Resin on Rails
Securing Web Applications with Practical Data Flow Assertions
Victor Costan (龍望)
Prof. Srinivas Devadas
Prof. Nickolai Zeldovich
Motivation
[Screenshot of a Facebook page with its many modules: Newsfeed, Publishing, Instant Feed, Chat, Ads, Featured, Apps, Profile, Search, Account, Comments, Shortcuts]
Motivation
Today’s Web applications are complex
• Complex applications -> Modules
• Modules -> Separate Teams
• Separate Teams -> No unified security model
Security is a cross-cutting concern; we need an abstraction for expressing policies and enforcing them across the entire application
Deputy Confusion in Web Apps
[Diagram: a cloud application (its logic operating on Strings) sits between John's Browser, Jane's Browser, a Database, an E-mail Server and a Backend Server. John's data and Jane's data are both just Strings once they are inside the App.]
Deputy Confusion at Facebook
Test your privacy settings by displaying your profile as it is shown to your friends
Deputy Confusion at Facebook
[Diagram of Preview My Profile: Victor previews his profile as Nickolai. The Profile, Feed and Friends modules are labelled Nickolai, while the Chat and Instant Feed modules on the same page are labelled Victor, and Nickolai's Profile is labelled Victor. Modules on one page are acting on behalf of different users.]
Deputy Confusion at Facebook
“Facebook Chat is now down for maintenance. The feature was presumably disabled following a report that exposed a Facebook security bug that allowed users to access and view friends’ live chats, friend requests and friends in common. The report indicates that access to this personal information was accessible via Facebook’s privacy settings, with the Preview My Profile feature creating the loophole to access the private live chats of friends. With Preview My Profile, users can view how their profile appears to any given Facebook friend. The bug apparently let those users see the live chats and friend requests of the friend in question. Unfortunately for the company, this is not the first time users’ personal information has been exposed without consent. Earlier this year, user e-mail addresses were exposed in a hiccup following a site update.”
Deputy Confusion in Web Apps
[The cloud-application diagram from above, shown again.]
Encoding Confusion in Web Apps
• name: pwnall
• password: awesome
Correct login query:
SELECT * FROM users WHERE name="pwnall" AND password="awesome" LIMIT 1
• name: pwnall
• password: awesome " OR ""="
Password-less login query:
SELECT * FROM users WHERE name="pwnall" AND password="awesome " OR ""="" LIMIT 1
The password is spliced into the query as text, so the quote inside it closes the string literal and the trailing OR ""="" makes the WHERE clause true for every row: a user row comes back without a valid password.
Encoding Confusion in Web Apps
[Diagram: Browser (HTML, JavaScript, CSS) → HTTP Request (Form, Cookies) → Application Server (Controller, Model, View) → SQL Text → Database; the application server also sends Strings to an E-mail Server and a Backend Server. Every hop carries plain Strings.]
Encoding Confusion in Web Apps
Signup form (params[:user]):
  Field      Value
  email      [email protected]
  password   mit
  password2  mit
Controller:
  @user = User.new(params[:user])
  @user.save
users table after the save:
  email       password  admin
  costan@mit  mit       false
  it@mit      secret    true
  …
Encoding Confusion in Web Apps
The same form, with one extra field added by the client (params[:user]):
  Field      Value
  email      [email protected]
  password   mit
  password2  mit
  admin      true
Controller, unchanged:
  @user = User.new(params[:user])
  @user.save
users table after the save: the new account is an admin
  email       password  admin
  costan@mit  mit       true
  it@mit      secret    true
  …
Encoding Confusion at GitHub
"The root cause of the vulnerability was a failure to properly check incoming form parameters, a problem known as the mass-assignment vulnerability," GitHub co-founder Tom Preston-Werner wrote in a blog post on Sunday. "In parallel to the attack investigation we initiated a full audit of the GitHub codebase to ensure that no other instances of this vulnerability were present." There is little doubt that the vulnerability was serious. As Homakov himself noted on his blog, it gave him access to wipe any post in the Rails project and even "pull/commit/push in any repository on GitHub". He said "lots of Rails apps" were similarly vulnerable.
Eliminate the Confusion!
Add Labels to Data
Labels address deputy confusion
This text was typed by Victor
Only show this to Victor’s friends
Labels address encoding confusion
Unsafe text supplied by users
Safe to splice in an HTML page
Safe to splice in a SQL query
Filter Output Data
• Prevent deputy confusion
– Check security policies before making database changes
– Check privacy policies before outputting data to the user
• Prevent encoding confusion
– Only output HTML-safe pages
– Only issue SQL-safe database queries
Encoding Confusion in Web Apps
[The signup form with the extra admin=true field, the unchanged controller code and the resulting admin account, shown again before the fix.]
Eliminating Encoding Confusion
Signup form with the extra admin field (params[:user]):
  Field      Value
  email      [email protected]
  password   mit
  password2  mit
  admin      true
Controller:
  @user = User.new(params[:user])
Blocked: no security policy for user dictionaries
users table: costan@mit is not created
  email       password  admin
  it@mit      secret    true
  …
Eliminating Deputy Confusion
Signup form (params[:user]):
  Field      Value
  email      [email protected]
  password   mit
  password2  mit
  admin      true
Controller:
  @user = User.new(params[:user])
  @user.save
Field policies:
  Field     Policy
  email     Users can edit their own
  password  Users can edit their own
  admin     Admins can edit any   (Blocked)
Security policy: only admins can write the admin field
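The field-policy table above, as an added example in Ruby that is not Resin's or Rails' code: a hypothetical PolicyModel base class whose policy declarations stand in for the model-code DSL, a User model carrying the three policies from the table, and request dictionaries constructed to match the signup forms on the slides. mass_assign_unchecked is the User.new(params[:user]) behaviour; mass_assign checks each field's policy against the acting user before writing it, and rejects fields that have no policy at all, which is what stops the extra admin=true field.

```ruby
class PolicyViolation < StandardError; end

# The principal on whose behalf a request runs. nil = anonymous signup.
# (Hypothetical; a real app would take this from the session.)
Actor = Struct.new(:email, :admin) do
  def admin?
    admin == true
  end
end

class PolicyModel
  # field name -> lambda(actor, record) answering "may actor write this field?"
  def self.policies
    @policies ||= {}
  end

  def self.policy(field, writable_if)
    policies[field.to_sym] = writable_if
  end

  attr_reader :attributes

  def initialize
    @attributes = {}
    @new_record = true
  end

  def new_record?
    @new_record
  end

  def save
    @new_record = false
    self
  end

  # The vulnerable shape of User.new(params[:user]): every key in the request
  # dictionary becomes an attribute, including ones the form never offered.
  def mass_assign_unchecked(params)
    params.each { |k, v| @attributes[k.to_sym] = v }
    self
  end

  # The filtered shape: a field is written only if a policy exists for it and
  # that policy accepts the actor. Fields without a policy are rejected rather
  # than silently assigned. On a violation the half-built record is discarded.
  def mass_assign(params, actor:)
    params.each do |k, v|
      rule = self.class.policies[k.to_sym]
      raise PolicyViolation, "no write policy for #{k}" if rule.nil?
      unless rule.call(actor, self)
        raise PolicyViolation, "#{k} is not writable by #{actor ? actor.email : 'anonymous'}"
      end
      @attributes[k.to_sym] = v
    end
    self
  end
end

class User < PolicyModel
  # "Users can edit their own": anyone may fill in a record that is still being
  # created; afterwards only the account's owner may change it.
  OWN = lambda do |actor, record|
    record.new_record? || (!actor.nil? && actor.email == record.attributes[:email])
  end
  # "Admins can edit any": nobody else can ever write the admin flag.
  ADMIN_ONLY = lambda { |actor, _record| !actor.nil? && actor.admin? }

  policy :email,    OWN
  policy :password, OWN
  policy :admin,    ADMIN_ONLY
end

# Constructed request dictionaries matching the slides' forms.
HONEST_SIGNUP = { "email" => "costan@mit", "password" => "mit" }
ATTACK_SIGNUP = HONEST_SIGNUP.merge("admin" => "true")

def signup_unchecked(params)
  User.new.mass_assign_unchecked(params).save.attributes
end

# Returns the saved attributes, or { error: ... } when a policy blocks the write.
def signup(params, actor: nil)
  User.new.mass_assign(params, actor: actor).save.attributes
rescue PolicyViolation => e
  { error: e.message }
end

def edit(user, params, actor:)
  user.mass_assign(params, actor: actor).attributes
rescue PolicyViolation => e
  { error: e.message }
end
```

The check runs per field at assignment time, so the controller code stays `User.new(params[:user])`; the policy lives with the model, which is where the slides put the DSL.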
Data Flow Assertions in Rails
• Labeling and Filtering
– Inserted automatically in the Rails stack
• Label propagation
– Hard to do without changing the interpreter
• API for security policies
– Domain-Specific Language (DSL) for model code
Labels and Filters in Rails
[Diagram of the Rails request path: Request → Rack → Controller → Model → View → Response, with the Database beside the Model. Four hooks, all driven by the security policies: Label input (where the request enters), Filter queries (before SQL reaches the database), Label results (on rows coming back), Filter output (before the response leaves).]
Label Propagation:
Privacy labels (for deputy confusion) propagate automatically
[The value (646) 434-8887 carries the labels "Only show this to Victor's friends" and "Unsafe text supplied by users". The view template
  <dl>
  <dt>Phone number:</dt>
  <dd><%= phone %></dd>
  </dl>
renders to
  <dl>
  <dt>Phone number:</dt>
  <dd>(646) 434-8887</dd>
  </dl>
and the rendered page carries the same "Only show this to Victor's friends" label.]
Label Propagation:
Unsafe text labels propagate automatically; other encoding labels do not propagate automatically
[Same template and output as above: the "Unsafe text supplied by users" label propagates from the phone number to the rendered page, while "Safe to splice in an HTML page" does not.]
Label Propagation:
Unsafe text labels propagate automatically; other encoding labels do not propagate automatically
[Same diagram, with an HTML escape step added between the phone number and the <dd>: the escaped value (646) 434-8887 is what acquires the "Safe to splice in an HTML page" label and is spliced into the page.]
Label Propagation:
Operations on labeled data are non-trivial, and making them fast is challenging.
[Same diagram: the labelled phone number, the <dl> template, the HTML escape step and the rendered page.]
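The propagation and filtering rules on these slides, together with the login query from the Encoding Confusion slides, as one added example in Ruby that is not Resin's or Rails' code. The Labeled type, the emit_html and issue_sql sinks, the html/sql helpers and Victor's friend list are hypothetical; the phone number, the <dl> template and the query text are the slides'. Two choices are mine: the privacy label of a concatenation is the intersection of the operands' audiences, and SQL literals use standard single quotes rather than the slides' double quotes. Concatenation propagates the privacy label and the unsafe label; a safety label survives concatenation only when both operands already carry the same one, and is created only by the html_escape and sql_quote filters.

```ruby
require 'cgi'
require 'set'

# Hypothetical labeled string. Two labels ride along with every value:
#   viewers  -> who may see it (nil = anyone)   e.g. "Only show this to Victor's friends"
#   encoding -> :unsafe_text | :html_safe | :sql_safe
class Labeled
  attr_reader :value, :viewers, :encoding

  def initialize(value, viewers: nil, encoding: :unsafe_text)
    @value    = value.to_s
    @viewers  = viewers && Set.new(viewers)
    @encoding = encoding
  end

  # Privacy propagates automatically (audience = intersection). The unsafe
  # label propagates too: any unsafe operand makes the result unsafe. A safety
  # label is kept only when both sides already carry the same one.
  def +(other)
    other = Labeled.new(other) unless other.is_a?(Labeled)
    enc = (@encoding == other.encoding) ? @encoding : :unsafe_text
    Labeled.new(@value + other.value, viewers: narrower(@viewers, other.viewers), encoding: enc)
  end

  # The filters are the only way to obtain a safety label.
  def html_escape
    Labeled.new(CGI.escapeHTML(@value), viewers: @viewers, encoding: :html_safe)
  end

  # Standard SQL string literal: single quotes, embedded quotes doubled.
  def sql_quote
    Labeled.new("'" + @value.gsub("'", "''") + "'", viewers: @viewers, encoding: :sql_safe)
  end

  def visible_to?(viewer)
    @viewers.nil? || @viewers.include?(viewer)
  end

  private

  def narrower(a, b)
    return b if a.nil?
    return a if b.nil?
    a & b
  end
end

class FilterViolation < StandardError; end

# Output filter (the Response edge of the diagram): refuses anything that is
# not HTML-safe and anything the requesting viewer may not see.
def emit_html(page, viewer:)
  raise FilterViolation, "not HTML-safe: #{page.value.inspect}" unless page.encoding == :html_safe
  raise FilterViolation, "#{viewer} may not see this page" unless page.visible_to?(viewer)
  page.value
end

# Query filter (the Database edge): refuses anything that is not SQL-safe.
def issue_sql(query)
  raise FilterViolation, "not SQL-safe: #{query.value.inspect}" unless query.encoding == :sql_safe
  query.value
end

# Literal template and query text is trusted by construction, like ERB's static parts.
def html(s); Labeled.new(s, encoding: :html_safe); end
def sql(s);  Labeled.new(s, encoding: :sql_safe);  end

# The <dl> template from the slides, with <%= phone %> rendered through html_escape.
def phone_page(phone)
  html("<dl><dt>Phone number:</dt><dd>") + phone.html_escape + html("</dd></dl>")
end

# The login query from the Encoding Confusion slides, built two ways.
def login_query_spliced(name, password)   # raw user strings spliced in: stays unsafe
  sql("SELECT * FROM users WHERE name=") + name + sql(" AND password=") + password + sql(" LIMIT 1")
end

def login_query(name, password)           # every user value passes through sql_quote
  sql("SELECT * FROM users WHERE name=") + name.sql_quote +
    sql(" AND password=") + password.sql_quote + sql(" LIMIT 1")
end

# Constructed sample data: Victor's phone number, visible only to his friends.
VICTORS_FRIENDS = %w[nickolai srini]
PHONE = Labeled.new("(646) 434-8887", viewers: VICTORS_FRIENDS)

if __FILE__ == $0
  puts emit_html(phone_page(PHONE), viewer: "nickolai")
  begin
    emit_html(phone_page(PHONE), viewer: "mallory")
  rescue FilterViolation => e
    puts "blocked: #{e.message}"
  end
  puts issue_sql(login_query(Labeled.new("pwnall"), Labeled.new("awesome ' OR ''='")))
end
```

The spliced query fails at the database edge rather than at the point of concatenation: the label records that unsafe text went in, and the filter at the sink is what enforces the policy, which is the division of labour the diagram shows.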