Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Data-Centric Web Application Security Framework Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia.

Published byElwin O’Connor’ Modified over 9 years ago

Similar presentations

Presentation on theme: "A Data-Centric Web Application Security Framework Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia."— Presentation transcript:

1 A Data-Centric Web Application Security Framework Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia http://guardrails.cs.virginia.edu GuardRails

2 2 Web applications are easier to create than ever!

3 3 Securing web applications is not nearly as easy!

4 4

5 5

6 6

7 7 “> alert(document.cookie);

8 8

9 9

10 10

11 11 Application Page A Page B Page C Page D Data Object Write Append Read Write Read Delete Read

12 12 Application Page A Page B Page C Page D Data Object Write Append Read Write Read Delete Read Output HTML Data Object

13 13 Application Page A Page B Page C Page D Data Object Write Append Read Write Read Delete Read Output HTML Data Object

14 14 Application Page A Page B Page C Page D Data Object Write Append Read Write Read Delete Read Proxy that Enforces Security Policies

15 15 Application Page A Page B Page C Page D Data Object Write Append Read Write Read Delete Read Output HTML Data Object Proxy that Enforces Security Policies

16 Our Philosophy 16 Security policies should be attached to the data Security policies should be enforced automatically

17 17 Annotated Ruby on Rails Code Secure Ruby on Rails Code GuardRails Prevent Bugs and Security Vulnerabilities Improve Readability Easy to Use Access Control Policies Fine Grained Taint- Tracking

18 Design Goals Top Priority: Automatically enforce security policies Other Objectives: Preserve application functionality Easy for developers to use Lesser Goals: Minimize performance cost 18

19 19 Annotated Ruby on Rails Code Secure Ruby on Rails Code GuardRails Prevent Bugs and Security Vulnerabilities Improve Readability Easy to Use Access Control Policies Fine Grained Taint-Tracking

20 20 Annotated Ruby on Rails Code Secure Ruby on Rails Code GuardRails Prevent Bugs and Security Vulnerabilities Improve Readability Easy to Use Access Control Policies Fine Grained Taint-Tracking

21 21

22 if include_subprojects && !active_children.empty? ids = [id] + active_children.collect {|c| c.id} conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"] 22

23 if include_subprojects && !active_children.empty? ids = [id] + active_children.collect {|c| c.id} conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"] 23

24 if include_subprojects && !active_children.empty? ids = [id] + active_children.collect {|c| c.id} conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND #{Project.visible_by}"] 24

25 25 application_helper.rb 4 Checks project.rb 2 Checks projects_controller.rb 3 Checks acts_as_searchable.rb 1 Checks # @ :read, :self, lambda{|user|self.is_public or user.memberships.include? self.id} # @ :read, lambda{|user| self.is_public or user.memberships.include? self.id} class Project < ActiveRecord::Base # Project statuses STATUS_ACTIVE = 1… 1 GuardRails Annotation In Project model file:

26 Access Control Policy Annotations # @ (policy_type, [target], [handler], mediator) # @ :delete, :self, :admin # @ :write, :password, lambda{|user|user.id == self.id } # @ :append, :members, lambda{|user| user.belongs_to?(self)} 26

27 27 Annotated Ruby on Rails Code Secure Ruby on Rails Code GuardRails Access Control Policies Fine Grained Taint-Tracking

28 Dynamic Taint Tracking Protects against injection attacks 28 “SELECT profile FROM users WHERE username=‘” + user_name + “’” “User: ” + user_name + “ ” Good: user_name = “jazzFan26” Bad: user_name = “’; DROP TABLE users--” Good: user_name = “DrKevinPhillips” Bad: user_name = “ alert(‘document.cookie’); ” SQL Injection: Cross-Site Scripting:

29 29

30 30 Application Page A Page B Page C Page D Data Object Write Append Read Write Read Delete Read

31 31 Application Page A Page B Page C Page D Data Object Write Append Read Write Read Delete Read Output HTML Data Object

32 Taint Propagation 32 Model Controller Database Data Taint Status View URL Parameters Form Data Other User Input Tainted HTML Sanitization Safe HTML

33 Expressive Taint Status “ SoccerFan1985 ” String Value: Taint: Character Index 29 51 55 Different Chunks 33

34 Transformers {:HTML => { “//script” => NoDisplay, :default => NoHTMLAllowed }, :SQL => SQLSanitize, :Ruby_eval => NoDisplay} The Default Transformer Use Context Appropriate Sanitization Routine 34

35 Transformers Raw String Chunk 1 Transformer 1 Raw String Chunk 2 Transformer 2 Raw String Chunk 3 Transformer 3 Use Context Sanitized Chunk Sanitized String 35

36 Transformer Annotations 36 Different sanitization policies in different contexts Context specified with XPath # @ :taint, :username, {:HTML => AlphaNumericOnly} # @ :taint, :full_name, {:HTML => {TitleTag => LettersAndSpacesOnly, :default => NoHTML}} # @ :taint, :profile, {:HTML => {"//script” => Invisible, :default => BoldItalicUnderlineOnly}} # @ taint, target, transformer

37 37

38 38

39 39

40 Test ApplicationApplication Type Image Gallery (680 lines) E-Commerce (5556 lines) Project Management (30747 lines) E-Commerce (11561 lines) 40

41 Performance Notes 41

42 Try GuardRails Alpha Release Now Available! Our Web Page: http://guardrails.cs.virginia.edu Full source code can be downloaded from GitHub Contact Info: guardrails@cs.virginia.edu 42

43 Questions? Alpha Release Now Available! Our Web Page: http://guardrails.cs.virginia.edu Full source code can be downloaded from GitHub Contact Info: guardrails@cs.virginia.edu 43

Download ppt "A Data-Centric Web Application Security Framework Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Data-Centric Security Dawn Song UC Berkeley Collaboration with Lorenzo Martignoni, Stephen McCamant, Pongsin Poosankam, Matei Zaharia, Scott Shenker, Ion.

Data-Centric Security Dawn Song UC Berkeley Collaboration with Lorenzo Martignoni, Stephen McCamant, Pongsin Poosankam, Matei Zaharia, Scott Shenker, Ion.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Project 7 Discussion Section XSS and SQL Injection in Rails.

Project 7 Discussion Section XSS and SQL Injection in Rails.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

Similar presentations

Ads by Google