GuardRails GuardRails Web applications are easier to create A Data-Centric Web Application Security Framework than ever! Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia http://guardrails.cs.virginia.edu 2 Securing web applications is not nearly as easy! 3 4 5 6
“><script>alert(document.cookie);</script> 7 8 9 10 Application Application Page A Page A Output HTML Page B Page B Data Read Read Data Object Data Object Object Page C Page C Page D Page D 11 12
Application Application Page A Page A Output HTML Page B Data Page B Object Read Read Data Object Data Object Page C Page C Proxy that Enforces Page D Page D Security Policies 13 14 Our Philosophy Application Page A Security policies should be Output HTML Page B attached to the data Data Read Data Object Object Page C Security policies should be enforced automatically Proxy that Enforces Page D Security Policies 15 16 Design Goals Top Priority: Automatically enforce security policies Annotated Ruby Secure Ruby on Other Objectives: GuardRails on Rails Code Rails Code Preserve application functionality Easy for developers to use Lesser Goals: Minimize performance cost 17 18
Annotated Ruby Annotated Ruby Secure Ruby on Secure Ruby on GuardRails GuardRails on Rails Code on Rails Code Rails Code Rails Code Access Control Policies Access Control Policies Fine Grained Taint-Tracking Fine Grained Taint-Tracking 19 20 if include_subprojects && !active_children.empty? ids = [id] + active_children.collect {|c| c.id} conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"] 21 22 if include_subprojects && !active_children.empty? if include_subprojects && !active_children.empty? ids = [id] + active_children.collect {|c| c.id} ids = [id] + active_children.collect {|c| c.id} conditions = ["#{Project.table_name}.id IN conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"] (#{ids.join(',')}) AND #{Project.visible_by}"] 23 24
Access Control Policy Annotations application_helper.rb 1 GuardRails Annotation 4 Checks # @ :read, :self, # @ (policy_type, [target], [handler], mediator) lambda{|user|self.is_public project.rb or user.memberships.include? self.id} 2 Checks # @ :delete, :self, :admin projects_controller.rb In Project model file: # @ :write, :password, lambda{|user|user.id == self.id } 3 Checks # @ :read, lambda{|user| self.is_public or user.memberships.include? self.id} class Project < ActiveRecord::Base # @ :append, :members, lambda{|user| user.belongs_to?(self)} # Project statuses acts_as_searchable.rb STATUS_ACTIVE = 1… 1 Checks 25 26 Dynamic Taint Tracking Protects against injection attacks Annotated Ruby Secure Ruby on GuardRails on Rails Code Rails Code SQL Injection: “SELECT profile FROM users WHERE username=‘” + user_name + “’” Good: user_name = “jazzFan26” Bad: user_name = “’; DROP TABLE users--” Access Control Policies Cross-Site Scripting: Fine Grained Taint-Tracking “User: <a href=‘profile_page’>” + user_name + “</a>” Good: user_name = “DrKevinPhillips” Bad: user_name = “<script language=‘javascript’> alert(‘document.cookie’);</script>” 27 28 Application Page A Page B Read Data Object Page C Page D 29 30
Taint Propagation Application Page A URL Parameters Output HTML Controller Form Data Model Page B Data Read Other User Input Data Object Object View Database Page C Tainted HTML Taint Data Page D Status Safe HTML Sanitization 31 32 Transformers Expressive Taint Status “<a href=‘profile?id=184392’><evil>SoccerFan1985</evil></a>” Use Context String The Default Transformer Value: “<a href=“profile?id=184392”><evil>SoccerFan1985</evil></a>” {: HTML => { “//script” => NoDisplay, Taint: : default => NoHTMLAllowed 29 <Transformer::Identity> }, Different : SQL => SQLSanitize, 51 <Transformer::Default> Chunks : Ruby_eval => NoDisplay} 55 <Transformer::Identity> Character Index Appropriate Sanitization Routine 33 34 Transformers Transformer Annotations # @ taint , target, transformer Use Context # @ :taint, :username, {:HTML => AlphaNumericOnly} Raw String Transformer 1 Sanitized Chunk Chunk 1 # @ :taint, :full_name, {:HTML => Raw String Transformer 2 Sanitized Chunk {TitleTag => LettersAndSpacesOnly, Chunk 2 :default => NoHTML}} Raw String Transformer 3 Sanitized Chunk Chunk 3 # @ :taint, :profile, {:HTML => {"//script” => Invisible, Sanitized String :default => BoldItalicUnderlineOnly}} 35 36
37 38 Test Application Application Type Image Gallery (680 lines) E-Commerce (5556 lines) Project Management (30747 lines) E-Commerce (11561 lines) 40 39 Performance Notes Try GuardRails 7 Relative Transaction Time (Normalized) Alpha Release Now Available! 6 Our Web Page: http://guardrails.cs.virginia.edu 10.7 5 Full source code can be downloaded from GitHub Original Application 4 Access Control Only 3 Taint Tracking Only Full System 2 Contact Info: guardrails@cs.virginia.edu 1 0 Onyx Redmine PaperTracks 41 42
Questions? Alpha Release Now Available! Our Web Page: http://guardrails.cs.virginia.edu Full source code can be downloaded from GitHub Contact Info: guardrails@cs.virginia.edu 43
Recommend
More recommend
