SLIDE 1 CS 152: Programming Language Paradigms
San José State University
Dynamic Code Evaluation & Taint Analysis
SLIDE 2
Parsing JSON
(in-class)
SLIDE 3 Review: additional Ruby eval methods
- … evaluates code within the body of an object.
- class_eval evaluates code within the body of a class.
- These methods can take a string
– or (more safely) a block of code.
SLIDE 4
class_eval example
(in class)
SLIDE 5
SLIDE 6 The mind of a developer
What does my code need to do? Stupid documentation Hmm… I wonder if my code is secure
SLIDE 7
Web Security in the News
SLIDE 8 How do companies/developers cope?
- Train/shame developers to follow
best practices.
- Hire security experts
- Use analysis tools
- Hush up mistakes
- Budget to handle emergencies
- Bury their heads in the sand.
SLIDE 9
Secure By Architecture
Developers make mistakes.
Can we design tools to create secure systems, despite developer mistakes?
SLIDE 10 Success story: memory-safe languages
- Buffer overflows were once ubiquitous
- Memory-safe languages manage
memory automatically
– Developers focus on functionality
– Security-critical bugs are eliminated
- Buffer overflows have virtually
disappeared
– Except in your OS, web browser, etc.
SLIDE 11 Three Security Mechanisms
- Taint analysis:
– protect critical fields from "dirty" data
- Information flow analysis:
– Prevent secrets from leaking.
SLIDE 12
Taint Analysis: Protecting against dirty data
SLIDE 13 Taint analysis
- Taint analysis focuses on integrity:
– does "dirty" data corrupt trusted data?
- Integrated into Perl and Ruby
- Handles explicit flows only
– direct assignment
– passing parameters
SLIDE 14 Attacks preventable by taint analysis
- Data under the control of the user
may pose a security risk
– SQL injection
– cross-site scripting (XSS)
– cross-site request forgery (CSRF)
- Taint tracking tracks untrusted
variables and prevents them from being used in unsafe operations
SLIDE 15 Taint Tracking History
- 1989 – Perl 3 support for a taint mode
- 1996 – Netscape included support for a
taint mode in server-side JavaScript
– Later abandoned
- Ruby later implemented a taint mode;
we'll review in more depth.
SLIDE 16 Taint Mode in Ruby
- Protect against integrity attacks.
– E.g. Data pulled from an HTML form cannot be passed to eval.
- Cannot taint booleans or ints.
- Multiple ways to run in safe mode:
– Use the -T command line flag.
– Set the $SAFE variable in code.
SLIDE 17 $SAFE levels in Ruby
- 0 – No checking (default)
- 1
– Tainted data cannot be passed to eval
– Cannot load/require new files
- 2 – Can't change, make, or remove directories
- 3
– New strings/objects are automatically tainted
– Cannot untaint tainted values
- 4 – Safe objects become immutable
SLIDE 18
s = "puts 4-3".taint
$SAFE = 1 # Can't eval tainted data
s.untaint # Removes taint from data
puts s.tainted?
eval s
$SAFE = 3
s2 = "puts 2 * 7" # Tainted
s2.untaint # Won't work now
eval s2
eval s # this is OK
SLIDE 19
# Data from web
s = "Robert'); DROP TABLE " + "STUDENTS;--"
s.taint
exec_query("SELECT *" + " FROM STUDENTS" + " WHERE NAME='" + s + "';")
SLIDE 20
class Record
  def exec_query(query_str)
    if query_str.tainted?
      puts "Err: tainted string"
    else
      # Perform the query ...
    end
  end
end
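Slides 19 and 20 sketch the two halves of taint tracking: data from the web is marked tainted, and the query sink refuses it. The following is an added example written for this lecture, not the slide code and not Ruby's built-in taint mode (which Ruby 2.7 deprecated and Ruby 3.2 removed). It keeps a taint bit on a String subclass (TString, a hypothetical name), propagates it through the explicit flow of concatenation, and adds a validation gate (validate_name) that is the only place the bit is cleared. The malicious input and the column names are constructed for the demo.

```ruby
# Added example: explicit-flow taint tracking by hand (not Ruby's removed
# $SAFE/taint machinery). TString is a hypothetical wrapper used here only.
class TString < String
  def initialize(str = "", tainted: false)
    super(str)
    @tainted = tainted
  end

  def tainted?
    @tainted
  end

  # Explicit flow: the concatenation is tainted if either operand is.
  def +(other)
    other_tainted = other.respond_to?(:tainted?) && other.tainted?
    TString.new(String.new(self) + other.to_s, tainted: @tainted || other_tainted)
  end

  def taint
    TString.new(String.new(self), tainted: true)
  end

  # Endorsement: only meant to be called after the content has been validated.
  def untaint
    TString.new(String.new(self), tainted: false)
  end
end

# Everything that arrives from the network starts out tainted.
def from_web(raw)
  TString.new(raw, tainted: true)
end

# Validation gate: a student name may contain only letters and spaces.
# Returns an untainted copy, or nil when the input does not pass.
def validate_name(name)
  return nil unless name.match?(/\A[A-Za-z ]+\z/)
  name.untaint
end

# The slide's query builder, with the taint bit riding along the + operator.
def build_query(name)
  TString.new("SELECT * FROM STUDENTS WHERE NAME='") + name + TString.new("';")
end

class Record
  class TaintError < StandardError; end

  # The sink: tainted input never reaches the database.
  def exec_query(query_str)
    if query_str.respond_to?(:tainted?) && query_str.tainted?
      raise TaintError, "Err: tainted string"
    end
    # Perform the query; here we only return the text that would run.
    "EXECUTED: #{query_str}"
  end
end

if __FILE__ == $PROGRAM_NAME
  evil = from_web("Robert'); DROP TABLE STUDENTS;--") # constructed attacker input
  begin
    Record.new.exec_query(build_query(evil))
  rescue Record::TaintError => e
    puts e.message
  end
  puts Record.new.exec_query(build_query(validate_name(from_web("Robert"))))
end
```

Note that taint survives every + along the way, so the sink check does not depend on where the string was assembled; only validate_name can clear it, and it rejects the injection string outright.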
SLIDE 21 Information Flow Analysis
Here be dragons
SLIDE 22 Information Flow Analysis
- Related to taint analysis
- Focuses on confidentiality:
– does secret data leak to public channels?
- Assumes attacker controls some code
- Must consider implicit flows
– can the attacker deduce secrets?
SLIDE 23 Challenge of Securing Information
[Diagram: Developer, Sensitive Data, Private Channel, Public Channel]
Policy: Keep location from leaking to public channels.
SLIDE 24 Challenge of Securing Information
[Diagram: Developer, Sensitive Data, Private Channel, Public Channel]
if (chan.police){ write(chan, spraycanLocation); }
SLIDE 25 Challenge of Securing Information
[Diagram: Developer, Sensitive Data, Private Channel, Public Channel]
if (chan.police){ write(chan, spraycanLocation); }
New Developers / New System Requirements:
write(chan, spraycanLocation);
SLIDE 26
Information Leaked
SLIDE 27
Additional Information Flow Challenges
Applications often make use of 3rd party libraries of questionable quality...
…or have vulnerabilities to code injection attacks...
…so we must assume that the attacker is able to inject code into our system.
SLIDE 28 Information Flow Analysis in Action
[Diagram: Sensitive Data, Public Data, Private Channel, Public Channel]
SLIDE 29 Information Flow Analysis in Action
[Diagram: Sensitive Data, Public Data, Private Channel, Public Channel]
SLIDE 30 Termination-Insensitive Non-Interference
[Diagram: Sensitive Data, Public Data, Private Channel, Public Channel]
Public outputs do not depend …
SLIDE 31 Explicit and Implicit Flows
spraycanLocation = "Kwik-E-Mart"^police;
Location is only visible to the police.
x = spraycanLocation;
Explicit flow from spraycanLocation to x.
if (x.charAt(0) < 'N') { firstCharMax = 12; }
Implicit flow from x to firstCharMax.
SLIDE 32 write(chan, spraycanLocation);
[Diagram: Developer (Core Functionality); Security Expert and Business Domain Expert (Label Data: attach label police to spraycanLocation); Enforcement Mechanism]
label: police, chan: police
SLIDE 33 write(chan, spraycanLocation);
[Diagram: Developer (Core Functionality); Security Expert and Business Domain Expert (Label Data: attach label police to spraycanLocation); Enforcement Mechanism]
label: police, chan: public
DENIED
SLIDE 34 Denning-style Static Analysis
- Certification process, perhaps
integrated into a compiler.
- Data can flow down the lattice
- Programs can be guaranteed
to be secure before the program is ever executed.
SLIDE 35 Static Analysis Certification
var secret = true^bank; var y = true; if (secret) y = false;
var leak = true; if (y) leak = false;
… that private data does not affect public data.
y's final value depends on x.
SLIDE 36 Purely Dynamic Info Flow Controls
- Instrument interpreter with runtime
controls
- Implicit flows can be handled by:
– Ignoring unsafe updates
– Crashing on unsafe updates
– Leaking some data (not satisfying noninterference)
SLIDE 37 A Tainting Approach
One obvious strategy: if a public variable is updated in a private context, make it private as well.
var secret = true^bank; var y = true; if (secret) y = false;
Set y = false^bank
SLIDE 38 Challenges With Implicit Flows
var secret = true^bank; var y = true; if (secret) y = false;
var leak = true; if (y) leak = false;
Run with secret = true^bank: y = false^bank, leak = true
Run with secret = false^bank: y = true, leak = false
SLIDE 39 Dynamic Monitors Reject Executions
var secret = true^bank; var y = true; if (secret) y = false;
Execution terminates to protect the value
Zdancewic 2002
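Slides 35 to 39 show the same two-line program under three runtime policies: relabel on unsafe update (the tainting approach), drop the update, or stop the execution. The following added example, written for this lecture and not taken from the slides, is a small monitor in Ruby that runs that program for both values of secret under each policy and checks whether the public variable leak reveals the secret. Monitor, Labeled, observe and leaks? are hypothetical names; the lattice has just the two points public ⊑ bank used on the slides.

```ruby
# Added example: a dynamic information-flow monitor for the slide program
#   var secret = ...^bank; var y = true; if (secret) y = false;
#   var leak = true;                      if (y) leak = false;
# Labels form a two-point lattice, public below bank.
LABELS = { public: 0, bank: 1 }.freeze

def join(a, b)
  LABELS[a] >= LABELS[b] ? a : b
end

Labeled = Struct.new(:value, :label)

class InsecureUpgrade < StandardError; end

class Monitor
  # mode :taint  - a public variable written under a secret pc becomes secret (slide 37)
  # mode :ignore - such a write is silently dropped
  # mode :nsu    - such a write terminates the run (no-sensitive-upgrade, slide 39)
  def initialize(mode, secret_value)
    @mode = mode
    @env = {
      secret: Labeled.new(secret_value, :bank),
      y:      Labeled.new(true, :public),
      leak:   Labeled.new(true, :public)
    }
  end

  # Assignment under a program-counter label pc (the label of the branch condition).
  def assign(name, value, pc)
    target = @env[name]
    unsafe = LABELS[pc] > LABELS[target.label]
    return if unsafe && @mode == :ignore
    raise InsecureUpgrade, "write to #{name} under #{pc} context" if unsafe && @mode == :nsu
    @env[name] = Labeled.new(value, join(target.label, pc))
  end

  # The branch bodies run with pc equal to the label of the condition.
  def run
    assign(:y, false, @env[:secret].label) if @env[:secret].value
    assign(:leak, false, @env[:y].label) if @env[:y].value
    @env
  end
end

# What an observer of the public variable leak sees for a given secret.
def observe(secret_value, mode)
  Monitor.new(mode, secret_value).run[:leak].value
rescue InsecureUpgrade
  :terminated
end

# Termination-insensitive check: a leak exists only if both runs finish and
# the public observation differs between them.
def leaks?(mode)
  outs = [true, false].map { |s| observe(s, mode) }
  outs.none?(:terminated) && outs.uniq.size == 2
end

if __FILE__ == $PROGRAM_NAME
  %i[taint ignore nsu].each do |mode|
    puts "#{mode}: secret=true -> #{observe(true, mode)}, " \
         "secret=false -> #{observe(false, mode)}, leaks? #{leaks?(mode)}"
  end
end
```

Under :taint, y becomes secret only on the run where the branch is taken, so the second if behaves differently on the two runs and leak (still labelled public) ends up equal to the negation of secret: the implicit flow of slide 38. Under :ignore the two runs agree, and under :nsu the run with secret = true stops at the first unsafe write, which termination-insensitive non-interference does not count as an observation.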
SLIDE 40 Secure Multi-Execution
Executes the program multiple times:
- High execution
– Sees all information
– Only writes to authorized channels
- Low execution
– Only sees public data
– Writes to public channels
– Confidential data replaced with default values.
SLIDE 41
Original Program:
var pass = mkSecret("scytale"); if (pass[0]==("s")) write(chan,"s");
Low Execution Program:
var pass=""; if (pass[0] ==("s")) write(chan, "s");
High Execution Program:
var pass="scytale"; if (pass[0] ==("s")){ write(chan, "s"); }
SLIDE 42 Secure Multi-Execution
[Diagram: Private inputs and Public inputs feed the High execution; Public inputs and Dummy Values feed the Low execution; the High execution writes the Private output, the Low execution writes the Public output]
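Slides 40 to 42 describe secure multi-execution as two runs with different inputs and different write permissions. The following added example, written for this lecture rather than taken from the slides, implements that scheme in Ruby for the slide 41 password program: the high run gets the real secret but may only write to the private channel, the low run gets a dummy value and is the only run allowed to write to the public channel. secure_multi_execute, single_execute and password_program are hypothetical names, and the secret "scytale" and the empty-string default are the slide's values.

```ruby
# Added example: secure multi-execution (SME) of the slide 41 program.
# A program is a lambda taking (inputs, write); write is itself a lambda
# taking (channel, message). Channels are :private or :public.

def secure_multi_execute(program, public_inputs:, private_inputs:, defaults:)
  outputs = { private: [], public: [] }

  # High execution: sees every input; its writes survive only on the private channel.
  high_write = lambda { |chan, msg| outputs[:private] << msg if chan == :private }
  program.call(public_inputs.merge(private_inputs), high_write)

  # Low execution: secrets replaced by dummy values; writes survive only on public.
  low_write = lambda { |chan, msg| outputs[:public] << msg if chan == :public }
  program.call(public_inputs.merge(defaults), low_write)

  outputs
end

# Unprotected reference: a single run whose writes all go through.
def single_execute(program, inputs)
  outputs = { private: [], public: [] }
  program.call(inputs, lambda { |chan, msg| outputs[chan] << msg })
  outputs
end

# The slide program, parameterised by the channel it writes to:
#   var pass = mkSecret("scytale"); if (pass[0]=="s") write(chan, "s");
def password_program(chan)
  lambda do |inputs, write|
    pass = inputs[:pass]
    write.call(chan, "s") if pass[0] == "s"
  end
end

INPUTS = { pass: "scytale" }.freeze # the secret input from the slide
DEFAULTS = { pass: "" }.freeze      # dummy value used by the low execution

if __FILE__ == $PROGRAM_NAME
  # Without SME the first character of the password reaches the public channel.
  p single_execute(password_program(:public), INPUTS)
  # With SME the public channel stays empty: the only run allowed to write there
  # never saw the real password.
  p secure_multi_execute(password_program(:public),
                         public_inputs: {}, private_inputs: INPUTS, defaults: DEFAULTS)
  # Writing to the private channel is still allowed, from the high execution.
  p secure_multi_execute(password_program(:private),
                         public_inputs: {}, private_inputs: INPUTS, defaults: DEFAULTS)
end
```

The program text is identical in both runs; what changes is which inputs it sees and which of its writes are kept, so neither explicit nor implicit flows from pass can reach the public channel.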
SLIDE 43
Lab: Taint tracking
Today's lab explores taint tracking in Ruby. Starter code is available on the course website. Details in Canvas.