Post on 30-Dec-2015
A Data-Centric Web Application Security Framework
Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans
University of Virginia
http://guardrails.cs.virginia.edu
GuardRails
Web applications are easier to create than ever!
Securing web applications is not nearly as easy!
“><script>alert(document.cookie);</script>
[Figure: an Application whose pages (Page A, Page B, Page C, Page D) perform Write / Append / Read, Write / Read, Delete, Read and Read operations on a Data Object. Later builds of the same figure add the Output HTML produced from the Data Object, and then a Proxy that Enforces Security Policies on the accesses.]
Our Philosophy
Security policies should be attached to the data
Security policies should be enforced automatically
Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code
Design Goals
Top Priority:
  Automatically enforce security policies
Other Objectives:
  Preserve application functionality
  Easy for developers to use
Lesser Goals:
  Minimize performance cost
Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code
GuardRails components: Access Control Policies, Fine Grained Taint-Tracking
Original code:

  if include_subprojects && !active_children.empty?
    ids = [id] + active_children.collect {|c| c.id}
    conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]
  end

The same code with the visibility check added to the query:

  if include_subprojects && !active_children.empty?
    ids = [id] + active_children.collect {|c| c.id}
    conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND #{Project.visible_by}"]
  end
Access checks scattered across the application's files:
  application_helper.rb: 4 checks
  project.rb: 2 checks
  projects_controller.rb: 3 checks
  acts_as_searchable.rb: 1 check

1 GuardRails annotation, in the Project model file:

  class Project < ActiveRecord::Base
    # @ :read, :self, lambda{|user| self.is_public or user.memberships.include? self.id}
    # @ :read, lambda{|user| self.is_public or user.memberships.include? self.id}
    # Project statuses
    STATUS_ACTIVE = 1
    …
Access Control Policy Annotations
# @ (policy_type, [target], [handler], mediator)
# @ :delete, :self, :admin
# @ :write, :password, lambda{|user| user.id == self.id}
# @ :append, :members, lambda{|user| user.belongs_to?(self)}
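The annotation form above, as an added Ruby example (not the GuardRails tool's own code) of how such policies could be evaluated at run time: the mediator lambda runs with `self` bound to the data object, exactly as the slides' lambdas read it. User, Project, Guarded and authorize! are constructed for this illustration, and it assumes that a field with no annotation is unrestricted.

```ruby
# Added example, not GuardRails' own code: one way to evaluate annotations of
# the form "# @ :policy_type, :target, mediator" at run time. The mediator is a
# lambda run with `self` bound to the data object (so `self.id` and
# `user.memberships` read as in the slides) or the symbol :admin.
User = Struct.new(:id, :memberships, :admin) do
  def belongs_to?(project)
    memberships.include?(project.id)
  end
end
class AccessDenied < StandardError; end

module Guarded
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Policies keyed by [policy_type, target]; :self means the whole object.
    def policies
      @policies ||= {}
    end
    # One annotation line, e.g. policy :delete, :self, :admin
    def policy(type, target, mediator)
      policies[[type, target]] = mediator
    end
  end

  # Raise unless the mediator for (type, target) admits the user.
  # Assumption here: a field with no annotation is unrestricted.
  def authorize!(user, type, target = :self)
    mediator = self.class.policies[[type, target]]
    return true if mediator.nil?
    allowed = mediator == :admin ? user.admin : instance_exec(user, &mediator)
    raise AccessDenied, "#{type} on #{target} denied for user #{user.id}" unless allowed
    true
  end
end

# Constructed Project model carrying the slides' annotations as policy calls.
class Project
  include Guarded
  attr_reader :id, :is_public, :members
  policy :read,   :self,    lambda { |user| is_public || user.memberships.include?(id) }
  policy :delete, :self,    :admin
  policy :append, :members, lambda { |user| user.belongs_to?(self) }

  def initialize(id, is_public)
    @id, @is_public, @members = id, is_public, []
  end
end
```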
Dynamic Taint Tracking
Protects against injection attacks

SQL Injection:
  "SELECT profile FROM users WHERE username='" + user_name + "'"
  Good: user_name = "jazzFan26"
  Bad: user_name = "'; DROP TABLE users--"

Cross-Site Scripting:
  "User: <a href='profile_page'>" + user_name + "</a>"
  Good: user_name = "DrKevinPhillips"
  Bad: user_name = "<script language='javascript'>alert('document.cookie');</script>"
Taint Propagation
[Figure: user input (URL Parameters, Form Data, Other User Input) enters the application and its Data Taint Status is carried along with it through the Controller, the Model and the Database; in the View the result is Tainted HTML, which Sanitization turns into Safe HTML.]
Expressive Taint Status
String Value: "<a href='profile?id=184392'><evil>SoccerFan1985</evil></a>"
Taint: recorded per chunk of the string, so different chunks carry different transformers
  Character Index: 29, 51, 55
  Transformers:    <Transformer::Identity>, <Transformer::Default>, <Transformer::Identity>
Transformers
The Default Transformer maps each Use Context (the hash key) to the Appropriate Sanitization Routine (the value):

  {:HTML => { "//script" => NoDisplay, :default => NoHTMLAllowed }, :SQL => SQLSanitize, :Ruby_eval => NoDisplay}
Transformers
[Figure: Raw String Chunk 1, 2 and 3 each carry their own Transformer 1, 2 and 3; given the Use Context, each transformer produces a Sanitized Chunk, and the Sanitized Chunks are joined into the Sanitized String.]
Transformer Annotations
# @ taint, target, transformer
# @ :taint, :username, {:HTML => AlphaNumericOnly}
# @ :taint, :full_name, {:HTML =>
    {TitleTag => LettersAndSpacesOnly, :default => NoHTML}}
# @ :taint, :profile, {:HTML =>
    {"//script" => Invisible, :default => BoldItalicUnderlineOnly}}
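Chunk-level taint with per-chunk transformers, as the Expressive Taint Status and Transformer slides describe, implemented as an added Ruby example (not GuardRails' own code): a string built from trusted markup and tainted user input keeps its chunk boundaries through concatenation, and rendering for a use context sanitizes only the tainted chunk. TaintedString, Transformer::Identity, Transformer::Default and profile_link are constructed here, and only the :HTML and :SQL use contexts are implemented.

```ruby
# Added example, not GuardRails' own code: chunk-level taint tracking in the
# style of the slides. A TaintedString keeps its value as chunks, each tagged
# with a transformer; rendering for a use context applies each chunk's own
# transformer, so trusted markup passes through while user input is neutralized.
require 'cgi'

module Transformer
  # Trusted application text: unchanged in every context.
  Identity = ->(s, _ctx) { s }
  # Default for tainted input: escape for the use context (HTML and SQL here).
  Default = lambda do |s, ctx|
    case ctx
    when :HTML then CGI.escapeHTML(s)
    when :SQL  then s.gsub("'", "''")
    else raise ArgumentError, "no transformer for context #{ctx}"
    end
  end
end

class TaintedString
  Chunk = Struct.new(:text, :transformer)
  attr_reader :chunks
  def initialize(text = "", transformer = Transformer::Identity)
    @chunks = text.empty? ? [] : [Chunk.new(text, transformer)]
  end
  # Mark user input: the whole chunk carries the Default transformer.
  def self.tainted(text)
    new(text, Transformer::Default)
  end
  # Concatenation keeps each side's chunk boundaries and taint status.
  def +(other)
    other = TaintedString.new(other) unless other.is_a?(TaintedString)
    result = TaintedString.new
    result.chunks.concat(chunks + other.chunks)
    result
  end
  # Raw value, as the application sees it before any sanitization.
  def to_s
    chunks.map(&:text).join
  end
  # Sanitize for a use context by applying each chunk's own transformer.
  def render(ctx)
    chunks.map { |c| c.transformer.call(c.text, ctx) }.join
  end
end

# Constructed sample mirroring the slide: trusted link markup around tainted input.
def profile_link(user_name)
  TaintedString.new("<a href='profile?id=184392'>") + TaintedString.tainted(user_name) + "</a>"
end
```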
Test Applications (Application Type):
  Image Gallery (680 lines)
  E-Commerce (5556 lines)
  Project Management (30747 lines)
  E-Commerce (11561 lines)
Performance Notes
[Chart: Relative Transaction Time (Normalized), y-axis 0 to 7, for Onyx, Redmine and PaperTracks; series: Original Application, Access Control Only, Taint Tracking Only, Full System. One value, labelled 10.7, lies above the axis range.]
Try GuardRails
Alpha Release Now Available!
Our Web Page: http://guardrails.cs.virginia.edu
Full source code can be downloaded from GitHub
Contact Info: guardrails@cs.virginia.edu
Questions?