Tradition Sandstorm 95% of CVEs?
Research Report: Mitigating LangSec Problems With Capabilities
Or: How Sandstorm Taught Me to Stop Worrying and Love the Web
Nathaniel Wesley Filardo
May 26, 2016
1 / 14

One-Slide Elevator Pitch
Actually two, related, pitches:
• Sandstorm’s capability-based design enables very fine-grained sandboxing of application software, which largely (sometimes completely!) mitigates the majority of LangSec bugs seen in practice.
• Capability systems offer the potential to turn difficult authorization decisions into LangSec’s bread and butter: syntactic constraints on requests; every well-formed request which can be stated is authorized.
2 / 14

Traditional Web Application Hosting
The Sad Story
Consider a standard LAMP-esque stack.
• Many co-hosted applications at different paths.
  • Maybe have separate kernel UIDs when executing?
• System design encourages ambient authority:
  • esp. to filesystem, network resources.
• Database processes per-server
  • Own notion of users (typ. “app”) and permissions.
• Client authn, authz up to each hosted application.
  • Even SSO systems typically require application buy-in.
  • Groups, ACLs, etc. per application.
• Web’s failings left to apps: XSRF, XSS, SRI, ...
3 / 14

Traditional Web Application Hosting
The Impact of LangSec Bugs
In this environment, what do LangSec bugs buy an attacker?
• Outright authn/authz confusion:
  • Authn/authz cookie leak & replay
  • XSRF & XSS
• Path traversals:
  • Access to intra-application resources (almost surely)
  • Access to other applications’ resources (maybe)
  • Access to system configuration (likely)
• Code injection:
  • Probe file system, loopback network
  • Make remote network connections
  • Probe local kernel for vulnerabilities
Too easy for bug in one application to impact entire server.
4 / 14

Sandstorm Application Hosting
What a mess! Alternative design?
Sweeping changes to design of system:
• Replace web server with application supervisor.
  • Not “Web Application Firewall”
  • No dynamic inspection of application display content!
• Centralize authn to supervisor.
  • Send user display information to application.
• Centralize authz to supervisor (mostly).
  • Applications enumerate possible “rights”.
  • Supervisor computes agent’s rights; tells application.
• Sandbox server-side resources very tightly.
  • Each document in its own container is possible!
  • Granularity up to application author and user.
  • Possible due to centralized management of sharing.
5 / 14

Sandstorm Application Hosting
What a mess! Alternative design?
Old world:
• As admin, install application to web server (or find host)
• Users register with each application (or be anonymous)
• Application juggles many documents / objects / ...
• User rights managed within each application
New world:
• As admin, install sandstorm server (or ...)
• Users register once with sandstorm installation (or ...)
• Users install arbitrary applications as desired!
• Users instantiate applications as “grains.”
• Each user may have zero or more grains of any app.
• Grains begin private to creator.
• Users share (and revoke) appropriate access to grains.
6 / 14

Sandstorm Application Hosting
User’s Perspective
https://main.sandstorm.acm.jhu.edu/shared/pruMzgByO3ReRVV9tT5uQQyhwXJulmoMCSNSFutPjXJ
7 / 14

Sandstorm Application Hosting
Supervisor’s Perspective
Supervisor tracks capabilities conveying rights to grains:
• Each application specifies a collection of rights.
  • ShareLaTeX: “read”, “write”
  • DokuWiki: “user”, “manager”, “admin”
• When grain is created, owner gets all rights.
  • Nobody else gets any rights
• Users delegate access to grains:
  • Creates a new capability object held by designated user(s) or within a sharing link.
  • Delegated access is a subset of delegator’s access.
  • Sandstorm tracks provenance of rights & adjusts.
8 / 14

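The bookkeeping on this slide, as an added example that is not Sandstorm's code and not part of the original slides: a toy Python supervisor in which the owner gets all rights, delegation must be a subset of the delegator's access, and revoking a capability adjusts everything derived from it. The class and method names, the grain name and the token format are assumptions made for illustration.

```python
import secrets


class Supervisor:
    """Toy capability table; names and token format are assumptions."""

    def __init__(self):
        self.caps = {}  # token -> (grain, holder, rights, parent token)

    def _mint(self, grain, holder, rights, parent):
        token = secrets.token_urlsafe(16)  # unguessable designator
        self.caps[token] = (grain, holder, frozenset(rights), parent)
        return token

    def create_grain(self, grain, owner, app_rights):
        # The owner gets every right the app declares; nobody else gets any.
        return self._mint(grain, owner, app_rights, None)

    def rights(self, token):
        # Effective rights are the intersection along the provenance chain.
        # A revoked or never-issued link anywhere in the chain yields nothing.
        effective = None
        while token is not None:
            if token not in self.caps:
                return frozenset()
            _, _, granted, parent = self.caps[token]
            effective = granted if effective is None else effective & granted
            token = parent
        return effective or frozenset()

    def delegate(self, token, holder, rights):
        # Delegated access must be a subset of the delegator's current access.
        if token not in self.caps or not frozenset(rights) <= self.rights(token):
            raise PermissionError("delegator does not hold those rights")
        return self._mint(self.caps[token][0], holder, rights, token)

    def revoke(self, token):
        self.caps.pop(token, None)


def demo():
    # Constructed scenario using the DokuWiki rights named on the slide.
    sup = Supervisor()
    alice = sup.create_grain("wiki-grain", "alice", {"user", "manager", "admin"})
    bob = sup.delegate(alice, "bob", {"user", "manager"})
    link = sup.delegate(bob, "sharing link", {"user"})
    before = sup.rights(link)
    sup.revoke(bob)  # Bob's capability is revoked; the link derived from it falls too.
    return before, sup.rights(link), sup.rights("made-up-token")
```

Because rights are resolved by walking the chain at request time, the supervisor never has to hunt down derived links on revocation, and a token that was never issued resolves to no rights at all.
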
Sandstorm Application Hosting
Supervisor’s Perspective
Supervisor juggles sessions: user’s live connection to a grain.
• Grains started and stopped by supervisor as needed.
9 / 14