1 / 32

Swift: Secure Web Applications via Automatic Partitioning

Swift: Secure Web Applications via Automatic Partitioning. Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell University SOSP 2007 (October 15) Speaker: K. Vikram. S plitting W ebapps via I nformation F low T ypes.

cree
Download Presentation

Swift: Secure Web Applications via Automatic Partitioning

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Swift: Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell University SOSP 2007 (October 15) Speaker: K. Vikram Splitting Webapps via Information Flow Types

  2. Can we make web applications secure? • Ubiquitous, important, yet insecure • 61% of Internet vulnerabilities affect webapps* • Cross-site scripting, SQL injection, Information Leakage, etc. • Development methods lack security reasoning • Distributed system in multiple languages • Client: CSS, XHTML, JavaScript, Flash • Server: PHP, ASP, Ruby, SQL • Ajax/Web 2.0: Complex JavaScript UIs generating HTTP requests *Symantec Internet Security Threat Report 2007

  3. Swift source code Compiler Partitioner Javascript client code Swift* • Make interactive web applications secure and easier to write • Easier to Write • One program (in one general purpose language) automatically split by the compiler • Security by construction • Rich security policies as declarative annotations • Interactivity • Finding an optimal split for performance Java server code *Splitting Webapps via Information Flow Types

  4. Take a Guess! (You have 3 chances) The Guess-the-Number Game Random number between 1 and 10 Secret Number: 7 Tries: 3 K.Vikram Swift Cornell University

  5. The Guess-the-Number Game Bounds Check Compare Guess Secret Number: 7 6 Tries: 3 Tries: 1 Tries: 2 Tries: 0 Try Again 12 Out of range 4 Take a Guess! Try Again 7 (You have 3 chances) (You have 1 chance) (You have 2 chances) You win $500 You win $500 K.Vikram Swift Cornell University

  6. Bounds Check Compare Guess The Guess-the-Number Game Confidentiality Requirement Secret Number: 7 Tries: 10 Tries: 3 Integrity Requirement Buggy or malicious Trusted I win $500 Take a Guess! 7 6 2 4 3 1 7 5 Integrity Requirement (You have 3 chances) You win $500 K.Vikram Swift Cornell University

  7. The Guess-the-Number Game Bounds Check Bounds Check Compare Guess Secret Number: 7 A secure optimal split Tries: 3 Tries: 3 Take a Guess! (You have 3 chances) K.Vikram Swift Cornell University

  8. Guess-the-number in Swift intsecret; inttries; … Called from a Listener void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { Input Validation Check Fails } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }

  9. Guess-the-number in Swift intsecret; inttries; … void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; Compare with stored secret if (tries > 0 && correct) { finishApp("You win $500!"); } Successful Guess } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }

  10. Guess-the-number in Swift intsecret; inttries; … void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; Compare with stored secret if (tries > 0 && correct) { finishApp("You win $500!"); } else { Unsuccessful Guess tries--; if (tries > 0) message.setText("Try again"); else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }

  11. intsecret; inttries; … void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; if (tries > 0 && correct) { finishApp("You win $500!"); } else { tries--; if (tries > 0) message.setText("Try again"); else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }

  12. int secret; intsecret; inttries; inttries; … … void makeGuess(int guess) void makeGuess(int guess) { { if (guess >= 1 && guess <= 10) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = guess == secret; if (tries > 0 && correct) { if (tries > 0 && correct) { finishApp("You win $500!"); finishApp("You win $500!"); } else { } else { tries--; tries--; if (tries > 0) if (tries > 0) message.setText("Try again"); message.setText("Try again"); else else finishApp("Game over"); finishApp("Game over"); } } } else { } else { message.setText("Out of range:"+ guess); message.setText("Out of range:" + guess); } } } } K.Vikram Swift Cornell University

  13. Alice Alice permits Bob to read Bob Alice permits Bob to write Alice Bob Writing security labels in Swift • A label denotes the security policy enforced on data (using the Decentralized Label Model[ML97]) server←server server→server int{server→server; server←server} secret; int{server→client; server←server} tries; server←server server→client • The compiler allows only those information flows that conform to security policies (Jif[ML99]) int{server→client} display; display = secret; K.Vikram Swift Cornell University

  14. Guess-the-number in Swift int{server→server; server←server} secret; int{server→client; server←server} tries; … { If guess is within bounds the server is prepared to trust it endorse (guess, {server←client} to {server←server}) if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = declassify (guess == secret, {server→server} to {server→client}); if (tries > 0 && correct) { finishApp("You win $500!"); } else { Client is allowed to learn if guess is correct tries--; if (tries > 0) message.setText("Try again"); else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); } K.Vikram Swift Cornell University }

  15. Java client code GWT runtime library Swift client runtime Javascript client code Java servlet framework Swift server runtime Java server code HTTP The Swift Architecture Jif source code Confidentiality/ Integrity labels label projection WebIL code partitioning Server/Client Placement Located WebIL code GWT Web Browser Web Server

  16. The Swift Architecture Jif source code label projection WebIL code partitioning Located WebIL code Java client code Java servlet framework Swift server runtime Java server code Javascript client code Swift client runtime GWT runtime library GWT HTTP Web Browser Web Server

  17. {Alice→Bob, Dave} {Irina→Bob; Heather←Dave,Bob,Irina} (low integrity) (high integrity) {Eve←Chuck, Alice} client can write client cannot write {Alice→Bob; Alice←Bob} {p←p} {} {Alice→Bob, Dave} {Fiona→Bob, Eve, Alice; Bob←Fiona} {Alice→Bob, Dave; w} {Chuck→Alice,Bob;Alice←Chuck} client can read {*l} {Alice→Bob, Dave} (low confidentiality) {Chuck←Chuck, Alice} {Chuck←Chuck, Alice} {Dave→Bob, Heather} {Chuck←Bob, Alice} client cannot read {George→Bob, Dave; Fiona→Bob; George←Alice,Dave} (high confidentiality) {x} {p→Bob, q; n} Placement Constraints from Labels server and maybe client ShC? client or server S?C? server only Sh server only S K.Vikram Swift Cornell University

  18. (low integrity) (high integrity) client can write client cannot write client can read (low confidentiality) client cannot read (high confidentiality) Placement Constraints from Labels ShC? S?C? S Sh K.Vikram Swift Cornell University

  19. Placement Constraints from Labels Security Constraints ShC? S?C? Architectural Constraints S S C Sh UI Widget calls Database library calls K.Vikram Swift Cornell University

  20. Guess-the-number in WebIL Sh: int secret; ShC?: int tries; … void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { ShC?: Comparison only on server Sh: boolean correct = guess == secret; Sh: if (tries > 0 && correct) { S?C?: finishApp("You win $500!"); } else { } ShC?: tries--; Calls to UI methods on client S?C?: if (tries > 0) C: message.setText("Try again"); S?C?: else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); C: } } K.Vikram Swift Cornell University

  21. The Swift Architecture Jif source code label projection WebIL code partitioning Located WebIL code Java client code Java servlet framework Swift server runtime Java server code Javascript client code Swift client runtime GWT runtime library GWT HTTP K.Vikram Swift Cornell University Web Browser Web Server

  22. 7.5 7.5 10 10 S S 10 C C S S 7.5 15 7.5 7.5 C C 7.5 5 10 15 10 10 10 S S 10 5 7.5 7.5 10 10 5 5 Performance Optimization • Minimize number of network messages • Network latency has biggest impact on responsiveness • Control transfer might require a network message • Modeling the run-time behavior of the program by a weighted control flow graph • Interprocedural dataflow analysis • Construct an instance of the min-cut problem • Min-cut/Max-flow algorithm runs in O(n3) time S C K.Vikram Swift Cornell University

  23. Guess-the-number with placements Sh: int secret; ShC: int tries; … void makeGuess(int guess) { Input validation code replicated if (guess >= 1 && guess <= 10) { ShC: Sh: boolean correct = guess == secret; Sh: if (tries > 0 && correct) { finishApp("You win $500!"); C: Each statement/field is given one of five possible annotations: {C, S, SC,Sh, ShC} } } else { ShC: tries--; C: if (tries > 0) C: message.setText("Try again"); C: else finishApp("Game over"); } } else { message.setText("Out of range:"+ guess); C: } } K.Vikram Swift Cornell University

  24. Java client code GWT runtime library Swift client runtime Javascript client code Java servlet framework Swift server runtime Java server code HTTP The Swift Architecture Jif source code label projection WebIL code partitioning Located WebIL code GWT K.Vikram Swift Cornell University Web Browser Web Server

  25. [Code to execute, Local Variable Values] int secret; int secret; int tries; int tries; … … guess=6 void makeGuess(int guess) { void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = guess == secret; if (tries > 0 && correct) { if (tries > 0 && correct) { finishApp("You win $500!"); finishApp("You win $500!"); } else { } else { tries--; tries--; if (tries > 0) if (tries > 0) message.setText("Try again"); message.setText("Try again"); else finishApp("Game over"); else finishApp("Game over"); } } } else { } else { message.setText("Out of range:"+ guess); message.setText("Out of range:" + guess); } } } }

  26. [Code to execute, Local variable values] int secret; int secret; int tries; int tries; … … void makeGuess(int guess) { void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = guess == secret; if (tries > 0 && correct) { if (tries > 0 && correct) { finishApp("You win $500!"); finishApp("You win $500!"); } else { } else { updates to locals tries--; tries--; if (tries > 0) if (tries > 0) message.setText("Try again"); message.setText("Try again"); else finishApp("Game over"); else finishApp("Game over"); } } } else { } else { message.setText("Out of range:"+ guess); message.setText("Out of range:" + guess); } } } }

  27. int secret; int secret; int tries; int tries; … … void makeGuess(int guess) { void makeGuess(int guess) { if (guess >= 1 && guess <= 10) { if (guess >= 1 && guess <= 10) { boolean correct = guess == secret; boolean correct = guess == secret; if (tries > 0 && correct) { if (tries > 0 && correct) { finishApp("You win $500!"); finishApp("You win $500!"); } else { } else { tries--; tries--; if (tries > 0) if (tries > 0) message.setText("Try again"); message.setText("Try again"); else finishApp("Game over"); else finishApp("Game over"); } } } else { } else { message.setText("Out of range:"+ guess); message.setText("Out of range:" + guess); } } } }

  28. [Code to execute, Local variable values] Code to execute Local variable values • Client could cheat and request execution of arbitrary server code • Server keeps enough state about expected control flow • Client could corrupt local variables • Server does not accept updates for high integrity variables • Client cannot • Violate data integrity • Influence execution of high integrity code • Learn confidential values K.Vikram Swift Cornell University

  29. Evaluation: Code size measurements Secret Keeper 324 lines Guess-the-Number 142 lines Poll 113 lines Shop 1094 lines Auction 502 lines Treasure Hunt 92 lines

  30. Evaluation: Network message counts K.Vikram Swift Cornell University

  31. Swift Related Work - Security - Replication for responsiveness - Automated, fine-grained optimization • Unified Programming Models • Links [CLWY 06] • Hop [SGL 06] • Hilda [YGQDGS 07,YSRG 06] • Web Application Security • Static Analysis [HYHTLK 04, XA 06, JKK 06] • Dynamic Taint Tracking [HO 05, NGGE 05, XBS 06, CVM 07] • Security by construction • Jif/Split [ZZNM 02, ZCMZ 03] • Fairplay [MNPS 04] • SMCL [NS 07] - Tracking over multiple requests - Client side computation - Confidentiality - Bigger, more practical applications - Web application security K.Vikram Swift Cornell University

  32. Conclusions/Questions? • Web applications are critical and handle sensitive data • Secure web applications are hard to write • The Swift programming system provides • Greater security assurance • A responsive interface • Cleaner programming model • http://www.cs.cornell.edu/jif/swift/ K.Vikram Swift Cornell University

More Related