PPTX - Jonathan Burket

greenpepperwhinny, category: Security

3 Nov 2013 (3 years and 9 months ago)

91 views


A Data-Centric Web Application Security Framework

Jonathan Burket, Patrick Mutchler, Michael Weaver,

Muzzammil Zaveri, and David Evans


University of Virginia

http://guardrails.cs.virginia.edu


GuardRails


Web applications are easier to create than ever!

Securing web applications is not nearly as easy!

"><script>alert(document.cookie);</script>


[Diagram, built up over several slides: an Application with Pages A, B, C and D, each of which reads a Data Object; the Data Object's contents end up in the Output HTML; in the final version a Proxy that Enforces Security Policies sits between the pages and the Data Object]

Our Philosophy

Security policies should be attached to the data

Security policies should be enforced automatically

[Diagram: GuardRails takes Annotated Ruby on Rails Code and produces Secure Ruby on Rails Code, using Access Control Policies and Fine-Grained Taint-Tracking; stated aims: Prevent Bugs and Security Vulnerabilities, Improve Readability, Easy to Use]

Design Goals

Top Priority:
  Automatically enforce security policies

Other Objectives:
  Preserve application functionality
  Easy for developers to use

Lesser Goals:
  Minimize performance cost





Excerpt from the project model (project.rb), as shown on the slide:

  if include_subprojects && !active_children.empty?
    ids = [id] + active_children.collect {|c| c.id}
    conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]



The same excerpt with the visibility check added to the query condition:

  if include_subprojects && !active_children.empty?
    ids = [id] + active_children.collect {|c| c.id}
    conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND
                   #{Project.visible_by}"]


Access checks scattered across the application's source files:

  application_helper.rb    4 checks
  project.rb               2 checks
  projects_controller.rb   3 checks
  acts_as_searchable.rb    1 check

Replaced by 1 GuardRails annotation in the Project model file:

  # @ :read, :self, lambda{|user| self.is_public or user.memberships.include? self.id}
  class Project < ActiveRecord::Base
    # Project statuses
    STATUS_ACTIVE = 1…

Access Control Policy Annotations

  # @ (policy_type, [target], [handler], mediator)

  # @ :delete, :self, :admin
  # @ :write, :password, lambda{|user| user.id == self.id}
  # @ :append, :members, lambda{|user| user.belongs_to?(self)}
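The policy-then-proxy model these annotations describe, as an added Ruby illustration rather than GuardRails's own code: a hypothetical POLICIES table stands in for the `# @` comment annotations, User, Project and GuardedProxy are assumed names, and the mediator forms (the role symbol `:admin`, a lambda over the acting user) follow the slide.

```ruby
class PolicyViolation < StandardError; end
# Hypothetical user record; belongs_to? mirrors the mediator used on the slide.
User = Struct.new(:id, :admin) do
  def belongs_to?(project)
    project.members.include?(id)
  end
end

class Project
  attr_accessor :id, :password, :members
  # Hypothetical policy table standing in for the "# @" comment annotations:
  # key is (policy type, target), value is the mediator (role symbol or lambda).
  POLICIES = {
    [:delete, :self]     => :admin,
    [:write,  :password] => ->(user, obj) { user.id == obj.id },
    [:append, :members]  => ->(user, obj) { user.belongs_to?(obj) },
  }
  def initialize(id, members)
    @id, @members, @password = id, members, "initial"
  end
end

# The proxy every access goes through: it evaluates the mediator attached to
# the data object for the acting user before delegating the operation.
class GuardedProxy
  def initialize(obj, user)
    @obj, @user = obj, user
  end
  # A role mediator is checked against the user's flag, a lambda is called;
  # an operation with no policy attached is allowed.
  def permitted?(type, target)
    mediator = @obj.class::POLICIES[[type, target]]
    return true if mediator.nil?
    return @user.admin if mediator == :admin
    mediator.call(@user, @obj)
  end
  def write_password(value)
    raise PolicyViolation, "write :password denied" unless permitted?(:write, :password)
    @obj.password = value
  end
  def append_member(user_id)
    raise PolicyViolation, "append :members denied" unless permitted?(:append, :members)
    @obj.members << user_id
  end
  def delete!
    raise PolicyViolation, "delete :self denied" unless permitted?(:delete, :self)
    :deleted
  end
end
```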


Dynamic Taint Tracking

Protects against injection attacks

SQL Injection:

  "SELECT profile FROM users WHERE username='" + user_name + "'"

  Good: user_name = "jazzFan26"
  Bad:  user_name = "'; DROP TABLE users --"

Cross-Site Scripting:

  "User: <a href='profile_page'>" + user_name + "</a>"

  Good: user_name = "DrKevinPhillips"
  Bad:  user_name = "<script language='javascript'>alert('document.cookie');</script>"

[Diagram: Pages A, B, C and D of the Application read a Data Object whose contents end up in the Output HTML]

Taint Propagation

[Diagram: URL Parameters, Form Data and Other User Input enter the Controller; Data together with its Taint Status flows between Controller, Model and Database and on into the View; Tainted HTML passes through Sanitization to become Safe HTML]

Expressive Taint Status

String value: "<a href='profile?id=184392'><evil>SoccerFan1985</evil></a>"

Taint, by character index (different chunks):

  Character Index   Taint
  29                <Transformer::Identity>
  51                <Transformer::Default>
  55                <Transformer::Identity>

Transformers

  {:HTML => {
      "//script" => NoDisplay,
      :default => NoHTMLAllowed
    },
   :SQL => SQLSanitize,
   :Ruby_eval => NoDisplay}

The Default Transformer: Use Context -> Appropriate Sanitization Routine

Transformers

[Diagram: Raw String Chunk 1, 2 and 3 each pass through their own Transformer 1, 2 and 3; given the Use Context, each transformer emits a Sanitized Chunk, and the sanitized chunks are joined into the Sanitized String]

Transformer Annotations

Different sanitization policies in different contexts

Context specified with XPath

  # @ :taint, :username, {:HTML => AlphaNumericOnly}

  # @ :taint, :full_name, {:HTML => {TitleTag => LettersAndSpacesOnly,
                                     :default => NoHTML}}

  # @ :taint, :profile, {:HTML => {"//script" => Invisible,
                                   :default => BoldItalicUnderlineOnly}}

  # @ taint, target, transformer
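An added Ruby illustration (not GuardRails's own code) of the chunked taint status, the context-keyed transformer table and the taint annotations above: Chunk, TaintedString and render_profile_link are assumed names, CGI.escapeHTML stands in for NoHTMLAllowed and quote doubling for SQLSanitize, and the per-element XPath contexts (TitleTag, "//script") are not modelled.

```ruby
require "cgi"

# Each chunk carries its transformer tag: :identity for trusted literals,
# :default for untrusted input that must go through the context's sanitizer.
Chunk = Struct.new(:text, :transformer)

class TaintedString
  # Hypothetical transformer table keyed by use context, after the slide's
  # {:HTML => NoHTMLAllowed, :SQL => SQLSanitize}; quote doubling is a
  # simplified stand-in for a real SQL sanitizer.
  TRANSFORMERS = {
    HTML: ->(s) { CGI.escapeHTML(s) },
    SQL:  ->(s) { s.gsub("'", "''") },
  }
  attr_reader :chunks
  def initialize(chunks)
    @chunks = chunks
  end
  def self.trusted(text)
    new([Chunk.new(text, :identity)])
  end
  def self.tainted(text)
    new([Chunk.new(text, :default)])
  end

  # Concatenation keeps the chunk boundaries, so taint propagates exactly.
  def +(other)
    TaintedString.new(chunks + other.chunks)
  end

  # [start index, transformer] per chunk: the slide's character-index table.
  def boundaries
    idx = 0
    chunks.map { |c| start = idx; idx += c.text.length; [start, c.transformer] }
  end

  # Sanitize only the tainted chunks with the routine for this use context.
  def sanitize(context)
    routine = TRANSFORMERS.fetch(context)
    chunks.map { |c| c.transformer == :identity ? c.text : routine.call(c.text) }.join
  end
end

# The slide's profile link: trusted markup around an untrusted user name.
def render_profile_link(user_name)
  link = TaintedString.trusted("<a href='profile?id=184392'>") +
         TaintedString.tainted(user_name) + TaintedString.trusted("</a>")
  link.sanitize(:HTML)
end
```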



Test Applications

  Application Type     Size
  Image Gallery        680 lines
  E-Commerce           5556 lines
  Project Management   30747 lines
  E-Commerce           11561 lines

Performance Notes

[Chart: Relative Transaction Time (Normalized) for Onyx, Redmine and PaperTracks, with one bar each for Original Application, Access Control Only, Taint Tracking Only and Full System; the tallest bar is labelled 10.7]
Try GuardRails

Alpha Release Now Available!

Our Web Page: http://guardrails.cs.virginia.edu

Full source code can be downloaded from GitHub

Contact Info: guardrails@cs.virginia.edu

Questions?
