Re-designing the Web’s Access Control Systems Wenliang (Kevin) Du Associate Professor Department of Electrical Engineering & Computer Science Syracuse University Joint work with Dr. Karthick Jayaraman, Tongbo Luo, Xi Tan, and Dr. Zutao Zhu Presentation at Microsoft Research, Redmond, 7/28/2011.

Post on 21-Dec-2015

TRANSCRIPT

  • Slide 1
  • Wenliang (Kevin) Du, Associate Professor, Department of Electrical Engineering & Computer Science, Syracuse University. Joint work with Dr. Karthick Jayaraman, Tongbo Luo, Xi Tan, and Dr. Zutao Zhu. Presentation at Microsoft Research, Redmond, 7/28/2011.
  • Slide 2
  • Overview
    • Access control in the Web
    • Our positions on the Web's access control
    • Our approaches to improve web security: Escudo (browser-side access control), Scuta (server-side access control), and database-side access control
  • Slide 3
  • The Alarming Situation: vulnerabilities of web applications (chart from WhiteHat Security)
  • Slide 4
  • [Figure] The Overall Web Architecture: Web Browser, Application Server (e.g., PHP, Java Servlet), Database (e.g., MySQL)
  • Slide 5
  • A Web Application Example
  • Slide 6
  • [Figure] Current Access Control Systems: the Web Browser (HTML page, JavaScript code, static contents) is guarded by browser access control (SOP); the Web Application Server (server-side code in PHP, C#, Java Servlet) by session + OS access control; the Database (SQL code) by DB access control
  • Slide 7
  • [Figure] Same Origin Policy (SOP): JavaScript code from www.gmail.com may access the Gmail DOM tree and cookies from Gmail.com, but not cookies from Microsoft.com; an AJAX request to www.microsoft.com is shown with the note "this action is now allowed"
  • Slide 8
  • Same-Session Policy
    • After authentication, a session is established (avoids repetitive authentication)
    • Session cookies serve as the authentication token
    • Same session, same privileges
  • Slide 9
  • Problems of SOP and SSP
    • Coarse granularity: one or nothing
    • No separation of privileges
    • Do we need to separate privileges?
  • Slide 10
  • [Figure] Diversified Protection Needs: first-party content (AddFriends.php, DeleteFriends.php, ViewFriends.php) spans a trusted region, a semi-trusted region and untrusted regions; third-party content (advertisements) sits in untrusted regions
  • Slide 11
  • [Figure] The Loss of Trust State: F.php emits an HTML page whose buttons (Button1, Button2, Button3, e.g., ViewFriends.php, AddFriends.php, DeleteFriends.php) fall into trusted, semi-trusted and un-trusted regions built from trusted, semi-trusted and un-trusted data
    • Trust state of data gets lost: led to the Same-Origin Policy
    • Trust status gets lost again: led to the Same-Session Policy
  • Slide 12
  • [Figure] Application-Specific Logic: besides browser-side access control (SOP), server-side access control (session + OS) and database-side access control, application-specific access control is implemented inside the server-side code
  • Slide 13
  • Inadequate Access Control
    • Access control has to be built into program logic; not easy for programmers
    • 83% of web sites have at least one serious vulnerability
    • Countermeasures are deployed in programs, so developers need to be security experts. Do we have enough security experts? I am a security expert, and I am afraid of writing web apps.
    • Something is fundamentally wrong! Don't blame the developers; blame the Web's security infrastructure
  • Slide 14
  • [Figure] Build Better Access Control: replace browser-side, server-side and database-side access control with a better access control system at each tier
  • Slide 15
  • The Benefit
    • Developers' security efforts are reduced: they only need to configure; enforcement is done by the system
    • Configuration, compared to implementation, is much easier to do, requires less security expertise, is less error prone, and is easier to verify
  • Slide 16
  • Design Principles: civil engineering principles vs. security engineering principles [figure]
  • Slide 17
  • [Saltzer and Schroeder 1975]: 8 design principles for building protection systems
    • Economy of mechanism
    • Fail-safe defaults
    • Complete mediation
    • Open design
    • Separation of privilege
    • Least privilege
    • Least common mechanism
    • Psychological acceptability
  • Slide 18
  • Key Security Principles
    • Separation of privilege: partitioning access permissions (example: root vs. ordinary user account). SOP & SSP: privileges are not separated
    • Principle of least privilege: a program must have no more privileges than necessary for its legitimate purpose. SOP & SSP do not support this principle
  • Slide 19
  • Requirements on the New Model
    • Finer granularity
    • Reflect the nature of trust: multi-level, multi-lateral, etc.
    • Consider the protection needs
    • Backward compatible
    • Well vetted: creativity is probably the enemy here
  • Slide 20
  • Final Choice: the Ring Model
    • Subjects and objects are labeled with rings
    • Widely used model: operating systems, etc.
  • Slide 21
  • Hierarchy [figure]
  • Slide 22
  • [Figure] Ring-Based Access Control for the Web: rings 0, 1, 2 run through all three tiers; in the Browser (Escudo + SOP) URLs, Submit actions and JavaScript code are labeled Ring = 0, 1 or 2; on the Application Server (Scuta + Session) scripts A.php, B.php, C.php and D.php are placed in rings 0, 1, 2; in the Database (Scuta) TableA, TableB and TableC are placed in rings 0, 1, 2
  • Slide 23
  • Escudo: "shield" in Portuguese
  • Slide 24
  • Example: HTML Encoding [figure]
  • Slide 25
  • Policy Integrity
    • Scoping rule: a div tag's principal ring is the lower bound for all its children
    • Node-splitting: use a tag (or nonce) to prevent malicious code from splitting nodes
  • Slide 26
  • Backward Compatibility
    • Escudo browsers with non-Escudo applications: all principals and objects belong to the same ring, mimicking the same-origin policy
    • Escudo applications with non-Escudo browsers: the configuration is ignored; the application still executes (no security)
  • Slide 27
  • [Figure] Scuta: Roman Shield. Fill the gap: the ring diagram from Slide 22 (Browser with Escudo + SOP, Application Server with Scuta + Session, Database with Scuta), introducing Scuta for the application server tier, where A.php, B.php, C.php and D.php sit in rings 0, 1, 2
  • Slide 28
  • [Figure] Scuta: Subsession
    • Server side: the session holds SID plus one subsession id per ring: SubSID_0 (Ring 0), SubSID_1 (Ring 1), SubSID_2 (Ring 2)
    • Browser side: JavaScript code in Ring 0 calling F.php sends the cookies SubSID_0, SubSID_1, SubSID_2, SID (subsession = 0); JavaScript code in Ring 2 calling F.php sends only SubSID_2, SID (subsession = 2)
  • Slide 29
  • [Figure] Scuta's Basic Access Control: in the Browser, URLs, Submit actions and JavaScript code are labeled Ring = 0, 1 or 2; on the Application Server, A.php, B.php, C.php and D.php are placed in rings 0, 1, 2
  • Slide 30
  • Scuta: More Flexible Policy Support. Discretionary security policies:

```php
// Branch on the caller's subsession ring; session_esubsid() is the Scuta API
// as named on the slide, and doTaskA/B/C stand for the per-ring work.
switch (session_esubsid()) {
    case 0: doTaskA(); break;
    case 1: doTaskB(); break;
    case 2: doTaskC(); break;
}
```
  • Slide 31
  • Scuta: Gates (Ring 0, Ring 1, Ring 2)
    • Gates: exceptions are inevitable
    • Like system calls: provide controlled access
    • Example: DB modification. Ring 0 allows Ring 3 to modify the DB in a controlled way
  • Slide 32
  • [Figure] Scuta at Database: the ring diagram from Slide 22, now turning to the Database tier (Scuta), where TableA, TableB and TableC are placed in rings 0, 1, 2
  • Slide 33
  • [Figure] Another Gap: A.php, B.php, C.php and D.php sit in rings 0, 1, 2 on the Application Server, but all of them reach TableA, TableB and TableC in the Database through a single account, dbuser
  • Slide 34
  • [Figure] Fill the Gap: one database account per ring, dbuser_0, dbuser_1 and dbuser_2, so that the ring of the server-side script is carried into the Database
  • Slide 35
  • Place Data in Rings
    • Use the GRANT command: fine granularity on tables, columns, and operations
    • Examples:

```sql
GRANT ALL ON TableA TO dbuser_0;
GRANT ALL ON TableB TO dbuser_1;
-- Column-level privileges in MySQL must be listed explicitly (SELECT, INSERT,
-- UPDATE, REFERENCES); ALL is not accepted at column level, so the slide's
-- "GRANT ALL (Profile, Name)" is spelled out here.
GRANT SELECT, INSERT, UPDATE (Profile, Name) ON TableC TO dbuser_1;
GRANT SELECT (Profile) ON TableC TO dbuser_2;
```
  • Slide 36
  • [Figure] Scuta: Architecture: a Web request enters the PHP code (initialization, Zend Engine, extensions) and the reply leaves it; a run-time security context ties the session, Scuta and the Database together
  • Slide 37
  • Case Studies: Browser-side Protection
    • Cross-Site Scripting attacks (XSS)
    • Same-origin requests: client-side extensions, server-side extensions
    • Cross-origin (or cross-site) requests: non-Ajax, Ajax
  • Slide 38
  • [Figure] Defeating XSS Attacks with Escudo
    • Ring 0: first-party contents (trustworthy); the session cookie is also in Ring 0
    • Ring 1: first-party contents readable by ads
    • Ring 2: other users' comments (untrusted)
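The ring labels, scoping rule and nonce-checked region closing of Slide 25, applied to the Slide 38 layout (first-party content and the session cookie in ring 0, a user comment in ring 2), as an added Python model. It is not part of the presentation and not Escudo's own code: the attribute syntax `<div ring=N nonce=X> ... </div nonce=X>`, the `can_access` rule (a principal may touch objects in its own ring or a higher-numbered one) and the sample page are assumptions constructed for this example; the slides only state the scoping rule and that a nonce stops malicious closing tags.

```python
"""Simplified model of Escudo's ring labels, scoping rule and nonce-checked
region closing (the node-splitting defence).

Constructed for illustration; not Escudo's code. The tag syntax and the
access rule in can_access() are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Opening tag: ring and nonce; closing tag: optional nonce.
TOKEN_RE = re.compile(r"<div ring=(\d+) nonce=(\w+)>|</div(?: nonce=(\w+))?>")


@dataclass
class Region:
    declared_ring: int          # ring written in the markup
    effective_ring: int         # ring after the scoping rule
    nonce: str
    text: str = ""
    children: list = field(default_factory=list)


def parse_regions(markup, page_ring=0):
    """Build the region tree while enforcing policy integrity:
    - scoping rule: a region's ring is the lower bound for its children, so a
      child that declares a more privileged (lower) ring is clamped upward;
    - a closing tag only closes the open region whose nonce it carries; any
      other closing tag (e.g. one injected inside a comment) is inert text.
    """
    root = Region(page_ring, page_ring, nonce="")
    stack = [root]
    pos = 0
    for m in TOKEN_RE.finditer(markup):
        stack[-1].text += markup[pos:m.start()]
        pos = m.end()
        if m.group(1) is not None:                              # opening tag
            parent = stack[-1]
            declared = int(m.group(1))
            child = Region(declared, max(parent.effective_ring, declared), m.group(2))
            parent.children.append(child)
            stack.append(child)
        elif len(stack) > 1 and m.group(3) == stack[-1].nonce:  # matching close
            stack.pop()
        else:                                                   # stray close: inert
            stack[-1].text += m.group(0)
    stack[-1].text += markup[pos:]
    return root


def ring_table(region):
    """Pre-order list of (declared ring, effective ring, text) for every region."""
    rows = [(region.declared_ring, region.effective_ring, region.text)]
    for child in region.children:
        rows.extend(ring_table(child))
    return rows


def can_access(subject_ring, object_ring):
    """Classic ring rule (assumed here): a principal may access objects in its
    own ring or in any less privileged (higher-numbered) ring."""
    return subject_ring <= object_ring


# Constructed page in the shape of slide 38. The comment (ring 2) tries to
# break out of its region with a bare </div> and then opens a ring-0 region.
PAGE = (
    "<div ring=0 nonce=k1>first-party UI"
    "<div ring=2 nonce=k7>nice post</div><div ring=0 nonce=zz>"
    "<script>/* injected */</script></div nonce=zz>"
    "</div nonce=k7></div nonce=k1>"
)
SESSION_COOKIE_RING = 0


def injected_script_can_read_cookie(markup=PAGE):
    """Ring the injected script ends up in, and whether it may read the cookie."""
    root = parse_regions(markup)
    injected = root.children[0].children[0].children[0]
    return injected.effective_ring, can_access(injected.effective_ring, SESSION_COOKIE_RING)


if __name__ == "__main__":
    for row in ring_table(parse_regions(PAGE)):
        print(row)
    print("injected script:", injected_script_can_read_cookie())
```

The stray `</div>` stays inside the comment's text, and the injected `<div ring=0 ...>` is clamped to ring 2 by the scoping rule, so the script it carries cannot reach the ring-0 session cookie; a first-party script in ring 0 can still read the ring-2 comment.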
  • Slide 39
  • Client-Side Extensions: third-party JS code, advertisements
  • Slide 40
  • [Figure] Secure Client-Side Extensions: a 3rd-party client-side extension placed in the ring hierarchy (Ring 0, Ring 1, Ring 2) with its operations Display(), Modify() and Renew()
  • Slide 41
  • Server-Side Extensions
    • Server-side code written by 3rd parties; Elgg has hundreds of such extensions (an App model)
    • Problematic server-side extensions: malicious, or vulnerable (the SQL injection case)
  • Slide 42
  • [Figure] Secure Server-Side Extensions: trustworthy server-side extensions and not-so-trustworthy server-side extensions are placed in different rings (Ring 0, Ring 1, Ring 2)
  • Slide 43
  • [Figure] Cross-Site Requests (non-Ajax): while the user's browser is browsing Facebook.com, a cross-site request (e.g., Delete Friends) is sent to Facebook.com carrying the session ID
  • Slide 44
  • [Figure] Secure Cross-Site Requests: in Facebook's Scuta configuration (Ring 0, Ring 1, Ring 2), cross-site requests are mapped to the least privileged ring
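The subsession cookies of Slide 28, the per-ring switch of Slide 30, the gate of Slide 31 and the cross-site rule of Slide 44, as one added Python model that is not part of the presentation and not Scuta's code. The cookie names follow Slide 28; the selection rule (the most privileged valid subsession cookie fixes the request's ring), the script-to-ring table, the gate table and the `cross_site` flag are assumptions of this example.

```python
"""Simplified model of Scuta's subsessions and ring-based request handling.

Constructed for illustration; not Scuta's code. Cookie names follow slide 28
(SID, SubSID_0..SubSID_2); the ring-selection rule, the script/ring table and
the gate table are assumptions of this example.
"""
import secrets

RINGS = (0, 1, 2)
LEAST_PRIVILEGED = max(RINGS)

# Ring label of each server-side script (constructed mapping).
SCRIPT_RING = {"A.php": 0, "B.php": 1, "C.php": 2, "D.php": 2}

# Gates: ring-0 entry points that a less privileged ring may call in a
# controlled way (slide 31's "DB modification" example); constructed.
GATES = {"ModifyDB.php": {"ring": 0, "open_to": 2}}


def create_session():
    """Server side: one session id plus one subsession id per ring."""
    sess = {"SID": secrets.token_hex(8)}
    for r in RINGS:
        sess[f"SubSID_{r}"] = secrets.token_hex(8)
    return sess


def cookies_for_ring(session, ring):
    """Browser side: code running in ring r carries only SubSID_r..SubSID_2
    (slide 28: ring 0 sends all three, ring 2 sends only SubSID_2)."""
    return {name: value for name, value in session.items()
            if name == "SID" or int(name.split("_")[1]) >= ring}


def request_ring(session, cookies, cross_site=False):
    """Map an incoming request to a ring.

    Cross-site requests land in the least privileged ring regardless of the
    cookies they carry (slide 44). Otherwise the most privileged (lowest
    numbered) valid subsession cookie decides; a valid SID without any valid
    SubSID is treated as least privileged, an invalid SID as unauthenticated.
    """
    if cross_site:
        return LEAST_PRIVILEGED
    if not secrets.compare_digest(cookies.get("SID", ""), session["SID"]):
        return None
    valid = [r for r in RINGS
             if secrets.compare_digest(cookies.get(f"SubSID_{r}", ""),
                                       session[f"SubSID_{r}"])]
    return min(valid) if valid else LEAST_PRIVILEGED


def dispatch(script, ring):
    """Basic rule: a request in ring r may invoke scripts labelled r or
    higher. A gate is the exception: it may be invoked from any ring up to
    its `open_to` value and then runs with the gate's own (ring-0) privilege."""
    if ring is None:
        return "denied: not authenticated"
    if script in GATES:
        gate = GATES[script]
        if ring <= gate["open_to"]:
            return f"gate {script}: ring {ring} -> ring {gate['ring']}"
        return f"denied: {script} gate not open to ring {ring}"
    label = SCRIPT_RING.get(script)
    if label is None:
        return "denied: unknown script"
    if ring <= label:
        return f"run {script} in ring {ring}"
    return f"denied: {script} is ring {label}, request is ring {ring}"


def f_php(ring):
    """Discretionary policy inside one script, like slide 30's switch on the
    subsession id: the same URL does different work per ring."""
    return {0: "task A", 1: "task B", 2: "task C"}[ring]


if __name__ == "__main__":
    session = create_session()
    for r in RINGS:
        c = cookies_for_ring(session, r)
        rr = request_ring(session, c)
        print(f"browser ring {r}: cookies {sorted(c)} -> request ring {rr}; "
              f"A.php: {dispatch('A.php', rr)}; F.php does {f_php(rr)}")
    xs = request_ring(session, cookies_for_ring(session, 0), cross_site=True)
    print("cross-site request:", dispatch("A.php", xs))
    print("gate from ring 2:", dispatch("ModifyDB.php", 2))
```

A forged cross-site request (slide 43) that somehow carries all the subsession cookies is still handled in ring 2 because of the `cross_site` short-circuit, so it cannot reach the ring-0 script that deletes friends; the gate shows the controlled exception, where ring 2 may enter a ring-0 entry point only through that named entry.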
  • Slide 45
  • Cross-Site Ajax Request
    • Security policy: not allowed in the past, allowed now
    • Access control model: the new Origin header and white lists
    • Problems: Origin is too coarse-grained; A trusts B does not mean A trusts the ads on B's page
  • Slide 46
  • [Figure] Secure Cross-Site Ajax Requests: the browser's Escudo configuration (Ring 0, Ring 1, Ring 2) and the server's Scuta configuration (Ring 0, Ring 1, Ring 2) are connected by an origin-based ring mapping
  • Slide 47
  • Summary
    • The Web is becoming part of the infrastructure and should not be treated as yet another application; security needs more system thinking
    • Web security is a major problem: all web applications need to think about security
    • Good system support partially frees developers, so they can focus more on application logic
    • We are working on developing such system support: browser-side, server-side and database-side