Csas

384 views

Published on

Csas

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
384
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
0
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Csas

  1. 1. Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley 1
  2. 2. Script Injection Vulnerabilities •  OWASP Top Ten Vulnerabilities – 2nd in 2010 & 2011 •  Today Affects – Major Web Services – Client-side Libraries – Browser Extensions – Devices & Smartphones 2
  3. 3. Predominant Defense Practice •  Why Does it Fail? – Developers forget to Sanitize [Pixy’06, PhpTaint’06,Cqual’04, Merlin’09,Securifly’05, PhpAspis’11] – Pick the wrong sanitizer [CCS’11] 3 String  Div.Render  ()     {    print(“<div>”);    print(userimg);    print(“</div>”);   }   String  Div.Render  ()     {    print(“<div>”);                                                                  print(Sanitize(userimg));    print(“</div>”);   }   Sanitizer Library
  4. 4. Vision •  Eliminate Scripting Attacks – Make Applications Secure by Construction Developer Code Application Code 4
  5. 5. Contributions •  A New "Push-Button" Defense Primitive –  "Security By Construction" Approach •  Context-Sensitive Auto-Sanitization (CSAS) –  New Challenge: Which Sanitizers To Place Where? –  Targets Existing Web Templating Frameworks •  It is Practical •  Deployed Commercially –  Google Closure Templates powers Google+ 5 Fast Auditable Compatible Secure
  6. 6. <script> var o = new soy.StringBuilder(); imgRender({O: o, imglink: $_GET(‘extlink’), name: [$_GET(‘name’)] })); document.write(o); </script> Web Templating Frameworks Templating   Framework     Compiler   Java JS Application calls Target Language Code Template Application Code template imgRender($imgLink, $name) { print (“<img src=“”); print ($imglink); print “”/>” . $name. “<br>”; return; } Template Code Template Language does not have complex constructs 6 Explicitly Separates Untrusted Inputs
  7. 7. Talk Outline •  System Architecture & Features •  Challenges •  The CSAS Engine Design •  Implementation •  Evaluation & Deployment 7
  8. 8. CSAS System Architecture Compiler   Jav a JS JS Application calls Instrumented Auto-Sanitization Template Sanitizer Library Static Error 8
  9. 9. CSAS Auditability & Compatibility Compiler   Jav a JS JS Instrumented Auto- Sanitization Sanitizer Library Static Error •  Easily Auditable •  Compatibility –  No Developer Involvement –  Minimize Static Errors •  Security •  Performance 9
  10. 10. HtmlSanitizerURLSanitizer template ImgRender($imgLink, $name) {……………} Security & Correctness (I) •  Property CSAN: Context-Sensitive Sanitization <img src=" /img?f= "/> <br>$name $imgLink $name HTML Tag Context URI START Context URI PATH Context URI QUERY Parameter Context HTML Tag Context Attacks Vary By Contexts! 10
  11. 11. Security & Correctness (II) •  Property NOS: No Over Sanitization <img src=" / /img?f= "/> <br>$name $imgLink $name Sanitize Only Untrusted Data Not Constant Strings 11
  12. 12. Security Assumptions •  Canonical HTML Parser –  Flexible to recognize browser differences [GWT, CTemplates] •  Correct Sanitizers –  Extensive Community Effort [OWASP, HtmlPurify, GWT, Django] –  Research on Secure Sanitization Primitives [Bek’11, Hampi’09,Min’06] –  Already Used in Many Frameworks
  13. 13. Challenges •  Easily Auditable •  Compatibility •  Security •  Performance Security Performance Compatibility 13
  14. 14. Approach #1: Context-Insensitive Sanitization template ImgRender($imgLink, $name) { print (“<img src=”); x := $imgLink; print ($x); print “/>” . $name. “<br>”; return; } template ImgRender($imgLink, $name) { print (“<img src=‘”); x := HtmlEncode($imgLink); print ($x); print “’/>” . HtmlEncode($name). “<br>”; return; } javascript: bad(); Security Performance Compatibility False Sense of Security! 14
  15. 15. Approach #2: Context-Sensitive Runtime Parsing (CSRP) URI START Context URI Param Context template ImgRender($imgLink, $name) {……………} <img src=" /img?f=$name $imgLink URLSanitizer URLParamSanitiz er Security Performance Compatibility 15
  16. 16. Rich Language Features <img src=' / /img?f= '/> <br>$name $imgLink $name 16 template ImgRender($imgLink, $name) { print (“<img src='”); x := “/” . $name. “/img?f=”. $imgLink; print ($x); print “'/>” . $name. “<br>”; return; }
  17. 17. template ImgRender($imgLink, $name) { print (“<img src='”); if ($name != “”) then x := “/” . $name. “/img?f=”. $imgLink; else x:= $imgLink; fi print ($x); print “'/>” . $name. “<br>”; return; } Rich Language Features: Control Flow <img src=' / /img?f= '/> <br>$name $imgLink $name Usage Contexts Statically Ambiguous: Sanitization Requirements vary by path! 17
  18. 18. Our Approach Type Inference Well-Typed IR Untyped Template Compilation Compiled Code 18 •  CSAS Engine – Context Type Qualifiers
  19. 19. Context Type Qualifiers •  Context Type Qualifier: – "Which contexts is a string safe to be rendered in" x:=“<img src='” . $imgLink; <img src=' $imgLink y:= UrlAttribSsanitize($imgLink) 𝐻𝑇𝑀𝐿_ 𝑆𝑇𝐴𝑅𝑇                       𝑈𝑅𝐼_ 𝑆𝑇𝐴𝑅𝑇 𝑈𝑅𝐼_ 𝑆𝑇𝐴𝑅𝑇                                 𝑈𝑅𝐼 x:=“<img src='” . y; 𝐻𝑇𝑀𝐿_ 𝑆𝑇𝐴𝑅𝑇                                 𝑈𝑅𝐼 TERMS TYPES 19 Type Inference: Where To Place Sanitizers?
  20. 20. Ensuring Compatibility: Key Ideas 𝐻𝑇𝑀𝐿_ 𝑇𝐴𝐺                           𝐻𝑇𝑀𝐿_ 𝑇𝐴𝐺𝑈𝑅𝐼_ 𝑆𝑇𝐴𝑅𝑇                       𝑈𝑅𝐼 ≠ Flow-sensitive Type Qualifiers 20 template StatAmb($imgLink, $name) { if ($name == “”) then print (“<img src=“”); else print (“<div>”); fi print ($imgLink); } DYN STATIC CSRP Approach (1%) Statically Sanitized (99%)
  21. 21. Implementation & Evaluation •  Google Closure Templates – Powers several Google products – 3045 LOC Java •  Evaluation Benchmarks: – 1035 templates from production Google code – Rich Features •  2997 calls •  1224 print/sink statements using 600 untrusted input variables 21
  22. 22. Evaluation: Compatibility •  All 1035 templates auto-sanitized! – No Developer Involvement – No Static Errors •  Compared to original sanitization – 21 cases differ out of 1224 – CSAS engine inferred a more accurate sanitizer 22
  23. 23. Evaluation: Security 602 380 231 39 33 27 15 10 7 3 1 0 100 200 300 400 500 600 700 escapeHtml escapeHtmlAttribute filterNormalizeURI, escapeHtml escapeJsValue filterCSSValue escapeJsString escapeUri escapeHtmlRcdata escapeHtmlAttributeNospace filterHtmlIdent filternormalizeURI Context-Insensitive Approach Fails on 28% prints 23 UNSAFE
  24. 24. Java JavaScript Evaluation: Performance Overhead CI CSRP CSAS Chrome 9 3.0% 78.8% 3.0% FF 3.6 9.6% 425% 9.6% Safari 5 2.5% 189% 3.1% CI CSRP CSAS Java 0% 72% 0% 24 Order Of Magnitude Faster Than CSRP •  Benchmarks – Templates Only, No Other Application Logic •  Base: No Sanitization Practical Performance: Upto 9.6%
  25. 25. Conclusion 25 •  CSAS: A New "Push-Button" Defense Primitive – Fast, Secure, Compatible and Auditable – Increasing Commercially Adoption •  Other Frameworks 0 1000 2000 3000 4000 5000 6000 July Today
  26. 26. Thanks 26 http://code.google.com/closure/templates/docs/security.html Questions?

×