
Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich (Stanford University, MIT), USENIX Security '09






Presentation Transcript


  1. Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications • Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich • Stanford University, MIT • USENIX Security '09

  2. Outline 1. Introduction 2. Web Application Security Architecture 3. Authentication Inference 4. Authorization Enforcement 5. Implementation 6. Experimental Results 7. Conclusion

  3. 1. Introduction • Each web application implements its own authentication and access control in application code • The file system and database layers execute every operation with the privileges of the web application, not of the logged-in user, so a missing check in the application is not caught by the layers below it • No existing defensive tool automatically prevents authentication or access control bypass

  4. Nemesis • Modifies the language interpreter and its runtime libraries, not the application • Shadow authentication: the runtime independently tracks which user has logged in • Uses taint tracking: tag data, follow it through string operations, and watch string comparisons and I/O • The behaviour of the application does not have to be modified

  5. 2. Web Application Security Architecture • Authentication: the application reads credentials from user input, performs its own authentication check against stored credentials, and once the user is validated creates a login session (cookie or session file) • Access control: on each request the application decides whether the current user may perform the requested server-side operation • Access control attacks: the attacker gets the application to execute server-side operations (file or database access) that the user is not authorized to perform

  6. 3. Authentication Inference • Goal: infer when the application has authenticated a user, without changing the application • A shadow authentication system tracks this state in parallel with the application's own session, and ensures the authentication steps actually happened • The developer provides a small annotation: where usernames and passwords are stored • Alternatively, an external authentication function can be annotated so that its success counts as a login

  7. Dynamic Information Flow Tracking • DIFT attaches a tag to each data item • Two tag bits: "credential" and "user input" • Taint propagation is performed inside the language interpreter • Propagation rule: if any source operand of an operation is tagged, the destination is tagged

  8. Two taint tag bits • "credential" bit: the data item represents a known-good password or other credential, read from the annotated credential store • "user input" bit: the data item was supplied by the client as part of the HTTP request • Nemesis propagates both bits through all operations

  9. Nemesis overview • ACL enforcement: • Intercept file I/O operations to enforce file ACLs • Intercept and rewrite SQL queries to enforce database ACLs • DIFT: • Two tag bits per object to track credentials and user input • Tag propagation on all operations • Automatic inference of authentication checks

  10. Creating a New Login Session • Authentication is inferred when data tagged "user input" is compared with data tagged "credential" • using the interpreter's string (in)equality operators • and the comparison finds them equal: the password submitted by the user matches the one stored in the password database • At that point the shadow authentication system records the candidate user as logged in • An annotated external authentication function returning success is treated the same way
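How the two tag bits and the modified comparison operator combine into an inferred login, as an added example. This is a Python model written for this page, not code from the Nemesis paper or its PHP prototype; `Tagged`, `ShadowAuth`, the `load_credential` hook that stands in for the developer's "where credentials live" annotation, and the sample passwords are all assumptions.

```python
"""Model of Nemesis-style authentication inference (added illustration).

Not code from the paper or its PHP prototype: a Python stand-in for the two
per-value tag bits, their propagation through string operations, and the
modified equality operator that infers a login. Names and the hook that
stands in for the developer's "where credentials live" annotation are
assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

CREDENTIAL = 1 << 0   # value is a known-good password or other credential
USER_INPUT = 1 << 1   # value arrived in the HTTP request


@dataclass(frozen=True)
class Tagged:
    """A string plus its tag bits (stands in for a PHP zval with spare bits)."""
    value: str
    tags: int = 0

    def __add__(self, other):
        # Propagation rule: the destination carries the union of the sources' tags.
        other = other if isinstance(other, Tagged) else Tagged(str(other))
        return Tagged(self.value + other.value, self.tags | other.tags)

    def strip(self):
        return Tagged(self.value.strip(), self.tags)

    def substr(self, start, length=None):
        end = None if length is None else start + length
        return Tagged(self.value[start:end], self.tags)


def request_param(raw):
    """Everything read from the HTTP request enters with the user-input bit set."""
    return Tagged(raw, USER_INPUT)


def hash_md5(t):
    """A library call tags propagate through: the digest of tagged input is tagged.
    This is what keeps inference working when the store holds password hashes."""
    return Tagged(hashlib.md5(t.value.encode()).hexdigest(), t.tags)


class ShadowAuth:
    """Shadow authentication state the modified interpreter keeps per request."""

    def __init__(self):
        self.candidate_user: Optional[str] = None
        self.authenticated_user: Optional[str] = None

    def load_credential(self, username, stored_secret):
        """Hypothetical hook for the annotated credential store: the fetched secret
        gets the credential bit and the username it belongs to becomes the candidate."""
        self.candidate_user = username
        return Tagged(stored_secret, CREDENTIAL)

    def string_equal(self, a, b):
        """The modified '==': compare as usual, then infer a login on a tagged match."""
        equal = a.value == b.value
        cred_vs_input = bool(
            (a.tags & CREDENTIAL and b.tags & USER_INPUT)
            or (b.tags & CREDENTIAL and a.tags & USER_INPUT)
        )
        if equal and cred_vs_input and self.candidate_user is not None:
            self.authenticated_user = self.candidate_user
        return equal


def run_login(stored_password, submitted_password, hashed=False, username="alice"):
    """The login flow as an application writes it; the runtime does the inferring.
    Returns (comparison result, shadow-authenticated user or None)."""
    auth = ShadowAuth()
    stored_secret = hashlib.md5(stored_password.encode()).hexdigest() if hashed else stored_password
    stored = auth.load_credential(username, stored_secret)   # read from the password DB
    submitted = request_param(submitted_password).strip()    # read from $_POST
    if hashed:
        submitted = hash_md5(submitted)                       # app hashes before comparing
    ok = auth.string_equal(stored, submitted)
    return ok, auth.authenticated_user


def constant_compare_does_not_login():
    """Matching user input against a program constant ('admin') is not a login:
    neither operand carries the credential bit, so no inference fires."""
    auth = ShadowAuth()
    auth.candidate_user = "alice"
    ok = auth.string_equal(Tagged("admin"), request_param("admin"))
    return ok, auth.authenticated_user


if __name__ == "__main__":
    print(run_login("s3cret", "s3cret"))                 # (True, 'alice')
    print(run_login("s3cret", "wrong"))                  # (False, None)
    print(run_login("s3cret", "s3cret", hashed=True))    # (True, 'alice')
    print(constant_compare_does_not_login())             # (True, None)
```

The point of the last case is the one practitioners most often miss: inference depends on the stored credential carrying its bit, which is exactly what the developer annotation provides. A match between user input and an untagged constant, or between two user-input values, is just a string comparison and never creates a shadow login.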

  11. Keeping the Login Session • Nemesis does not rely on the application's session management; it uses an entirely separate session management framework • Shadow cookie: carries the shadow-authenticated username, authenticated with a private key held only by the server (a keyed MAC), so the client cannot forge or alter it

  12. 4. Authorization Enforcement • Access control rules are expressed as access control lists (ACLs) • The developer supplies ACLs for files, directories, and the database • ACL check on each operation: is the current shadow-authenticated user permitted to execute it?

  13. Restricting access to a file, directory or database • Little programmer effort required: write the ACL, leave the application code alone • Enforcement happens by intercepting the I/O operation in the runtime and consulting the ACL

  14. Against SQL injection • Nemesis rewrites the SQL query to enforce the database ACL, so it must be able to tell user data from SQL syntax • A third tag bit in the zval denotes user input that may be interpreted as a SQL keyword or operator • SQL quoting functions clear this tag bit • e.g. mysql_real_escape_string()
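The two enforcement points of slides 12 to 14, as an added example: a developer-supplied file ACL consulted when the runtime intercepts a file open, and a third tag bit on user input that the quoting function clears and that the query interceptor refuses to let through where it would be parsed as SQL. This is a Python model written for this page, not Nemesis code; the ACL format, default-deny for unlisted paths, per-character tag granularity and all function names (`fopen_checked`, `mysql_query_checked`, `real_escape_string`) are assumptions, and the sample ACL and queries are constructed.

```python
"""Model of Nemesis authorization enforcement (added illustration, not its code).

A developer-supplied file/directory ACL checked on intercepted file opens, and
a third, per-character tag bit on user input ("may be read as SQL syntax") that
the escaping function clears and that the query interceptor refuses to pass to
the database outside a string literal. ACL format, default-deny for unlisted
paths, per-character granularity and all function names are assumptions.
"""
import posixpath

USER_INPUT = 1 << 1
SQL_SYNTAX = 1 << 2          # the slides' third bit

# Developer-supplied ACL (assumed format): exact file or directory prefix -> users.
FILE_ACL = {
    "/var/www/app/config.php": {"admin"},
    "/var/www/app/uploads/": {"admin", "alice", "bob"},
    "/var/www/app/admin/": {"admin"},
}


class AccessDenied(Exception):
    pass


def acl_allows(path, user, acl=FILE_ACL):
    """Longest-match lookup on the normalised path, so 'uploads/../config.php'
    is judged as config.php. Unlisted paths are denied (assumption)."""
    norm = posixpath.normpath(path)
    match = None
    for entry, users in acl.items():
        entry_norm = posixpath.normpath(entry)
        if entry.endswith("/"):
            covers = norm == entry_norm or norm.startswith(entry_norm + "/")
        else:
            covers = norm == entry_norm
        if covers and (match is None or len(entry_norm) > len(match[0])):
            match = (entry_norm, users)
    return match is not None and user in match[1]


def fopen_checked(path, shadow_user, acl=FILE_ACL):
    """Stand-in for the intercepted fopen(): the ACL is checked against the
    shadow-authenticated user, not against whatever the application believes."""
    if shadow_user is None or not acl_allows(path, shadow_user, acl):
        raise AccessDenied(f"{shadow_user!r} may not open {path}")
    return posixpath.normpath(path)


class TStr:
    """String with one tag per character (finer than a whole-value tag)."""

    def __init__(self, text, tags=None):
        self.text = text
        self.tags = tags if tags is not None else [0] * len(text)

    def __add__(self, other):
        if not isinstance(other, TStr):
            other = TStr(other)           # program literal: untainted
        return TStr(self.text + other.text, self.tags + other.tags)


def request_param(raw):
    """Request data: user input that could also be read as SQL syntax."""
    return TStr(raw, [USER_INPUT | SQL_SYNTAX] * len(raw))


def real_escape_string(s):
    """Models mysql_real_escape_string(): backslash-escape quote characters and
    clear the SQL_SYNTAX bit; the inserted backslash inherits the input's tags."""
    text, tags = [], []
    for ch, tag in zip(s.text, s.tags):
        if ch in "\\'\"":
            text.append("\\" + ch)
            tags.extend([tag & ~SQL_SYNTAX] * 2)
        else:
            text.append(ch)
            tags.append(tag & ~SQL_SYNTAX)
    return TStr("".join(text), tags)


def mysql_query_checked(q):
    """Intercepted mysql_query(): refuse the query if a SQL_SYNTAX-tagged character
    sits where the parser would read it as syntax (outside a quoted literal)."""
    in_quote, i = False, 0
    while i < len(q.text):
        ch = q.text[i]
        if in_quote and ch == "\\":           # escaped character inside a literal
            i += 2
            continue
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and q.tags[i] & SQL_SYNTAX:
            raise AccessDenied(f"user input at offset {i} would be parsed as SQL")
        i += 1
    return q.text


def lookup_user(name_param, escape=True):
    """The query as the application builds it, with or without the quoting call."""
    value = real_escape_string(name_param) if escape else name_param
    return mysql_query_checked(TStr("SELECT * FROM users WHERE name = '") + value + "'")
```

Two caveats follow from the model. First, the file check is only as good as the path normalisation in front of it: a prefix ACL compared against the raw string would let `uploads/../config.php` through. Second, the query check rejects any unescaped user input outside quotes, which includes legitimate numeric contexts such as `WHERE id = ` plus the parameter; a cast to integer would have to clear the bit the way the quoting function does (an assumption of this model, not something the slides state).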

  15. 5. Implementation • Prototype built by modifying the PHP interpreter • Tags live in the zval, PHP's value structure • Due to alignment restrictions the zval structure has a few unused bits, so the tag bits fit without enlarging it

  16. Tag Initialization • Any input arriving with the HTTP request is tagged with the "user input" bit • When a password is read from the annotated credential store, a global variable records the candidate username associated with that password • After a successful inferred comparison the shadow authentication system uses this candidate username to initialize the shadow cookie • The cookie is sent with setcookie()

  17. Password Comparison: Authentication Inference • Implemented by modifying the PHP interpreter's string comparison operators • After each comparison, check whether the two string operands were determined to be equal • If they are equal and one operand carries "credential" while the other carries "user input", authentication succeeds for the candidate user

  18. Authentication check (who is the current shadow user?) • First check the global variable that holds the current shadow-authenticated user for this request • If it is not set, check whether shadow authentication information is stored in the current session file • Otherwise extract and verify the shadow authentication cookie
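The shadow session of slides 11, 16 and 18 in one piece, as an added example: a shadow cookie carrying the username under an HMAC with a server-side key, and the three-step lookup (per-request global, then session file, then cookie). This is a Python model written for this page, not the paper's code; the cookie name, the key, the `user:mac` layout, the use of HMAC-SHA256, and the dict standing in for a PHP session file are assumptions.

```python
"""Model of the Nemesis shadow session (added illustration, not the paper's code).

A shadow cookie carrying the username under an HMAC with a server-side key,
and the three-step lookup: per-request global, then the PHP session file, then
the cookie. Cookie name, key, the "user:mac" layout and the dict standing in
for a session file are assumptions.
"""
import hashlib
import hmac

SHADOW_COOKIE = "NEMESIS_SHADOW"                         # assumed cookie name
SERVER_KEY = b"per-server-secret-never-sent-to-client"  # assumed; generated at install


def make_shadow_cookie(username, key=SERVER_KEY):
    """username:HMAC-SHA256(key, username). Forging one requires the server key."""
    mac = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}:{mac}"


def verify_shadow_cookie(cookie, key=SERVER_KEY):
    """Return the username if the MAC verifies, else None (forged, altered or absent)."""
    if not cookie or ":" not in cookie:
        return None
    username, mac = cookie.rsplit(":", 1)
    expected = hmac.new(key, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


class ShadowSession:
    """Shadow authentication state for one request, backed by a session store."""

    def __init__(self, session_store):
        self.current_user = None          # the global variable of slide 18
        self.store = session_store        # dict standing in for the PHP session file

    def on_login_inferred(self, username, response_cookies):
        """Called by the runtime when a credential/user-input comparison succeeds."""
        self.current_user = username
        self.store["nemesis_user"] = username
        response_cookies[SHADOW_COOKIE] = make_shadow_cookie(username)  # setcookie()

    def authenticated_user(self, request_cookies):
        """Who is shadow-authenticated right now? Consulted before every ACL decision."""
        if self.current_user is not None:                 # 1. global set this request
            return self.current_user
        if "nemesis_user" in self.store:                   # 2. session file
            self.current_user = self.store["nemesis_user"]
            return self.current_user
        self.current_user = verify_shadow_cookie(          # 3. cookie, after MAC check
            request_cookies.get(SHADOW_COOKIE))
        return self.current_user


def bypass_attempt(app_cookie_user="admin"):
    """An authentication bypass in the application sets its own cookie to 'admin';
    the shadow session never saw a credential comparison, so it answers None."""
    request_cookies = {"app_user": app_cookie_user}       # the application's cookie
    return ShadowSession({}).authenticated_user(request_cookies)
```

The reason this closes the bypass class is visible in `bypass_attempt`: however the application was tricked into believing a user is logged in, the ACL checks ask the shadow session, and the only ways to become shadow-authenticated are an inferred credential match or a cookie carrying a MAC only the server can compute. In a real deployment the MAC would also cover a session identifier and an expiry so that a leaked cookie cannot be replayed indefinitely; that is a hardening choice beyond what the slides describe.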

  19. Access control check • On each file access, the current shadow-authenticated user is checked against the list of files the ACL allows that user to access • In the prototype these checks were inserted manually into the applications, based on the ACL

  20. 6. Experimental Results

  21. Results • Authentication bypass: the attacker's session has no shadow authentication, so the shadow authentication state is not affected and the protected operations are denied • Example: an installation script that would reset the administrator password is restricted by the ACL

  22. 7. Conclusion • A novel methodology for preventing authentication and access control bypass in web applications • Shadow authentication system: tracks user authentication state in the runtime, carried by an additional HTTP cookie • Programmers specify ACLs for files, directories and database resources • Little effort (< 100 LoC per application)
