320 likes | 443 Views
Swift: Secure Web Applications via Automatic Partitioning. Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell University SOSP 2007 (October 15) Speaker: K. Vikram. S plitting W ebapps via I nformation F low T ypes.
E N D
Swift: Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell University SOSP 2007 (October 15) Speaker: K. Vikram Splitting Webapps via Information Flow Types
Can we make web applications secure? • Ubiquitous, important, yet insecure • 61% of Internet vulnerabilities affect webapps* • Cross-site scripting, SQL injection, Information Leakage, etc. • Development methods lack security reasoning • Distributed system in multiple languages • Client: CSS, XHTML, JavaScript, Flash • Server: PHP, ASP, Ruby, SQL • Ajax/Web 2.0: Complex JavaScript UIs generating HTTP requests *Symantec Internet Security Threat Report 2007
Swift source code Compiler Partitioner Javascript client code Swift* • Make interactive web applications secure and easier to write • Easier to Write • One program (in one general purpose language) automatically split by the compiler • Security by construction • Rich security policies as declarative annotations • Interactivity • Finding an optimal split for performance Java server code *Splitting Webapps via Information Flow Types
Take a Guess! (You have 3 chances) The Guess-the-Number Game Random number between 1 and 10 Secret Number: 7 Tries: 3 K.Vikram Swift Cornell University
The Guess-the-Number Game Bounds Check Compare Guess Secret Number: 7 6 Tries: 3 Tries: 1 Tries: 2 Tries: 0 Try Again 12 Out of range 4 Take a Guess! Try Again 7 (You have 3 chances) (You have 1 chance) (You have 2 chances) You win $500 You win $500 K.Vikram Swift Cornell University
Bounds Check Compare Guess The Guess-the-Number Game Confidentiality Requirement Secret Number: 7 Tries: 10 Tries: 3 Integrity Requirement Buggy or malicious Trusted I win $500 Take a Guess! 7 6 2 4 3 1 7 5 Integrity Requirement (You have 3 chances) You win $500 K.Vikram Swift Cornell University
The Guess-the-Number Game Bounds Check Bounds Check Compare Guess Secret Number: 7 A secure optimal split Tries: 3 Tries: 3 Take a Guess! (You have 3 chances) K.Vikram Swift Cornell University
Guess-the-number in Swift intsecret; inttries; … Called from a Listener void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { Input Validation Check Fails } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }
Guess-the-number in Swift intsecret; inttries; … void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; Compare with stored secret if (tries > 0 && correct) { finishApp("You win $500!"); } Successful Guess } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }
Guess-the-number in Swift intsecret; inttries; … void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; Compare with stored secret if (tries > 0 && correct) { finishApp("You win $500!"); } else { Unsuccessful Guess tries--; if (tries > 0) message.setText("Try again"); else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }
intsecret; inttries; … void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; if (tries > 0 && correct) { finishApp("You win $500!"); } else { tries--; if (tries > 0) message.setText("Try again"); else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }
int secret; intsecret; inttries; inttries; … … void makeGuess(int guess) void makeGuess(int guess) { { if (guess >= 1 && guess <= 10) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = guess == secret; if (tries > 0 && correct) { if (tries > 0 && correct) { finishApp("You win $500!"); finishApp("You win $500!"); } else { } else { tries--; tries--; if (tries > 0) if (tries > 0) message.setText("Try again"); message.setText("Try again"); else else finishApp("Game over"); finishApp("Game over"); } } } else { } else { message.setText("Out of range:"+ guess); message.setText("Out of range:" + guess); } } } } K.Vikram Swift Cornell University
Alice Alice permits Bob to read Bob Alice permits Bob to write Alice Bob Writing security labels in Swift • A label denotes the security policy enforced on data (using the Decentralized Label Model[ML97]) server←server server→server int{server→server; server←server} secret; int{server→client; server←server} tries; server←server server→client • The compiler allows only those information flows that conform to security policies (Jif[ML99]) int{server→client} display; display = secret; K.Vikram Swift Cornell University
Guess-the-number in Swift int{server→server; server←server} secret; int{server→client; server←server} tries; … { If guess is within bounds the server is prepared to trust it endorse (guess, {server←client} to {server←server}) if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = declassify (guess == secret, {server→server} to {server→client}); if (tries > 0 && correct) { finishApp("You win $500!"); } else { Client is allowed to learn if guess is correct tries--; if (tries > 0) message.setText("Try again"); else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }
Java client code GWT runtime library Swift client runtime Javascript client code Java servlet framework Swift server runtime Java server code HTTP The Swift Architecture Jif source code Confidentiality/ Integrity labels label projection WebIL code partitioning Server/Client Placement Located WebIL code GWT Web Browser Web Server
The Swift Architecture Jif source code label projection WebIL code partitioning Located WebIL code Java client code Java servlet framework Swift server runtime Java server code Javascript client code Swift client runtime GWT runtime library GWT HTTP Web Browser Web Server
{Alice→Bob, Dave} {Irina→Bob; Heather←Dave,Bob,Irina} (low integrity) (high integrity) {Eve←Chuck, Alice} client can write client cannot write {Alice→Bob; Alice←Bob} {p←p} {} {Alice→Bob, Dave} {Fiona→Bob, Eve, Alice; Bob←Fiona} {Alice→Bob, Dave; w} {Chuck→Alice,Bob;Alice←Chuck} client can read {*l} {Alice→Bob, Dave} (low confidentiality) {Chuck←Chuck, Alice} {Chuck←Chuck, Alice} {Dave→Bob, Heather} {Chuck←Bob, Alice} client cannot read {George→Bob, Dave; Fiona→Bob; George←Alice,Dave} (high confidentiality) {x} {p→Bob, q; n} Placement Constraints from Labels server and maybe client ShC? client or server S?C? server only Sh server only S K.Vikram Swift Cornell University
(low integrity) (high integrity) client can write client cannot write client can read (low confidentiality) client cannot read (high confidentiality) Placement Constraints from Labels ShC? S?C? S Sh K.Vikram Swift Cornell University
Placement Constraints from Labels Security Constraints ShC? S?C? Architectural Constraints S S C Sh UI Widget calls Database library calls K.Vikram Swift Cornell University
Guess-the-number in WebIL Sh: int secret; ShC?: int tries; … void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { ShC?: Comparison only on server Sh: boolean correct = guess == secret; Sh: if (tries > 0 && correct) { S?C?: finishApp("You win $500!"); } else { } ShC?: tries--; Calls to UI methods on client S?C?: if (tries > 0) C: message.setText("Try again"); S?C?: else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); C: } } K.Vikram Swift Cornell University
The Swift Architecture Jif source code label projection WebIL code partitioning Located WebIL code Java client code Java servlet framework Swift server runtime Java server code Javascript client code Swift client runtime GWT runtime library GWT HTTP K.Vikram Swift Cornell University Web Browser Web Server
7.5 7.5 10 10 S S 10 C C S S 7.5 15 7.5 7.5 C C 7.5 5 10 15 10 10 10 S S 10 5 7.5 7.5 10 10 5 5 Performance Optimization • Minimize number of network messages • Network latency has biggest impact on responsiveness • Control transfer might require a network message • Modeling the run-time behavior of the program by a weighted control flow graph • Interprocedural dataflow analysis • Construct an instance of the min-cut problem • Min-cut/Max-flow algorithm runs in O(n3) time S C K.Vikram Swift Cornell University
Guess-the-number with placements Sh: int secret; ShC: int tries; … void makeGuess(int guess) { Input validation code replicated if (guess >= 1 && guess <= 10) { ShC: Sh: boolean correct = guess == secret; Sh: if (tries > 0 && correct) { finishApp("You win $500!"); C: Each statement/field is given one of five possible annotations: {C, S, SC,Sh, ShC} } } else { ShC: tries--; C: if (tries > 0) C: message.setText("Try again"); C: else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); C: } } K.Vikram Swift Cornell University
Java client code GWT runtime library Swift client runtime Javascript client code Java servlet framework Swift server runtime Java server code HTTP The Swift Architecture Jif source code label projection WebIL code partitioning Located WebIL code GWT K.Vikram Swift Cornell University Web Browser Web Server
[Code to execute, Local Variable Values] int secret; int secret; int tries; int tries; … … guess=6 void makeGuess(int guess) { void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = guess == secret; if (tries > 0 && correct) { if (tries > 0 && correct) { finishApp("You win $500!"); finishApp("You win $500!"); } else { } else { tries--; tries--; if (tries > 0) if (tries > 0) message.setText("Try again"); message.setText("Try again"); else finishApp("Game over"); else finishApp("Game over"); } } } else { } else { message.setText("Out of range:"+ guess); message.setText("Out of range:" + guess); } } } }
[Code to execute, Local variable values] int secret; int secret; int tries; int tries; … … void makeGuess(int guess) { void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = guess == secret; if (tries > 0 && correct) { if (tries > 0 && correct) { finishApp("You win $500!"); finishApp("You win $500!"); } else { } else { updates to locals tries--; tries--; if (tries > 0) if (tries > 0) message.setText("Try again"); message.setText("Try again"); else finishApp("Game over"); else finishApp("Game over"); } } } else { } else { message.setText("Out of range:"+ guess); message.setText("Out of range:" + guess); } } } }
int secret; int secret; int tries; int tries; … … void makeGuess(int guess) { void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = guess == secret; if (tries > 0 && correct) { if (tries > 0 && correct) { finishApp("You win $500!"); finishApp("You win $500!"); } else { } else { tries--; tries--; if (tries > 0) if (tries > 0) message.setText("Try again"); message.setText("Try again"); else finishApp("Game over"); else finishApp("Game over"); } } } else { } else { message.setText("Out of range:"+ guess); message.setText("Out of range:" + guess); } } } }
[Code to execute, Local variable values] Code to execute Local variable values • Client could cheat and request execution of arbitrary server code • Server keeps enough state about expected control flow • Client could corrupt local variables • Server does not accept updates for high integrity variables • Client cannot • Violate data integrity • Influence execution of high integrity code • Learn confidential values K.Vikram Swift Cornell University
Evaluation: Code size measurements Secret Keeper 324 lines Guess-the-Number 142 lines Poll 113 lines Shop 1094 lines Auction 502 lines Treasure Hunt 92 lines
Evaluation: Network message counts K.Vikram Swift Cornell University
Swift Related Work - Security - Replication for responsiveness - Automated, fine-grained optimization • Unified Programming Models • Links [CLWY 06] • Hop [SGL 06] • Hilda [YGQDGS 07,YSRG 06] • Web Application Security • Static Analysis [HYHTLK 04, XA 06, JKK 06] • Dynamic Taint Tracking [HO 05, NGGE 05, XBS 06, CVM 07] • Security by construction • Jif/Split [ZZNM 02, ZCMZ 03] • Fairplay [MNPS 04] • SMCL [NS 07] - Tracking over multiple requests - Client side computation - Confidentiality - Bigger, more practical applications - Web application security K.Vikram Swift Cornell University
Conclusions/Questions? • Web applications are critical and handle sensitive data • Secure web applications are hard to write • The Swift programming system provides • Greater security assurance • A responsive interface • Cleaner programming model • http://www.cs.cornell.edu/jif/swift/ K.Vikram Swift Cornell University