A Data-Centric Web Application Security Framework
Jonathan Burket, Patrick Mutchler, Michael Weaver,
Muzzammil Zaveri, and David Evans
University of Virginia
http://guardrails.cs.virginia.edu
GuardRails
Web applications are easier to create than ever!

Securing web applications is not nearly as easy!

Demo payload: "><script>alert(document.cookie);</script>
[Diagram: an Application with Pages A, B, C and D, each reading a Data Object]

[Diagram: the same application; each page reads the Data Object and produces Output HTML, so every page must protect the data correctly]

[Diagram: a Proxy that Enforces Security Policies placed between the pages and the Data Object, so the check is made on the data rather than in every page]
Our Philosophy

Security policies should be attached to the data
Security policies should be enforced automatically
[Diagram: Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code]
Design Goals
Top Priority:
Automatically enforce security policies
Other Objectives:
Preserve application functionality
Easy for developers to use
Lesser Goals:
Minimize performance cost
Access Control Policies

[Diagram: Annotated Ruby on Rails Code -> GuardRails (Access Control Policies, Fine Grained Taint-Tracking) -> Secure Ruby on Rails Code]
Example from Redmine's Project model (one of the test applications): the query condition is only correct if it also enforces project visibility.

Before (no access check in the condition):
  if include_subprojects && !active_children.empty?
    ids = [id] + active_children.collect {|c| c.id}
    conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]

After (visibility check added by hand):
  if include_subprojects && !active_children.empty?
    ids = [id] + active_children.collect {|c| c.id}
    conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND #{Project.visible_by}"]
In Redmine the same visibility check is repeated across files:
  application_helper.rb    4 checks
  project.rb               2 checks
  projects_controller.rb   3 checks
  acts_as_searchable.rb    1 check
With GuardRails, 1 annotation in the Project model file replaces all of them:

# @ :read, :self, lambda{|user| self.is_public or user.memberships.include? self.id}
class Project < ActiveRecord::Base
  # Project statuses
  STATUS_ACTIVE = 1…

The same policy written without the explicit :self target:
# @ :read, lambda{|user| self.is_public or user.memberships.include? self.id}

Access Control Policy Annotations

# @ (policy_type, [target], [handler], mediator)
# @ :delete, :self, :admin
# @ :write, :password, lambda{|user| user.id == self.id}
# @ :append, :members, lambda{|user| user.belongs_to?(self)}
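The policy model on these slides, reduced to running code: policies are declared next to the data object in the slides' (policy_type, target, mediator) shape and enforced by a proxy that stands between application code and the object. This is an added example, not GuardRails' own implementation. The User and Project classes, the PolicyProxy, the :write policy and the deny-by-default for unannotated operations are all assumptions made for the example; the three policies carried over from the slides are marked.

```ruby
# Added example (not GuardRails' code): data-attached policies enforced by a proxy.

class PolicyError < StandardError; end

# Constructed stand-ins for the Rails models. User#memberships holds the ids of
# the projects the user belongs to; User#admin? backs the :admin mediator.
User = Struct.new(:id, :admin, :memberships) do
  def admin?
    admin
  end

  def belongs_to?(project)
    memberships.include?(project.id)
  end
end

class Project
  attr_accessor :id, :name, :is_public, :members, :deleted

  def initialize(id:, name:, is_public:, members: [])
    @id, @name, @is_public, @members, @deleted = id, name, is_public, members, false
  end
end

# Each entry is (policy_type, target, mediator); the optional handler is omitted.
# A lambda mediator runs with the data object as self, so `is_public` and `id`
# refer to the Project, exactly as in the slides' annotations.
PROJECT_POLICIES = [
  # @ :read, :self, lambda{|user| self.is_public or user.memberships.include? self.id}
  [:read,   :self,    ->(user) { is_public || user.memberships.include?(id) }],
  # @ :delete, :self, :admin
  [:delete, :self,    :admin],
  # @ :append, :members, lambda{|user| user.belongs_to?(self)}
  [:append, :members, ->(user) { user.belongs_to?(self) }],
  # Assumed for this example (not on the slides): only members may modify a project.
  [:write,  :self,    ->(user) { user.belongs_to?(self) }],
].freeze

# The enforcing proxy: application code never touches the Project directly, so a
# page that forgets its own visibility check still cannot leak a private project.
class PolicyProxy
  def initialize(object, policies, current_user)
    @object, @policies, @user = object, policies, current_user
  end

  # A policy applies when its type matches and its target is the attribute being
  # accessed or the whole object (:self). No applicable policy means deny; that
  # default is this example's choice, the slides do not specify one.
  def permitted?(type, target)
    applicable = @policies.select { |t, tgt, _| t == type && (tgt == target || tgt == :self) }
    return false if applicable.empty?
    applicable.all? { |_, _, mediator| mediate(mediator) }
  end

  def read(attr)
    authorize!(:read, attr)
    @object.public_send(attr)
  end

  def write(attr, value)
    authorize!(:write, attr)
    @object.public_send("#{attr}=", value)
  end

  def append(attr, value)
    authorize!(:append, attr)
    @object.public_send(attr) << value
  end

  def delete
    authorize!(:delete, :self)
    @object.deleted = true
  end

  private

  def authorize!(type, target)
    return if permitted?(type, target)
    raise PolicyError, "user #{@user.id} may not #{type} #{target} of project #{@object.id}"
  end

  def mediate(mediator)
    case mediator
    when :admin then @user.admin?
    when Proc   then @object.instance_exec(@user, &mediator) ? true : false
    else raise ArgumentError, "unknown mediator #{mediator.inspect}"
    end
  end
end

# What Redmine's scattered visibility checks compute by hand, derived here from
# the single :read policy: the ids of the projects a user may see.
def visible_project_ids(user, projects)
  projects.select { |p| PolicyProxy.new(p, PROJECT_POLICIES, user).permitted?(:read, :self) }
          .map(&:id)
end

if $PROGRAM_NAME == __FILE__
  alice = User.new(1, false, [20])
  priv  = Project.new(id: 20, name: 'Secret', is_public: false, members: [1])
  pub   = Project.new(id: 10, name: 'Public', is_public: true)
  p visible_project_ids(alice, [pub, priv])
end
```

The point to notice is where the check lives: visible_project_ids contains no visibility logic of its own, it only asks the proxy, so adding a fifth page that lists projects cannot reintroduce the Redmine bug.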
Fine Grained Taint-Tracking

[Diagram: Annotated Ruby on Rails Code -> GuardRails (Access Control Policies, Fine Grained Taint-Tracking) -> Secure Ruby on Rails Code]
Dynamic Taint Tracking
Protects against injection attacks

SQL Injection:
  "SELECT profile FROM users WHERE username='" + user_name + "'"
  Good: user_name = "jazzFan26"
  Bad:  user_name = "'; DROP TABLE users--"

Cross-Site Scripting:
  "User: <a href='profile_page'>" + user_name + "</a>"
  Good: user_name = "DrKevinPhillips"
  Bad:  user_name = "<script language='javascript'>alert(document.cookie);</script>"
[Diagram: Application pages A, B, C and D read a Data Object and emit Output HTML; taint carried by the Data Object flows into the HTML]

Taint Propagation

[Diagram: URL Parameters, Form Data and Other User Input enter the Controller; data and its Taint Status are stored through the Model in the Database; the View produces Tainted HTML, which passes through Sanitization to become Safe HTML]
Expressive Taint Status

String value: "<a href='profile?id=184392'><evil>SoccerFan1985</evil></a>"

Taint is recorded per chunk, with chunk boundaries at character indices 29, 51 and 55:
  chunk 1 (trusted link markup)     <Transformer::Identity>
  chunk 2 (user-supplied name)      <Transformer::Default>
  chunk 3 (trusted closing tag)     <Transformer::Identity>

Different chunks of one string carry different taint status.
Transformers

The Default Transformer:
{:HTML => {
    "//script" => NoDisplay,
    :default => NoHTMLAllowed
  },
 :SQL => SQLSanitize,
 :Ruby_eval => NoDisplay}

Each use context (:HTML, :SQL, :Ruby_eval) maps to the appropriate sanitization routine; within HTML, the "//script" path selects a stricter routine for text that would land inside a script element.
[Diagram: each Raw String Chunk passes through its own Transformer (Chunk 1 / Transformer 1, Chunk 2 / Transformer 2, Chunk 3 / Transformer 3) for the current Use Context; the Sanitized Chunks are joined into the Sanitized String]
Transformer Annotations

# @ :taint, target, transformer

# @ :taint, :username, {:HTML => AlphaNumericOnly}
# @ :taint, :full_name, {:HTML => {TitleTag => LettersAndSpacesOnly, :default => NoHTML}}
# @ :taint, :profile, {:HTML => {"//script" => Invisible, :default => BoldItalicUnderlineOnly}}
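The three taint-tracking slides above (the per-chunk taint status, the context-keyed transformer table, and the :taint annotations) fit in one small model, given here as an added example rather than GuardRails' own code. It also covers the SQL injection and cross-site scripting strings from the injection slide. The TaintedString class, the Chunk struct, the concrete sanitizer bodies (NO_HTML, ALPHANUMERIC_ONLY, BOLD_ITALIC_UNDERLINE_ONLY, SQL_SANITIZE, NO_DISPLAY) and the way an HTML sub-context such as TitleTag or "//script" is selected are all assumptions of the example; the sample inputs are constructed.

```ruby
require 'cgi'

# Added example (not GuardRails' code): a string whose chunks carry their own
# taint status and transformer, sanitized per use context at the point of use.

module Transformers
  IDENTITY = ->(s) { s }                                  # trusted text passes through
  NO_HTML = ->(s) { CGI.escapeHTML(s) }                   # HTML default: no markup survives
  ALPHANUMERIC_ONLY = ->(s) { s.gsub(/[^A-Za-z0-9]/, '') }
  LETTERS_AND_SPACES_ONLY = ->(s) { s.gsub(/[^A-Za-z ]/, '') }
  # Escape everything, then let bare <b>, <i>, <u> and their closers back in.
  BOLD_ITALIC_UNDERLINE_ONLY = ->(s) { CGI.escapeHTML(s).gsub(%r{&lt;(/?)([biu])&gt;}, '<\1\2>') }
  # SQL default: double single quotes so input cannot end a string literal
  # (standard SQL quoting; parameterized queries remain the first choice).
  SQL_SANITIZE = ->(s) { s.gsub("'", "''") }
  NO_DISPLAY = ->(_s) { '' }                              # Ruby eval and //script: never shown or run
end

# The slide's default transformer: one sanitizer per use context.
DEFAULT_TRANSFORMER = {
  HTML: Transformers::NO_HTML,
  SQL: Transformers::SQL_SANITIZE,
  Ruby_eval: Transformers::NO_DISPLAY,
}.freeze

# Per-attribute transformers in the shape of the # @ :taint annotations. A
# context maps either to one routine or to a Hash keyed by HTML sub-context
# (the slide's TitleTag and "//script"), with :default as the fallback.
TAINT_ANNOTATIONS = {
  username: { HTML: Transformers::ALPHANUMERIC_ONLY },
  full_name: { HTML: { TitleTag: Transformers::LETTERS_AND_SPACES_ONLY,
                       default: Transformers::NO_HTML } },
  profile: { HTML: { '//script' => Transformers::NO_DISPLAY,
                     default: Transformers::BOLD_ITALIC_UNDERLINE_ONLY } },
}.freeze

# A chunk is raw text plus its transformer table; nil means trusted.
Chunk = Struct.new(:text, :transformer)

class TaintedString
  attr_reader :chunks

  def initialize(chunks)
    @chunks = chunks
  end

  def self.trusted(text)
    new([Chunk.new(text, nil)])
  end

  def self.tainted(text, transformer = DEFAULT_TRANSFORMER)
    new([Chunk.new(text, transformer)])
  end

  # Concatenation keeps chunk boundaries, so taint survives string building.
  def +(other)
    other = TaintedString.trusted(other) if other.is_a?(String)
    TaintedString.new(chunks + other.chunks)
  end

  # Character index at which each chunk ends (the slide's character-index row).
  def boundaries
    total = 0
    chunks.map { |c| total += c.text.length }
  end

  # Sanitize each tainted chunk for the use context it is about to enter,
  # falling back to the default transformer for a context the chunk's own
  # table omits and to :default for an unlisted sub-context.
  def render(context, sub_context = nil)
    chunks.map do |c|
      next c.text if c.transformer.nil?
      rule = c.transformer.fetch(context) { DEFAULT_TRANSFORMER.fetch(context) }
      rule = rule.fetch(sub_context) { rule.fetch(:default) } if rule.is_a?(Hash)
      rule.call(c.text)
    end.join
  end
end

# Tainted model attribute carrying the transformer its annotation declares.
def tainted_field(name, value)
  TaintedString.tainted(value, TAINT_ANNOTATIONS.fetch(name))
end

# The slide's profile link: trusted markup around a tainted display name.
def profile_link_html(user_id, display_name)
  (TaintedString.trusted("<a href='profile?id=#{Integer(user_id)}'>") +
   TaintedString.tainted(display_name) +
   TaintedString.trusted('</a>')).render(:HTML)
end

# The slide's SQL example, rendered for the :SQL context.
def profile_query(user_name)
  (TaintedString.trusted("SELECT profile FROM users WHERE username='") +
   TaintedString.tainted(user_name) +
   TaintedString.trusted("'")).render(:SQL)
end
```

Note that render takes the use context as an argument: the same TaintedString produces different output for :HTML and :SQL, and a username annotated only for :HTML still gets the default :SQL sanitizer when it reaches a query. The chunk boundaries in the example differ from the slide's 29/51/55 because the constructed string is not character-for-character the slide's.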
Test Applications (application type and size)

  Image Gallery         680 lines
  E-Commerce            5556 lines
  Project Management    30747 lines
  E-Commerce            11561 lines
Performance Notes

[Chart: Relative Transaction Time (Normalized) for Onyx, Redmine and PaperTracks, comparing Original Application, Access Control Only, Taint Tracking Only and Full System; y-axis 0 to 7, with one bar off the scale at 10.7]
Try GuardRails
Alpha Release Now Available!
Our Web Page: http://guardrails.cs.virginia.edu
Full source code can be downloaded from GitHub
Contact Info: [email protected]

Questions?