Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers

Prateek Saxena (UC Berkeley), Mike Samuel (Google), Dawn Song (UC Berkeley)

Transcript of a 25-slide presentation.

Page 1

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers

Prateek Saxena, UC Berkeley
Mike Samuel, Google
Dawn Song, UC Berkeley

Page 2

Script Injection Vulnerabilities

• OWASP Top Ten Vulnerabilities
  – 2nd in 2010 & 2011

• Today Affects
  – Major Web Services
  – Client-side Libraries
  – Browser Extensions
  – Devices & Smartphones

Page 3

Predominant Defense Practice

• Why Does it Fail?
  – Developers forget to Sanitize [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11]
  – Pick the wrong sanitizer [CCS'11]

Rendering without sanitization:

    String Div.Render () {
        print("<div>"); print(userimg); print("</div>");
    }

Rendering through a sanitizer from a Sanitizer Library:

    String Div.Render () {
        print("<div>"); print(Sanitize(userimg)); print("</div>");
    }

Page 4

Vision

• Eliminate Scripting Attacks
  – Make Applications Secure by Construction

[Diagram: Developer Code → Application Code]

Page 5

Contributions

• A New "Push-Button" Defense Primitive
  – "Security By Construction" Approach

• Context-Sensitive Auto-Sanitization (CSAS)
  – New Challenge: Which Sanitizers To Place Where?
  – Targets Existing Web Templating Frameworks

• It is Practical

• Deployed Commercially
  – Google Closure Templates powers Google+

Fast · Auditable · Compatible · Secure

Page 6

Web Templating Frameworks

[Diagram: Template → Templating Framework Compiler (Java / JS backends) → Target Language Code, which the Application calls]

Template Code:

    template imgRender($imgLink, $name) {
        print("<img src=\"");
        print($imgLink);
        print("\"/>" . $name . "<br>");
        return;
    }

Application Code:

    <script>
      var o = new soy.StringBuilder();
      imgRender({O: o, imglink: $_GET('extlink'), name: [$_GET('name')]});
      document.write(o);
    </script>

• Template Language does not have complex constructs
• Explicitly Separates Untrusted Inputs

Page 7

Talk Outline

• System Architecture & Features
• Challenges
• The CSAS Engine Design
• Implementation
• Evaluation & Deployment

Page 8

CSAS System Architecture

[Diagram: Template → CSAS Compiler (Java / JS backends) → Instrumented Auto-Sanitization code, called by the Application and backed by a Sanitizer Library; the compiler can instead report a Static Error]

Page 9

CSAS Auditability & Compatibility

[Diagram: the architecture of Page 8 again (Compiler with Java / JS backends, Instrumented Auto-Sanitization, Sanitizer Library, Static Error)]

• Easily Auditable
• Compatibility
  – No Developer Involvement
  – Minimize Static Errors
• Security
• Performance

Page 10

Security & Correctness (I)

• Property CSAN: Context-Sensitive Sanitization

[Diagram: the template ImgRender($imgLink, $name) rendered as <img src="$name/img?f=$imgLink"/> <br>$name, annotated with the context at each position: HTML Tag context, URI START context, URI PATH context, URI QUERY parameter context, HTML Tag context; an HtmlSanitizer and a URLSanitizer are shown as the available sanitizers]

Attacks Vary By Contexts!

Page 11

Security & Correctness (II)

• Property NOS: No Over Sanitization

[Diagram: <img src="/$name/img?f=$imgLink"/> <br>$name, with the constant fragments and the untrusted values distinguished]

Sanitize Only Untrusted Data, Not Constant Strings

Page 12

Security Assumptions

• Canonical HTML Parser
  – Flexible to recognize browser differences [GWT, CTemplates]

• Correct Sanitizers
  – Extensive Community Effort [OWASP, HtmlPurify, GWT, Django]
  – Research on Secure Sanitization Primitives [Bek'11, Hampi'09, Min'06]
  – Already Used in Many Frameworks

Page 13

Challenges

• Easily Auditable
• Compatibility
• Security
• Performance

[Diagram: trade-off triangle with Security, Performance and Compatibility at its corners]

Page 14

Approach #1: Context-Insensitive Sanitization

Original template:

    template ImgRender($imgLink, $name) {
        print("<img src=");
        x := $imgLink;
        print($x);
        print("/>" . $name . "<br>");
        return;
    }

The same template with one sanitizer, HtmlEncode, applied to every untrusted value:

    template ImgRender($imgLink, $name) {
        print("<img src='");
        x := HtmlEncode($imgLink);
        print($x);
        print("'/>" . HtmlEncode($name) . "<br>");
        return;
    }

Input value for $imgLink that HtmlEncode leaves intact: javascript: bad();

[Diagram: trade-off triangle Security / Performance / Compatibility]

False Sense of Security!
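The failure on this slide, and the CSAN property from Page 10, in running code. This is an added example, not code from the paper or from Closure Templates: escapeHtml and sanitizeUriAttribute are simplified stand-ins for the sanitizer library (the three-scheme allow-list and the rejection value 'about:invalid' are assumptions of this example), and the two render functions correspond to the two templates above.

```javascript
// Added example (not from the paper or from Closure Templates): the ImgRender
// template of slide 14 rendered two ways, with simplified stand-in sanitizers.

// HTML entity encoding: the right sanitizer for HTML text and for quoted attribute
// values, but it leaves a value untouched when it contains no markup characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Simplified sanitizer for the URI START context (stand-in for filterNormalizeUri
// followed by attribute escaping). A value whose scheme is not http, https or
// mailto is replaced by the constructed placeholder 'about:invalid'; relative URLs
// pass. Control characters and spaces are stripped before the scheme check because
// browsers ignore them inside a scheme. Allowed values are percent-encoded and then
// entity-encoded for the single-quoted attribute. (encodeURI re-encodes '%', which a
// real normalizer avoids; it is enough for this demonstration.)
function sanitizeUriAttribute(s) {
  const uri = String(s);
  const probe = uri.replace(/[\x00-\x20]+/g, '').toLowerCase();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/.test(probe);
  const safeScheme = /^(https?|mailto):/.test(probe);
  if (hasScheme && !safeScheme) return 'about:invalid';
  return escapeHtml(encodeURI(uri));
}

// Approach #1 from the slide: HtmlEncode applied to every untrusted value.
function renderImgContextInsensitive(imgLink, name) {
  return "<img src='" + escapeHtml(imgLink) + "'/>" + escapeHtml(name) + '<br>';
}

// What context-sensitive sanitization yields for the same template: a URI
// sanitizer inside src='...', HTML escaping for the value printed in the text body.
function renderImgContextSensitive(imgLink, name) {
  return "<img src='" + sanitizeUriAttribute(imgLink) + "'/>" + escapeHtml(name) + '<br>';
}

// The slide's input, a javascript: URL. It contains none of & < > " ' so
// HtmlEncode passes it through unchanged into the src attribute.
const hostile = 'javascript: bad();';
console.log(renderImgContextInsensitive(hostile, 'n'));       // src='javascript: bad();'
console.log(renderImgContextSensitive(hostile, 'n'));         // src='about:invalid'
console.log(renderImgContextSensitive("http://h/a'b", '<b>')); // quote and tag entity-encoded
```

The first render shows why a single HtmlEncode gives a false sense of security: HTML escaping is the correct sanitizer for the text body, and a correct one for the attribute quoting, but it says nothing about what the browser will do with the attribute's value as a URL. Only a sanitizer chosen for the URI START context rejects the scheme.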

Page 15

Approach #2: Context-Sensitive Runtime Parsing (CSRP)

[Diagram: the template ImgRender($imgLink, $name), rendered as <img src="$name/img?f=$imgLink ..., with $name in the URI START context handled by a URLSanitizer and $imgLink in the URI Param context handled by a URLParamSanitizer; trade-off triangle Security / Performance / Compatibility]

Page 16

Rich Language Features

[Diagram: <img src='/$name/img?f=$imgLink'/> <br>$name]

    template ImgRender($imgLink, $name) {
        print("<img src='");
        x := "/" . $name . "/img?f=" . $imgLink;
        print($x);
        print("'/>" . $name . "<br>");
        return;
    }

Page 17

Rich Language Features: Control Flow

    template ImgRender($imgLink, $name) {
        print("<img src='");
        if ($name != "") then
            x := "/" . $name . "/img?f=" . $imgLink;
        else
            x := $imgLink;
        fi
        print($x);
        print("'/>" . $name . "<br>");
        return;
    }

[Diagram: <img src='/$name/img?f=$imgLink'/> <br>$name]

Usage Contexts Statically Ambiguous: Sanitization Requirements vary by path!

Page 18

Our Approach

[Pipeline: Untyped Template → Type Inference → Well-Typed IR → Compilation → Compiled Code]

• CSAS Engine
  – Context Type Qualifiers

Page 19

Context Type Qualifiers

• Context Type Qualifier:
  – "Which contexts is a string safe to be rendered in"

Terms and their types (each type reads as: the context the string may start in → the context it leaves the parser in):

    x := "<img src='" . $imgLink;              (before sanitization)

    "<img src='"                               HTML START → URI START
    y := UrlAttribSanitize($imgLink)           URI START → URI
    x := "<img src='" . y;                     HTML START → URI

Type Inference: Where To Place Sanitizers?
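Pages 17 to 19 pose the question of where the sanitizer goes when a local x is assigned on two paths. As an added example (not the paper's CSAS engine and not Closure Templates code), here is a miniature forward inference over a template IR: every string fragment gets a (start context → end context) type, each untrusted input receives the sanitizer for the context it is inserted at, constants are never sanitized, and an if whose paths disagree is a static error. The context set, the transition rules, the sanitizer names and the IR shapes ({text}, {input}, {local}, {concat}) are simplifications invented for this example; it also assumes URI attributes are single-quoted.

```javascript
// Added example, not the paper's CSAS engine or Closure Templates code: a miniature
// context-type inference over a template IR. Contexts, transitions and sanitizer
// names are simplified; URI attributes are assumed to be single-quoted.

// Sanitizer for an untrusted value inserted in a context, and the context the
// parser is in after the sanitized value. TAG is absent on purpose: an untrusted
// value there (a dynamic attribute name) is a static error in this toy.
const SANITIZER_FOR = {
  PCDATA:    { sanitizer: 'escapeHtml',         next: 'PCDATA' },
  URI_START: { sanitizer: 'filterNormalizeUri', next: 'URI_REST' },
  URI_PATH:  { sanitizer: 'escapeUri',          next: 'URI_REST' },
  URI_QUERY: { sanitizer: 'escapeUri',          next: 'URI_REST' },
  URI_REST:  { sanitizer: 'escapeUri',          next: 'URI_REST' },
};

// Advance the context across a trusted constant (never sanitized: the NOS property).
function advance(ctx, text) {
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ctx === 'PCDATA') {
      if (ch === '<') ctx = 'TAG';
    } else if (ctx === 'TAG') {
      if (text.startsWith("src='", i) || text.startsWith("href='", i)) {
        i = text.indexOf("'", i);          // consume attribute name and opening quote
        ctx = 'URI_START';
      } else if (ch === '>') ctx = 'PCDATA';
    } else if (ch === "'") {               // in any URI_* context the closing quote ends the value
      ctx = 'TAG';
    } else if (ctx === 'URI_START') {
      ctx = ch === '?' ? 'URI_QUERY' : 'URI_PATH';
    } else if (ctx === 'URI_PATH' && ch === '?') {
      ctx = 'URI_QUERY';
    }
  }
  return ctx;
}

// Type an expression that starts in ctx; returns its end context and records the
// sanitizer each untrusted input needs. env maps locals to {start, end} types.
function typeExpr(expr, ctx, env, placements) {
  if (expr.text !== undefined) return advance(ctx, expr.text);
  if (expr.input !== undefined) {
    const rule = SANITIZER_FOR[ctx];
    if (!rule) throw new Error(`static error: ${expr.input} cannot be printed in ${ctx}`);
    placements.push({ input: expr.input, context: ctx, sanitizer: rule.sanitizer });
    return rule.next;
  }
  if (expr.local !== undefined) {
    const t = env[expr.local];
    if (!t || t.start !== ctx) throw new Error(`static error: ${expr.local} used in ${ctx}`);
    return t.end;
  }
  return expr.concat.reduce((c, part) => typeExpr(part, c, env, placements), ctx);
}

// Walk a statement list; an if is typed on both paths and must rejoin consistently.
function inferBlock(stmts, ctx, env, placements) {
  for (const s of stmts) {
    if (s.op === 'print') {
      ctx = typeExpr(s.expr, ctx, env, placements);
    } else if (s.op === 'assign') {
      env[s.name] = { start: ctx, end: typeExpr(s.expr, ctx, env, placements) };
    } else if (s.op === 'if') {
      const envT = { ...env }, envE = { ...env };
      const endT = inferBlock(s.then, ctx, envT, placements);
      const endE = inferBlock(s.else, ctx, envE, placements);
      if (endT !== endE) throw new Error(`static error: paths end in ${endT} vs ${endE}`);
      for (const name of new Set([...Object.keys(envT), ...Object.keys(envE)])) {
        const a = envT[name], b = envE[name];
        if (!a || !b || a.start !== b.start || a.end !== b.end) {
          throw new Error(`static error: type of ${name} differs between paths`);
        }
        env[name] = a;
      }
      ctx = endT;
    }
  }
  return ctx;
}

// A template starts in HTML text context and must end there.
function inferTemplate(body) {
  const placements = [];
  const end = inferBlock(body, 'PCDATA', {}, placements);
  if (end !== 'PCDATA') throw new Error(`static error: template ends in ${end}`);
  return placements;
}

// Page 17's ImgRender as IR (constructed for this example).
const slide17 = [
  { op: 'print', expr: { text: "<img src='" } },
  { op: 'if',
    then: [{ op: 'assign', name: 'x', expr: { concat: [
      { text: '/' }, { input: '$name' }, { text: '/img?f=' }, { input: '$imgLink' }] } }],
    else: [{ op: 'assign', name: 'x', expr: { input: '$imgLink' } }] },
  { op: 'print', expr: { local: 'x' } },
  { op: 'print', expr: { concat: [{ text: "'/>" }, { input: '$name' }, { text: '<br>' }] } },
];

// Two paths that leave the parser in different contexts: rejected at compile time.
const ambiguous = [
  { op: 'if', then: [{ op: 'print', expr: { text: "<a href='" } }], else: [] },
  { op: 'print', expr: { input: '$link' } },
];

console.log(inferTemplate(slide17));
try { inferTemplate(ambiguous); } catch (e) { console.log(e.message); }
```

Running it on the Page 17 template places four sanitizers, none of them at the print of $x: $name gets escapeUri inside the path on one path and escapeHtml in the text body later, $imgLink gets escapeUri in the query on one path and filterNormalizeUri at URI START on the other. Both assignments give x the same type (URI START → URI_REST), so the join succeeds; the ambiguous template, whose paths leave the parser in different contexts, is refused with a static error rather than guessed at.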

Page 20

Implementation & Evaluation

• Google Closure Templates
  – Powers several Google products
  – 3045 LOC Java

• Evaluation Benchmarks:
  – 1035 templates from production Google code
  – Rich Features
    • 2997 calls
    • 1224 print/sink statements using 600 untrusted input variables

Page 21

Evaluation: Compatibility

• All 1035 templates auto-sanitized!
  – No Developer Involvement
  – No Static Errors

• Compared to original sanitization
  – 21 cases differ out of 1224
  – CSAS engine inferred a more accurate sanitizer

Page 22

Evaluation: Security

[Bar chart: number of print statements (x-axis 0 to 700) per inferred sanitizer: escapeHtml, escapeHtmlAttribute, filterNormalizeURI + escapeHtml, escapeJsValue, filterCssValue, escapeJsString, escapeUri, escapeHtmlRcdata, escapeHtmlAttributeNospace, filterHtmlIdent, filterNormalizeURI; an UNSAFE marker is attached to the bars]

Context-Insensitive Approach Fails on 28% prints

Page 23

Evaluation: Performance Overhead

JavaScript backend (overhead over the unsanitized base):

    Browser     CI       CSRP     CSAS
    Chrome      93.0%    78.8%    3.0%
    FF 3.6      9.6%     425%     9.6%
    Safari 5    2.5%     189%     3.1%

Java backend:

    CI       CSRP     CSAS
    0%       72%      0%

Order Of Magnitude Faster Than CSRP

• Benchmarks
  – Templates Only, No Other Application Logic
  – Base: No Sanitization

Practical Performance: Up to 9.6%

Page 24

Conclusion

• CSAS: A New "Push-Button" Defense Primitive
  – Fast, Secure, Compatible and Auditable
  – Increasing Commercial Adoption

• Other Frameworks

[Chart: adoption over time, "July" vs "Today", y-axis 0 to 6000]

Page 25

Thanks

http://code.google.com/closure/templates/docs/security.html

Questions?