improving security using data flow assertions
play

Improving security using data flow assertions Alex Yip, Xi Wang, - PowerPoint PPT Presentation

Apr 26, 2023 •334 likes •912 views

Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans Kaashoek MIT CSAIL Many security vulnerabilities caused by programming errors Attack vector Percentage SQL injection 20.4% Cross-site scripting

  1. Improving security using data flow assertions Alex Yip, Xi Wang, Nickolai Zeldovich , Frans Kaashoek MIT CSAIL

  2. Many security vulnerabilities caused by programming errors Attack vector Percentage SQL injection 20.4% Cross-site scripting 14.0% Buffer overflow 9.5% Directory traversal 6.6% Script eval injection 5.0% Missing access checks 4.6% ( … long tail of others … ) 39.8% Top 6 classes of security vulnerabilities found in 2008 [CVE]

  3. Many security vulnerabilities caused by programming errors ● SQL injection: attacker's input used in SQL query ● XSS: attacker's input used in HTML page ● Directory traversal: attacker-supplied path has “..” ● Script injection: attacker's input executed as code ● Missing ACL: sensitive data sent without check

  4. Common programming error: missing checks … … … … … … Application … …

  5. Common programming error: missing checks … … … … … … Application … …

  6. SQL injection attack Stored … query … Attacker's browser … … Application … SQL database ● Goal: quote user input before using in SQL

  7. SQL injection attack Stored … query … Attacker's browser … … Application … SQL database ● Goal: quote user input before using in SQL

  8. Missing access control check Attacker's … browser … … … … Application … Protected file ● Goal: check ACL when sending file to user

  9. Missing access control check Attacker's … browser … … … … Application … Protected file ● Goal: check ACL when sending file to user

  10. Cross-site scripting attack … … Attacker's … browser Victim's … Application browser … … ● Goal: remove Javascript from user input before using in HTML

  11. Cross-site scripting attack … … Attacker's … browser Victim's … Application browser … … ● Goal: remove Javascript from user input before using in HTML

  12. Challenge: knowing where to check … … Attacker's … browser Victim's … Application browser … … ● Today: invoke check on all paths from source to sink ● Easy to miss one (out of 572 in phpBB, a popular web app) ● Security check cannot be made based on data alone ● At the source, don't know where data is going yet ● At the sink, don't know where data came from

  13. Approach: Associate checks with data ● Assume trusted runtime & non-malicious app code ● Programmers tag data with assertions at source ● Track assertions when data is copied or moved ● Assertions checked at the sinks

  14. Example bug: HotCRP password disclosure

  15. Example bug: HotCRP password disclosure

  16. Example bug: HotCRP password disclosure From: tom@cs.washington.edu To: nickolai@csail.mit.edu Dear Nickolai Zeldovich, Here is your account information: Email: nickolai@csail.mit.edu Password: cluprerast

  17. Example bug: HotCRP password disclosure ● Helpful feature: email preview mode ● Display emails instead of sending them ● Useful to fine-tune messages sent to everyone

  20. Programmer has a security plan ● Programmers often have a data flow plan in mind ● Sanitize HTML; only send password to user's email ● Hard: plan must be enforced everywhere

  21. Programmer has a security plan ● Programmers often have a data flow plan in mind ● Sanitize HTML; only send password to user's email ● Hard: plan must be enforced everywhere ● Challenge: many flow paths, easy to miss one ● phpBB: 572 calls to check for cross-site scripting

  22. Programmer has a security plan ● Programmers often have a data flow plan in mind ● Sanitize HTML; only send password to user's email ● Hard: plan must be enforced everywhere ● Challenge: many flow paths, easy to miss one ● phpBB: 572 calls to check for cross-site scripting ● Challenge: 3rd-party developers don't know plan ● phpBB: 879 plug-ins written by 505 programmers

  23. Our approach: Allow programmers to make security plan explicit ● Resin : modified language runtime (Python, PHP) ● Programmer specifies explicit data flow assertions ● Runtime checks assertion on every source→sink path ● Assertion prevents attacker from exploiting missing check ● Not a bug-finding tool; prevents exploits at runtime

  24. Challenges and ideas ● Plan: “only send this password to nickolai@mit.edu” ● How would we check if a program obeys this plan? ● How would the programmer express this assertion?

  25. Challenges and ideas ● Plan: “only send this password to nickolai@mit.edu” ● How would we check if a program obeys this plan? ● Associate the assertions with data (e.g. password) ● Track assertions along with data in language runtime ● Check at programmer-defined boundaries – E.g. external I/O (file, network), when data leaves our control ● How would the programmer express this assertion?

  26. Challenges and ideas ● Plan: “only send this password to nickolai@mit.edu” ● How would we check if a program obeys this plan? ● Associate the assertions with data (e.g. password) ● Track assertions along with data in language runtime ● Check at programmer-defined boundaries – E.g. external I/O (file, network), when data leaves our control ● How would the programmer express this assertion? ● Express using code – simple, general-purpose ● Programmers can reuse code, data structures

  27. Example: Preventing HotCRP's bug in Resin Pipe to sendmail for nickolai@mit.edu “myPassw0rd” HTTP conn to browser SQL database Resin Language Runtime World-readable log file

  28. Programmer attaches a policy object to a string Pipe to sendmail for nickolai@mit.edu “myPassw0rd” HTTP conn to browser Policy: Only email to nickolai@mit.edu SQL database Resin Language Runtime World-readable log file

  29. Programmer attaches filter objects to security boundaries Pipe to sendmail for nickolai@mit.edu Filter “myPassw0rd” HTTP conn to browser Policy: Filter Only email to nickolai@mit.edu Filter SQL database Filter Resin Language Runtime World-readable log file

  30. Runtime propagates policies for strings Pipe to sendmail for nickolai@mit.edu Filter “myPassw0rd” HTTP conn to browser Policy: Filter Dear Nickolai Zeldovich, Only email to nickolai@mit.edu Here is your account info Email: nickolai@mit.edu Filter Password: myPassw0rd SQL database Filter Resin Language Runtime World-readable log file

  31. Runtime propagates policies for strings Pipe to sendmail for nickolai@mit.edu Filter “myPassw0rd” HTTP conn to browser Policy: Filter Dear Nickolai Zeldovich, Only email to nickolai@mit.edu Here is your account info Email: nickolai@mit.edu Filter Password: myPassw0rd Policy: Only email to SQL database nickolai@mit.edu Filter Resin Language Runtime World-readable log file

  32. Filters check assertions by invoking policy objects Pipe to sendmail for nickolai@mit.edu Filter “myPassw0rd” HTTP conn to browser Policy: Filter Dear Nickolai Zeldovich, Only email to X nickolai@mit.edu Here is your account info X Email: nickolai@mit.edu Filter Password: myPassw0rd Policy: X Only email to SQL database nickolai@mit.edu Filter Resin Language Runtime World-readable log file

  33. Assertions avoid the need to understand all code Pipe to sendmail for nickolai@mit.edu Third-party Filter email module “myPassw0rd” HTTP conn X to browser Policy: Filter Dear Nickolai Zeldovich, Only email to nickolai@mit.edu Here is your account info X Email: nickolai@mit.edu Filter Password: myPassw0rd Policy: Only email to SQL database nickolai@mit.edu Filter Resin Language Runtime World-readable log file

  34. PHP code for HotCRP's policy class PasswordPolicy extends Policy { private $user; function __construct($username) { $this->user = $username; } function export_check($context) { if ($context[‘type’] == “mail” && $context[‘rcpt’] == $this- >user) return; if ($Me->valid() && $Me->privChair) return; throw new Exception (“unauthorized disclosure”); } }

  35. PHP code for HotCRP's policy class PasswordPolicy extends Policy { private $user; Stores owner's username (email address in HotCRP) function __construct($username) { $this->user = $username; } function export_check($context) { if ($context[‘type’] == “mail” && $context[‘rcpt’] == $this- >user) return; if ($Me->valid() && $Me->privChair) return; throw new Exception (“unauthorized disclosure”); } }

  36. PHP code for HotCRP's policy class PasswordPolicy extends Policy { private $user; Filter consults policy; function __construct($username) { context provided by filter $this->user = $username; at security boundary } function export_check($context) { if ($context[‘type’] == “mail” && $context[‘rcpt’] == $this- >user) return; if ($Me->valid() && $Me->privChair) return; throw new Exception (“unauthorized disclosure”); } }

Recommend

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

CS 240 Stage 2 Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging Machine code, assembly language, program translation Control flow Procedures, stacks Data layout, security, linking and loading Program,

822 views • 29 slides
Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging

CS 240 Stage 2 Hardware-Software Interface Memory addressing, C language, pointers Assertions, debugging Machine code, assembly language, program translation Control flow Procedures, stacks Data layout, security, linking and loading Program,

415 views • 30 slides
Model Assertions for Monitoring and Improving ML Models Daniel Kang* , , Deepti Raghavan*, Peter

Model Assertions for Monitoring and Improving ML Models Daniel Kang* , , Deepti Raghavan*, Peter

Model Assertions for Monitoring and Improving ML Models Daniel Kang* , , Deepti Raghavan*, Peter Bailis, Matei Zaharia DAWN Project, Stanford InfoLab http://dawn.cs.stanford.edu/ 1 Machine learning is deployed in mission-critical settings with

952 views • 37 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

Assertions assertions communicate assumptions about the state of the program, and stop processing if they turn out to be false very often comments are statements about the state Assertions the program should be in but assertions can

61 views • 3 slides
Company Introduction Improving the security and performance of your data centres, networks and

Company Introduction Improving the security and performance of your data centres, networks and

SOLUTIONS & SUPPORT PROFESSIONAL & MANAGED SERVICES Company Introduction Improving the security and performance of your data centres, networks and applications Network Data Cyber Application Network Test www.phoenixdatacom.com

476 views • 10 slides
Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F.

Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F.

Mark Thober June 14, 2007 Improving Usability of Information Flow Security in Java Mark Thober Joint work with Scott F. Smith Department of Computer Science Johns Hopkins University PLAS 07 1 Mark Thober June 14, 2007 Motivation

580 views • 37 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee,

Enforcing Kernel Security Invariants with Data Flow Integrity Chengyu Song , ByoungyoungLee, Kangjie Lu, William Harris, Taesoo Kim, Wenke Lee Institute for Information Security & Privacy Georgia Tech Kernel Memory Corruption Vulnerability

493 views • 24 slides
Flow++: Improving Flow-Based Generative Models with Variational Dequantization and Architecture

Flow++: Improving Flow-Based Generative Models with Variational Dequantization and Architecture

Flow++: Improving Flow-Based Generative Models with Variational Dequantization and Architecture Design Jonathan Ho*, Xi Chen*, Aravind Srinivas, Yan Duan, Pieter Abbeel Overview - Goal: likelihood-based model with Fast sampling and training -

363 views • 11 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a

Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a

Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a contract n Specifying what each method does q Specify it in a comment before method's header n Precondition q What is assumed to be true

625 views • 33 slides
Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like

Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like

Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like constraints: Recall: state IN {'IA', 'MN', 'WI', 'MI', 'IL'} But can reference all tables Defined by: CREATE ASSERTION <name>

552 views • 30 slides
Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security

Information Flow Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Information Flow 3 Many security requirements can be formulated as what information flow is allowed/disallowed E.g., confidential data should not

478 views • 27 slides
1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

1 Ways to improve data-flow analysis efficiency Example (liveness) 1st 2nd 3rd

Speeding Up Data-Flow Analysis Solving the Data-flow Equations Last time Algorithm Various optimizations that use data-flow analysis for each node n in CFG initialize solutions in[n] = ; out[n] = Today repeat Speeding up

418 views • 4 slides
Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful

Flow Analysis Data-flow analysis, Control-flow analysis, Abstract interpretation, AAM Helpful Reading: Sections 1.1-1.5, 2.1 Data-flow analysis (DFA) A framework for statically proving facts about program data. Focuses on simple, finite

1.04k views • 54 slides
1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

1 Liveness by Example (cont) Control Flow Graphs (CFGs) Live range of a Definition a is live

Introduction to Data-flow analysis Data-flow Analysis Last Time Idea Undergraduate compilers review Data-flow analysis derives information about the dynamic behavior of a program by only examining the static code Assem.Instr data

903 views • 4 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Fl Flow data d t Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow St d ti d d t fl Direct vs. indirect flow

957 views • 92 slides
Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation

Flow Visualization Overview: Flow Visualization (1) Introduction, overview Flow data Simulation vs. measurement vs. modelling 2D vs. surfaces vs. 3D Steady vs time-dependent flow Direct vs. indirect flow visualization Experimental flow

1.18k views • 92 slides
Information Flow Security DD2460 Software Safety and Security: Part III, lecture 1 Gurvan Le

Information Flow Security DD2460 Software Safety and Security: Part III, lecture 1 Gurvan Le

Information Flow Security DD2460 Software Safety and Security: Part III, lecture 1 Gurvan Le Guernic DD2460 (III, L1) February 14 th , 2012 C ONTEXT F ORMALIZATION C HANNELS , F LOWS AND L ABELS W RAP - UP Outline Information Flow Security deals

532 views • 35 slides
Data Flow Computing James Spooner, VP of Acceleration QCon, Finance Track, 08 March 2012

Data Flow Computing James Spooner, VP of Acceleration QCon, Finance Track, 08 March 2012

Acceleration in the Wild, with Data Flow Computing James Spooner, VP of Acceleration QCon, Finance Track, 08 March 2012 Acceleration in the Wild with Data Flow Deliberate, focused approach to improving application speed Involves adding

697 views • 48 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous

HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous

HW/SW Codesign w/ FPGAs Data Flow Modeling II ECE 522 Synchronous Data Flow Graphs Synchronous Data Flow (SDF) graphs refer to systems where the number of tokens consumed and produced per actor firing is fixed and constant The term synchronous

734 views • 17 slides
Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by

Data-flow analysis Introduction to data-flow analysis Michel Schinz based on material by Erik Stenman and Michael Schwartzbach Data-flow analysis Example: liveness Data-flow analysis is a global analysis framework that can be used to

635 views • 11 slides

More recommend