Slide 1
Re-designing the Web's Access Control Systems
Wenliang (Kevin) Du, Associate Professor, Department of Electrical Engineering & Computer Science, Syracuse University
Joint work with Dr. Karthick Jayaraman, Tongbo Luo, Xi Tan, and Dr. Zutao Zhu
Presentation at Microsoft Research, Redmond, 7/28/2011.
Slide 2
Overview
- Access control in the Web
- Our positions on the Web's access control
- Our approaches to improve web security:
  - Escudo: browser-side access control
  - Scuta: server-side access control
  - Database-side access control
Slide 3
The Alarming Situation
[Chart: vulnerabilities of web applications (from WhiteHat Security)]
Slide 4
The Overall Web Architecture
[Diagram: Web Browser <-> Application Server (e.g., PHP, Java Servlet) <-> Database (e.g., MySQL)]
Slide 5
A Web Application Example
Slide 6
Current Access Control Systems
[Diagram of the three tiers and the access control each one relies on]
- Web Browser (HTML page, JavaScript code, static contents): browser access control (SOP)
- Web Application Server (server-side code: PHP, C#, Java Servlet): session + OS access control
- Database (SQL code): DB access control
Slide 7
Same Origin Policy (SOP)
[Diagram: www.gmail.com (Google Mail) and www.microsoft.com, each with its own cookies, DOM tree and JavaScript code; a cross-origin AJAX request between them is shown (this action is now allowed)]
Slide 8
Same-Session Policy
- After authentication, a session is established
- Avoids repetitive authentication
- Session cookies: the authentication token
- Same session, same privileges
Slide 9
Problems of SOP and SSP
- Coarse granularity: all or nothing
- No separation of privileges
- Do we need to separate privileges?
Slide 10
Diversified Protection Needs
[Diagram: one page with regions of different trust. Trusted region: first-party content (AddFriends.php, DeleteFriends.php, ViewFriends.php). Semi-trusted region: first-party content. Untrusted regions: third-party content and advertisements]
Slide 11
The Loss of Trust State
[Diagram: F.php produces an HTML page with a trusted region, a semi-trusted region and an un-trusted region (Button1, Button2, Button3) calling ViewFriends.php, AddFriends.php and DeleteFriends.php; the trusted, semi-trusted and un-trusted data that built the page carry no trust labels in the output]
- Trust state of data gets lost: this led to the Same-Origin Policy.
- Trust status gets lost again: this led to the Same-Session Policy.
Slide 12
Application-Specific Logic
[Diagram: the same three tiers with browser access control (SOP), session + OS access control, and DB access control; application-specific access control sits inside the server-side code between browser-side, server-side and database-side access control]
Slide 13
Inadequate Access Control
- Access control has to be built into program logic
  - Not easy for programmers
  - 83% of web sites have at least one serious vulnerability
- Deploy countermeasures in programs
  - Developers need to be security experts
  - Do we have enough security experts?
  - I am a security expert, and I am afraid of writing web apps.
- Something is fundamentally wrong!
  - Don't blame the developers
  - Blame the Web's security infrastructure
Slide 14
Build Better Access Control
[Diagram: the three tiers again, with a better access control system at each tier (browser-side, server-side, database-side) replacing application-specific access control in the server-side code]
Slide 15
The Benefit
- Developers' security efforts are reduced
  - They only need to configure
  - Enforcement is done by the system
- Configuration, compared to implementation:
  - Much easier to do
  - Requires less security expertise
  - Less error prone
  - Easier to verify
[Saltzer and Schroeder 1975]: 8 design principles for building protection systems:
- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability
Slide 18
Key Security Principles
- Separation of privilege
  - Partitioning access permissions
  - Example: root vs. ordinary user account
  - SOP & SSP: privileges are not separated
- Principle of least privilege
  - A program must have no more privileges than necessary for its legitimate purpose
  - SOP & SSP: do not support this principle
Slide 19
Requirements on the New Model
- Finer granularity
- Reflect the nature of trust: multi-level, multi-lateral, etc.
- Consider the protection needs
- Backward compatible
- Well vetted: creativity is probably the enemy here.
Slide 20
Final Choice: the Ring Model
- Subjects and objects are labeled with rings
- Widely used model: operating systems, etc.
Slide 21
Hierarchy
[Diagram: the ring hierarchy]
Slide 22
Ring-Based Access Control for the Web
[Diagram: rings 0, 1, 2 applied across all three tiers. Browser: Escudo + SOP, with JavaScript code, URLs and form submits labeled Ring = 0, Ring = 1, Ring = 2. Application server: Scuta + Session, with A.php, B.php, C.php, D.php placed in rings 0, 1, 2. Database: Scuta, with TableA, TableB, TableC placed in rings 0, 1, 2]
Slide 23
Escudo: Shield in Portuguese
Slide 24
Example: HTML Encoding
Slide 25
Policy Integrity
- Scoping rule: a div tag's principal ring is the lower bound for all its children
- Node-splitting: use a tag (or nonce) to prevent malicious code from closing a region and opening a new, more privileged one
Slide 26
Backward Compatibility
- Escudo browsers with non-Escudo applications: all principals and objects belong to the same ring, mimicking the same-origin policy
- Escudo applications with non-Escudo browsers: the configuration is ignored; the application still executes (no security)
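The following Python model of the browser-side rules is an added example, not Escudo's code: the attribute names `ring` and `nonce`, the `Node` class, `label_tree`, `can_access` and the sample page are all assumptions of this example. It labels a DOM tree according to the scoping rule, ignores ring declarations that do not carry the page nonce (the node-splitting defence), leaves an unlabelled page entirely in ring 0 (the backward-compatible, same-origin behaviour), and then checks whether a script in the ring the deck assigns to other users' comments can reach the session cookie in ring 0.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The deck uses rings 0..2; ring 0 is the most privileged ring.


@dataclass
class Node:
    """A DOM element in this model. The attributes `ring` and `nonce` stand in
    for Escudo's HTML encoding, whose exact attribute names are not on the slides."""
    tag: str
    ring: Optional[int] = None        # declared ring; None = inherit from the parent
    nonce: Optional[str] = None       # must equal the page nonce for a declaration to count
    text: str = ""
    children: List["Node"] = field(default_factory=list)
    effective: Optional[int] = None   # ring assigned by label_tree()


class PolicyIntegrityError(Exception):
    """A nonce-authenticated declaration tried to escape its enclosing ring."""


def label_tree(node: Node, page_nonce: str, parent_ring: int = 0) -> None:
    """Assign an effective ring to every node, enforcing the two policy-integrity rules.

    Scoping rule: a div's ring is the lower bound for all of its children, so even an
    authenticated child may only declare a ring >= the ring it sits in.
    Node-splitting: a declaration that does not carry the page's secret nonce is not
    trusted, so injected content that closes a region and opens a "ring 0" one just
    inherits the ring of the region it was injected into.
    A page with no declarations at all ends up entirely in ring 0, which is the
    same-origin behaviour a non-Escudo application gets (backward compatibility).
    """
    if node.ring is None or node.nonce != page_nonce:
        node.effective = parent_ring
    elif node.ring < parent_ring:
        raise PolicyIntegrityError(
            f"<{node.tag}> declares ring {node.ring} inside ring {parent_ring}")
    else:
        node.effective = node.ring
    for child in node.children:
        label_tree(child, page_nonce, node.effective)


def can_access(subject_ring: int, object_ring: int) -> bool:
    """A subject may access an object only if it is at least as privileged (numerically <=)."""
    return subject_ring <= object_ring


def scripts_with_rings(node: Node) -> List[Tuple[str, int]]:
    """Every <script> in the tree together with the ring it will run in."""
    found = [(node.text, node.effective)] if node.tag == "script" else []
    for child in node.children:
        found.extend(scripts_with_rings(child))
    return found


def sample_page(page_nonce: str) -> Node:
    """Constructed page: first-party content in ring 0, content readable by ads in
    ring 1, other users' comments in ring 2 (the layout the deck uses against XSS)."""
    return Node("body", ring=0, nonce=page_nonce, children=[
        Node("div", ring=0, nonce=page_nonce,
             children=[Node("script", text="first-party")]),
        Node("div", ring=1, nonce=page_nonce,
             children=[Node("p", text="profile summary readable by ads")]),
        Node("div", ring=2, nonce=page_nonce, children=[
            Node("p", text="a visitor's comment"),
            # untrusted comment content that declares its own ring-0 region; it
            # cannot know the page nonce, so the declaration is ignored
            Node("div", ring=0, nonce="guessed",
                 children=[Node("script", text="comment-script")]),
        ]),
    ])


def demo() -> dict:
    page_nonce = "constructed-page-nonce"   # a real page would use a fresh random nonce per response
    page = sample_page(page_nonce)
    label_tree(page, page_nonce)
    ring_of = dict(scripts_with_rings(page))
    session_cookie_ring = 0                  # the session cookie lives in ring 0
    return {
        "first_party_ring": ring_of["first-party"],
        "comment_script_ring": ring_of["comment-script"],
        "comment_script_reads_cookie": can_access(ring_of["comment-script"], session_cookie_ring),
        "first_party_reads_comments": can_access(ring_of["first-party"], 2),
    }


if __name__ == "__main__":
    print(demo())
```

A forged declaration is demoted rather than rejected, so untrusted content can never raise its own privilege, while a declaration that carries the real nonce but points below its parent is a policy-integrity error: only the application's own markup can make that mistake, and it should fail loudly at page-labelling time.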
Slide 27
Scuta: Roman Shield
[Diagram: the three-tier ring diagram again; Escudo + SOP covers the browser, and Scuta + Session fills the gap on the application server and database]
Fill the gap
Slide 28
Scuta: Subsession
[Diagram: browser side and server side. The server-side session (SID) is split into subsessions SubSID_0, SubSID_1, SubSID_2 for rings 0, 1, 2. A ring-0 page of F.php holds the cookies SubSID_0, SubSID_1, SubSID_2, SID; a ring-2 page of F.php holds only SubSID_2, SID. JavaScript in either ring calls the F.php URL, and the server identifies the subsession (0 or 2) from the cookies presented]
Slide 29
Scuta's Basic Access Control
[Diagram: browser-side JavaScript code, URLs and submits in Ring = 0, 1, 2 reach A.php, B.php, C.php, D.php on the application server, which are placed in rings 0, 1, 2]
Slide 30
Scuta: More Flexible Policy Support
Discretionary security policies, selected on the request's subsession:
    switch (session_esubsid()) {
        case 0: /* Do Task A */ break;
        case 1: /* Do Task B */ break;
        case 2: /* Do Task C */ break;
    }
Slide 31
Scuta: Gates
[Diagram: a gate leading from Ring 2 through Ring 1 into Ring 0]
- Exceptions are inevitable
- Like system calls: provide controlled access
- Example, DB modification: Ring 0. Allow Ring 3 to modify the DB in a controlled way.
Another Gap
[Diagram: A.php, B.php, C.php, D.php in rings 0, 1, 2 on the application server all reach TableA, TableB, TableC in the database through a single account, dbuser]
Slide 34
Fill the Gap
[Diagram: the same layout, but each ring connects to the database as its own account: dbuser_0, dbuser_1, dbuser_2]
Slide 35
Place Data in Rings
- Use the GRANT command
- Fine granularity on tables, columns, and operations
- Examples:
    GRANT ALL ON TableA TO dbuser_0
    GRANT ALL ON TableB TO dbuser_1
    GRANT ALL (Profile, Name) ON TableC TO dbuser_1
    GRANT SELECT (Profile) ON TableC TO dbuser_2
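The server side of the subsession, switch and dbuser slides, as an added Python model that is not Scuta's own code. Only the cookie names SID and SubSID_k, the rings 0..2, the one-task-per-subsession policy and the dbuser_0..dbuser_2 accounts come from the deck; the in-memory session store, `login`, `cookies_visible_to`, `ring_of_request` and `handle_request` are assumptions of this example. It issues one subsession token per ring at login, shows which cookies a page in a given ring can present, derives the request's ring from the most privileged valid token it carries, and picks the task and the database account for that ring.

```python
import hmac
import secrets
from typing import Dict, Optional

RINGS = (0, 1, 2)           # ring 0 is the most privileged ring
LEAST_PRIVILEGED = 2

# Server-side session store, in memory for the example: SID -> session record.
SESSIONS: Dict[str, dict] = {}


def login(user: str) -> Dict[str, str]:
    """Create a session plus one subsession token per ring; returns the cookies to set."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user,
                     "subsids": {ring: secrets.token_urlsafe(16) for ring in RINGS}}
    cookies = {"SID": sid}
    for ring, token in SESSIONS[sid]["subsids"].items():
        cookies[f"SubSID_{ring}"] = token
    return cookies


def cookies_visible_to(cookies: Dict[str, str], page_ring: int) -> Dict[str, str]:
    """What a page running in `page_ring` can read under the browser-side ring rule:
    SID plus the subsession cookies of its own ring and of less privileged rings.
    (A ring-2 page therefore carries only SubSID_2 and SID, as on the slide.)"""
    visible = {"SID": cookies["SID"]}
    for ring in RINGS:
        if ring >= page_ring:
            visible[f"SubSID_{ring}"] = cookies[f"SubSID_{ring}"]
    return visible


def ring_of_request(cookies: Dict[str, str]) -> Optional[int]:
    """Scuta's basic access control: the request runs in the most privileged ring
    whose subsession token it presents. No valid SID -> None (not logged in);
    a valid SID with no valid subsession -> the least privileged ring (fail-safe)."""
    session = SESSIONS.get(cookies.get("SID", ""))
    if session is None:
        return None
    for ring in RINGS:
        presented = cookies.get(f"SubSID_{ring}", "")
        if hmac.compare_digest(presented, session["subsids"][ring]):
            return ring
    return LEAST_PRIVILEGED


# Discretionary policy from the switch on the slide: one task per subsession.
TASK_FOR_RING = {0: "task A", 1: "task B", 2: "task C"}

# Database-side rings: each ring connects as its own account, so the GRANTs on
# TableA/TableB/TableC, not application code, bound what a request can touch.
DB_USER_FOR_RING = {ring: f"dbuser_{ring}" for ring in RINGS}


def handle_request(cookies: Dict[str, str]) -> dict:
    """Dispatch a request the way the F.php switch does, based on its subsession."""
    ring = ring_of_request(cookies)
    if ring is None:
        return {"status": "login required"}
    return {"status": "ok", "user": SESSIONS[cookies["SID"]]["user"], "ring": ring,
            "task": TASK_FOR_RING[ring], "db_user": DB_USER_FOR_RING[ring]}


if __name__ == "__main__":
    all_cookies = login("alice")
    for page_ring in RINGS:
        print(page_ring, handle_request(cookies_visible_to(all_cookies, page_ring)))
```

Two details matter for the model to hold: tokens are compared with a constant-time comparison, and a request that presents a valid SID but no valid SubSID lands in ring 2 rather than being refused, which is the fail-safe default the deck's design principles call for. Gates are not modelled here; in this layout they would be the only way for a ring-2 request to cause a write that dbuser_2 is not granted.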
Defeating XSS Attacks with Escudo
[Diagram: first-party contents (trustworthy) in Ring 0; first-party contents readable by ads in Ring 1; other users' comments (untrusted) in Ring 2; the session cookie is in Ring 0]
Secure Client-Side Extensions
[Diagram: Rings 0, 1, 2 on the browser side; a 3rd-party client-side extension and the page functions Display(), Modify() and Renew() are placed in different rings]
Slide 41
Server-Side Extensions
- Server-side code written by 3rd parties
  - Elgg has hundreds of such extensions
  - An app model
- Problematic server-side extensions
  - Malicious
  - Vulnerable: the SQL injection case
Slide 42
Secure Server-Side Extensions
[Diagram: Rings 0, 1, 2 on the server side; trustworthy server-side extensions in a more privileged ring, not-so-trustworthy server-side extensions in a less privileged ring]
Slide 43
Cross-Site Requests (non-Ajax)
[Diagram: the user's browser is browsing Facebook.com; a cross-site request (e.g. Delete Friends) to Facebook.com carries the session ID]
Slide 44
Secure Cross-Site Requests
[Diagram: Facebook's Scuta configuration with Rings 0, 1, 2; cross-site requests are mapped to the least privileged ring]
Slide 45
Cross-Site Ajax Request
- Security policy: not allowed in the past, allowed now
- Access control model: the new Origin header, white lists
- Problems: Origin is too coarse-grained. A trusts B does not mean A trusts the ads on B's page. (Case 2)
Slide 46
Secure Cross-Site Ajax Requests
[Diagram (Case 2): the server's Scuta configuration (Rings 0, 1, 2) and the browser's Escudo configuration (Rings 0, 1, 2), connected by an origin-based ring mapping]
Slide 47
Summary
- The Web is becoming part of the infrastructure
  - It should not be treated as yet another application
  - Need more systems thinking for security
- Web security is a major problem
  - All web applications need to think about security
  - Good system support partially frees developers, so they can focus more on application logic
- We are working on developing such system support
  - Browser-side support
  - Server-side support
  - Database-side support