Static Checking of Dynamically-Varying Security Policies in - - PowerPoint PPT Presentation

▶

Oct 10, 2022 386 likes •601 views

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications Adam Chlipala OSDI 2010 Beyond Code Injection 1.Injection An application includes an Dependent on application-specific unintended run-time program

SLIDE 1

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications

Adam Chlipala OSDI 2010

SLIDE 2

Beyond Code Injection

An application includes an unintended run-time program interpreter Dependent on application-specific authentication and access control regimes!

1.Injection 2.Cross Site Scripting 3.Broken Authentication and Session Mgmt. 4.Insecure Direct Object References 5.Cross Site Request Forgery 6.Security Misconfiguration 7.Insecure Cryptographic Storage ....

SLIDE 3

Authentication Snafus

SLIDE 4

Surprise attack Security Policy

Roads to Security

Resource Attack vector #1 Attack vector #2 Attack vector #3 Audit Audit Audit Information flow: who can learn what Access control: who can change what

SLIDE 5

Dynamic Checking

Database Program Variable

Sensitive Datum

Program Variable Program Variable Output to User Store security information with values Check before interaction with environment.

Pros

Easy to add to existing programs
Flexibility in coding security checks

Cons

Bugs are only found for program paths that are tested.
Performance overhead

SLIDE 6

Static Checking

Database Program Variable Program Variable Program Variable Output to User

Pros

Checks all program paths at compile time
No changes to run-time behavior required

Cons

Usually requires extensive program annotation
Limited policy expressiveness

Type Type Type Type Type

Sensitive Datum

High Security Low Security Subtyping check

SLIDE 7

The Best of Both Worlds

The

UrFlow

analysis

for the Ur/Web programming language

Like Dynamic Checking:

No program annotations

required

Flexible and

programmer-accessible policy language (SQL) Like Security Typing:

Checks all program paths

statically

No run-time overhead

SLIDE 8

A Word About Ur/Web

queryX (SELECT * FROM t) (fn row => <xml><tr> <td>{[row.T.A]}</td> <td>{[row.T.B]}</td> <td>{[row.T.C]}</td> <td>{[row.T.D]}</td> <td><form><submit action={delete row.T.A} value="Delete"/> </form></td> </tr></xml>);

Integrated parsing and type-checking of SQL and HTML

SLIDE 9

Simple Policies

policy sendClient (SELECT Id, Name FROM Secrets)

Id Name Secret

Secrets

Client may learn anything this query could return.

SLIDE 10

Reasoning About Knowledge

policy sendClient (SELECT * FROM Secrets WHERE known(Code))

Id Name Secret Code

Secrets

SLIDE 11

What is “known”?

Web page that generated this request App source “foo” 42 AUTH (Username, Password) = (U, P) Cookies n v

known: “foo” 42 n v (U, P) U P ((42, v), P) (“foo”, n) (42, v)

SLIDE 12

Multi-Table Policies

policy sendClient (SELECT Secret FROM Secrets, Users WHERE Owner = Users.Id AND known(Password))

Id Name Secret Owner

Secrets

Id Name Password

Users

SLIDE 13

Understanding SQL Usage

Program Execution

... ... (U, P) = readCookie(AUTH); pass = SELECT Password FROM Users WHERE Id = U; if (pass != P) abort(); ... ... ... rows = SELECT Secret FROM Secrets WHERE Owner = U; // Send rows to client.... ...

∃ u ∈ Users. u.Id = U ∧ u.Password = P ∀ v. mightSend(v) ⇒ ∃ s ∈ Secrets. s.Owner = U ∧ v = s.Secret known (U, P)

SLIDE 14

Understanding SQL Usage

∃ u ∈ Users. u.Id = U ∧ u.Password = P ∀ v. mightSend(v) ⇒ ∃ s ∈ Secrets. s.Owner = U ∧ v = s.Secret known (U, P)

∧ ∧

policy sendClient (SELECT Secret FROM Secrets, Users WHERE Owner = Users.Id AND known(Password)) ∀ s ∈ Secrets. ∀ u ∈ Users. s.Owner = u.Id ∧ known(u.Password) ⇒ allowed(s.Secret)

∧

Prove: ∀ v. mightSend(v) ⇒ allowed(v)

SLIDE 15

UrFlow Sketch

Program Code Policies (SQL) Policies (First-Order Logic) Finite set of execution paths Symbolic executions State: P1 P2 P3 ... PN Check: Q1 Q2 ... Automated Theorem-Prover P2 /\ policies => Q1

SLIDE 16

Fancier Policies

policy sendClient (SELECT Body FROM Messages, ACL, Users WHERE ACL.Forum = Messages.Forum AND ACL.User = User.Id AND known(Password) AND Level >= 42)

Forum Body

Messages

Id Password

Users

Forum User Level

ACL

SLIDE 17

Write Policies

policy mayInsert (SELECT * FROM Secrets AS New, Users WHERE New.Owner = Users.Id AND known(Password) AND known(New.Secret))

Id Name Secret Owner

Secrets

Id Name Password

Users

SLIDE 18

Case Studies

SLIDE 19

Progress

Programming Languages Researchers Practitioners Imperative programs are too hard to analyze! Just use declarative languages, and your life will be so much easier. Database App Maybe later. I'm going to get back to coding my web application, which does almost nothing besides SQL queries.

UrFlow

SLIDE 20

Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications

Adam Chlipala OSDI 2010

Beyond Code Injection

1.Injection 2.Cross Site Scripting 3.Broken Authentication and Session Mgmt. 4.Insecure Direct Object References 5.Cross Site Request Forgery 6.Security Misconfiguration 7.Insecure Cryptographic Storage ....

Authentication Snafus

Surprise attack Security Policy

Roads to Security

Resource Attack vector #1 Attack vector #2 Attack vector #3 Audit Audit Audit Information flow: who can learn what Access control: who can change what

Dynamic Checking

Pros

Cons

Static Checking

Pros

Cons

The Best of Both Worlds

UrFlow

analysis

Like Dynamic Checking:

required

programmer-accessible policy language (SQL) Like Security Typing:

statically

A Word About Ur/Web

queryX (SELECT * FROM t) (fn row => <xml><tr> <td>{[row.T.A]}</td> <td>{[row.T.B]}</td> <td>{[row.T.C]}</td> <td>{[row.T.D]}</td> <td><form><submit action={delete row.T.A} value="Delete"/> </form></td> </tr></xml>);

Integrated parsing and type-checking of SQL and HTML

Simple Policies

policy sendClient (SELECT Id, Name FROM Secrets)

Id Name Secret

Secrets

Reasoning About Knowledge

policy sendClient (SELECT * FROM Secrets WHERE known(Code))

Id Name Secret Code

Secrets

What is “known”?

known: “foo” 42 n v (U, P) U P ((42, v), P) (“foo”, n) (42, v)

Multi-Table Policies

policy sendClient (SELECT Secret FROM Secrets, Users WHERE Owner = Users.Id AND known(Password))

Id Name Secret Owner

Secrets

Id Name Password

Users

Understanding SQL Usage

Program Execution

∃ u ∈ Users. u.Id = U ∧ u.Password = P ∀ v. mightSend(v) ⇒ ∃ s ∈ Secrets. s.Owner = U ∧ v = s.Secret known (U, P)

Understanding SQL Usage

∃ u ∈ Users. u.Id = U ∧ u.Password = P ∀ v. mightSend(v) ⇒ ∃ s ∈ Secrets. s.Owner = U ∧ v = s.Secret known (U, P)

∧ ∧

policy sendClient (SELECT Secret FROM Secrets, Users WHERE Owner = Users.Id AND known(Password)) ∀ s ∈ Secrets. ∀ u ∈ Users. s.Owner = u.Id ∧ known(u.Password) ⇒ allowed(s.Secret)

∧

Prove: ∀ v. mightSend(v) ⇒ allowed(v)

UrFlow Sketch

Fancier Policies

policy sendClient (SELECT Body FROM Messages, ACL, Users WHERE ACL.Forum = Messages.Forum AND ACL.User = User.Id AND known(Password) AND Level >= 42)

Forum Body

Messages

Id Password

Users

Forum User Level

ACL

Write Policies

policy mayInsert (SELECT * FROM Secrets AS New, Users WHERE New.Owner = Users.Id AND known(Password) AND known(New.Secret))

Id Name Secret Owner

Secrets

Id Name Password

Users

Case Studies

Progress

UrFlow

Ur/Web Available At:

http://www.impredicative.com/ur/

Including online demos with syntax-highlighted source code