Presentation is loading. Please wait.

Presentation is loading. Please wait.

Summary on S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications William Ng Northwestern University Modified slides.

Published byBathsheba Bishop Modified over 9 years ago

Similar presentations

Presentation on theme: "Summary on S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications William Ng Northwestern University Modified slides."— Presentation transcript:

1 Summary on S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications William Ng Northwestern University Modified slides from presentation of Prateek Saxena UC Berkeley

2 Sanitization in WebApplication Small-Scale Apps Buggy Sanitizer Missing Sanitization – [ Pixy’06, PhpTaint’06,Cqual’04, Merlin’09,Securifly’05, PhpAspis’11, Saner’08, Bek’11 ] Large-Scale Applications 2 String Img.RenderControl() { Write(userimg); } String Img.RenderControl() { Write(Sanitize(userimg)); } New Sanitization Errors – [ CCS’11 ] S CRIPT G ARD

3 Error #1: Context-Mismatched Sanitization(CMS) 3

4 4

5 Why Does Context-Mismatch Happen? 5 Output Sink San Context is a Global Path-Sensitive Property But, developers select Sanitizers Locally

6 6 1,207 (4.7%) are CMS errors! Error #1: Context-Mismatched Sanitization(CMS)

7 Error #2: Inconsistent Multiple Sanitization(IMS) 7 Output Sink San 1 San 2 Attack Input Safe? San 1 San 2

8 Inconsistent Multiple Sanitization(IMS): How does it happen? 8 EcmaScriptStringEncode – transforms all characters that can break out of JavaScript string literals (like the “ character) to Unicode encoding \u0022 for “) HtmlAttribEncode - encodes characters (" for “)

9 Inconsistent Multiple Sanitization(IMS): How does it happen? 9 Document.write(“ ”) Document.write(" ")

10 Inconsistent Multiple Sanitization(IMS): How does it happen? 10 Document.write(" ") Big problem if xyz is);Onclick… Document.write(“ ’)

11 11 285 (8%) of multiple sanitizations are errors! Inconsistent Multiple Sanitization(IMS): Does it Really Happen?

12 S CRIPT G ARD Architecture 12

13 S CRIPT G ARD Analysis 13 1.Trace dynamic execution of application on test inputs 2.Identify all untrusted data embedded in application’s output 3.Map application trace to static program path 4.Map untrusted trace to the correct sequence of sanitizer to apply 5.Find out which part of string needs to be sanitized through positive taint analysis 6.If sequence doesn’t match, it add the correct sequence to sanitization cache

14 S CRIPT G ARD Analysis 14 1.Trace dynamic execution of application on test inputs 2.Identify all untrusted data embedded in application’s output 3.Map application trace to static program path 4.Map untrusted trace to the correct sequence of sanitizer to apply 5.Find out which part of string needs to be sanitized through positive taint analysis 6.If sequence doesn’t match, it add the correct sequence to sanitization cache

15 Positive Taint analysis 15 X = Untrusted input Z = unknown source A = safe input Y = X cZ = sanitize (Z) Write(X,Y,Z,A,cZ) Normal taint analysis kept track how the untrusted variable is used in the program, e.g. X, Y Positive taint analysis kept track of the safe data, e.g. A and cZ ScriptGard marks portion of server output which is not positively tainted e.g. X, Y, Z ScriptGard also records sequence of propagator and sanitizer applied

16 S CRIPT G ARD Runtime Auto-Correction 16 1.Apply the correct sanitizer sequence from the cache if analysis is done on the path 2.Administrator choice if analysis is not done on the path yet

17 S CRIPT G ARD : Performance Time to load first byte from URL increase by more than 100 times. Preferential path profiling can slightly reduce the overhead. 17

18 Questions? 18

Download ppt "Summary on S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications William Ng Northwestern University Modified slides."

Similar presentations

Chapter 6 Server-side Programming: Java Servlets

Chapter 6 Server-side Programming: Java Servlets
Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.

THE BROKEN WEB A Systematic Analysis of XSS Sanitization in Web Application Frameworks.
Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.

Part 2 Authors: Marco Cova, et al. Presented by Brett Parker.
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Bookshelf.EXE - BX A dynamic version of Bookshelf –Automatic submission of algorithm implementations, data and benchmarks into database Distributed computing.

Bookshelf.EXE - BX A dynamic version of Bookshelf –Automatic submission of algorithm implementations, data and benchmarks into database Distributed computing.
CSC1016 Coursework Clarification Derek Mortimer March 2010.

CSC1016 Coursework Clarification Derek Mortimer March 2010.
S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.

S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.
ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.

ReferencesReferences DiscussionDiscussion Vulnerability Example: SQL injection Auditing Tool for Eclipse LAPSE: a Security Auditing Tool for Eclipse IntroductionIntroductionResultsResults.
1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.
Python and Web Programming

Python and Web Programming
Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from

Sound and Precise Analysis of Web Applications for Injection Vulnerabilities Gary Wassermann and Zhendong Su UC Davis Slides from
Escaping Characters document.write(). Learning Objectives By the end of this lecture, you should be able to: – Recognize some of the characters that can.

Escaping Characters document.write(). Learning Objectives By the end of this lecture, you should be able to: – Recognize some of the characters that can.
From legacy desktop application to Single Page Application By Jens Munk Freelance consultant.

From legacy desktop application to Single Page Application By Jens Munk Freelance consultant.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Streams, Files. 2 Stream Stream is a sequence of bytes Input stream In input operations, the bytes are transferred from a device to the main memory Output.

Streams, Files. 2 Stream Stream is a sequence of bytes Input stream In input operations, the bytes are transferred from a device to the main memory Output.
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,

Automatic Creation of SQL Injection and Cross-Site Scripting Attacks 2nd-order XSS attacks 1st-order XSS attacks SQLI attacks Adam Kiezun, Philip J. Guo,
Sophia Antipolis, September 2006 Multilinguality, localization and internationalization Miruna Bădescu Finsiel Romania.

Sophia Antipolis, September 2006 Multilinguality, localization and internationalization Miruna Bădescu Finsiel Romania.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

Similar presentations

Ads by Google