information flow control for the web
play

Information flow control for the web Prof. Frank PIESSENS Overview - PowerPoint PPT Presentation

Oct 15, 2022 •920 likes •2.25k views

Information flow control for the web Prof. Frank PIESSENS Overview The web platform Web script security: threats and countermeasures A formal model of web scripts Information flow security Secure multi-execution The

  1. attack.com good.com Determining existence of resources • By inserting remote entities in the DOM, Browser a script can trigger HTTP requests to other servers • By registering an event-handler for the onload event, the script can determine if that server exists / is accessible to the user of this specific browser

  2. good.com Injecting malicious scripts attacker • How can an attacker inject a script? Browser o By means of cross-site scripting (XSS) • By exploiting vulnerabilities similar to SQL injection vulnerabilities • Better name for XSS: script injection o By a variety of other means • Distributing a malicious advertisement • Hacking a website that hosts a widely used script • The site may support third-party extensions ( gadgets ) • ... • Once part of a page, the script can violate confidentiality and integrity of the page (and corresponding session)

  3. good.com Leaking information attacker • The SOP prevents scripts from directly connecting Browser to attacker-controlled servers • But scripts can include remote entities into the web page, leading to a HTTP request to a script-specified server • E.g. To leak the cookies of a page: • By including remote scripts, the attacker can even set up two-way communication ( JSONP )

  4. good.com Taking over the user’s session attacker • The script can initiate arbitrary requests to the Browser originating server o I.e. Blindly inject additional requests in the user session • Alternatively, the script can leak the session cookie (as shown before) o The attacker can now completely take over the user’s session

  5. Countermeasures • The two main countermeasures for script security are: o The design of the JavaScript API / browser o The Same-Origin-Policy enforcement by the browser • These handle mainly the two first threat scenarios ( ) attack. com and ( ) attack.c good.co om m Brows er Browser • Additional countermeasures for script injection are important

  6. Defensive server-side programming • Defensive programming protects against XSS vulnerabilities (cfr SQL injection) o E.g. input validation and output encoding good.com attacker Browser

  7. Content Security Policies • Content security policies o New W3C standard that lets the web app authors declare where they expect the client to load resources good.com attacker CSP Policy Browser

  8. Sandboxing • “Sandboxing” of JavaScript code o Limit the capabilities of an included script by means of a programmer provided policy good.com attacker Browser

  9. Information flow security • Information flow control for JavaScript o Limit how information can flow through scripts from sensitive sources to public sinks good.com attacker Browser

  10. Conclusions • The web is a very influential application platform • The technological complexity makes it vulnerable in many ways o Another instance of the attacker-defender race o Sometimes, vulnerabilities become features! • Many attack techniques are well understood, but new ones can be expected to surface • Similar attacks (and defenses) can be expected on the mobile platforms

  11. Further reading • Web platform and security: The Tangled Web: A Guide to Securing Modern Web Applications , M. o Zalewski www.owasp.org o • Web script security: Code Injection Vulnerabilities in Web Applications - Exemplified at Cross- o site Scripting , PhD thesis Martin Johns Content Security Policies: o • http://www.w3.org/TR/CSP/ JavaScript Sandboxing: o • L. Meyerovich , B. Livshits, ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser , IEEE Symposium on Security and Privacy, 2010 • P. Agten, S. Van Acker, Y. Brondsema, P. Phung, L. Desmet, F. Piessens: JSand: complete client-side sandboxing of third-party JavaScript without browser modifications. ACSAC 2012 JavaScript Information flow control: o • W. De Groef, D. Devriese, N. Nikiforakis, F. Piessens: FlowFox: a web browser with flexible and precise information flow control. ACM CCS 2012

  12. Overview • The web platform • Web script security: threats and countermeasures • A formal model of web scripts • Information flow security • Secure multi-execution • The FlowFox browser • Conclusions

  13. A very simple model of scripts • Inspired by: A. Bohannon, B. C. Pierce, et al. Reactive noninterference (CCS '09). • Syntax:

  14. Some example scripts • Example 1: • Example 2: • Example 3:

  15. Connection to real JavaScript

  16. Semantics:

  17. Semantic rules (part 1)

  18. Semantic rules (part 2)

  19. Executions of web scripts • A state is passive if the command-part is skip • One can prove: o Progress: a script is either in a passive state or it can make a step o The only non-determinism is in the inputs

  20. Example • Consider the program: • The following is an execution (showing only non-silent actions):

  21. Overview • The web platform • Web script security: threats and countermeasures • A formal model of web scripts • Information flow security • Secure multi-execution • The FlowFox browser • Conclusions

  22. Information flow security • Information flow control is a class of technical countermeasures that try to enforce that software can not leak information – not even indirectly! All kinds All kinds Untrusted SW of input of output

  23. Information flow security • Information flow control is a class of technical countermeasures that try to enforce that software can not leak information – not even indirectly! Private Private POLICY POLICY All kinds All kinds Untrusted SW of input of output Public Public

  24. Information flow security • Information flow control is a class of technical countermeasures that try to enforce that software can not leak information – not even indirectly! Private Private POLICY POLICY All kinds All kinds Untrusted SW of input of output Public Public

  25. Information flow security • Information flow control is a class of technical countermeasures that try to enforce that software can not leak information – not even indirectly! Private Private POLICY POLICY All kinds All kinds Untrusted SW of input of output Public Public

  26. Noninterference • Information flow security can be formalized as non- interference , which roughly says: o There are no two runs of the program that 1. Receive the same public inputs (but different private inputs), 2. And produce different public outputs • This definition can be generalized to an arbitrary partially ordered set of security levels It then ensures that information can only flow upward o in the lattice • But we restrict our attention to the set with two levels: Public (or Low, or L) and Private (or High, or H)

  27. Noninterference for web scripts • Policy should assign security levels to inputs and outputs o Inputs are the events o Outputs are the output actions • So a policy is a function σ that gives a security level to all event names and output method names • In examples, we will assume the following policy o KeyPress, Display are H o MouseClick, Load, Unload, Send are L

  28. Noninterference for web scripts

  29. Noninterference for web scripts

  30. Examples • The following program is interferent: • This can be seen as follows:

  31. Are the following scripts noninterferent?

  32. Are the following scripts noninterferent? • Termination-insensitivity: • Leaking before looping: • Possible solutions o Forbid non-terminating event handlers o More complex definition of non-interference

  33. How can we enforce non-interference? • Statically, for instance through typing o Basic idea: • Label variables as H or L • Compute the levels of expressions and control contexts • Make sure no low side effect (assignment to L variable or L output) happens in a H control context or dependent on a H expression. o For details: • Bohannon et al. (CCS 2009) for a reactive language like ours • Sabelfeld and Myers, Language-based information-flow security o BUT: • Not a good fit for web scripts, very difficult to scale to JavaScript

  34. [OPTIONAL]: An example of a type system • From Bohannon et al. , CCS 2009 • Typing of expressions: (intuition = the type is an upper bound for the secrecy of the expression)

  35. • Typing of commands: (Intuition = type of command is a lower bound for the secrecy of the effects it has)

  36. • See Bohannon et al. for a proof that well typedness implies non-interference

  37. How can we enforce non-interference? • Dynamically, by monitoring o Basic idea: • Give a security label to all data entering the program, and propagate that through assignments and control flow o For details for a JavaScript-like language, see: • Hedin, Sabelfeld, Information-flow security for a core of JavaScript (CSF 2012) • PhD Thesis Gurvan Le Guernic • This is an interesting technique to pursue for JavaScript, but dealing with exceptions, eval, higher-order functions and so forth is non-trivial.

  38. How can we enforce non-interference? • Dynamically, by secure multi-execution o Basic idea: • Execute the program once for every security level • Make sure high output is only done by the high execution, and high input is only given to the high execution • Non-interference follows easily and does not depend on the complexity of the programming language o For details see: • Devriese, Piessens, Non-interference through secure multi- execution, IEEE Symposium on Security and Privacy 2010 • We will work out this technique in detail for web scripts

  39. EXERCISES • Prove that web scripts are deterministic in our model, i.e., for any two event-complete executions that have the same list of input actions, these two executions are equal o A simple example of how to prove properties of scripts • Refine the definition of non-interference so that it covers the “leaking before looping” issue • Change the semantics of web scripts so that processing of one event can only take MAXSTEP steps. • The definition of non-interference also does not handle timing leaks. Give an example of a program that leaks high information through the timing channel

  40. Overview • The web platform • Web script security: threats and countermeasures • A formal model of web scripts • Information flow security • Secure multi-execution • The FlowFox browser • Conclusions

  41. Introduction • Information flow analysis has received much attention: o Static analysis methods: • From Denning to JIF/JFLow and FlowCaml • But: • Substantial programmer effort • In general undecidable statically o Dynamic methods, usually program monitors: • Many practical but unsound methods, some sound but not so practical methods • But: • Some use cases require sound methods (e.g. web page scripts) • Scaling sound monitors to complex languages is very challenging

  42. Introduction • Secure Multi-Execution is o A dynamic method for enforcing non-interference o With nice theoretical properties: • the first sound and precise enforcement method o With possibly bad performance (both in terms of execution time and memory use) o But it can be practical in some scenarios • Benchmarks on an implementation in JavaScript • Dominique Devriese, Frank Piessens, Non-interference through secure multi-execution, IEEE Symposium on Security and Privacy 2010

  43. Example: information flow control in Javascript var text = document.getElementById('email-input').text; var abc = 0; if (text.indexOf('abc') != -1) { abc = 1 }; var url = 'http://example.com/img.jpg' + '?t=' + escape(text) + abc; document.getElementById('banner-img').src = url;

  44. Example: information flow control in Javascript HIGH INPUT var text = document.getElementById('email-input').text; var abc = 0; if (text.indexOf('abc') != -1) { abc = 1 }; var url = 'http://example.com/img.jpg' + '?t=' + escape(text) + abc; document.getElementById('banner-img').src = url; LOW OUTPUT

  45. Example: information flow control in Javascript HIGH INPUT var text = document.getElementById('email-input').text; var abc = 0; Explicit if (text.indexOf('abc') != -1) flow Implicit { abc = 1 }; flow var url = 'http://example.com/img.jpg' + '?t=' + escape(text) + abc; document.getElementById('banner-img').src = url; LOW OUTPUT

  46. Secure Multi-Execution • Basic idea: o Run the program multiple times (once per security level) o If an execution at level l1 performs input at level l2, • If l1 < l2, feed it the default input • If l1=l2, do the actual input • If l1 > l2, wait for the execution at level l2 to do the input and reuse o Execution at level l only performs the outputs that go to a channel of level l

  49. Properties • “Obviously” sound: o Only execution at high level gets to see high inputs o Only execution at low level gets to output at low level • “Obviously” precise: o If a program really was non-interferent, then all executions (at all levels) will behave exactly the same

  50. Formalization • The original SME paper formalized SME for a simple imperative language with synchronous I/O, and proved: o Security: any program run under SME is (timing- and termination-sensitively!) noninterferent o Precision: any (termination-sensitively) noninterferent program has the same behaviour when executed with or without SME • See the paper for details • Let’s redo these results for our simple model of web scripts

  51. Recall our simple model of scripts • Syntax:

  52. Standard Semantics:

  53. SME Semantics:

  54. Examples • Executing the following program under SME • gives as executions: o KeyPress(10), KeyPress(20), … (i.e., the Send’s are suppressed) • SME fixes the execution

  55. Examples • Executing the following program:

  56. Examples • Executing the following program: • gives as executions: o KeyPress(10), Unload(10), Send(0) … (i.e., the Send’s happen but with default data) • Again, SME fixes the execution

  57. Examples • The following secure program • Has the same executions under SME as under standard semantics o KeyPress(10), Display(10), KeyPress(4), Display(4),… • SME is transparent for this program. • Is it transparent for this one?

  58. Examples • What about the following one?

  59. Examples • What about the following one? • Is changed, in the sense that outputs get reordered: o MouseClick(10), Send(10), Display(10), … • SME is not fully transparent for this program o This can be fixed by scheduling the L and H executions • See Rafnsson and Sabelfeld (CSF 2013) • But SME is transparent for observers that can only observe at a single level

  60. Security • Theorem: any script is non-interferent when executed under SME • Proof sketch: o Consider two arbitrary executions with o By induction on the length of the executions, one can prove that the L-parts of the program state remain in- sync o Since only the L-parts can produce L outputs, it follows that

  61. Precision • Theorem (precision for L observers): consider a noninterferent program p. Given an (event-complete) execution α under the standard semantics and an (event-complete) execution β under SME semantics. If α | I = β | I then α | L = β | L Proof sketch: o • the L execution under SME is isomorphic to a standard execution with the same low inputs • the L outputs are the same independent of the presence of H inputs because the program is noninterferent: • Theorem (precision for H observers): consider any program p. Given an (event-complete) execution α under the standard semantics and an (event-complete) execution β under SME semantics. If α | I = β | I then α | H = β | H Proof sketch: o • the H execution under SME is isomorphic to a standard execution with the same inputs

  62. The technique’s merits • On the plus side: o Very strong soundness guarantees o Very general (can deal with many language features) o Good precision o Dynamic: security levels can be assigned at run-time. o No programmer effort • On the down side: o Performance and memory cost • Further research needed: o Dealing with interferent programs o Declassification

  63. Overview • The web platform • Web script security: threats and countermeasures • A formal model of web scripts • Information flow security • Secure multi-execution • The FlowFox browser • Conclusions

  64. The FlowFox browser • Introduction • Design of FlowFox • Formal model and properties • Experimental evaluation o Compatibility o Performance • Conclusions

  65. Introduction • We now set out to integrate SME into a full-scale browser • Challenges: o Handling full JavaScript • Relatively easy thanks to the language independence of SME o Handling all script I/O • This is very challenging, as interactions between browser and scripts are complex • For full details, see the paper: o Willem De Groef, Dominique Devriese, Nick Nikiforakis, Frank Piessens, FlowFox: a web browser with flexible and precise information flow control (CCS 2012)

  66. Design of FlowFox • Key design decision: • FlowFox follows the left alternative • For the right alternative, see: o Bielova et al. Reactive non-interference for a browser model, NSS 2011 o Capizzi et al., Preventing Information Leaks through Shadow Executions, ACSAC 2008

  67. Example Synchronous API calls that can perform I/O • Script fragment: • L execution: Reuse of inputs • H execution:

  68. Example • Event handling: • Can be handled as in our simple script model before o But handlers can be set by scripts

  69. Summary • We need to deal with several additional complications compared to the simple script model we used before: o Synchronous API calls that perform I/O o Event handling where handlers can be set at runtime

  70. The FlowFox browser • Introduction • Design of FlowFox • Formal model and properties • Experimental evaluation o Compatibility o Performance • Conclusions

  71. The new script (or browser) model • Syntax:

  73. New semantic rules

  74. Example • Example executions: • Note how the cookie and the key code leak to the network

  75. Example • Leaking information through setting of event handlers

Recommend

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

with Deferrable constraints in Haskell through the tale of a Haskell information flow control

Gradually typed DSLs with Deferrable constraints in Haskell through the tale of a Haskell information flow control library Pablo Buiras, Alejandro Russo, Dimitrios Vytiniotis Information flow control 101 Non- interference:

465 views • 31 slides
Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi

Ni Nickel A Framework for Design and Verification of Information Flow Control Systems Helgi Sigurbjarnarson , Luke Nelson, Bruno Castro-Karney, James Bornholt, Emina Torlak, and Xi Wang .org Enforcing information flow control is critical

1.02k views • 58 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure

Secure Architecture Principles Information flow control 1 D. Denning and P. Denning Certification of Programs for Secure Information Flow (CACM 1976) Review Access Control Discretionary access control (DAC) Philosophy: users have

321 views • 16 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the

Motivation Intra-procedural analysis depends upon accurate control-flow information. In the presence of certain language features (e.g. indirect calls) it is nontrivial to predict accurately how control may flow at execution time the nave

594 views • 42 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Control flow Processor Control-Flow State Familiar C constructs Condition codes (a.k.a. flags ) if else l

191 views • 8 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program

Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program

Control-flow analysis ? ? ? ? ? Discovering information about how control (e.g. the program counter) may move through a program. Intra-procedural analysis An intra-procedural analysis collects information about the code inside a single

1.3k views • 53 slides
JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99) Presented by Daryl Zuniga Overview Information-flow: what and why JFlow: Intro JFlow: How it works JFlow: Characteristics and limitations

810 views • 53 slides
Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets)

Diagnostic Information for Control-Flow Analysis of Workflow Graphs (aka Free-Choice Workflow Nets) Cdric Favre(1,2), Hagen Vlzer(1), Peter Mller(2) (1) IBM Research - Zurich (2) ETH Zurich 1 Outline Problem - Control-flow analysis

624 views • 44 slides
Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy

Secure Information Flow ! Protecting the confidentiality of secret information Quantifying Information is a fundamental issue in computer security: Flow Using Min-Entropy Blood type: AB Birth date: 9/5/46 HIV: positive ! Access control and

399 views • 10 slides
Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay

Python language: Control Flow The FOSSEE Group Department of Aerospace Engineering IIT Bombay Mumbai, India FOSSEE Team (FOSSEE IITB) Control flow 1 / 32 Outline Control flow 1 Basic Conditional flow Control flow 2 Basic Looping

560 views • 37 slides
Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J.

Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J.

Optimal Control of Plane Poiseuille Flow Workshop on Flow Control, Poitiers 11-14th Oct 04 J. Mckernan , J.F .Whidborne , G.Papadakis Cranfield University, U.K. Kings College, London, U.K. Optimal Control of

572 views • 22 slides
Information Flow Control by Program Analysis Markus Mller-Olm Westflische

Information Flow Control by Program Analysis Markus Mller-Olm Westflische

Information Flow Control by Program Analysis Markus Mller-Olm Westflische Wilhelms-Universitt Mnster, Germany IFIP WG 2.2 Meeting Bordeaux, September 18-20, 2017 Context Work in progress from a joint project with Gregor Snelting

313 views • 19 slides
Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control

Control Flow Integrity Lujo Bauer 18-732 Spring 2015 Control Hijacking Arms Race Control Control Flow Flow Integrity Integrity Attacks Attacks 2 http://propercourse.blogspot.com/2010/05/i-believe-in-duct-tape.html CFI: Goal Provably

744 views • 41 slides
Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow

Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow

CIS330, Week 9 Processes, Exceptional Control Flow CSAPPe2, Chapter 8 Plan for Today Exceptional Control Flow Exceptions Process context switches Creating and destroying processes CIS330 Week 9 Control Flow Computers do Only One Thing

1.08k views • 85 slides
Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C.

Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C.

Flexible Dynamic Information Flow Control in Haskell Flexible Dynamic Information Flow Control in Haskell Deian Stefan 1 Alejandro Russo 2 John C. Mitchell 1 David Mazires 1 1 2 Haskell11 www.scs.stanford.edu/ deian/lio Flexible

820 views • 55 slides

More recommend