A Data-Centric Web Application Security Framework

Jonathan Burket, Patrick Mutchler, Michael Weaver,

Muzzammil Zaveri, and David Evans

University of Virginia

http://guardrails.cs.virginia.edu

GuardRailsGuardRails

2

Web applications are easier to create

than ever!

3

Securing web applications is

not nearly as easy!

4

5 6

7

“><script>alert(document.cookie);</script>

8

9 10

11

Application

Page A

Page B

Page C

Page D

Data ObjectRead

12

Application

Page A

Page B

Page C

Page D

Data ObjectRead

Output HTML

Data

Object

13

Application

Page A

Page B

Page C

Page D

Data ObjectRead

Output HTML

Data

Object

14

Application

Page A

Page B

Page C

Page D

Data ObjectRead

Proxy that Enforces

Security Policies

15

Application

Page A

Page B

Page C

Page D

Data ObjectRead

Output HTML

Data

Object

Proxy that Enforces

Security Policies

Our Philosophy

16

Security policies should be

attached to the data

Security policies should be

enforced automatically

17

Annotated Ruby

on Rails Code

Secure Ruby on

Rails CodeGuardRails

Design Goals

Top Priority:

Automatically enforce security policies

Other Objectives:

Preserve application functionality

Easy for developers to use

Lesser Goals:

Minimize performance cost

18

19

Annotated Ruby

on Rails Code

Secure Ruby on

Rails CodeGuardRails

Access Control Policies

Fine Grained Taint-Tracking

20

Annotated Ruby

on Rails Code

Secure Ruby on

Rails CodeGuardRails

Access Control Policies

Fine Grained Taint-Tracking

21

if include_subprojects && !active_children.empty?

ids = [id] + active_children.collect {|c| c.id}

conditions = ["#{Project.table_name}.id IN

(#{ids.join(',')})"]

22

if include_subprojects && !active_children.empty?

ids = [id] + active_children.collect {|c| c.id}

conditions = ["#{Project.table_name}.id IN

(#{ids.join(',')})"]

23

if include_subprojects && !active_children.empty?

ids = [id] + active_children.collect {|c| c.id}

conditions = ["#{Project.table_name}.id IN

(#{ids.join(',')}) AND

#{Project.visible_by}"]

24

25

application_helper.rb

4 Checks

project.rb

2 Checks

projects_controller.rb

3 Checks

acts_as_searchable.rb

1 Checks

# @ :read, :self,

lambda{|user|self.is_public

or user.memberships.include? self.id}

# @ :read, lambda{|user| self.is_public

or user.memberships.include? self.id}

class Project < ActiveRecord::Base

# Project statuses

STATUS_ACTIVE = 1…

1 GuardRails Annotation

In Project model file:

Access Control Policy Annotations

# @ (policy_type, [target], [handler], mediator)

# @ :delete, :self, :admin

# @ :write, :password, lambda{|user|user.id == self.id }

# @ :append, :members, lambda{|user| user.belongs_to?(self)}

26

27

Annotated Ruby

on Rails Code

Secure Ruby on

Rails CodeGuardRails

Access Control Policies

Fine Grained Taint-Tracking

Dynamic Taint Tracking

Protects against injection attacks

28

“SELECT profile FROM users WHERE username=‘” + user_name + “’”

“User: <a href=‘profile_page’>” + user_name + “</a>”

Good: user_name = “jazzFan26”

Bad: user_name = “’; DROP TABLE users--”

Good: user_name = “DrKevinPhillips”

Bad: user_name = “<script language=‘javascript’>

alert(‘document.cookie’);</script>”

SQL Injection:

Cross-Site Scripting:

29 30

Application

Page A

Page B

Page C

Page D

Data ObjectRead

31

Application

Page A

Page B

Page C

Page D

Data ObjectRead

Output HTML

Data

Object

Taint Propagation

32

ModelController

Database

Data Taint

Status

View

URL Parameters

Form Data

Other User Input

Tainted HTML

SanitizationSafe HTML

Expressive Taint Status

“<a href=‘profile?id=184392’><evil>SoccerFan1985</evil></a>”

“<a href=“profile?id=184392”><evil>SoccerFan1985</evil></a>”

StringValue:

Taint:

Character

Index

29

51

55

<Transformer::Identity>

<Transformer::Default>

<Transformer::Identity>

Different

Chunks

33

Transformers

{:HTML => {

“//script” => NoDisplay,

:default => NoHTMLAllowed

},

:SQL => SQLSanitize,

:Ruby_eval => NoDisplay}

The Default Transformer

Use Context

Appropriate Sanitization Routine

34

Transformers

Raw String

Chunk 1Transformer 1

Raw String

Chunk 2Transformer 2

Raw String

Chunk 3Transformer 3

Use Context

Sanitized Chunk

Sanitized Chunk

Sanitized Chunk

Sanitized String

35

Transformer Annotations

36

# @ :taint, :username,

{:HTML => AlphaNumericOnly}

# @ :taint, :full_name,

{:HTML =>

{TitleTag => LettersAndSpacesOnly,

:default => NoHTML}}

# @ :taint, :profile,

{:HTML =>

{"//script” => Invisible,

:default => BoldItalicUnderlineOnly}}

# @ taint, target, transformer

37 38

39

Test Application Application Type

Image Gallery

(680 lines)

E-Commerce

(5556 lines)

Project Management

(30747 lines)

E-Commerce

(11561 lines)

40

Performance Notes

41

10.7

0

1

2

3

4

5

6

7

Onyx Redmine PaperTracks

Re

lati

ve

Tra

nsa

ctio

n T

ime

(N

orm

ali

zed

)

Original Application

Access Control Only

Taint Tracking Only

Full System

Try GuardRails

Alpha Release Now Available!

Our Web Page: http://guardrails.cs.virginia.edu

Full source code can be downloaded from GitHub

Contact Info: guardrails@cs.virginia.edu

42

Questions?

Alpha Release Now Available!

Our Web Page: http://guardrails.cs.virginia.edu

Full source code can be downloaded from GitHub

Contact Info: guardrails@cs.virginia.edu

43