
Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers. Prateek Saxena (UC Berkeley), Mike Samuel (Google), Dawn Song (UC Berkeley).


Slide 1: Title slide. Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers. Prateek Saxena (UC Berkeley), Mike Samuel (Google), Dawn Song (UC Berkeley).

Slide 2: Script Injection Vulnerabilities. OWASP Top Ten: 2nd in 2010 and 2011. Today they affect major web services, client-side libraries, browser extensions, and devices and smartphones.

Slide 3: Predominant Defense Practice (manual calls into a sanitizer library). Why does it fail? – Developers forget to sanitize [Pixy06, PhpTaint06, Cqual04, Merlin09, Securifly05, PhpAspis11] – Developers pick the wrong sanitizer [CCS11]. Example, forgetting to sanitize: String Div.Render() { print( ); print(userimg); print( ); } versus calling the sanitizer library: String Div.Render() { print( ); print(Sanitize(userimg)); print( ); }

Slide 4: Vision. Eliminate scripting attacks by making applications secure by construction (covering both developer code and application code).

Slide 5: Contributions. A new "push-button" defense primitive following a "security by construction" approach: Context-Sensitive Auto-Sanitization (CSAS). – New challenge: which sanitizers to place where? – Targets existing web templating frameworks. – It is practical: fast, auditable, compatible, secure. – Deployed commercially: Google Closure Templates powers Google+.

Slide 6: Web Templating Frameworks. The templating framework compiler turns template code into target-language code (Java, JS) that the application code calls. Template code: template imgRender($imgLink, $name) { print( . $name . ); return; } Application code: var o = new soy.StringBuilder(); imgRender({O: o, imglink: $_GET(extlink), name: [$_GET(name)]}); document.write(o); The template language does not have complex constructs, and it explicitly separates untrusted inputs.

Slide 7: Talk Outline. System architecture and features; challenges; the CSAS engine design; implementation; evaluation and deployment.

Slide 8: CSAS System Architecture. The compiler takes the template and emits Java or JS with instrumented auto-sanitization drawn from the sanitizer library; the application calls the compiled code. Templates the engine cannot handle produce a static error.

Slide 9: CSAS Auditability and Compatibility. The instrumented auto-sanitization emitted by the compiler (Java, JS) is easily auditable. Compatibility: – No developer involvement – Minimize static errors. The remaining goals are security and performance.

Slide 10: Security and Correctness (I). Property CSAN: Context-Sensitive Sanitization. In template ImgRender($imgLink, $name) {……………}, the values $name, $imgLink and $name are rendered in different contexts: HTML tag context, URI START context, URI PATH context, URI QUERY parameter context, HTML tag context. HtmlSanitizer and URLSanitizer must be applied according to the context. Attacks vary by context!

Slide 11: Security and Correctness (II). Property NOS: No Over-Sanitization. Sanitize only the untrusted data ($name, $imgLink, $name), not the constant strings.

Slide 12: Security Assumptions. – Canonical HTML parser, flexible enough to recognize browser differences [GWT, CTemplates]. – Correct sanitizers: extensive community effort [OWASP, HtmlPurify, GWT, Django]; research on secure sanitization primitives [Bek11, Hampi09, Min06]; already used in many frameworks.

Slide 13: Challenges. Easily auditable; compatibility; security; performance.

Slide 14: Approach #1: Context-Insensitive Sanitization. Apply the same sanitizer, HtmlEncode, to every input regardless of where it is rendered. Before: template ImgRender($imgLink, $name) { print( . $name . ); return; } After: template ImgRender($imgLink, $name) { print( . HtmlEncode($name) . ); return; } An input such as javascript: bad(); rendered in a URI context passes through HtmlEncode untouched. Security, performance, compatibility: a false sense of security!
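As an added example, not code from the paper or from Closure Templates, a toy JavaScript version of the idea in slides 10, 11 and 14: each hole's context is inferred once, at compile time, from the static HTML in front of it, the sanitizer is chosen from that context, and constants are left untouched; the HtmlEncode-only approach is included for contrast. The template format, the hole names and the about:invalid placeholder URL are assumptions.

```javascript
// Added example, not the paper's or Closure Templates' code: a toy CSAS
// compiler. Assumed template format: strings are trusted constants,
// {hole: name} entries are untrusted data filled in at render time.

function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// URI START context: keep http(s) and scheme-less URLs; any other scheme
// (javascript:, data:, ...) becomes an inert placeholder (assumed value).
// Tabs/newlines are stripped first because browsers ignore them in a scheme.
function urlSanitize(s) {
  const u = String(s).replace(/[\t\n\r]/g, '').trim();
  const scheme = u.match(/^([a-z][a-z0-9+.-]*):/i);
  return !scheme || /^https?$/i.test(scheme[1]) ? u : 'about:invalid';
}

// Property CSAN: which context does the static text `prefix` leave us in?
function contextOf(prefix) {
  const open = prefix.lastIndexOf('<');
  if (open <= prefix.lastIndexOf('>')) return 'HTML_PCDATA';   // text between tags
  const tag = prefix.slice(open);
  const m = tag.match(/\s(href|src)\s*=\s*"([^"]*)$/i);
  if (m) return m[2] === '' ? 'URI_START' : 'URI_PART';
  return (tag.match(/"/g) || []).length % 2 ? 'HTML_ATTR' : 'HTML_TAG';
}
const SANITIZERS = {
  HTML_PCDATA: htmlEncode, HTML_ATTR: htmlEncode,
  URI_START: v => htmlEncode(urlSanitize(v)),
  URI_PART: v => htmlEncode(encodeURIComponent(String(v))),
};

// Assign each hole its sanitizer statically. A hole in an unsupported
// context (HTML_TAG: tag or attribute name) is a static error, as in CSAS.
function compile(parts) {
  let prefix = '';
  const plan = parts.map(p => {
    if (typeof p === 'string') { prefix += p; return p; }   // NOS: constants untouched
    const ctx = contextOf(prefix);
    if (!SANITIZERS[ctx]) throw new Error(`static error: hole in ${ctx} context`);
    prefix += 'x';                                          // stand-in for sanitized output
    return { hole: p.hole, sanitize: SANITIZERS[ctx] };
  });
  return data => plan.map(p => typeof p === 'string' ? p : p.sanitize(data[p.hole])).join('');
}

// Approach #1 (slide 14) for comparison: HtmlEncode every hole, ignoring context.
const renderContextInsensitive = (parts, data) =>
  parts.map(p => typeof p === 'string' ? p : htmlEncode(data[p.hole])).join('');
```

With a constructed template such as `['<a href="', {hole: 'imgLink'}, '">', {hole: 'name'}, '</a>']`, compile() routes imgLink through urlSanitize while renderContextInsensitive leaves a javascript: URL in the href attribute.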

Slide 15: Approach #2: Context-Sensitive Runtime Parsing (CSRP). The output of template ImgRender($imgLink, $name) {……………} is parsed at run time to find each value's context (for example URI START context, URI Param context) before sanitizing it.

Slide 16: Rich Language Features. template ImgRender($imgLink, $name) { print( . $name . ); return; } with $name, $imgLink and $name rendered in their respective contexts.

Slide 17: Rich Language Features: Control Flow. template ImgRender($imgLink, $name) { print( . $name . ); return; } With control flow, the usage contexts of $name, $imgLink and $name are statically ambiguous: sanitization requirements vary by path!

Slide 18: Our Approach: the CSAS Engine. Untyped template → type inference with context type qualifiers → well-typed IR → compilation → compiled code.

Slide 19: Context Type Qualifiers. A context type qualifier answers: "Which contexts is a string safe to be rendered in?"

