Wenliang (Kevin) Du

Uploaded by sweetlipscaste (category: Security), 2 Nov 2013

Wenliang (Kevin) Du

Associate Professor

Department of Electrical Engineering & Computer Science

Syracuse University


Joint work with Dr. Karthick Jayaraman, Tongbo Luo, Xi Tan, and Dr. Zutao Zhu

Presentation at Microsoft Research, Redmond, 7/28/2011.

Overview


Access control in the Web


Our positions on Web’s access control


Our approaches to improve web security


Escudo: Browser-side access control


Scuta: Server-side access control


Database-side access control

The Alarming Situation

Vulnerabilities of web applications (from WhiteHat Security)

The Overall Web Architecture

[Figure: Web Browser ↔ Application Server (e.g., PHP, Java Servlet) ↔ Database (e.g., MySQL)]

A Web Application Example

Current Access Control Systems








[Figure: the Web Application Server runs server-side code (PHP, C#, Java Servlet) and SQL code against the Database; the Web Browser renders the HTML page, JavaScript code and static contents. Enforcement points shown: Browser Access Control (SOP), Session + OS Access Control, DB Access Control.]

Same Origin Policy (SOP)

[Figure: the Google Mail page in the browser holds a DOM tree, cookies from Gmail.com and JavaScript code from www.gmail.com, which may access both and issue AJAX requests back to www.gmail.com. JavaScript code from www.microsoft.com, carrying cookies from Microsoft.com, may not touch Gmail's DOM tree or cookies: this action is not allowed.]

Same-Session Policy


After authentication, a session is established


Avoid repetitive authentication


Session cookies: authentication token


Same session, same privileges

Problems of SOP and SSP


Coarse granularity: all or nothing


No separation of privileges


Do we need to separate privileges?

Diversified Protection Needs

[Figure: one page with regions of different protection needs. Trusted Region and Semi-Trusted Region: first-party content, including the AddFriends.php, DeleteFriends.php and ViewFriends.php actions. Untrusted Regions: third-party content such as Advertisements.]

The Loss of Trust State

[Figure: F.php consumes Trusted Data, Semi-Trusted Data and Un-trusted Data; its output HTML page contains a Trusted Region (Button1), a Semi-Trusted Region (Button2) and an Un-trusted Region (Button3), whose buttons invoke ViewFriends.php, AddFriends.php and DeleteFriends.php.]


Trust state of data gets lost: led to the Same-Origin Policy.


Trust status gets lost again: led to the "Same-Session Policy".

Application-Specific Logic

[Figure: the same architecture (Web Browser with HTML page, JavaScript code and static contents; server-side code and SQL code; Database), annotated with Browser-side Access Control (SOP), Server-side Access Control (Session + OS access control), Database-side Access Control (DB access control), and Application-specific Access Control implemented inside the program logic.]

Inadequate Access Control


Access control has to be built into program logic


Not easy for programmers


83% of web sites have at least one serious vulnerability


Deploy countermeasures in programs.


Developers need to be security experts


Do we have enough security experts?


I am a security expert, I am afraid of writing web apps.


Something is fundamentally wrong!


Don’t blame the developers


Blame the Web’s security infrastructure


Build Better Access Control








[Figure: the same architecture, with a Better Access Control System spanning the browser side, the server side and the database side and taking over what was Application-specific Access Control.]

The Benefit


Developers’ security efforts are reduced


They only need to “configure”


Enforcement is done by the system


Configuration, compared to Implementation:


Much easier to do


Require less security expertise


Less error prone


Easier to verify



Design Principles

Civil Engineering Principles

Security Engineering Principles

Security Engineering Principles


[Saltzer and Schroeder 1975]: 8 design principles for building protection systems:


Economy of mechanism


Fail-safe defaults


Complete mediation


Open design


Separation of privilege


Least privilege


Least common mechanism


Psychological acceptability

Key Security Principles


Separation of privilege


Partitioning access permissions


Example: Root vs. Ordinary user account


SOP & SSP: privileges are not separated



Principle of least privilege


A program must have no more privileges than necessary for its legitimate purpose


SOP & SSP: do not support this principle


Requirement on the New Model


Finer Granularity


Reflect the nature of “Trust”


Multi-level, multi-lateral, etc.


Considering the Protection needs


Backward compatible


Well Vetted


Creativity is probably the enemy here.

Final Choice: the Ring model


Subjects and objects are labeled with rings


Widely used model: operating system, etc.

Hierarchy

[Figure: rings 0, 1, 2 at every tier. Browser (Escudo + SOP): JavaScript code in Ring = 0, Ring = 1 and Ring = 2 issues requests (URL, submit). Application Server (Scuta + Session): A.php serves each request in the matching ring 0, 1 or 2. Database (Scuta): TableA, rings 0, 1, 2.]

Escudo: Shield in Portuguese

Regions of the HTML page are labelled with rings, e.g.

    <div ring=3>
        ...
    </div>

Policy Integrity


Scoping Rule: a "div" tag's principal ring is the lower bound for all its children


Node-splitting: use a tag (or nonce) to prevent it. An injected payload inside an untrusted region tries to close that region and open a more privileged one:

    </div>
    <div ring=0>
        malicious code
    </div>
    <div>
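The scoping rule and the nonce defence against node-splitting, as an added example in JavaScript; this is not Escudo's own code. It parses a tiny HTML subset into ring-labelled regions and compares a browser that closes the innermost region on any `</div>` with one that only honours a close tag carrying the region's own nonce. The attribute syntax `ring=` / `nonce=`, the convention that a larger ring number means less privilege, the access rule "a subject in ring s may access an object in ring o iff s <= o", and the sample page are all assumptions constructed for this demo.

```javascript
// Added example, not Escudo's code. Assumptions: regions are
// <div ring=N nonce=X> ... </div nonce=X>; larger ring = less privilege;
// subject ring s may access object ring o iff s <= o.
"use strict";

// Parse the attributes of one <div ...> or </div ...> tag.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/(\w+)=("[^"]*"|[^\s>"]+)/g)) {
    attrs[m[1]] = m[2].replace(/^"|"$/g, "");
  }
  return attrs;
}

// Build the region tree. enforceNonce=false: any </div> closes the innermost
// region. enforceNonce=true: only a close tag carrying the region's nonce may
// close it, and anything opened inside it (e.g. injected markup) closes too.
function parseRegions(html, enforceNonce, rootRing = 0) {
  const root = { ring: rootRing, effRing: rootRing, nonce: null, text: "", children: [] };
  const stack = [root];
  let last = 0;
  for (const m of html.matchAll(/<\/?div\b[^>]*>/g)) {
    const top = stack[stack.length - 1];
    top.text += html.slice(last, m.index);        // text belongs to the innermost open region
    last = m.index + m[0].length;
    const attrs = parseAttrs(m[0]);
    if (m[0].startsWith("</")) {
      if (!enforceNonce) { if (stack.length > 1) stack.pop(); continue; }
      let i = -1;
      if (attrs.nonce !== undefined) {
        for (let k = stack.length - 1; k > 0; k--) {
          if (stack[k].nonce === attrs.nonce) { i = k; break; }
        }
      }
      if (i > 0) stack.length = i;                 // pop the region and everything above it
      else top.text += m[0];                       // forged or unnonced close tag is plain text
      continue;
    }
    const declared = attrs.ring === undefined ? top.effRing : Number(attrs.ring);
    const node = {
      ring: declared,
      // Scoping rule: the parent's ring is the lower bound on privilege, so a
      // child can never end up more privileged (smaller ring) than its parent.
      effRing: Math.max(declared, top.effRing),
      nonce: attrs.nonce === undefined ? null : attrs.nonce,
      text: "", children: [],
    };
    top.children.push(node);
    stack.push(node);
  }
  stack[stack.length - 1].text += html.slice(last);
  return root;
}

function flattenRegions(node, out = []) {
  for (const c of node.children) { out.push(c); flattenRegions(c, out); }
  return out;
}

function canAccess(subjectRing, objectRing) { return subjectRing <= objectRing; }

// Constructed sample: a trusted ring-0 widget, then a ring-2 region rendering
// another user's comment that attempts node-splitting to reach ring 0.
const SAMPLE_COMMENT = '</div><div ring=0>steal cookies</div><div>';
const SAMPLE_PAGE =
  '<div ring=0 nonce="k1">welcome, alice</div nonce="k1">' +
  '<div ring=2 nonce="k2">' + SAMPLE_COMMENT + '</div nonce="k2">footer';

// Effective ring of the injected text with and without nonce enforcement, and
// whether code in that ring could touch the ring-0 widget under Escudo.
function demo(page = SAMPLE_PAGE) {
  const ringOf = (enforce) =>
    flattenRegions(parseRegions(page, enforce)).find(n => n.text.includes("steal cookies")).effRing;
  const escudoRing = ringOf(true);
  return { weakRing: ringOf(false), escudoRing, commentCanReadWidget: canAccess(escudoRing, 0) };
}

console.log(demo());
```

Without the nonce check the forged `</div>` closes the comment region and the attacker's `<div ring=0>` becomes a sibling in ring 0; with it, the forged close tag is just text, the injected `<div ring=0>` is clamped to ring 2 by the scoping rule, and the legitimate `</div nonce="k2">` closes the whole subtree so the rest of the page is unaffected.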

Backward Compatibility


Escudo Browsers with Non-Escudo Applications


All principals and objects belong to the same ring, mimicking the same-origin policy


Escudo Applications with Non-Escudo Browsers


The configuration is ignored


Application still executes (no security)

Scuta: Roman Shield

[Figure: the hierarchy diagram again (Browser: Escudo + SOP; Application Server: Scuta + Session, A.php; Database: Scuta, TableA; rings 0, 1, 2 at each tier), with "Fill the gap" arrows pointing at the Application Server and Database tiers.]

Scuta: Subsession

[Figure: Browser side: a web page with a Ring = 0 region and a Ring = 2 region, each containing JavaScript code that calls F.php via a URL. The browser holds the cookies SubSID_0, SubSID_1, SubSID_2 and SID. The request from the Ring 0 region carries cookies SubSID_0, SubSID_1, SubSID_2, SID and opens Subsession = 0; the request from the Ring 2 region carries only SubSID_2, SID and opens Subsession = 2. Server side: F.php executes in Ring 0, Ring 1 or Ring 2 according to the subsession.]

Scuta’s Basic Access Control

[Figure: JavaScript code in browser Ring = 0, 1 or 2 sends a request (URL, submit) to A.php; on the Application Server the request is served in the same ring 0, 1 or 2.]

Scuta: More Flexible Policy


Support Discretionary Security Policies, e.g. a PHP script that branches on its subsession ring:

    switch (session_esubsid()) {
        case 0: /* Do Task A */
            break;
        case 1: /* Do Task B */
            break;
        case 2: /* Do Task C */
            break;
    }

Scuta: Gates

[Figure: Ring 0, Ring 1, Ring 2, with a gate leading from the outer rings into Ring 0.]


Exceptions are inevitable


Like system calls


Provide controlled access


Example


DB modification: Ring 0


Allow Ring 3 to modify the DB in a controlled way.


Scuta at Database

[Figure: the hierarchy diagram again, now highlighting the Database tier (Scuta, TableA, rings 0, 1, 2).]

Another Gap

[Figure: A.php runs in ring 0, 1 or 2 on the Application Server, but every ring reaches TableA in the Database through the same single account, dbuser.]

Fill the Gap

[Figure: A.php in ring 0, 1 or 2 connects to the Database as dbuser_0, dbuser_1 or dbuser_2 respectively, so the Database sees a different account per ring when TableA is accessed.]
Place Data in Rings


Use the GRANT command


Fine granularity on tables, columns, and operations


Examples (MySQL syntax; column-level privileges can only be SELECT, INSERT, UPDATE and REFERENCES, so "ALL" on a column list has to be spelled out):

    GRANT ALL ON TableA TO dbuser_0;

    GRANT ALL ON TableB TO dbuser_1;

    GRANT SELECT (Profile, Name), INSERT (Profile, Name), UPDATE (Profile, Name)
        ON TableC TO dbuser_1;

    GRANT SELECT (Profile) ON TableC TO dbuser_2;

Scuta: Architecture

[Figure: a Web Request enters the Zend Engine; Scuta's Initialization derives a Run-time Security Context from the Session; the PHP Code runs with Scuta's Extensions mediating access to the Database; the Reply is returned.]

Case Studies


Browser-side Protection


Cross-Site Scripting Attacks (XSS)


Same-Origin Requests


Client-side extensions


Server-side extensions


Cross-Origin (or Cross-Site) Requests


Non-Ajax


Ajax

Defeating XSS Attacks with Escudo

[Figure: the page is partitioned into rings: First-Party Contents (trustworthy) in Ring 0, together with the Session Cookie (Ring 0); First-Party Contents readable by ads in Ring 1; other users' comments (untrusted) in Ring 2.]

Client-Side Extensions

[Figure: third-party JS code and Advertisements embedded in the page.]


Secure Client-Side Extensions

[Figure: a 3rd-party client-side extension split across rings: its Display(), Modify() and Renew() entry points are placed in Ring 0, Ring 1 and Ring 2.]
Server-Side Extensions


Server-side code written by 3rd parties


Elgg has hundreds of such extensions


An "App" model


Problematic Server-Side Extensions


Malicious


Vulnerable: the SQL Injection case

Secure Server-Side Extensions

[Figure: Ring 0, Ring 1, Ring 2; trustworthy server-side extensions run in an inner ring, not-so-trustworthy server-side extensions in an outer ring.]

Cross-Site Requests (non-Ajax)

[Figure: the user's browser is browsing Facebook (Facebook.com) while another site issues a cross-site request to it, e.g. Delete Friends.]


Secure Cross-Site Requests

[Figure: Facebook's Scuta Configuration with Ring 0, Ring 1, Ring 2; the cross-site request lands in the outermost ring.]

Cross-Site Requests


Cross-Site Requests are Mapped to the Least Privileged Ring

Cross-Site Ajax Request


Security Policy


Not allowed in the past


Allowed now (cross-origin resource sharing)


Access Control Model


The new "Origin" header


Whitelists


Problems


"Origin" is too coarse-grained


A trusts B does not mean A trusts the Ads on B's page.

Case 2


Secure Cross-Site Ajax Requests

[Figure: the server's Scuta Configuration (Ring 0, Ring 1, Ring 2) and the browser's Escudo Configuration (Ring 0, Ring 1, Ring 2) are connected by an Origin-based Ring Mapping.]
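An origin-based ring mapping for cross-site Ajax requests, as an added example in Node.js; this is not Scuta's or Escudo's code. It assumes the server's Scuta configuration is a whitelist of exact origins with a ring each, that the browser's Escudo configuration forwards the requesting principal's ring in an `X-Escudo-Ring` header (an invented header name), and that the request runs in the less privileged of the two rings, so trusting site B does not extend to the ads on B's page. The origins and requests are constructed samples.

```javascript
// Added example, not Scuta's or Escudo's code. Assumptions: exact-origin
// whitelist with a ring per origin; the browser reports the requester's ring
// in an invented "X-Escudo-Ring" header; result = max(originRing, principalRing).
"use strict";

const LEAST = 2;   // least privileged ring

// Server-side Scuta configuration for site A (constructed sample).
const ORIGIN_RINGS = {
  "https://partner.example": 1,        // B: a trusted partner, but never ring 0
  "https://cdn.example:8443": 2,
};

// Normalise an Origin header value to scheme://host[:port]. Anything that is
// not a bare origin ("null", a path, userinfo, a query) maps to null.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.username || u.password || u.search || u.hash) return null;
  if (u.pathname !== "/" && u.pathname !== "") return null;
  return u.origin;   // lowercases the host and drops default ports
}

function ringForCrossSiteRequest(headers, config = ORIGIN_RINGS) {
  const origin = normalizeOrigin(headers.origin);
  // Exact match only: "https://partner.example.evil" or a different port on a
  // whitelisted host must not inherit the partner's ring.
  const originRing = origin !== null && Object.prototype.hasOwnProperty.call(config, origin)
    ? config[origin] : LEAST;
  // The requester's own ring as claimed by an Escudo browser; a missing,
  // malformed or out-of-range claim counts as least privileged.
  const raw = headers["x-escudo-ring"];
  const claimed = typeof raw === "string" && /^\d+$/.test(raw) ? Number(raw) : NaN;
  const principalRing = Number.isInteger(claimed) && claimed <= LEAST ? claimed : LEAST;
  return Math.max(originRing, principalRing);   // the less privileged ring wins
}

// Constructed requests: B's first-party code, an ad inside B's page, a
// look-alike origin, a non-whitelisted port, an opaque origin, an over-claim.
function demo() {
  const req = (origin, ring) => ringForCrossSiteRequest({ origin, "x-escudo-ring": ring });
  return {
    partnerCode: req("https://partner.example", "1"),
    adOnPartner: req("https://partner.example", "2"),
    lookAlike: req("https://partner.example.evil", "0"),
    portTrick: req("https://partner.example:8443", "1"),
    nullOrigin: req("null", "0"),
    overclaim: req("https://partner.example", "0"),
    noClaim: ringForCrossSiteRequest({ origin: "https://partner.example" }),
  };
}

console.log(demo());
```

The whitelist never grants more than the origin's configured ring (the over-claim case stays at ring 1), and the principal's ring can only lower privilege further, which is how the "ads on B's page" problem from the previous slide is handled.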

Summary


Web is becoming part of the infrastructure


Should not be treated as yet another application.


Need more system thinking for security


Web Security is a major problem


All web applications need to think about security


Good system support partially frees developers


So they can focus more on application logic


We are working on developing such a system support


Browser-side support


Server-side support


Database-side support