2nd USENIX Conference on Web Application Development ...

More documents

Recommendations

Info

References [1] CHANG, W.,STREIFF, B., AND LIN, C. Efficient and extensible security enforcement using dynamic data flow analysis. In Proceedings of the 15th ACM conference on Computer and communications security (New York, NY, USA, 2008), CCS ’08, ACM, pp. 39–50. [2] CHIN, E., AND WAGNER, D. Efficient Character-level Taint Tracking for Java. In 2009 ACM Workshop on Secure Web Services (2009). [3] DALTON, M., KOZYRAKIS, C., AND ZELDOVICH, N. Nemesis: preventing authentication & access control vulnerabilities in web applications. In Proceedings of the 18th conference on <strong>USENIX</strong> security symposium (Berkeley, CA, USA, 2009), SSYM’09, <strong>USENIX</strong> Association, pp. 267–282. [4] DAVIS, B., AND CHEN, H. DBTaint: Cross-application Information Flow Tracking via Databases. In 2010 <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development (2010), WebApps’10. [5] EFSTATHOPOULOS, P., AND KOHLER, E. Manageable finegrained information flow. In Proceedings of the 3rd ACM SIGOP- S/EuroSys European <strong>Conference</strong> on Computer Systems 2008 (New York, NY, USA, 2008), Eurosys ’08, ACM, pp. 301–313. [6] GOOGLE. Auto escape. http://google-ctemplate.googlecode. com/svn/trunk/doc/auto escape.html, 2010. [7] HO, A., FETTERMAN, M., CLARK, C., WARFIELD, A., AND HAND, S. Practical taint-based protection using demand emulation. In Proceedings of the 1st ACM SIGOPS/EuroSys European <strong>Conference</strong> on Computer Systems 2006 (New York, NY, USA, 2006), EuroSys ’06, ACM, pp. 29–41. [8] KICZALES, G., LAMPING, J., MENDHEKAR, A., MAEDA, C., LOPES, C., LOINGTIER, J.-M., AND IRWIN, J. Aspect-Oriented Programming. In European <strong>Conference</strong> on Object-Oriented Programming (1997). [9] LAM, L. C., AND CHIUEH, T.-C. A general dynamic information flow tracking framework for security applications. In Proceedings of the 2<strong>2nd</strong> Annual Computer Security Applications <strong>Conference</strong> (Washington, DC, USA, 2006), IEEE Computer Society, pp. 463–472. [10] LIVSHITS, V. B., AND LAM, M. S. Finding security vulnerabilities in java applications with static analysis. In Proceedings of the 14th conference on <strong>USENIX</strong> Security Symposium - Volume 14 (Berkeley, CA, USA, 2005), <strong>USENIX</strong> Association, pp. 18–18. [11] NANDA, S., LAM, L.-C., AND CHIUEH, T.-C. Dynamic Multiprocess Information Flow Tracking for Web Application Security. In 2007 ACM/IFIP/<strong>USENIX</strong> International <strong>Conference</strong> on Middleware Companion (2007). [12] NEWSOME, J., AND SONG, D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploitson commodity software. In Proceedings of the 12th AnnualNetwork and Distributed System Security Symposium (2005), NDSS05. [13] NGUYEN-TUONG, A., GUARNIERI, S., GREENE, D., SHIRLEY, J., AND EVANS, D. Automatically Hardening Web applications Using Precise Tainting. In Security and Privacy in the Age of Ubiquitous Computing (2005). [14] PATTERSON, A., DALESSIO, M., NUTTER, C., ARBEO, S., MAHONEY, P., AND HARADA, Y. Nokogiri: an HTML, XML, SAX, and Reader Parser. http://nokogiri.org/, 2008. [15] PIETRASZEK, T., AND BERGHE, C. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection, A. Valdes and D. Zamboni, Eds., vol. 3858 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2006, pp. 124–145. [16] PROJECT, O. W. A. S. OWASP Top 10 — The Ten Most Critical Web Application Security Risks. http://www.owasp.org/index. php/Top 10, 2010. [17] SCHWARTZ, E. J., AVGERINOS, T., AND BRUMLEY, D. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In IEEE Symposium on Security and Privacy (Oakland) (2010). [18] SEKAR, R. An Efficient Black-box Technique for Defeating Web Application Attacks. In 16th Annual Network and Distributed System Security Symposium (NDSS) (2009). [19] SEO, J., AND LAM, M. S. InvisiType: Object-Oriented Security Policies. In 17th Annual Network and Distributed System Security Symposium (2010). [20] SHANKAR, U., TALWAR, K., FOSTER, J. S., AND WAGNER, D. Detecting format string vulnerabilities with type qualifiers. In Proceedings of the 10th conference on <strong>USENIX</strong> Security Symposium - Volume 10 (Berkeley, CA, USA, 2001), SSYM’01, <strong>USENIX</strong> Association, pp. 16–16. [21] SUBSTRUCT DEVELOPER. Preference.save settings is insecure. http://code.google.com/p/substruct/issues/detail?id= 36, Mar. 2008. [22] SUH, G. E., LEE, J. W., ZHANG, D., AND DEVADAS, S. Secure program execution via dynamic information flow tracking. In Proceedings of the 11th international conference on Architectural support for programming languages and operating systems (New York, NY, USA, 2004), ASPLOS-XI, ACM, pp. 85–96. [23] TRIPP, O., PISTOIA, M., FINK, S. J., SRIDHARAN, M., AND WEISMAN, O. TAJ: Effective Taint Analysis of Web Applications. In ACM SIGPLAN <strong>Conference</strong> on Programming Language Design and Implementation (New York, NY, USA, 2009), PLDI ’09, ACM, pp. 87–97. [24] VIEGA, J., BLOCH, J. T., AND CH, P. Applying aspect-oriented programming to security. Cutter IT Journal 14 (2001), 31–39. [25] VOGT, P., NENTWICH, F., JOVANOVIC, N., KIRDA, E., KRUEGEL, C., AND VIGNA, G. Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS ’07) (2007). [26] WEINBERGER, J., SAXENA, P., AKHAWE, D., FINIFTER, M., SHIN, R., AND SONG, D. An empirical analysis of xss sanitization in web application frameworks. Tech. Rep. UCB/EECS- 2011-11, EECS Department, University of California, Berkeley, Feb 2011. [27] WIN, B. D., VANHAUTE, B., AND DECKE, B. D. Developing secure applications through aspect-oriented programming. Advances in Network and Distributed Systems Security (2001), 125– 138. [28] XU, W.,BHATKAR, S., AND SEKAR, R. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In Proceedings of the 15th conference on <strong>USENIX</strong> Security Symposium (<strong>USENIX</strong>-SS ’06) (2006). [29] YIP, A., WANG, X., ZELDOVICH, N., AND KAASHOEK, M. F. Improving Application Security with Data Flow Assertions. In ACM SIGOPS 2<strong>2nd</strong> Symposium on Operating Systems Principles (2009). 12 WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development <strong>USENIX</strong> Association
Abstract Ioannis Papagiannis Imperial College London PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Web applications are increasingly popular victims of security attacks. Injection attacks, such as Cross Site Scripting or SQL Injection, are a persistent problem. Even though developers are aware of them, the suggested best practices for protection are error prone: unless all user input is consistently filtered, any application may be vulnerable. When hosting web applications, administrators face a dilemma: they can only deploy applications that are trusted or they risk their system’s security. To prevent injection vulnerabilities, we introduce PHP Aspis: a source code transformation tool that applies partial taint tracking at the language level. PHP Aspis augments values with taint meta-data to track their origin in order to detect injection vulnerabilities. To improve performance, PHP Aspis carries out taint propagation only in an application’s most vulnerable parts: thirdparty plugins. We evaluate PHP Aspis with Wordpress, a popular open source weblog platform, and show that it prevents all code injection exploits that were found in Wordpress plugins in 2010. 1 Introduction The most common types of web application attacks involve code injection [4]: Javascript that is embedded into the generated HTML (Cross Site Scripting, or XSS), SQL that is part of a generated database query (SQL Injection, or SQLI) or scripts that are executed on the web server (Shell Injection and Eval Injection). These attacks commonly exploit the web application’s trust in user-provided data. If user-provided data are not properly filtered and sanitised before use, an attacker can trick the application into generating arbitrary HMTL responses and SQL queries, or even execute user-supplied, malicious code. Even though web developers are generally aware of code injection vulnerabilities, applications continue to suffer from relevant exploits. In 2010, 23.9% of the total reported vulnerabilities to the CVE database were classi- Matteo Migliavacca Imperial College London 1 Peter Pietzuch Imperial College London fied as SQLI or XSS [12]. Morover, injection vulnerabilities are often common in third-party plugins instead of the well-tested core of a web application: in 2010, 10 out of 12 reported Wordpress injection exploits in the CVE database involved plugins and not Wordpress itself. Such vulnerabilities still remain because suggested solutions often require manual tracking and filtering of user-generated data throughout the source code of an application. Yet, even a single unprotected input channel in an application is enough to cause an injection vulnerability. Thus, less experienced and therefore less security-conscious developers of third-party plugins are more likely to write vulnerable code. Past research has suggested runtime taint tracking [19, 18, 14] as an effective solution to prevent injection exploits. In this approach, the origin of all data within the application is tracked by associating meta-data with strings. When an application executes a sensitive operation, such as outputting HTML, these meta-data are used to escape potentially dangerous values. The most efficient implementation of taint tracking is within the language runtime. Runtime taint tracking is not widely used in PHP, however, because it relies on custom runtimes that are not available in production environments. Thus, developers are forced to avoid vulnerabilities manually. We show that injection vulnerabilities in PHP can be addressed by applying taint tracking entirely at the source code level without modifications to the PHP language runtime. To reduce the incurred performance overhead due to extensive source code rewriting, we introduce partial taint tracking, which limits taint tracking only to functions of the web application in which vulnerabilities are more likely to occur. Partial taint tracking effectively captures the different levels of trust placed into different parts of web applications. It offers better performance because parts of the application code remain unchanged. We demonstrate this approach using PHP Aspis 1 ,a 1An Aspis was the circular wooden shield carried by soldiers in ancient Greece. <strong>USENIX</strong> Association WebApps ’11: <strong>2nd</strong> <strong>USENIX</strong> <strong>Conference</strong> on Web Application Development 13
Page 1 and 2: Proceedings of the 2nd</str
Page 3 and 4: USENIX Association
Page 5: WebApps ’11: 2nd
Page 9 and 10: GuardRails: A Data-Centric Web Appl
Page 11 and 12: Policy Annotation Only admins can d
Page 13 and 14: @edit, price, false, :nothing To ma
Page 15 and 16: tags in the Project description, bu
Page 17 and 18: String Command Result "foobar".gsub
Page 19: Transformation Status Homepage Logi
Page 23 and 24: Num. of Occurrences Type Wordpress
Page 25 and 26: Sanitisation htmlentities() functio
Page 27 and 28: Original expression Transformed exp
Page 29 and 30: non-tracking code with a simple str
Page 31 and 32: Direct request vulnerabilities. The
Page 33 and 34: Abstract Secure Data Preservers for
Page 35 and 36: e found for a variety of services.
Page 37 and 38: 3.2 Operational View The lifecycle
Page 39 and 40: it automatically). A user or servic
Page 41 and 42: given the availability of client-si
Page 43 and 44: can only be decrypted by the base l
Page 45 and 46: BenchLab: An Open Testbed for Reali
Page 47 and 48: 2.2. Realistic load generation Real
Page 49 and 50: virtual machine with the software s
Page 51 and 52: the Olio calendaring applications (
Page 53 and 54: able to match Firefox’s optimized
Page 55 and 56: 5.4.1. Local vs remote users We obs
Page 57 and 58: Resource Provisioning of Web Applic
Page 59 and 60: in a directed acyclic graph [3]. Th
Page 61 and 62: accordingly. This is the goal of in
Page 63 and 64: Although expressing performance pro
Page 65 and 66: Response time (ms) Response time (m
Page 67 and 68: Response time (ms) Response time (m
Page 69 and 70: C3: An Experimental, Extensible, Re
Page 71 and 72:
HtmlParser CssParser IHtmlParser IC
Page 73 and 74:
node during construction. This immu
Page 75 and 76:
public interface IDOMTagFactory { I
Page 77 and 78:
3.2 JS execution Point (2): Runtime
Page 79 and 80:
Extensions IE: Available from C3-eq
Page 81:
extensions for web-scale use. The r
Page 84 and 85:
dangerous permissions. In compariso
Page 86 and 87:
Permission Popular Unpopular Plug-i
Page 88 and 89:
(a) Prevalence of Dangerous permiss
Page 90 and 91:
its functionality to the permission
Page 92 and 93:
y ACCESS COARSE LOCATION. 358 appli
Page 94 and 95:
7 Conclusion This study contributes
Page 96 and 97:
5 discusses the pros and cons of th
Page 98 and 99:
the client is free to use them how
Page 100 and 101:
data it uses RESTful API which in t
Page 102 and 103:
On top of Django we are using a sma
Page 104 and 105:
nal design. Moreover, when the whol
Page 106 and 107:
[5] The spring framework. http://ww
Page 108 and 109:
of strcpy can preclude the introduc
Page 110 and 111:
Integer-valued Binary Stored XSS Re
Page 112 and 113:
Java Perl PHP Number of programmers
Page 114 and 115:
0 2 4 6 8 10 0 1 2 3 Team Number La
Page 116 and 117:
0 10 20 30 Number of Vulnerabilitie
Page 118 and 119:
Automated black-box penetration tes
Page 121 and 122:
Abstract Integrating Long Polling w
Page 123 and 124:
the Web server, the framework dispa
Page 125 and 126:
all() => [Record] filter(condition)
Page 127 and 128:
in any future requests associated w
Page 129 and 130:
��
Page 131 and 132:
quests to be put to sleep. For exam
Page 133 and 134:
Abstract Detecting Malicious Web Li
Page 135 and 136:
3 Discriminative Features Our metho
Page 137 and 138:
the total number of unique IPs and
Page 139 and 140:
Table 8: Detection accuracy and tru
Page 141 and 142:
centraldevideoscomhomensmaduros. bl
Page 143 and 144:
Web content by executing the conten
Page 145 and 146:
Maverick: Providing Web Application
Page 147 and 148:
must schedule USB messages to provi
Page 149 and 150:
priate Web driver. USB events sent
Page 151 and 152:
hardware IDs to the browser kernel
Page 153 and 154:
PhotoBooth latency JavaScript drive
Page 155 and 156:
delegate the higher-level abstracti
show all

2nd USENIX Conference on Web Application Development ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?