Embedded Web Security through Application-Layer …Umbra Embedded Web Security through...

UmbraEmbedded Web Security through Application-Layer

Firewalls

Travis Finkenauer J. Alex Halderman

1st Workshop on the Security of Cyber-Physical Systems22 September 2015

Travis Finkenauer (University of Michigan) Umbra WOS-CPS 2015 1 / 36

Motivation


Motivation

Motivating Example

Authentication bypass inD-Link router

ExploitCookie: cookie lang=1; client login=admin; client password=1


Motivation

Motivating Example

Stack-based buffer overflow inSupermicro IPMI web interface

ExploitPOST /cgi/login.cgi HTTP/1.1Content-Type: application/x-www-form-urlencoded

name=AAAAAAAAAAAAAAAAAA...&pwd=AAAAAAAAAAAAAAAAAA...


Motivation

Motivating Example

No authentication andfirmware upload CSRF vulnin Canon printer


Motivation

Problem

Security vulnerabilities are prevalent in embeddeddevices

Embedded developers often have limited knowledge andexperience with security

Existing solutions are not sufficient:Standalone network appliancesWeb frameworks


Motivation

Solution

Design drop-in security shim that:

! Integrates simply with existing embedded devices! Operates in small CPU, code size, and memory

footprint! Works on systems where source code is not available


Motivation

Solution

Design drop-in security shim that:! Integrates simply with existing embedded devices

! Operates in small CPU, code size, and memoryfootprint

! Works on systems where source code is not available


Motivation

Solution

Design drop-in security shim that:! Integrates simply with existing embedded devices! Operates in small CPU, code size, and memory

footprint

! Works on systems where source code is not available


Motivation

Solution

Design drop-in security shim that:! Integrates simply with existing embedded devices! Operates in small CPU, code size, and memory

footprint! Works on systems where source code is not available


Motivation

Outline

1 Motivation

2 Design and Implementation

3 Evaluation

4 Conclusion


Design and Implementation

Outline

1 Motivation


3 Evaluation

4 Conclusion


Design and Implementation

Design

Web ServerClient Umbra Shim

Target Device


Design and Implementation Threat Model

Threat Model

In Scope Out of ScopeAttacks on webinterfaces

HTTP or HTTPSUser viewingattacker-controlledpages

Attacks on otherservicesNetwork-level attackers


Design and Implementation System Design

System Design

ServerClient

HTTP Request Valid HTTP

RequestFormat

Respond w/

Rejection

No

Matches Config

Specification

Umbra Shim

Process Request

HTTP ResponseProcess Response

No

Yes Yes

Process Response

Target Device

Security

Policy


Design and Implementation System Design

System Design

Transparent proxy between clients and serverModifies HTTP requests and responsesNon-blocking sockets using Linux’s epoll


Design and Implementation Security Features

Security Features

Vulnerability Security Features

XSS Parameter whitelist

CSRF CSRF protection

Authentication bypass Authentication enforcementHTTP method whitelist

Information leakAuthentication enforcementHTTP method whitelistDirectory traversal check

CGI memory corruptionParameter character whitelistParameter length checkHeader field length limit

Directory traversal Directory traversal check



Page-level Authentication

Prevents authenticationbypass and information leakvulnerabilitiesUmbra can enforce RFC 2617Basic AuthenticationUmbra reads credentials fromfile at run time



Header Length Limit

Mitigates buffer overflowsLimits the length of header fields and values

ExploitGET / HTTP/1.1Host: 192.168.1.1Connection: keep-aliveUser-Agent: Mozilla/5.0 (X11; Linux x86 64)Overflow: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...



CSRF Protection/change-msg

New message:

Submit

/cgi-bin/set-msg

You set thenew message.

Main Page

attacker.com

Page snippet<form action="cgi-bin/set-msg">

<input type="ext" name="new-message"></form>



CSRF Protection/change-msg

New message:

Submit

/cgi-bin/set-msg


Main Page

attacker.com

X

Page snippet<form action="cgi-bin/set-msg">

<input type="ext" name="new-message"><input type="hidden"

name=" umbra csrf token"value="D629B39EA123DB0E0C35">

</form>


Design and Implementation Security Policy

Security Policy

Manufacturers define good vs. badbehaviorUmbra enforces policy described inconfiguration file

Select any combination of security featuresCompiles configuration into C code,which is compiled into Umbra binary



Security Policy

Sections:Global configurationDefault page policyPer-page policy

Specify conservative global policyRelax policy for specific pages



Example Web Application

/change-msg

New message:

Submit

/

Edit message

This is amessage...

/cgi-bin/set-msg


Main Page



Global Page Policy

"global_config": {"enable_request_type_check": true,"enable_param_len_check": true,"enable_param_whitelist_check": true,"enable_csrf_protection": true,"enable_authentication_check": true,"session_life_seconds": 300

}



Default Page Policy

"default_page_config": {"request_types": ["GET", "HEAD"],"requires_login": true,"has_csrf_form": false,"receives_csrf_form_action": false,"max_param_len": 30,"whitelist": "[a-zA-z0-9_]"

}



Per-Page Policy

"page_config": {"/":{

"requires_login": false},"/change-msg":{

"has_csrf_form": true},"/cgi-bin/set-msg": {

"request_types": ["POST"],"receives_csrf_form_action": true,"params": {

"new-msg": {"max_param_len": 200,"whitelist": "[a-zA-z0-9_,.! ]"

}}

}}


Evaluation

Outline

1 Motivation


3 Evaluation

4 Conclusion


Evaluation

Questions

1 What is the performance impact?2 Does Umbra achieve the security goal?


Evaluation Performance

Performance

Tested on Raspberry Pi Model Brunning OpenWRT 14.07Laptop connected via 100 MbpsEthernetUsed Apache Benchmark tool todownload main page (2.2 kB)



Performance

0

0.2

0.4

0.6

0.8

1

0 50 100 150 200

resp

onse

tim

e C

DF

response time (ms)

Web Server Latency CDF

without Umbrawith Umbra



Footprint

Size of dynamically-linked ARM binaryUmbra: 75 kBDropbear: 138 kBBusybox: 370 kB

CPU utilization was 2–3% during benchmarkPeaked at a virtual memory size of 1.2 MB

Raspberry Pi has 512 MB of RAM


Evaluation Security

Security Evaluation

BrotherCannon

CiscoD-LinkLinksysLorex

NetgearSupermicroTP-LINKTrendnet

Xerox

Randomly sampled 100 recentvulnerabilities from eight embeddedmanufacturers

40 out of 100 dealt with embedded webinterfaces

Manually classified:Type of vulnerabilityLevel of protection


Evaluation Security

How well can Umbra protect?

Vulnerability Protection Level TotalNone Partial Full Unknown

Bypass 1 0 4 0 5CSRF 0 0 5 1 6Information leak 1 0 3 0 4Command injection 0 0 2 0 2Directory traversal 0 0 1 0 1SQL injection 0 0 0 1 1Other 0 0 0 1 1Denial of service 3 1 1 1 6Memory corruption 2 0 1 0 3XSS 2 3 3 3 11

Protect Totals 9 4 20 7 40


Evaluation Security

Security Features Used

Vulnerability Security Feature Total

Auth CSRF Param.White.

Dir.Traver.

HeaderLengthCheck

Param.Length

Bypass 4 0 0 0 0 0 4Command injection 0 0 2 0 0 0 2CSRF 0 5 0 0 0 0 5Denial of service 0 0 0 0 1 0 1Directory traversal 0 0 0 1 0 0 1Information leak 2 1 0 0 0 0 3Memory corruption 0 0 0 0 0 1 1Other 0 0 0 0 0 0 0SQL injection 0 0 0 0 0 0 0XSS 0 0 3 0 0 0 3

Feature Totals 6 6 5 1 1 1 20


Conclusion

Outline

1 Motivation


3 Evaluation

4 Conclusion


Conclusion

Future Work

Automatically learning a securitypolicyApplying formal methods to UmbracodeHandling other managementprotocols

SNMPIPMITelnet/SSH


Conclusion

Conclusion

Built Umbra, an HTTP firewall that comfortablyruns in the footprint of an embedded systemUmbra is capable of preventing about half of thesurveyed vulnerabilities dealing with embedded webinterfacesConfiguration is expressive


Conclusion

UmbraEmbedded Web Security through Application-Layer

Firewalls

Travis Finkenauer J. Alex Halderman

Umbra is available as free and open source software:

https://github.com/umbra-firewall/umbra


https://github.com/umbra-firewall/umbra

Backup Slides


Standalone Firewalls

Operate as separate network entityMany require inline hardware appliances

Examples:Akamai KonaCisco ACEHP TippingPoint

FeaturesOutbound filtering for personalinformation such as credit card numbersDetect common web attacks

Akamai Kona

Cisco ACE


Host-based Firewalls

Operate as a plug-in for common webservers

ModSecurityIronBee

Analyzes items such as user-agentstrings, SQL queries, real-time IPblacklist, and HTTP parameters


Embedded Web Security through Application-Layer …Umbra Embedded Web Security through...

Documents

Transcript of Embedded Web Security through Application-Layer …Umbra Embedded Web Security through...