Presentation is loading. Please wait.

Presentation is loading. Please wait.

Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.

Published byEleanore Mosley Modified over 8 years ago

Similar presentations

Presentation on theme: "Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities."— Presentation transcript:

1 Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications 1

2 2 Outline 1. Introduction 2. Web Application Security Architecture 3. Authentication Inference 4. Authorization Enforcement 5. Implementation 6. Experimental Results 7. Conclusion 2

3 3 1. Introduction web application deploys its own authentication & access control FS & DB layers perform operations with the privileges of the web application –Not user no defensive tools exist to automatically prevent 3

4 4 Nemesis modify library and interpreter –shadow authentication –taint, track the flow & string compare & IO do not require the behavior of the application to be modified 4

5 5 2. Web Application Security Architecture Authentication: –user input –performs an authentication check, ensure –validated, creates a login session for the user Access Control attacks: execute server side operations which might not be authorized to perform 5

6 6 6

7 7 3. Authentication Inference infer when authentication has occurred shadow authentication system –ensure the authentication steps require developer to provide “annotation” –where pass and name stored –external function 7

8 8 Dynamic Information Flow Tracking DIFT tag each data –“credential” taint bit –“user input” taint bit perform taint propagation in the language interpreter –source operand tainted, destination tainted 8

9 9 2 taint tag bits “credential” taint bit: data item represents a known-good password or other credential “user input” taint bit: data item was supplied by the user as part of the HTTP request Nemesis propagates both taint 9

10 10

11 11 Nemesis ACL Enforce: –Intercept I/O operations to enforce file ACLs –Intercept, rewrite SQL queries to enforce DB ACLs DIFT: –2 tag bits per object to track credentials and taint Tag propagation on all operations –Automatic inference of authentication checks 11

12 12 Creating a New Login Session data tagged as “user input” compare to data tagged as “credentials” using string (in)equality operators User input password matches the one stored in the password DB infer user authentication auth function 12

13 13 keep Login Session use an entirely separate session management framework shadow cookie: private key 13

14 14 4. Authorization Enforcement access control rules (ACL) developer supply ACL for file, dir, & DB ACL check : current shadow authenticated user is permitted to execute the operation 14

15 15 Restrict the access of file, directory or DB Little programmer effort required Intercept the IO operation 15

16 16 Against SQL injection (to..) Rewrite the SQL query & add the 3 rd bit in zval denote user input that may be interpreted as a SQL keyword or operator SQL quoting functions clear this tag bit –mysql_real_escape_string() 16

17 17 5. Implementation implement a prototype of Nemesis by modifying the PHP interpreter zval Due to alignment restrictions, the zval structure has a few unused bits 17

18 18 Tag Initialization Any input is tainted with the ’user input’ bit set a global variable to store the candidate username associated with the password shadow authentication system uses this candidate username to initialize the shadow cookie setcookie() 18

19 19 Password Comparison Authentication Inference performed by modifying the PHP interpreter’s string comparison operators perform a check to see if the two string operands were determined to be equal equal & A:“credential”, B:”user input”  succeed 19

20 20 Authentication check check the global variable that indicates the current shadow authenticated user not set: check if shadow authentication information is stored in the current session file Check shadow authentication cookie (extract) 20

21 21 Access control check checking the current authenticated user against a list of accessible files on each file access manually inserted these checks into applications based on the ACL 21

22 22 6. Experimental Results 22

23 23 authentication bypass: shadow authentication is not affected installation script will reset the administrator password: restricted by ACL 23

24 24 7. Conclusion novel methodology for preventing authentication & access control bypass shadow authentication system: track user authentication state by an additional HTTP cookie Programmers can specify ACL lists Little effort( < 100 LoC) 24

Download ppt "Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities."

Similar presentations

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.

Type-based Taint Analysis for Java Web Applications Wei Huang, Yao Dong and Ana Milanova Rensselaer Polytechnic Institute 1.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009.

Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.

SQL-Injection attacks Damir Lizdek & Dan Rundlöf Language-based security.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
 2004 Prentice Hall, Inc. All rights reserved. Chapter 25 – Perl and CGI (Common Gateway Interface) Outline 25.1 Introduction 25.2 Perl 25.3 String Processing.

 2004 Prentice Hall, Inc. All rights reserved. Chapter 25 – Perl and CGI (Common Gateway Interface) Outline 25.1 Introduction 25.2 Perl 25.3 String Processing.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
PHP Security.

PHP Security.
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
SQL INJECTION COUNTERMEASURES &

SQL INJECTION COUNTERMEASURES &

Similar presentations

Ads by Google