End-to-end Protection of Web Services. Tracking. Hao Chen and Benjamin Davis UC Davis. Web services are highly attractive targets

(1)

of Web Services

with Information Flow

Tracking

H

Ch

d B j

i D i

Hao Chen and Benjamin Davis

UC Davis

MURI Final Review Briefing

June 13, 2012

Helix MURI Project -- http://helix.cs.virginia.edu



Web services are highly attractive targets



Over 60% of attacks target Web applications

O e 60% o attac s ta get eb app cat o s



Over 80% of vulnerabilities found are in Web

(2)

<h1>Latest Comment</h1>

<p>

{User Content} 3 3

</p>

<h1>Latest Comment</h1>

<p>

This is <b>great!</b>

(3)

<h1>Latest Comment</h1>

<p>

<script>

steal(document.cookie);

</script>

5 5

</script>

</p>

Application ? ? ? ? ?

(4)

Information Flow Tracking System Application   Input !! 7 7   Information Flow Tracking System Application  

(5)

Information Flow Tracking System Application   !! 9 9  !!  Information Flow Tracking System Application   !!  !!  Output !!

(6)

Information Flow Tracking System Application   !!

X

11 11  !!  !! Output

X



Language-based “taint mode”

◦

_Perl

◦

_Ruby



Adding support to language structures

◦

_{Java [Chin, Wagner 09]}

◦

_{PHP [Venema]}

(7)

Information Flow Tracking System Web Application Input Database Interface Database 13 13 Output Information Flow Tracking System Web Application Input Database Interface Database   !! Output  

(8)

Information Flow Tracking System Web Application Input Database Interface Database   15 15 Output  !!  Information Flow Tracking System Input Database Interface Database   !!

(9)

Information Flow Tracking System Web Application Input Database Interface Database   !! 17 17 Output   Information Flow Tracking System Web Application Input Database Interface Database   ? Output  

(10)

Information Flow Tracking System Web Application Input Database Interface Database   ? 19 19 Output   Information Flow Tracking System Input Database Interface Database   ?

(11)



What if you have multiple applications?



How to treat data from the database?

o to t eat data o t e database

◦

_{All tainted -> false positives}

◦

_{All untainted -> false negatives}

◦

_{Require manual annotation?}

◦

_{Application-specific decisions?}

21



Taint tracking through the entire system

◦

_{[Asbestos, 05]}

◦

_{[HiStar, 06]}



Implemented in

◦

_Hardware

◦

_OS

◦

_VMM/emulator

(12)

Web Application Input Database Interface Database !! 23 23 Output Input Database Interface Database

(13)

Web Application Input Database Interface Database !! 25 25 Output Web Application Input Database Interface Database Output

(14)



Low level/fine granularity

◦

_{Hardware mechanism [Suh, Lee, Devadas 04]}

◦

_{Minos [Crandall, Chong, 04]}



Lacks high-level database semantics

◦

_{Aggregate functions}

◦

_{Comparisons, SELECT DISTINCT}

27



End-to-end taint tracking

◦

_{Across Web applications and databases}



Leverage existing single-application

information flow tracking engines



Compatible with existing Web services

(15)

DB Interface W b A li i Database Engine SQL 29 29 Web Application DBT i DB Interface W b A li i Database Engine SQL DBTaint Web Application

(16)



Store taint data in database composite types

◦

_{Tuple of form: (<value>, <taint_value>)}



Store/retrieve taint values via SQL

◦

_{No additional mechanisms needed in the database}

◦

_{No change to underlying database data structures}

Id Status (19 0) (‘ l d’ 1) Id Status 19 ‘ l d’ 31 31 (19, 0) (‘closed’, 1) (27, 0) (‘open’, 1) (32, 0) (‘pending, 1) 19 ‘closed’ 27 ‘open’ 32 ‘pending’

Before DBTaint With DBTaint



Create functions that operate on composite

types

yp

◦

_{Comparison operators (=, !=, <, …)}

◦

_{Arithmetic operations (+, -, …)}

◦

_{Text operations (upper, lower, …)}

◦

_{Aggregate functions (MAX, MIN, SUM, …)}

(17)



Arithmetic operations

(4 0) + (5 1) (9 ?)

(4, 0) + (5, 1) = (9, ?)

33 33 

Arithmetic operations

(4 0) + (5 1) (9 ?)

(4, 0) + (5, 1) = (9, ?)

untainted tainted

(18)



Arithmetic operations

(4 0) + (5 1) (9 1)

(4, 0) + (5, 1) = (9, 1)

untainted tainted tainted

35



MAX

{(2 0) (3 1) (5 0)} = (5 ?)

{(2, 0), (3, 1), (5, 0)} = (5, ?)

(19)



MAX

{(2 0) (3 1) (5 0)} = (5 ?)

{(2, 0), (3, 1), (5, 0)} = (5, ?)

untainted tainted untainted

37



Untainted: trusted source

◦

_{Web application defaults}

◦

_{Values generated entirely by the Web application}



Tainted: from untrusted source, or unknown

◦

_{User input}



Explicit information flow

b

d l

l f



Database returns untainted value only if

(20)



MAX

{(2 0) (3 1) (5 0)} = (5 ?)

{(2, 0), (3, 1), (5, 0)} = (5, ?)

39



MAX

{(2 0) (3 1) (5 0)} = (5 0)

{(2, 0), (3, 1), (5, 0)} = (5, 0)

(21)



Equality

(3 0)

?

(3 1)

(3, 0) = (3, 1)

untainted tainted

?

41 41 

Equality

3

3 3 == 3

(22)



Equality

(3 0)

(3 1)

(3, 0) == (3, 1)

untainted tainted

43



Adopt notion of backwards-compatibility

[Chin, Wagner 09]

43 

MAX

{(5 1) (5 0)} (5 ?)

{(5, 1), (5, 0)} = (5, ?)

untainted tainted

(23)



MAX

{5 5} 5

{5, 5} = 5

45 45 

MAX

{5 5} 5

{5, 5} = 5

OR

(24)



MAX

{(5 1) (5 0)} (5 ?)

{(5, 1), (5, 0)} = (5, ?)

OR

47 47 

MAX

{(5 1) (5 0)} (5 0)

{(5, 1), (5, 0)} = (5, 0)

(25)

DB Interface Database Table Id Status 19 ‘closed’ 27 ‘open’ 32 ‘ di ’ 49 49 WebApp 32 ‘pending’

DB Interface Database Table

x = DB.get(id=27) Id₁₉ Status_‘closed’

27 ‘open’

32 ‘ di ’

WebApp

(26)

DB Interface Database Table x = DB.get(id=27) Id₁₉ Status_‘closed’

27 ‘open’ 32 ‘ di ’ 51 51 WebApp 32 ‘pending’

(27)

DB Interface Database Table x = “open” Id Status 19 ‘closed’ 27 ‘open’ 32 ‘ di ’ 53 53 WebApp 32 ‘pending’ DBTaint

Id Status (19, 0) (‘closed’, 1) (27, 0) (‘open’, 1) (32 0) (‘pending 1) DBTaint WebApp (32, 0) (‘pending, 1)

(28)

DBTaint Database Table Id Status (19, 0) (‘closed’, 1) (27, 0) (‘open’, 1) (32 0) (‘pending 1) x = DB.get(id=27) DB Interface DBTaint 55 55 WebApp (32, 0) (‘pending, 1) DBTaint Database Table

Rewritten query Id Status

(19, 0) (‘closed’, 1) DB Interface

(29)

DBTaint

Database Table

Result tuples Id Status

(19, 0) (‘closed’, 1) (27, 0) (‘open’, 1) (32 0) (‘pending 1) DB Interface DBTaint 57 57 WebApp (32, 0) (‘pending, 1) DBTaint Database Table Id Status (19, 0) (‘closed’, 1) (27, 0) (‘open’, 1) (32 0) (‘pending 1) DB Interface DBTaint Collapse tuples and taint appropriatel y WebApp (32, 0) (‘pending, 1) y

(30)

DBTaint Database Table x = “open” // x is tainted Id Status (19, 0) (‘closed’, 1) (27, 0) (‘open’, 1) (32 0) (‘pending 1) DB Interface DBTaint 59 59 WebApp (32, 0) (‘pending, 1)



Account for composite types in SQL queries



Collapse and taint result tuples as needed

Co apse a d ta t esu t tup es as eeded



These changes are:

◦

_{Transparent to web application}

◦

_{High-level, portable}

(31)



Parameterized queries



Prepare:

epa e

◦

_{INSERT … (id, status) VALUES (?, ?)}

◦

_Execute

◦

_{(27, ‘open’)}

61 61 

Parameterized queries



Prepare:

epa e

◦

_{INSERT … (id, status) VALUES (?, ?)}

◦

_{// with DBTaint:}

(32)



Parameterized queries



Prepare:

epa e

◦

_{INSERT … (id, status) VALUES (?, ?)}

◦

_{// with DBTaint:}

◦

_{INSERT … (id, status) VALUES (}

_{ROW(?, ?)}

_,

_{ROW(?, ?)}

₎

◦

_Execute

(27 ‘

’) // 27 i

t i t d ‘

’ i t i t d

63

◦

_{(27, ‘open’) // 27 is untainted, ‘open’ is tainted}

◦

_{// with DBTaint:}

◦

_(27,

₀

_{, ‘open’,}

₁

₎



Prepare phase:

◦

_{Queries are passed with placeholders for data}



Execute phase:

◦

_{Data values are passed separately, independently}



Taint tracking engine requirement:

(33)



Leverage existing single-application

information flow tracking systems

g y



No changes to Web application

DBTaint 65 65 DB Interface Web Application Single-application information flow 