Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich
MIT and Stanford University. USENIX ’09
Nemesis: Preventing Authentication & Access
Control Vulnerabilities in Web Applications
Outline
1. Introduction
2. Web Application Security Architecture
3. Authentication Inference
4. Authorization Enforcement
5. Implementation
6. Experimental Results
7. Conclusion
1. Introduction
• A web application deploys its own authentication & access control
• The FS & DB layers perform operations with the privileges of the web application
– Not those of the user
• No defensive tools exist to automatically prevent these vulnerabilities
• Nemesis
• Modifies the library and interpreter
– shadow authentication
– taint: track the flow of data through string comparisons & I/O
• Does not require the behavior of the application to be modified
2. Web Application Security Architecture
• Authentication:
– takes user input
– performs an authentication check
– once validated, creates a login session for the user
• Access control attacks: execute server-side operations which the user might not be authorized to perform
3. Authentication Inference
• Infer when authentication has occurred
• Shadow authentication system
– ensures the authentication steps were actually taken
• Requires the developer to provide “annotations”
– where the password and username are stored
– whether an external authentication function is used
Dynamic Information Flow Tracking
• DIFT tags each data item
– “credential” taint bit
– “user input” taint bit
• Taint propagation is performed in the language interpreter
– if a source operand is tainted, the destination is tainted
2 taint tag bits
• “credential” taint bit: the data item represents a known-good password or other credential
• “user input” taint bit: the data item was supplied by the user as part of the HTTP request
• Nemesis propagates both taint bits
Nemesis
• ACL enforcement:
– Intercept I/O operations to enforce file ACLs
– Intercept and rewrite SQL queries to enforce DB ACLs
• DIFT:
– 2 tag bits per object to track credentials and user-input taint
– Tag propagation on all operations
– Automatic inference of authentication checks
Creating a New Login Session
• Data tagged as “user input” is compared to data tagged as “credential”
• using the string (in)equality operators
• The user-input password matches the one stored in the password DB
• Infer user authentication
• auth function
Keeping the Login Session
• Uses an entirely separate session management framework
• Shadow cookie: protected with a private key
4. Authorization Enforcement
• Access control lists (ACLs)
• The developer supplies ACLs for files, directories, & the DB
• ACL check: the current shadow-authenticated user is permitted to execute the operation
• Restricts access to files, directories, or the DB
• Little programmer effort required
• Intercepts the I/O operation
Against SQL injection (too)
• Rewrite the SQL query & add a 3rd tag bit to the zval
• Denotes user input that may be interpreted as a SQL keyword or operator
• SQL quoting functions clear this tag bit
– mysql_real_escape_string()
5. Implementation
• A prototype of Nemesis is implemented by modifying the PHP interpreter
• Tags are stored in the zval
• Due to alignment restrictions, the zval structure has a few unused bits
Tag Initialization
• Any request input is tainted with the ‘user input’ bit
• A global variable stores the candidate username associated with the password being checked
• The shadow authentication system uses this candidate username to initialize the shadow cookie
• setcookie()
Password Comparison Authentication Inference
• Performed by modifying the PHP interpreter’s string comparison operators
• Check whether the two string operands were found to be equal
• If equal & A is tagged “credential”, B is tagged “user input”: authentication succeeds
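As an added illustration of the two tag bits, their propagation, the comparison-based inference described on this slide and the DIFT slides above, and the third SQL tag bit, here is a small Python model written for this page; it is not code from Nemesis or the paper (the real prototype is a C modification of the PHP interpreter), and the names Tagged, ShadowAuth, login and acl_allows are this model's own assumptions:

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Tagged:
    """A PHP string plus the per-object tag bits Nemesis stores in the zval."""
    value: str
    credential: bool = False   # known-good password from the password store
    user_input: bool = False   # arrived as part of the HTTP request
    sql_keyword: bool = False  # user input that could be read as SQL syntax

    def __add__(self, other):
        # Tag propagation: if any source operand is tainted, the result is tainted.
        return Tagged(self.value + other.value,
                      self.credential or other.credential,
                      self.user_input or other.user_input,
                      self.sql_keyword or other.sql_keyword)

def escape_sql(t):
    # Models a quoting function like mysql_real_escape_string(): the value is
    # escaped and the sql_keyword bit cleared, while the user_input bit survives.
    return replace(t, value=t.value.replace("'", "\\'"), sql_keyword=False)

class ShadowAuth:
    """Shadow authentication state kept by the modified interpreter."""
    def __init__(self):
        self.user = None       # current shadow-authenticated user (None = anonymous)
        self.candidate = None  # username the password being checked belongs to

    def string_equal(self, a, b):
        # Modified string (in)equality operator: a successful comparison between a
        # "credential"-tagged operand and a "user input"-tagged operand is the
        # inferred authentication check, so the candidate user becomes logged in.
        equal = a.value == b.value
        if equal and ((a.credential and b.user_input) or (b.credential and a.user_input)):
            self.user = self.candidate
        return equal

def login(auth, username, password, password_db):
    # password_db models the annotated password table (constructed sample data);
    # request data enters the interpreter tagged user_input (and sql_keyword).
    if username not in password_db:
        return False
    auth.candidate = username
    stored = Tagged(password_db[username], credential=True)
    submitted = Tagged(password, user_input=True, sql_keyword=True)
    return auth.string_equal(stored, submitted)

def acl_allows(auth, resource, acl):
    # ACL check on an intercepted file or DB operation, keyed on the shadow user:
    # an application-level "logged in" flag alone cannot grant access.
    return auth.user is not None and auth.user in acl.get(resource, set())
```

A comparison of two untainted strings, or of a credential against anything not derived from the request, never changes the shadow user, which is what keeps an application-level authentication bug from affecting the shadow state.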
Authentication check
• Check the global variable that indicates the current shadow-authenticated user
• If not set: check whether shadow authentication information is stored in the current session file
• Otherwise, check (extract) the shadow authentication cookie
Access control check
• Checks the current authenticated user against a list of accessible files on each file access
• These checks were manually inserted into the applications based on the ACL
6. Experimental Results
• Authentication bypass: shadow authentication is not affected
• Installation script that would reset the administrator password: restricted by the ACL
7. Conclusion
• Novel methodology for preventing authentication & access control bypass
• Shadow authentication system: tracks user authentication state via an additional HTTP cookie
• Programmers can specify ACLs
• Little effort (< 100 LoC)