Dynamic Code Evaluation & Taint Analysis Prof. Tom Austin San - PowerPoint PPT Presentation

CS 152: Programming Language Paradigms Dynamic Code Evaluation & Taint Analysis Prof. Tom Austin San José State University

Parsing JSON (in-class)

Review: additional Ruby eval methods • instance_eval evaluates code within the body of an object. • class_eval evaluates code within the body of a class. • These methods can take a string or (more safely) a block of code.

class_eval example (in class)

The mind of a developer What does my code Stupid need to do? documentation Hmm… I wonder if my code is secure

Web Security in the News

How do companies/developers cope? • Train/shame developers to follow best practices. • Hire security experts • Use analysis tools • Hush up mistakes • Budget to handle emergencies • Bury their heads in the sand.

Secure By Architecture Developers make mistakes. Can we design tools to create secure systems, despite developer mistakes?

Success story: memory-safe languages • Buffer overflows were once ubiquitous • Memory-safe languages manage memory automatically – Developer focus on functionality – Security-critical bugs are eliminated • Buffer overflows have virtually disappeared – Except in your OS, web browser, etc.

Three Security Mechanisms • Taint analysis : – protect critical fields from "dirty" data • Information flow analysis : – Prevent secrets from leaking.

Taint Analysis: Protecting against dirty data

Taint analysis • Taint analysis focuses on integrity: – does "dirty" data corrupt trusted data? • Integrated into Perl and Ruby • Handles explicit flows only – direct assignment – passing parameters

Attacks preventable by taint analysis • Data under the control of the user may pose a security risk – SQL injection – cross-site scripting (XSS) – cross-site request forgery (CSRF) • Taint tracking tracks untrusted variables and prevents then from being used in unsafe operations

Taint Tracking History • 1989 – Perl 3 support for a taint mode • 1996 – Netscape included support for a taint mode in server-side JavaScript – Later abandoned • Ruby later implemented a taint mode; we'll review in more depth.

Taint Mode in Ruby • Protect against integrity attacks. – E.g. Data pulled from an HTML form cannot be passed to eval . • Cannot taint booleans or ints. • Multiple ways to run in safe mode: – Use –T command line flag. – Include $SAFE variable in code.

$SAFE levels in Ruby • 0 – No checking (default) • 1 – Tainted data cannot be passed to eval – Cannot load/require new files • 2 – Can't change, make, or remove directories • 3 – New strings/objects are automatically tainted – Cannot untaint tainted values • 4 – Safe objects become immutable

s = "puts 4-3".taint $SAFE = 1 # Can't eval tainted data s.untaint # Removes taint from data puts s.tainted? eval s $SAFE = 3 s2 = "puts 2 * 7" # Tainted s2.untaint # Won't work now eval s2 eval s # this is OK

# Data from web s = "Robert'); DROP TABLE " + "STUDENTS;--" s .taint exec_query("SELECT *" + " FROM STUDENTS" + " WHERE NAME='" + s + "';"

class Record def exec_query(query_str) if query_str. tainted? puts "Err: tainted string" else # Perform the query ... end end end

Information Flow Analysis H er ere be d e be dragon ons…

Information Flow Analysis • Related to taint analysis • F ocuses on confidentiality: – does secret data leak to public channels? • Assumes attacker controls some code • Must consider implicit flows – can the attacker deduce secrets?

Challenge of Securing Information Sensitive Data Private Channel Policy : Keep location of the spray paint can from leaking to public channels. Developer Public Channel

Challenge of Securing Information if (chan.police){ Sensitive Data write(chan, spraycanLocation); Private Channel } if (chan.police){ write(chan, spraycanLocation); } Developer Public Channel

New System Requirements if (chan.police){ Sensitive Data write(chan, spraycanLocation); Private Channel } if (chan.police){ write(chan, spraycanLocation); } Developer write(chan, spraycanLocation); Public Channel New Developers

Information Leaked

Additional Information Flow Challenges Applications often make use of 3 rd party libraries of questionable quality... …or have vulnerabilities to code injection attacks... …so we must assume that the attacker is able to inject code into our system.

Information Flow Analysis in Action Sensitive Data Private Channel Public Data Public Channel

Information Flow Analysis in Action Sensitive Data Private Channel Public Data Public Channel

Termination-Insensitive Non-Interference Sensitive Data Private Channel Public outputs do not depend on private inputs Public Data Public Channel

Explicit and Implicit Flows spraycanLocation = "Kwik-E-Mart" police ; Location is only visible to the police. x = spraycanLocation ; Explicit flow from spraycanLocation to x . if (x.charAt(0) < 'N') { firstCharMax = 12; Implicit flow from x to firstCharMax . }

Business Security Core Functionality Domain Expert Expert label: police chan: police Enforcement Mechanism write(chan, spraycanLocation); Label Data Attach label police to spraycanLocation Developer

Business Security Core Functionality Domain Expert Expert label: police chan: public Enforcement Mechanism write(chan, spraycanLocation); Label Data Attach label police to DENIED spraycanLocation Developer

Denning-style Static Analysis • Certification process, perhaps integrated into a compiler. • Data can flow down the lattice • Programs can be guaranteed to be secure before the program is ever executed.

Static Analysis Certification var secret = true bank ; • Analysis ensures var y = true; that private data if (secret) does not affect y = false; public data. var leak = true; • In this example, if (y) y 's final value leak = false; depends on x . • [Denning 1976]

Purely Dynamic Info Flow Controls • Instrument interpreter with runtime controls • Implicit flows can be handled by: – Ignoring unsafe updates – Crashing on unsafe updates – Leaking some data (not satisfying noninterference)

A Tainting Approach One obvious strategy: if a public variable is updated in a private context, make it private as well. var secret = true bank ; var y = true; if (secret) Set y=false bank y = false;

Challenges With Implicit Flows var secret = true bank ; secret=false bank var y = true; if (secret) y=false bank y = false; y=true var leak = true; if (y) leak = false; leak=false leak=true

Dynamic Monitors Reject Executions var secret = true bank ; var y = true; if (secret) y = false; Execution terminates to protect the value of secret . Zdancewic 2002

Secure Multi-Execution Executes program multiple: • High execution – Sees all information – Only writes to authorized channels • Low execution – Only sees public data – Writes to public channels – Confidential data replaced with default values.

Original Program var pass = mkSecret("scytale"); if (pass[0]==("s")) write(chan,"s"); Low Execution Program High Execution Program var pass=""; var pass="scytale"; if (pass[0] if (pass[0] ==("s")) ==("s")){ write(chan, write(chan, "s"); "s");

Secure Multi-Execution High execution Private inputs Private outputs Dummy Values Public Public inputs outputs Low execution

Lab: Taint tracking Today's lab explores taint tracking in Ruby. Starter code is available on the course website. Details in Canvas.