[Slide 1]
A Data-Centric Web Application Security Framework
Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans
University of Virginia
http://guardrails.cs.virginia.edu
GuardRails
[Slide 2]
Web applications are easier to create than ever!
[Slide 3]
Securing web applications is not nearly as easy!
[Slides 4-6] (picture-only slides, no transcribed text)

[Slide 7]
"><script>alert(document.cookie);</script>
[Slides 8-10] (picture-only slides, no transcribed text)

[Slide 11]
Figure: an Application with four pages (Page A, Page B, Page C, Page D), each accessing one shared Data Object with its own set of operations (Write/Append/Read, Write/Read, Delete, Read, Read).
[Slide 12]
Figure: the same application diagram (Pages A-D with their Write/Append/Read, Write/Read, Delete, Read, Read operations on the Data Object), now also showing the Data Object flowing into the Output HTML.
[Slide 13]
Figure: same diagram as slide 12 (Pages A-D, the Data Object, and its flow into the Output HTML).
[Slide 14]
Figure: the same application diagram (Pages A-D with their Write/Append/Read, Write/Read, Delete, Read, Read operations), with a "Proxy that Enforces Security Policies" placed between the pages and the Data Object.
[Slide 15]
Our Philosophy
Security policies should be attached to the data
Security policies should be enforced automatically
[Slide 16]
Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code
[Slide 17]
Design Goals
Top Priority:
- Automatically enforce security policies
Other Objectives:
- Preserve application functionality
- Easy for developers to use
Lesser Goals:
- Minimize performance cost
[Slide 18]
Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code
GuardRails has two parts: Access Control Policies and Fine-Grained Taint Tracking
[Slide 19]
Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code
Part 1: Access Control Policies (Fine-Grained Taint Tracking follows)
[Slide 20] (picture-only slide, no transcribed text)

[Slide 21]
Project model code (project.rb) as shown on the slide; the excerpt ends where the slide does:

```ruby
if include_subprojects && !active_children.empty?
  ids = [id] + active_children.collect {|c| c.id}
  conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]
```
[Slide 22]
The same excerpt again; note that the query condition restricts only by project id and carries no visibility check:

```ruby
if include_subprojects && !active_children.empty?
  ids = [id] + active_children.collect {|c| c.id}
  conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]
```
[Slide 23]
The corrected version adds the visibility condition to the query:

```ruby
if include_subprojects && !active_children.empty?
  ids = [id] + active_children.collect {|c| c.id}
  conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND #{Project.visible_by}"]
```
[Slide 24]
Manual checks scattered through the application (10 checks in 4 files):
  application_helper.rb    4 checks
  project.rb               2 checks
  projects_controller.rb   3 checks
  acts_as_searchable.rb    1 check

versus 1 GuardRails annotation, in the Project model file:

```ruby
# @ :read, :self, lambda{|user| self.is_public or user.memberships.include? self.id}
class Project < ActiveRecord::Base
  # Project statuses
  STATUS_ACTIVE = 1
  …
```
[Slide 25]
Access Control Policy Annotations
Syntax (bracketed parts optional):

```ruby
# @ (policy_type, [target], [handler], mediator)
# @ :delete, :self, :admin
# @ :write, :password, lambda{|user| user.id == self.id }
# @ :append, :members, lambda{|user| user.belongs_to?(self)}
```
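The annotation forms above, and the single `:read, :self` policy on slide 24 that replaces ten scattered checks, are illustrated by the following Ruby mixin. This is an added example written for this page, not GuardRails' own code: it does not parse `# @` comments but takes the same (policy_type, target, mediator) triples as `policy` method calls; the acting user is held in a thread-local (an assumption standing in for the per-request user a framework supplies); and the `User` and `Project` models with their `owner_id`, `memberships` and `members` fields are constructed for the demo.

```ruby
require 'delegate'

# Raised by the mediator when a policy attached to the data denies an action.
class PolicyViolation < StandardError; end

# Toy mixin (written for this page, not GuardRails' code). Declaring a policy
# once on the model wraps the matching accessor, so every page that touches
# the data is mediated, whichever code path it uses.
module Guarded
  # Acting user; a framework would set this per request (thread-local here).
  def self.current_user=(u); Thread.current[:guarded_user] = u; end
  def self.current_user;     Thread.current[:guarded_user];     end
  def self.included(base);   base.extend(ClassMethods);         end
  module ClassMethods
    def policies; @policies ||= Hash.new { |h, k| h[k] = [] }; end
    # Prepended module: wrappers run before the model's own accessors.
    def hooks; @hooks ||= Module.new.tap { |m| prepend m }; end
    # mediator: a role symbol (e.g. :admin) or a lambda taking the user,
    # evaluated with self bound to the protected object.
    def policy(type, target, mediator)
      policies[[type, target]] << mediator
      case type
      when :write  then hooks.define_method("#{target}=") { |v| check!(:write, target); super(v) }
      when :append then hooks.define_method(target) { GuardedList.new(self, target, super()) }
      when :delete then hooks.define_method(:destroy) { check!(:delete, :self); super() }
      when :read   # :read on :self is a query filter (see visible_to), not a getter hook
        hooks.define_method(target) { check!(:read, target); super() } unless target == :self
      else raise ArgumentError, "unknown policy type #{type.inspect}"
      end
    end
  end
  # Non-raising form; a target with no policy is unmediated, as in a plain app.
  def permitted?(type, target, user = Guarded.current_user)
    self.class.policies[[type, target]].all? do |m|
      m.is_a?(Proc) ? instance_exec(user, &m) : user.roles.include?(m)
    end
  end
  def check!(type, target, user = Guarded.current_user)
    return if permitted?(type, target, user)
    raise PolicyViolation, "#{type} #{target} on #{self.class} denied for #{user.name}"
  end
  # Collection wrapper: appends are mediated, reads pass straight through.
  class GuardedList < SimpleDelegator
    def initialize(owner, target, list); super(list); @owner, @target = owner, target; end
    def <<(item); @owner.check!(:append, @target); __getobj__ << item; self; end
    alias_method :push, :<<
  end
end

# Constructed demo models; owner_id and memberships are assumptions.
User = Struct.new(:id, :name, :roles, :memberships)

class Project
  include Guarded
  attr_accessor :id, :name, :is_public, :owner_id
  attr_reader :members
  def initialize(id, name, is_public, owner_id)
    @id, @name, @is_public, @owner_id = id, name, is_public, owner_id
    @members, @destroyed = [], false
  end
  def destroy;    @destroyed = true; end
  def destroyed?; @destroyed;        end
  def self.visible_to(projects, user)
    projects.select { |p| p.permitted?(:read, :self, user) }
  end
  # The slides' annotation forms, one call each:
  policy :read,   :self,    ->(user) { is_public || user.memberships.include?(id) }
  policy :delete, :self,    :admin
  policy :write,  :name,    ->(user) { user.id == owner_id }
  policy :append, :members, ->(user) { user.memberships.include?(id) }
end

def attempt; yield; :allowed; rescue PolicyViolation; :denied; end

# Two users acting on two projects from different "pages"; every outcome
# comes from the policies on Project, not from checks in the calling code.
def access_control_demo
  alice = User.new(1, "alice", [:member], [10])
  bob   = User.new(2, "bob",   [:admin],  [])
  pub   = Project.new(10, "public-site", true,  1)
  priv  = Project.new(11, "internal",    false, 1)
  r = {}
  Guarded.current_user = alice
  r[:alice_sees]           = Project.visible_to([pub, priv], alice).map(&:name)
  r[:alice_append_public]  = attempt { pub.members << bob.id }
  r[:alice_append_private] = attempt { priv.members << bob.id }
  r[:alice_rename]         = attempt { pub.name = "renamed" }
  r[:alice_delete]         = attempt { pub.destroy }
  Guarded.current_user = bob
  r[:bob_rename]           = attempt { pub.name = "hijacked" }
  r[:bob_delete]           = attempt { pub.destroy }
  r[:public_members]       = pub.members.to_a
  r[:public_name]          = pub.name
  r[:public_destroyed]     = pub.destroyed?
  r
end
```

Running `access_control_demo` shows the point of the slides: alice can see only the public project, can append to a project she belongs to but not to one she does not, can rename the project she owns but cannot delete it, while bob (admin) can delete it but not rename it. None of the calling code performs a check; the policies travel with the Project class. A target with no declared policy stays unmediated, so the mixin only restricts what the annotations cover.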
[Slide 26]
Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code
Part 2: Fine-Grained Taint Tracking
[Slide 27]
Dynamic Taint Tracking
Protects against injection attacks

SQL Injection:
```ruby
"SELECT profile FROM users WHERE username='" + user_name + "'"
```
Good: user_name = "jazzFan26"
Bad:  user_name = "'; DROP TABLE users--"

Cross-Site Scripting:
```ruby
"User: <a href='profile_page'>" + user_name + "</a>"
```
Good: user_name = "DrKevinPhillips"
Bad:  user_name = "<script language='javascript'>alert(document.cookie);</script>"
[Slide 28] (picture-only slide, no transcribed text)

[Slide 29]
Figure: the application diagram from slide 11 again (Pages A-D with their Write/Append/Read, Write/Read, Delete, Read, Read operations on the Data Object).
[Slide 30]
Figure: the diagram from slide 12 again (Pages A-D, the Data Object, and the Data Object flowing into the Output HTML).
[Slide 31]
Taint Propagation
Figure: untrusted sources (URL Parameters, Form Data, Other User Input) enter through the Controller and Model; the Database stores each value's Data Taint Status alongside the data; the View produces Tainted HTML, which passes through Sanitization to become Safe HTML.
[Slide 32]
Expressive Taint Status
String value: "<a href="profile?id=184392"><evil>SoccerFan1985</evil></a>"
Taint, by character index (chunk boundaries as drawn on the slide: 29, 51, 55):
  chunk 1, the <a href=...> template:  <Transformer::Identity>
  chunk 2, the user-supplied name:     <Transformer::Default>
  chunk 3, the closing </a>:           <Transformer::Identity>
Different chunks of one string carry different taint.
[Slide 33]
Transformers
The Default Transformer:

```ruby
{:HTML => { "//script" => NoDisplay, :default => NoHTMLAllowed },
 :SQL => SQLSanitize,
 :Ruby_eval => NoDisplay}
```

Use Context -> Appropriate Sanitization Routine
[Slide 34]
Transformers
Figure: a tainted string is split into Raw String Chunks 1-3, each paired with its own Transformer 1-3; given the Use Context, every chunk is sanitized independently and the resulting Sanitized Chunks are joined into the Sanitized String.
[Slide 35]
Transformer Annotations
Syntax: # @ :taint, target, transformer

```ruby
# @ :taint, :username, {:HTML => AlphaNumericOnly}
# @ :taint, :full_name, {:HTML =>
#     {TitleTag => LettersAndSpacesOnly, :default => NoHTML}}
# @ :taint, :profile, {:HTML =>
#     {"//script" => Invisible, :default => BoldItalicUnderlineOnly}}
```
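The chunked taint status of slide 32, the context-keyed transformer hashes of slides 33 and 35, and the SQL injection and XSS inputs of slide 28 come together in the following Ruby example. It is an added illustration, not the GuardRails implementation: chunk boundaries are kept by overriding `+` on a `TaintedString` wrapper rather than by instrumenting Ruby's `String`; the transformer names follow the slides but the sanitizers behind them are small approximations written here (quote doubling stands in for SQLSanitize only to show the mechanism; real code binds parameters); the XPath-style HTML sub-contexts such as "//script" are not modelled; and the sample inputs are constructed. The chunk boundaries it reports (28 and 54) are computed for this exact string and are not the figures drawn on slide 32.

```ruby
require 'cgi'

# Added illustration of chunked taint tracking with per-chunk transformers
# (not the GuardRails implementation). Each chunk remembers the transformer of
# the data it came from; sanitization happens at the sink, once the use
# context (:HTML, :SQL, ...) is known.
module Transformer
  ESCAPE_HTML = ->(s) { CGI.escapeHTML(s) }
  # Quote doubling mirrors the slide's SQLSanitize only to show the mechanism;
  # real code binds parameters instead of sanitizing into SQL text.
  ESCAPE_SQL  = ->(s) { s.gsub("'", "''") }
  # Keep <b>, <i>, <u> and their closing tags verbatim; escape everything else.
  KEEP_BIU    = ->(s) {
    s.split(%r{(</?[biu]>)}).map { |p| p.match?(%r{\A</?[biu]>\z}) ? p : CGI.escapeHTML(p) }.join
  }

  # A transformer maps use context => sanitizer; :default covers other contexts.
  Identity                = { default: ->(s) { s } }        # trusted literals only
  Default                 = { HTML: ESCAPE_HTML, SQL: ESCAPE_SQL }
  AlphaNumericOnly        = { HTML: ->(s) { s.gsub(/[^[:alnum:]]/, "") }, SQL: ESCAPE_SQL }
  BoldItalicUnderlineOnly = { HTML: KEEP_BIU, SQL: ESCAPE_SQL }

  def self.apply(transformer, ctx, s)
    fn = transformer[ctx] || transformer[:default]
    # Fail closed: a chunk with no rule for this context never reaches the sink.
    raise ArgumentError, "no sanitizer for #{ctx.inspect}" unless fn
    fn.call(s)
  end
end

class TaintedString
  Chunk = Struct.new(:value, :transformer)
  attr_reader :chunks
  def initialize(chunks); @chunks = chunks; end
  def self.trusted(s); new([Chunk.new(s, Transformer::Identity)]); end
  def self.tainted(s, transformer = Transformer::Default); new([Chunk.new(s, transformer)]); end

  # Concatenation keeps chunk boundaries, so taint survives string building.
  # Plain Strings are treated as trusted literals here; a real system would
  # instrument String itself so that nothing arrives untagged.
  def +(other)
    other = TaintedString.trusted(other) if other.is_a?(String)
    TaintedString.new(chunks + other.chunks)
  end

  def to_s; chunks.map(&:value).join; end   # raw value, as the app sees it
  def boundaries                             # character index where each later chunk starts
    chunks[0...-1].inject([]) { |acc, c| acc << (acc.last.to_i + c.value.length) }
  end
  def sanitize(ctx); chunks.map { |c| Transformer.apply(c.transformer, ctx, c.value) }.join; end
end

# Sinks built the way the slide's vulnerable code is, by concatenation.
def profile_link(user_id, username)
  TaintedString.trusted(%(<a href="profile?id=#{user_id}">)) + TaintedString.tainted(username) + "</a>"
end

def lookup_query(username)
  TaintedString.trusted("SELECT profile FROM users WHERE username='") + TaintedString.tainted(username) + "'"
end

# Constructed inputs: the XSS and SQL injection payloads from the slides.
def taint_demo
  link = profile_link(184392, "<evil>SoccerFan1985</evil>")
  bio  = TaintedString.trusted("<p>") +
         TaintedString.tainted("<b>hi</b><script>alert(document.cookie)</script>",
                               Transformer::BoldItalicUnderlineOnly) + "</p>"
  {
    raw_link:   link.to_s,
    boundaries: link.boundaries,
    html_link:  link.sanitize(:HTML),
    html_bio:   bio.sanitize(:HTML),
    sql:        lookup_query("'; DROP TABLE users--").sanitize(:SQL),
  }
end
```

`taint_demo` shows the two properties the slides rely on: the trusted template chunks reach the output untouched while the user-supplied chunk is sanitized according to its own transformer and the context of the sink (`<evil>` is escaped in HTML, the stray quote is neutralised in SQL, and the profile bio keeps its `<b>` but loses its `<script>`), and a chunk whose transformer has no rule for the requested context raises instead of passing through.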
[Slides 36-38] (picture-only slides, no transcribed text)

[Slide 39]
Test Applications
Application Type (size):
  Image Gallery       (680 lines)
  E-Commerce          (5556 lines)
  Project Management  (30747 lines)
  E-Commerce          (11561 lines)
[Slide 40]
Performance Notes
Figure: Relative Transaction Time (Normalized) for Onyx, Redmine and PaperTracks under four configurations: Original Application, Access Control Only, Taint Tracking Only, Full System. The y-axis runs from 0 to 7; one bar exceeds the axis and is labelled 10.7.
[Slide 41]
Try GuardRails
Alpha Release Now Available!
Our Web Page: http://guardrails.cs.virginia.edu
Full source code can be downloaded from GitHub
Contact Info: [email protected]
[Slide 42]
Questions?