Improving web site security with data flow management

This dissertation describes two systems, Resin and BFlow, whose goal is to help Web developers build more secure Web sites. Resin and BFlow use data flow management to reduce the security risks of running buggy or malicious code. Resin provides programmers with language-level mechanisms to track and manage the flow of data within the server. These mechanisms make it easy for programmers to catch server-side data flow bugs that result in security vulnerabilities, and to prevent those bugs from being exploited. BFlow adds information flow control, a restrictive form of data flow management, both to the Web browser and to the interface between a browser and a server. BFlow makes it possible for a Web site to combine confidential data with untrusted JavaScript in its Web pages without risking leaks of that data.

This work makes a number of contributions. Resin introduces the idea of a data flow assertion and demonstrates how to build one from three language-level mechanisms: policy objects, data tracking, and filter objects. We built prototype implementations of Resin in both the PHP and Python runtimes. We adapt seven real off-the-shelf applications and implement 11 different security policies in Resin, which thwart at least 27 real security vulnerabilities. BFlow introduces an information flow control model that fits JavaScript's communication mechanisms, and a system that maps that model onto JavaScript's existing isolation system. Together, these techniques allow untrusted JavaScript to read, compute with, and display confidential data without the risk of leaking that data, yet require only minor changes to existing software. We built a prototype of the BFlow system and three different applications: a social networking application, a novel shared-data Web platform, and BFlogger, a third-party JavaScript platform similar to that of Blogger.com. We ported several untrusted JavaScript extensions from Blogger.com to BFlogger and show that the extensions cannot leak data as they can on Blogger.com.

Thesis Supervisor: Robert T. Morris
Title: Associate Professor
Thesis Supervisor: Nickolai Zeldovich
Title: Assistant Professor
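The three mechanisms the abstract names for Resin (policy objects, data tracking, filter objects) compose into a data flow assertion as sketched in the following added Python example. It is an illustration of the pattern written for this page, not Resin's own code (Resin tracks data inside the PHP and Python runtimes rather than through a str subclass); the names Tracked, PasswordPolicy, send_mail, attempt_reset and the sample account are assumptions made here.

```python
"""A data flow assertion built from three mechanisms: a policy object rides
along with the data it protects, data tracking propagates it through string
operations, and a filter object checks it at the boundary where data leaves
the server.  Added illustration, not Resin's implementation; every name and
the sample account below are constructed for this example."""


class PolicyViolation(Exception):
    """Raised by a filter when a policy on outgoing data rejects the export."""


class Policy:
    """Base policy object.  Filters call export_check with a description of
    the output channel (for email: the recipient address)."""

    def export_check(self, context):
        raise NotImplementedError


class PasswordPolicy(Policy):
    """Assertion: a user's password may leave the server only in an email
    addressed to that user."""

    def __init__(self, owner_email):
        self.owner_email = owner_email

    def export_check(self, context):
        if context.get("channel") != "email" or context.get("to") != self.owner_email:
            raise PolicyViolation(
                f"password of {self.owner_email} may not flow to {context}")


class Tracked(str):
    """A str carrying a frozenset of policy objects.  Data tracking: strings
    derived by concatenation or slicing inherit the policies of their inputs."""

    def __new__(cls, value, policies=()):
        obj = super().__new__(cls, value)
        obj.policies = frozenset(policies)
        return obj

    @staticmethod
    def policies_of(value):
        return getattr(value, "policies", frozenset())

    def __add__(self, other):
        joined = str.__add__(self, other)
        if joined is NotImplemented:
            return NotImplemented
        return Tracked(joined, self.policies | Tracked.policies_of(other))

    def __radd__(self, other):  # "plain" + tracked also propagates
        return Tracked(str.__add__(str(other), self),
                       self.policies | Tracked.policies_of(other))

    def __getitem__(self, key):
        return Tracked(str.__getitem__(self, key), self.policies)


def concat(*parts):
    """Join any mix of plain and tracked strings, propagating every policy."""
    pols = frozenset().union(*(Tracked.policies_of(p) for p in parts))
    return Tracked("".join(str(p) for p in parts), pols)


def send_mail(to, body, outbox):
    """Filter object on the email output boundary.  Every policy attached to
    the body is consulted before the data leaves; a real filter would wrap
    the SMTP call, here the outbox list stands in for the network."""
    for policy in Tracked.policies_of(body):
        policy.export_check({"channel": "email", "to": to})
    outbox.append((to, str(body)))


# Constructed sample account.  The policy is attached where the secret is
# created, so it follows the password through the rest of the application.
ACCOUNTS = {}


def store_password(email, password):
    ACCOUNTS[email] = Tracked(password, [PasswordPolicy(email)])


store_password("alice@example.com", "hunter2")


def attempt_reset(account, to):
    """Models a password-reset handler whose recipient comes from the request
    instead of the account record (a classic data flow bug).  Returns
    ("sent", outbox) or ("blocked", reason); the assertion, not the handler's
    own logic, is what stops the password going to the wrong address."""
    outbox = []
    body = concat("Hello, your password is: ", ACCOUNTS[account], "\n")
    try:
        send_mail(to, body, outbox)
    except PolicyViolation as e:
        return ("blocked", str(e))
    return ("sent", outbox)


if __name__ == "__main__":
    print(attempt_reset("alice@example.com", "alice@example.com"))
    print(attempt_reset("alice@example.com", "mallory@example.com"))
```

The point of the pattern is that the reset handler contains no security check of its own: the bug that sends the password to a request-controlled address is still there, yet the export is refused because the policy travels with the data and the filter at the mail boundary consults it. A subclass that overrides a handful of operators only covers the operations it overrides (here concatenation and slicing), which is why the abstract describes tracking as a language-level mechanism in the runtime rather than as a library.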
