server runtime Java servlet framework GWT runtime library Swift client runtime Java server code Javascript client code The Swift Architecture WebIL code Located WebIL code partitioning HTTP Web Server Java client code GWT Web Browser Jif source code label projection
17
K.Vikram Swift Cornell University Placement Constraints from Labels {Alice→Bob; Alice←Bob} {Chuck→Alice,Bob;Alice←Chuck} {Alice→Bob, Dave} {Chuck←Chuck, Alice} {Chuck←Bob, Alice} {Alice→Bob, Dave} {Fiona→Bob, Eve, Alice; Bob←Fiona} {Eve←Chuck, Alice} {George→Bob, Dave; Fiona→Bob; George←Alice,Dave} {Dave→Bob, Heather} {} {Alice→Bob, Dave; w} {*l} {x} {p←p} {Irina→Bob; Heather←Dave,Bob,Irina} {p→Bob, q; n} {Alice→Bob, Dave} client cannot read client can read client can write client cannot write (low confidentiality) (high confidentiality) (low integrity)(high integrity) client or server S?C? server and maybe client ShC? server only S server only Sh
18
K.Vikram Swift Cornell University Placement Constraints from Labels client cannot read client can read client can write client cannot write (low confidentiality) (high confidentiality) (low integrity)(high integrity) SSh S?C? ShC?
19
K.Vikram Swift Cornell University C Security Constraints S?C? SSh Architectural Constraints S Database library calls UI Widget calls Placement Constraints from Labels ShC?
20
K.Vikram Swift Cornell University S?C?: int secret; int tries; … void makeGuess (int guess) { if (guess >= 1 && guess <= 10) { } else { message.setText("Out of range:" + guess); } } finishApp("You win $500!"); } } else { tries--; if (tries > 0) else finishApp("Game over"); } Guess-the-number in WebIL Sh: ShC?: Sh: ShC?: message.setText("Try again"); S?C?: C: Comparison only on server Calls to UI methods on client if (tries > 0 && correct) { boolean correct = guess == secret; Sh:
21
K.Vikram Swift Cornell University WebIL code Located WebIL code partitioning Swift server runtime Java servlet framework GWT runtime library Swift client runtime Java server code Javascript client code The Swift Architecture Jif source code label projection HTTP Web Server Java client code GWT Web Browser
22
K.Vikram Swift Cornell University Minimize number of network messages –Network latency has biggest impact on responsiveness –Control transfer might require a network message Modeling the run-time behavior of the program by a weighted control flow graph –Interprocedural dataflow analysis Construct an instance of the min-cut problem Min-cut/Max-flow algorithm runs in O(n 3 ) time Performance Optimization S C C S S S C C S S SC 10 5 7.5 15 5 7.5 10 5 7.5 15 5 7.5
23
K.Vikram Swift Cornell University Guess-the-number with placements C: int secret; int tries; … void makeGuess (int guess) { if (guess >= 1 && guess <= 10) { } else { message.setText("Out of range:" + guess); } } finishApp("You win $500!"); } } else { tries--; if (tries > 0) else finishApp("Game over"); } Sh: ShC: Sh: ShC: message.setText("Try again"); C: if (tries > 0 && correct) { boolean correct = guess == secret; Sh: ShC: Each statement/field is given one of five possible annotations: {C, S, SC, Sh, ShC} Input validation code replicated
24
K.Vikram Swift Cornell University The Swift Architecture Located WebIL code HTTP Java servlet framework Swift server runtime Java server code Web Server Java client code GWT Swift client runtime GWT runtime library Javascript client code Web Browser Jif source code WebIL code label projection partitioning
25
guess=6 if (guess >= 1 && guess <= 10) { void makeGuess (int guess) { … if (guess >= 1 && guess <= 10) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { tries--; if (tries > 0) else finishApp("Game over"); } message.setText("Try again"); int secret; int tries; … void makeGuess (int guess) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { tries--; if (tries > 0) else finishApp("Game over"); } message.setText("Try again"); int secret; int tries; [Code to execute, Local Variable Values] boolean correct = guess == secret;
![guess=6 if (guess >= 1 && guess <= 10) { void makeGuess (int guess) { … if (guess >= 1 && guess <= 10) { } else { message.setText( Out of range: + guess); } } if (tries > 0 && correct) { finishApp( You win $500! ); } else { tries--; if (tries > 0) else finishApp( Game over ); } message.setText( Try again ); int secret; int tries; … void makeGuess (int guess) { } else { message.setText( Out of range: + guess); } } if (tries > 0 && correct) { finishApp( You win $500! ); } else { tries--; if (tries > 0) else finishApp( Game over ); } message.setText( Try again ); int secret; int tries; [Code to execute, Local Variable Values] boolean correct = guess == secret;](http://images.slideplayer.com./15/4821698/slides/slide_25.jpg "guess=6 if (guess >= 1 && guess <= 10) { void makeGuess (int guess) { … if (guess >= 1 && guess <= 10) { } else { message.setText( Out of range: + guess); } } if (tries > 0 && correct) { finishApp( You win $500! ); } else { tries--; if (tries > 0) else finishApp( Game over ); } message.setText( Try again ); int secret; int tries; … void makeGuess (int guess) { } else { message.setText( Out of range: + guess); } } if (tries > 0 && correct) { finishApp( You win $500! ); } else { tries--; if (tries > 0) else finishApp( Game over ); } message.setText( Try again ); int secret; int tries; [Code to execute, Local Variable Values] boolean correct = guess == secret;")
26
if (tries > 0 && correct) { boolean correct = guess == secret; int secret; int tries; … void makeGuess (int guess) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { tries--; if (tries > 0) else finishApp("Game over"); } message.setText("Try again"); int secret; int tries; … void makeGuess (int guess) { } else { message.setText("Out of range:" + guess); } } finishApp("You win $500!"); } else { tries--; if (tries > 0) else finishApp("Game over"); } message.setText("Try again"); [Code to execute, Local variable values] updates to locals if (guess >= 1 && guess <= 10) { boolean correct = guess == secret;
![if (tries > 0 && correct) { boolean correct = guess == secret; int secret; int tries; … void makeGuess (int guess) { } else { message.setText( Out of range: + guess); } } if (tries > 0 && correct) { finishApp( You win $500! ); } else { tries--; if (tries > 0) else finishApp( Game over ); } message.setText( Try again ); int secret; int tries; … void makeGuess (int guess) { } else { message.setText( Out of range: + guess); } } finishApp( You win $500! ); } else { tries--; if (tries > 0) else finishApp( Game over ); } message.setText( Try again ); [Code to execute, Local variable values] updates to locals if (guess >= 1 && guess <= 10) { boolean correct = guess == secret;](http://images.slideplayer.com./15/4821698/slides/slide_26.jpg "if (tries > 0 && correct) { boolean correct = guess == secret; int secret; int tries; … void makeGuess (int guess) { } else { message.setText( Out of range: + guess); } } if (tries > 0 && correct) { finishApp( You win $500! ); } else { tries--; if (tries > 0) else finishApp( Game over ); } message.setText( Try again ); int secret; int tries; … void makeGuess (int guess) { } else { message.setText( Out of range: + guess); } } finishApp( You win $500! ); } else { tries--; if (tries > 0) else finishApp( Game over ); } message.setText( Try again ); [Code to execute, Local variable values] updates to locals if (guess >= 1 && guess <= 10) { boolean correct = guess == secret;")
27
int secret; int tries; … void makeGuess (int guess) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { tries--; if (tries > 0) else finishApp("Game over"); } message.setText("Try again"); int secret; int tries; … void makeGuess (int guess) { } else { message.setText("Out of range:" + guess); } } if (tries > 0 && correct) { finishApp("You win $500!"); } else { tries--; if (tries > 0) else finishApp("Game over"); } message.setText("Try again"); boolean correct = guess == secret; if (guess >= 1 && guess <= 10) { boolean correct = guess == secret;
28
K.Vikram Swift Cornell University Client could cheat and request execution of arbitrary server code –Server keeps enough state about expected control flow Client could corrupt local variables –Server does not accept updates for high integrity variables Client cannot –Violate data integrity –Influence execution of high integrity code –Learn confidential values [Code to execute, Local variable values] Code to executeLocal variable values
![K.Vikram Swift Cornell University Client could cheat and request execution of arbitrary server code –Server keeps enough state about expected control flow Client could corrupt local variables –Server does not accept updates for high integrity variables Client cannot –Violate data integrity –Influence execution of high integrity code –Learn confidential values [Code to execute, Local variable values] Code to executeLocal variable values](http://images.slideplayer.com./15/4821698/slides/slide_28.jpg "K.Vikram Swift Cornell University Client could cheat and request execution of arbitrary server code –Server keeps enough state about expected control flow Client could corrupt local variables –Server does not accept updates for high integrity variables Client cannot –Violate data integrity –Influence execution of high integrity code –Learn confidential values [Code to execute, Local variable values] Code to executeLocal variable values")
29
Evaluation: Code size measurements Guess-the-Number 142 lines Poll 113 lines Secret Keeper 324 lines Treasure Hunt 92 lines Auction 502 lines Shop 1094 lines
30
K.Vikram Swift Cornell University Evaluation: Network message counts ExampleTask ActualOptimal Server ! ClientClient ! ServerServer ! ClientClient ! Server Guess-the- Number guessing a number 1211 Shop adding an item 0000 Poll casting a vote 1101 Secret Keeper viewing the secret 1111 Treasure Hunt exploring a cell 1211 Auctionbidding 1111
31
K.Vikram Swift Cornell University Related Work Unified Programming Models –Links [CLWY 06] –Hop [SGL 06] –Hilda [YGQDGS 07,YSRG 06] Web Application Security –Static Analysis [HYHTLK 04, XA 06, JKK 06] –Dynamic Taint Tracking [HO 05, NGGE 05, XBS 06, CVM 07] Security by construction –Jif/Split [ZZNM 02, ZCMZ 03] –Fairplay [MNPS 04] –SMCL [NS 07] - Tracking over multiple requests - Client side computation - Confidentiality - Security - Replication for responsiveness - Automated, fine-grained optimization Swift - Bigger, more practical applications - Web application security
![K.Vikram Swift Cornell University Related Work Unified Programming Models –Links [CLWY 06] –Hop [SGL 06] –Hilda [YGQDGS 07,YSRG 06] Web Application Security –Static Analysis [HYHTLK 04, XA 06, JKK 06] –Dynamic Taint Tracking [HO 05, NGGE 05, XBS 06, CVM 07] Security by construction –Jif/Split [ZZNM 02, ZCMZ 03] –Fairplay [MNPS 04] –SMCL [NS 07] - Tracking over multiple requests - Client side computation - Confidentiality - Security - Replication for responsiveness - Automated, fine-grained optimization Swift - Bigger, more practical applications - Web application security](http://images.slideplayer.com./15/4821698/slides/slide_31.jpg "K.Vikram Swift Cornell University Related Work Unified Programming Models –Links [CLWY 06] –Hop [SGL 06] –Hilda [YGQDGS 07,YSRG 06] Web Application Security –Static Analysis [HYHTLK 04, XA 06, JKK 06] –Dynamic Taint Tracking [HO 05, NGGE 05, XBS 06, CVM 07] Security by construction –Jif/Split [ZZNM 02, ZCMZ 03] –Fairplay [MNPS 04] –SMCL [NS 07] - Tracking over multiple requests - Client side computation - Confidentiality - Security - Replication for responsiveness - Automated, fine-grained optimization Swift - Bigger, more practical applications - Web application security")
32
K.Vikram Swift Cornell University Conclusions/Questions? Web applications are critical and handle sensitive data Secure web applications are hard to write The Swift programming system provides –Greater security assurance –A responsive interface –Cleaner programming model http://www.cs.cornell.edu/jif/swift/
Similar presentations
