Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data...
Transcript of Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data...
![Page 1: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/1.jpg)
CS 152: Programming Language Paradigms
Prof. Tom Austin San José State University
Dynamic Code Evaluation & Taint Analysis
![Page 2: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/2.jpg)
Parsing JSON (in-class)
![Page 3: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/3.jpg)
Review: additional Ruby eval methods
• instance_eval evaluates code within the body of an object.
• class_eval evaluates code within the body of a class.
• These methods can take a string or (more safely) a block of code.
![Page 4: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/4.jpg)
class_eval example
(in class)
![Page 5: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/5.jpg)
![Page 6: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/6.jpg)
The mind of a developer
What does my code
need to do? Stupid documentation
Hmm… I wonder if my code is secure
![Page 7: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/7.jpg)
Web Security in the News
![Page 8: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/8.jpg)
How do companies/developers cope?
• Train/shame developers to follow best practices.
• Hire security experts • Use analysis tools • Hush up mistakes • Budget to handle emergencies • Bury their heads in the sand.
![Page 9: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/9.jpg)
Secure By Architecture
Developers make mistakes.
Can we design tools to create secure systems, despite developer mistakes?
![Page 10: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/10.jpg)
Success story: memory-safe languages
• Buffer overflows were once ubiquitous • Memory-safe languages manage
memory automatically – Developer focus on functionality – Security-critical bugs are eliminated
• Buffer overflows have virtually disappeared – Except in your OS, web browser, etc.
![Page 11: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/11.jpg)
Three Security Mechanisms
• Taint analysis: – protect critical fields from
"dirty" data • Information flow analysis:
– Prevent secrets from leaking.
![Page 12: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/12.jpg)
Taint Analysis: Protecting against dirty data
![Page 13: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/13.jpg)
Taint analysis
• Taint analysis focuses on integrity: – does "dirty" data corrupt trusted data?
• Integrated into Perl and Ruby • Handles explicit flows only
– direct assignment – passing parameters
![Page 14: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/14.jpg)
Attacks preventable by taint analysis
• Data under the control of the user may pose a security risk – SQL injection – cross-site scripting (XSS) – cross-site request forgery (CSRF)
• Taint tracking tracks untrusted variables and prevents then from being used in unsafe operations
![Page 15: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/15.jpg)
Taint Tracking History
• 1989 – Perl 3 support for a taint mode • 1996 – Netscape included support for a
taint mode in server-side JavaScript – Later abandoned
• Ruby later implemented a taint mode; we'll review in more depth.
![Page 16: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/16.jpg)
Taint Mode in Ruby
• Protect against integrity attacks. – E.g. Data pulled from an HTML form
cannot be passed to eval. • Cannot taint booleans or ints. • Multiple ways to run in safe mode:
– Use –T command line flag. – Include $SAFE variable in code.
![Page 17: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/17.jpg)
$SAFE levels in Ruby
• 0 – No checking (default) • 1
– Tainted data cannot be passed to eval – Cannot load/require new files
• 2 – Can't change, make, or remove directories • 3
– New strings/objects are automatically tainted – Cannot untaint tainted values
• 4 – Safe objects become immutable
![Page 18: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/18.jpg)
s = "puts 4-3".taint $SAFE = 1 # Can't eval tainted data s.untaint # Removes taint from data puts s.tainted? eval s $SAFE = 3 s2 = "puts 2 * 7" # Tainted s2.untaint # Won't work now eval s2 eval s # this is OK
![Page 19: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/19.jpg)
# Data from web s = "Robert'); DROP TABLE " + "STUDENTS;--" s.taint exec_query("SELECT *" + " FROM STUDENTS" + " WHERE NAME='" + s + "';"
![Page 20: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/20.jpg)
class Record def exec_query(query_str)
if query_str.tainted? puts "Err: tainted string"
else # Perform the query ...
end end end
![Page 21: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/21.jpg)
Information Flow Analysis
Here be dragons…
![Page 22: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/22.jpg)
Information Flow Analysis
• Related to taint analysis • Focuses on confidentiality:
– does secret data leak to public channels? • Assumes attacker controls some code • Must consider implicit flows
– can the attacker deduce secrets?
![Page 23: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/23.jpg)
Developer
Sensitive Data
Challenge of Securing Information
Private Channel
Public Channel
Policy: Keep location of the spray paint can from leaking to public channels.
![Page 24: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/24.jpg)
Developer
Sensitive Data
Private Channel
Public Channel
if (chan.police){ write(chan, spraycanLocation); }
if (chan.police){ write(chan, spraycanLocation); }
Challenge of Securing Information
![Page 25: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/25.jpg)
Developer
Sensitive Data
Private Channel
Public Channel
if (chan.police){ write(chan, spraycanLocation); }
if (chan.police){ write(chan, spraycanLocation); }
New Developers
write(chan, spraycanLocation);
New System Requirements
![Page 26: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/26.jpg)
Information Leaked
![Page 27: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/27.jpg)
Applications often make use of 3rd party libraries of questionable quality...
Additional Information Flow Challenges
…or have vulnerabilities to code injection attacks...
…so we must assume that the attacker is able to inject code into our system.
![Page 28: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/28.jpg)
Sensitive Data
Public Data
Private Channel
Public Channel
Information Flow Analysis in Action
![Page 29: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/29.jpg)
Private Channel
Public Channel
Sensitive Data
Public Data
Information Flow Analysis in Action
![Page 30: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/30.jpg)
Sensitive Data
Public Data
Private Channel
Public Channel
Public outputs do not depend on private inputs
Termination-Insensitive Non-Interference
![Page 31: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/31.jpg)
Explicit and Implicit Flows
spraycanLocation = "Kwik-E-Mart"police;
Location is only visible to the police. x = spraycanLocation;
Explicit flow from spraycanLocation to x.
if (x.charAt(0) < 'N') {
firstCharMax = 12;
}
Implicit flow from x to firstCharMax.
![Page 32: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/32.jpg)
write(chan, spraycanLocation);
Developer
Core Functionality Security Expert
Business Domain Expert
Label Data
Attach label police to spraycanLocation
Enforcement Mechanism
label: police chan: police
![Page 33: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/33.jpg)
write(chan, spraycanLocation);
Developer
Core Functionality Security Expert
Business Domain Expert
Label Data
Attach label police to spraycanLocation
Enforcement Mechanism
label: police chan: public
DENIED
![Page 34: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/34.jpg)
Denning-style Static Analysis
• Certification process, perhaps integrated into a compiler.
• Data can flow down the lattice • Programs can be guaranteed
to be secure before the program is ever executed.
![Page 35: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/35.jpg)
Static Analysis Certification var secret = truebank; var y = true; if (secret) y = false; var leak = true;
if (y)
leak = false;
• Analysis ensures that private data does not affect public data.
• In this example, y's final value depends on x.
• [Denning 1976]
![Page 36: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/36.jpg)
Purely Dynamic Info Flow Controls
• Instrument interpreter with runtime controls
• Implicit flows can be handled by: – Ignoring unsafe updates – Crashing on unsafe updates – Leaking some data (not satisfying
noninterference)
![Page 37: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/37.jpg)
A Tainting Approach
One obvious strategy: if a public variable is updated in a private context, make it private as well. var secret = truebank; var y = true;
if (secret)
y = false; Set y=falsebank
![Page 38: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/38.jpg)
Challenges With Implicit Flows var secret = truebank; var y = true; if (secret) y = false; var leak = true;
if (y)
leak = false;
y=falsebank
leak=true
y=true
leak=false
secret=falsebank
![Page 39: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/39.jpg)
Dynamic Monitors Reject Executions var secret = truebank; var y = true; if (secret) y = false;
Execution terminates to protect the value of secret.
Zdancewic 2002
![Page 40: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/40.jpg)
Secure Multi-Execution
Executes program multiple: • High execution
– Sees all information – Only writes to authorized channels
• Low execution – Only sees public data – Writes to public channels – Confidential data replaced with default
values.
![Page 41: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/41.jpg)
var pass = mkSecret("scytale"); if (pass[0]==("s")) write(chan,"s");
var pass=""; if (pass[0]
==("s"))
write(chan,
"s");
Low Execution Program
var pass="scytale"; if (pass[0]
==("s")){
write(chan,
"s");
High Execution Program
Original Program
![Page 42: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/42.jpg)
Secure Multi-Execution
High execution
Low execution
Private inputs
Public inputs
Dummy Values
Private outputs
Public outputs
![Page 43: Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change,](https://reader036.fdocuments.in/reader036/viewer/2022071217/604a9a80100842236226af8b/html5/thumbnails/43.jpg)
Lab: Taint tracking
Today's lab explores taint tracking in Ruby. Starter code is available on the course website. Details in Canvas.