improving security using data flow assertions
play

Improving security using data flow assertions Alex Yip, Xi Wang, - PowerPoint PPT Presentation

Apr 26, 2023 •334 likes •912 views

Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans Kaashoek MIT CSAIL Many security vulnerabilities caused by programming errors Attack vector Percentage SQL injection 20.4% Cross-site scripting

  1. Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans Kaashoek MIT CSAIL

  2. Many security vulnerabilities caused by programming errors Attack vector Percentage SQL injection 20.4% Cross-site scripting 14.0% Buffer overflow 9.5% Directory traversal 6.6% Script eval injection 5.0% Missing access checks 4.6% ( … long tail of others … ) 39.8% Top 6 classes of security vulnerabilities found in 2008 [CVE]

  3. Many security vulnerabilities caused by programming errors ● SQL injection: attacker's input used in SQL query ● XSS: attacker's input used in HTML page ● Directory traversal: attacker-supplied path has “..” ● Script injection: attacker's input executed as code ● Missing ACL: sensitive data sent without check

  4. Common programming error: missing checks … … … … … … Application … …

  5. Common programming error: missing checks … … … … … … Application … …

  6. SQL injection attack Stored … query … Attacker's browser … … Application … SQL database ● Goal: quote user input before using in SQL

  7. SQL injection attack Stored … query … Attacker's browser … … Application … SQL database ● Goal: quote user input before using in SQL

  8. Missing access control check Attacker's … browser … … … … Application … Protected file ● Goal: check ACL when sending file to user

  9. Missing access control check Attacker's … browser … … … … Application … Protected file ● Goal: check ACL when sending file to user

  10. Cross-site scripting attack … … Attacker's … browser Victim's … Application browser … … ● Goal: remove Javascript from user input before using in HTML

  11. Cross-site scripting attack … … Attacker's … browser Victim's … Application browser … … ● Goal: remove Javascript from user input before using in HTML

  12. Challenge: knowing where to check … … Attacker's … browser Victim's … Application browser … … ● Today: invoke check on all paths from source to sink ● Easy to miss one (out of 572 in phpBB, a popular web app) ● Security check cannot be made based on data alone ● At the source, don't know where data is going yet ● At the sink, don't know where data came from

  13. Approach: Associate checks with data ● Assume trusted runtime & non-malicious app code ● Programmers tag data with assertions at source ● Track assertions when data is copied or moved ● Assertions checked at the sinks

  14. Example bug: HotCRP password disclosure

  15. Example bug: HotCRP password disclosure

  16. Example bug: HotCRP password disclosure From: tom@cs.washington.edu To: nickolai@csail.mit.edu Dear Nickolai Zeldovich, Here is your account information: Email: nickolai@csail.mit.edu Password: cluprerast

  17. Example bug: HotCRP password disclosure ● Helpful feature: email preview mode ● Display emails instead of sending them ● Useful to fine-tune messages sent to everyone

  20. Programmer has a security plan ● Programmers often have a data flow plan in mind ● Sanitize HTML; only send password to user's email ● Hard: plan must be enforced everywhere

  21. Programmer has a security plan ● Programmers often have a data flow plan in mind ● Sanitize HTML; only send password to user's email ● Hard: plan must be enforced everywhere ● Challenge: many flow paths, easy to miss one ● phpBB: 572 calls to check for cross-site scripting

  22. Programmer has a security plan ● Programmers often have a data flow plan in mind ● Sanitize HTML; only send password to user's email ● Hard: plan must be enforced everywhere ● Challenge: many flow paths, easy to miss one ● phpBB: 572 calls to check for cross-site scripting ● Challenge: 3rd-party developers don't know plan ● phpBB: 879 plug-ins written by 505 programmers

  23. Our approach: Allow programmers to make security plan explicit ● Resin : modified language runtime (Python, PHP) ● Programmer specifies explicit data flow assertions ● Runtime checks assertion on every source→sink path ● Assertion prevents attacker from exploiting missing check ● Not a bug-finding tool; prevents exploits at runtime

  24. Challenges and ideas ● Plan: “only send this password to nickolai@mit.edu” ● How would we check if a program obeys this plan? ● How would the programmer express this assertion?

  25. Challenges and ideas ● Plan: “only send this password to nickolai@mit.edu” ● How would we check if a program obeys this plan? ● Associate the assertions with data (e.g. password) ● Track assertions along with data in language runtime ● Check at programmer-defined boundaries – E.g. external I/O (file, network), when data leaves our control ● How would the programmer express this assertion?

  26. Challenges and ideas ● Plan: “only send this password to nickolai@mit.edu” ● How would we check if a program obeys this plan? ● Associate the assertions with data (e.g. password) ● Track assertions along with data in language runtime ● Check at programmer-defined boundaries – E.g. external I/O (file, network), when data leaves our control ● How would the programmer express this assertion? ● Express using code – simple, general-purpose ● Programmers can reuse code, data structures

  27. Example: Preventing HotCRP's bug in Resin Pipe to sendmail for nickolai@mit.edu “myPassw0rd” HTTP conn to browser SQL database Resin Language Runtime World-readable log file

  28. Programmer attaches a policy object to a string Pipe to sendmail for nickolai@mit.edu “myPassw0rd” HTTP conn to browser Policy: Only email to nickolai@mit.edu SQL database Resin Language Runtime World-readable log file

  29. Programmer attaches filter objects to security boundaries Pipe to sendmail for nickolai@mit.edu Filter “myPassw0rd” HTTP conn to browser Policy: Filter Only email to nickolai@mit.edu Filter SQL database Filter Resin Language Runtime World-readable log file

  30. Runtime propagates policies for strings Pipe to sendmail for nickolai@mit.edu Filter “myPassw0rd” HTTP conn to browser Policy: Filter Dear Nickolai Zeldovich, Only email to nickolai@mit.edu Here is your account info Email: nickolai@mit.edu Filter Password: myPassw0rd SQL database Filter Resin Language Runtime World-readable log file

  31. Runtime propagates policies for strings Pipe to sendmail for nickolai@mit.edu Filter “myPassw0rd” HTTP conn to browser Policy: Filter Dear Nickolai Zeldovich, Only email to nickolai@mit.edu Here is your account info Email: nickolai@mit.edu Filter Password: myPassw0rd Policy: Only email to SQL database nickolai@mit.edu Filter Resin Language Runtime World-readable log file

  32. Filters check assertions by invoking policy objects Pipe to sendmail for nickolai@mit.edu Filter “myPassw0rd” HTTP conn to browser Policy: Filter Dear Nickolai Zeldovich, Only email to X nickolai@mit.edu Here is your account info X Email: nickolai@mit.edu Filter Password: myPassw0rd Policy: X Only email to SQL database nickolai@mit.edu Filter Resin Language Runtime World-readable log file

  33. Assertions avoid the need to understand all code Pipe to sendmail for nickolai@mit.edu Third-party Filter email module “myPassw0rd” HTTP conn X to browser Policy: Filter Dear Nickolai Zeldovich, Only email to nickolai@mit.edu Here is your account info X Email: nickolai@mit.edu Filter Password: myPassw0rd Policy: Only email to SQL database nickolai@mit.edu Filter Resin Language Runtime World-readable log file

  34. PHP code for HotCRP's policy class PasswordPolicy extends Policy { private $user; function __construct($username) { $this->user = $username; } function export_check($context) { if ($context[‘type’] == “mail” && $context[‘rcpt’] == $this- >user) return; if ($Me->valid() && $Me->privChair) return; throw new Exception (“unauthorized disclosure”); } }

  35. PHP code for HotCRP's policy class PasswordPolicy extends Policy { private $user; Stores owner's username (email address in HotCRP) function __construct($username) { $this->user = $username; } function export_check($context) { if ($context[‘type’] == “mail” && $context[‘rcpt’] == $this- >user) return; if ($Me->valid() && $Me->privChair) return; throw new Exception (“unauthorized disclosure”); } }

  36. PHP code for HotCRP's policy class PasswordPolicy extends Policy { private $user; Filter consults policy; function __construct($username) { context provided by filter $this->user = $username; at security boundary } function export_check($context) { if ($context[‘type’] == “mail” && $context[‘rcpt’] == $this- >user) return; if ($Me->valid() && $Me->privChair) return; throw new Exception (“unauthorized disclosure”); } }

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

CS 240 Stage 2 Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging Machine code, assembly language, program translation Control flow Procedures, stacks Data layout, security, linking and loading Program,

822 views • 29 slides
Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

CS 240 Stage 2 Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging Machine code, assembly language, program translation Control flow Procedures, stacks Data layout, security, linking and loading Program,

415 views • 30 slides
Model Assertions for Monitoring and Improving ML Models Daniel Kang* , , Deepti Raghavan*, Peter

Model Assertions for Monitoring and Improving ML Models Daniel Kang* , , Deepti Raghavan*, Peter

Model Assertions for Monitoring and Improving ML Models Daniel Kang* , , Deepti Raghavan*, Peter Bailis, Matei Zaharia DAWN Project, Stanford InfoLab http://dawn.cs.stanford.edu/ 1 Machine learning is deployed in mission-critical settings with

952 views • 37 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

Assertions assertions communicate assumptions about the state of the program, and stop processing if they turn out to be false very often comments are statements about the state Assertions the program should be in but assertions can

61 views • 3 slides
Company Introduction Improving the security and performance of your data centres, networks and

Company Introduction Improving the security and performance of your data centres, networks and

SOLUTIONS & SUPPORT PROFESSIONAL & MANAGED SERVICES Company Introduction Improving the security and performance of your data centres, networks and applications Network Data Cyber Application Network Test www.phoenixdatacom.com

476 views • 10 slides
Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F.

Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F.

Mark Thober June 14, 2007 Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F. Smith Department of Computer Science Johns Hopkins University PLAS 07 1 Mark Thober June 14, 2007 Motivation

580 views • 37 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Flow++: Improving Flow-Based Generative Models with Variational Dequantization and Architecture

Flow++: Improving Flow-Based Generative Models with Variational Dequantization and Architecture

Flow++: Improving Flow-Based Generative Models with Variational Dequantization and Architecture Design Jonathan Ho*, Xi Chen*, Aravind Srinivas, Yan Duan, Pieter Abbeel Overview - Goal: likelihood-based model with Fast sampling and training -

363 views • 11 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a

Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a

Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a contract n Specifying what each method does q Specify it in a comment before method's header n Precondition q What is assumed to be true

625 views • 33 slides
Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like

Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like

Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like constraints: Recall: state IN {'IA', 'MN', 'WI', 'MI', 'IL'} But can reference all tables Defined by: CREATE ASSERTION <name>

552 views • 30 slides
Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Information Flow 3 Many security requirements can be formulated as what information flow is allowed/disallowed E.g., confidential data should not

478 views • 27 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
Preemption-aware Admission Control in a Virtualized Grid Federation Mohsen Amini Salehi, Bahman

Preemption-aware Admission Control in a Virtualized Grid Federation Mohsen Amini Salehi, Bahman

Preemption-aware Admission Control in a Virtualized Grid Federation Mohsen Amini Salehi, Bahman Javadi, Rajkumar Buyya CLOUDS Laboratory Department of Computing and Information Systems The University of Melbourne, Australia

548 views • 18 slides
Normal distribution Slides developed by Mine etinkaya-Rundel of OpenIntro The slides may be

Normal distribution Slides developed by Mine etinkaya-Rundel of OpenIntro The slides may be

Normal distribution Slides developed by Mine etinkaya-Rundel of OpenIntro The slides may be copied, edited, and/or shared via the CC BY-SA license Some images may be included under fair use guidelines (educational purposes) Obtaining Good

737 views • 28 slides
Part I: Introductory Materials Introduction to Data Mining Dr. Nagiza F. Samatova Department of

Part I: Introductory Materials Introduction to Data Mining Dr. Nagiza F. Samatova Department of

Part I: Introductory Materials Introduction to Data Mining Dr. Nagiza F. Samatova Department of Computer Science North Carolina State University and Computer Science and Mathematics Division Oak Ridge National Laboratory What is common among

275 views • 26 slides
Pretium: Dynamic Pricing and Traffic Engineering for Timely Inter-Datacenter Transfers I SHAI M

Pretium: Dynamic Pricing and Traffic Engineering for Timely Inter-Datacenter Transfers I SHAI M

Pretium: Dynamic Pricing and Traffic Engineering for Timely Inter-Datacenter Transfers I SHAI M ENACHE V IRAJITH J ALAPARTI , I VAN B LIZNETS , B RENDAN L UCIER AND S RIKANTH K ANDULA M ICROSOFT * S IGCOMM 2016 *D ISCLAMER : C URRENTLY NOT PART OF

334 views • 20 slides
Welcome to the TAICEP webinar: What Are 3-year Chinese Degrees and What to Do With Them in

Welcome to the TAICEP webinar: What Are 3-year Chinese Degrees and What to Do With Them in

Welcome to the TAICEP webinar: What Are 3-year Chinese Degrees and What to Do With Them in Graduate Admissions 2019 TAICEP Webinar 5 th Annual Conference Vancouver! October 21 st 24 th 2019 TAICEP Webinar What Are 3-year Chinese

496 views • 31 slides
CAS Senate Minutes 16 December 2019 Present: J. Angelini, E. Bell, E. Donnelly, L. Duggan, A.

CAS Senate Minutes 16 December 2019 Present: J. Angelini, E. Bell, E. Donnelly, L. Duggan, A.

CAS Senate Minutes 16 December 2019 Present: J. Angelini, E. Bell, E. Donnelly, L. Duggan, A. Fox, D. Flaherty, K. Franich, D. Gallant, A. Hayes, A. Hestvik, D. Galileo, P. Gentry, J. Gizis, D. Koltomski, D. Lpez-Gydosh, E. Lyman, B.

381 views • 16 slides
Care Transitions Program to Reduce Readmissions in the Bronx Stephen Rosenthal Executive

Care Transitions Program to Reduce Readmissions in the Bronx Stephen Rosenthal Executive

Care Transitions Program to Reduce Readmissions in the Bronx Stephen Rosenthal Executive Director, The Bronx Collaborative President, CMO, The Care Management Company New York State Health Foundation Paying for Health Reform: The Imperative

456 views • 13 slides
Timely Fine-Grained Scheduling Tatiana Jin, Zhenkun Cai, Boyang Li, Chenguang Zheng, Guanxian

Timely Fine-Grained Scheduling Tatiana Jin, Zhenkun Cai, Boyang Li, Chenguang Zheng, Guanxian

Improving Resource Utilization by Timely Fine-Grained Scheduling Tatiana Jin, Zhenkun Cai, Boyang Li, Chenguang Zheng, Guanxian Jiang, James Cheng Department of Computer Science and Engineering The Chinese University of Hong Kong Core Problem

656 views • 30 slides

More recommend