integrity and confidentiality in web applications jeff
play

Integrity and Confidentiality in Web Applications Jeff Johnson 1 - PowerPoint PPT Presentation

Nov 21, 2023 •244 likes •682 views

Integrity and Confidentiality in Web Applications Jeff Johnson 1 Where We're At We have been mostly focusing on Fixing vulnerabilities inherent to languages Finding/protecting against programmer follies Today we will look at

  1. Integrity and Confidentiality in Web Applications Jeff Johnson 1

  2. Where We're At • We have been mostly focusing on – Fixing vulnerabilities inherent to languages – Finding/protecting against programmer follies • Today we will look at security at a slightly different angle – Assume we have good programmers – Concern ourself with the environment in which the code is run – Focus on trust 2

  3. Security in Web Apps Client Server INTERNET Fast Response Slow Response Untrusted Trusted Exposed to User Secret 3

  4. Attack From the Client-Side function submitRPC(s) { if (validate(s)) { Trivial to circumvent ajaxWrapper.submit(s); validation! box.display(“submitted!”); } else { // bad input box.display(“bad input”); } } function submitRPC(s) { //if (validate(s)) { ajaxWrapper.submit(s); FireBug and/or Proxy box.display(“submitted!”); //} else { // bad input // box.display(“bad input”); //} } 4

  5. Attack From the Client-Side Bottom Line: NEVER trust ANYTHING Client gives you NEVER store secrets at the Client 5

  6. Web Apps: Current State of the Art • Write two closely-coupled programs glued together with AJAX – Client-side: Javascript – Server: Java, C#, etc. • Programmer reasons about security – Who should do what computations? • Remember: the client-side is so very responsive but so very untrusted – What data goes where? • This is difficult for many reasons 6

  7. Alleviating Stress: Two Approaches  Swift  Make the app's security requirements explicit  Use static checking to enforce  Secure by design  Ripley  Replicate untrusted computation in a trusted environment  Compare results to detect misbehaving clients 7

  8. Secure Web Applications via Automatic Partitioning S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, X. Zheng 8

  9. Swift  Key insight: reasoning about security is difficult because it is:  Across two entities  Not explicit  Not enforced or checked  Swift says: Write one program using security labels  Enforce security with a static checker  Compiler: split code between client and server based on labels 9

  10. Swift Overview 1) Write source with security labels (in Jif programming language) Swift 2) Check labels, source convert to WebIL code (what can go on client, server?) 3) Determine placement, Compiler convert to JS and Java Partitioner 4) Runtime Java Javascript server client code code 10

  11. Write Source Using Jif  Java-like syntax  Plus labels for specifying read/write capabilities between 'principals' Confidentiality policy int {bob -> alice} x; String {bob <- alice} s; Integrity policy 11

  12. Jif (2) Can strengthen/weaken policies as needed (dangerous but necessary): declassify change confidentiality of an expression or a statement endorse changes integrity of an expression or a statement 12

  13. Jif in Swift • Two principals – “*” denotes server – “client” denotes client • * is trusted – In Jif terms: * actsfor client • Bottom line – client sees data no greater than {* -> client} – client produces data no greater than {* <- client} 13

  14. Example: Labels int secret; int count; ... void guess(int i) { if (i == secret) { messageBox.display(“winner”); } else { count++; messageBox.display(“looser”); } } 14

  15. Labeling Variables int {*->*; *<-*} secret; int {*->client; *<-*} count; ... void guess(int i) { if (i == secret) { messageBox.display(“winner”); } else { count++; messageBox.display(“looser”); } } 15

  16. Labeling Methods int {*->*; *<-*} secret; int {*->client; *<-*} count; ... void guess {*->client} (int i) where authority(*) { if (i == secret) { messageBox.display(“winner”); } else { count++; messageBox.display(“looser”); } } 16

  17. Declassify int {*->*; *<-*} secret; int {*->client; *<-*} count; ... void guess {*->client} (int i) where authority(*) { if (i == secret) { declassify({*->*} to {*->client}) messageBox.display(“winner”); } else { count++; declassify({*->*} to {*->client}) messageBox.display(“looser”); } } 17

  18. Endorse int {*->*; *<-*} secret; int {*->client; *<-*} count; ... void guess {*->client} (int i) where authority(*) { if (i == secret) { declassify({*->*} to {*->client}) messageBox.display(“winner”); } else { endorse(i, {*<-client} to {*<-*}) count++; declassify({*->*} to {*->client}) messageBox.display(“looser”); } } 18

  19. Next Step: WebIL  Analyze source and verify the security specified by labels  Determine what data/computations can go where by transforming to WebIL  Not committing to placement yet  This step enforces and guarantees our security model expressed in source 19

  20. Example: Source to WebIL int {*->*; *<-*} secret; Sh int secret; int {*->client; *<-*} count; C?Sh int count; ... ... void guess {*->client} (int i) where authority(*) void guess(int i) { { if (i == secret) { Sh if (i == secret) { declassify({*->*} to {*->client}) messageBox.display(“winner”); C messageBox.display(“winner”); } else { } else { count++; endorse(i, {*<-client} to {*<-*}) C?Sh count++; C messageBox.display(“looser”); declassify({*->*} to {*->client}) } messageBox.display(“looser”); } } } C – Client S – Server ? – Optional h – high integrity 20

  21. Next Step: Partitioning  Goal: Place code to optimize performance without harming security  Main cost is network traffic  Approach:  Approximate weighted control flow graph over the whole program  Translate into an integer programming problem  Reduce to maximum flow problem  Solve 21

  22. Partitioning Message cost of edge e: STMT1 W e * ( X e + Y e ) where X e = 1 if STMT1 is on Client and STMT2 is on Server Y e = 1 if STMT1 is on Server and STMT2 is on Client e Minimize sum of message costs over the whole CFG while keeping the security policies in place STMT2 See the paper for more details... 22

  23. Result of Partitioning block1 (S): if (i == secret) goto block2; else goto block3; block2 (C): messageBox.display(“winner”); goto block5; block3 (SC): block3 (SC): count++; count++; goto block4; goto block4; block4 (C): messageBox.display(“looser”); goto block5; block5 (SC): block5 (SC): // end // end SERVER CLIENT 23

  24. Last Step: Translation Located WebIL code Java client code Java Swift Java Javascript Swift GWT servlet server server client client runtime HTTP framework runtime code code runtime library Web Browser Web Server 24

  25. Swift Runtime 25

  26. Evaluation 26

  27. Discussion • The good – Security policies are explicit and checked – One program makes it easier to reason about security – Minimizes network traffic • The bad – Labeling is verbose and slightly confusing (~20-30% of lines are annotated) – Difficult to retrofit legacy code (that may already be split) – Still only as good as the programmer's ability to reason about security 27

  28. Do Better? • Can we ensure confidentiality and integrity without creating extra work for the programmer? • Confidentiality – no (why not?) – programmer must mark confidential information as being such • Integrity – yes 28

  29. Integrity • Integrity is directly tied to the location of computation • Solution: move untrusted computation to trusted location – Move client-side computation to server • But then we loose performance... – Better: replicate client-side computations on server, compare results 29

  30. Ripley: Automatically Securing Web 2.0 Applications Through Replicated Execution K. Vikram, A. Prateek, B. Livshits 30

  31. Ripley Execution Model CLIENT SERVER EVENTS Client Events (Clicks, etc.) Replay Events COMPUTATION COMPUTATION (Generate RPC) (Generate RPC) RPC Send RPC to Server Compare Results DOESN'T MATCHES MATCH Pass to Server Terminate Session 31

  32. What Ripley Does and Doesn't Do • Ripley ensures integrity of Client-run code • Protects against any attacks involved in manipulating client-side code/state that results in malformed RPCs – Remember example from before • Not for protecting against malformed input that is accepted by the client and server code – Ripley protects the developer-intended protection for the application 32

  33. Implementation Workflow Volta Program TIER-SPLITTING Client (C) .NET IL Server (S) .NET IL IL to JS INSTRUMENT to ADD Ripley layer capture events Mirror (C') .NET IL Client (C) JS S + Ripley 33

  34. Volta Writing one program (similar to Jif) class C1 { [RunAt(“server”)] void foo(){...} class C2 { void bar(){...} void baz(){...} } void faz(){...} } 34

  35. Volta Advantages • Write one program • Glue together with RPCs • No funny JS (e.g. innerHTML editing) • Produces fast Client mirror (C) in .NET IL 35

  36. C' Instrumentation • Intercept primitive and custom events via bytecode rewriting • Transfer events to server – Batch: Queue events, send packet-sized set – Flush queue when client generates an RPC call Event { type, DOM object id, other info } Client (C') JS RPC 36

  37. Adding Ripley Checker to S EVENTS RPC RPC Ripley Server (S) Response Response Response EVENTS RPC Client Mirror (C) 37

Recommend

Mobile Systems Availability Mobile Systems Availability Integrity and Confidentiality Integrity

Mobile Systems Availability Mobile Systems Availability Integrity and Confidentiality Integrity

Mobile Systems Availability Mobile Systems Availability Integrity and Confidentiality Integrity and Confidentiality MoSAIC MoSAIC M.O.Killijian, D.Powell, M.Bantre, P.Couderc, Y.Roudier LAAS-CNRS - IRISA- Eurcom Context Context 3

159 views • 14 slides
InterMAClib: Beyond Confidentiality and Integrity in Practice Torben B. Hansen

InterMAClib: Beyond Confidentiality and Integrity in Practice Torben B. Hansen

InterMAClib: Beyond Confidentiality and Integrity in Practice Torben B. Hansen @n_tbh Joint work with Martin R. Albrecht @martinralbrecht Kenneth G. Paterson @kennyog Information Security Group Centre

302 views • 18 slides
Other threats Threat model (beyond TLS) TLS = confidentiality, integrity, authenticity

Other threats Threat model (beyond TLS) TLS = confidentiality, integrity, authenticity

Other threats Threat model (beyond TLS) TLS = confidentiality, integrity, authenticity Metadata leaks Resource starvation Topic Virtual Private Networks (VPNs) Run as closed networks on Internet Use IPSEC to secure messages

736 views • 30 slides
Other defenses Threat model (beyond TLS) TLS = confidentiality, integrity, authenticity

Other defenses Threat model (beyond TLS) TLS = confidentiality, integrity, authenticity

Other defenses Threat model (beyond TLS) TLS = confidentiality, integrity, authenticity Metadata leaks Resource starvation Topic Virtual Private Networks (VPNs) Run as closed networks on Internet Use IPSEC to secure

605 views • 38 slides
Introduction to Cryptology: confidentiality, integrity, authenticity 2015/12 Yaound,

Introduction to Cryptology: confidentiality, integrity, authenticity 2015/12 Yaound,

Introduction to Cryptology: confidentiality, integrity, authenticity 2015/12 Yaound, Cameroun Damien Robert quipe LFANT, Inria Bordeaux Sud-Ouest Institut de Mathmatiques de Bordeaux quipe MACISA, Laboratoire International de

753 views • 53 slides
AuraConf: A Unified Approach to Authorization and Confidentiality Jeff Vaughan Department of

AuraConf: A Unified Approach to Authorization and Confidentiality Jeff Vaughan Department of

AuraConf: A Unified Approach to Authorization and Confidentiality Jeff Vaughan Department of Computer Science University of California, Los Angeles TLDI January 25, 2011 Some attackers dont play fair. playFor: (s: Song) (p: prin )

841 views • 83 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality

CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality

CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality Keeping information secret from those who should not be able to see it Integrity Two portions: Data integrity: has the content of

680 views • 19 slides
On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage

On Protecting Integrity and Confidentiality of Cryptographic File System for Outsourced Storage Aaram Yun , Chunhui Shi, Yongdae Kim University of Minnesota CCSW 2009, 13 Nov 2009 Cryptographic network file system How to achieve a

348 views • 16 slides
CREDENTIALS PRESENTATION Corporate Advisory Solutions INTEGRITY, CONFIDENTIALITY, EXPERIENCE

CREDENTIALS PRESENTATION Corporate Advisory Solutions INTEGRITY, CONFIDENTIALITY, EXPERIENCE

CREDENTIALS PRESENTATION Corporate Advisory Solutions INTEGRITY, CONFIDENTIALITY, EXPERIENCE ABOUT CORPORATE ADVISORY SOLUTIONS CAS is a merchant bank based in Philadelphia and Washington, D.C., specializing in M&amp;A, and strategic advisory

338 views • 13 slides
Applications &amp; Usage A Brief Insight Scenario :: Identification, Authentication &amp; Non-

Applications &amp; Usage A Brief Insight Scenario :: Identification, Authentication &amp; Non-

Public Key Applications &amp; Usage A Brief Insight Scenario :: Identification, Authentication &amp; Non- :: Authenticity, e-business transaction Repudiation requirements for electronic :: Confidentiality and Integrity requirements ::

252 views • 11 slides
Constrained Environments Ted Hromadka 1 and Cameron Hunt 2 1 Integrity Applications Incorporated

Constrained Environments Ted Hromadka 1 and Cameron Hunt 2 1 Integrity Applications Incorporated

= Prototyping Vision-Based Classifiers in Constrained Environments Ted Hromadka 1 and Cameron Hunt 2 1 Integrity Applications Incorporated , 2 SOFWERX (DEFENSEWERX, Inc.) Presented at GTC 2018 Integrity Applications Incorporated &lt; &gt;

429 views • 28 slides
KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR

KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR KILOBAR KILOBAR KILOBAR INTEGRITY KILOBAR INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY INTEGRITY Blockchain &amp; Security Ruth Crowell, Chief Executive Asia Pacific Precious Metals

460 views • 10 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
Verena: End-to-End Integrity Protection for Web Applications IEEE Security &amp; Privacy 2016

Verena: End-to-End Integrity Protection for Web Applications IEEE Security &amp; Privacy 2016

Verena: End-to-End Integrity Protection for Web Applications IEEE Security &amp; Privacy 2016 Nikos Karapanos, Alexandros Filios, Raluca Ada Popa, Srdjan Capkun Information Integrity is Critical for Decision Making EKG, EKG, heart rate,

534 views • 15 slides
Alice and Bob want to communicate securely Achieve confidentiality and

Alice and Bob want to communicate securely Achieve confidentiality and

Alice and Bob want to communicate securely Achieve confidentiality and integrity/authenticity Both know each others public key Example: A-&gt;B: E Bob (M), S Alice (M) Works, but expensive Recall hybrid encryption

488 views • 16 slides
Using Messaging Protocols to Build Mobile and Web Applications Jeff Mesnil Jeff Mesnil

Using Messaging Protocols to Build Mobile and Web Applications Jeff Mesnil Jeff Mesnil

Using Messaging Protocols to Build Mobile and Web Applications Jeff Mesnil Jeff Mesnil Software Engineer at Red Hat Core developer on WildFly Application Server, lead for its messaging component Developed messaging brokers (HornetQ,

965 views • 82 slides
Information security has relied upon the following pillars: Confidentiality only allow

Information security has relied upon the following pillars: Confidentiality only allow

Security &amp; Knowledge Management a.a. 2019/20 Information security has relied upon the following pillars: Confidentiality only allow access to data for which the user is permitted Integrity ensure data is not tampered or

657 views • 52 slides
Confidentiality &amp; Disclaimer Confidentiality The recipient of the information contained in

Confidentiality &amp; Disclaimer Confidentiality The recipient of the information contained in

Confidentiality &amp; Disclaimer Confidentiality The recipient of the information contained in this presentation, in receiving it, agrees not to copy or disclose any of its contents to third parties without the written consent of Kendeil

790 views • 34 slides
Confidentiality &amp; Disclaimer Confidentiality The recipient of the information contained in

Confidentiality &amp; Disclaimer Confidentiality The recipient of the information contained in

Confidentiality &amp; Disclaimer Confidentiality The recipient of the information contained in this presentation, in receiving it, agrees not to copy or disclose any of its contents to third parties without the written consent of Kendeil

952 views • 33 slides
May 1: Integrity Models Biba Clark-Wilson Comparison Trust models May 1, 2017 ECS

May 1: Integrity Models Biba Clark-Wilson Comparison Trust models May 1, 2017 ECS

May 1: Integrity Models Biba Clark-Wilson Comparison Trust models May 1, 2017 ECS 235B Spring Quarter 2017 Slide #1 Integrity Overview Requirements Very different than confidentiality policies Biba s models

514 views • 33 slides
Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications

Control-Flow Integrity Principles, Implementations, and Applications 2634 2528 2690 CFI: Goal Provably correct mechanisms

540 views • 26 slides
Le Lecture 15 15 Access Control 1 Recall: Secu curity Service ces Confidentiality: to

Le Lecture 15 15 Access Control 1 Recall: Secu curity Service ces Confidentiality: to

Le Lecture 15 15 Access Control 1 Recall: Secu curity Service ces Confidentiality: to assure information privacy and secrecy Authentication: to assert who created or sent data Integrity: to show that data has not been altered

656 views • 32 slides
will be posted on the LBAB website soon! Confidentiality Reminder of Confidentiality: Board

will be posted on the LBAB website soon! Confidentiality Reminder of Confidentiality: Board

This presentation will be posted on the LBAB website soon! Confidentiality Reminder of Confidentiality: Board members and staff are not at liberty to discuss application files, criminal background checks, or other matters that occur in

961 views • 51 slides
Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Security &amp; Knowledge Management a.a. 2019/20 Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed just by permitted users Integrity Not tampered by not permitted users Availability

558 views • 21 slides

More recommend