SilverLine: Preventing Data Leaks from Compromised Web Applications
Yogesh Mundada, Anirudh Ramachandran, Nick Feamster (Georgia Tech)
Appeared in the Annual Computer Security Applications Conference (ACSAC) 2013
Data Breach Incidents
- Sony data breach (SQL injection, 2011)
- Citibank (web application vulnerability, 2012)
- Twitter (2013)
- Adobe (2013)
90% of data leakages occur at the server; 95% of those leaks result from external attacks.
Common Server-Side Vulnerabilities (Open Web Application Security Project)
- Injection attacks
- Broken authentication and session management
- Insecure direct object references
- Security misconfiguration
- Vulnerable components and libraries
Current Protection Mechanisms
- Penetration testing
- Automated code review
- Application firewalls
- Data loss prevention devices
Shortcomings
- No protection against zero-day attacks
- Once the application is compromised, none of them can stop data theft
The alternative taken here: focus on protecting the data, rather than the underlying system
Design Goals
- Security: decouple data protection from the application
- Deployment: minimize changes to existing applications
- Performance: minimize overhead
SilverLine Design Non-Goals (out of scope)
- Kernel-level vulnerabilities
- Covert channels
- Malicious software on the database
- Insider threats
- Data modification attacks
SilverLine Overview
Step #1: Tag sensitive data
Step #2: Associate user with session
Step #3: Retrieve data with taints
Step #4: Track data
Step #5: Declassify response
SilverLine Components
- Authentication module
- Database proxy
- Information flow monitor
- Declassifier
SilverLine Architecture
[Figure: architecture diagram. Trusted realm: an authentication node (user authentication module with the User-Auth, User-Sessions and Connection-Capabilities tables) and a database node (database proxy process with a query parser process and a Query RegEx table, in front of the web application database). Untrusted realm: the web server, behind a firewall, running the webserver process on top of an information-flow-tracking kernel. Numbered flow in the figure: 1. user sends login request; 2. authenticate user; 3. authenticate; 4. cookies; 5. 5-tuple taints; 6. execute query; 12. query results; 15. check session permissions; 16. return response.]
Step #1: Initial Configuration
- Identify and mark sensitive tables
- Find the unique user key
- Find foreign keys
- Find table groups
- Find tables to monitor for INSERT queries
- Create a taint-storage table for each group
Step #1: Configuration Example

User table
  User-ID  Name        Transact-ID
  1        John Smith  100
  2        Jane Doe    200

Transaction table
  Transact-ID  Transact-no  Item
  200          37           DVD
  200          38           PHONE
  100          89           BRUSH

User-Taint table (taint storage for the User group)
  User-ID  Taint
  1        'A'
  2        'B'

Transact-Taint table (taint storage for the Transaction group)
  Transact-ID  Taint
  100          'A'
  200          'B'

Original query:
  SELECT Name FROM User WHERE User-ID = '2'
Rewritten to retrieve the taint together with the data:
  SELECT Name, Taint FROM User u, User-Taint ut
  WHERE User-ID = '2' AND u.User-ID = ut.User-ID

Original query:
  SELECT Item FROM Transaction WHERE Transact-ID = '200' AND Transact-no = '37'
Rewritten:
  SELECT Item, Taint FROM Transaction t, Transact-Taint tt
  WHERE Transact-ID = '200' AND Transact-no = '37' AND t.Transact-ID = tt.Transact-ID
Step #2a: Authenticate User
[Figure: the architecture diagram again, now with a declassifier process on the web server beside the information-flow-tracking kernel. Highlighted flow: 1. user sends login request; 2. the web server passes the authentication to the authentication node.]
Step #2b: Decide Session Capability
[Figure: authentication-node detail, trusted realm, with the User-Auth, User-Sessions and Connection-Capabilities tables.]
2. Authenticate {username, password}
3. Verify the credentials against the User-Auth table and authenticate
4. Store {Cookie1, User1} in the User-Sessions table; on later requests the cookie is verified against this table
5. Store {SIP:SP-DIP:DP-Prot, Taint1} in the Connection-Capabilities table: the 5-tuple of the user's connection is granted the user's taint, which is the capability the declassifier checks against later
Step #3: Retrieve Taints with Data
[Figure: the architecture diagram again. Highlighted flow: 3. authenticate; 4. cookies returned to the user; 5. 5-tuple taints recorded in the Connection-Capabilities table; 6. the webserver process executes a query against the database proxy.]
Step #3: DB Proxy Operation
[Figure: database-node detail, trusted realm: database proxy process, query parser process, Query RegEx table, Connection-Taints table and the web application database.]
6. Execute the query received from the web server
7. Match the query against the stored regular expressions
8. If no stored expression matches, parse the query and generate a regular expression for it
9. Store the query together with its taint-retrieving version
10. Execute the data + taint retrieval query
11. Store {5-tuple, Taint} in the Connection-Taints table
12. Return the results to the web server
Step #3: Apply Taint to Connection
[Figure: database server detail, with the database proxy in front of the user and user_taints tables.]

user table
  UserID  Username  SSN
  1       Alice
  2       Bob

user_taints table
  UserID  Taint
  1       0xABCDEF
  2       0x

Data query from the web application:
  SELECT name from user WHERE UserID=1
Query modified by the proxy:
  SELECT name, taint from user u, user_taints ut WHERE UserID=1 and u.UserID=ut.UserID
Query result returned to the web application: 1 Alice
Taint applied to the network connection: 0xABCDEF
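The query rewriting of Steps #1 and #3 (the configuration example above and the proxy's modified query), as an added Python model; this is example code, not SilverLine's own proxy, which is written in Lua. The table names user/user_taints and transactions/transaction_taints, the TAINT_TABLES mapping, the sqlite3 back end, the sample rows (including the SSN values and Bob's taint) and the 5-tuple are all constructed for the example. One design choice differs from the slide's query: the original statement is wrapped in a subquery and then joined with the group's taint-storage table, which leaves the application's WHERE clause untouched and avoids an ambiguous reference to the key column once both tables are in scope.

```python
import re
import sqlite3

# Output of Step #1, as a hypothetical configuration for this example:
# sensitive table -> (taint-storage table of its group, key column the two share).
TAINT_TABLES = {
    "user": ("user_taints", "UserID"),
    "transactions": ("transaction_taints", "TransactID"),
}

# Only simple single-table SELECTs are rewritten; anything else is passed through
# unchanged and carries no taint (a simplification of the slide's regex table).
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>\*|[\w\s,]+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def rewrite_query(sql):
    """Return (sql_to_run, tainted). When tainted is True the last result column is Taint."""
    m = SELECT_RE.match(sql)
    if not m or m["table"].lower() not in TAINT_TABLES:
        return sql, False
    taint_table, key = TAINT_TABLES[m["table"].lower()]
    cols = [c.strip() for c in m["cols"].split(",")]
    outer_cols = ", ".join("t.*" if c == "*" else f"t.{c}" for c in cols)
    inner = f"SELECT * FROM {m['table']}"
    if m["where"]:
        inner += f" WHERE {m['where']}"  # original predicate kept verbatim
    # Wrapping the original query keeps its WHERE clause untouched and avoids an
    # ambiguous reference to the key column once the taint table is joined.
    rewritten = (
        f"SELECT {outer_cols}, tt.Taint FROM ({inner}) AS t "
        f"JOIN {taint_table} AS tt ON t.{key} = tt.{key}"
    )
    return rewritten, True


class DatabaseProxy:
    """Sits between the web server and the database (Step #3, items 6 to 12)."""

    def __init__(self, conn):
        self.conn = conn
        # The Connection-Taints table: client 5-tuple -> taints seen on that connection.
        self.connection_taints = {}

    def execute(self, five_tuple, sql):
        sql_to_run, tainted = rewrite_query(sql)
        rows = self.conn.execute(sql_to_run).fetchall()
        if not tainted:
            return rows
        # Record the taints against the connection (item 11) so the IFT kernel can
        # tag the receiving process, then strip the Taint column from the data.
        self.connection_taints.setdefault(five_tuple, set()).update(r[-1] for r in rows)
        return [r[:-1] for r in rows]


def build_sample_db():
    """Constructed sample data for the example (SSNs and Bob's taint are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE user (UserID INTEGER, Username TEXT, SSN TEXT);
        CREATE TABLE user_taints (UserID INTEGER, Taint TEXT);
        CREATE TABLE transactions (TransactID INTEGER, TransactNo INTEGER, Item TEXT);
        CREATE TABLE transaction_taints (TransactID INTEGER, Taint TEXT);
        INSERT INTO user VALUES (1, 'Alice', '111-22-3333'), (2, 'Bob', '444-55-6666');
        INSERT INTO user_taints VALUES (1, '0xABCDEF'), (2, '0x123456');
        INSERT INTO transactions VALUES (200, 37, 'DVD'), (200, 38, 'PHONE'), (100, 89, 'BRUSH');
        INSERT INTO transaction_taints VALUES (100, '0xABCDEF'), (200, '0x123456');
        """
    )
    return conn


def demo():
    proxy = DatabaseProxy(build_sample_db())
    # Hypothetical 5-tuple of the web server's connection to the proxy.
    conn_id = ("10.0.0.5", 41234, "10.0.0.9", 3306, "tcp")
    names = proxy.execute(conn_id, "SELECT Username FROM user WHERE UserID = 1")
    items = proxy.execute(
        conn_id, "SELECT Item FROM transactions WHERE TransactID = 200 AND TransactNo = 37"
    )
    return names, items, proxy.connection_taints[conn_id]


if __name__ == "__main__":
    print(demo())  # ([('Alice',)], [('DVD',)], {'0xABCDEF', '0x123456'})
```

Two queries on one connection accumulate two taints on it, which is exactly what the Connection-Taints entry has to carry: the process that reads these results inherits both, and the declassifier will later compare that set against the capability of the client session.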
Step #4: Track Data
[Figure: the architecture diagram again. Highlighted flow: 12. query results return to the web server, where the information-flow-tracking kernel tags the receiving process with the connection's taints.]
Step #4: Information Flow Tracking
- Per-process taint records
- Monitors system calls:
  – IPC {send, shmat, kill}
  – File/device operations {read, unlink}
  – Process management {fork, execve}
  – Memory {mmap}
  – Kernel configuration {sysctl}
- Taints transfer with every information exchange
- A networked "connection-taints" database transfers taints across machines
Step #5: Declassification
[Figure: the architecture diagram again. Highlighted flow: the webserver process hands the response to the declassifier process, which 15. checks the session's permissions, i.e. the taints carried by the response against the Connection-Capabilities entry for the client's 5-tuple, and 16. returns the response to the user only if every taint is permitted.]
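Steps #2, #4 and #5 end to end, as an added Python model that is not SilverLine's own code (the real tracker is 8,000 lines of kernel C and the tables live in Redis): the authentication node's tables, per-process taint records updated on the monitored system calls, and the declassifier's check of a response against the session's capability. Every concrete value here is constructed for the example: user names, the password table, taint values, 5-tuples and process ids. The database proxy's contribution is stood in for by writing the Connection-Taints entry directly, and the declassifier checks the taints of the sending process, which is what a per-process tracker knows about the response.

```python
import hashlib
import hmac
import secrets


def password_hash(password):
    """Stand-in for whatever the User-Auth table stores (constructed for the example)."""
    return hashlib.sha256(password.encode()).hexdigest()


class AuthenticationNode:
    """Step #2: maps cookies to users and grants each client connection the user's taint."""

    def __init__(self, user_auth, user_taints):
        self.user_auth = user_auth            # User-Auth table: username -> password hash
        self.user_taints = user_taints        # taint of each user's rows (from the taint-storage tables)
        self.user_sessions = {}               # User-Sessions table: cookie -> username
        self.connection_capabilities = {}     # Connection-Capabilities table: 5-tuple -> allowed taints

    def login(self, username, password, five_tuple):
        stored = self.user_auth.get(username)
        if stored is None or not hmac.compare_digest(stored, password_hash(password)):
            return None
        cookie = secrets.token_hex(16)
        self.user_sessions[cookie] = username
        self.connection_capabilities[five_tuple] = {self.user_taints[username]}
        return cookie


class TaintTracker:
    """Step #4: per-process taint records, propagated on the monitored system calls."""

    def __init__(self, connection_taints):
        self.connection_taints = connection_taints   # Connection-Taints table, filled by the DB proxy
        self.process_taints = {}                     # pid -> taints
        self.file_taints = {}                        # path -> taints

    def taints_of(self, pid):
        return self.process_taints.setdefault(pid, set())

    def recv(self, pid, five_tuple):
        """read()/recv() on a socket: the process inherits the connection's taints."""
        self.taints_of(pid).update(self.connection_taints.get(five_tuple, set()))

    def write_file(self, pid, path):
        self.file_taints.setdefault(path, set()).update(self.taints_of(pid))

    def read_file(self, pid, path):
        self.taints_of(pid).update(self.file_taints.get(path, set()))

    def fork(self, parent_pid, child_pid):
        """fork()/execve(): the child starts with a copy of the parent's taints."""
        self.process_taints[child_pid] = set(self.taints_of(parent_pid))

    def ipc(self, sender_pid, receiver_pid):
        """send()/shmat()/kill(): taints flow from the sender to the receiver."""
        self.taints_of(receiver_pid).update(self.taints_of(sender_pid))


class Declassifier:
    """Step #5: a response may leave only if every taint it carries is in the session's capability."""

    def __init__(self, tracker, connection_capabilities):
        self.tracker = tracker
        self.capabilities = connection_capabilities

    def check_send(self, pid, client_tuple):
        """Return (allowed, leaked_taints) for pid sending a response on client_tuple."""
        allowed = self.capabilities.get(client_tuple, set())
        leaked = self.tracker.taints_of(pid) - allowed
        return (not leaked, leaked)


def demo():
    auth = AuthenticationNode(
        user_auth={"alice": password_hash("alice-pw"), "bob": password_hash("bob-pw")},
        user_taints={"alice": "0xABCDEF", "bob": "0x123456"},
    )
    alice_conn = ("198.51.100.7", 52000, "203.0.113.10", 443, "tcp")  # Alice's client 5-tuple
    db_conn = ("10.0.0.5", 41234, "10.0.0.9", 3306, "tcp")            # web server -> DB proxy
    auth.login("alice", "alice-pw", alice_conn)

    connection_taints = {}        # what the DB proxy would record (Step #3, item 11)
    tracker = TaintTracker(connection_taints)
    declassifier = Declassifier(tracker, auth.connection_capabilities)
    worker = 1001                 # webserver process handling Alice's request

    # Legitimate request: the proxy returns Alice's rows on db_conn, tagging it with her taint.
    connection_taints[db_conn] = {"0xABCDEF"}
    tracker.recv(worker, db_conn)
    legit = declassifier.check_send(worker, alice_conn)

    # Compromised worker (e.g. via SQL injection) also pulls Bob's rows into the same process.
    connection_taints[db_conn] = {"0xABCDEF", "0x123456"}
    tracker.recv(worker, db_conn)
    leak = declassifier.check_send(worker, alice_conn)

    # The attacker spawns a helper to ship the data out on an unauthenticated connection.
    tracker.fork(worker, 1002)
    exfil_conn = ("203.0.113.10", 53000, "192.0.2.66", 8080, "tcp")
    exfil = declassifier.check_send(1002, exfil_conn)
    return legit, leak, exfil


if __name__ == "__main__":
    print(demo())  # ((True, set()), (False, {'0x123456'}), (False, {'0xABCDEF', '0x123456'}))
```

The third case is the one the design is built for: a connection with no Connection-Capabilities entry has an empty capability, so any tainted byte the forked helper tries to send is refused, regardless of how the application was compromised. The price, visible in the second case, is that a single process mixing two users' data can no longer answer either of them, which is the false-positive side the Limitations slide refers to.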
Implementation
- 60 lines changed in OSCommerce
- Information flow control:
  – 8,000 lines of C Linux kernel code
  – Redis key-value store holding the User-Session, Connection-Capabilities, Connection-Taints and Taint-Policy tables
- Database proxy: 350 lines of Lua code
Implementation: Configuration
- Identify primary keys
- Identify table groups
- Identify foreign-key relationships
- Monitor INSERT queries for each group
In the OSCommerce application:
- Out of 50 tables, 15 were sensitive
- The sensitive tables fell into groups of 9, 5 and 1
- In all, 3 taint-storage tables were needed
Evaluation
- File fetch overhead: 7% for small files, 1% for large files
- Scalability:
  – Login slowdown: 21%
  – User session slowdown: 30%
Related Work
- Data isolation: CLAMP, Nemesis, CryptDB
- Information flow control: HiStar, Dstar, Asbestos, Flume
- Language-level taint tracking: RESIN, Guardrails, PHPAspis, DBTaint
- Full-system taint tracking: TaintDroid, Neon, Panorama
Limitations
- Misconfiguration
- False positives and false negatives
- Data integrity
- Partial deployment
- Social networking applications
- Integration with SDN controllers
Conclusion
- Prevents exfiltration of sensitive data, even if the application is compromised
- Information flow: associate data with taints and allow only authorized user sessions to receive it
- Very little modification to existing applications
- Overhead is about 20–30% over the unmodified application
SilverLine: protect the data, rather than the application