Improving Web Site Security with Data Flow Management

by Alexander Siumann Yip

S.B., Computer Science and Engineering (2001)
M.Eng., Electrical Engineering and Computer Science (2002)
Massachusetts Institute of Technology

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science at the Massachusetts Institute of Technology, September 2009.

(c) Massachusetts Institute of Technology 2009. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, August 21, 2009
Certified by: Robert T. Morris, Associate Professor, Thesis Supervisor
Certified by: Nickolai Zeldovich, Assistant Professor, Thesis Supervisor
Accepted by: Terry P. Orlando, Chair, Department Committee on Graduate Students

Abstract

Submitted to the Department of Electrical Engineering and Computer Science on August 21, 2009, in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science.

This dissertation describes two systems, Resin and BFlow, whose goal is to help Web developers build more secure Web sites. Resin and BFlow use data flow management to help reduce the security risks of using buggy or malicious code. Resin provides programmers with language-level mechanisms to track and manage the flow of data within the server. These mechanisms make it easy for programmers to catch server-side data flow bugs that result in security vulnerabilities, and prevent these bugs from being exploited. BFlow is a system that adds information flow control, a restrictive form of data flow management, both to the Web browser and to the interface between a browser and a server. BFlow makes it possible for a Web site to combine confidential data with untrusted JavaScript in its Web pages, without risking leaks of that data.

This work makes a number of contributions. Resin introduces the idea of a data flow assertion and demonstrates how to build them using three language-level mechanisms: policy objects, data tracking, and filter objects. We built prototype implementations of Resin in both the PHP and Python runtimes. We adapt seven real off-the-shelf applications and implement 11 different security policies in Resin which thwart at least 27 real security vulnerabilities. BFlow introduces an information flow control model that fits the JavaScript communication mechanisms, and a system that maps that model to JavaScript's existing isolation system. Together, these techniques allow untrusted JavaScript to read, compute with, and display confidential data without the risk of leaking that data, yet require only minor changes to existing software. We built a prototype of the BFlow system and three different applications including a social networking application, a novel shared-data Web platform, and BFlogger, a third-party JavaScript platform similar to that of Blogger.com. We ported several untrusted JavaScript extensions from Blogger.com to BFlogger, and show that the extensions cannot leak data as they can in Blogger.com.

Thesis Supervisor: Robert T. Morris, Title: Associate Professor
Thesis Supervisor: Nickolai Zeldovich, Title: Assistant Professor

Published Materials

Portions of Chapter 2 will appear in the publication [87]: Alexander Yip, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek. Improving application security with data flow assertions. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP), Big Sky, MT, USA, October 2009.

Portions of Chapter 3 appeared in the publication [86]: Alexander Yip, Neha Narula, Maxwell Krohn, and Robert Morris. Privacy-preserving browser-side scripting with BFlow. In Proceedings of the 4th ACM SIGOPS/EuroSys European Conference on Computer Systems, pages 233–246, Nuremberg, Germany, March 2009.
Acknowledgments

Many people contributed to the completion of this dissertation, including colleagues in PDOS and the systems community at MIT's CSAIL, as well as outside of the lab, at home and on campus. Although I cannot list them all, I will attempt to acknowledge these people here.

My advisers, both Robert Morris and Nickolai Zeldovich, were instrumental to this work. They taught me how to do research, think critically, be a graduate student, and teach effectively. Frans Kaashoek, Eddie Kohler, and Barbara Liskov also provided invaluable advice and guidance along the way.

My coauthors also contributed to this dissertation. Xi Wang made substantial contributions to the design and evaluation of Resin, including new data flow assertions and performance enhancements, as well as the text in Chapter 2. Neha Narula made major contributions to the design and evaluation of BFlow, in addition to the text in Chapter 3. Maxwell Krohn also contributed to the design of BFlow and the earlier work in WikiCode and W5. Micah Brodsky, Petros Efstathopoulos, Steve VanDeBogart, and Michael Walsh also contributed to BFlow through their contributions to WikiCode and W5.

Simply spending time in PDOS had an impact on me and this work. Sharing an office with Thomer M. Gil, Chris Lesniewski-Laas, Jinyang Li, Athicha Muthitacharoen, Jacob Strauss, and Jayashree Subramanian has been both entertaining and enlightening. Eating lunch with the likes of Silas Boyd-Wickizer, Benjie Chen, Russ Cox, Frank Dabek, Alex Pesterev, Jeremy Stribling, and company had a similar effect.

Lastly, this work would have never been completed without the consistent support and encouragement from my friends and family throughout the graduate school process. My parents, Laura Yip, Michelle Yip, Seanna Kim, and all my friends share credit for this work.
Contents

1 Introduction
  1.1 Resin
  1.2 BFlow
  1.3 Contributions
    1.3.1 Resin
    1.3.2 BFlow
  1.4 Organization
2 Resin
  2.1 Introduction
  2.2 Goals and Examples
    2.2.1 Threat Model
  2.3 Design
    2.3.1 Design Overview
    2.3.2 Filter Objects
    2.3.3 Policy Objects
    2.3.4 Data Tracking
  2.4 Implementation
  2.5 Applying Resin
    2.5.1 Access Control Checks
    2.5.2 Server-Side Script Injection
    2.5.3 SQL Injection and Cross-Site Scripting
    2.5.4 Other Attack Vectors
    2.5.5 Application Integration
  2.6 Security Evaluation
    2.6.1 Programmer Effort
    2.6.2 Preventing Vulnerabilities
    2.6.3 Generality
  2.7 Performance Evaluation
    2.7.1 Application Performance
    2.7.2 Microbenchmarks
  2.8 Deployment
  2.9 Limitations and Future Work
    2.9.1 Data Flow Assertion Model
    2.9.2 Language Runtimes
    2.9.3 Applications
  2.10 Related Work
    2.10.1 Policy Specification
    2.10.2 Data Tracking
  2.11 Summary
3 BFlow
  3.1 Introduction
  3.2 Background: JavaScript
  3.3 Challenges
    3.3.1 Threat Model and Security
    3.3.2 Flexibility and Adoption
  3.4 Design
    3.4.1 Information Flow Control
    3.4.2 Protection Zones
    3.4.3 Controlling Intra-browser Communication
    3.4.4 Controlling Browser-Server Communication
  3.5 Visible Model
    3.5.1 Developer Visible Model
    3.5.2 Users Visible Model
  3.6 Implementation
    3.6.1 Client Implementation
    3.6.2 User Authentication
    3.6.3 Server Implementation
    3.6.4 Server Storage
  3.7 Applications
    3.7.1 BF-Blogger
    3.7.2 BF-Socialnet
    3.7.3 W5
  3.8 Evaluation
    3.8.1 Security
    3.8.2 Adoption
  3.9 Deployment
  3.10 Limitations and Future Work
    3.10.1 Information Flow Control
    3.10.2 User Interface and Understanding Labels
    3.10.3 Applications
    3.10.4 Out of Scope Attacks
    3.10.5 Design Variations
  3.11 Related Work
    3.11.1 Discretionary Access Control
    3.11.2 Mandatory Access Control
  3.12 Summary
4 Integrating Resin and BFlow
5 Conclusion
  5.1 Resin
  5.2 BFlow
  5.3 Summary

List of Figures

2-1 Overview of the HotCRP password data flow assertion.
2-2 Simplified PHP code for defining the HotCRP password policy class and annotating the password data. This policy only allows a password to be disclosed to the user's own email address or to the program chair.
2-3 Python code for the default filter for sockets.
2-4 Saving persistent policies to a SQL database for HotCRP passwords. Uses symbols from Figure 2-1.
2-5 Python code for a data flow assertion that checks read access control in MoinMoin. The process_client and update_body functions are simplified versions of MoinMoin equivalents.
2-6 Simplified PHP code for a data flow assertion that catches server-side script injection. In the actual implementation, filter_read verifies that each character in $buf has the CodeApproval policy.
3-1 Malicious JavaScript reads confidential data (a) via the DOM and (b) by exploiting vulnerable JavaScript.
3-2 After reading confidential data, the malicious JavaScript leaks confidential data to an adversary via the (a) adversary's server (b) Web site's public data.
3-3 BFlow overview. Untrusted protection zones are shaded.
3-4 Web page frame hierarchy with zones and labels. Each box is a frame.
3-5 W5 overview showing three applications.

List of Tables

2.1 Top CVE security vulnerabilities of 2008 [71].
2.2 Top Web site vulnerabilities of 2007 [82].
2.3 The Resin API. A::B(args) denotes method B of an object of type A. Not shown is the API used by the programmer to specify and access filter objects for different data flow boundaries.
2.4 Results from using Resin assertions to prevent previously-known and newly discovered vulnerabilities in several Web applications.
2.5 The average time taken to execute different operations in an unmodified PHP interpreter, a Resin PHP interpreter without any policy, and a Resin PHP interpreter with an empty policy.
3.1 Default IFC communication rules and declassification exceptions; zones S and R are untrusted. The prototype implements these rules for communication through postMessageBF, the FID channel and HTTP requests, but it is more restrictive than these rules for shared DOM variables and cookie communication across zones.
3.2 Lines of code (LOC) changed to port existing widgets to BF-Blogger and whether they see confidential data.
Chapter 1: Introduction

This dissertation addresses two security issues that affect Web sites today. The first issue is that Web sites are often vulnerable to attack because the Web site software has bugs that result in faulty data flow. A faulty data flow occurs when a programmer has an implicit invariant of how data should flow within the application, but then accidentally uses the data in a way that violates that invariant. For example, a programmer might want to keep a user's password confidential but accidentally send the password to another user, or the application might take untrusted user input and accidentally interpret it as code. Resin [87] is a programming tool that helps programmers avoid these and other kinds of data flow bugs.

The second issue is that Web sites have begun to run third-party code with access to confidential user data, which can result in data leakage. BFlow [86] is a system that allows Web sites to run third-party code with confidential data without the risk of leaking that data. This chapter introduces these two systems.

1.1 Resin

Software developers often have a plan for correct data flow in their applications. For example, in order for a Web site to avoid SQL injection attacks, user input must flow through a sanitization function before the application can use the data in a SQL query. Today, programmers usually implement their data flow plans implicitly in their application code; for example, to address SQL injection, programmers often try to call the sanitization function in all the correct places, on all the data flow paths. Unfortunately, there are often many such places, and it is easy to miss some, which results in vulnerabilities.

Resin is a programming tool that allows programmers to implement an implicit data flow plan explicitly in the form of a high-level data flow assertion that applies to the entire application. Resin verifies that the application abides by the explicit data flow plan throughout the application, even in places where the programmer might have accidentally violated the plan.

The main challenges facing Resin are knowing when to verify a data flow assertion, providing a convenient way for programmers to express data flow assertions, and designing mechanisms that make it possible for many different assertions to coexist in the same application without interfering with each other. Resin addresses these challenges using three ideas: policy objects, data tracking, and filter objects. Programmers explicitly annotate data, such as strings, with policy objects that help the assertion code understand the data and decide what kind of assertions apply to the data. The Resin runtime then tracks these policy objects as the data propagates through the application. When the data is about to leave the control of Resin, such as being sent over the network, Resin invokes filter objects to check the data flow assertions with assistance from the data's policy objects.

We implemented Resin in two different language runtimes, Python and PHP. We then evaluate Resin by implementing a wide range of data flow assertions in real Web applications. The results show that assertions are short, on the order of tens of lines of code, and require changes in only a few places in the application code. They also show that Resin policies are effective at preventing many vulnerabilities such as SQL injection, cross-site scripting, directory traversal, missing access control checks, and server-side script injection.
1.2 BFlow

In addition to server-side bugs causing vulnerabilities, Web site developers have begun facing vulnerabilities due to third-party scripts running in the browser. In particular, programmers have begun to incorporate JavaScript written by untrusted programmers into their Web sites to expand and improve functionality. However, an increasing number of Web sites manage users' confidential data, and when a Web site combines untrusted JavaScript with confidential user data, the site opens itself to attack. The untrusted JavaScript can leak that confidential data to adversaries by sending the data via other JavaScript running in the browser, or by sending the data in a request to a Web server. Supporting untrusted JavaScript with confidential data is significantly different from the goals of Resin, since a Web site that incorporates untrusted JavaScript will likely run malicious JavaScript code, whereas Resin only helps a programmer secure trusted code.

BFlow is a system that adds information flow control (IFC) [18] to Web browsers and the browser-server interface. BFlow tracks confidential data as it flows from the server to the browser, within the browser, and from the browser back to the server. Since BFlow knows whether untrusted JavaScript may have read confidential data, BFlow can restrict the JavaScript's communication channels so that the JavaScript cannot leak that data to someone who lacks permission to read it. BFlow makes it possible to run untrusted JavaScript in the browser, with access to confidential data, without the risk of leaking that data.

There are two main challenges in applying IFC to Web browser scripts. The first is fitting IFC into the Web environment: in a Web system, who are the principals, who should configure the security policies, and how does data from different principals interact? Also, at what granularity should the system apply IFC, and can the system preserve the special data flow channels that the Web architecture assumes exist between browser scripts, and between a script and a Web server? The second main challenge is to support the large amount of existing software, including browser-side scripts and the browsers themselves.

To address the first challenge, BFlow gives each Web site control over its own data. When a user inserts confidential data into a Web site, the Web site is responsible for that data, and the site's programmers control who may receive the data according to the Web site's disclosure policy. If a Web site discloses data to another Web site, then the recipient site will have the ability to further disclose the data to any other site or user.

To address the second challenge, BFlow overlays its IFC mechanisms onto existing JavaScript abstractions such as browser frames and server origins. For example, BFlow performs IFC at the granularity of protection zones, which are sets of HTML frames. BFlow then uses the browser's existing isolation mechanisms to implement zone isolation, to avoid modifying the browser to add browser support for BFlow.

We implemented a BFlow prototype as a reference monitor running in the browser and a number of minor changes to the browser-server interface. The prototype reference monitor is a browser extension for an off-the-shelf browser. This implementation requires no modifications to the base browser or the JavaScript interpreter. We also implemented three Web applications that demonstrate the range of functionality that untrusted JavaScript can have while running in BFlow. These applications include: a blog that supports existing third-party extensions; a social networking site that implements common application features in untrusted JavaScript; and a multi-application Web platform that permits sharing user data between applications, yet preserves the privacy of user data.
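The following Python model is an added illustration of the label-based information flow control idea sketched in this section; it is not BFlow's code, and the zone names, the tag-set labels, the Monitor class and its rules are constructed here (BFlow's actual communication rules are defined in Chapter 3). A zone that reads a site's confidential data acquires that site's tag, a reference monitor allows a message from one zone to another only if the receiver is cleared for everything the sender may have read, and the owning site can release data by removing its own tag, which models the site-controlled disclosure policy described above.

```python
"""Minimal label-based IFC model for protection zones (constructed example,
not BFlow's implementation). A label is a set of tags; each tag names a Web
site whose confidential data the zone may have read."""
from dataclasses import dataclass, field


class FlowDenied(Exception):
    """Raised when a message would carry data to a zone not cleared to see it."""


@dataclass
class Zone:
    name: str
    label: set = field(default_factory=set)   # tags of data this zone may have read
    inbox: list = field(default_factory=list)


class Monitor:
    """Stands in for the reference monitor that mediates reads and messages."""

    def __init__(self):
        self.log = []   # audit trail of allowed and denied flows

    def read_confidential(self, zone, site):
        # Reading a site's confidential data taints the zone with that site's tag.
        zone.label.add(site)
        self.log.append(("read", zone.name, site, "allowed"))

    def send(self, src, dst, payload):
        # Rule: S may send to R only if label(S) is a subset of label(R),
        # i.e. R is already cleared for everything S may have read.
        if src.label <= dst.label:
            dst.inbox.append(payload)
            self.log.append(("send", src.name, dst.name, "allowed"))
            return True
        self.log.append(("send", src.name, dst.name, "denied"))
        raise FlowDenied(f"{src.name} -> {dst.name}: missing {src.label - dst.label}")

    def send_to_server(self, src, server_site):
        # An HTTP request is modelled as a message to a zone labelled with
        # the server's own tag: a server may only receive its own data.
        return self.send(src, Zone(server_site, {server_site}), None)

    def declassify(self, site, zone):
        # Only the site that owns the data may release it; dropping its tag
        # lets the zone's output flow on to anyone, as the text describes.
        zone.label.discard(site)
        self.log.append(("declassify", zone.name, site, "allowed"))


def scenario():
    """An untrusted widget reads site A's data and then tries to pass it on."""
    mon = Monitor()
    widget = Zone("widget")                 # untrusted third-party JavaScript
    public = Zone("public-page")            # site A's public page, empty label
    adversary = Zone("adversary")           # a frame controlled by someone else
    mon.read_confidential(widget, "siteA")  # widget's label becomes {"siteA"}

    results = {"to_siteA_server": mon.send_to_server(widget, "siteA")}
    for name, dst in (("to_public", public), ("to_adversary", adversary)):
        try:
            mon.send(widget, dst, "secret")
            results[name] = True
        except FlowDenied:
            results[name] = False
    try:
        mon.send_to_server(widget, "other.example")
        results["to_other_server"] = True
    except FlowDenied:
        results["to_other_server"] = False
    # Once site A declassifies the widget's output, the same flow is legal.
    mon.declassify("siteA", widget)
    results["after_declassify"] = mon.send(widget, adversary, "released")
    return results
```

The two denied cases correspond to the leak paths of Figure 3-2: writing into the site's public data and sending a request to a foreign server. The model is deliberately coarse; real rules also have to handle cookies, shared DOM state and user authentication, which the chapter on BFlow covers.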
1.3 Contributions

This dissertation makes a number of contributions.

1.3.1 Resin

Resin's contributions are the idea of a data flow assertion, and a technique for implementing data flow assertions using filter objects, policy objects, and data tracking. Experiments with several real applications further show that data flow assertions are concise, effective at preventing many security vulnerabilities, and incrementally deployable in existing applications.

1.3.2 BFlow

BFlow's contributions are a set of information flow control rules that govern the JavaScript communication mechanisms, a mapping from BFlow's IFC rules to the browser's existing JavaScript isolation system, and an abstraction called a protection zone that eases the deployment of existing JavaScript into BFlow. Together, these techniques allow untrusted JavaScript to read, compute with, and display confidential data without the risk of leaking that data. Experiments with porting existing third-party JavaScript to BFlow, and building new applications in BFlow, show that it is possible for existing code to run in the BFlow environment with few changes, and that programmers can build applications in BFlow that might have been too insecure to build with existing techniques.

1.4 Organization

The remainder of this dissertation is organized as follows: Chapter 2 describes the Resin system, and Chapter 3 describes the BFlow system. Chapter 4 provides some thoughts about future research directions. Finally, Chapter 5 concludes.
Chapter 2: Resin

Resin is a new language runtime that helps prevent security vulnerabilities by allowing programmers to specify data flow assertions. Resin provides policy objects, which programmers use to specify assertion code and metadata; data tracking, which allows programmers to associate assertions with application data, and to keep track of assertions as the data flows through the application; and filter objects, which programmers use to define data flow boundaries at which assertions are checked. Resin's runtime checks data flow assertions by propagating policy objects along with data, as that data moves through the application, and then invoking filter objects when data crosses a data flow boundary, such as when writing data to the network or a file.

Using Resin, Web application programmers can prevent a range of problems, from SQL injection and cross-site scripting, to inadvertent password disclosure and missing access control checks. Adding a Resin assertion to an application requires few changes to the existing application code, and an assertion can reuse existing code and data structures. For instance, 23 lines of code detect and prevent three previously-unknown missing access control vulnerabilities in phpBB, a popular Web forum application. Other assertions comprising tens of lines of code prevent a range of vulnerabilities in Python and PHP applications. A prototype of Resin incurs a 33% CPU overhead running the HotCRP conference management application.

2.1 Introduction

Software developers often have a plan for correct data flow within their applications. For example, a user u's password may flow out of a Web site only via an email to user u's email address. As another example, user inputs must always flow through a sanitizing function before flowing into a SQL query or HTML, to avoid SQL injection or cross-site scripting vulnerabilities. Unfortunately, today these plans are implemented implicitly: programmers try to insert code in all the appropriate places to ensure correct flow, but it is easy to miss some, which can lead to exploits. For example, one popular Web application, phpMyAdmin [65], requires sanitizing user input in 1,409 places. Not surprisingly, phpMyAdmin has suffered 60 vulnerabilities because some of these calls were forgotten [71].

This chapter presents Resin, a system that allows programmers to make their plan for correct data flow explicit using data flow assertions. Programmers can write a data flow assertion in one place to capture the application's high-level data flow invariant, and Resin checks the assertion in all relevant places, even places where the programmer might have otherwise forgotten to check. Resin operates within a language runtime, such as the Python or PHP interpreter. Resin tracks application data as it flows through the application, and checks data flow assertions on every executed path. Resin uses runtime mechanisms because they can capture dynamic properties, like user-defined access control lists, while integration with the language allows programmers to reuse the application's existing code in an assertion. Resin is designed to help programmers gain confidence in the correctness of their application, and is not designed to handle malicious code.

A key challenge facing Resin is knowing when to verify a data flow assertion. Consider the assertion that a user's password can flow only to the user herself. There are many different ways that an adversary might violate this assertion and extract someone's password from the system. The adversary might trick the application into emailing the password; the adversary might use a SQL injection attack to query the passwords from the database; or the adversary might fetch the password file from the server using a directory traversal attack. Resin needs to cover every one of these paths to prevent password disclosure.

A second challenge is to design a generic mechanism that makes it easy to express data flow assertions, including common assertions like cross-site scripting avoidance, as well as application-specific assertions. For example, HotCRP [44], a conference management application, has its own data flow rules relating to password disclosure and reviewer conflicts of interest, among others. Can a single assertion API allow for succinct assertions for cross-site scripting avoidance as well as HotCRP's unique data flow rules?

The final challenge is to make data flow assertions coexist with each other and with the application code. A single application may have many different data flow assertions, and it must be easy to add an additional assertion if a new data flow rule arises, without having to change existing assertions. Moreover, applications are often written by many different programmers. One programmer may work on one part of the application and lack understanding of the application's overall data flow plan. Resin should be able to enforce data flow assertions without all the programmers being aware of the assertions.

Resin addresses these challenges using three ideas: policy objects, data tracking, and filter objects. Programmers explicitly annotate data, such as strings, with policy objects, which encapsulate the assertion functionality that is specific to that data. Programmers write policy objects in the same language that the rest of the application is written in, and can reuse existing code and data structures, which simplifies writing application-specific assertions. The Resin runtime then tracks these policy objects as the data propagates through the application. When the data is about to leave the control of Resin, such as being sent over the network, Resin invokes filter objects to check the data flow assertions with assistance from the data's policy objects.
Vulnerability                   Count   Percentage
SQL injection                    1176      20.4%
Cross-site scripting              805      14.0%
Denial of service                 661      11.5%
Buffer overflow                   550       9.5%
Directory traversal               379       6.6%
Server-side script injection      287       5.0%
Missing access checks             263       4.6%
Other vulnerabilities            1647      28.6%
Total                            5768       100%

Table 2.1: Top CVE security vulnerabilities of 2008 [71].
We evaluate Resin in the context of application security by showing how these three mechanisms can prevent a wide range of vulnerabilities in real Web applications, while requiring programmers to write only tens of lines of code. One application, the MoinMoin wiki [56], required only 8 lines of code to catch the same access control bugs that required 2,000 lines in Flume [46], although Flume provides stronger guarantees. HotCRP can use Resin to uphold its data flow rules, by adding data flow assertions that control who may read a paper's reviews, and to whom HotCRP can email a password reminder. Data flow assertions also help prevent a range of other previously-unknown vulnerabilities in Python and PHP Web applications. A prototype Resin runtime for PHP has acceptable performance overhead, amounting to 33% for HotCRP.

The contributions of this work are the idea of a data flow assertion, and a technique for implementing data flow assertions using filter objects, policy objects, and data tracking. Experiments with several real applications further show that data flow assertions are concise, effective at preventing many security vulnerabilities, and incrementally deployable in existing applications.

The rest of the chapter is organized as follows. The next section discusses the specific goals and motivation for Resin. Section 2.3 presents the design of the Resin runtime, and Section 2.4 describes our implementation. Section 2.5 illustrates how Resin prevents a range of security vulnerabilities. Sections 2.6 and 2.7 present our evaluation of Resin's ease of use, effectiveness, and performance. We discuss Resin's limitations in Section 2.9. Section 2.10 covers related work, and Section 2.11 summarizes.

2.2 Goals and Examples

Resin's main goal is to help programmers avoid security vulnerabilities by treating exploits as data flow violations, and then using data flow assertions to detect these violations. This section explains how faulty data flows cause vulnerabilities, and how data flow assertions can prevent those vulnerabilities.
Vulnerability                   Vulnerable sites among those surveyed
Cross-site scripting            31.5%
Information leakage             23.3%
Predictable resource location   10.2%
SQL injection                    7.9%
Insufficient access control      1.5%
HTTP response splitting          0.8%

Table 2.2: Top Web site vulnerabilities of 2007 [82].
SQL Injection and Cross-Site Scripting

SQL injection and cross-site scripting vulnerabilities are common and can affect almost any Web application. Together, they account for over a third of all reported security vulnerabilities in 2008, as seen in Table 2.1. These vulnerabilities result from user input data flowing into a SQL query string or HTML without first flowing through their respective sanitization functions. To avoid these vulnerabilities today, programmers insert calls to the correct sanitization function on every single path on which user input can flow to SQL or HTML. In practice this is difficult to accomplish because there are many data flow paths to keep track of, and some of them are non-intuitive. For example, in one cross-site scripting vulnerability, phpBB queried a malicious whois server, and then incorporated the response into HTML without first sanitizing the response. A survey of Web applications [82] summarized in Table 2.2 illustrates how common these bugs are, with cross-site scripting affecting more than 31% of applications, and SQL injection affecting almost 8%.

If there were a tool that could enforce a data flow assertion on an entire application, a programmer could write an assertion to catch these bugs and prevent an adversary from exploiting them. For example, an assertion to prevent SQL injection exploits would verify that:

Data Flow Assertion 1: Any user input data must flow through a sanitization function before it flows into a SQL query.

Resin aims to be such a tool.

Directory Traversal

Directory traversal is another common vulnerability that accounts for 6.6% of the vulnerabilities in Table 2.1. In a directory traversal attack, a vulnerable application allows the user to enter a file name, but neglects to limit the directories available to the user. To exploit this vulnerability, an adversary typically inserts the ".." string as part of the file name, which allows the adversary to gain unauthorized access to read or write files in the server's file system.

These exploits can be viewed as faulty data flows. If the adversary reads a file without the proper authorization, the file's data is incorrectly flowing to the adversary. If the adversary writes to a file without the proper authorization, the adversary is causing an invalid flow into the file. Data flow assertions can address directory traversal vulnerabilities by enforcing data flow rules on the use of files. For example, a programmer could encode the following directory traversal assertion to protect against invalid writes:

Data Flow Assertion 2: No data may flow into directory d unless the authenticated user has write permission for d.

Server-Side Script Injection

Server-side script injection accounts for 5% of the vulnerabilities reported in Table 2.1. To exploit these vulnerabilities, an adversary uploads code to the server and then fools the application into running that code. For instance, many PHP applications load script code for different visual themes at runtime, by having the user specify the file name for their desired theme. An adversary can exploit this by uploading a file with the desired code onto the server (many applications allow uploading images or attachments), and then supplying the name of that file as the theme to load.

Even if the application is careful to not include user-supplied file names, a more subtle problem can occur. If an adversary uploads a file with a .php extension, the Web server may allow the adversary to directly execute that file's contents by simply issuing an HTTP request for that file. Avoiding such problems requires coordination between many parts of the application, and even the Web server, to understand which file extensions are "dangerous". This attack can be viewed as a faulty data flow and could be addressed by the following data flow assertion:

Data Flow Assertion 3: The interpreter may not interpret any user-supplied code.

Access Control

Insufficient access control can also be viewed as a data flow violation. These vulnerabilities allow an adversary to read data without proper authorization and make up 4.6% of the vulnerabilities reported in 2008. For example, a missing access control check in MoinMoin wiki allowed a user to read any wiki page, even if the page's access control list (ACL) did not permit the user to read that page [79]. Like the previous vulnerabilities, this data leak can be viewed as a data flow violation; the wiki page is flowing to a user who lacks permission to receive the page. This vulnerability could be addressed with the data flow assertion:

Data Flow Assertion 4: Wiki page p may flow out of the system only to a user on p's ACL.

Insufficient access control is particularly challenging to address because access control rules are often unique to the application. For example, MoinMoin's ACL rules differ from HotCRP's access control rules, which ensure that only paper authors and program committee (PC) members may read paper reviews, and that PC members may not view a paper's authors if the author list is anonymous. Ideally, a data flow assertion could take advantage of the code and data structures that an application already uses to implement its access control checks.

Password Disclosure

Another example of a specific access control vulnerability is a password disclosure vulnerability that was discovered in HotCRP; we use this bug as a running example for the rest of this chapter. This bug was a result of two separate features, as follows. First, a HotCRP user can ask HotCRP to send a password reminder email to the user's email address, in case the user forgets the password. HotCRP makes sure to send the email only to the email address of the account holder as stored in the server. The second feature is an email preview mode, in which the site administrator configures HotCRP to display email messages in the browser, rather than send them via email.

In this vulnerability, an adversary asks HotCRP to send a password reminder for another HotCRP user (the victim) while HotCRP is in email preview mode. HotCRP will display the content of the password reminder email in the adversary's browser, instead of sending the password to that victim's email address, thus revealing the victim's password to the adversary. A data flow assertion could have prevented this vulnerability because the assertion would have caught the invalid password flow despite the unexpected combination of the password reminder and email preview mode. The assertion in this case would have been:

Data Flow Assertion 5: User u's password may leave the system only via email to u's email address, or to the program chair.
2.2.1 Threat Model

As we have shown, many vulnerabilities in today's applications can be thought of as programming errors that allow faulty data flows. Adversaries exploit these faulty data flows to bypass the application's security plan. Resin aims to prevent adversaries from exploiting these faulty data flows by allowing programmers to explicitly specify data flow assertions, which are then checked at runtime in all places in the application.

We expect that programmers would specify data flow assertions to prevent the well-known vulnerabilities shown in Table 2.1, as well as existing application-specific rules, such as HotCRP's rules for password disclosure or reviewer conflicts of interest. As programmers write new code, they can use data flow assertions to make sure their data is properly handled in code written by other developers, without having to look at the entire code base. Finally, as new problems are discovered, either by attackers or by programmers auditing the code, data flow assertions can be used to fix an entire class of vulnerabilities, rather than just a specific instance of the bug.

Resin treats the entire language runtime, and application code, as part of the trusted computing base. Resin assumes the application code is not malicious, and does not prevent an adversary from compromising the underlying language runtime or the OS. In general, a buffer overflow attack can compromise a language runtime, but buffer overflows are less of an issue for Resin because code written in languages like PHP and Python is not susceptible to buffer overflows.
Figure 2-1: Overview of the HotCRP password data flow assertion.

2.3 Design

Many of the vulnerabilities described in Section 2.2 can be addressed with data flow assertions, but the design of such an assertion system requires solutions to a number of challenges. First, the system must enforce assertions on the many communication channels available to the application. Second, the system must provide a convenient API in which programmers can express many different types of data flow assertions. Finally, the system must handle several assertions in a single application gracefully; it should be easy to add new assertions, and doing so should not disrupt existing assertions. This section describes how Resin addresses these design challenges, beginning with an example of how a data flow assertion prevents the HotCRP password disclosure vulnerability described in Section 2.2.

2.3.1 Design Overview

To illustrate the high-level design of Resin and what a programmer must do to implement a data flow assertion, this section describes how a programmer would implement Data Flow Assertion 5, the HotCRP password assertion, using Resin. This example does not use all of Resin's features, but it does show Resin's main concepts.

Conceptually, the programmer needs to restrict the flow of passwords. However, passwords are handled by a number of modules in HotCRP, including the authentication code and code that formats and sends email messages. Thus, the programmer must confine passwords by defining a data flow boundary that surrounds the entire application. Then the programmer allows a password to exit that boundary only if that password is flowing to the owner via email, or to the program chair. Finally, the programmer marks the passwords as sensitive so that the boundary can identify which data contains password information, and writes a small amount of assertion checking code.
27classPasswordPolicyextendsPolicy{private$email;function__construct($email){$this->email=$email;}functionexport_check($context){if($context['type']=='email'&&$context['email']==$this->email)return;global$Me;if($context['type']=='http'&&$Me->privChair)return;thrownewException('unauthorizeddisclosure');}}policy_add($password,newPasswordPolicy('u@foo.
com'));Figure2-2:SimpliedPHPcodefordeningtheHotCRPpasswordpolicyclassandannotatingthepassworddata.
Thispolicyonlyallowsapasswordtobedisclosedtotheuser'sownemailaddressortotheprogramchair.
Resin provides three mechanisms that help the programmer implement such an assertion (see Figure 2-1):

- Programmers use filter objects to define data flow boundaries. A filter object interposes on an input/output channel or a function call interface.
- Programmers explicitly annotate sensitive data with policy objects. A policy object can contain code and metadata for checking assertions.
- Programmers rely on Resin's runtime to perform data tracking to propagate policy objects along with sensitive data when the application copies that data within the system.

Resin by default defines a data flow boundary around the language runtime using filter objects that cover all I/O channels, including pipes and sockets. By default, Resin also annotates some of these default filter objects with context metadata that describes the specific filter object. For example, Resin annotates each filter object connected to an outgoing email channel with the email's recipient address. The default set of filters and contexts defining the boundary are appropriate for the HotCRP password assertion, so the programmer need not define them manually.

In order for Resin to track the passwords, the programmer must annotate each password with a policy object, which is a language-level object that contains fields and methods. In this assertion, a user's password will have a policy object that contains a copy of the user's email address so that the assertion can determine which email address may receive the password data. When the user first sets their password, the programmer copies the user's email address from the current session information into the password's policy object. The programmer also writes the code that checks the assertion, in a method called export_check within the password policy object's class definition. Figure 2-2 shows the code the programmer must write to implement this data flow assertion, including the policy object's class definition and the code that annotates a password with a policy object. The policy object also shows how an assertion can benefit from the application's data structures; this assertion uses an existing flag, $Me->privChair, to determine whether the current user is the program chair.

Once a password has the appropriate policy object, Resin's data tracking propagates that policy object along with the password data; when the application copies or moves the data within the system, the policy goes along with the password data. For example, after HotCRP composes the email content using the password data, the email content will also have the password policy annotation (as shown in Figure 2-1).

Resin enforces the assertion by making each filter object call export_check on the policy object of any data that flows through the filter. The filter object passes its context as an argument to export_check to provide details about the specific I/O channel (e.g., the email's recipient).

This assertion catches HotCRP's faulty data flow before it can leak a password. When HotCRP tries to send the password data over an HTTP connection, the connection's filter object invokes the export_check method on the password's policy object. The export_check code observes that HotCRP is incorrectly trying to send the password over an HTTP connection, and throws an exception which prevents HotCRP from sending the password to the adversary. This solution works for all disclosure paths through the code because Resin's default boundary controls all output channels; HotCRP cannot reveal the password without traversing a filter object.

This example is just one way to implement the password data flow assertion, and there may be other ways. For example, the programmer could implement the assertion checking code in the filter objects rather than the password's policy object. However, modifying filter objects is less attractive because the programmer would need to modify every filter object that a password can traverse. Putting the assertion code in the policy object allows the programmer to write the assertion code in one place.
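The following is an added example, not code from the thesis or from the Resin prototypes: a small Python model of the three mechanisms just described (filter objects with a context hash table, policy objects with export_check, and propagation of the policy set when data is copied), used to run the HotCRP password assertion end to end. The names Tagged, Filter, policy_add, policy_get and the priv_chair context key are assumptions of this model; it tracks policies per value rather than per character, which Resin's runtime does.

```python
# Added example: a toy model of Resin's boundary mechanisms (assumed names).

class Policy:
    """Base class for policy objects; subclasses override export_check."""

    def export_check(self, context):
        pass


class Tagged:
    """A datum plus its policy set.  Python strings are immutable, so
    policy_add returns a new Tagged value instead of mutating the string."""

    def __init__(self, value, policies=()):
        self.value = value
        self.policies = frozenset(policies)

    def __add__(self, other):
        # Concatenation carries both operands' policies into the result.
        other_p = other.policies if isinstance(other, Tagged) else frozenset()
        other_v = other.value if isinstance(other, Tagged) else other
        return Tagged(self.value + other_v, self.policies | other_p)


def policy_add(data, policy):
    if not isinstance(data, Tagged):
        data = Tagged(data)
    return Tagged(data.value, data.policies | {policy})


def policy_get(data):
    return data.policies if isinstance(data, Tagged) else frozenset()


class Filter:
    """Default output filter: call export_check on every policy of the
    in-transit data, passing the channel's context hash table."""

    def __init__(self, **context):
        self.context = dict(context)

    def filter_write(self, buf):
        for p in policy_get(buf):
            if hasattr(p, "export_check"):
                p.export_check(self.context)
        return buf


class UnauthorizedDisclosure(Exception):
    pass


class PasswordPolicy(Policy):
    """Python version of Figure 2-2: a password may leave the runtime only
    to its owner's email address or over HTTP to the program chair."""

    def __init__(self, email):
        self.email = email

    def export_check(self, context):
        if context.get("type") == "email" and context.get("email") == self.email:
            return
        if context.get("type") == "http" and context.get("priv_chair"):
            return
        raise UnauthorizedDisclosure("unauthorized disclosure")


def send(filter_obj, data):
    """Push data through a channel; True if the boundary allowed the flow."""
    try:
        filter_obj.filter_write(data)
        return True
    except UnauthorizedDisclosure:
        return False


def demo():
    # Constructed sample data: one user's password, tagged when it is set.
    password = policy_add("hunter2", PasswordPolicy("u@foo.com"))
    # Composing the reminder email copies the password; the tag travels along.
    reminder = Tagged("Your password is: ") + password
    return {
        # Reminder to the owner: allowed.
        "email_to_owner": send(Filter(type="email", email="u@foo.com"), reminder),
        # Same email addressed to someone else: blocked.
        "email_to_other": send(Filter(type="email", email="x@bar.com"), reminder),
        # HTTP response to the program chair: allowed.
        "http_to_chair": send(Filter(type="http", priv_chair=True), reminder),
        # HTTP response to an ordinary user (the HotCRP bug): blocked.
        "http_to_user": send(Filter(type="http", priv_chair=False), reminder),
        # Untagged data has no policies, so the default filter passes it.
        "untagged": send(Filter(type="http", priv_chair=False), Tagged("hello")),
    }


if __name__ == "__main__":
    for channel, allowed in demo().items():
        print(f"{channel}: {'allowed' if allowed else 'blocked'}")
```

The point the model makes concrete is the last case: the default filter only consults the policies that are present, so untagged data passes, and the assertion is only as complete as the annotation of the sensitive data at its source.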
2.3.2 Filter Objects

A filter object, represented by a diamond in Figure 2-1, is a generic interposition mechanism that application programmers use to create data flow boundaries around their applications. An application can associate a filter object with a function call interface, or an I/O channel such as a file handle, socket, or pipe. Resin aims to support data flow assertions that are specific to an application, so Resin allows a programmer to implement a filter object as a language-level object in the same language as the rest of the application. This allows the programmer to reuse the application's code and data structures, and allows for better integration with applications.

When an application sends data across a channel guarded by a filter object, Resin invokes a method in that filter object with the data as an argument. If the interposition point is an I/O channel, Resin will invoke either filter_read or filter_write; for function calls, Resin will invoke filter_func (see Table 2.3). filter_read and filter_write can check or alter the in-transit data. filter_func can check or alter the function's arguments and return value.

For example, in an HTTP splitting attack, the adversary inserts an extra CR-LF-CR-LF delimiter into the HTTP output to confuse browsers into thinking there are two HTTP responses. To thwart this type of attack, the application programmer could write a filter object that scans for unexpected CR-LF-CR-LF character sequences, and then attach this filter to the HTTP output channel. As a second example, a function that encrypts data is a natural data flow boundary. A programmer may choose to attach a filter object to the encryption function that removes policy objects for confidentiality assertions such as the PasswordPolicy from Section 2.3.1.

    Function                            | Caller        | Semantics
    filter::filter_read(data, offset)   | Runtime       | Invoked when data comes in through a data flow boundary, and can assign initial policies for data; e.g., by de-serializing from persistent storage.
    filter::filter_write(data, offset)  | Runtime       | Invoked when data is exported through a data flow boundary; typically invokes assertion checks or serializes policy objects to persistent storage.
    filter::filter_func(args)           | Runtime       | Checks and/or proxies a function call.
    policy::export_check(context)       | Filter object | Checks if data flow assertion allows exporting data, and throws exception if not; context provides information about the data flow boundary.
    policy::merge(policy_object_set)    | Runtime       | Returns set of policies (typically zero or one) that should apply to merging of data tagged with this policy and data tagged with policy_object_set.
    policy_add(data, policy)            | Programmer    | Adds policy to data's policy set.
    policy_remove(data, policy)         | Programmer    | Removes policy from data's policy set.
    policy_get(data)                    | Programmer    | Returns set of policies associated with data.

Table 2.3: The Resin API. A::B(args) denotes method B of an object of type A. Not shown is the API used by the programmer to specify and access filter objects for different data flow boundaries.

    class DefaultFilter(Filter):
        def __init__(self):
            self.context = {}

        def filter_write(self, buf):
            # Give every policy on the outgoing data a chance to veto the flow.
            for p in policy_get(buf):
                if hasattr(p, 'export_check'):
                    p.export_check(self.context)
            return buf

Figure 2-3: Python code for the default filter for sockets.
Default Filter Objects

Resin pre-defines default filter objects on all I/O channels into and out of the runtime, including sockets, pipes, files, HTTP output, email, SQL, and code import. Since these default filter objects are at the edge of the runtime, data can flow freely within the application and the default filters will only check assertions before making program output visible to the outside world. This boundary should be suitable for many assertions because it surrounds the entire application. The default boundary also helps programmers avoid accidentally overlooking an I/O channel, which would result in an incomplete boundary that would not cover all possible flows.

The default filter objects check the in-transit data for policies, as shown in Figure 2-3. If a filter finds a policy that has an export_check method, the filter invokes the policy's export_check method. As described in Section 2.3.1, export_check typically checks the assertion and throws an exception if the flow would violate the assertion.

Since the policy's export_check method may need additional information about the filter's specific I/O channel or function call to check the assertion, Resin attaches context information, in the form of a hash table, to some of the default filters as described in Section 2.3.1. Resin also allows the application to add its own key-value pairs to the context hash table of default filter objects. The context key-value pairs are likely specific to the I/O channel or function call that the filter guards, and the default filter passes the context hash table as an argument to export_check. In the HotCRP example, the context for a sendmail pipe contains the recipient of the email (as shown in Figure 2-1).

Importing Code

Resin treats the interpreter's execution of script code as another data flow channel, with its own filter object. This allows programmers to interpose on all code flowing into the interpreter, and ensure that such code came from an approved source. This can prevent server-side script injection attacks, where an adversary tricks the interpreter into executing adversary-provided script code.

Write Access Control

In addition to runtime boundaries, Resin also permits an application to place filter objects on persistent files to control write access, because data tracking alone cannot prevent modifications. In particular, Resin allows programmers to specify access control checks for files and directories in a persistent filter object that's stored in the extended attributes of a specific file or directory. The runtime automatically invokes this persistent filter object when data flows into or out of that file, or modifies that directory (such as creating, deleting, or renaming files). This programmer-specified filter object can check whether the current user is authorized to access that file or directory. These persistent filter objects associated with a specific file or directory are separate from the filter objects associated by default with every file's I/O channel.
2.3.3 Policy Objects

Like a filter object, a policy object is a language-level object, and can reuse the application's existing code and data structures. A policy object can contain fields and methods that work in concert with filter objects; policy objects are represented by the rounded rectangles in Figure 2-1. To work with default filter objects, a policy object should have an export_check method as shown in Table 2.3. As mentioned earlier, default filter objects invoke export_check when data with a policy passes through a filter, so export_check is where programmers implement an assertion check for use with default filters. If the assertion fails, export_check should throw an exception so that Resin can prevent the faulty data flow.

The main distinction between policy objects and filter objects is that a policy object is specific to data, and a filter object is specific to a channel. A policy object would contain data-specific metadata and code; for example, the HotCRP password policy contains the email address of the password's account holder. A filter object would contain channel-specific metadata; for example, the email filter object contains the recipient's email address.

Even though Resin allows programmers to write many different filter and policy objects, the interface between all filters and policies remains largely the same, if the application uses export_check. This limits the complexity of adding or changing filters and policies, because each policy object need not know about all possible filter objects, and each filter object need not know about all possible policy objects (although this does not preclude the programmer from implementing special cases for certain policy-filter pairs).
2.3.4 Data Tracking

Resin keeps track of policy objects associated with data. The programmer attaches a policy object to a datum, a primitive data element such as an integer or a character in a string (although it is common to assign the same policy to all characters in a string). The Resin runtime then propagates that policy object along with the data, as the application code moves or copies the data. To attach a policy object to data, the programmer uses the policy_add function listed in Table 2.3. Since an application may have multiple data flow assertions, a single datum may have multiple policy objects, all contained in the datum's policy set.

Resin propagates policies in a fine-grained manner. For example, if an application concatenates the string "foo" (with policy p1), and "bar" (with policy p2), then in the resulting string "foobar", the first three characters will have only policy p1 and the last three characters will have only p2. If the programmer then takes the first three characters of the combined string, the resulting substring "foo" will only have policy p1. Tracking data at the character level minimizes interference between different data flow assertions, whose data may be combined in the same string, and minimizes unintended policy propagation when marshaling and un-marshaling data structures. For example, in the HotCRP password reminder email message, only the characters comprising the user's password have the password policy object. The rest of the string is not associated with the password policy object, and can potentially be manipulated and sent over the network without worrying about the password policy (assuming there are no other policies).

Resin tracks explicit data flows such as variable assignment; most of the bugs we encountered, including all the bugs described in Sections 2.2 and 2.6, use explicit data flows. However, some data flows are implicit. One example is a control flow channel, such as when a value that has a policy object influences a conditional branch, which then changes the program's output. Another example of an implicit flow is through data structure layout; an application can store data in an array using a particular order. Resin does not track this order information, and a programmer cannot attach a policy object to the array's order. These implicit data flows are sometimes surprising and difficult to understand, and Resin does not track them. If the programmer wants to specify data flow assertions about such data, the programmer must first make this data explicit, and only then attach a policy to it.
Persistent Policies

Resin only tracks data flow inside the language runtime, and checks assertions at the runtime boundary, because it cannot control what happens to the data after it leaves the runtime. However, many applications store data persistently in file systems and databases. For example, HotCRP stores user passwords in a SQL database. It can be inconvenient and error-prone for the programmer to manually save metadata about the password's policy object when saving it to the database, and then reconstruct the policy object when reading the password later.

Figure 2-4: Saving persistent policies to a SQL database for HotCRP passwords. Uses symbols from Figure 2-1.

To help programmers of such applications, Resin transparently tracks data flows to and from persistent storage. Resin's default filter objects serialize policy objects to persistent files and database storage when data is written out, and de-serialize the policy objects when data is read back into the runtime. For data going to a file, the file's default filter object serializes the data's policy objects into the file's extended attributes. Whenever the application reads data from the file, the filter reads the serialized policy from the file's extended attributes, and associates it with the newly-read data. Resin tracks policies for file data at byte-level granularity, as it does for strings.

Resin also serializes policies for data stored in a SQL database, as shown in Figure 2-4. Resin accomplishes this by attaching a default filter object to the function used to issue SQL queries, and using that filter to rewrite queries and results. For a CREATE TABLE query, the filter adds an additional policy column to store the serialized policy for each data column. For a query that writes to the database, the filter augments the query to store the serialized policy of each cell's value into the corresponding policy column. Last, for a query that fetches data, the filter augments the query to fetch the corresponding policy column, and associates each de-serialized policy object with the corresponding data cell in the resulting set of rows.

Storing policies persistently also helps other programs, such as the Web server, to check invariants on file data. For example, if an application accidentally stores passwords in a world-readable file, and an adversary tries to fetch that file via HTTP, a Resin-aware Web server will invoke the file's policy objects before transmitting the file, fail the export check, and prevent password disclosure.

Resin only serializes the class name and data fields of a policy object. This allows programmers to change the code for a policy class to evolve its behavior over time. For example, a programmer could change the export_check method of HotCRP's password policy object to disallow disclosure to the program chair without changing the existing persistent policy objects. However, if the application needs to change the fields of a persistent policy, the programmer will need to update the persistent policies, much like database schema migration.
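The following is an added example, not the thesis's or the Resin prototype's code: a Python sketch of a SQL filter that persists policies beside the data, covering the three rewrites just described (CREATE TABLE gains a shadow policy column per data column, a write stores the serialized policy, a read fetches and re-attaches it) and the "class name and fields only" serialization that lets export_check evolve. It uses sqlite3 in memory; the regular-expression rewriter handles only the query shapes used in demo() (Resin's PHP prototype has a real SQL parser), and the Tagged type, the JSON format and the POLICY_CLASSES registry are assumptions of this example.

```python
# Added example: persisting policy objects through a SQL filter (assumed API).
import json
import re
import sqlite3


class Policy:
    def export_check(self, context):
        pass


class PasswordPolicy(Policy):
    """Data-side assertion: the password may only be exported to its owner."""
    def __init__(self, email):
        self.email = email

    def export_check(self, context):
        if context.get("email") != self.email:
            raise Exception("unauthorized disclosure")


# Registry used to rebuild a policy object from its stored class name.
POLICY_CLASSES = {"PasswordPolicy": PasswordPolicy}


def serialize(policy):
    """Store only the class name and data fields, never the code."""
    return json.dumps({"class": type(policy).__name__, "fields": vars(policy)})


def deserialize(blob):
    if blob is None:
        return None
    rec = json.loads(blob)
    cls = POLICY_CLASSES[rec["class"]]
    obj = cls.__new__(cls)              # current code for the class ...
    obj.__dict__.update(rec["fields"])  # ... plus the persisted fields
    return obj


class Tagged:
    """A cell value with its policy object (one policy per cell, for brevity)."""
    def __init__(self, value, policy=None):
        self.value, self.policy = value, policy


class SqlPolicyFilter:
    """Filter on the query-issuing function: rewrites CREATE TABLE, INSERT
    and SELECT so that every data column has a shadow <col>_policy column."""
    _create = re.compile(r"CREATE TABLE (\w+) \((.*)\)", re.I)
    _insert = re.compile(r"INSERT INTO (\w+) \((.*?)\) VALUES \((.*?)\)", re.I)
    _select = re.compile(r"SELECT (.*?) FROM (\w+)(.*)", re.I | re.S)

    def __init__(self, conn):
        self.conn = conn

    def execute(self, sql, params=()):
        sql = sql.strip()
        m = self._create.fullmatch(sql)
        if m:
            cols = [c.strip() for c in m.group(2).split(",")]
            extra = [f"{c.split()[0]}_policy TEXT" for c in cols]
            return self.conn.execute(f"CREATE TABLE {m.group(1)} ({', '.join(cols + extra)})")
        m = self._insert.fullmatch(sql)
        if m:
            cols = [c.strip() for c in m.group(2).split(",")]
            values = [p.value if isinstance(p, Tagged) else p for p in params]
            blobs = [serialize(p.policy) if isinstance(p, Tagged) and p.policy else None
                     for p in params]
            all_cols = cols + [f"{c}_policy" for c in cols]
            marks = ", ".join("?" * len(all_cols))
            return self.conn.execute(
                f"INSERT INTO {m.group(1)} ({', '.join(all_cols)}) VALUES ({marks})",
                values + blobs)
        m = self._select.fullmatch(sql)
        if m:
            cols = [c.strip() for c in m.group(1).split(",")]
            all_cols = cols + [f"{c}_policy" for c in cols]
            cur = self.conn.execute(
                f"SELECT {', '.join(all_cols)} FROM {m.group(2)}{m.group(3)}", params)
            n = len(cols)
            # Re-attach each de-serialized policy to its data cell.
            return [tuple(Tagged(row[i], deserialize(row[n + i])) for i in range(n))
                    for row in cur]
        raise ValueError("query shape not handled by this example rewriter")


def demo():
    db = SqlPolicyFilter(sqlite3.connect(":memory:"))
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Constructed sample row: the password is tagged when the account is created.
    db.execute("INSERT INTO users (name, password) VALUES (?, ?)",
               ["alice", Tagged("s3cret", PasswordPolicy("alice@example.org"))])
    (name, password), = db.execute("SELECT name, password FROM users WHERE name = ?", ["alice"])
    stored = db.conn.execute("SELECT password_policy FROM users").fetchone()[0]
    out = {
        "name_has_no_policy": name.policy is None,
        "password_policy_restored": isinstance(password.policy, PasswordPolicy)
        and password.policy.email == "alice@example.org",
        "policy_column_stored": stored == serialize(PasswordPolicy("alice@example.org")),
    }
    # The rebuilt policy enforces the assertion exactly like a fresh one would.
    for key, email in (("owner", "alice@example.org"), ("other", "mallory@example.org")):
        try:
            password.policy.export_check({"type": "email", "email": email})
            out[f"export_to_{key}_allowed"] = True
        except Exception:
            out[f"export_to_{key}_allowed"] = False
    return out
```

Because deserialize builds the object from the class currently loaded and only restores its fields, editing PasswordPolicy.export_check changes what every stored row enforces on its next read; renaming or adding a field, by contrast, would require rewriting the stored JSON, which is the schema-migration case the text mentions.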
Merging Policies

Resin uses character-level tracking to avoid having to merge policies when individual data elements are propagated verbatim, such as through concatenation or taking a substring. Unfortunately, merging is inevitable in some cases, such as when string characters with different policies are converted to integer values and added up to compute a checksum. In many situations, such low-level data transformation corresponds to a boundary, such as encryption or hashing, and would be a good fit for an application-specific filter object. However, relying on the programmer to insert filter objects in all such places would be error-prone, and Resin provides a safety net by merging policy objects in the absence of any explicit actions by the programmer.

By default, Resin takes the union of policy objects of source operands, and attaches them to the resulting datum. The union strategy is suitable for some data flow assertions. For example, an assertion that tracks user-supplied inputs by marking them with a UserData policy would like to label the result as UserData if any source operand was labeled as such. In contrast, the intersection strategy may be applicable to other policies. An assertion that tracks data authenticity by marking data with an AuthenticData policy would like to label the result as AuthenticData only if all source operands were labeled that way.

Because different policies may have different notions of a safe merge strategy, Resin allows a policy object to override the merge method shown in Table 2.3. When application code merges two data elements, Resin invokes the merge method on each policy of each source operand, passing in the entire policy set of the other operand as the argument. The merge method returns a set of policy objects that it wants associated with the new datum, or throws an exception if this policy should not be merged. The merge method can consult the set of policies associated with the other operand to implement either the union or intersection strategies. The Resin runtime then labels the resulting datum with the union of all policies returned by all merge methods.
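The following is an added example, not the thesis's or the Resin prototype's code: a Python model of the character-level tracking and the merge rule of Section 2.3.4. It reproduces the "foo"/"bar" propagation case, then forces a merge by folding characters into a checksum, so that a UserData policy (union semantics, the default merge) survives while an AuthenticData policy (intersection semantics, via an overridden merge) is dropped as soon as an operand without it is folded in. TaggedString, UserData, AuthenticData, merge_policies and checksum are names assumed for this example; Resin's runtime does the propagation inside the language, not in a wrapper class.

```python
# Added example: per-character policy sets and Resin's merge rule (assumed names).

class Policy:
    def merge(self, other_policies):
        """Default strategy (union): keep this policy on the merged datum."""
        return {self}


class UserData(Policy):
    """Union semantics: the result is user data if any operand was."""


class AuthenticData(Policy):
    """Intersection semantics: the result is authentic only if the other
    operand also carried an AuthenticData policy."""
    def merge(self, other_policies):
        if any(isinstance(p, AuthenticData) for p in other_policies):
            return {self}
        return set()


class TaggedString:
    """A string whose characters each carry their own policy set."""
    def __init__(self, text, tags=None):
        self.text = text
        self.tags = list(tags) if tags is not None else [frozenset()] * len(text)
        assert len(self.tags) == len(self.text)

    def __add__(self, other):
        # Concatenation copies each character's policies verbatim: no merging.
        return TaggedString(self.text + other.text, self.tags + other.tags)

    def __getitem__(self, key):
        # Slicing keeps the policies of exactly the characters selected.
        if isinstance(key, slice):
            return TaggedString(self.text[key], self.tags[key])
        return TaggedString(self.text[key], [self.tags[key]])

    def __len__(self):
        return len(self.text)


def policy_add(s, policy, start=0, end=None):
    """Return a new TaggedString with policy added to characters [start, end)."""
    end = len(s) if end is None else end
    return TaggedString(s.text, [t | {policy} if start <= i < end else t
                                 for i, t in enumerate(s.tags)])


def policy_get(s, index):
    return s.tags[index]


def merge_policies(left_set, right_set):
    """Resin's merge rule: ask every policy of each operand what should apply,
    passing it the other operand's whole policy set, then union the answers."""
    result = set()
    for p in left_set:
        result |= p.merge(right_set)
    for p in right_set:
        result |= p.merge(left_set)
    return frozenset(result)


def checksum(s):
    """Fold a string's characters into one integer: every character's policy
    set must be merged into the single result, so this is where merge runs."""
    if not s.text:
        return 0, frozenset()
    total, tags = ord(s.text[0]) % 256, s.tags[0]
    for ch, t in zip(s.text[1:], s.tags[1:]):
        total = (total + ord(ch)) % 256
        tags = merge_policies(tags, t)
    return total, tags


def demo():
    p1, p2 = UserData(), UserData()
    foo = policy_add(TaggedString("foo"), p1)
    bar = policy_add(TaggedString("bar"), p2)
    foobar = foo + bar
    out = {}
    # Fine-grained propagation: "foo" characters carry only p1, "bar" only p2.
    out["first_has_p1_only"] = policy_get(foobar, 0) == {p1}
    out["last_has_p2_only"] = policy_get(foobar, 5) == {p2}
    out["substring_keeps_p1"] = all(t == {p1} for t in foobar[:3].tags)

    # Merging: a checksum over characters with differing policies forces a merge.
    auth = AuthenticData()
    signed = policy_add(TaggedString("ok"), auth)
    mixed = signed + TaggedString("!")        # "!" carries no policy
    _, signed_tags = checksum(signed)
    _, mixed_tags = checksum(mixed)
    out["all_authentic_keeps_policy"] = auth in signed_tags
    out["partly_authentic_drops_policy"] = auth not in mixed_tags
    _, user_tags = checksum(foo + TaggedString("!"))
    out["user_data_survives_union"] = p1 in user_tags
    return out
```

Note that checksum seeds the fold with the first character's policy set rather than an empty set: an empty initial set would make every intersection-style policy vanish on the first step, which is a merge-order pitfall worth remembering when implementing a runtime's fold operations.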
2.4 Implementation

We have implemented two Resin prototypes, one in the PHP runtime, and the other in Python. At a high level, Resin requires the addition of a pointer, that points to a set of policy objects, to the runtime's internal representation of a datum. For example, in PHP, the additional pointer resides in the zval object for strings and numbers. For strings, each policy object contains a character range for which the policy applies. When copying or moving data from one primitive object to another, the language runtime copies the policy set from the source to the destination, and modifies the character ranges if necessary. When merging individual data elements, the runtime invokes the policies' merge functions.

The PHP prototype involved 5,944 lines of code. The largest module is the SQL parsing and translation mechanism at about 2,600 lines. The core data structures and related functions make up about 1,100 lines. Most of the remaining 2,200 lines are spent propagating and merging policy objects. Adding propagation to the core PHP language required changes to its virtual machine opcode handlers, such as variable assignment, addition, and string concatenation. In addition, PHP implements many of its library functions, such as substr and printf, in C, which are outside of PHP's virtual machine and require additional propagation code. To allow the Web server to check persistent policies for file data, as described in Section 2.3.4, we modified the mod_php Apache module to de-serialize and invoke policy objects for all static files it serves. Doing so required modifying 49 lines of code in mod_php.

The Python prototype only involved 681 lines of code; this is fewer than the PHP prototype for two reasons. First, our Python prototype does not implement all the Resin features; it lacks character-level data tracking, persistent policy storage in SQL databases, and Apache static file support. Second, Python uses fewer C libraries, so it required little propagation code beyond the opcode handlers.
2.5 Applying Resin

Resin's main goal is to allow programmers to avoid security vulnerabilities by specifying data flow assertions. Section 2.3.1 already showed how a programmer can implement a data flow assertion that prevents password disclosure in HotCRP. This section shows how a programmer would implement data flow assertions for a number of other vulnerabilities and applications using Resin. The following examples use the syntax described in Table 2.3. Additionally, these examples use sock.__filter to access a socket's filter object, and in the Python code, policy_add and policy_remove return a new string with the same contents but a different policy set, because Python strings are immutable.

2.5.1 Access Control Checks

As mentioned in Section 2.2, Resin aims to address missing access control checks. To illustrate how a programmer would use Resin to verify access control checks, this section provides an example implementation of Data Flow Assertion 4, the assertion that verifies MoinMoin wiki's read ACL scheme (see Section 2.2). The MoinMoin ACL assertion prevents a wiki page from flowing to a user that's not on the page's ACL. One way for a programmer to implement this assertion in Resin is to:

1. annotate HTTP output channels with context that identifies the user on the other end of the channel;
2. define a PagePolicy object that contains an ACL;
3. implement an export_check method in PagePolicy that matches the output channel against the PagePolicy's ACL;
4. attach a PagePolicy to the data in each wiki page.
    def process_client(client_sock):
        req = parse_request(client_sock)
        # Record who is on the other end of this HTTP connection in the
        # socket filter's context, so that export_check can consult it.
        client_sock.__filter.context['user'] = req.user
        ... process req ...

    class PagePolicy(Policy):
        def __init__(self, acl):
            self.acl = acl

        def export_check(self, context):
            # Reuse MoinMoin's own ACL check against the connection's user.
            if not self.acl.may(context['user'], 'read'):
                raise Exception("insufficient access")

    class Page:
        def update_body(self, text):
            # Python strings are immutable, so policy_add returns a new string.
            text = policy_add(text, PagePolicy(self.getACL()))
            ... write text to page's file ...

Figure 2-5: Python code for a data flow assertion that checks read access control in MoinMoin. The process_client and update_body functions are simplified versions of MoinMoin equivalents.

Figure 2-5 shows all the code necessary for this implementation. The process_client function annotates each HTTP connection's context with the current user, after parsing the user's request and credentials. PagePolicy contains a copy of the ACL, and implements export_check. The update_body method creates a PagePolicy object and attaches it to the page's data before saving the page to the file system. One reason why the PagePolicy is short is that it reuses existing application code to perform the access control check.

This example assertion illustrates the use of persistent policies. The update_body function associates a PagePolicy with the contents of a page immediately before writing the page to a file. As the page data flows to the file, the default filter object serializes the PagePolicy object, including the access control list, to the file system. When MoinMoin reads this file later, the default filter will de-serialize the PagePolicy and attach it to the page data in the runtime, so that Resin will automatically enforce the same access control policy.

In this implementation, the update_body function provides a single place where MoinMoin saves the page to the file system, and thus a single place to attach the PagePolicy. If, however, MoinMoin had multiple code paths that stored pages in the file system, the programmer could assign the policy to the page contents earlier, perhaps directly to the CGI input variables.

In addition to read access checks, the programmer can also define a data flow assertion that verifies write access checks. MoinMoin's write ACLs imply the assertion: data may flow into wiki page p only if the user is on p's write ACL. MoinMoin stores a wiki page as a directory that contains each version of the page as a separate file. The programmer can implement this assertion by creating a filter class that verifies the write ACL against the current user, and then attaching filter instances to the files and directory that represent a wiki page. The filters restrict the modification of existing versions, and also the creation of new versions, based on the page's ACL.
    class CodeApproval extends Policy {
        // An empty marker policy: its presence on the code is the approval.
        function export_check($context) {}
    }

    function make_file_executable($f) {
        $code = file_get_contents($f);
        policy_add($code, new CodeApproval());
        // Writing the tagged contents back persists the policy with the file.
        file_put_contents($f, $code);
    }

    class InterpreterFilter extends Filter {
        function filter_read($buf) {
            foreach (policy_get($buf) as $p)
                if ($p instanceof CodeApproval)
                    return $buf;
            throw new Exception('not executable');
        }
    }

Figure 2-6: Simplified PHP code for a data flow assertion that catches server-side script injection. In the actual implementation, filter_read verifies that each character in $buf has the CodeApproval policy.

2.5.2 Server-Side Script Injection

Another class of vulnerabilities that Resin aims to address is server-side script injection, as described in Section 2.2, which can be addressed with Data Flow Assertion 3. One way for the programmer to implement this assertion is to:

1. define an empty CodeApproval policy object;[1]
2. annotate application code and libraries with CodeApproval policy objects;
3. change the interpreter's default input filter (see Section 2.3.2) to require a CodeApproval policy on all imported code.

This data flow assertion instructs Resin to limit what code the interpreter may use. Figure 2-6 lists the code for implementing this assertion. When installing an application, the developer tags the application code and system libraries with a persistent CodeApproval policy object using make_file_executable. The filter_read method only allows code with a CodeApproval policy object to pass, ensuring that code from an adversary, which would lack the CodeApproval policy, will not be executed, whether through include statements, eval, or direct HTTP requests. The programmer must override the interpreter's filter in a global configuration file, to ensure the filter is set before any other code executes; PHP's auto_prepend_file option is one way to do this. If, instead, the application set the filter at the beginning of the application's own code, adversaries could bypass the check if they are able to upload and run their own .php files.

This example illustrates the need for programmer-specified filter objects in addition to programmer-specified context for default filters. The default filter calls export_check on all the policies that pass through, but the default filter always permits data that has no policy. The filter in this script injection assertion requires that data have a CodeApproval policy, and rejects data that does not.

[1] The CodeApproval policy does not need to take the intersection of policies during merge because Resin's character-level data tracking avoids having to merge file data.
2.5.3 SQL Injection and Cross-Site Scripting

As mentioned in Section 2.2, the two most popular attack vectors in Web applications today are SQL injection and cross-site scripting. This section presents two different strategies for using Resin to address these vulnerabilities. To implement the first strategy, the programmer:

1. defines two policy object classes: UntrustedData and SQLSanitized;
2. annotates untrusted input data with an UntrustedData policy;
3. changes the existing SQL sanitization function to attach a SQLSanitized object to the freshly sanitized data;
4. changes the SQL filter object to check the policy objects on each SQL query.

If the query contains any characters that have the UntrustedData policy, but not the SQLSanitized policy, the filter will throw an exception and refuse to forward the query to the database. Addressing cross-site scripting is similar, except that it uses HTMLSanitized rather than SQLSanitized. This strategy catches unsanitized data because the data will lack the correct SQLSanitized or HTMLSanitized policy object. The reason for appending SQLSanitized and HTMLSanitized instead of removing UntrustedData is to allow the assertion to distinguish between data that may be incorporated into SQL versus HTML, since they use different sanitization functions. This strategy ensures that the programmer uses the correct sanitizer (e.g., the programmer did not accidentally use SQL quoting for a string used as part of an HTML document).

The second strategy for preventing SQL injection and cross-site scripting vulnerabilities is to use the same UntrustedData policy from the previous strategy, but rather than appending a policy like SQLSanitized, the SQL filter inspects the final query and throws an exception if any characters in the query's structure (keywords, whitespace, and identifiers) have the UntrustedData policy. The HTML filter performs a similar check for UntrustedData on JavaScript portions of the HTML to catch cross-site scripting errors, similar to a technique used in prior work [60]. A variation on the second strategy is to change the SQL filter's tokenizer to keep contiguous bytes with the UntrustedData policy in the same token, and to automatically sanitize the untrusted data in transit to the SQL database. This will prevent untrusted data from affecting the command structure of the query, and likewise for the HTML tokenizer. These two variations require the addition of either tokenizing or parsing to the filter objects, but they avoid relying on trusted quoting functions. We have experimented with both of these strategies, and find that while the second approach requires more code for the parsers, many applications can reuse the same parsing code.

A SQL injection assertion is complementary to the other assertions we describe in this section. For instance, even if an application has a SQL injection vulnerability, and an adversary manages to execute the query SELECT user, password FROM userdb, the policy object for each password will still be de-serialized from the database, and will prevent password disclosure.
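The following is an added example, not the thesis's or the Resin prototype's code: a Python sketch of the second strategy's SQL filter. It tokenizes the final query and raises if any character outside a string or numeric literal (that is, in a keyword, identifier, operator or whitespace) carries the UntrustedData policy. The TaintedQuery type, the trusted/untrusted constructors and the five-alternative tokenizer are assumptions of this example; Resin's PHP prototype has a much fuller SQL parser, and the auto-sanitizing variation mentioned in the text is not shown.

```python
# Added example: structure check for the second SQL injection strategy (assumed API).
import re


class UntrustedData:
    """Marker policy for user-supplied input."""


UNTRUSTED = UntrustedData()


class TaintedQuery:
    """A query string with one policy set per character, built by
    concatenating trusted fragments and untrusted (user-supplied) ones."""
    def __init__(self, text="", tags=None):
        self.text = text
        self.tags = list(tags) if tags is not None else [frozenset()] * len(text)

    def __add__(self, other):
        return TaintedQuery(self.text + other.text, self.tags + other.tags)


def trusted(text):
    return TaintedQuery(text)


def untrusted(text):
    return TaintedQuery(text, [frozenset({UNTRUSTED})] * len(text))


class SQLInjection(Exception):
    pass


# Token kinds, tried in order: a quoted string literal (with '' as the escaped
# quote), a number, a word (keyword or identifier), whitespace, or any single
# remaining character (operators, punctuation, a stray unterminated quote).
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|\s+|.", re.S)


def tokenize(text):
    return [(m.start(), m.end(), m.group()) for m in TOKEN.finditer(text)]


def is_literal(tok):
    """String or numeric literals are the only places untrusted bytes may sit."""
    return (tok[0] == "'" and len(tok) >= 2 and tok[-1] == "'") or tok.isdigit()


def sql_filter_write(q):
    """The SQL channel's filter: reject the query if an untrusted character
    lands anywhere in its structure instead of inside a literal."""
    for start, end, tok in tokenize(q.text):
        if is_literal(tok):
            continue
        if any(UNTRUSTED in q.tags[i] for i in range(start, end)):
            raise SQLInjection(f"untrusted data in query structure: {tok!r} at {start}")
    return q.text


def check(q):
    try:
        sql_filter_write(q)
        return True
    except SQLInjection:
        return False


def demo():
    # Constructed sample queries: the application supplies the structure and
    # the quotes; only the parts wrapped in untrusted() come from a user.
    base = trusted("SELECT user, email FROM users WHERE name = '")
    by_id = trusted("SELECT * FROM papers WHERE id = ")
    return {
        "benign_name": check(base + untrusted("alice") + trusted("'")),
        "escaped_quote": check(base + untrusted("O''Brien") + trusted("'")),
        "quote_breakout": check(base + untrusted("x' OR '1'='1") + trusted("'")),
        "numeric_id": check(by_id + untrusted("42")),
        "numeric_breakout": check(by_id + untrusted("42 OR 1=1")),
        "trusted_only": check(trusted("DELETE FROM sessions WHERE expired = 1")),
    }
```

In the quote_breakout case the tokenizer closes the literal at the user's first quote, so the very next whitespace token is made of untrusted characters and the filter refuses the query; no knowledge of which quoting function the application used is needed, which is the point of the second strategy.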
2.5.4 Other Attack Vectors

Finally, there are a number of other attack vectors that Resin can help defend against. For instance, to address the HTTP response splitting attack described in Section 2.3.2, a developer can use a filter to reject any CR-LF-CR-LF sequences in the HTTP header that came from user input.

As Web applications use more client-side code, they also use more JSON to transport data from the server to the client. Here, much like in SQL injection, an adversary may be able to craft an input string that changes the structure of the JSON's JavaScript data structure, or worse yet, include client-side code as part of the data structure. Web applications can use Resin's data tracking mechanisms to avoid these pitfalls as they would for SQL injection.
2.5.5 Application Integration

One potential concern when using Resin is that a data flow assertion can duplicate data flow checks and security checks that already exist in an application. As a concrete example, consider HotCRP, which maintains a list of authors for each paper. If a paper submission is anonymous, HotCRP must not reveal the submission's list of authors to the PC members. HotCRP already performs this check before adding the author list to the HTML output. Adding a Resin data flow assertion to verify read access to the author list will make HotCRP perform the access check a second time within the data flow assertion, duplicating the check that already exists.

If a programmer implements an application with Resin in mind, the programmer can use an exception to indicate that the user may not read certain data, thereby avoiding duplicate access checks. For example, we modified the HotCRP code that displays a paper submission to always try to display the submission's author list. If the submission is anonymous, the data flow assertion raises an exception; the display code catches that exception, and then displays the string "Anonymous" instead of the author list. This avoids duplicate checks because the page generation code does not explicitly perform the access control check.

However, if the application sends HTML output to the browser during a try block and then encounters an exception later in the try block, the previously released HTML might be invalid because the try block did not run to completion. Resin provides an output buffering mechanism to assist with this style of code. To use output buffering, the application starts a new try block before running HTML generation code that might throw an exception. At the start of the try block, the application notifies the outgoing HTML filter object to start buffering output. If the try block throws an exception, the corresponding catch block notifies the HTML filter to discard the output buffer, and potentially send alternate output in its place (such as "Anonymous" in the example). However, if the try block runs to completion, the try block notifies the HTML filter to release the data in the output buffer.

Using exceptions, instead of explicit access checks, frees the programmer from needing to know exactly which checks to invoke in every single case, because Resin invokes the checks. Instead, programmers need only wrap code that might fail a check with an appropriate exception handler, and specify how to present an exception to the user.
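The following is an added example, not the thesis's or HotCRP's code: a Python model of the exception-driven style with output buffering described in this section. The page code always tries to render the author list; the data-side policy raises for a PC member viewing an anonymous submission, the catch block discards the buffered fragment and writes "Anonymous" instead, and a completed try block releases the buffer. BufferedHtmlFilter, AuthorListPolicy, render_submission and the role context key are assumptions of this example.

```python
# Added example: exception-driven access checks with output buffering (assumed API).

class AccessDenied(Exception):
    pass


class AuthorListPolicy:
    """Data-side check: the author list of an anonymous submission may not
    be exported to a PC member.  The page code never repeats this check."""
    def __init__(self, anonymous):
        self.anonymous = anonymous

    def export_check(self, context):
        if self.anonymous and context.get("role") == "pc":
            raise AccessDenied("author list is anonymous")


class BufferedHtmlFilter:
    """Output filter for the HTML channel.  Between start_buffering and
    release/discard, fragments are held back instead of being sent; the
    assertion still runs at write time, so a failing export raises before
    any of the buffered fragment reaches the client."""
    def __init__(self, context):
        self.context = context
        self.sent = []       # what the client has actually received
        self.buffer = None   # pending output, or None when not buffering

    def filter_write(self, buf, policies=()):
        for p in policies:
            p.export_check(self.context)
        (self.buffer if self.buffer is not None else self.sent).append(buf)

    def start_buffering(self):
        self.buffer = []

    def discard(self):
        self.buffer = None

    def release(self):
        self.sent.extend(self.buffer)
        self.buffer = None


def render_submission(html, title, authors, policy):
    """Always try to show the author list and let the assertion decide.
    Everything written inside the try block is buffered, so a failure
    halfway through leaves no dangling '<p>Authors: ' in the client's page."""
    html.filter_write(f"<h1>{title}</h1>")
    html.start_buffering()
    try:
        html.filter_write("<p>Authors: ")
        html.filter_write(", ".join(authors), policies=[policy])
        html.filter_write("</p>")
        html.release()
    except AccessDenied:
        html.discard()
        html.filter_write("<p>Authors: Anonymous</p>")
    return "".join(html.sent)


def demo():
    # Constructed sample submission.
    title, authors = "Data Flow Assertions", ["Alice Example", "Bob Example"]
    return {
        "chair_sees_authors": render_submission(
            BufferedHtmlFilter({"role": "chair"}), title, authors,
            AuthorListPolicy(anonymous=True)),
        "pc_sees_anonymous": render_submission(
            BufferedHtmlFilter({"role": "pc"}), title, authors,
            AuthorListPolicy(anonymous=True)),
        "pc_sees_nonanonymous": render_submission(
            BufferedHtmlFilter({"role": "pc"}), title, authors,
            AuthorListPolicy(anonymous=False)),
    }
```

Without the buffer, the "<p>Authors: " fragment written before the failing export would already be on the wire when the exception fired, and the client would receive a half-rendered paragraph followed by the fallback; the buffer is what makes the fallback a clean replacement.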
2.6 Security Evaluation

The main criterion for evaluating Resin is whether it is effective at helping a programmer prevent data flow vulnerabilities. To provide a quantitative measure of Resin's effectiveness, we focus on three areas. First, we determine how much work a programmer must do to implement an existing implicit data flow plan as an explicit data flow assertion using Resin. We then evaluate whether each data flow assertion actually prevents typical data flow bugs, both previously-known and previously-unknown bugs. Finally, we evaluate whether a single high-level assertion can be general enough to cover both common and uncommon data flows that might violate the assertion, by testing assertions against bugs that use surprising data paths.

2.6.1 Programmer Effort

To determine the level of effort required for a programmer to use Resin, we took a number of existing, off-the-shelf applications and examined some of their implicit security-related data flow plans. We then implemented a Resin data flow assertion for each of those implicit plans. Table 2.4 summarizes the results, showing the applications, the number of lines of code in the application, and the number of lines of code in each data flow assertion.

The results in Table 2.4 show that each data flow assertion requires a small amount of code, on the order of tens of lines of code. The assertion that checks read access to author lists in HotCRP requires the most changes, 32 lines. This is more code than other assertions because our implementation issues database queries and interprets the results to perform the access check, requiring extra code. However, many of the other assertions in Table 2.4 reuse existing code from the application's existing security plan, and are shorter.

Table 2.4 also shows that the effort required to implement a data flow assertion does not grow with the size of the application. This is because implementing an assertion only requires changes where sensitive data first enters the application, and/or where data exits the system, not on every path data takes through the application; Resin's data tracking handles those data paths. For example, the cross-site scripting assertion for phpBB is only 22 lines of code even though phpBB is 172,000 lines of code.
    Application                 | Lang.  | App. LOC | Assertion LOC | Known vuln. | Discovered vuln. | Prevented vuln. | Vulnerability type
    MIT EECS grad admissions    | Python | 18,500   | 9             | 0           | 3                | 3               | SQL injection
    MoinMoin                    | Python | 89,600   | 8             | 2           | 0                | 2               | Missing read access control checks
                                |        |          | 15            | 0           | 0                | 0               | Missing write access control checks
    FileThingie file manager    | PHP    | 3,200    | 19            | 0           | 1                | 1               | Directory traversal, file access control
    HotCRP                      | PHP    | 29,000   | 23            | 1           | 0                | 1               | Password disclosure
                                |        |          | 30            | 0           | 0                | 0               | Missing access checks for papers
                                |        |          | 32            | 0           | 0                | 0               | Missing access checks for author list
    myPHPscripts login library  | PHP    | 425      | 6             | 1           | 0                | 1               | Password disclosure
    PHP Navigator               | PHP    | 4,100    | 17            | 0           | 1                | 1               | Directory traversal, file access control
    phpBB                       | PHP    | 172,000  | 23            | 1           | 3                | 4               | Missing access control checks
                                |        |          | 22            | 4           | 0                | 4               | Cross-site scripting
    many [23, 40, 16, 61, 4]    | PHP    | –        | 12            | 5           | 0                | 5               | Server-side script injection

Table 2.4: Results from using Resin assertions to prevent previously-known and newly discovered vulnerabilities in several Web applications.
As a point of comparison for programmer effort, consider the MoinMoin access control scheme that appeared in the Flume evaluation [46]. MoinMoin uses ACLs to limit who can read and write a wiki page. To implement this scheme under Flume, the programmer partitions MoinMoin into a number of components, each with different privileges, and then sets up the OS to enforce the access control system using information flow control. Adapting MoinMoin to use Flume requires modifying or writing about 2,000 lines of application code. In contrast, Resin can check the same MoinMoin access control scheme using two assertions, an eight line assertion for reading, and a 15 line assertion for writing, as shown in Table 2.4. Most importantly, adding these checks with Resin requires no structural or design changes to the application. Although Flume provides assurance against malicious server code and Resin does not, the Resin assertions catch the same two vulnerabilities (see Section 2.6.2) that Flume catches, because they do not involve binary code injection. By focusing on a weaker threat model, Resin's lightweight and easy-to-use mechanisms provide a compelling choice for programmers that want additional security assurance without much extra effort.
2.6.2 Preventing Vulnerabilities

To evaluate whether Resin's data flow assertions are capable of preventing vulnerabilities, we checked some of the assertions in Table 2.4 against known vulnerabilities that the assertion should be able to prevent. The results are shown in Table 2.4, where the number of previously-known vulnerabilities is greater than zero.

The results in Table 2.4 show that each Resin assertion does prevent the vulnerabilities it aims to prevent. For example, the phpBB access control assertion prevents a known missing access control check listed in the CVE [71], and the HotCRP password protection assertion shown in Section 2.3.1 prevents the password disclosure vulnerability described in Section 2.2. The assertion to prevent server-side script injection described in Section 2.5.2 prevents such vulnerabilities in five different applications [23, 40, 16, 61, 4].

Since we implemented these assertions with knowledge of the previously-known vulnerabilities, it is possible that the assertions are biased to thwart only those vulnerabilities. To address this bias, we tried to find new bugs, as an adversary would, that violate the assertions in Table 2.4. These results are shown in Table 2.4 where the number of newly discovered vulnerabilities is greater than zero.

These results show that Resin assertions can prevent vulnerabilities, even if the programmer has no knowledge of the specific vulnerabilities when writing the assertion. For example, we implemented a generic data flow assertion to address SQL injection vulnerabilities in MIT's EECS graduate admissions system. Although the original programmers were careful to avoid most SQL injection vulnerabilities, the assertion revealed three previously-unknown SQL injection vulnerabilities in the admission committee's internal user interface.

As a second example, FileThingie and PHP Navigator are Web based file managers, and both support a feature that limits a user's write access to a particular home directory. We implemented this behavior as a write access filter as described in Section 2.3.2. Again, both applications have code in place to check directory accesses, but after a careful examination, we discovered a directory traversal vulnerability that violates the write access scheme in each application. The data flow assertions catch both of these vulnerabilities.

As a final example, phpBB implements read access controls so that only certain users can read certain forum messages. We implemented an assertion to verify this access control scheme. In addition to preventing a previously-known access control vulnerability, the assertion also prevents three previously-unknown read access violations that we discovered. These results confirm that Resin's data flow assertions can thwart vulnerabilities, even if the programmer does not know they exist. Furthermore, these assertions likely eliminate even more vulnerabilities that we are not aware of.

The three vulnerabilities in phpBB are not in the core phpBB package, but in plugins written by third-party programmers. Large-scale projects like phpBB are a good example of the benefit of explicitly specifying data flow assertions with Resin. Consider a situation where a new programmer starts working on an existing application like HotCRP or phpBB. There are many implicit rules that programmers must follow in hundreds of places, such as who is responsible for sanitizing what data to prevent SQL injection and cross-site scripting, and who is supposed to call the access control function. If a programmer starts writing code before understanding all of these rules, the programmer can easily introduce vulnerabilities, and this turned out to be the case in the phpBB plugins we examined. Using Resin, one programmer can make a data flow rule explicit as an assertion and then Resin will check that assertion for all the other programmers.

These results also provide examples of a single data flow assertion thwarting more than one instance of an entire class of vulnerabilities. For example, the single read access assertion in phpBB thwarts four specific instances of read access vulnerabilities (see Table 2.4). As another example, a single server-side script injection assertion that works in all PHP applications catches five different previously-known vulnerabilities in the PHP applications we tested (see Table 2.4). This suggests that when a programmer inevitably finds a security vulnerability and writes a Resin assertion that addresses it, the assertion will prevent the broad class of problems that allow the vulnerability to occur in the first place, rather than only fixing the one specific instance of the problem.
2.6.3 Generality

To evaluate whether Resin data flow assertions are general enough to cover the many data flow paths available to an adversary, we checked whether the assertions we wrote detect a number of data flow bugs that use surprising data flow channels.

The results indicate that a high-level Resin assertion can detect and prevent vulnerabilities even if the vulnerability takes advantage of an unanticipated data flow path. For example, a common way for an adversary to exploit a cross-site scripting vulnerability is to enter malicious input through HTML form inputs. However, there was a cross-site scripting vulnerability in phpBB due to a more unusual data path. In this vulnerability, phpBB requests data from a whois server and then uses the response without sanitizing it first; an adversary exploits this vulnerability by inserting malicious JavaScript code into a whois record and then requesting the whois record via phpBB. The Resin assertion that protects against cross-site scripting in phpBB, listed in Table 2.4, prevents vulnerabilities at a high level; the assertion treats all external input as untrusted and makes sure that the external input data flows through a sanitizer before phpBB may use the data in HTML. This assertion is able to prevent both the more common HTML form attack as well as the less common whois style attack because the assertion is general enough to cover many possible data flow paths.

A second example is in the read access controls for phpBB's forum messages. The common place to check for read access is before displaying the message to a user, but one of the read access vulnerabilities, listed in Table 2.4, results from a different data flow path. When a user replies to a message, phpBB includes a quotation of the original message in the reply message. In the vulnerable version, phpBB also allows a user to reply to a message even if the user lacks permission to read the message. To exploit this vulnerability, an adversary, lacking permission to read a message, replies to the message using its message ID, and then reads the content of the original message, quoted in the reply template. The Resin assertion that checks the read access controls prevents this vulnerability because the assertion detects data flow from the original message to the adversary's browser, regardless of the path taken.

A final example comes from the two password disclosure vulnerabilities shown in Table 2.4. As described in Section 5, the HotCRP disclosure results from a logic bug in the email preview and the email reminder features. In contrast, the disclosure in the myPHPscripts login library [59] results from the library storing its users' passwords in a plain-text file in the same HTTP-accessible directory that contains the library's PHP files [62]. To exploit this, an adversary requests the password file with a Web browser. Despite preventing password disclosure through two different data flow paths, the assertions for password disclosure in HotCRP and myPHPscripts are very similar (the only difference is that HotCRP allows email reminders and myPHPscripts does not). This shows that a single Resin data flow assertion can prevent attacks through a wide range of attack vectors and data paths.
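As an added illustration of the first two cases in this section (the whois response reaching HTML, and the original message quoted into a reply for a reader who lacks permission), the following Python sketch models Resin's three mechanisms in miniature. It is not Resin's code or phpBB's: the Tracked class, the UntrustedInput and ReadAccess policy objects, the sanitize_html and send_html filters, and the whois record and message contents are all constructed for the example. What it shows is the point made above: because the policy rides on the bytes, the output filter stops both data paths without any path-specific check.

```python
"""Toy model of Resin-style data flow assertions (added example, not Resin
code): policy objects ride on every character of a string, a sanitizer filter
sheds the untrusted-input policy, and an output filter asks each remaining
policy to approve the recipient before HTML leaves the server."""
from __future__ import annotations

import html


class PolicyViolation(Exception):
    """Raised by the output filter when a policy refuses to release data."""


class Policy:
    def export_check(self, user: str) -> None:
        raise NotImplementedError


class UntrustedInput(Policy):
    """Attached at every external input; only sanitize_html removes it."""

    def __init__(self, source: str) -> None:
        self.source = source

    def export_check(self, user: str) -> None:
        raise PolicyViolation(f"unsanitized input from {self.source} reached HTML")


class ReadAccess(Policy):
    """Attached to a forum message when it is loaded from the database."""

    def __init__(self, msg_id: int, readers: frozenset[str]) -> None:
        self.msg_id, self.readers = msg_id, readers

    def export_check(self, user: str) -> None:
        if user not in self.readers:
            raise PolicyViolation(f"{user} may not read message {self.msg_id}")


class Tracked:
    """A string with one policy set per character (byte-level tracking)."""

    def __init__(self, text: str = "", policies: tuple[Policy, ...] = ()) -> None:
        self.text = text
        self.pols: list[frozenset[Policy]] = [frozenset(policies)] * len(text)

    def __add__(self, other: Tracked | str) -> Tracked:
        other = other if isinstance(other, Tracked) else Tracked(other)
        out = Tracked()
        out.text, out.pols = self.text + other.text, self.pols + other.pols
        return out

    def __radd__(self, other: str) -> Tracked:
        return Tracked(other) + self

    def __getitem__(self, s: slice) -> Tracked:
        out = Tracked()
        out.text, out.pols = self.text[s], self.pols[s]
        return out

    def policies(self) -> set[Policy]:
        return set().union(*self.pols)


def sanitize_html(t: Tracked) -> Tracked:
    """Sanitizer filter: escape markup and drop UntrustedInput. Escaping changes
    the length, so surviving policies are re-applied to the whole result."""
    keep = tuple(p for p in t.policies() if not isinstance(p, UntrustedInput))
    return Tracked(html.escape(t.text, quote=True), keep)


def send_html(page: Tracked, user: str) -> str:
    """Output filter at the server boundary: every policy must approve `user`."""
    for p in page.policies():
        p.export_check(user)
    return page.text


def fetch_whois(domain: str) -> Tracked:
    """Constructed stand-in for a whois lookup: external input, so tainted."""
    record = f"Registrant: <b>{domain}</b>"
    return Tracked(record, (UntrustedInput("whois:" + domain),))


def load_message(msg_id: int) -> Tracked:
    """Constructed stand-in for a database read; only 'alice' may read it."""
    return Tracked("private text", (ReadAccess(msg_id, frozenset({"alice"})),))


def whois_page(domain: str, user: str, sanitize: bool) -> str:
    rec = fetch_whois(domain)
    body = sanitize_html(rec) if sanitize else rec
    return send_html("<pre>" + body + "</pre>", user)


def reply_page(msg_id: int, user: str) -> str:
    """The unusual path: the original message quoted into a reply template,
    with no explicit access check; the policy on the quoted bytes suffices."""
    quoted = "[quote]" + load_message(msg_id)[0:7] + "...[/quote]"
    return send_html(sanitize_html(quoted), user)


def violates(fn, *args) -> bool:
    """True if the call is stopped by a policy violation."""
    try:
        fn(*args)
    except PolicyViolation:
        return True
    return False
```

Calling whois_page("example.org", "bob", True) returns the escaped page, while the unsanitized path raises PolicyViolation; reply_page(7, "alice") returns the quoted reply and reply_page(7, "mallory") raises. A real runtime carries the policy sets on the string's bytes inside the interpreter rather than in a wrapper class, which is what lets the assertion survive code paths its author never saw.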
2.7 Performance Evaluation

Although the main focus of Resin is to improve application security, application developers may be hesitant to use these techniques if they impose a prohibitive performance overhead. In this section, we show that Resin's performance is acceptable. We first measure the overhead of running HotCRP with and without the use of Resin, and then break down the low-level costs that account for the overhead using microbenchmarks. The overall result is that a complex Web application like HotCRP incurs a 33% CPU overhead for generating a page, which is unlikely to be noticeable by end-users.

The following experiments were run on a single core of a 2.3GHz Xeon 5140 server with 4GB of memory running Linux 2.6.22. The unmodified PHP interpreter is version 5.2.5, the same version that the Resin PHP interpreter is based on.
2.7.1 Application Performance

To evaluate the system-level overhead of Resin, we compare a modified version of HotCRP running in the Resin PHP interpreter against an unmodified version of HotCRP 2.26 running in an unmodified PHP interpreter. We measured the time to generate the Web page for a specific paper in HotCRP, including the paper's title, abstract, and author list (if not anonymized), as if a PC member requested it through a browser. The measured runtime includes the time taken to parse PHP code, recall the session state, make SQL queries, and invoke the relevant data flow assertions. In this example, Resin invoked two assertions: one protected the paper title and abstract (and the PC member was allowed to see them), and the other protected the author list (and the PC member was not allowed to see it, due to anonymization). We used the output buffering technique from Section 2.5.5 to present a consistent interface even when the author list policy raised an exception. The resulting page consisted of 8.5KB of HTML.

The unmodified version of HotCRP generates the page in 66ms (15.2 requests per second) and the Resin version uses 88ms (11.4 requests per second), averaged over 2000 trials. The performance of this benchmark is CPU limited.

Despite our unoptimized Resin prototype, its performance is likely to be adequate for many real world applications. For example, in the 30 minutes before the SOSP submission deadline in 2007, the HotCRP submission system logged only 390 user actions. Even if there were 10 page requests for each logged action (likely an overestimate), this would only average to 2.2 requests per second and a CPU utilization of 14.3% without Resin, or 19.1% with Resin on a single core. Adding a second CPU core doubles the throughput.
2.7.2 Microbenchmarks

To determine the source of Resin's overhead, we measured the time taken by individual operations in an unmodified PHP interpreter, and a Resin PHP interpreter both without any policy and with an empty policy. The results of these microbenchmarks are shown in Table 2.5.

For operations that simply propagate policies, such as variable assignments and function calls, Resin incurs a small absolute overhead of 4-21ns, but percentage wise, this is about a 10% overhead. This overhead is due to managing the policy set objects.

The overhead for invoking a filter object's interposition method (filter_read, filter_write, and filter_func) is the same as for a standard function call, except that Resin calls the interposition method once for every call to read or write. Therefore the application programmer has some control over how much interposition overhead the application will incur. For example, the programmer can control the amount of computation the interposition method performs, and the number of times the application calls read and write.

Operation          | Unmodified PHP | Resin, no policy | Resin, empty policy
Assign variable    | 0.196 µs       | 0.210 µs         | 0.214 µs
Function call      | 0.598 µs       | 0.602 µs         | 0.619 µs
String concat      | 0.315 µs       | 0.340 µs         | 0.463 µs
Integer addition   | 0.224 µs       | 0.247 µs         | 0.384 µs
File open          | 5.60 µs        | 7.05 µs          | 18.2 µs
File read, 1KB     | 14.0 µs        | 16.6 µs          | 26.7 µs
File write, 1KB    | 57.4 µs        | 60.5 µs          | 71.7 µs
SQL SELECT         | 134 µs         | 674 µs           | 832 µs
SQL INSERT         | 64.8 µs        | 294 µs           | 508 µs
SQL DELETE         | 64.7 µs        | 114 µs           | 115 µs

Table 2.5: The average time taken to execute different operations in an unmodified PHP interpreter, a Resin PHP interpreter without any policy, and a Resin PHP interpreter with an empty policy.
For operations that track byte-level policies, such as string concatenation, the overhead without any policy is low (8%), but increases when a policy is present (47%). This reflects the cost of propagating byte-level policies for parts of the string at runtime as well as more calls to malloc and free. A more efficient implementation of byte-level policies could reduce these calls.

Operations that merge policies (such as integer addition, which cannot do byte-level tracking) are similarly inexpensive without a policy (10%), but are more expensive when a policy is applied (71%). This reflects the cost of invoking the programmer-supplied merge function. However, in all the data flow assertions we encountered, we did not need to apply policies to integers, so this might not have a large impact on real applications.

For file open, read, and write, Resin adds potentially noticeable overhead, largely due to the cost of serializing, de-serializing, and invoking policies and filters stored in a file's extended attributes. Caching file policies in the runtime will likely reduce this overhead.

The INSERT operation listed in Table 2.5 inserts 10 cells, each into a different column, and the SELECT operation reads 10 cells, each from a different column. When there is an empty policy, each datum has the policy. The overhead without any policy is 229–540µs (354%–403%), and that with an empty policy is 443–698µs (521%–684%). Resin's overhead is related to the size of the query, and the number of columns that have policies; reducing the number of columns returned by a query reduces the overhead for a query. For example, a SELECT query that only requests six columns with policies takes 578µs in Resin compared to 109µs in unmodified PHP. The DELETE operation has a lower overhead because it does not require rewriting queries or results.

Resin's overhead for SQL operations is relatively high because it parses and translates each SQL query in order to determine the policy object for each data item that the query stores or fetches. Our current implementation performs much of the translation in a library written in PHP; we expect that converting all of it to C would offer significant speedup. Note that, even with our high overhead for SQL queries, the overall application incurs a much smaller performance overhead, such as 33% in the case of HotCRP.
2.8 Deployment

Another important aspect to consider for Resin is deployment. An individual Web site can benefit from adopting Resin in isolation. Resin does not require Web clients to do anything, nor does it require more than one Web site to adopt Resin before it becomes useful. For these reasons, each Web site can decide to use Resin on a case-by-case basis for its own benefit without regard for other Web sites or users. This is beneficial for a new technology like Resin, and should make it easier to penetrate the market.
2.9 Limitations and Future Work

Resin currently has a number of limitations which we plan to address in future work.

2.9.1 Data Flow Assertion Model

Data Integrity Assertions

In its current design, a data integrity assertion can only check whether a write is allowed before the write actually takes place. Therefore, the assertion must have prior knowledge of whether the write will be valid after completion. Currently, an assertion cannot permit the write to proceed and then check whether the write is valid afterward.

One way to improve support for integrity assertions is to use transactions. For example, consider a banking application, where a bank wants to ensure that all money transfers are properly authorized, and that the sum of all debits and credits adds up to zero. The execution of a request, including any database updates, file changes, and memory modifications, would be wrapped in a transaction, and Resin would not commit the updates until a policy object approves them. The policy would check that the sum of all bank account balances remains the same, and that the requesting user had permission to access each account that was touched, before committing the transaction. In a sense, this mechanism would take the integrity constraints often found in databases and run them within the application, with access to all the extra information in the application's runtime.
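The transactional integrity assertion sketched above, as an added Python illustration (not part of Resin, whose prototype cannot defer the check): a request runs against a private copy of the ledger, and a policy object inspects the proposed state before anything is committed. The Ledger, Transaction and TransferPolicy classes, the account names and balances, and the permission rule (only the owner may debit an account) are all constructed for the example.

```python
"""Commit-time integrity assertion for the banking example above (added
illustration, not Resin code: Resin's prototype checks writes only in
advance). A request runs against a private copy of the ledger and a policy
object inspects the proposed state before anything is committed."""
from __future__ import annotations

import copy
from typing import Callable


class IntegrityViolation(Exception):
    """The policy object refused to commit the request."""


class Ledger:
    def __init__(self, balances: dict[str, int], owners: dict[str, str]) -> None:
        self.balances = balances    # account -> balance in cents
        self.owners = owners        # account -> owning user

    def total(self) -> int:
        return sum(self.balances.values())


class TransferPolicy:
    """Policy object: sees the committed state, the proposed state and the
    accounts the request debited, and decides after the request has run."""

    def approve(self, user: str, before: Ledger, after: Ledger,
                debited: set[str]) -> None:
        # All debits and credits must net to zero: no money created or lost.
        if after.total() != before.total():
            raise IntegrityViolation("debits and credits do not sum to zero")
        # Constructed permission rule: only the owner may move money out of
        # an account (credits into other accounts are ordinary deposits).
        for acct in debited:
            if before.owners.get(acct) != user:
                raise IntegrityViolation(f"{user} may not debit {acct}")
        if any(b < 0 for b in after.balances.values()):
            raise IntegrityViolation("overdraft")


class Transaction:
    """One request: writes go to a private copy of the ledger and reach the
    real ledger only if the policy approves the final state."""

    def __init__(self, ledger: Ledger, policy: TransferPolicy, user: str) -> None:
        self.ledger, self.policy, self.user = ledger, policy, user
        self.work = copy.deepcopy(ledger)   # the write proceeds here
        self.debited: set[str] = set()

    def debit(self, acct: str, cents: int) -> None:
        self.work.balances[acct] -= cents
        self.debited.add(acct)

    def credit(self, acct: str, cents: int) -> None:
        self.work.balances[acct] += cents

    def commit(self) -> None:
        self.policy.approve(self.user, self.ledger, self.work, self.debited)
        self.ledger.balances = self.work.balances   # visible only now


def run_request(ledger: Ledger, user: str,
                body: Callable[[Transaction], None]) -> bool:
    """Run `body` inside a transaction; True if it committed. On refusal the
    real ledger was never touched, so there is nothing to roll back."""
    tx = Transaction(ledger, TransferPolicy(), user)
    try:
        body(tx)
        tx.commit()
        return True
    except IntegrityViolation:
        return False


def transfer(src: str, dst: str, cents: int) -> Callable[[Transaction], None]:
    def body(tx: Transaction) -> None:
        tx.debit(src, cents)
        tx.credit(dst, cents)
    return body


def buggy_transfer(src: str, dst: str, cents: int) -> Callable[[Transaction], None]:
    """A logic bug a write-before check cannot see: the credit is applied
    twice, so the ledger total changes."""
    def body(tx: Transaction) -> None:
        tx.debit(src, cents)
        tx.credit(dst, cents)
        tx.credit(dst, cents)
    return body


def demo() -> tuple[bool, bool, bool, dict[str, int]]:
    """Constructed accounts: alice owns acct-a, bob owns acct-b."""
    ledger = Ledger({"acct-a": 10_000, "acct-b": 5_000},
                    {"acct-a": "alice", "acct-b": "bob"})
    ok = run_request(ledger, "alice", transfer("acct-a", "acct-b", 2_500))
    unauthorized = run_request(ledger, "alice", transfer("acct-b", "acct-a", 100))
    inconsistent = run_request(ledger, "bob", buggy_transfer("acct-b", "acct-a", 100))
    return ok, unauthorized, inconsistent, dict(ledger.balances)
```

demo() commits the first transfer and refuses the other two, leaving both balances at 7500. The third request is the one a write-before check cannot express cleanly: whether alice may debit bob's account is knowable in advance, but whether a request's debits and credits sum to zero is only known once the whole request has run, which is exactly what the commit-time check sees.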
Internal Data Flow Boundaries

Second, Resin does not have good support for constructing internal data flow boundaries within an application. For example, it would be difficult to implement an assertion to prevent clear-text passwords from flowing out of the software module that handles passwords. Attaching filter objects to function calls is a step in the right direction, but languages like PHP and Python allow code to read and write data in another module's scope as if they were global variables. In the Resin runtimes for PHP and Python, an internal data flow boundary would need to address these data flow paths. Other runtimes, like Java's, have stronger scope enforcement, and might require fewer changes.

Server Boundary

Currently, Resin only checks assertions up to the edge of the Web server. After sensitive data leaves the server, a Web browser has access to the sensitive data, and can perform computation and communication that can violate data flow assertions. One way to address this limitation is to add Resin-like functionality to the browser, which is discussed more in Chapters 3 and 4.
2.9.2 Language Runtimes

Multiple Runtimes

Currently, Resin is limited to the PHP and Python runtimes. Although saving policies persistently allows policies to propagate to different instances of the same runtime (the Resin-aware Apache Web server invokes PHP to check policies), the policy serialization is runtime-specific. For example, in a SQL server, the SQL commands can compute on data, transform it, and save it to the database. Resin's SQL translator understands some simple SQL computations and propagates policies in those cases, but in general, Resin loses track of data within the SQL runtime. Currently, Resin's prototype SQL translator understands a few basic functions, and can compute the policy on the result of a function, like addition, before writing the result to the database, but a general solution would require the SQL runtime, and other runtimes, to be aware of policy objects.

Resin also does not propagate policies across different machines, so Resin will lose track of policies in a distributed system, like a three-tiered Web architecture. One way to address this limitation is to extend Resin to propagate policies between machines in a distributed system similar to the way DStar [90] does with information flow labels.

Runtime Modifications

Adding Resin to a runtime currently requires substantial changes to the runtime, and it might be difficult to persuade runtime developers to adopt those changes. For example, adding data tracking to PHP required modifying the interpreter in 103 locations to propagate policies; ideally, applying these techniques to new runtimes would require fewer changes. One approach to implementing Resin with fewer changes to the runtime might be to use OS or VMM support. It might also be possible to implement Resin without modifying the language runtime at all, given a suitable object-oriented system. The implementation would override all string operations to propagate policy objects, and override storage system interfaces to implement filter objects.

Static Analysis

Dynamic data tracking adds runtime overheads and presents challenges to tracking data through control flow paths. It may be possible to use static analysis or programmer annotations to check Resin-style data flow assertions at compile time instead of at runtime. However, Resin's use of general purpose code to express assertions does pose a challenge to this approach.
2.9.3 Applications

More Security Applications

One advantage of Resin over existing data tracking systems is that Resin is general purpose and can support many different security policies. One area for future work is to explore the space of security policies and try to implement Resin policies to preserve them. Some possible candidates are HTTP response splitting and cross-site request forgery.

Non-Security Applications

Finally, this work focuses on security as the driving need for Resin, but not all data flow bugs are related to security; some bugs just produce incorrect application behavior. Programmers may be able to use Resin to catch these bugs. For example, a Web store might have the high-level assertion that goods are paid for before sending a request to the shipping department. It may be possible to capture this assertion by attaching a Resin policy object to the request, and interposing on the messaging interface to the shipping department.
2.10 Related Work

Resin makes a number of design decisions regarding how programmers specify policies and how Resin tracks data. This section relates Resin's design to prior work.

2.10.1 Policy Specification

When using Resin, programmers define a data flow assertion by writing policy objects and filter objects in the same language as the rest of the application. Previous work in policy description languages focuses on specifying policies at a higher level, to make policies easier to understand, manage [7, 17, 21], analyze [30], and specify [3]. While these policy languages do not enforce security directly, having a clearly defined policy specification allows reasoning about the security of a system, performing static analysis [25, 24], and composing policies in well-defined ways [73, 2, 9]. Doing the same using Resin is challenging because programmers write assertions in general-purpose code. In future work, techniques like program analysis could help formalize Resin's policies [5], to bring some of these benefits to Resin, or to allow performance optimizations.

Lattice-based label systems [58, 15, 14, 22, 89, 46, 18] control data flow by assigning labels to objects. Expressing policies using labels can be difficult [21], and can require re-structuring applications. Once specified, labels objectively define the policy, whereas Resin assertions require reasoning about code. For more complex policies, labels are not enough, and many applications use trusted declassifiers to transform labels according to application-specific rules (e.g. encryption declassifies private data). Indeed, a large part of re-structuring an application to use labels involves writing and placing declassifiers. Resin's design can be thought of as specifying the declassifier (policy object) in the label, thus avoiding the need to place declassifiers throughout the application code.

Since Resin programmers define their own policy and filter objects, programmers can implement data flow assertions specific to an application, such as ensuring that every string that came from one user is sanitized before being sent to another user's browser. Resin's assertions are more extensible than specialized policy languages [27], or tools designed to find specific problems, such as SQL injection or cross-site scripting [37, 81, 53, 51, 76, 60, 66, 38, 83]. PQL [53] allows programmers to run application-specific program analyses on their code at development time, including analyses that look for data flow bugs such as SQL injection. However, PQL is limited to finding data flows that can be statically analyzed, with the help of some development-time runtime checks, and cannot find data flows that involve persistent storage. This could miss some subtle paths that an attacker might trigger at runtime, and would not prevent vulnerabilities in plug-ins added by end-users.

FABLE [70] allows programmers to customize the type system and label transformation rules, but requires the programmer to define a type system in a specialized language, and use the type system to implement the applications' data flow schemes. Resin, on the other hand, implements data tracking orthogonal to the type system, requiring fewer code modifications, and allowing programmers to reuse existing code in their assertions.

Systems like OKWS [45] and Privman [43] enforce security by having programmers partition their application into less-privileged processes. By operating in the language runtime, Resin's policy and filter objects track data flows and check assertions at a higher level of abstraction, avoiding the need to re-structure applications. However, Resin cannot protect against compromised server processes.
2.10.2 Data Tracking

Once the assertions are in place, Resin tracks explicit flows of application data at runtime, as it moves through the system. Resin does not track data flows through implicit channels, such as program control flow and data structure layout, because implicit flows can be difficult to reason about, and often do not correspond to data flow plans the programmer had in mind. Implicit data flows can lead to "taint creep", or increasingly tainted program control flow, as the application executes, which can make the system difficult to use in practice. In contrast, systems like Jif [58] track data through all channels, including program control flow, and can catch subtle bugs that leak data through these channels. By relying on a well-defined label system, Jif can also avoid runtime checks in many cases, and rely purely on compile-time static checking, which reduces runtime overhead.

Resin's data tracking is central to its ability to implement data flow assertions that involve data movement, like SQL injection or cross-site scripting protection. Other program checkers, like Spec# [7, 6], check program invariants, but focus on checking function pre- and post-conditions and do not track data. Aspect-oriented programming (AOP) [77] provides a way to add functionality, including security checks, that cuts across many different software modules, but does not perform data tracking. However, AOP does help programmers add new code throughout an application's code base, and could be used to implement Resin filter objects.

By tracking data flow in a language runtime, Resin can track data at the level of existing programming abstractions (variables, I/O channels, and function calls), much like in Jif [58]. This allows programmers to use Resin without having to restructure their applications. This differs from OS-level IFC systems [22, 89, 88, 46] which track data flowing between processes, and thus require programmers to expose data flows to the OS by explicitly partitioning their applications into many components according to the data each component should observe. On the other hand, these OS IFC systems can protect against compromised server code, whereas Resin assumes that all application code is trusted; a compromise in the application code can bypass Resin's assertions.

Some bug-specific tools use data tracking to prevent vulnerabilities such as cross-site scripting [42], SQL injection [60, 76], and untrusted user input [72, 64, 13]. While these tools inspired Resin's design, they effectively hard-code the assertion to be checked into the design of the tool. As a result, they are not general enough to address application-specific data flows, and do not support data flow tracking through persistent storage. One potential advantage of these tools is that they do not require the programmer to modify their application in order to prevent well-known vulnerabilities such as SQL injection or cross-site scripting. We suspect that with Resin, one developer could also write a general-purpose assertion that can be then applied to other applications.
2.11 Summary

Programmers often have a plan for correct data flow in their applications. However, today's programmers often implement their plans implicitly, which requires the programmer to insert the correct code checks in many places throughout an application. This is difficult to do in practice, and often leads to vulnerabilities. This work takes a step towards solving this problem by introducing the idea of a data flow assertion, which allows a programmer to explicitly specify a data flow plan, and then have the language runtime check it at runtime. Resin provides three mechanisms for implementing data flow assertions: policy objects associated with data, data tracking as data flows through an application, and filter objects that define data flow boundaries and control data movement.

We evaluated Resin by adding data flow assertions to prevent security vulnerabilities in existing PHP and Python applications. Results show that data flow assertions are effective at preventing a wide range of vulnerabilities, that assertions are short and easy to write, and that assertions can be added incrementally without having to restructure existing applications. We hope these benefits will entice programmers to adopt our ideas in practice.
Chapter 3

BFlow

Some web sites provide interactive extensions using browser scripts, often without inspecting the scripts to verify that they are benign and bug-free. Others handle users' confidential data and display it via the browser. Such new features contribute to the power of online services, but their combination would allow attackers to steal confidential data. This chapter presents BFlow, a security system that uses information flow control to allow the combination while preventing attacks on data confidentiality.

BFlow allows untrusted JavaScript to compute with, render, and store confidential data, while preventing leaks of that data. BFlow tracks confidential data as it flows within the browser, between scripts on a page and between scripts and web servers. Using these observations and assistance from participating web servers, BFlow prevents scripts that have seen confidential data from leaking it, without disrupting the JavaScript communication techniques used in complex web pages. To achieve these ends, BFlow introduces an information flow control model for the JavaScript environment, a mapping from that model to the browser's existing security mechanisms, and a new "protection zone" abstraction.

We have implemented a BFlow browser reference monitor and server support. To evaluate BFlow's confidentiality protection and flexibility, we have built a BFlow-protected blog that supports Blogger's third party JavaScript extensions. BFlow's blog is compatible with every legitimate Blogger extension that we have found, yet BFlow prevents malicious extensions from leaking confidential data. We have also built a social networking site that supports third-party JavaScript, and a Web application platform that allows applications to share user data without leaking that data.
3.1 Introduction

Three important trends in Internet-based computing have emerged in recent years. First, Web sites are increasingly hosting sensitive user data and applications; hosted e-mail has been joined by other applications, such as hosted spreadsheets and confidential blogs. Second, large swathes of Web user interface code now run in the browser, as JavaScript and other browser scripting languages. Third, many Web sites use JavaScript that they might not fully understand, including large imported libraries and even extension scripts written by arbitrary third-party programmers. These extensions can use server-side APIs to access and manipulate users' server-based data, giving rise to application-like third-party extensions on "platform" sites such as Facebook [26] and Blogger [12].

The combination of third-party browser scripts and sensitive user data raises the possibility of scripts stealing confidential data. For this reason, today's Web applications that value user privacy must forbid browser script extensions, or refuse to reveal sensitive user data to extensions. These approaches cut out useful behavior, undermining the value of extensibility. For example, Web applications like Gmail would benefit from third-party JavaScript extensions, but confidentiality problems make them difficult to support. As a substitute, Gmail users modify their browsers to do things like optimize Gmail's UI for particular mobile devices and alter the way Gmail renders email [28].

Existing Web sites that support extensions tend to do so with less sensitive, but still confidential data. For example, the Blogger Web site hosts confidential blogs, yet permits users to install third-party JavaScript extensions, that they might not fully understand, on their blogs. These extensions can read confidential data, compute on it, and display it to the user (which is reasonable by itself), but they can also communicate any information they read to outside parties (which can violate the user's privacy).

Part of the underlying problem is that the browser security policy gives all scripts that come from a given Web site full privileges with respect to that site. Recent work [80, 55, 41] proposes improvements to today's browser security policy such as finer-grained separation of privileges between different parts of the browser. But these solutions still force users or developers to make up-front decisions as to whether or not to trust third-party code with confidential data. Mistakenly deciding "no" inhibits extensibility; mistakenly deciding "yes" invites data theft.

This chapter describes BFlow, a new browser security system. BFlow lets browser scripts compute with confidential data while restricting their ability to reveal that data. BFlow uses a reference monitor in the browser to enforce information flow control (IFC), observing the communication of each script with other scripts and with Web sites. These observations help BFlow decide whether each script has seen confidential data (whether directly or transitively through another script) and from what site that data came. The BFlow reference monitor uses the tracking information to restrict how data is revealed: if a script has seen confidential data, it can only communicate with the site whence the confidential data came unless that site explicitly permits communication with other servers. BFlow places few new restrictions on scripts that have not been exposed to confidential data. To take advantage of BFlow, a Web site must cooperate by marking outgoing confidential data with security metadata and recording the confidentiality of incoming data.

The challenges in designing BFlow differ from those solved by operating system IFC systems [11, 54, 19, 22] because the browser has somewhat unusual notions of the principals that own data (Web sites), of the natural code unit at which to apply IFC (the frame), and of the special flows of information that must be supported (among frames and to Web servers).

We have implemented a prototype BFlow browser reference monitor as a Firefox plug-in. We have also implemented the server part of BFlow as a gateway layer that sits between an Apache Web server and the Web site's application logic. These implementations are intended to be easy to deploy: the Firefox plug-in is easy to install, and the BFlow reference monitor supports the full JavaScript language so that most scripts run with no changes.

To evaluate BFlow's privacy protection and flexibility, we implemented three Web sites that incorporate third-party JavaScript: a Web site compatible with Blogger's third-party extensions, a social networking site that implements common application features in untrusted JavaScript, and a Web platform that supports third-party server applications that share confidential user data. The blog example shows that many existing scripts will work with few modifications and that malicious JavaScript that leaks confidential data in Blogger does not leak within BFlow. The social network example shows that BFlow supports a wide range of third-party functionality, and the Web platform demonstrates how developers can use BFlow to build new kinds of Web architectures.

The contributions of this work are a set of information flow control rules that govern the JavaScript communication mechanisms, a mapping from BFlow's IFC rules to the browser's existing JavaScript isolation system, and an abstraction called a protection zone that eases the deployment of existing JavaScript into BFlow. Together, these techniques allow untrusted JavaScript to read, compute with, and display confidential data without the risk of leaking that data.
3.2 Background: JavaScript

Web sites use in-browser JavaScript to provide high-quality user interfaces. This section briefly reviews what JavaScript can do within a browser, focusing on communication.

A browser consists of one or more frames, each containing a separate HTML document and JavaScript interpreter. Browser frames can contain sub-frames using the frame and iframe HTML directives. Each browser window or tab is a top-level frame, each frame that embeds a sub-frame is a parent, and each sub-frame is the child of its parent.

The browser represents the displayed document in each frame as a data structure called the Document Object Model (DOM). JavaScript code is allowed to read and modify the DOM of any frame from the same origin server as the code.(1) Two JavaScript scripts, each running in a different frame, but from the same origin, can communicate with each other via modification to each other's DOMs. Also, JavaScript can communicate with any Web server by fetching a Web document, including HTML pages and images, from that server.

(1) An origin is defined as a triple: domain name, protocol, and port.

The restriction that JavaScript only access DOMs from the same origin is called the same-origin policy (SOP). The SOP also only allows a script to send AJAX requests to its origin server. The high-level goal of the SOP is to guard the operation of each Web site and its JavaScript from interference by other sites' JavaScript.

The SOP does not restrict JavaScript from interacting with different-origin sites in a number of ways which would be unlikely to interfere with their proper operation. For example, a script can modify its frame's document to fetch an image from any Web site, which allows the script to communicate with the site through the name of the requested image. The SOP also allows scripts to use JavaScript's intra-browser channels to send messages to listening scripts from any origin. The result is that scripts that have access to confidential data can leak that data to cooperating outside Web sites and JavaScript.
3.3 Challenges

BFlow requires a stronger policy than the SOP because it must prevent data movement even when untrusted scripts and untrusted servers collude against the user's wishes. BFlow must accomplish this while maintaining support for untrusted JavaScript extensions without encumbering deployment.

3.3.1 Threat Model and Security

BFlow applies to Web sites that both store confidential user data and allow untrusted JavaScript to access that data. The adversary's goal is to read, with his own eyes, data that he should not be able to read according to the Web site's stated confidentiality policy. The adversary's capabilities are limited to creating his own accounts on the Web site, running his own Web servers, and writing JavaScript which the site includes in pages viewed by other users. Neither the site operators nor the users inspect the adversary's JavaScript.

More general adversaries might have other tools at their disposal. They might: compromise the host site; eavesdrop on or corrupt network traffic; infect the user's operating system with malware; infect the user's browser with malware; and use social-engineering attacks like "phishing" to lure the user or her friends into giving confidential data away. BFlow does not defend against these attacks, and its correct operation depends on adequate defenses to them that are outside the scope of this work (e.g. SSL, timely application of O/S security patches, etc.).

The ability to inject arbitrary JavaScript into a page is quite powerful and is commonly referred to as a cross-site scripting vulnerability. While BFlow does not aim to solve all attacks available through XSS, it does aim to prevent XSS attacks from leaking confidential data.

Figure 3-1: Malicious JavaScript reads confidential data (a) via the DOM and (b) by exploiting vulnerable JavaScript.

Figure 3-2: After reading confidential data, the malicious JavaScript leaks confidential data to an adversary via the (a) adversary's server (b) Web site's public data.

Attack Paths

Once the adversary injects JavaScript into the Web site's pages and a user views a page, the JavaScript can attempt to read the confidential data displayed on the page and leak it to the adversary. There are two possible scenarios for reading the confidential data in this model.

In the first case, the malicious JavaScript runs in the same origin as the confidential data. This could occur for many reasons; today, Web sites incorporate large JavaScript libraries like Scriptaculous [69] or Google Maps [34] into their site's origin and platforms like Blogger.com inline completely unaudited third-party scripts. In this case, the JavaScript can read the confidential data directly from the DOM as shown in Figure 3-1a.

In the second case, malicious JavaScript can steal data even if there is no malicious code in the same origin as the confidential data. Today's browsers now support intra-browser communication between scripts from different origins and developers are already building libraries to use these channels [75]. If libraries like these are buggy, then malicious JavaScript running in the browser from a different origin (and a different frame) could exploit their bugs to read the confidential data as in Figure 3-1b.

After reading confidential data, the malicious JavaScript can send it to a Web server using an HTTP request, either to the Web site's own server or to a third-party external server. For example, the JavaScript can encode the data in an image name to be fetched from a server the adversary controls (see Figure 3-2a).

Even if the same-origin policy applied to all types of requests and the script could only send HTTP requests to the Web site's server, the malicious JavaScript could leak data via the Web site's own server. The malicious script could craft an HTTP request that stores the confidential data back onto the server in a public area. Since the server no longer realizes that the data is confidential, the adversary can read it with his own browser (see Figure 3-2b). Similarly, malicious JavaScript could write confidential data into a browser cookie and then any other code that comes from the same domain could read the data.
3.3.2 Flexibility and Adoption

The second challenge is to design a system that is easy for developers, Web sites, and users to adopt.

One aspect of this challenge lies in preventing data leaks while preserving features popular among JavaScript developers, such as eval(), communication among concurrent browser scripts, and communication with remote Web servers. This last JavaScript use is particularly commonplace and dangerous. Today's browser scripts routinely load images and data from multiple independently-administered servers. In the context of BFlow, such requests can encode confidential information. If one considers (as one should) a large majority of Web servers to be untrustworthy receptacles for data leaks, BFlow must block requests (e.g., image loads) to such servers by scripts privy to confidential information. At the same time, BFlow can allow such requests from scripts that have not seen confidential data. In sum, BFlow should allow harmless requests to external servers, allow requests that release information if the release is the intention of the site owning the data, and detect and forbid accidental or malicious releases.

The design of BFlow should also be easy for users to install, site developers to adopt, and extension developers to adopt (in that order of priority). Some level of complexity is inevitable, but the goal is that deployment effort should be limited to: 1) users installing a browser plugin, 2) site developers deciding which data on their site is confidential and rearranging the site's HTML to partition data by confidentiality constraints, and 3) third-party developers designing extensions that handle confidential data to live within BFlow's communication restrictions.
3.4 Design

The goal of BFlow is to enforce two properties on how a browser handles data. First, if confidential data arrives from a Web site, only the human user and that origin Web site should see any information derived from the data unless the site specifically allows it to go to another Web site. Second, if the browser sends information derived from confidential data to the origin Web site, the information must be marked as confidential unless the site specifically allows the removal of the confidentiality marking. The main tension in the BFlow design is the enforcement of these properties in a way that is compatible with how developers use JavaScript in complex Web pages.

Figure 3-3: BFlow overview. Untrusted protection zones are shaded.

In outline, the BFlow design is as follows. The BFlow browser reference monitor watches how data flows into, out of, and within the browser. A BFlow-aware server sends a label along with data it sends to the browser to tell the reference monitor whether the data is confidential. The reference monitor uses a form of information flow control [18] to enforce a confidentiality policy, tracking what data within the browser might be derived from confidential data. Each browser script runs in a browser frame, and frames are grouped into protection zones. BFlow tracks data at the granularity of a protection zone (see Figure 3-3). When data is about to leave the browser via the network, the reference monitor enforces a safety property on the data's label; if the data is going to its origin Web site, the reference monitor includes the label; otherwise, if the label indicates the data is confidential, the reference monitor forbids its release unless an explicit declassification exception applies.
3.4.1 Information Flow Control

The BFlow reference monitor's information flow control system keeps track of what categories of confidential data the JavaScript in each protection zone may have seen. The reference monitor (RM) maintains a label for each zone. A label is a set of tags. A tag is an opaque token supplied by a server that indicates a particular category of confidential data. The meaning of a zone having a label containing a tag t is "the JavaScript or HTML in this zone may have observed information derived from data with confidentiality category t." A label with multiple tags indicates that the zone may have observed data in multiple confidentiality categories.

To ensure that a zone's label reflects the categories of confidential data it has seen, the RM enforces some rules relating to communication across zone boundaries. The effect of the rules is that, if information is to flow from zone S to zone R, R's label must be a superset of S's. In the special case of data flowing from a server to a zone, the zone's label must be a superset of the label provided with the data. Table 3.1 summarizes this and BFlow's other IFC rules described below.

A zone explicitly asks to change its own label and specifies which tags to add; BFlow does not automatically change zone R's label in response to the data R receives. BFlow always permits a zone to add any tag to its label. This is safe because the communication rules described above get strictly more restrictive as the sender's label grows. In practice, BFlow adds some further restrictions which we describe in Section 3.4.2.

Sender                                      Receiver                               Default rule              Exception
Script in trusted zone                      Any                                    Allow                     N/A
Script in zone S, frame F, from server W    Script in W's trusted zone             Allow                     N/A
                                            Script in zone S                       Allow                     N/A
                                            Script in zone R, sub-frame of F       L_S ⊆ L_R (always true)   N/A
                                            Script in zone R, not sub-frame of F   L_S ⊆ L_R                 Trusted zone proxy
                                            Source server W                        Allow                     N/A
                                            External server E                      L_S = {}                  L_S ⊆ D_E
Source server W sending data with label L   Script in W's trusted zone             Allow                     N/A
                                            Script in zone R                       L ⊆ L_R                   None

Table 3.1: Default IFC communication rules and declassification exceptions; zones S and R are untrusted. The prototype implements these rules for communication through postMessageBF, the FID channel and HTTP requests, but it is more restrictive than these rules for shared DOM variables and cookie communication across zones.

The RM imposes the IFC rules inside user u's browser to prevent buggy or malicious scripts from leaking u's data. At the same time, it is the server's responsibility to avoid sending data to u's browser that u is not permitted to read because u could have modified her browser to extract all the data available to it.

The ultimate source of each tag is a particular BFlow-aware Web site. The browser RM internally adds the source server identity to each tag so that two tags from different servers are always unique. In typical use, a zone's label will either be empty (indicating that the zone has seen no confidential data) or contain just one tag. A label might contain multiple tags if a zone has consulted multiple categories of confidential data. A zone's label cannot contain tags from different Web sites because it would violate the flow invariant described in Section 3.4.2.

A Web site decides what its tags mean. A typical Web site might associate a different tag with each user, or a tag with each category of confidential data a user owns. For example, a Web site might store both a confidential photo album and a confidential blog for user Alice, and associate a different tag with each kind of data. Then, if the site sends blog data to Alice's browser, and some JavaScript that examined the data communicates with the site, the site will know that the communication (and any resulting stored data) should have the same tag as Alice's confidential blog.
3.4.2 Protection Zones

One of the challenges in designing an information flow model for JavaScript comes from how developers use JavaScript today. Often, developers will construct Web pages out of many sub-frames, each containing its own JavaScript. Furthermore, within a single page different sub-frames may have different purposes. For example, a top-level page may contain a chat tool and an email tool, each contained in its own individual sub-frame. Each of those tools may in turn contain its own sub-frames. For example, the chat tool may use two separate sub-frames, one for showing messages and one for data input. Existing multi-frame modules like the chat tool typically read shared variables and call functions across frame boundaries. Modules expect these features to be reliable, so BFlow should accommodate this behavior; if one sub-frame in the module reads confidential data, then it should still be able to communicate with the other frames in the module without excessive coordination.

BFlow addresses this challenge by applying IFC at the granularity of a protection zone. A protection zone is a group of one or more browser frames, including their DOMs and the JavaScript running inside of them, plus its own set of browser cookies. All the scripts and data within a zone share a common label. Grouping frames into zones gives developers an easy way to modularize their scripts. Once the scripts are in a common zone, they can communicate with each other regardless of any label changes, even if a script in one of many sub-frames changes the zone's label unilaterally.

A Web site also has a special trusted zone which always has an empty zone label; JavaScript running in the trusted zone can bypass BFlow's browser constraints. A Web site uses the trusted zone in cases where confidential data is allowed to leave the system by a browser script, but the Web site developers must inspect such scripts carefully.

To create a new zone, JavaScript in an existing zone requests a new zone id from BFlow and then loads a document from the server (specifying the new zone id) into one of the zone's existing frames. When the HTTP response arrives, the RM recognizes that the zone id is new, and creates its local representation of the zone. However, not all frames have their own zone; when a parent creates a sub-frame, by default the RM places the sub-frame in the same zone as the parent as shown by Z1 in Figure 3-4.

Flow Invariant

BFlow maintains a flow invariant over the browser's frames and zones: first, the browser's top level frame must be in the trusted zone and all its sub-frames must be able to legally send messages to the top level frame. Second, if a parent frame P has child frames C_i, then P must be able to send messages to each of its children legally. More specifically, if P has label L_P and P's children have labels L_Ci, then ∀i, L_P ⊆ L_Ci. This invariant must hold regardless of what zone each frame is a member of.

The BFlow RM preserves the flow invariant by checking the target frame F and target zone Z before changing a zone's label. When a zone Z changes its label, all other scripts running in Z will have the new label even if they are running in other frames; no zone other than Z will experience a label change. However, adding t to L_Z may permit another zone Z_P to add t to its label because of the invariant, if adding t to L_Z means all of Z_P's children now contain t. Maintaining the invariant slightly limits the kinds of frame hierarchies possible: an untrusted frame cannot contain tags from different Web sites and a parent frame with L_P = {t} cannot contain a child frame with L_C = {}, but it ensures that BFlow can support existing methods of JavaScript communication described in Section 3.4.3.
3.4.3 Controlling Intra-browser Communication

Tracking the flow of confidential data between scripts within the browser is critical to preventing leaks because BFlow can only prevent a script from leaking data if it knows what data the script has seen. This section describes which channels are available in BFlow between scripts in the same zone and in different zones. We focus on the Firefox 3.0 browser in which JavaScript has four techniques to communicate between scripts (other browsers may have other techniques). They are DOM variables, browser cookies, the postMessage channel, and the fragment-ID (FID) channel.

Figure 3-4: Web page frame hierarchy with zones and labels. Each box is a frame.

Within One Zone

BFlow need not restrict communication between two scripts in the same zone, since all of the JavaScript, frame DOMs, and cookies within a zone share the same zone label. It is important that BFlow accommodates scripts from different frames that read and write each other's DOM variables, since many sites have scripts that use that feature.

Between Two Zones

Since two scripts in different zones can have different labels, BFlow must restrict communication between two such scripts according to the IFC rules shown in Table 3.1. It does so through a combination of unconditionally forbidding some operations between scripts from different zones, and allowing other operations only when the zone labels allow.

Although today's browsers allow scripts in the same origin to read and write each other's DOMs, BFlow unconditionally forbids JavaScript in two different zones from reading or writing each other's DOM variables or cookies. This is a conservative restriction due to our implementation and the only restriction BFlow places on code that has not seen confidential data. A better implementation would allow a script in zone S to write to variables and cookies in zone R if R's label were a superset of S's label.

Instead of using shared DOM variables and cookies, BFlow allows scripts in different zones to send explicit messages to one another using an API function called postMessageBF. To preserve the IFC rules, the RM only delivers the message if the sender's label L_S is a subset of the receiver's label L_R; if not, it will drop the message. BFlow's postMessageBF replaces the postMessage API found in HTML5 because postMessage does not enforce the IFC rules.

The fourth inter-zone communication method is the FID channel, which is an artifact of a script's ability to set the location of both its sub-frames and the top level frame. Setting the location of frame F communicates data to frame F [8]. BFlow does not specifically restrict the FID channel; instead, BFlow ensures that any use of the FID channel is legal according to the IFC rules in Table 3.1 because BFlow preserves the flow invariant. Without the invariant, a sub-frame P with label L_P = {t} that has read confidential data could leak it to a child frame C with L_C = {} that does not have the proper label, i.e. L_P ⊈ L_C.

These IFC rules alone might be too strict for an untrusted script that handles both confidential and public data, and also needs a way to reveal the public data. For example, an untrusted script might need to read a user's confidential email address with label L = {t} and also need to save public data with L = {} to the server. BFlow supports this using an exception to the strict IFC rules called browser declassification. BFlow permits a script running in a zone from server W to send messages to scripts in the trusted zone of server W and vice-versa, so the untrusted script with label L_R = {} can request the email address from the trusted script and the trusted script can respond with the email address despite R's label if the site developers allow it to.
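The following is an added example, not code from this dissertation or from the BFlow Firefox plug-in: a small model of the browser reference monitor's rules from Sections 3.4.1 to 3.4.3, so that the label subset rule, the flow invariant check on a label change, and the postMessageBF delivery decision (with the trusted-zone exception) can be exercised together. The class and method names (ReferenceMonitor, addTag, postMessageBF returning "delivered" or "dropped") and the chat/mail frame layout in demo() are assumptions made for this illustration.

```javascript
// Added example, not code from the BFlow dissertation or its Firefox plug-in: a model of
// the browser reference monitor's IFC rules. ReferenceMonitor, addTag, the string results
// of postMessageBF and the frame/zone names in demo() are assumptions for illustration.

// The RM qualifies each server-supplied tag with the server's identity, so tags from
// different sites can never be equal.
function tag(server, token) {
  return `${server}:${token}`;
}

// Labels are sets of tags; information may flow from S to R only if L_S ⊆ L_R.
function isSubset(ls, lr) {
  for (const t of ls) if (!lr.has(t)) return false;
  return true;
}

class ReferenceMonitor {
  constructor() {
    // The site's trusted zone always has an empty label.
    this.zones = new Map([["trusted", { label: new Set(), trusted: true }]]);
    this.frames = new Map(); // frameId -> { zone, parent }
  }

  newZone(id) {
    this.zones.set(id, { label: new Set(), trusted: false });
  }

  // A sub-frame lands in its parent's zone unless the creator names another zone;
  // the top-level frame (no parent) is always in the trusted zone.
  addFrame(frameId, parentId, zoneId) {
    let zone = zoneId;
    if (zone === undefined) zone = parentId === null ? "trusted" : this.frames.get(parentId).zone;
    this.frames.set(frameId, { zone, parent: parentId });
  }

  labelOf(frameId) {
    return this.zones.get(this.frames.get(frameId).zone).label;
  }

  // Flow invariant: for every parent P and child C_i, L_P ⊆ L_Ci.
  invariantHolds() {
    for (const [id, f] of this.frames) {
      if (f.parent !== null && !isSubset(this.labelOf(f.parent), this.labelOf(id))) return false;
    }
    return true;
  }

  // A zone may add any tag to its own label, subject to two checks: all tags in one label
  // must come from one site, and the frame hierarchy must still satisfy the invariant.
  addTag(zoneId, t) {
    const zone = this.zones.get(zoneId);
    if (zone.trusted) return false; // the trusted zone's label stays empty
    if (zone.label.has(t)) return true;
    const site = t.split(":")[0];
    for (const existing of zone.label) if (existing.split(":")[0] !== site) return false;
    zone.label.add(t);
    if (!this.invariantHolds()) {
      zone.label.delete(t); // roll back: some child outside the zone lacks t
      return false;
    }
    return true;
  }

  // postMessageBF: deliver only when L_S ⊆ L_R. Messages to or from the site's trusted
  // zone are the browser declassification exception and are always delivered.
  postMessageBF(fromZone, toZone) {
    const s = this.zones.get(fromZone);
    const r = this.zones.get(toZone);
    return s.trusted || r.trusted || isSubset(s.label, r.label) ? "delivered" : "dropped";
  }
}

// Walk through the chat/mail page of Section 3.4.2 with constructed frame and zone names.
function demo() {
  const rm = new ReferenceMonitor();
  const tBlog = tag("site", "alice-blog");
  rm.addFrame("top", null);                 // trusted zone, label {}
  rm.newZone("Z1"); rm.newZone("Z2"); rm.newZone("Z3");
  rm.addFrame("chat", "top", "Z1");
  rm.addFrame("chatInput", "chat");         // joins Z1 by default
  rm.addFrame("mail", "top", "Z2");
  rm.addFrame("mailWidget", "mail", "Z3");  // child of mail, in its own zone
  const out = {};
  out.chatReadsBlog = rm.addTag("Z1", tBlog);          // true: chatInput is in Z1 too
  out.z1ToZ2 = rm.postMessageBF("Z1", "Z2");           // dropped: {t} ⊄ {}
  out.z2ToZ1 = rm.postMessageBF("Z2", "Z1");           // delivered: {} ⊆ {t}
  out.z1ToTrusted = rm.postMessageBF("Z1", "trusted"); // delivered: declassification
  out.mailFirst = rm.addTag("Z2", tBlog);              // false: child mailWidget lacks t
  out.widgetFirst = rm.addTag("Z3", tBlog);            // true
  out.mailSecond = rm.addTag("Z2", tBlog);             // true now that every child has t
  out.foreignTag = rm.addTag("Z1", tag("other", "x")); // false: two sites in one label
  out.invariant = rm.invariantHolds();
  return out;
}
```

The order of the last three addTag calls is the point of the Z_P case in Section 3.4.2: the mail frame's zone cannot take the tag until its child zone has, after which the same request succeeds.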
3.4.4 Controlling Browser-Server Communication

In addition to data flowing within the browser, data can also flow between the browser and Web servers in HTTP requests and responses. To track these flows, the BFlow reference monitor interposes on requests sent out by the browser and on responses that arrive at the browser.

When handling an HTTP request from a zone that has seen confidential data from server W, BFlow treats the source server W differently from any other external server E_i. Since W sent the confidential data in the first place, BFlow can safely send HTTP requests containing the confidential data back to W. Sending to any other server E_i requires a declassification exception, whether E_i is BFlow aware or not.

Source Server Protocol

For communication between the browser and the source server, the BFlow RM and the server include labels in each HTTP request and response. The server labels responses so that the browser RM will know what label to apply to each zone. Similarly, the browser RM labels requests so that the server will know what data is confidential; otherwise, attacks like that shown in Figure 3-2b might succeed.

When a browser script makes an HTTP request, the BFlow RM sets the label of the request equal to the script's zone label, i.e. L_req = L_zone. Labeling the request according to the script's label ensures that the server will know what confidential data the request may contain. If the request causes the server to store data, the server should store the label along with the data and return the label if a subsequent request reads it.

By default, the server's HTTP response will have the same label as the request (L_req = L_resp). This ensures that any confidential data contained in the request will propagate to the response and the label of the zone that receives the response will reflect the confidential data in its label. To avoid inappropriately leaking confidential data, the server should not use any data with tag t to generate the response unless the response's label will contain t. Also, since any user's browser can ask to add t to a zone's label (including users who do not have permission to read data with tag t), before sending data with tag t to the browser, the server first checks whether the user logged into the browser has permission to read the data.

In addition to asking the RM directly, a script can also add a tag t to the target zone's label as part of an HTTP request. This allows a parent frame to load a page into one of its sub-frames in a different zone with a different label. It is short-hand for first loading a script into the sub-frame, having the sub-frame change its own label and then requesting the additional confidential data. The server then adds t to the response's label: L_resp = L_req ∪ {t}. This method only works if the frame that makes the request has permission to load a page into the target frame, which implies that the requester can send a message to the target; either the two frames are in the same zone, or the target frame is a sub-frame of the requester.

Propagating the information flow labels to the server and back ensures that the client cannot leak data by bouncing it off the server. In IFC terms, if a script in zone X tries to send data to zone Y via an HTTP request through the server, the RM will update Y's label with the server response's label, L_Y ← L_Y ∪ L_resp, and therefore the communication will abide by the IFC rule L_X ⊆ L_Y.

External Servers

BFlow forbids communication from scripts that have seen confidential data to external servers, conservatively assuming that they are not trustworthy. This applies both to image loads and to AJAX requests. The RM permits a script to send a request to an external server if the script has not seen confidential data.

This rule is too restrictive for some Web sites. Applications such as mashups may need to request data from external servers in a way that the request itself necessarily leaks confidential information. In such sites, the developers can create a request declassification rule which allows certain kinds of confidential data to exit to certain external servers. For example, a Web site W might want to fetch the weather forecast for a user based on the user's postal code even though the postal code is confidential. If W's developers trust the weather server E enough to reveal its users' postal codes, then W can add a request declassification rule that says "any data tagged with tag t_i may be sent to E" and BFlow will permit scripts that have read data with t_i (but only t_i) to send HTTP requests to E. More precisely, the site administrator would add t_i to E's declassification set D_E (see Table 3.1).
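The exchange described in this section, as an added example that is not code from the BFlow prototype: the browser RM's outgoing gate (source server versus external server with a declassification set D_E), a source server that computes L_resp from L_req and an optional add-tag request while checking the user's permission, and the RM's application of the response label to the receiving zone. The header names (X-BFlow-Label, X-BFlow-Add-Tag), host names, permission table, tag names and data values are all constructed for this illustration.

```javascript
// Added example, not code from the BFlow prototype: one labeled HTTP exchange between a
// browser RM and a BFlow-aware source server, plus the external-server gate. Header names,
// hosts, users, tags, data and the declassification sets are constructed assumptions.

const SOURCE_SERVER = "w.example"; // constructed source server W

function isSubset(a, b) {
  for (const t of a) if (!b.has(t)) return false;
  return true;
}

function union(a, b) {
  return new Set([...a, ...b]);
}

// Request declassification sets D_E, keyed by external server E (constructed).
const DECLASSIFY = { "weather.example": new Set(["t_postal"]) };

// Browser RM, outgoing side. Returns {action, headers}.
function gateRequest(host, lZone, addTag) {
  if (host === SOURCE_SERVER) {
    // Source server W: always allowed; the request carries L_req = L_zone and may ask
    // the server to add a tag to the target zone (the short-hand of Section 3.4.4).
    const headers = { "X-BFlow-Label": [...lZone].sort().join(",") };
    if (addTag) headers["X-BFlow-Add-Tag"] = addTag;
    return { action: "send", headers };
  }
  // External server E: allowed if the zone has seen no confidential data, or if every
  // tag it has seen is in D_E (request declassification).
  const dE = DECLASSIFY[host] || new Set();
  return { action: lZone.size === 0 || isSubset(lZone, dE) ? "send" : "block", headers: {} };
}

// Server side: who may read which tag, and the tagged data itself (constructed).
const CAN_READ = { alice: new Set(["t_postal", "t_blog"]), mallory: new Set() };
const DATA = { t_postal: "02139", t_blog: "draft: private blog entry" };

// L_resp = L_req by default, or L_req ∪ {t} for an add-tag request. Data tagged t is used
// only when t ∈ L_resp, and only after checking that the logged-in user may read it.
function handleRequest(user, headers, wantTags) {
  const lReq = new Set((headers["X-BFlow-Label"] || "").split(",").filter(Boolean));
  const add = headers["X-BFlow-Add-Tag"];
  const lResp = add ? union(lReq, [add]) : lReq;
  const body = {};
  for (const t of wantTags) {
    if (!lResp.has(t)) continue; // using it would leak t into a zone that lacks t
    if (!CAN_READ[user].has(t)) return { status: 403, label: lResp, body: {} };
    body[t] = DATA[t];
  }
  return { status: 200, label: lResp, body };
}

// Browser RM, incoming side: L_Y ← L_Y ∪ L_resp for the zone receiving the response.
function receiveResponse(lZone, resp) {
  return union(lZone, resp.label);
}

// Full round trip: a zone with label lZone fetches from the source server as `user`.
function fetchFromSource(user, lZone, addTag, wantTags) {
  const req = gateRequest(SOURCE_SERVER, lZone, addTag);
  const resp = handleRequest(user, req.headers, wantTags);
  return { status: resp.status, body: resp.body, newLabel: [...receiveResponse(lZone, resp)].sort() };
}

function demo() {
  const out = {};
  // A parent loads Alice's postal code into a fresh sub-frame zone via the add-tag short-hand.
  out.aliceLoad = fetchFromSource("alice", new Set(), "t_postal", ["t_postal"]);
  // Mallory's browser asks for the same tag: the server refuses before sending anything.
  out.malloryLoad = fetchFromSource("mallory", new Set(), "t_postal", ["t_postal"]);
  // A zone labelled {t_postal} asks for blog data without adding t_blog: the server must
  // not use t_blog data in a response whose label is only {t_postal}.
  out.noSilentUpgrade = fetchFromSource("alice", new Set(["t_postal"]), undefined, ["t_blog"]);
  // External servers: only the declassified tag may leave, and only to its server.
  out.weatherOk = gateRequest("weather.example", new Set(["t_postal"])).action;
  out.weatherTooMuch = gateRequest("weather.example", new Set(["t_postal", "t_blog"])).action;
  out.adsPublic = gateRequest("ads.example", new Set()).action;
  out.adsLeak = gateRequest("ads.example", new Set(["t_blog"])).action;
  return out;
}
```

Note that the Mallory case still returns the response label {t_postal}: the label is a statement about what the zone may have seen, so applying it costs nothing, while the permission check is what keeps the data itself out of a browser that should not have it.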
3.5 Visible Model

Developers and users must understand some aspects of BFlow.

3.5.1 Developer Visible Model

Labels

An application developer must create a labeling scheme for the application's data, an arrangement of the application's HTML and scripts into frames and zones, and a plan for labeling the zones. Zone labels are usually predictable: for example, the developer knows that a certain frame will display the user's confidential postal address and that its zone will always have exactly the corresponding label. This predictability prevents unexpected increases in labels and surprise violations of BFlow's rules.

How many tags a site uses and what the tags correspond to are largely application-specific, and BFlow does not prescribe any particular approach. In general, for each collection of data that some users and/or some external sites should be able to see, but others should not, it is likely that a tag should be associated with that data. Many sites will have a handful of tags for each user, for example one for the user's contact details and one for the user's confidential blog.

Frames

A typical BFlow Web page will consist of several frames. The top level frame will always be in the trusted zone. It will have sub-frames, each with a zone and label, to contain untrusted scripts. Scripts that need to see different kinds of confidential data will be in separate zones. A particularly common case will be separate frames that display images from external servers but handle no confidential data, and frames that handle confidential data. Existing applications may need to re-factor their HTML in order that scripts that handle data with different confidentiality tags are in separate frames and zones.

As an example, a page that allows a user to edit both his confidential phone number and his public personal profile would contain two frames in separate zones: one containing the phone number, and one containing the personal profile. Because the zones are separate, the user can edit his profile without the risk of a script reading the confidential phone number and inserting it into his public profile.

Data that the user enters into a form field takes on the label of the zone surrounding the field. Thus, even if a frame does not initially contain confidential data, if the frame contains a form field into which the developer knows the user may enter confidential data, the developer should put the field in an appropriately labeled zone.

Developers can also privilege-separate large pieces of code into a small portion running in a trusted zone and a large portion running in an untrusted zone. The two portions can communicate using browser declassification. For example, the trusted portion could provide a limited API to access external Web servers.

Linking

If an untrusted page has not seen confidential data, it can link to external Web sites, but if it has seen confidential data, it can only link to external Web sites if the destination server has a request declassification rule.

Since the top level frame in a BFlow Web page must be in the trusted zone, when an untrusted page with label L = {t} loads a new page into the browser's top level frame, BFlow does not propagate tag t to the top level frame. Since this is equivalent to declassifying the t tag, the trusted page should not transmit any unique data from the HTTP request such as POST parameters to an untrusted frame unless its label also contains t.

Confidential Data and External Servers

As described in Section 3.3.2, today's browser scripts sometimes load images and data from external servers after seeing confidential data. One example of this is a confidential blog page that loads a static background image from an untrusted photo Web site E. Since the HTML contains confidential data and JavaScript, BFlow cannot determine if the request for the image has been influenced by confidential data or not. If the script requested the image after computing on the confidential blog content, the HTTP request would be leaking data to E. However, in this scenario, the image that the page is loading is static and is not based on the confidential data.

To build such a page, the site developer can pre-declare a set of external Web documents which BFlow prefetches directly from the external servers and then caches on the blog's server. Since the requests have not been influenced by confidential data, they will not leak any data to the external servers. When the browser loads the image, it fetches it from the blog server, not the photo server E, thus decoupling the request made by the browser from the request that arrives at the photo server and protecting the blog's confidential content.

Prefetching does not work for all Web applications: a script may not know what data it needs until after reading confidential data, or the potentially-needed data may be too large to prefetch. For example, a mashup script that displays a user's location on an externally-fetched map will not know what map images to fetch until after it reads the confidential address. In this type of mashup, BFlow cannot protect the privacy of the addresses from the map server. However, keeping the address confidential is an unrealistic security requirement because the map server cannot function efficiently without the address. A more realistic security requirement is that the mashup only sends the confidential address to the map server, and not to other external servers. BFlow can enforce this requirement using request declassification as described in Section 3.4.4.

Script Changes

Depending on the Web site, untrusted scripts and libraries may or may not need to understand the information flow system. For some Web sites, the site programmers may be able to determine what label an untrusted script should run with, so that the untrusted script need not be aware of BFlow. For example, if a Web site imports a JavaScript library like Scriptaculous [69] and never expects the library to contact external servers or communicate with different zones, the site could just use the correct non-empty label and import the library without modifications. For scripts that only read data and render it to the user, the site can just load the script with a label containing all the tags the user can read.

Server Code

A server that supports BFlow scripts must be able to record the label of data arriving from a script, and emit that label when it later serves the same data to a script. A straightforward approach is to store a label with each file or database entry. Though not necessary, it might also be helpful for the server to use an IFC-aware operating system or server framework [22, 89, 46].

Debugging

To debug applications written for BFlow, developers test their HTML and JavaScript in a BFlow-enabled browser which reports error messages pertaining to BFlow's information tracking system.

3.5.2 User Visible Model

End users interact with a BFlow site much like they do with Web sites today. Depending on the Web site, a user may need to understand that a sub-frame may have a different privacy policy from the rest of the page. For example, a Web site that includes confidential content may also include an untrusted JavaScript widget running in a sub-frame that has not read confidential data. In this case, it is the Web site's responsibility to indicate to the user that any data he types into the sub-frame may be visible to the public. This responsibility is more explicit in BFlow, but it already exists in any Web site that includes content from untrusted programmers, whether using sub-frame isolation or not.
3.6 Implementation

BFlow requires browsers to confine browser JavaScript into protection zones and to exchange security metadata with servers in each HTTP request. Since today's browsers do not implement these features, and replacing the installed base of Web browsers is difficult, the major challenge in implementing BFlow is making it easy to deploy to browsers.

3.6.1 Client Implementation

To ensure that our BFlow client modifications are easy to install for end users, we implemented the client-side reference monitor as a Firefox 3 plugin. The plugin is a portable JavaScript and XML package that runs on any platform that supports Firefox 3; users can install the plugin with only two mouse clicks. Firefox does not provide many security related hooks in the plugin interface, but it does implement the same-origin policy which provides fairly strong isolation between different origins. The prototype plugin's implementation currently works only with Firefox's plugin API, but it should be possible to implement similar plugins for other browsers.

The BFlow plugin takes advantage of the existing SOP in the browser to implement basic isolation between protection zones. It associates each zone with a unique unforgeable domain name, and each different BFlow Web site has its own disjoint set of zone domain names. Zone domains are of the form Z.site where Z and site are the respective unique names of the zone and Web site. BFlow uses the form Z.site rather than Z.site.com because browsers permit a script to remove its host prefix from its domain name before the SOP comparison; using Z.site.com would allow two scripts with zones Z1.site.com and Z2.site.com to remove Z1 and Z2, and thus communicate based on the common name site.com.(2) Separating zones into different domains uses the SOP to prevent scripts in one zone from reading and writing DOM variables and cookies in another zone.
However, the SOP alone does not prevent JavaScript in two different zones from colluding to leak confidential data; a script in one zone can communicate with a script in another zone using cross-domain channels like the fragment-ID channel and postMessage described in Section 3.4.3. BFlow's Firefox plugin disables postMessage, and the flow invariant described in Section 3.4.2 ensures that all available fragment-ID channels in Firefox 3 are also legal data flow paths according to BFlow's information flow rules. The BFlow prototype relies on the FID descendant policy in Firefox 3 and other recent browsers that limits the channel to parents sending data to children and frames sending data to the top-level frame [8].

When the browser makes an HTTP request to a zone domain on a BFlow aware server W, the browser RM directs the request to a Web proxy server running on W which then forwards it to an Apache Web server process on W. Using a proxy prevents the browser from attempting to resolve the zone's DNS name, which is not an actual DNS domain name; however, the proxy is specific to our prototype and the same functionality could be built into the Web server.

The browser plugin is 1003 lines of JavaScript and 89 lines of XML including comments. To intercept HTTP requests for inspection and modification we use Firefox's "http-on-modify-request" and "http-on-examine-response" hooks in its XPCOM observer service. These hooks are called before sending each HTTP request and before returning the response to the rendering engine respectively.
3.6.2 User Authentication

A user can initially authenticate himself to a BFlow site using any technique, but any script used in a login Web page should be a trusted script. It could be possible to use an untrusted script on the login page with a tag to protect the password data, but the site would need to generate a new tag for each login attempt, or else a script could transmit the username and password to another user that attempts to log into the system later.

(2) The RM uses Firefox's SOP implementation, so it handles domains like cnn.co.uk.

After logging in, the user authenticates each subsequent HTTP request using an authentication cookie. The cookie is confidential data, but BFlow does not protect it using the information flow system because the browser must authenticate the user for all HTTP requests, even requests for public data where L = {}, so the cookie cannot have its own tag; otherwise a public page would also be protected by the cookie's tag. Instead, BFlow associates the cookie with the Web site's real domain name, for example, site.com. Untrusted JavaScript running in a protection zone cannot read the Web site's authentication cookie because the untrusted zone's domain is of the form Z.site and the authentication cookie is from the domain site.com. Since the domains do not match, or share a suffix, the same origin policy prevents the untrusted JavaScript from reading the authentication cookie. However, a standard browser will not send the authentication cookie for requests originating from Z.site for requests to site.com because of the SOP, so the BFlow RM attaches the cookie to these HTTP requests.
3.6.3 Server Implementation

In the BFlow prototype, the server implements the interface described in Section 3.4.4 with server processes called gateways. The client sends raw tag values to the server in the headers of each HTTP request, and the server responds with tag values in the response headers. The server uses a gateway process to handle each request, which in turn invokes application logic. The gateway launches the application logic with the read privileges of the user, so it can only read the data that the end user may read. This ensures that the user will not receive data he does not have permission to read.

Although it is not necessary for a BFlow server to use an IFC operating system, the prototype's gateways and application logic both run in the Flume IFC system [46], which provides IFC within the Linux operating system. Running the application logic in an IFC OS has the advantage that untrusted code can safely run both in the client and in the server in a unified IFC space.

At a lower level, each gateway is a long-running Python FastCGI process. The gateway serves static files directly off the file system and queries application request handlers, which are Flume-confined FastCGI processes, to serve dynamic HTTP requests. The gateway is 4144 lines of Python including comments.
3.6.4 Server Storage

As described in Section 3.4.4, a BFlow server can allow untrusted scripts to store data on the server as long as the server associates a label with the data when writing and reading. The BFlow server prototype implements a key-value storage system within its IFC environment. Untrusted browser scripts can read and write data to server storage using AJAX HTTP requests. When an AJAX request stores data on the server, the storage system labels the data with the label of the request. Later, when an HTTP request reads that data, the storage system only reads data whose label is a subset of the HTTP response's label.

The underlying storage system is an IFC database wrapper built on top of PostgreSQL that resembles the SeaView [52] data model. Although the prototype storage system runs in an IFC operating system, it is not necessary to use one. In many cases, it should be sufficient for the server to store a label alongside the data and apply the label when reading the data. Together the IFC database wrapper and the HTTP storage request handler are 3288 lines of Python including comments.
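The storage rule above (label on write, subset check on read) is small enough to show in full. The following is an added example written for this page, not code from the BFlow prototype: it models a key-value store that keeps each value's label next to it, and an AJAX-style handler that takes the zone's label from a request header and echoes it back. The header name X-BFlow-Label, the tag name t and the sample keys and values are assumptions constructed for the example.

```python
from typing import Dict, FrozenSet, Optional, Tuple

Label = FrozenSet[str]

# Header name is an assumption made for this example; the prototype's actual
# header names are not given in the text.
LABEL_HEADER = "X-BFlow-Label"


def parse_label(header: Optional[str]) -> Label:
    """'t,u' -> frozenset({'t', 'u'}); a missing or empty header is the empty label {}."""
    if not header:
        return frozenset()
    return frozenset(tag.strip() for tag in header.split(",") if tag.strip())


def format_label(label: Label) -> str:
    return ",".join(sorted(label))


class LabeledStore:
    """Key-value storage that records the writer's label next to each value."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[str, Label]] = {}

    def write(self, key: str, value: str, request_label: Label) -> None:
        # Data written by an HTTP request takes the label of that request.
        self._rows[key] = (value, request_label)

    def read(self, key: str, response_label: Label) -> Optional[str]:
        # A response may only carry rows whose label is a subset of the
        # response's label. Anything else is invisible to this reader, exactly
        # as if the key did not exist, so a zone's label is never raised by a
        # read it was not entitled to.
        row = self._rows.get(key)
        if row is None:
            return None
        value, data_label = row
        return value if data_label <= response_label else None


def handle_storage_request(store: LabeledStore, method: str, key: str,
                           headers: Dict[str, str], body: str = "") -> Tuple[int, Dict[str, str], str]:
    """One AJAX storage request from a zone. The zone's label arrives in the
    request header and is echoed back in the response header."""
    label = parse_label(headers.get(LABEL_HEADER))
    reply_headers = {LABEL_HEADER: format_label(label)}
    if method == "PUT":
        store.write(key, body, label)
        return 200, reply_headers, ""
    if method == "GET":
        value = store.read(key, label)
        if value is None:
            return 404, reply_headers, ""
        return 200, reply_headers, value
    return 405, reply_headers, ""


def demo() -> Dict[str, object]:
    """Constructed scenario: a Cbox-style chat zone (label {t}) and a public
    widget zone (label {}) share one store."""
    store = LabeledStore()
    chat_zone = {LABEL_HEADER: "t"}    # has read the confidential blog
    public_zone = {LABEL_HEADER: ""}   # never read anything confidential
    handle_storage_request(store, "PUT", "chat/1", chat_zone, "did you see the draft post?")
    handle_storage_request(store, "PUT", "theme", public_zone, "dark")
    return {
        "public_reads_chat": handle_storage_request(store, "GET", "chat/1", public_zone)[0],
        "chat_reads_chat": handle_storage_request(store, "GET", "chat/1", chat_zone),
        "chat_reads_theme": handle_storage_request(store, "GET", "theme", chat_zone)[2],
        "public_reads_theme": handle_storage_request(store, "GET", "theme", public_zone)[2],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The public zone's read of the chat message comes back as a 404 rather than a 403: an explicit "forbidden" would tell the unlabelled zone that a {t}-labelled row exists under that key, which is itself a one-bit leak.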
3.7 Applications

To demonstrate that BFlow preserves privacy and is flexible enough to build Web platforms, we implemented two Web applications within the BFlow framework and a collection of untrusted JavaScript extensions.
3.7.1 BF-Blogger

Blogger [12] is a popular blog hosting service that supports confidential blogs that only specific users can read. Blogger allows a blog's author to install third-party JavaScript extensions that run in the browsers of all viewers of the blog. These extensions can use confidential data, such as recent posts in the current blog. Other extensions talk to external Web servers: for example, one extension displays random images from a photo-sharing Web site. All JavaScript runs in the same browser frame with access to the blog's confidential data, including the blog posts and the reader's browser cookies, making it possible for malicious scripts to leak the data.

BF-Blogger is derived from Blogger's HTML, JavaScript, and third-party extensions, but it runs in BFlow. In a BF-Blogger blog, the top-level trusted zone contains one child frame and protection zone for the main blog content (including Blogger's JavaScript) and a separate child frame and zone for each extension. BF-Blogger associates the data from a confidential blog with tag t. The main blog content's zone contains the blog's confidential content, so it starts with the label L = {t}. Each extension zone starts with an empty label L = {}. An extension can make an HTTP request to the server to read confidential blog contents, thus changing its label to L = {t}.

We ported seven Blogger extensions to BF-Blogger. The Twitter and Flickr extensions fetch data from external Web servers; they do not read the confidential blog contents, so BFlow permits them to fetch the external data. The Recent Posts extension fetches the current blog's contents, computes a set of post snippets, and displays them to the user. The Cbox extension implements a multi-user chat room. Cbox consists of multiple cooperating frames, each with its own JavaScript, and the individual frames read and write the other frames' DOM. BF-Blogger runs Cbox as if it had read confidential data (L = {t}) because it stores data on the server, and users might chat about the confidential blog contents. Cbox consists of multiple frames, but since BF-Blogger groups them into a single protection zone, BF-Blogger can set the zone label just once. This changes the label for all of Cbox's frames without BF-Blogger being aware of all of Cbox's sub-frames. Because the chat contents might be confidential, we modified Cbox to store its data in BFlow server storage with label L = {t}.

We also wrote two Evil extensions that run in both Blogger and BF-Blogger; their goal is to leak data from a confidential blog (see Section 3.8.1). Extension developers for BF-Blogger need not understand the details of BFlow other than that they may not make external HTTP requests after reading confidential data.
3.7.2 BF-Socialnet

BF-Socialnet is a multi-user social network that uses BFlow to protect privacy. Each user has a profile and a set of friends. BF-Socialnet permits JavaScript extensions to run within its pages with access to the user's profile and friend list. We implemented two JavaScript extensions, a profile comparison tool and a messaging tool, to exercise BFlow's support for different communication patterns and privacy policies.

BF-Socialnet's base friend privacy policy is that user Alice's profile and friend list are only visible to Alice's friends. In addition, BF-Socialnet supports personal data, which only Alice may read, and pairwise data, which a particular pair of users may read. To implement these policies, BF-Socialnet uses a set of tags for each user: one tag for personal data that only Alice can see (t_alice), one tag for Alice's friend-visible data (t_alice:friends), and one tag for each of Alice's friends for pairwise-visible data; for example, if Alice is friends with Bob, BF-Socialnet would use the tag t_alice:bob.

The BF-Socialnet page has a trusted root page that contains different sub-frames for each third-party extension. The root page has multiple frames for each extension, each with a different confidentiality mode. For example, in one frame, the messaging extension runs in a mode that allows it to read all data that the user can read. In a separate frame, the messaging extension runs with a pairwise tag determined by the root page. The user selects whom to send a message to using a drop-down box in the root frame, and the root frame adjusts the label on the frame accordingly. The profile comparison tool only reads data, and therefore only runs in a mode that allows it to read all data that the user can read. It uses AJAX requests to read the profiles of all the user's friends, compares them in the browser, and outputs a list of friends with similar interests.

User and Developer Visible Model: In BF-Socialnet, an application writer needs to know what confidentiality mode his application will run under and what data it hopes to read. However, he does not need to understand labels, tags, or the information flow model. Similarly, users should be able to understand that the different sub-frames abide by different confidentiality modes, because data that they input to a sub-frame will abide by the frame's confidentiality mode. This decision is similar to the decision that users make today when choosing their profile's privacy policy, so we expect users will be able to understand it.

Implementation: BF-Socialnet is implemented as 283 lines of Python and 124 lines of HTML using the Django Web framework [20]. BF-Socialnet runs as a Flume-confined process and saves data on the server in the IFC database wrapper described in Section 3.6.4. The profile comparison tool and the messaging tool are, respectively, 104 and 103 line Django applications.
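The tag scheme and the per-frame confidentiality modes above can be written down as a small policy, which is what the trusted root page and the gateway's export check effectively compute. The following is an added example for this page, not BF-Socialnet's own code: the tag spellings (t_alice, t_alice:friends, t_alice:bob), the treatment of a pairwise tag as readable by exactly its two users, the mode names "all" and "pairwise", and the sample friend graph are all assumptions of the example.

```python
from typing import Dict, FrozenSet, Optional, Set

Label = FrozenSet[str]


def personal_tag(user: str) -> str:
    return f"t_{user}"                 # only `user` may read


def friends_tag(user: str) -> str:
    return f"t_{user}:friends"         # `user` and the user's friends may read


def pairwise_tag(user: str, peer: str) -> str:
    return f"t_{user}:{peer}"          # only `user` and `peer` may read (assumed)


class SocialnetPolicy:
    def __init__(self, friends: Dict[str, Set[str]]) -> None:
        # Friendship is assumed symmetric; both directions must be listed.
        self.friends = friends

    def readable_tags(self, user: str) -> Label:
        """Every tag whose data may reach `user`'s browser."""
        tags = {personal_tag(user), friends_tag(user)}
        for f in self.friends.get(user, set()):
            tags.add(friends_tag(f))
            tags.add(pairwise_tag(user, f))
            tags.add(pairwise_tag(f, user))
        return frozenset(tags)

    def may_send_to(self, user: str, data_label: Label) -> bool:
        """The gateway's export check: data labelled L goes to `user` only if
        L is a subset of the tags `user` may read."""
        return data_label <= self.readable_tags(user)

    def frame_label(self, user: str, mode: str, peer: Optional[str] = None) -> Label:
        """Label the trusted root page assigns to an extension sub-frame.
        'all'      : the frame may read everything `user` can read (the profile
                     comparison tool, and one instance of the messaging tool).
        'pairwise' : the messaging frame after `user` picks `peer` in the root
                     frame's drop-down box."""
        if mode == "all":
            return self.readable_tags(user)
        if mode == "pairwise":
            if peer is None or peer not in self.friends.get(user, set()):
                raise ValueError("pairwise mode needs one of the user's friends as peer")
            return frozenset({pairwise_tag(user, peer)})
        raise ValueError(f"unknown mode {mode!r}")


def demo() -> Dict[str, bool]:
    # Constructed friend graph: alice-bob and bob-dave are friends; carol has none.
    policy = SocialnetPolicy({
        "alice": {"bob"}, "bob": {"alice", "dave"}, "dave": {"bob"}, "carol": set(),
    })
    profile_bob = frozenset({friends_tag("bob")})     # Bob's friend-visible profile
    # Profile comparison tool in Alice's 'all' frame reads Bob's profile.
    alice_frame = policy.frame_label("alice", "all")
    # Messaging frame: Alice picks Bob, so anything typed there is labelled pairwise.
    msg_label = policy.frame_label("alice", "pairwise", peer="bob")
    return {
        "alice_can_read_bob_profile": profile_bob <= alice_frame,
        "carol_can_read_bob_profile": policy.may_send_to("carol", profile_bob),
        "bob_gets_message": policy.may_send_to("bob", msg_label),
        "dave_gets_message": policy.may_send_to("dave", msg_label),   # Bob's friend, not Alice's
        "alice_gets_message": policy.may_send_to("alice", msg_label),
    }
```

Note that the root page never hands the extension a tag; it chooses the frame's label from the user's drop-down selection, so a malicious messaging extension cannot widen its own audience by picking a different peer.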
3.7.3 W5

W5 is a Web server platform in which any third-party programmer can write an application and deploy it to a utility-like W5 server. W5 serves as an example application made possible by combining BFlow with an operating system level IFC system. The unique property of W5 is that any application running on a W5 server can read data that other applications store on the same server, even if that data is confidential to the user (such as a user's confidential photos). However, the W5 server prevents applications from leaking that confidential user data to unauthorized recipients, even to the author of the application. W5 accomplishes this by running applications in an IFC environment on the server, running the application's HTML and JavaScript in BFlow, and integrating the two IFC systems in a single information flow realm. W5 needs to use BFlow in the browser because the third-party code running on the server can generate arbitrary JavaScript. Without BFlow, that JavaScript could leak confidential data from the server to an adversary by sending HTTP requests that contain confidential data to an adversary's Web server.

Reusing and repurposing data is an advantage to applications that want access to existing data from other applications, because an application writer need not persuade users to enter or upload their data into his application if it already exists in another W5 application. Users benefit because they can try new applications without the overhead of reinserting their data, and users can use applications without worrying that the application will steal their data.

The main challenge in building W5 is to support different types of applications and different ways to share data between applications. Using a high-level IFC policy helps to address this challenge because the applications can share data with each other as long as the high-level confidentiality policy is upheld. This section demonstrates how to combine BFlow and Flume to construct W5.
High-level Architecture: Figure 3-5 shows the high-level W5 architecture. W5 involves three main entities: providers, developers, and end-users. The W5 provider supplies a server (footnote 3), database, and file system, and runs the W5 framework to control how applications use these resources. To enforce the framework's security policies, the provider supplies "gateway" processes that reside on the server and govern all communication between the W5 server applications and the end-user browsers.

Footnote 3: For clarity, we use the term server, but W5 could generalize to a cluster of servers.

Figure 3-5: W5 overview showing three applications.

Developers deploy application software on the W5 server. They can upload binaries, libraries, and scripts to W5, and assemble them into Web applications. W5 gives developers wide latitude in how to engineer their applications, allowing use of third-party libraries and plugins along with most of the facilities of the underlying operating system (e.g. Linux). Applications can read and write shared data, and applications can exchange data with external Web servers. The intent is that anyone can be a W5 developer.

End-users interact with W5 sites through Web browsers. When establishing an account, logging on, or configuring her security preferences, the user interacts with the W5 gateway via an application start page. Otherwise, developer-written code handles her data and requests via the gateway.

W5 can enforce open-ended user- or provider-specified policies. The default policy lets a user mark data as one of three levels of privacy: private, friends-only, and public. Any application may read a user's private data but may only cause it to be revealed to that user's browser. An application may reveal a user's friends-only data to the browser of someone on the user's friends list. An application may reveal public data to anyone.
Implementation: The W5 server prototype runs on the Flume operating system [46], which provides DIFC extensions to a standard Linux operating system. Third-party applications run as sandboxed Flume processes. As such, they can access the core Linux API (e.g., fork, file I/O, pipes, etc.) but cannot access those calls that would allow data leaks or privilege escalation (e.g., ioctl, ptrace, bind in certain circumstances, etc.). When Flume does allow API calls, it tracks user information as it flows between processes, files and the database. W5 uses Flume's DIFC file system and BFlow's database for persistent labels.

The W5 gateway also runs as a process in user space, but owns many sensitive privileges (such as the ability to export user data) and must therefore run outside a strict sandbox. In this sense, the gateway sits at the security perimeter of the server: third-party applications must go through the gateway to communicate with clients or other outside network hosts. At a lower level, the gateway is a long-running Python FastCGI process. The gateway serves static files directly off the file system and forks a new Flume-confined CGI process to serve each dynamic HTTP request. W5 currently supports applications written in Python as well as binary executables. The gateway is 4641 lines of Python and the W5 database is a 3400 line Python wrapper around a PostgreSQL database.
W5 Applications: To demonstrate the feasibility of the W5 platform, we built a number of extensible applications that exercise different parts of W5. All of these applications are written in Python and use the Django framework, which explains why they require only a small amount of source code.

Calendars: W5 has two separate calendar applications, Calendar and WeatherCalendar. Together, they demonstrate how two mutually distrustful applications can work together, and how an application can communicate outside the W5 server within the W5 security policy. The Calendar is a standard calendar program that stores event dates and times. WeatherCalendar is similar to the Calendar and reads Calendar's database entries, but also periodically fetches data from an online weather database [85] and displays the weather alongside the calendar data. The Calendar application is 206 lines of code, and the WeatherCalendar is 321. W5 allows WeatherCalendar to read Calendar's database entries and use them in its event listing, but W5 ensures that WeatherCalendar cannot leak the user's confidential Calendar entries, despite communicating with the remote weather database, even if the WeatherCalendar is malicious.

Blog: W5 has a blog application that demonstrates W5's support for sharing data between users, read access control and search functionality. A blog author can configure each individual blog and blog post to be publicly readable, or to have restricted read access using the different levels of privacy described above. The Blog also supports searching through the blog posts by keyword. It might seem that W5 could not support an application that searches through all the posts, because they all have different secrecy labels. A process that reads each post and checks for matches would likely read a post that the user is not allowed to read and thus become unable to send its results back to the client. To implement keyword searching, W5's database creates a view for the user that contains only data that the user has permission to read. This ensures that the keyword matching query will only return the posts that are both readable and match the search query. The Blog application is 268 lines of code. W5 enforces the blog's read access controls, so users need not trust that the blog application implements the correct access control checks; users only need to trust that W5's gateway and IFC system are implemented correctly. Users configure their read access controls through an interface to the W5 gateway, and W5 enforces them on the blog application.
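The search problem above is a good illustration of why IFC makes a process "unable to send its results back": its label only ever grows. The following added example (written for this page, not W5's own code) models a Flume-style confined handler whose label is raised by every row it reads, and contrasts a naive scan of all posts with a search over the per-user view. The tag names (alice:private, alice:friends), the three privacy levels mapped onto labels, and the sample posts and friend graph are constructed for the example; the gateway's export check is modelled as a subset test against the tags the user may read.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

Label = FrozenSet[str]


@dataclass(frozen=True)
class Post:
    author: str
    privacy: str   # one of W5's default levels: "private", "friends", "public"
    text: str


def post_label(post: Post) -> Label:
    """Secrecy label the database keeps with each row (tag spellings assumed)."""
    if post.privacy == "public":
        return frozenset()
    if post.privacy == "friends":
        return frozenset({f"{post.author}:friends"})
    return frozenset({f"{post.author}:private"})


def readable_tags(user: str, friends: Dict[str, Set[str]]) -> Label:
    """Tags whose data the gateway may export to `user`'s browser."""
    tags = {f"{user}:private", f"{user}:friends"}
    for f in friends.get(user, set()):
        tags.add(f"{f}:friends")
    return frozenset(tags)


class ConfinedProcess:
    """A confined request handler: every read raises its secrecy label, and the
    gateway relays its output to `user` only while that label stays within what
    `user` may read."""

    def __init__(self) -> None:
        self.label: Label = frozenset()

    def read(self, post: Post) -> Post:
        self.label = self.label | post_label(post)
        return post

    def may_reply_to(self, user: str, friends: Dict[str, Set[str]]) -> bool:
        return self.label <= readable_tags(user, friends)


def naive_search(posts: List[Post], keyword: str, user: str,
                 friends: Dict[str, Set[str]]) -> Optional[List[Post]]:
    """Scan every post. Touching one the user may not read taints the process,
    so its (otherwise correct) hit list can no longer be sent back: fail-stop."""
    proc = ConfinedProcess()
    hits = [p for p in posts if keyword in proc.read(p).text]
    return hits if proc.may_reply_to(user, friends) else None


def view_search(posts: List[Post], keyword: str, user: str,
                friends: Dict[str, Set[str]]) -> List[Post]:
    """W5's approach: build the per-user view first, then search only that.
    The process's label is then bounded by readable_tags(user) by construction."""
    view = [p for p in posts if post_label(p) <= readable_tags(user, friends)]
    proc = ConfinedProcess()
    hits = [p for p in view if keyword in proc.read(p).text]
    assert proc.may_reply_to(user, friends)
    return hits


# Constructed sample data: alice and bob are friends; carol is a stranger to both.
FRIENDS: Dict[str, Set[str]] = {"alice": {"bob"}, "bob": {"alice"}, "carol": set()}
POSTS: List[Post] = [
    Post("alice", "public",  "party photos are up"),
    Post("alice", "friends", "party at my place saturday"),
    Post("alice", "private", "draft: party budget"),
    Post("carol", "friends", "no party for me this week"),
]

if __name__ == "__main__":
    print("naive, bob :", naive_search(POSTS, "party", "bob", FRIENDS))
    print("view,  bob :", [p.text for p in view_search(POSTS, "party", "bob", FRIENDS)])
```

The naive scan fails for every user here, including the author alice, because carol's friends-only post taints it; the view-based search returns exactly the readable hits and nothing about the rest, which is also why it reveals nothing through the size of the result.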
Photo Sharing and Editor: The W5 photo sharing application illustrates data sharing between applications. Users create albums, upload photos, and view albums. Like the blog, users can also view other users' albums, if the album's privacy policy allows. The photo sharing application is 451 lines of code.

The W5 photo editor works with the photo sharing application to show how separate applications can share code and writable data on the server. The photo sharing application and the photo editing application are written by different developers, yet the photo editor can edit the photos in the photo sharing application. To implement sharing, the photo editor imports software modules related to the data format from the photo sharing application. The photo editor also uses an open-source imaging library, including C extensions to read and modify images. The photo editor is 119 lines of code, and the C extension is 45,258 lines of code. As in the calendar and blog applications, W5 permits data sharing between users and applications. W5 also prevents the photo editor from leaking the users' confidential photos, whether by accident or maliciously.
3.8 Evaluation

This section evaluates how well BFlow achieves its two main goals: prevention of confidential data leaks from in-browser JavaScript, and compatibility with existing developer uses of JavaScript. We focus on these topics rather than performance because the performance penalty of the browser extension should be minimal and the HTTP proxy can be eliminated by moving its functionality into the Web server.

3.8.1 Security Attack Analysis

This section explains how BFlow prevents the example attacks described in Section 3.3.1, Figures 3-1 and 3-2. In Figure 3-1a, malicious JavaScript resides in the same frame (and thus the same zone) as the confidential data. BFlow ensures that the zone's label includes tag t before it allows the zone to read confidential data with tag t; therefore the malicious script will be running in a zone with tag t. This label constrains the malicious script so that it can display data only to the browser's human reader and the source Web server. The former is not a leak, since the source server would not have sent the data unless the browser's user had permission to read it. The latter is not a leak because BFlow propagates tag t along with the data, so that the source server will know it is confidential.

In Figure 3-1b, the confidential data (and benign JavaScript) is not in the same zone as the malicious JavaScript. If the benign JavaScript accidentally tries to communicate with the malicious JavaScript, the BFlow reference monitor will forbid the communication unless the malicious JavaScript's zone label is a superset of the label of the zone with the confidential data. In the latter case the malicious JavaScript will be restricted from leaking as described in the previous example.
Attack Examples in Blogger: In order to verify that BFlow fixes existing security problems, we implemented two JavaScript extensions for Blogger that steal confidential information. The first extension contains a cross-site scripting (XSS) attack that exploits a typical script injection vulnerability. We wrote this attack, but we believe that XSS attacks in the wild would use the same leak technique since today's Web sites do not usually use any countermeasures. In this attack, the adversary tricks user A into placing the extension on his blog so that viewers of his blog execute the extension's script. When some user B views A's blog, the extension reads user A's confidential blog contents and user B's Blogger cookie and sends them to an external server using an image request, thus leaking A's and B's confidential data. This attack works when run on the real Blogger Web site, but the extension is unable to leak data when run on BF-Blogger, since BFlow forbids the extension from contacting the external server because its zone has seen confidential data.

The second attack is meant to approximate the one pictured in Figure 3-1b. We believe this is a new style of attack and are unaware of such attacks in the wild because intra-browser JavaScript APIs are currently uncommon. The attack consists of two parts: the listener and the leaker. The leaker takes the place of a vulnerable script API and the listener takes the place of an adversary that tricks the vulnerable script into reading confidential data and sending it to the listener. In this attack the listener script resides in a frame in the adversary's origin, and listens for a message from the leaker. The leaker runs in the same origin as the confidential Blogger page, and sends confidential data to the listener using postMessage. Again, this attack works when run on the real Blogger Web site, but the leaker is unable to send data to the listener with postMessageBF in BF-Blogger, because BFlow forbids the leaker (who has seen confidential data) from messaging the listener (who has an empty label L = {}).
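Both attacks, and the label rules of Section 3.8.1 that stop them, reduce to three checks in the browser reference monitor: an external host may only be contacted by a zone whose label is empty, a request to the source server carries the zone's label and the response raises it, and a cross-zone message is delivered only if the receiver's label is a superset of the sender's. The following is an added example for this page, not code from the BFlow Firefox extension: it models those three checks in Python and replays the image-request leak, the postMessage leak and a benign external widget against them. The site name site.com, the host attacker.example, the tag name t and the raise_label operation are assumptions of the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

Label = FrozenSet[str]
SITE = "site.com"          # assumed name of the BFlow-aware origin server
T = "t"                    # tag BF-Blogger attaches to a confidential blog's content


@dataclass
class Zone:
    name: str
    label: Label = frozenset()


class ReferenceMonitor:
    """Models the checks BFlow's browser RM applies to one site's zones."""

    def __init__(self, site: str) -> None:
        self.site = site
        self.log: List[str] = []

    def request(self, zone: Zone, host: str, response_label: Label = frozenset()) -> bool:
        """An HTTP request from `zone` to `host`. `response_label` stands for the
        tags the server would return in the response headers."""
        if host != self.site:
            # External hosts never receive tagged data: only a zone whose label
            # is still empty may contact them.
            allowed = not zone.label
            self.log.append(f"{'ALLOW' if allowed else 'DENY'} {zone.name} -> {host} "
                            f"label={sorted(zone.label)}")
            return allowed
        # Requests to the source server carry the zone's label in the request
        # headers, so the server knows what it receives is confidential; the
        # tags in the response raise the zone's label.
        zone.label = zone.label | response_label
        self.log.append(f"ALLOW {zone.name} -> {host} label={sorted(zone.label)}")
        return True

    def post_message(self, src: Zone, dst: Zone) -> bool:
        """postMessageBF: deliver only if the receiver's label is a superset of
        the sender's, so tagged data never flows to a less-tainted zone."""
        allowed = src.label <= dst.label
        self.log.append(f"{'ALLOW' if allowed else 'DENY'} message {src.name} -> {dst.name}")
        return allowed

    def raise_label(self, zone: Zone, tags: Label) -> None:
        """A zone voluntarily accepting more tags (assumed RM operation)."""
        zone.label = zone.label | tags


def xss_image_leak() -> Tuple[bool, bool]:
    """Figure 3-1a / first Evil extension: read the confidential feed, then try
    to ship it out in an image request to the attacker's host."""
    rm = ReferenceMonitor(SITE)
    evil = Zone("evil-extension")
    read_ok = rm.request(evil, SITE, frozenset({T}))     # JSON feed tagged t
    leak_ok = rm.request(evil, "attacker.example")      # <img src=...> carrying the data
    return read_ok, leak_ok


def post_message_leak() -> Tuple[bool, bool, bool]:
    """Figure 3-1b / second Evil extension: a leaker in the confidential zone
    messages the adversary's listener frame."""
    rm = ReferenceMonitor(SITE)
    leaker = Zone("leaker", frozenset({T}))
    listener = Zone("listener")                       # adversary's frame, label {}
    blocked = rm.post_message(leaker, listener)       # denied: {t} is not a subset of {}
    rm.raise_label(listener, frozenset({T}))          # listener accepts the tag...
    delivered = rm.post_message(leaker, listener)     # ...and may now receive the message
    exfil = rm.request(listener, "attacker.example")  # ...but can no longer reach its server
    return blocked, delivered, exfil


def benign_external_widget() -> bool:
    """The Twitter/Flickr extensions: the label stays {}, so external fetches pass."""
    rm = ReferenceMonitor(SITE)
    twitter = Zone("twitter-extension")
    return rm.request(twitter, "api.twitter.example")
```

The second scenario shows the property that makes the superset rule safe: the listener can always choose to receive the message, but doing so moves it into the same {t} compartment, where the external-host check applies to it too.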
3.8.2 Adoption

In order to evaluate the complexity of developer adoption, we ported several existing Blogger widgets [10, 74, 29] to BF-Blogger. They fall into three categories:

1. Those that load data, images, or libraries from external servers, or link to external servers.
2. Those that read the blog's confidential content using the blog's JSON feed.
3. Those that do both of the above.
Extensions in the first category, such as the Flickr, Twitter, and Buzz extensions, required no changes to work on BF-Blogger. These extensions need no confidential data, so they can be loaded in frames that have an empty label, and are free to fetch data from external servers.

Table 3.2: Lines of code (LOC) changed to port existing widgets to BF-Blogger and whether they see confidential data. The LOC, LOC Included and LOC Changed figures for each row are run together in the extracted table and are given as extracted.

Extension        LOC / LOC Included / LOC Changed   Confidential Data
Twitter          6190                                No
Flickr           1000                                No
Buzz             100                                 No
Blogger JS       608510                              No
Youtube          12826100                            No
Calendar         80411410                            No
Weather          29937970                            No
Popular Posts    1601                                Yes
Commenters       1501                                Yes
Recent Posts     9652                                Yes
Random Post      3402                                Yes
CBox             801089                              Yes
The Recent Posts extension is in the second category. It fetches the blog's most recent posts and displays a list of them on the blog's sidebar. The original version loads a JavaScript file from an external site, which fails because the script reads the blog content before making the external HTTP request for the JavaScript file. To make this extension work in BF-Blogger, we copied the content of the external JavaScript file into the extension.

The two extensions we found in the third category, namely Popular Posts and Top Commenters, are a form of mashup. They use an external server (Yahoo Pipes [84]) to process the content of the blog's confidential comments and then display the results in the page. They illustrate how a mashup sometimes trusts an external server with confidential data. To add support for these in BF-Blogger we added a comment feed to the blog and made the feed available only to the Yahoo Pipes client host. This feed policy is an explicit declassification of the confidential comments to the Yahoo Pipes host.

We also examined a number of Google Gadgets [32]. The twenty most popular Google Gadgets don't act on confidential data, and just import data from external sites or from Google's platform. We ported the generated JavaScript of three Google Gadgets to run on our platform: Youtube Search, Google Calendar, and Current Weather. All worked without changes. The Cbox messaging system required more code changes since it stores persistent data on the server; it was modified to read included files from our platform and to store messages using our server storage API.
3.9 Deployment

When considering deployment and adoption, it is clear that BFlow faces more hurdles than Resin because both the Web site developers and the end users must adopt BFlow before it can be useful. However, adding support for BFlow in a Web site does not make that Web site incompatible with today's browsers; BFlow is backwards compatible with browsers. A Web site can adopt BFlow even if none of its clients buy in. To deploy BFlow, a Web site would add support internally, and then enable BFlow features like third-party JavaScript only for browser clients that support BFlow. This way, the site will still work for non-BFlow clients, but the users may be enticed to install BFlow's browser extension to use the Web site's features. As a concrete example, Google could integrate BFlow's reference monitor into the Google toolbar, and a few popular applications like Gmail. Then users can adopt BFlow incrementally without requiring the installation of a new browser, or requiring all users to install BFlow at once.
3.10 Limitations and Future Work

BFlow currently has a number of limitations which we plan to address in future work.

3.10.1 Information Flow Control

Cross-Zone Communication: The current BFlow prototype isolates zones using the browser's same-origin policy. This means that two different zones cannot read and write each other's DOM variables and cookies, but two zones should be able to read and write cookies and DOM variables from other zones as long as their labels would allow. It should be possible to add cross-zone DOM variable access through the Firefox extension interface. One approach is to add a function call interface similar to postMessageBF for variable access, but it may also be possible to provide direct language integration to avoid changing the JavaScript API. BFlow could use the same techniques to provide access to cookies in different zones.

Distributed IFC in BFlow: As designed, BFlow only tracks information on a per-Web-site basis. For example, a single protection zone cannot contain tags from two different Web sites, and transferring confidential data from one site to another site in a mashup will remove the tag information from the data. Currently BFlow does not allow this because the prototype preserves JavaScript's ability to send messages to the top-level frame through the FID channel. However, it should be possible to extend BFlow so that zones can read confidential data from different sites and compute on it, as long as they do not then send data to a server. This would require a way to close the FID channel after the JavaScript adds a cross-site tag to its label, and more lenient rules for sending requests to external servers.

Granularity: Currently, BFlow limits the way programmers can design their Web pages due to BFlow's coarse-grained IFC. Since BFlow only tracks data at the granularity of frames, a single untrusted browser frame cannot simultaneously handle confidential data and public data without marking the public data as confidential. In order to protect the confidential data, a BFlow application would label the frame with L = {t}, but then the public data would also be labelled with L = {t} and be unavailable to the public. This is a scenario where finer-grained information tracking [57] would help. Site developers might also have to refactor their HTML to partition data into frames to separate confidential data with different tags.

Browser Plugins: Another limitation of BFlow is that it does not apply to browser plugins. For example, BFlow does not support Flash [1] or Java [36] plugins. It may be possible to integrate BFlow-like IFC into plugins like these.
3.10.2 User Interface and Understanding Labels

Given that BFlow uses frames to do privilege separation, users might be confused that frames have different security labels and type sensitive data into frames with L = {}, which would leak the data. Web sites can help by marking frames, but BFlow does not currently provide a solution for this. Future versions of BFlow could use different user interface annotations to mark frames with label information.

When designing a label-based confidentiality scheme, reasoning about labels is not always straightforward and errors in designing a scheme can result in data leaks. BFlow does not provide assistance for using labels, but other projects have made progress in this area [21].
3.10.3 Applications

Applications for Third-Party JavaScript: As we explain in Section 3.1, most of today's Web sites do not support third-party JavaScript for security reasons. However, given BFlow, more Web sites could safely take advantage of third-party JavaScript, including widget-like extensions. Web-based email, calendar, and finance systems could support extensions such as encryption, page formatting, and layout customization. Many of the popular Greasemonkey [49] extensions could also work in a BFlow environment.

In-Browser JavaScript APIs: The example applications given in Section 3.7 do not use cross-zone messaging because those applications communicate through the server. In the future, applications may use more intra-browser messaging, as evidenced by the new JavaScript API libraries [75] that aim to ease cross-domain messaging. BFlow can provide better assurances to programmers who want to limit their exposure to such in-browser APIs; programmers would label their data differently depending on whether they want to expose it to the API or not. For example, a banking application might be willing to send information about one month's payments, but not the account balance, to a widget that graphs one month's expenses.
3.10.4 Out of Scope Attacks

There are a number of attacks for which BFlow does not offer a solution; the following challenges are left open for future work. If a malicious script with label L = {t} uses a covert channel [48] like CPU modulation to send data to a script with label L = {}, it can leak the confidential data. If a malicious script uses a phishing attack to trick a user into revealing his password, the attacker can subsequently log in as the user and read all his confidential data.

As described in Section 3.3.1, BFlow does not protect against a compromise in the servers, browsers, operating systems, or the BFlow software itself. For example, if an attacker can trick a user into installing his malicious Firefox extension, he could disable BFlow. Similarly, Web sites with weak user authentication are vulnerable in ways that BFlow does not fix. If an attacker is able to cause a trusted zone in BFlow to load and run his malicious code, then the script will act with the privileges of the trusted zone and will be permitted to leak confidential data. However, trusted zones are intended to be very carefully validated and to never run third-party code; BFlow protects data in all non-trusted zones from leaks.
3.10.5 Design Variations

Intermediate Designs: Although BFlow is meant to be backwards compatible, Web site developers might be reluctant to use all of BFlow's elements, or browser developers might be reluctant to implement the necessary browser changes to support BFlow. One direction for future work is to take BFlow's goals and try to implement them using fewer changes to the browser, server, or both. For example, it might be possible to get most of BFlow's benefits by running untrusted JavaScript within a browser sandbox with limited outgoing communication channels.

Beyond Backwards Compatibility: BFlow incorporates a number of design choices that preserve backwards compatibility with existing JavaScript and browsers; redesigning BFlow without regard for backwards compatibility would likely result in a different design. For example, to use BFlow, a Web site developer needs to partition JavaScript into different frames and protection zones depending on whether the Web site developers trust the JavaScript; developers also need to communicate between these zones using message passing. Using zones as the IFC granularity is an advantage when reusing existing browsers because browsers already provide some isolation between frames. However, if there were no legacy browsers, it might be more convenient if Web site developers did not need to partition JavaScript. Instead, BFlow could use finer-grained, language-level IFC as in systems like Jif [57] or Resin, and communication between trusted and untrusted JavaScript could use shared variables and function calls rather than message passing. Future research is necessary for a clean-slate design for untrusted third-party browser scripts, although projects like Caja [55] do show promise.
3.11 Related Work

One way to understand existing work is in two broad categories: discretionary access control (DAC), including capability-based systems and least-privilege isolation techniques, and mandatory access control (MAC), including language-based and runtime IFC.

3.11.1 Discretionary Access Control

Works like Tahoma [68], Google Chrome [33], MashupOS [80], Caja [55], and Bitfrost [63] all fit the DAC model. Tahoma isolates applications from each other using virtual machines so that even buggy browsers running malicious code cannot tamper with cookies or DOM objects in other browsers. Users can choose to share data across Web sites with explicit whitelists of all other hosts that can be contacted as the page is rendered and as the JavaScript (or other plugins) run. Thus, Tahoma offers all-or-nothing sharing at the discretion of the original Web site; it does not allow a Web site to safely give confidential data to potentially malicious scripts. The Chrome browser implements the same style of isolation between browser windows, but with process-based rather than VM-based isolation.

MashupOS proposes changes to Web browsers and servers to isolate third-party JavaScript code with more flexibility than today's browser frames and finer granularity than inlining scripts today. MashupOS proposes new HTML elements which occupy a middle ground: they allow the caller and callee to communicate, but only along well-understood channels (as opposed to across the whole DOM under the status quo). However, MashupOS has the same limitation that DAC-based operating systems have: the user (or the integrator, in MashupOS's terminology) must still decide a priori whether or not to trust a third party with sensitive data, because sandboxed scripts in MashupOS can leak data to external servers. In BFlow, untrusted scripts can decide whether to read private data at runtime.

Other works like Caja follow MashupOS's lead. Caja confines a subset of JavaScript into an object-capability model. As in MashupOS, the goal is to allow finer-grained sharing of data between cooperating browser components. Like Caja, Bitfrost allows an application writer to confine her own application so that it can only access certain operating system services. For example, the author of a single-user card game would configure the game to voluntarily, and irreversibly, give up access to the network and local storage at install time. This way, even if the card game is compromised, it cannot read confidential data from local storage and send it over the network. BFlow differs because it does not require application writers to make this choice at install time; instead the application can decide at runtime whether it needs these resources or not.
3.11.2 Mandatory Access Control

By contrast, MAC systems allow untrusted software to compute with confidential data, while preventing that software from exposing it. MAC has long been a technique at play in programming languages [18] and operating systems [11, 54, 19], which modern research [22, 89, 46, 57] suggests is practical for server-side Web applications. The same tools apply in the context of browser-based security.

The SIF system [15] uses language-based information flow control to maintain privacy constraints between browser and server, but assumes no malicious or buggy JavaScript. The Swift system [14] uses IFC to automatically split Web applications into trusted server-side Java and untrusted browser-side JavaScript. BFlow applies similar information flow analysis, but at runtime. BFlow retains a similar correctness property, that code will produce a fail-stop error instead of leaking data. While Swift only applies to JavaScript output by the Swift compiler, BFlow's reference monitor applies to all JavaScript code, such as legacy and hand-written libraries. However, BFlow does make trade-offs: firstly, it has coarser-grained security compartments (browser zones) while Swift tracks information flow per variable. Secondly, BFlow requires users to install a browser plugin and a Swift-like system would not. Using a browser plugin enables BFlow to ease the adoption burden placed on site developers at the expense of the end users.

Vogt et al. [78] also track information flow at runtime to prevent cross-site scripting attacks. However, they have limited their system to client-side changes only, and therefore cannot prevent attacks that move data back and forth between the browser and server. Spectator [50] tracks taint between browsers and servers, but its goal is to detect JavaScript worms, not to protect privacy.

Other work proposes curtailing JavaScript's power to solve traditional XSS problems. BrowserShield [67] rewrites arbitrary (potentially malicious) JavaScript to a safer core. BEEP [41] firewalls unsafe JavaScript by limiting which servers it can contact as it executes. Hallaraker et al. [39] audit JavaScript execution, and use intrusion-detection techniques to sense anomalous execution patterns. These veins of work show promise against traditional XSS attacks but do not handle data leaks which involve sending data back and forth to the origin server.

A complementary way to build Web extensions is on the server side, rather than in the browser. Facebook [26] and OpenSocial [35] give third-party developers access to server-based data, allowing them to customize and extend existing server-based features. The Menagerie [31] system presents an interface to make server data more accessible. All of these systems use discretionary security controls, requiring users to either trust or reject third-party code. W5 [47] proposes to achieve similar features with MAC, but a W5 implementation would need to solve the security challenges discussed in Section 3.3 to allow third-party server-side extensions to push unvetted JavaScript to browsers.
3.
12SummaryManyoftoday'sWebsitescurrentlyuseJavaScriptthattheymightnotunderstand,includinglargelibrariesandthird-partyextensions.
Thecombinationofthesepossiblybuggyormaliciousscriptsandcondentialdataleavesthatdataopentoattack.
BFlowisanovelbrowserbasedinformationowcontrolsystemthatallowsmostlyunmodiedlegacyJavaScripttoread,computewith,andwritecondentialdatawithouttheriskofcompromisinguserprivacy.
Chapter 4
Integrating Resin and BFlow

BFlow and Resin are independent systems, but a Web site can use them together to its advantage. As argued in Section 2.2, it is difficult for programmers to understand all the data flow paths within a complex application, yet BFlow relies on the Web site programmer to propagate IFC labels from an HTTP request to any response that is derived from that request (see Section 3.4.4). As a solution, the Web site programmer can use Resin to attach a policy object to data in an HTTP request, for each tag in the request's label. Resin will propagate the policy to variables and persistent storage. Finally, when the application prepares to send an HTTP response, it can check for policy objects on the data in the response and then attach a tag for each policy object in the response's data.
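The three steps just described, worked through as an added example. This is not code from Resin or BFlow: the classes TagPolicy, TrackedStr, Store, HttpRequest and HttpResponse, the functions label_request_data, build_response, may_flow_to and render_page, and the sample tags and request bodies are all hypothetical, constructed to show how a tag becomes a policy object, rides along with the data, and becomes a tag again on the response.

```python
# Added illustration of the Chapter 4 integration; this is not Resin or BFlow
# code, and every class and function name here is hypothetical. It models
# (1) turning each tag in a request's BFlow label into a Resin-style policy
# object attached to the request data, (2) letting the policy follow the data
# through variables and a store, and (3) deriving the response label from the
# policy objects found on the response data.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TagPolicy:
    """Hypothetical Resin-style policy object that carries one BFlow tag."""
    tag: str


class TrackedStr:
    """A string that carries the policy objects attached to it.

    Resin does this tracking inside the language runtime; here the
    propagation rule (the result of combining two strings carries the union
    of their policies) is written out explicitly in __add__ and __radd__.
    """

    def __init__(self, value: str, policies: frozenset[TagPolicy] = frozenset()):
        self.value = value
        self.policies = policies

    @staticmethod
    def _lift(other: object) -> "TrackedStr":
        return other if isinstance(other, TrackedStr) else TrackedStr(str(other))

    def __add__(self, other: object) -> "TrackedStr":
        o = self._lift(other)
        return TrackedStr(self.value + o.value, self.policies | o.policies)

    def __radd__(self, other: object) -> "TrackedStr":
        return self._lift(other) + self


@dataclass(frozen=True)
class HttpRequest:
    label: frozenset[str]   # BFlow tags on the request (constructed sample)
    body: str


@dataclass(frozen=True)
class HttpResponse:
    label: frozenset[str]   # tags derived from policies on the response data
    body: str


def label_request_data(req: HttpRequest) -> TrackedStr:
    """Step 1: attach one policy object per tag in the request's label."""
    return TrackedStr(req.body, frozenset(TagPolicy(t) for t in req.label))


class Store:
    """Persistent storage that keeps policies alongside stored values (step 2)."""

    def __init__(self) -> None:
        self._rows: dict[str, TrackedStr] = {}

    def put(self, key: str, value: TrackedStr) -> None:
        self._rows[key] = value

    def get(self, key: str) -> TrackedStr:
        return self._rows[key]


def build_response(body: TrackedStr) -> HttpResponse:
    """Step 3: label the response with one tag per policy object on its data."""
    return HttpResponse(label=frozenset(p.tag for p in body.policies), body=body.value)


def may_flow_to(resp: HttpResponse, destination_label: frozenset[str]) -> bool:
    """Label-containment check a BFlow-style monitor would apply: data may
    reach a browser zone only if that zone's label covers the data's label."""
    return resp.label <= destination_label


def render_page(store: Store, keys: list[str]) -> HttpResponse:
    """Assemble a page from stored values; policies ride along automatically."""
    page: TrackedStr = TrackedStr("")
    for k in keys:
        page = page + "<p>" + store.get(k) + "</p>"
    return build_response(page)


def demo() -> tuple[HttpResponse, HttpResponse]:
    """Constructed sample: one public value and one value tagged for alice."""
    store = Store()
    store.put("greeting", label_request_data(HttpRequest(frozenset(), "hello")))
    store.put("note:alice", label_request_data(
        HttpRequest(frozenset({"alice-private"}), "alice's note")))
    public_page = render_page(store, ["greeting"])
    mixed_page = render_page(store, ["greeting", "note:alice"])
    return public_page, mixed_page


if __name__ == "__main__":
    public_page, mixed_page = demo()
    print(sorted(public_page.label), public_page.body)
    print(sorted(mixed_page.label), mixed_page.body)
```

The page that mixes the public greeting with alice's note comes out labelled with alice's tag even though the code that built the page never mentioned labels, which is the point of delegating propagation to Resin. The may_flow_to check is the usual label-containment rule and stands in for the browser-side decision BFlow makes; the example only propagates through concatenation, whereas Resin's runtime tracks the policy across every string operation and through persistent storage.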
Chapter 5
Conclusion

Building secure Web sites today is difficult and error prone, despite the growing maturity of Web technology. Web server software continues to exhibit security vulnerabilities such as cross-site scripting, SQL injection, HTTP response splitting, data leakage, and forgotten authorization checks. Web sites use increasing amounts of JavaScript, much of which they do not write. In some cases, Web sites sacrifice data confidentiality in order to support third-party JavaScript. At a high level, these vulnerabilities are due to data flowing where it should not, and this work shows that by tracking data flows, it is possible to prevent these faulty data flows, and the vulnerabilities they cause.

5.1 Resin

Resin provides programmers with tools to convert an implicit data flow plan into an explicit data flow assertion, and then have Resin check that assertion on all data flow paths, even where the programmer may have forgotten. The assertions allow a programmer to reason about the security of the system as a whole and enforce a high-level security plan without having to worry about every possible data flow path in the bulk of the system. The contributions of Resin are the idea of a data flow assertion; a method for implementing data flow assertions using filter objects, policy objects, and data tracking; and finally, an evaluation showing that data flow assertions are concise, effective, and incrementally deployable.

5.2 BFlow

BFlow is a system that makes it possible for Web sites to incorporate untrusted JavaScript and allow the JavaScript to compute with confidential data without the risk of leaking that data. To accomplish this, BFlow adds information flow control to the browser, and to the browser-server interactions, using an in-browser reference monitor and small changes to the server. Using information flow control, BFlow determines whether untrusted JavaScript may have seen confidential data, and if so, BFlow prevents the JavaScript from leaking that data to users who lack permission to read it. The contributions of BFlow are a set of information flow control rules that govern the JavaScript communication mechanisms, a mapping from BFlow's IFC rules to the browser's existing JavaScript isolation system, and an abstraction called a protection zone that eases the deployment of existing JavaScript into BFlow. Together, these techniques allow untrusted JavaScript to read, compute with, and display confidential data without the risk of leaking that data.

5.3 Summary

This dissertation presents Resin and BFlow, two systems that can improve the state of Web security today through data tracking. We hope that programmers will adopt this work, extend it to suit their needs, and find new applications for the technology.
Bibliography

[1] Adobe. Flash. http://www.adobe.com/products/flash, January 2009.
[2] Gail Ahn, Xinwen Zhang, and Wenjuan Xu. Systematic policy analysis for high-assurance services in SELinux. In Proceedings of the 2008 IEEE Workshop on Policies for Distributed Systems and Networks, Palisades, NY, June 2008.
[3] Anne H. Anderson. An introduction to the Web services policy language (WSPL). In Proceedings of the 2004 IEEE Workshop on Policies for Distributed Systems and Networks, Yorktown Heights, NY, June 2004.
[4] Jeremy Bae. Vulnerability of uploading files with multiple extensions in phpBB attachment mod. http://seclists.org/fulldisclosure/2004/Dec/0347.html. CVE-2004-1404.
[5] Steve Barker. The next 700 access control models or a unifying meta-model? In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, Stresa, Italy, June 2009.
[6] Mike Barnett, Bor-Yuh Evan Chang, Robert DeLine, Bart Jacobs, and K. Rustan M. Leino. Boogie: A modular reusable verifier for object-oriented programs. In Proceedings of the Fourth International Symposium on Formal Methods for Components and Objects, Amsterdam, The Netherlands, November 2005.
[7] Mike Barnett, K. Rustan M. Leino, and Wolfram Schulte. The Spec# programming system: An overview. In Proceedings of the Workshop on Construction and Analysis of Safe, Secure and Interoperable Smart devices, Marseille, France, March 2004.
[8] Adam Barth, Collin Jackson, and John C. Mitchell. Securing browser frame communication. In Proceedings of the 17th USENIX Security Symposium, pages 17–30, San Jose, CA, USA, July 2008.
[9] Lujo Bauer, Jay Ligatti, and David Walker. Composing security policies with Polymer. In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 305–314, Chicago, IL, June 2005.
[10] Beautiful beta. Blogger widgets. http://beautifulbeta.blogspot.com, January 2009.
[11] David E. Bell and Leonard LaPadula. Secure computer system: Unified exposition and Multics interpretation. Technical Report MTR-2997, Rev. 1, MITRE Corp., Bedford, MA, USA, March 1976.
[12] Blogger.com. Site. http://www.blogger.com, January 2009.
[13] Walter Chang, Brandon Streiff, and Calvin Lin. Efficient and extensible security enforcement using dynamic data flow analysis. In Proceedings of the 15th ACM Computer and Communications Security Conference (CCS), pages 39–50, Alexandria, VA, October 2008.
[14] Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng. Secure Web applications via automatic partitioning. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP), pages 31–44, Stevenson, WA, October 2007.
[15] Stephen Chong, K. Vikram, and Andrew C. Myers. SIF: Enforcing confidentiality and integrity in Web applications. In Proceedings of the 16th USENIX Security Symposium, pages 1–16, Boston, MA, August 2007.
[16] CWH Underground. Kwalbum arbitrary file upload vulnerabilities. http://www.milw0rm.com/exploits/6664. CVE-2008-5677.
[17] Nicodemos Damianou, Naranker Dulay, Emil Lupu, and Morris Sloman. The Ponder policy specification language. In Proceedings of the POLICY 2001 Workshop, pages 18–38, Bristol, UK, January 2001.
[18] Dorothy E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5):236–243, 1976.
[19] Department of Defense. Trusted Computer System Evaluation Criteria (Orange Book), DoD 5200.28-STD edition, December 1985.
[20] Django Software Foundation. Django. http://www.djangoproject.com, May 2009.
[21] Petros Efstathopoulos and Eddie Kohler. Manageable fine-grained information flow. In Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems, pages 301–313, Glasgow, Scotland, March 2008.
[22] Petros Efstathopoulos, Maxwell Krohn, Steve VanDeBogart, Cliff Frey, David Ziegler, Eddie Kohler, David Mazières, Frans Kaashoek, and Robert Morris. Labels and event processes in the Asbestos operating system. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP), pages 17–30, Brighton, UK, October 2005.
[23] Emory University. Multiple vulnerabilities in AWStats Totals. http://userwww.service.emory.edu/ekenda2/EMORY-2008-01.txt. CVE-2008-3922.
[24] Dawson Engler, Benjamin Chelf, Andy Chou, and Seth Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In Proceedings of the 4th USENIX Symposium on Operating Systems Design and Implementation (OSDI), pages 1–16, San Diego, CA, October 2000.
[25] David Evans and David Larochelle. Improving security using extensible lightweight static analysis. IEEE Software, 19(1):42–51, January/February 2002.
[26] Facebook. Site. http://www.facebook.com, January 2009.
[27] David F. Ferraiolo and D. Richard Kuhn. Role based access control. In Proceedings of the 15th National Computer Security Conference, October 1992.
[28] Firefox. Add-ons. https://addons.mozilla.org/, January 2009.
[29] Flickr. Badge. http://www.flickr.com/badge.gne, January 2009.
[30] Scott Garriss, Lujo Bauer, and Michael K. Reiter. Detecting and resolving policy misconfigurations in access-control systems. In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, Estes Park, CO, June 2008.
[31] Roxana Geambasu, Cherie Cheung, Alexander Moshchuk, Steven D. Gribble, and Henry M. Levy. Organizing and sharing distributed personal Web service data with Menagerie. In Proceedings of the 17th International World Wide Web Conference, pages 755–764, Beijing, China, April 2008.
[32] Google. Gadgets. http://www.google.com/webmasters/gadgets/, January 2009.
[33] Google. Google Chrome: a new web browser for Windows. http://www.google.com/chrome, January 2009.
[34] Google. Maps API. http://code.google.com/apis/maps, January 2009.
[35] Google. OpenSocial. http://code.google.com/apis/opensocial, January 2009.
[36] James Gosling, Bill Joy, Guy Steele, and Gilad Bracha. The Java Language Specification. Addison-Wesley Professional, third edition, 2005.
[37] William G. J. Halfond and Alessandro Orso. AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. In Proceedings of the 20th ACM International Conference on Automated Software Engineering, pages 174–183, Long Beach, CA, November 2005.
[38] William G. J. Halfond, Alessandro Orso, and Panagiotis Manolios. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In Proceedings of the 2006 ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 175–185, Portland, OR, November 2006.
[39] Oystein Hallaraker and Giovanni Vigna. Detecting malicious JavaScript code in Mozilla. In Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems, pages 85–94, Shanghai, China, June 2005.
[40] Norman Hippert. phpMyAdmin code execution vulnerability. http://fd.the-wildcat.de/pmae36a091q11.php. CVE-2008-4096.
[41] Trevor Jim, Nikhil Swamy, and Michael Hicks. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the 16th International World Wide Web Conference, pages 601–610, Banff, Alberta, Canada, May 2007.
[42] Shinya Kasatani. SafeERB plugin. http://agilewebdevelopment.com/plugins/safeerb, January 2009.
[43] Douglas Kilpatrick. Privman: A library for partitioning applications. In Proceedings of the USENIX 2003 Annual Technical Conference, FREENIX track, pages 273–284, San Antonio, TX, June 2003.
[44] Eddie Kohler. Hot crap! In Proceedings of the Workshop on Organizing Workshops, Conferences, and Symposia for Computer Systems, San Francisco, CA, April 2008.
[45] Maxwell Krohn. Building secure high-performance Web services with OKWS. In Proceedings of the 2004 USENIX Annual Technical Conference, Boston, MA, June–July 2004.
[46] Maxwell Krohn, Alexander Yip, Micah Brodsky, Natan Cliffer, M. Frans Kaashoek, Eddie Kohler, and Robert Morris. Information flow control for standard OS abstractions. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP), pages 321–334, Stevenson, WA, October 2007.
[47] Maxwell Krohn, Alexander Yip, Micah Brodsky, Robert Morris, and Michael Walfish. A World Wide Web without walls. In Proceedings of the 6th ACM Workshop on Hot Topics in Networks, Atlanta, GA, USA, November 2007.
[48] Butler W. Lampson. A note on the confinement problem. Communications of the ACM, 16(10):613–615, 1973.
[49] Anthony Lieuallen, Aaron Boodman, and Johan Sundström. Greasemonkey. https://addons.mozilla.org/en-US/firefox/addon/748, June 2009.
[50] Benjamin Livshits and Weidong Cui. Spectator: Detection and containment of JavaScript worms. In Proceedings of the 2008 USENIX Annual Technical Conference, pages 335–348, Boston, MA, USA, June 2008.
[51] V. Benjamin Livshits and Monica S. Lam. Finding security vulnerabilities in Java applications with static analysis. In Proceedings of the 14th Usenix Security Symposium, pages 271–286, Baltimore, MD, August 2005.
[52] T. F. Lunt, D. E. Denning, R. R. Schell, M. Heckman, and W. R. Shockley. The SeaView security model. IEEE Transactions on Software Engineering, 16(6):593–607, 1990.
[53] Michael Martin, Benjamin Livshits, and Monica Lam. Finding application errors and security flaws using PQL: a program query language. In Proceedings of the 2005 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), pages 365–383, San Diego, CA, October 2005.
[54] M. Douglas McIlroy and James A. Reeds. Multilevel security in the UNIX tradition. Software—Practice and Experience, 22(8):673–694, 1992.
[55] Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad, and Mike Stay. Caja: Safe active content in sanitized JavaScript, 2008. http://code.google.com/p/google-caja/downloads/list.
[56] MoinMoin. The MoinMoin wiki engine. http://moinmoin.wikiwikiweb.de/, May 2009.
[57] Andrew C. Myers and Barbara Liskov. A decentralized model for information flow control. In Proceedings of the 16th ACM Symposium on Operating Systems Principles (SOSP), pages 129–142, Saint-Malo, France, October 1997.
[58] Andrew C. Myers and Barbara Liskov. Protecting privacy using the decentralized label model. ACM Transactions on Computer Systems (TOCS), 9(4):410–442, October 2000.
[59] Myphpscripts. Login session script. http://www.myphpscripts.net/sid=7, May 2009. CVE-2008-5855.
[60] Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, and David Evans. Automatically hardening web applications using precise tainting. In Proceedings of the 20th IFIP International Information Security Conference, pages 295–307, Chiba, Japan, May 2005.
[61] Osirys. wPortfolio arbitrary file upload exploit. http://www.milw0rm.com/exploits/7165. CVE-2008-5220.
[62] Osirys. myPHPscripts login session password disclosure. http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5855, May 2009.
[63] One Laptop per Child. Bitfrost. http://wiki.laptop.org/go/OLPCBitfrost, June 2009.
[64] Perldoc. Perl taint mode. http://perldoc.perl.org/perlsec.html, May 2009.
[65] phpMyAdmin. phpMyAdmin 3.1.0. http://www.phpmyadmin.net/.
[66] Tadeusz Pietraszek and Chris Vanden Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection, pages 124–145, Seattle, WA, September 2005.
[67] C. Reis, J. Dunagan, H. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI), pages 61–74, Seattle, WA, November 2006.
[68] Charles Reis, Steven D. Gribble, and Henry M. Levy. Architectural principles for safe Web programs. In Proceedings of the 6th ACM Workshop on Hot Topics in Networks, Atlanta, GA, USA, November 2007.
[69] script.aculo.us. Library. http://script.aculo.us, January 2009.
[70] Nikhil Swamy, Brian J. Corcoran, and Michael Hicks. Fable: A language for enforcing user-defined security policies. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 369–383, Oakland, CA, May 2008.
[71] The MITRE Corporation. Common vulnerabilities and exposures (CVE) database. http://cve.mitre.org/data/downloads/, May 2009.
[72] Dave Thomas, Chad Fowler, and Andy Hunt. Programming Ruby: The Pragmatic Programmers' Guide. Pragmatic Bookshelf, 2004.
[73] Michael Carl Tschantz and Shriram Krishnamurthi. Towards reasonability properties for access-control policy languages. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies, pages 160–169, Lake Tahoe, CA, June 2006.
[74] Twitter. Badge. http://twitter.com/badges/blogger, January 2009.
[75] Malte Ubl. Xssinterface: JavaScript library for secure cross browser JavaScript messaging. http://code.google.com/p/xssinterface/, January 2009.
[76] Wietse Venema. Taint support for PHP. http://wiki.php.net/rfc/taint, May 2009.
[77] John Viega, JT Bloch, and Pravir Chandra. Applying aspect-oriented programming to security. Cutter IT Journal, 14(2):31–39, February 2001.
[78] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proceeding of the 14th ISOC Network and Distributed System Security Symposium, San Diego, CA, February 2007.
[79] Thomas Waldmann. Check the ACL of the included page when using the rst parser's include directive. http://hg.moinmo.in/moin/1.6/rev/35ff7a9b1546. CVE-2008-6548.
[80] Helen J. Wang, Xiaofeng Fan, Jon Howell, and Collin Jackson. Protection and communication abstractions for Web browsers in MashupOS. In Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP), pages 1–16, Stevenson, WA, October 2007.
[81] Gary Wassermann and Zhendong Su. Sound and precise analysis of web applications for injection vulnerabilities. In Proceedings of the 2007 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 32–41, San Diego, CA, June 2007.
[82] Web Application Security Consortium. 2007 Web application security statistics. http://www.webappsec.org/projects/statistics/wascwass2007.pdf, May 2009.
[83] Yichen Xie and Alex Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the 15th USENIX Security Symposium, pages 179–192, Vancouver, BC, Canada, July 2006.
[84] Yahoo. Yahoo! Pipes. http://pipes.yahoo.com, January 2009.
[85] Yahoo. Yahoo! Weather. http://developer.yahoo.com/weather, January 2009.
[86] Alexander Yip, Neha Narula, Maxwell Krohn, and Robert Morris. Privacy-preserving browser-side scripting with BFlow. In Proceedings of the 4th ACM SIGOPS/EuroSys European Conference on Computer Systems, pages 233–246, Nuremberg, Germany, March 2009.
[87] Alexander Yip, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek. Improving application security with data flow assertions. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles (SOSP) (to appear), Big Sky, MT, October 2009.
[88] Aydan Yumerefendi, Benjamin Mickle, and Landon P. Cox. TightLip: Keeping applications from spilling the beans. In Proceedings of the 4th USENIX Symposium on Networked Systems Design and Implementation (NSDI), pages 159–172, Cambridge, MA, April 2007.
[89] Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making information flow explicit in HiStar. In Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation (OSDI), pages 263–278, Seattle, WA, November 2006.
[90] Nickolai Zeldovich, Silas Boyd-Wickizer, and David Mazières. Securing distributed systems with information flow control. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation (NSDI), pages 293–308, San Francisco, CA, April 2008.