Resin on Rails

Securing Web Applications with Practical Data Flow Assertions

Victor Costan (龍望)

Prof. Srinivas Devadas

Prof. Nickolai Zeldovich

Motivation

[Screenshot: a web application's home page annotated with its modules: Newsfeed, Publishing, Instant Feed, Chat, Ads, Featured, Apps, Profile, Search, Account, Comments, Shortcuts]

Today’s Web applications are complex

• Complex applications -> Modules

• Modules -> Separate Teams

• Separate Teams -> No unified security model

Security is a cross-cutting concern; we need an abstraction for expressing policies and enforcing them across the entire application

Outline

1. Web applications security issues

2. Data flow assertions

3. Demo

4. Our implementation

Web Application Security Issues

Deputy Confusion

Encoding Confusion

Deputy Confusion in Web Apps

[Diagram: John's browser and Jane's browser both talk to the same cloud application (app logic, database, backend server, e-mail server). Inside the application, John's data and Jane's data are both plain Strings passed between app components, so the logic has nothing that tells it whose data it is acting on.]

Deputy Confusion at Facebook

Preview My Profile: "Test your privacy settings by displaying your profile as it is shown to your friends"

[Screenshot: Victor previewing his profile as it appears to Nickolai, with each module on the page annotated with a user: Victor's Profile: Nickolai; Victor's Feed: Nickolai; Victor's Friends: Nickolai; Chat: Victor; Instant Feed: Victor; Nickolai's Profile: Victor]

Deputy Confusion at Facebook

"Facebook Chat is now down for maintenance. The feature was presumably disabled following a report that exposed a Facebook security bug that allowed users to access and view friends' live chats, friend requests and friends in common. The report indicates that access to this personal information was accessible via Facebook's privacy settings, with the Preview My Profile feature creating the loophole to access the private live chats of friends. With Preview My Profile, users can view how their profile appears to any given Facebook friend. The bug apparently let those users see the live chats and friend requests of the friend in question. Unfortunately for the company, this is not the first time users' personal information has been exposed without consent. Earlier this year, user e-mail addresses were exposed in a hiccup following a site update."


Encoding Confusion in Web Apps

Login form input:

• name: pwnall

• password: awesome

Correct login query:

SELECT * FROM users WHERE name="pwnall" AND password="awesome" LIMIT 1

Attacker's input:

• name: pwnall

• password: awesome" OR ""="

Password-less login query (AND binds tighter than OR, so the spliced-in OR ""="" clause makes the WHERE condition true for every row):

SELECT * FROM users WHERE name="pwnall" AND password="awesome" OR ""="" LIMIT 1
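As an added example (not code from the slides), the Ruby below builds the login query by string interpolation the way the slide does, builds the same query through a quoting filter, and then runs a small scanner over both to show which parts the database parser treats as string literals and which as SQL. The table and column names come from the slide; the double-quote string delimiter and the doubled-quote escape are assumed to match the dialect the slide's queries use.

```ruby
# Added example, not from the slides: the slide's login query built by string
# interpolation, beside the same query built through a quoting filter, plus a
# scanner that shows the literal/SQL boundaries the database parser sees.
# Assumption: the dialect delimits strings with double quotes, as the slide's
# queries do, and embeds a delimiter inside a literal by doubling it.

# Vulnerable: user input is spliced in as raw text, so the database cannot
# tell where the password literal ends and the attacker's SQL begins.
def login_query_vulnerable(name, password)
  %(SELECT * FROM users WHERE name="#{name}" AND password="#{password}" LIMIT 1)
end

# Filter: turn untrusted text into a SQL string literal. Every embedded
# delimiter is doubled, so the literal cannot be terminated early.
def sql_literal(text)
  '"' + text.to_s.gsub('"', '""') + '"'
end

# Hardened: every user-controlled value passes through the filter first.
def login_query_safe(name, password)
  "SELECT * FROM users WHERE name=#{sql_literal(name)} AND password=#{sql_literal(password)} LIMIT 1"
end

# What the parser sees: every string literal (honouring the doubled-quote
# escape) is replaced by "?", leaving only the bare SQL structure. An injected
# clause shows up here as extra SQL outside any literal.
def sql_shape(query)
  out = +''
  i = 0
  while i < query.length
    if query[i] != '"'
      out << query[i]
      i += 1
      next
    end
    i += 1 # opening delimiter
    loop do
      raise ArgumentError, 'unterminated string literal' if i >= query.length
      if query[i] != '"'
        i += 1
      elsif query[i + 1] == '"'
        i += 2 # doubled delimiter stays inside the literal
      else
        i += 1 # closing delimiter
        break
      end
    end
    out << '?'
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  injected = 'awesome" OR ""="'
  puts sql_shape(login_query_vulnerable('pwnall', injected))
  puts sql_shape(login_query_safe('pwnall', injected))
end
```

For the attacker's password the vulnerable builder yields a query whose shape is `... password=? OR ?=? LIMIT 1`, while the filtered one keeps the shape `... password=? LIMIT 1` with the whole payload inside a single literal; that difference in shape, not the text of the input, is what the encoding labels in the rest of the deck are meant to track.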

Encoding Confusion in Web Apps

[Diagram: the Browser (HTML, JavaScript, CSS) sends an HTTP Request (Form, Cookies) to the Application Server (Controller, Model, View), which sends SQL/Text to the Database and also talks to the E-mail Server and Backend Server. Inside the application every one of these values is just a String.]

Encoding Confusion in Web Apps

params[:user] from the signup form:

  Field      Value
  email      costan@mit
  password   mit
  password2  mit

Controller code:

  @user = User.new(params[:user])
  @user.save

users table after the save:

  email       password  admin
  costan@mit  mit       false
  it@mit      secret    true

Encoding Confusion in Web Apps

Same request with an extra admin field in params[:user]:

  Field      Value
  email      costan@mit
  password   mit
  password2  mit
  admin      true

  @user = User.new(params[:user])
  @user.save

users table after the save: the new account is an admin.

  email       password  admin
  costan@mit  mit       true
  it@mit      secret    true

Encoding Confusion at GitHub

"The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability," GitHub co-founder Tom Preston-Werner wrote in a blog post on Sunday. "In parallel to the attack investigation we initiated a full audit of the GitHub codebase to ensure that no other instances of this vulnerability were present." There is little doubt that the vulnerability was serious. As Homakov himself noted on his blog, it gave him access to wipe any post in the Rails project and even "pull/commit/push in any repository on GitHub". He said "lots of Rails apps" were similarly vulnerable.

Data Flow Assertions

Labels and Filters

Eliminate the Confusion!

Add Labels to Data

Labels address deputy confusion

This text was typed by Victor

Only show this to Victor’s friends

Labels address encoding confusion

Unsafe text supplied by users

Safe to splice in a HTML page

Safe to splice in a SQL query

Filter Output Data

• Prevent deputy confusion

– Check security policies before making database changes

– Check privacy policies before outputting data to the user

• Prevent encoding confusion

– Only output HTML-safe pages

– Only issue SQL-safe database queries


Eliminating Encoding Confusion

params[:user]:

  Field      Value
  email      costan@mit
  password   mit
  password2  mit
  admin      true

  @user = User.new(params[:user])    Blocked: no security policy for user dictionaries

users table:

  email       password  admin
  costan@mit  (not created)
  it@mit      secret    true

Eliminating Deputy Confusion

params[:user]:

  Field      Value
  email      costan@mit
  password   mit
  password2  mit
  admin      true

  @user = User.new(params[:user])
  @user.save

Field policies:

  Field      Policy
  email      Users can edit their own
  password   Users can edit their own
  admin      Admins can edit any         Blocked

Security policy: only admins can write the admin field
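As an added example, not the Resin-on-Rails code, the Ruby below sketches the field-policy idea of this slide: each model field declares who may write it, and mass assignment from a params dictionary is refused, without writing anything, when a field has no policy at all (the per-field counterpart of the "no security policy for user dictionaries" block) or when its policy rejects the acting user. The Actor struct, the User class, the FieldPolicies module and the policy lambdas are all constructed here for illustration and are not the deck's DSL.

```ruby
# Added example, not the Resin-on-Rails implementation: per-field write
# policies checked during mass assignment. Actor, User, FieldPolicies and the
# policy lambdas are constructed for illustration.

Actor = Struct.new(:email, :admin) do
  def admin?
    admin
  end
end

class PolicyViolation < StandardError; end

module FieldPolicies
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Policies declared for this model: field name => lambda(actor, record)
    def policies
      @policies ||= {}
    end

    # Declare a field together with the rule that says who may write it.
    def field(name, writable_by:)
      policies[name.to_s] = writable_by
      attr_accessor name
    end
  end

  # Mass assignment from a params dictionary. Every key is checked before any
  # value is written, so a rejected request leaves the record untouched.
  def assign(params, as:)
    params.each_key do |key|
      policy = self.class.policies[key.to_s]
      raise PolicyViolation, "no security policy for field #{key}" if policy.nil?
      unless policy.call(as, self)
        raise PolicyViolation, "#{as.email} may not write #{key}"
      end
    end
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

class User
  include FieldPolicies

  # The three policies from the slide's table.
  field :email,    writable_by: ->(actor, user) { actor.email == user.email }
  field :password, writable_by: ->(actor, user) { actor.email == user.email }
  field :admin,    writable_by: ->(actor, _user) { actor.admin? }

  def initialize(email)
    @email = email
    @admin = false
  end
end

if __FILE__ == $PROGRAM_NAME
  victor = Actor.new('costan@mit', false)
  user = User.new('costan@mit')
  begin
    user.assign({ 'password' => 'mit', 'admin' => true }, as: victor)
  rescue PolicyViolation => e
    puts "blocked: #{e.message}"
  end
end
```

The check runs before any write and over every key in the dictionary, so a request that mixes a permitted field (password) with a forbidden one (admin) is rejected as a whole rather than partially applied; that is the property a GitHub-style mass-assignment attack relies on being absent.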

Demo

What brought down GitHub

Our Implementation

Bringing Data Flow Assertions to Ruby on Rails

Data Flow Assertions in Rails

• Labeling and Filtering

– Inserted automatically in the Rails stack

• Label propagation

– Hard to do without changing the interpreter

• API for security policies

– Domain-Specific Language (DSL) for model code

Labels and Filters in Rails

[Diagram: a Request enters through Rack and flows through Controller, Model and View to the Response; the Model talks to the Database. The hooks added to the stack are: Label input (on the incoming request), Label results (on data read from the database), Filter queries (on queries sent to the database) and Filter output (on the outgoing response). The security policies are attached to the Model.]

Label Propagation:

• Privacy labels (for deputy confusion) propagate automatically

• Unsafe text labels propagate automatically; other encoding labels do not propagate automatically

• Operations on labeled data are non-trivial, and making them fast is challenging

Value from the model: (646) 434-8887

Labels carried by the value:

– Only show this to Victor's friends (privacy label)

– Unsafe text supplied by users (encoding label)

Template:

<dl>
<dt>Phone number:</dt>
<dd><%= phone %></dd>
</dl>

Rendered page, after the HTML escape filter turns "Unsafe text supplied by users" into "Safe to splice in a HTML page":

<dl>
<dt>Phone number:</dt>
<dd>(646) 434-8887</dd>
</dl>

The rendered page keeps the "Only show this to Victor's friends" label that the phone number carried.
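As an added example, not the Resin or Resin-on-Rails code, the Ruby below implements the propagation rules these slides state on a toy labeled-string type: the unsafe-text label and privacy labels propagate through concatenation, positive encoding labels such as HTML-safe do not, the template's HTML-escape filter is what removes the unsafe-text label, and the output filter refuses a response that still carries unsafe text or a friends-only label the viewer does not satisfy. The Labeled class, the friends table and the viewer names are assumptions made for the example.

```ruby
# Added example, not the Resin or Resin-on-Rails code: a toy labeled string
# with the propagation rules from the "Label Propagation" slides. The Labeled
# class, the friends table and the viewer names are assumptions for the example.
require 'set'

class FlowViolation < StandardError; end

class Labeled
  attr_reader :text, :labels

  # Labels that propagate automatically through concatenation: the unsafe-text
  # label and every privacy label (written as [:friends_of, owner]). Positive
  # encoding labels such as :html_safe are deliberately not in this set.
  def self.propagating?(label)
    label == :untrusted || (label.is_a?(Array) && label.first == :friends_of)
  end

  def initialize(text, labels = [])
    @text = text.dup.freeze
    @labels = Set.new(labels).freeze
  end

  def with(label)
    Labeled.new(text, labels + [label])
  end

  # Concatenation keeps only the propagating labels of both operands.
  def +(other)
    merged = (labels | other.labels).select { |l| Labeled.propagating?(l) }
    Labeled.new(text + other.text, merged)
  end

  def untrusted?
    labels.include?(:untrusted)
  end

  def html_safe?
    labels.include?(:html_safe)
  end
end

# Input labeling: text that arrives from a request is unsafe until filtered.
def label_input(text)
  Labeled.new(text, [:untrusted])
end

HTML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                 '"' => '&quot;', "'" => '&#39;' }.freeze

# Filter: HTML-escape unsafe text and relabel it as safe to splice into a
# page. Privacy labels are kept; :untrusted is replaced by :html_safe.
def html_escape(value)
  escaped = value.text.gsub(/[&<>"']/) { |c| HTML_ESCAPES[c] }
  kept = value.labels.reject { |l| l == :untrusted }
  Labeled.new(escaped, kept + [:html_safe])
end

# The template from the slide. Literal template text is trusted; the
# interpolated value goes through html_escape unless escape: false simulates
# a template that splices raw input.
def render_phone(phone, escape: true)
  head = Labeled.new("<dl>\n<dt>Phone number:</dt>\n<dd>", [:html_safe])
  tail = Labeled.new("</dd>\n</dl>", [:html_safe])
  head + (escape ? html_escape(phone) : phone) + tail
end

# Constructed friend graph used by the privacy check.
FRIENDS = { 'Victor' => Set['Nickolai'] }.freeze

# Output filter at the response boundary: refuse a page that still carries
# unsafe text, and refuse friends-only data to a viewer who is not a friend.
def emit_html(page, viewer:)
  raise FlowViolation, 'unsafe text reached the response' if page.untrusted?
  page.labels.each do |label|
    next unless label.is_a?(Array) && label.first == :friends_of
    owner = label.last
    next if viewer == owner || FRIENDS.fetch(owner, Set.new).include?(viewer)
    raise FlowViolation, "#{viewer} may not see data labeled friends-of #{owner}"
  end
  page.text
end

if __FILE__ == $PROGRAM_NAME
  phone = label_input('(646) 434-8887').with([:friends_of, 'Victor'])
  puts emit_html(render_phone(phone), viewer: 'Nickolai')
end
```

Two things are worth noticing when running it. The rendered page is not labeled :html_safe even though every piece that went into it was, which is the "other encoding labels do not propagate" rule; what lets it through the output filter is the absence of :untrusted, and that absence exists only because html_escape ran. The friends-only label, by contrast, rides along from the phone number to the whole page, so the same page can be emitted to Nickolai but not to a non-friend.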

Thank you!