Swift: Secure Web Applications via Automatic Partitioning

Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Cornell University. SOSP 2007 (October 15). Speaker: K. Vikram. Splitting Webapps via Information Flow Types.

Transcript of Swift: Secure Web Applications via Automatic Partitioning

Page 1: Swift: Secure Web Applications via Automatic Partitioning

Swift: Secure Web Applications via Automatic Partitioning

Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng
Cornell University
SOSP 2007 (October 15)
Speaker: K. Vikram

Splitting Webapps via Information Flow Types

Page 2: Swift: Secure Web Applications via Automatic Partitioning

• Ubiquitous, important, yet insecure
  – 61% of Internet vulnerabilities affect webapps*
  – Cross-site scripting, SQL injection, information leakage, etc.
• Development methods lack security reasoning
  – Distributed system in multiple languages
    • Client: CSS, XHTML, JavaScript, Flash
    • Server: PHP, ASP, Ruby, SQL
  – Ajax/Web 2.0: complex JavaScript UIs generating HTTP requests

*Symantec Internet Security Threat Report 2007

Can we make web applications secure?

Page 3: Swift: Secure Web Applications via Automatic Partitioning

Swift*

• Make interactive web applications secure and easier to write
• Easier to write
  – One program (in one general-purpose language), automatically split by the compiler
• Security by construction
  – Rich security policies as declarative annotations
• Interactivity
  – Finding an optimal split for performance

*Splitting Webapps via Information Flow Types

[Figure: Swift source code → Compiler → Partitioner → JavaScript client code and Java server code]

Page 4: Swift: Secure Web Applications via Automatic Partitioning

K.Vikram Swift Cornell University

The Guess-the-Number Game

Secret Number: 7

Tries: 3

Take a Guess!

(You have 3 chances)

Random number between 1 and 10

Page 5: Swift: Secure Web Applications via Automatic Partitioning

The Guess-the-Number Game

Secret Number: 7
Tries: 3
Take a Guess! (You have 3 chances)

Demo sequence of guesses:
  6  → Try Again (Tries: 2; You have 2 chances)
  12 → Out of range [Bounds Check]
  4  → Try Again (Tries: 1; You have 1 chance)
  7  → You win $500 [Compare Guess] (Tries: 0)

Page 6: Swift: Secure Web Applications via Automatic Partitioning

The Guess-the-Number Game

Secret Number: 7
Tries: 3
Take a Guess! (You have 3 chances)
7 → You win $500

Confidentiality requirement: the secret number (7) must not reach the client.
Integrity requirement: the tries counter (a cheating client shows "Tries: 10" and guesses 1 2 3 4 5 6 7 in turn).
Integrity requirement: the outcome (a cheating client claims "I win $500").

Bounds Check, Compare Guess
Buggy or malicious (client) vs. Trusted (server)

Page 7: Swift: Secure Web Applications via Automatic Partitioning

The Guess-the-Number Game

Secret Number: 7
Tries: 3
Take a Guess! (You have 3 chances)

A secure optimal split: Bounds Check on both client and server, Compare Guess on the server only.

Page 8: Swift: Secure Web Applications via Automatic Partitioning

Guess-the-number in Swift

    int secret;
    int tries;
    …
    void makeGuess(int guess) {            // called from a listener
      if (guess >= 1 && guess <= 10) {     // input validation
        …
      } else {                             // check fails
        message.setText("Out of range:" + guess);
      }
    }

Page 9: Swift: Secure Web Applications via Automatic Partitioning

Guess-the-number in Swift…

    int secret;
    int tries;
    …
    void makeGuess(int guess) {
      if (guess >= 1 && guess <= 10) {
        boolean correct = guess == secret;   // compare with stored secret
        if (tries > 0 && correct) {
          finishApp("You win $500!");        // successful guess
        }
      } else {
        message.setText("Out of range:" + guess);
      }
    }

Page 10: Swift: Secure Web Applications via Automatic Partitioning

Guess-the-number in Swift…

    int secret;
    int tries;
    …
    void makeGuess(int guess) {
      if (guess >= 1 && guess <= 10) {
        boolean correct = guess == secret;   // compare with stored secret
        if (tries > 0 && correct) {
          finishApp("You win $500!");
        } else {                             // unsuccessful guess
          tries--;
          if (tries > 0)
            message.setText("Try again");
          else
            finishApp("Game over");
        }
      } else {
        message.setText("Out of range:" + guess);
      }
    }

Page 13: Swift: Secure Web Applications via Automatic Partitioning

Writing security labels in Swift

• A label denotes the security policy enforced on data (using the Decentralized Label Model [ML97])

    int{server→server; server←server} secret;
    int{server→client; server←server} tries;

  Alice→Bob: Alice permits Bob to read
  Alice←Bob: Alice permits Bob to write

• The compiler allows only those information flows that conform to security policies (Jif [ML99])

    int{server→client} display;
    display = secret;   // rejected by the compiler

  The assignment is rejected because the confidentiality policy of secret, server→server (only the server may read), does not flow to display's policy server→client (the client may read too). The integrity policies, server←server on both sides, are compatible.

Page 14: Swift: Secure Web Applications via Automatic Partitioning

Guess-the-number in Swift

    int{server→server; server←server} secret;
    int{server→client; server←server} tries;
    …
    void makeGuess(int guess) {
      if (guess >= 1 && guess <= 10) {
        // If guess is within bounds, the server is prepared to trust it
        endorse (guess, {server←client} to {server←server}) {
          // Client is allowed to learn if guess is correct
          boolean correct = declassify (guess == secret,
                                        {server→server} to {server→client});
          if (tries > 0 && correct) {
            finishApp("You win $500!");
          } else {
            tries--;
            if (tries > 0)
              message.setText("Try again");
            else
              finishApp("Game over");
          }
        }
      } else {
        message.setText("Out of range:" + guess);
      }
    }

The plain comparison boolean correct = guess == secret; of the earlier slides is replaced by the endorse and declassify above: endorse raises the integrity of the client-supplied guess once it has passed the bounds check, and declassify lets the client learn only whether the guess was correct.

Page 15: Swift: Secure Web Applications via Automatic Partitioning

The Swift Architecture

Compiler pipeline:
  Jif source code → [label projection] → WebIL code → [partitioning] → Located WebIL code → Java server code + Java client code
  Label projection works on the confidentiality/integrity labels; partitioning decides server/client placement.

Web server: the Java server code runs on the Swift server runtime, on top of the Java servlet framework.
Web browser: the Java client code is compiled by GWT to JavaScript client code, which runs on the Swift client runtime and the GWT runtime library.
The two halves communicate over HTTP.


Page 17: Swift: Secure Web Applications via Automatic Partitioning

Placement Constraints from Labels

Example labels sorted by what the client may read and write:
{Alice→Bob; Alice←Bob}, {Chuck→Alice,Bob; Alice←Chuck}, {Alice→Bob, Dave}, {Chuck←Chuck, Alice}, {Chuck←Bob, Alice}, {Fiona→Bob, Eve, Alice; Bob←Fiona}, {Eve←Chuck, Alice}, {George→Bob, Dave; Fiona→Bob; George←Alice,Dave}, {Dave→Bob, Heather}, {}, {Alice→Bob, Dave; w}, {*l}, {x}, {p←p}, {Irina→Bob; Heather←Dave,Bob,Irina}, {p→Bob, q; n}

                                 client can read            client cannot read
                                 (low confidentiality)      (high confidentiality)
  client can write               client or server           server only
  (low integrity)                S?C?                       S
  client cannot write            server and maybe client    server only
  (high integrity)               ShC?                       Sh


Page 19: Swift: Secure Web Applications via Automatic Partitioning

Placement Constraints from Labels

Security constraints (from the label grid): S?C?, ShC?, S, Sh
Architectural constraints:
  – Database/library calls → S (server only)
  – UI widget calls → C (client only)
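As an added worked example (not code from the talk or from the Swift system), the small Python model below implements the reader/writer reading of DLM labels used on slides 13, 14 and 17 to 19: it parses labels such as {server→client; server←server}, decides whether one label may flow to another, joins the labels of two operands, restricts declassify to confidentiality and endorse to integrity, and maps a label to the S?C?/ShC?/S/Sh placement constraint. It assumes a flat principal hierarchy and that the client's guess carries the (assumed) label {server→client; server←client}.

```python
from typing import FrozenSet, NamedTuple

ALL = frozenset({"*"})  # stands for "every principal"

class Label(NamedTuple):
    readers: FrozenSet[str]  # principals allowed to read (ALL = public)
    writers: FrozenSet[str]  # principals that may have written (ALL = untrusted)

def _meet(sets):  # principals permitted by every policy; no policy = everyone
    return frozenset.intersection(*sets) if sets else ALL

def _sub(a, b):  # a is a subset of b, treating ALL as the universal set
    return b == ALL or (a != ALL and a <= b)
def _inter(a, b):
    return b if a == ALL else a if b == ALL else a & b
def _union(a, b):
    return ALL if ALL in (a, b) else a | b

def parse(text):
    """'{server→client; server←server}' -> Label; an owner always reads/writes."""
    conf, integ = [], []
    for pol in filter(None, (p.strip() for p in text.strip("{} ").split(";"))):
        arrow = "→" if "→" in pol else "←"
        owner, rest = (s.strip() for s in pol.split(arrow, 1))
        members = {owner} | {s.strip() for s in rest.split(",") if s.strip()}
        (conf if arrow == "→" else integ).append(frozenset(members))
    return Label(_meet(conf), _meet(integ))

def may_flow(src, dst):
    """src ⊑ dst: dst is at least as confidential and at most as trusted."""
    return _sub(dst.readers, src.readers) and _sub(src.writers, dst.writers)

def join(a, b):
    """Label of an expression combining a and b, e.g. guess == secret."""
    return Label(_inter(a.readers, b.readers), _union(a.writers, b.writers))

def declassify(lbl, to):  # relax confidentiality only; integrity must match
    if lbl.writers != to.writers:
        raise ValueError("declassify may not change integrity")
    return to

def endorse(lbl, to):  # raise integrity only; confidentiality must match
    if lbl.readers != to.readers:
        raise ValueError("endorse may not change confidentiality")
    return to

def placement(lbl):  # slide 17/18: constraint from what the client may read/write
    can_read = lbl.readers == ALL or "client" in lbl.readers
    can_write = lbl.writers == ALL or "client" in lbl.writers
    return ("S?C?" if can_write else "ShC?") if can_read else ("S" if can_write else "Sh")
```

With the labels from slide 13, display = secret is rejected while tries may flow to display, and joining the endorsed guess with secret yields a label that must be declassified before the client can see the result.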

Page 20: Swift: Secure Web Applications via Automatic Partitioning

Guess-the-number in WebIL

    Sh:    int secret;
    ShC?:  int tries;
           …
    S?C?:  void makeGuess(int guess) {
    S?C?:    if (guess >= 1 && guess <= 10) {
    Sh:        boolean correct = guess == secret;      // comparison only on server
    ShC?:      if (tries > 0 && correct) {
    C:           finishApp("You win $500!");           // calls to UI methods on client
               } else {
    ShC?:        tries--;
    ShC?:        if (tries > 0)
    C:             message.setText("Try again");
                 else
    C:             finishApp("Game over");
               }
             } else {
    C:         message.setText("Out of range:" + guess);
             }
           }

Each constraint follows from the label grid and the architectural constraints: secret is unreadable and unwritable by the client (Sh), tries is readable but not writable (ShC?), the bounds check operates only on client-supplied data (S?C?), the comparison involves secret (Sh), and UI calls must run on the client (C).


Page 22: Swift: Secure Web Applications via Automatic Partitioning

Performance Optimization

• Minimize number of network messages
  – Network latency has biggest impact on responsiveness
  – Control transfer might require a network message
• Modeling the run-time behavior of the program by a weighted control flow graph
  – Interprocedural dataflow analysis
• Construct an instance of the min-cut problem
  • Min-cut/Max-flow algorithm runs in O(n³) time

[Figure: weighted control flow graph whose nodes are placed on S or C; edge weights 5, 7.5, 10 and 15 are expected control transfers, and the S/C cut crosses the cheapest edges]
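An added example, not the Swift partitioner's own code: a minimal Python version of the min-cut formulation described above. Control-flow edges are weighted by expected execution counts (constructed here for the guess-the-number game), nodes already pinned to the server or the client by security or architectural constraints are attached to the source or sink with infinite capacity, and an Edmonds-Karp max-flow yields a server/client assignment whose cut weight is the expected number of network messages. It does not model replication (the SC and ShC placements), which the real partitioner also handles.

```python
from collections import deque

INF = float("inf")

def min_cut_placement(edges, fixed):
    """Assign every node 'S' (server) or 'C' (client) minimising the total weight
    of control-flow edges that cross the network.  edges: {(u, v): expected
    transfers u->v}; fixed: {node: 'S'|'C'} forced by labels or library calls."""
    cap = {"SRC": {}, "SNK": {}}  # residual capacities, cap[u][v]

    def add(u, v, c):
        cap.setdefault(u, {}).setdefault(v, 0)
        cap.setdefault(v, {}).setdefault(u, 0)
        cap[u][v] += c

    for (u, v), w in edges.items():  # a transfer costs one message either way
        add(u, v, w)
        add(v, u, w)
    for node, host in fixed.items():  # infinite edges pin a node to its side
        src, dst = ("SRC", node) if host == "S" else (node, "SNK")
        add(src, dst, INF)

    def bfs():  # parent links of all nodes reachable from SRC in the residual graph
        parent, queue = {"SRC": None}, deque(["SRC"])
        while queue:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        return parent

    flow = 0
    while True:  # Edmonds-Karp: augment along shortest paths until none remains
        parent = bfs()
        if "SNK" not in parent:
            break
        path, v = [], "SNK"
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(cap[u][v] for u, v in path)
        for u, v in path:
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
        flow += bottleneck
    server_side = set(bfs())  # the min cut: nodes still reachable from SRC
    hosts = {n: "S" if n in server_side else "C"
             for n in cap if n not in ("SRC", "SNK")}
    return hosts, flow  # flow == weight of the cut == expected network messages
```

With the comparison pinned to the server and the UI calls to the client, the bounds check lands on the client when the listener-to-check edge is heavy, and on the server when it is cheap enough that re-checking there saves the round trip.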

Page 23: Swift: Secure Web Applications via Automatic Partitioning

Guess-the-number with placements

    Sh:    int secret;
    ShC:   int tries;
           …
    C:     void makeGuess(int guess) {
    SC:      if (guess >= 1 && guess <= 10) {           // input validation code replicated
    Sh:        boolean correct = guess == secret;
    ShC:       if (tries > 0 && correct) {
    C:           finishApp("You win $500!");
               } else {
    ShC:         tries--;
    ShC:         if (tries > 0)
    C:             message.setText("Try again");
                 else
    C:             finishApp("Game over");
               }
             } else {
    C:         message.setText("Out of range:" + guess);
             }
           }

Each statement/field is given one of five possible annotations: {C, S, SC, Sh, ShC}. The input validation code is replicated on both hosts: the client runs it for responsiveness, the server re-runs it before trusting the guess.


Page 25: Swift: Secure Web Applications via Automatic Partitioning

Running makeGuess with guess=6: the client evaluates the bounds check if (guess >= 1 && guess <= 10) locally. Because boolean correct = guess == secret is placed on the server, control then transfers to the server in a message carrying [Code to execute, Local Variable Values]. (The slide shows the same makeGuess listing on the client side and the server side.)

Page 26: Swift: Secure Web Applications via Automatic Partitioning

The server evaluates boolean correct = guess == secret and if (tries > 0 && correct), then hands control back to the client with a message carrying [Code to execute, Local variable values], including updates to locals. (Both sides again show the full makeGuess listing, with the bounds check present on each.)

Page 27: Swift: Secure Web Applications via Automatic Partitioning

The client resumes makeGuess with the returned local variable values and performs the UI calls (message.setText("Try again"), finishApp("You win $500!") or finishApp("Game over")). (The slide shows the makeGuess listing on both sides; the bounds check if (guess >= 1 && guess <= 10) appears on both, the comparison boolean correct = guess == secret only runs on the server.)

Page 28: Swift: Secure Web Applications via Automatic Partitioning

• Client could cheat and request execution of arbitrary server code
  – Server keeps enough state about expected control flow
• Client could corrupt local variables
  – Server does not accept updates for high integrity variables
• Client cannot
  – Violate data integrity
  – Influence execution of high integrity code
  – Learn confidential values

[Figure: message from client to server carrying "Code to execute" and "Local variable values"]

Page 29: Swift: Secure Web Applications via Automatic Partitioning

Evaluation: Code size measurements

  Application        Lines
  Guess-the-Number    142
  Poll                113
  Secret Keeper       324
  Treasure Hunt        92
  Auction             502
  Shop               1094

Page 30: Swift: Secure Web Applications via Automatic Partitioning

Evaluation: Network message counts

                                          Actual                     Optimal
  Example           Task                  Server→Client  Client→Server  Server→Client  Client→Server
  Guess-the-Number  guessing a number     1              2              1              1
  Shop              adding an item        0              0              0              0
  Poll              casting a vote        1              1              0              1
  Secret Keeper     viewing the secret    1              1              1              1
  Treasure Hunt     exploring a cell      1              2              1              1
  Auction           bidding               1              1              1              1

Page 31: Swift: Secure Web Applications via Automatic Partitioning

Related Work

• Unified Programming Models
  – Links [CLWY 06]
  – Hop [SGL 06]
  – Hilda [YGQDGS 07, YSRG 06]
  Swift adds: security; replication for responsiveness; automated, fine-grained optimization
• Web Application Security
  – Static Analysis [HYHTLK 04, XA 06, JKK 06]
  – Dynamic Taint Tracking [HO 05, NGGE 05, XBS 06, CVM 07]
  Swift adds: tracking over multiple requests; client side computation; confidentiality
• Security by construction
  – Jif/Split [ZZNM 02, ZCMZ 03]
  – Fairplay [MNPS 04]
  – SMCL [NS 07]
  Swift adds: bigger, more practical applications; web application security

Page 32: Swift: Secure Web Applications via Automatic Partitioning

Conclusions/Questions?

• Web applications are critical and handle sensitive data
• Secure web applications are hard to write
• The Swift programming system provides
  – Greater security assurance
  – A responsive interface
  – Cleaner programming model
• http://www.cs.cornell.edu/jif/swift/