GuardRails: A Data-Centric Web Application Security Framework

Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans
University of Virginia
http://guardrails.cs.virginia.edu

Web applications are easier to create than ever!

Securing web applications is not nearly as easy!

An injected input of the kind the rest of the talk is about:

    "><script>alert(document.cookie);</script>

[Diagram: an application with pages A, B, C and D; each page reads a Data Object and produces Output HTML from it]

[Diagram: the same application, now with a Proxy that Enforces Security Policies placed between the pages and the Data Object, so that both the Read and the Output HTML go through the proxy]

Our Philosophy

  • Security policies should be attached to the data
  • Security policies should be enforced automatically

[Diagram: Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code]

Design Goals

  • Top Priority: Automatically enforce security policies
  • Other Objectives: Preserve application functionality; Easy for developers to use
  • Lesser Goals: Minimize performance cost

[Diagram: Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code, built on two mechanisms: Access Control Policies and Fine Grained Taint-Tracking]

A hand-written access check in a Rails model, before and after the developer adds the visibility condition to the query.

Without the visibility check:

    if include_subprojects && !active_children.empty?
      ids = [id] + active_children.collect {|c| c.id}
      conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]
    end

With the visibility check appended to the SQL condition:

    if include_subprojects && !active_children.empty?
      ids = [id] + active_children.collect {|c| c.id}
      conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND #{Project.visible_by}"]
    end

Hand-written visibility checks in the original application, by file:

  • application_helper.rb: 4 checks
  • project.rb: 2 checks
  • projects_controller.rb: 3 checks
  • acts_as_searchable.rb: 1 check

With GuardRails, 1 annotation in the Project model file:

    # @ :read, :self, lambda{|user| self.is_public or user.memberships.include?(self.id)}
    class Project < ActiveRecord::Base
      # Project statuses
      STATUS_ACTIVE = 1…

The slide also shows the same policy without an explicit target:

    # @ :read, lambda{|user| self.is_public or user.memberships.include?(self.id)}

Access Control Policy Annotations

    # @ (policy_type, [target], [handler], mediator)

    # @ :delete, :self, :admin
    # @ :write, :password, lambda{|user| user.id == self.id}
    # @ :append, :members, lambda{|user| user.belongs_to?(self)}
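To show how policies in this annotation shape can be attached to the data and enforced by a proxy, here is an added example in plain Ruby; it is not GuardRails's own implementation and does not use Rails. The names User, Project, Policy, Guarded and PolicyViolation are assumptions, the optional handler argument is omitted, and an access with no applicable policy is allowed here, which is a choice of this example rather than documented GuardRails behaviour. The mediators are the slide's own lambdas and the :admin role.

```ruby
# Added example, not GuardRails code: a minimal stand-in for the proxy that
# enforces access-control policies attached to a data object, using the
# slide's annotation shape (policy_type, [target], [handler], mediator).
# The handler argument is left out. User, Project, Policy, Guarded and
# PolicyViolation are assumed names; the mediators are the slide's examples.

User = Struct.new(:id, :admin, :memberships) do
  def admin?
    admin
  end

  # As used by the :append policy on the slide: user.belongs_to?(project)
  def belongs_to?(project)
    memberships.include?(project.id)
  end
end

class Project
  attr_accessor :id, :name, :is_public, :members

  def initialize(id:, name:, is_public:, members: [])
    @id, @name, @is_public, @members = id, name, is_public, members
  end
end

# type: :read / :write / :append / :delete; target: :self (whole object) or an
# attribute name; mediator: a role symbol such as :admin, or a lambda over the user.
Policy = Struct.new(:type, :target, :mediator)

class PolicyViolation < StandardError; end

# The slide's policies, attached to the Project data rather than to each page.
PROJECT_POLICIES = [
  Policy.new(:read,   :self,    lambda { |user| self.is_public || user.memberships.include?(self.id) }),
  Policy.new(:delete, :self,    :admin),
  Policy.new(:append, :members, lambda { |user| user.belongs_to?(self) }),
].freeze

# Proxy that enforces the policies: every read, write, append and delete on the
# wrapped object is mediated before the object itself is touched.
class Guarded
  def initialize(object, policies)
    @object   = object
    @policies = policies
  end

  def read(attr, user)
    enforce(:read, attr, user)
    @object.public_send(attr)
  end

  def write(attr, value, user)
    enforce(:write, attr, user)
    @object.public_send("#{attr}=", value)
  end

  def append(attr, value, user)
    enforce(:append, attr, user)
    @object.public_send(attr) << value
  end

  def delete(user)
    enforce(:delete, :self, user)
    :deleted
  end

  private

  # A policy applies when its type matches and it targets this attribute or the
  # whole object (:self); every applicable policy must pass. An access with no
  # applicable policy is allowed, an assumption of this example.
  def enforce(type, attr, user)
    applicable = @policies.select { |p| p.type == type && [attr, :self].include?(p.target) }
    return if applicable.all? { |p| mediates?(p.mediator, user) }
    raise PolicyViolation, "user #{user.id} may not #{type} #{attr}"
  end

  # Lambda mediators run with self bound to the guarded object, which is what
  # the annotations' use of self.is_public and self.id assumes.
  def mediates?(mediator, user)
    case mediator
    when :admin then user.admin?
    when Proc   then @object.instance_exec(user, &mediator)
    else raise ArgumentError, "unknown mediator #{mediator.inspect}"
    end
  end
end

# Runs one access and reports whether the proxy allowed it.
def attempt
  yield
  :allowed
rescue PolicyViolation
  :denied
end

# Constructed sample data: a private project whose only member is user 1.
def demo
  project  = Project.new(id: 7, name: "Onyx", is_public: false, members: [1])
  guarded  = Guarded.new(project, PROJECT_POLICIES)
  member   = User.new(1, false, [7])
  outsider = User.new(2, false, [])
  admin    = User.new(3, true,  [])
  {
    member_read:     attempt { guarded.read(:name, member) },
    outsider_read:   attempt { guarded.read(:name, outsider) },
    member_append:   attempt { guarded.append(:members, 4, member) },
    outsider_append: attempt { guarded.append(:members, 5, outsider) },
    member_delete:   attempt { guarded.delete(member) },
    admin_delete:    attempt { guarded.delete(admin) },
    members_after:   project.members,
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the proxy is that no page has to remember the check: a page that reads the project through Guarded gets the :read policy evaluated whether or not its author thought about visibility, which is what the scattered hand-written checks above were trying to achieve by hand.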


Dynamic Taint Tracking

Protects against injection attacks

SQL Injection:

    "SELECT profile FROM users WHERE username='" + user_name + "'"

    Good: user_name = "jazzFan26"
    Bad:  user_name = "'; DROP TABLE users--"

Cross-Site Scripting:

    "User: <a href='profile_page'>" + user_name + "</a>"

    Good: user_name = "DrKevinPhillips"
    Bad:  user_name = "<script language='javascript'> alert('document.cookie');</script>"

Taint Propagation

[Diagram: user input (URL Parameters, Form Data, Other User Input) enters the application tainted; the Model, Controller and Database carry each piece of Data together with its Taint Status; in the View, Tainted HTML passes through Sanitization and becomes Safe HTML]

Expressive Taint Status

    "<a href='profile?id=184392'><evil>SoccerFan1985</evil></a>"

A String carries both a Value and a Taint. The taint splits the value into different chunks (the slide marks chunk boundaries at character indices 29, 51 and 55), and each chunk has its own transformer: <Transformer::Identity>, <Transformer::Default>, <Transformer::Identity>.

Transformers

The Default Transformer:

    {:HTML => { "//script" => NoDisplay, :default => NoHTMLAllowed },
     :SQL => SQLSanitize,
     :Ruby_eval => NoDisplay}

Use Context -> Appropriate Sanitization Routine

[Diagram: a Raw String made of Chunk 1, Chunk 2 and Chunk 3, each with its own Transformer (1, 2, 3); given a Use Context, each transformer yields a Sanitized Chunk, and the Sanitized Chunks are joined into the Sanitized String]

Transformer Annotations

    # @ :taint, target, transformer

    # @ :taint, :username, {:HTML => AlphaNumericOnly}
    # @ :taint, :full_name, {:HTML => {TitleTag => LettersAndSpacesOnly, :default => NoHTML}}
    # @ :taint, :profile, {:HTML => {"//script" => Invisible, :default => BoldItalicUnderlineOnly}}
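The following added example, which is not GuardRails's own code, ties together the injection examples, the chunked taint status, the default transformer and the transformer annotations above: a string type that keeps a transformer per chunk and sanitizes each chunk for the context in which the string is used. The names TaintedString, Identity, NoHTMLAllowed, NoDisplay, SQLSanitize and AlphaNumericOnly are modelled on the slides but are assumptions, as is the policy hash shape; the "//script" selector is approximated with a regular expression over <script> elements rather than a real XPath match, and the sample inputs are the slide's own Good and Bad user names.

```ruby
# Added example, not GuardRails code: a string type that carries taint per chunk,
# following the slides' Expressive Taint Status and Transformers. Every chunk
# records, for each use context (:HTML, :SQL), the transformer that sanitizes it;
# code literals carry Identity, user input carries the default policy. The names
# TaintedString, NoHTMLAllowed, SQLSanitize, NoDisplay and AlphaNumericOnly are
# modelled on the slides but are assumptions; the "//script" selector is
# approximated with a regex on <script> elements.
require "cgi"

Identity         = ->(s) { s }
NoHTMLAllowed    = ->(s) { CGI.escapeHTML(s) }          # markup is shown as text
NoDisplay        = ->(s) { "" }                         # selected content is dropped
AlphaNumericOnly = ->(s) { s.gsub(/[^A-Za-z0-9]/, "") }
# Doubles quotes inside a single-quoted SQL literal; a stand-in for the slide's
# SQLSanitize (parameterised queries remain the preferable fix).
SQLSanitize      = ->(s) { s.gsub("'", "''") }

# The slide's default transformer: one sanitization routine per use context;
# the HTML entry is itself selector => transformer with a :default.
DEFAULT_POLICY = {
  HTML: { "//script" => NoDisplay, :default => NoHTMLAllowed },
  SQL:  SQLSanitize,
}.freeze

# Applies a transformer entry: a plain lambda, or a hash whose "//script" rule is
# applied to <script> elements before the :default rule covers the rest.
def apply_transformer(entry, text)
  return entry.call(text) unless entry.is_a?(Hash)
  if entry.key?("//script")
    text = text.gsub(%r{<script\b[^>]*>.*?</script>}mi) { |node| entry["//script"].call(node) }
  end
  entry.fetch(:default).call(text)
end

class TaintedString
  # policy: use context => transformer entry; label names the taint for display
  Chunk = Struct.new(:text, :policy, :label)
  attr_reader :chunks

  def initialize(chunks)
    @chunks = chunks
  end

  # Code literals are trusted: Identity in every context.
  def self.trusted(text)
    new([Chunk.new(text, Hash.new(Identity), "Identity")])
  end

  # Untrusted input (URL parameter, form field) carries a sanitizing policy.
  def self.tainted(text, policy = DEFAULT_POLICY, label = "Default")
    new([Chunk.new(text, policy, label)])
  end

  # Concatenation keeps chunk boundaries, so taint survives string building.
  def +(other)
    TaintedString.new(chunks + other.chunks)
  end

  # The raw value, never to be handed to a sink directly.
  def to_s
    chunks.map(&:text).join
  end

  # Taint status as [start index, transformer label] per chunk.
  def taint
    offset = 0
    chunks.map do |c|
      entry = [offset, c.label]
      offset += c.text.length
      entry
    end
  end

  # Sanitize for a use context: each chunk goes through its own transformer.
  def use(context)
    chunks.map do |c|
      entry = c.policy[context] || c.policy[:default]
      raise ArgumentError, "no transformer for #{context}" unless entry
      apply_transformer(entry, c.text)
    end.join
  end
end

# Builds the slide's two sinks from a tainted user_name and sanitizes each for its context.
def demo(user_name)
  name = TaintedString.tainted(user_name)
  sql  = TaintedString.trusted("SELECT profile FROM users WHERE username='") + name + TaintedString.trusted("'")
  html = TaintedString.trusted("User: <a href='profile_page'>") + name + TaintedString.trusted("</a>")
  { sql: sql.use(:SQL), html: html.use(:HTML), taint: html.taint }
end

puts demo("'; DROP TABLE users--").inspect if __FILE__ == $PROGRAM_NAME
```

Because the literal prefix and suffix are trusted chunks and only the user_name chunk carries the default policy, the same tainted value is quoted for SQL in one sink and stripped of its <script> element and escaped in the other, without the page author calling a sanitizer; a name with harmless markup such as <b>Bob</b> is escaped rather than dropped, which is the difference between the NoDisplay rule and the NoHTMLAllowed default.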

Test Applications (by application type and size)

  • Image Gallery (680 lines)
  • E-Commerce (5556 lines)
  • Project Management (30747 lines)
  • E-Commerce (11561 lines)

Performance Notes

[Chart: Relative Transaction Time (Normalized), y-axis from 1 to 7, for Onyx, Redmine and PaperTracks; series: Original Application, Access Control Only, Taint Tracking Only, Full System; one bar runs off the scale and is labelled 10.7]

Try GuardRails

Alpha Release Now Available!

  • Our Web Page: http://guardrails.cs.virginia.edu
  • Full source code can be downloaded from GitHub
  • Contact Info: guardrails@cs.virginia.edu

Questions?