2nd USENIX Conference on Web Application Development ...

More documents

Recommendations

Info

Application Description Source Lines of Code Onyx image gallery http://www.hulihanapplications.com/projects/onyx 680 Spree shopping cart http://spreecommerce.com/ 11561 Substruct shopping cart http://code.google.com/p/substruct/ 5556 Redmine project management http://www.redmine.org/ 30747 PaperTracks publication and citation tracker developed ourselves 1980 also succeeded at blocking SQL injection and cross-site scripting attacks, as explained in Section 4.4. While performance was not a major design goal, it is still a practical concern. To estimate the overhead imposed by our system, we transformed the image gallery application Onyx with various configurations of GuardRails and measured the average throughput for 50 concurrent users. Table 4 summarizes the results. As currently implemented, GuardRails does impose a significant performance cost. But, we believe most of this performance overhead is due to limitations of our prototype system rather than intrinsic costs of our approach. Performing the access control checking decreases throughput by around 25 percent. Most of the performance overhead comes from the code needed to assign policies dynamically. This code is independent of the number of policies, so the performance does not greatly depend on the number of annotated policies. We could reduce this overhead by using static analysis to determine which policies can be assigned statically instead of dynamically. Taint tracking incurs substantial overhead, reducing throughput by more than 75 percent for some requests. Our taint tracking implementation replaces the native C string implementations provided by Ruby with interpreted Ruby implementations. Since the Ruby string implementations are highly optimized, and interpreting Ruby code is much slower than native C, it is not surprising that this incurs a substantial performance hit. Complex functions like gsub, split, delete, and slice require more code to ensure that taint status is handled correctly. The split method, for example, took 0.14 seconds to run 400 times without the taint system applied in one test. With the taint system applied, the same test took 0.15 seconds when operating on untainted strings but nearly 5 seconds to split tainted strings. In future work, we hope both to optimize string methods both by rewriting them in C and using more efficient algorithms, and we are optimistic that much of the performance overhead imposed by GuardRails could be eliminated by doing this. Table 3: Test Applications 6 Related Work Much research has been done towards the goal of improving security of web applications and developing access control policies. Here, we review the most closely related work on data policy enforcement and taint tracking. 6.1 Data Policy Enforcement Aspect-oriented programming is a design paradigm that centralizes code that would normally be spread throughout an application, often referred to as cross-cutting concerns [8]. Data policy enforcement is such a concern and several authors have suggested using aspectoriented programming to implement security policy enforcement [24, 27]. Like our project, this work seeks to reduce implementation errors and improve readability by centralizing information about security policies. Automated data policy enforcement is becoming a popular method for preventing security vulnerabilities. Some projects let developers specify data policies, assign the policies to object instances explicitly, and enforce the policies using a runtime system [29, 19]. It is often difficult to define security policies in a clear and concise format. Some projects attempt to remedy this by creating a policy description language [5] while others aim to infer appropriate policies [3] without developer input. The most similar previous work is RESIN, a tool that enforces developer-specified policies on web applications [29]. GuardRails and RESIN differ in several fundamental ways. RESIN handles policies attached to individual object instances, so developers must manually add the policies on each object instance they want to protect. GuardRails instead associates policies with data models (classes), so the appropriate policy is automatically applied to all instances of the class. Additionally, GuardRails automates much more of the work required to build a secure web application than RESIN does. RESIN requires the developer to write an entire class for each security policy while GuardRails only requires a small annotation. 10 WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development <strong>USENIX</strong> Association
Transformation Status Homepage Login Interface Image Gallery Original Application 8.9 9.6 9.2 Access Control Only 7.1 7.1 6.6 Taint Tracking w/o HTML Parsing 2.5 2.8 2.5 Full System 2.0 2.5 2.2 Table 4: Performance Measurements from Onyx Each number indicates the number of transactions per second for the given request and configuration. 6.2 Taint Tracking Taint tracking techniques have been used to find format string vulnerabilities [20, 22, 28], prevent buffer overflows [22, 28], improve signature generation [12], and even to track information flow at the operating system level [7]. Several systems, like the GIFT framework [9], are designed, like GuardRails, to be extensible to prevent many types of injection attacks [1, 15]. As mentioned in Section 4.1, some recent research has focused on solving the over/undertainting problem with character-bycharacter taint tracking [2, 13, 29]. Many systems are limited to using boolean taint states [22, 28] or make use of the compiler, making them difficult to directly apply to a dynamic, interpreted language like Ruby [1, 11]. Similar to our context-specific transformers, the Context-Sensitive String Evaluation (CSSE) [15] system treats tainted strings differently depending on the context of their use. CSSE uses meta-data tags to allow for complex taint statuses. CSSE, however, focuses on propagating information about where the content originated from, with the context-specific code dealing with the tainted strings at the location of their use based on this origin information. The Auto Escape mode in Google’s Template System is another similar system that uses different sanitization routines depending on the context of a string in HTML [6]. Without taint-tracking, however, Auto Escape cannot distinguish between safe and unsafe strings without explicit specifications from the developer, so it is necessary to explicitly identify templates that should use auto escape mode. Other systems do not modify the web application itself or the underlying platform, but instead operate between the application’s key entry and exit points. Sekar developed one such tool [18] that records the input received by the application, and later uses taint inference in output and database commands to find similar strings that may have been derived from this input. The tool also focuses on looking for changes in syntax of important commands that might be indicative of an injection attack. Another system, DBTaint [4] works outside of the application, helping to preserve arbitrary taint information given from an arbitrary application in the database. Both of these tools have the advantage of being largely platform-independent, and neither needs any application modifications. 7 Conclusion GuardRails seeks to reduce the effort required to build a secure web application by enforcing security policies defined with the data model, in particular, access control policies and context-sensitive string transformations. The main novelty of GuardRails is the way policies are tied directly to data models which fits developer understanding naturally, provides a large amount of expressiveness, and centralized policies in a way that minimizes the likelihood of missing necessary access control checks. Our early experience with GuardRails provides cause for optimism that application developers can be relieved of much of the tedious and error-prone work typically required to build a secure web application. Although the performance overhead is prohibitive for large scale commercial sites, many web applications can tolerate fairly poor performance. Further, although our current prototype implementation incurs substantial overhead, we believe many of techniques we advocate could be implemented more efficiently if they are more fully integrated into the underlying framework implementation, and that reducing developer effort and mitigating security risk will become increasingly important in rapid web application development. Availability GuardRails is available under an open source license from http://guardrails.cs.virginia.edu/. Acknowledgements This work was funded in part by grants from the National Science Foundation and a MURI award from the Air Force Office of Scientific Research. The authors thank Armando Fox for his helpful comments and suggestions, and thank Dawn Song, Prateek Saxena, and the attendees at RubyNation for helpful discussions about this work. <strong>USENIX</strong> Association WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development 11
Page 1 and 2: Proceedings of the 2nd</str
Page 3 and 4: USENIX Association
Page 5: WebApps ’11: 2nd
Page 9 and 10: GuardRails: A Data-Centric Web Appl
Page 11 and 12: Policy Annotation Only admins can d
Page 13 and 14: @edit, price, false, :nothing To ma
Page 15 and 16: tags in the Project description, bu
Page 17: String Command Result "foobar".gsub
Page 21 and 22: Abstract Ioannis Papagiannis Imperi
Page 23 and 24: Num. of Occurrences Type Wordpress
Page 25 and 26: Sanitisation htmlentities() functio
Page 27 and 28: Original expression Transformed exp
Page 29 and 30: non-tracking code with a simple str
Page 31 and 32: Direct request vulnerabilities. The
Page 33 and 34: Abstract Secure Data Preservers for
Page 35 and 36: e found for a variety of services.
Page 37 and 38: 3.2 Operational View The lifecycle
Page 39 and 40: it automatically). A user or servic
Page 41 and 42: given the availability of client-si
Page 43 and 44: can only be decrypted by the base l
Page 45 and 46: BenchLab: An Open Testbed for Reali
Page 47 and 48: 2.2. Realistic load generation Real
Page 49 and 50: virtual machine with the software s
Page 51 and 52: the Olio calendaring applications (
Page 53 and 54: able to match Firefox’s optimized
Page 55 and 56: 5.4.1. Local vs remote users We obs
Page 57 and 58: Resource Provisioning of Web Applic
Page 59 and 60: in a directed acyclic graph [3]. Th
Page 61 and 62: accordingly. This is the goal of in
Page 63 and 64: Although expressing performance pro
Page 65 and 66: Response time (ms) Response time (m
Page 67 and 68: Response time (ms) Response time (m
Page 69 and 70:
C3: An Experimental, Extensible, Re
Page 71 and 72:
HtmlParser CssParser IHtmlParser IC
Page 73 and 74:
node during construction. This immu
Page 75 and 76:
public interface IDOMTagFactory { I
Page 77 and 78:
3.2 JS execution Point (2): Runtime
Page 79 and 80:
Extensions IE: Available from C3-eq
Page 81:
extensions for web-scale use. The r
Page 84 and 85:
dangerous permissions. In compariso
Page 86 and 87:
Permission Popular Unpopular Plug-i
Page 88 and 89:
(a) Prevalence of Dangerous permiss
Page 90 and 91:
its functionality to the permission
Page 92 and 93:
y ACCESS COARSE LOCATION. 358 appli
Page 94 and 95:
7 Conclusion This study contributes
Page 96 and 97:
5 discusses the pros and cons of th
Page 98 and 99:
the client is free to use them how
Page 100 and 101:
data it uses RESTful API which in t
Page 102 and 103:
On top of Django we are using a sma
Page 104 and 105:
nal design. Moreover, when the whol
Page 106 and 107:
[5] The spring framework. http://ww
Page 108 and 109:
of strcpy can preclude the introduc
Page 110 and 111:
Integer-valued Binary Stored XSS Re
Page 112 and 113:
Java Perl PHP Number of programmers
Page 114 and 115:
0 2 4 6 8 10 0 1 2 3 Team Number La
Page 116 and 117:
0 10 20 30 Number of Vulnerabilitie
Page 118 and 119:
Automated black-box penetration tes
Page 121 and 122:
Abstract Integrating Long Polling w
Page 123 and 124:
the Web server, the framework dispa
Page 125 and 126:
all() => [Record] filter(condition)
Page 127 and 128:
in any future requests associated w
Page 129 and 130:
��
Page 131 and 132:
quests to be put to sleep. For exam
Page 133 and 134:
Abstract Detecting Malicious Web Li
Page 135 and 136:
3 Discriminative Features Our metho
Page 137 and 138:
the total number of unique IPs and
Page 139 and 140:
Table 8: Detection accuracy and tru
Page 141 and 142:
centraldevideoscomhomensmaduros. bl
Page 143 and 144:
Web content by executing the conten
Page 145 and 146:
Maverick: Providing Web Application
Page 147 and 148:
must schedule USB messages to provi
Page 149 and 150:
priate Web driver. USB events sent
Page 151 and 152:
hardware IDs to the browser kernel
Page 153 and 154:
PhotoBooth latency JavaScript drive
Page 155 and 156:
delegate the higher-level abstracti
show all

2nd USENIX Conference on Web Application Development ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?