Post on 21-Dec-2015
- Slide 1
- Wenliang (Kevin) Du, Associate Professor, Department of Electrical Engineering & Computer Science, Syracuse University. Joint work with Dr. Karthick Jayaraman, Tongbo Luo, Xi Tan, and Dr. Zutao Zhu. Presentation at Microsoft Research, Redmond, 7/28/2011.
- Slide 2
- Overview
  - Access control in the Web
  - Our positions on the Web's access control
  - Our approaches to improve web security:
    - Escudo: browser-side access control
    - Scuta: server-side access control
    - Database-side access control
- Slide 3
- The Alarming Situation: vulnerabilities of web applications (chart from WhiteHat Security)
- Slide 4
- The Overall Web Architecture (diagram): Web Browser, Application Server (e.g., PHP, Java Servlet), Database (e.g., MySQL)
- Slide 5
- A Web Application Example
- Slide 6
- Current Access Control Systems (diagram)
  - Web Browser: JavaScript code, HTML page, static contents; protected by browser access control (SOP)
  - Web Application Server: server-side code (PHP, C#, Java Servlet); protected by session + OS access control
  - Database: SQL code; protected by DB access control
- Slide 7
- Same Origin Policy (SOP) (diagram): the Google Mail page at www.gmail.com (DOM tree, JavaScript code) can read cookies from gmail.com but not cookies from microsoft.com; an AJAX request to www.microsoft.com (this action is now allowed)
- Slide 8
- Same-Session Policy
  - After authentication, a session is established, to avoid repetitive authentication
  - Session cookies: the authentication token
  - Same session, same privileges
- Slide 9
- Problems of SOP and SSP
  - Coarse granularity: one or nothing
  - No separation of privileges
  - Do we need to separate privileges?
- Slide 10
- Diversified Protection Needs (diagram): one page mixes first-party content (AddFriends.php, DeleteFriends.php, ViewFriends.php) in a trusted region with third-party content such as advertisements in semi-trusted and untrusted regions
- Slide 11
- The Loss of Trust State (diagram): F.php outputs an HTML page with a trusted region, a semi-trusted region and an untrusted region (trusted, semi-trusted and untrusted data); Button1, Button2 and Button3 invoke ViewFriends.php, AddFriends.php and DeleteFriends.php
  - The trust state of data gets lost: this led to the Same-Origin Policy
  - The trust status gets lost again: this led to the Same-Session Policy
- Slide 12
- Application-Specific Logic (diagram): besides browser-side access control (SOP), server-side access control (session + OS) and database-side access control (DB access control), application-specific access control has to live in the server-side code
- Slide 13
- Inadequate Access Control
  - Access control has to be built into program logic; not easy for programmers
  - 83% of web sites have at least one serious vulnerability
  - Deploy countermeasures in programs: developers need to be security experts. Do we have enough security experts?
  - I am a security expert, and I am afraid of writing web apps
  - Something is fundamentally wrong! Don't blame the developers; blame the Web's security infrastructure
- Slide 14
- Build Better Access Control (diagram): replace the browser-side, server-side and database-side access control of the previous diagram with a better access control system at each tier
- Slide 15
- The Benefit
  - Developers' security efforts are reduced: they only need to configure; enforcement is done by the system
  - Configuration, compared to implementation, is much easier to do, requires less security expertise, is less error prone and is easier to verify
- Slide 16
- Design Principles (images): civil engineering principles vs. security engineering principles
- Slide 17
- [Saltzer and Schroeder 1975]: 8 design principles for building protection systems
  - Economy of mechanism
  - Fail-safe defaults
  - Complete mediation
  - Open design
  - Separation of privilege
  - Least privilege
  - Least common mechanism
  - Psychological acceptability
- Slide 18
- Key Security Principles
  - Separation of privilege: partitioning access permissions (example: root vs. ordinary user account). SOP & SSP: privileges are not separated
  - Principle of least privilege: a program must have no more privileges than necessary for its legitimate purpose. SOP & SSP: do not support this principle
- Slide 19
- Requirements on the New Model
  - Finer granularity
  - Reflect the nature of trust: multi-level, multi-lateral, etc.
  - Consider the protection needs
  - Backward compatible
  - Well vetted: creativity is probably the enemy here
- Slide 20
- Final Choice: the Ring Model
  - Subjects and objects are labeled with rings
  - Widely used model: operating systems, etc.
- Slide 21
- Hierarchy
- Slide 22
- Ring-Based Access Control for the Web (diagram): rings 0, 1 and 2 span all three tiers. Browser: Escudo + SOP, with JavaScript code, URLs and form submits labelled Ring = 0, Ring = 1 and Ring = 2. Application server: Scuta + Session, with A.php, B.php, C.php and D.php placed in rings 0 to 2. Database: Scuta, with TableA, TableB and TableC placed in rings 0 to 2.
- Slide 23
- Escudo: "shield" in Portuguese
- Slide 24
- Example: HTML Encoding
- Slide 25
- Policy Integrity
  - Scoping rule: a div tag's principal ring is the lower bound for all its children
  - Node-splitting: use a tag (or nonce) to prevent malicious code
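The scoping rule above, worked through as an added example (not code from the talk or from Escudo itself): it assumes a div carries its ring in an `r` attribute, that unlabelled elements inherit the enclosing ring, and that unlabelled top-level content defaults to the least privileged ring (a fail-safe default in the sense of Slide 17); a child that declares a more privileged ring than its parent is clamped to the parent's ring and recorded as a policy violation.

```python
from html.parser import HTMLParser

RINGS = (0, 1, 2)   # Escudo rings: 0 = most privileged, 2 = least privileged
VOID = {"br", "img", "hr", "input", "meta", "link"}   # elements without an end tag

class EscudoRingResolver(HTMLParser):
    """Assign every element its effective Escudo ring.

    Assumption (the slides do not give the attribute syntax): a <div> declares
    its ring with an `r` attribute; elements without `r` inherit the enclosing
    ring. Scoping rule (Slide 25): a div's ring is the lower bound for all its
    children, so a child may be the same ring or a less privileged
    (higher-numbered) one, never a more privileged one.
    """
    def __init__(self, default_ring=RINGS[-1]):
        super().__init__()
        self.default_ring = default_ring   # ring for unlabelled top-level content
        self.stack = []                    # effective rings of the open elements
        self.resolved = []                 # (tag, declared ring, effective ring)
        self.violations = []               # (tag, declared ring, enclosing ring)

    def handle_starttag(self, tag, attrs):
        parent = self.stack[-1] if self.stack else None
        bound = RINGS[0] if parent is None else parent      # top level: no bound
        inherit = self.default_ring if parent is None else parent
        raw = dict(attrs).get("r")
        declared = inherit if raw is None else int(raw)
        if declared not in RINGS:
            raise ValueError(f"<{tag}> declares unknown ring {declared}")
        if declared < bound:                # tries to be more privileged than parent
            self.violations.append((tag, declared, bound))
        effective = max(declared, bound)    # clamp to the enclosing ring
        self.resolved.append((tag, declared, effective))
        if tag not in VOID:
            self.stack.append(effective)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def resolve_rings(html, default_ring=RINGS[-1]):
    """Return ([(tag, declared, effective), ...], [violations]) for a fragment."""
    p = EscudoRingResolver(default_ring)
    p.feed(html)
    p.close()
    return p.resolved, p.violations

# Constructed sample: a ring-0 page embedding a ring-2 comment region that
# contains a div claiming ring 0 (the claim is clamped and reported).
SAMPLE = ('<div r="0"><p>first party</p>'
          '<div r="2"><p>user comment</p><div r="0">smuggled</div></div></div>')
```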
- Slide 26
- Backward Compatibility
  - Escudo browsers with non-Escudo applications: all principals and objects belong to the same ring, mimicking the same-origin policy
  - Escudo applications with non-Escudo browsers: the configuration is ignored; the application still executes (no security)
- Slide 27
- Scuta: Roman Shield. Fill the gap (same diagram as Slide 22, now highlighting the application-server tier: Scuta + Session, with A.php to D.php in rings 0 to 2)
- Slide 28
- Scuta: Subsession (diagram)
  - Browser side: the page F.php holds JavaScript code in Ring 0 and in Ring 2, each calling F.php by URL
  - Server side: the session SID has subsession ids SubSID_0, SubSID_1 and SubSID_2, mapped to Ring 0, Ring 1 and Ring 2
  - A request from subsession 0 carries the cookies SubSID_0, SubSID_1, SubSID_2 and SID; a request from subsession 2 carries only SubSID_2 and SID
- Slide 29
- Scuta's Basic Access Control (diagram): the browser tier of the Slide 22 diagram (JavaScript code, URLs and submits at Ring = 0, 1 and 2) mapped onto A.php to D.php in rings 0 to 2 on the application server
- Slide 30
- Scuta: More Flexible Policy Support
  - Discretionary security policies, chosen from the ring of the request's subsession:

```php
switch (session_esubsid()) {
    case 0: /* Do Task A */ break;
    case 1: /* Do Task B */ break;
    case 2: /* Do Task C */ break;
}
```
- Slide 31
- Scuta: Gates (diagram: Ring 0, Ring 1, Ring 2 with a gate between them)
  - Exceptions are inevitable
  - Gates are like system calls: they provide controlled access
  - Example: DB modification is in Ring 0; a gate allows Ring 3 to modify the DB in a controlled way
- Slide 32
- Scuta at Database (same diagram as Slide 22, now highlighting the database tier: Scuta, with TableA, TableB and TableC in rings 0 to 2)
- Slide 33
- Another Gap (diagram): A.php, B.php, C.php and D.php run in rings 0 to 2 on the application server, but all of them reach TableA, TableB and TableC through the single database account dbuser
- Slide 34
- Fill the Gap (diagram): the application server connects as dbuser_0, dbuser_1 or dbuser_2 according to the ring, and TableA, TableB and TableC are placed in rings 0 to 2
- Slide 35
- Place Data in Rings
  - Use the GRANT command: fine granularity on tables, columns, and operations
  - Examples:

```sql
GRANT ALL ON TableA TO dbuser_0;
GRANT ALL ON TableB TO dbuser_1;
GRANT ALL (Profile, Name) ON TableC TO dbuser_1;
GRANT SELECT (Profile) ON TableC TO dbuser_2;
```
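The server-side mechanism of Slides 28 to 35 in one piece, as an added example that is not Scuta's own code: a session holds one subsession id per ring, browser-side code in a ring can only send the cookies of its own and less privileged rings, the server maps a request to the most privileged ring whose SubSID cookie checks out, and that ring selects both the discretionary-policy branch and the dbuser_N database account. Assumptions not on the slides: subsession ids are random tokens stored with the session, and a request carrying only the SID (a cross-site request, for instance) falls to the least privileged ring.

```python
import hmac
import secrets

RINGS = (0, 1, 2)                              # 0 = most privileged, 2 = least
DB_USER = {r: f"dbuser_{r}" for r in RINGS}    # per-ring database accounts (Slide 34)

def _eq(a, b):
    """Constant-time comparison of two cookie values."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())

class ScutaSession:
    """Server-side session carrying one subsession id per ring (Slide 28).

    Assumption: subsession ids are random tokens kept in the session record;
    the slides give the cookie names SubSID_<ring> and SID but not the format.
    """
    def __init__(self):
        self.sid = secrets.token_hex(16)
        self.subsid = {r: secrets.token_hex(16) for r in RINGS}

    def cookies_for_ring(self, ring):
        """Cookies that browser-side code in `ring` may see and send: SID plus
        the subsession ids of its own ring and every less privileged ring
        (ring 0 sends SubSID_0..2, ring 2 sends only SubSID_2, as on the slide)."""
        cookies = {"SID": self.sid}
        cookies.update({f"SubSID_{r}": self.subsid[r] for r in RINGS if r >= ring})
        return cookies

    def ring_of_request(self, cookies):
        """Map request cookies to a ring; None if the SID is not this session."""
        if not _eq(cookies.get("SID", ""), self.sid):
            return None
        for r in RINGS:                                   # most privileged first
            if _eq(cookies.get(f"SubSID_{r}", ""), self.subsid[r]):
                return r
        return RINGS[-1]                                  # fail-safe default

def handle_request(session, cookies):
    """Dispatch one request: ring, database account and policy branch (Slide 30)."""
    ring = session.ring_of_request(cookies)
    if ring is None:
        return None                                       # unauthenticated
    task = {0: "A", 1: "B", 2: "C"}[ring]                 # discretionary policy switch
    return {"ring": ring, "db_user": DB_USER[ring], "task": task}
```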
- Slide 36
- Scuta: Architecture (diagram): a web request enters the PHP code through an initialization step that sets up the run-time security context; Scuta is implemented as extensions of the Zend Engine, sitting between the PHP code and the session and database, before the reply goes out
- Slide 37
- Case Studies
  - Browser-side protection: Cross-Site Scripting attacks (XSS)
  - Same-origin requests: client-side extensions, server-side extensions
  - Cross-origin (or cross-site) requests: non-Ajax, Ajax
- Slide 38
- Defeating XSS Attacks with Escudo (diagram): first-party contents (trustworthy) in Ring 0; first-party contents readable by ads in Ring 1; other users' comments (untrusted) in Ring 2; session cookie in Ring 0
- Slide 39
- Client-Side Extensions: third-party JS code, advertisements
- Slide 40
- Secure Client-Side Extensions (diagram: Ring 0, Ring 1, Ring 2; a 3rd-party client-side extension with Display(), Modify() and Renew() calls)
- Slide 41
- Server-Side Extensions
  - Server-side code written by 3rd parties; Elgg has hundreds of such extensions (an App model)
  - Problematic server-side extensions: malicious, or vulnerable (the SQL injection case)
- Slide 42
- Secure Server-Side Extensions (diagram: Ring 0, Ring 1, Ring 2; trustworthy server-side extensions and not-so-trustworthy server-side extensions placed in different rings)
- Slide 43
- Cross-Site Requests (non-Ajax) (diagram): while browsing Facebook, the user's browser sends requests to Facebook.com (e.g., Delete Friends) carrying the session ID
- Slide 44
- Secure Cross-Site Requests (diagram): Facebook's Scuta configuration with Ring 0, Ring 1, Ring 2; cross-site requests are mapped to the least privileged ring
- Slide 45
- Cross-Site Ajax Request
  - Security policy: not allowed in the past, allowed now
  - Access control model: the new Origin header, white lists
  - Problems: Origin is too coarse-grained; A trusts B does not mean A trusts the ads on B's page (Case 2)
- Slide 46
- Secure Cross-Site Ajax Requests (diagram): the server's Scuta configuration (Ring 0, Ring 1, Ring 2) and the browser's Escudo configuration (Ring 0, Ring 1, Ring 2), connected by origin-based ring mapping (Case 2)
- Slide 47
- Summary
  - The Web is becoming part of the infrastructure; it should not be treated as yet another application. We need more system thinking for security
  - Web security is a major problem: all web applications need to think about security
  - Good system support partially frees developers, so they can focus more on application logic
  - We are working on developing such system support: browser-side, server-side and database-side