Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009.

Published byAmaya Case Modified over 9 years ago

Similar presentations

Presentation on theme: "Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009."— Presentation transcript:

1 Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009

2  High level vulnerabilities quite common  Simple solution: insert necessary checks everywhere they’re needed  Not as easy as it seems: very hard for programmer to correctly identify where each check needs to be

3  HotCRP password leakage ◦ Password reminder email option ◦ Simple rule: password must be sent to owner only ◦ But, you have email preview mode  Cross-site scripting ◦ Server should never send unsanitized user-supplied input as response; input must not contain valid JavaScript ◦ Simple logic: sanitize all user input  You did remember to check the whois response, right? ◦ PHPMyAdmin must check input in 1,409 locations

4  Data are automatically assigned policy objects (metadata) ◦ E.g., trusted, user-supplied, private  Policy objects are automatically propagated according to specified rules (propagation handlers)  Prior to leaving the system, policy objects must pass through filter objects (syscall handlers) ◦ E.g., going to SQL, user, disk ◦ Exception thrown on disallowed actions

5  Motivation  Resin ◦ Policy Objects ◦ Filter Objects ◦ Persistent Policies  Evaluation ◦ Vulnerabilities Detected ◦ Microkernel Overheads

6  DIFT tool running inside high-level interpreted languages ◦ PHP, Python e.t.c. ◦ The interpreter, server, O/S are trusted  Resin cannot protect against attacks targeting O/S etc.  Consider Resin an object-oriented lifeguard platform ◦ Metadata are classes that carry methods on how to be propagated and checked ◦ Resin defines the interface and default actions

7 Senmail pipe to user u HTTP conn. to user w Context Type: email Email: u@foo.com Context Type: HTTP http: user w Language Runtime Bounds Password Policy email:u@foo.com SecretPass Your password is: Password Policy email:u@foo.com SecretPass From SQL Associated with password characters only

8  Policy Objects ◦ Marks data as private, secure, user-input etc  Filter Objects ◦ Associated with runtime border objects  Pipes, connections, etc ◦ Can have at function borders ◦ Automatically associated with context  What kind of connection  To whom Password Policy email:u@foo.com Context Type: email Email: u@foo.com

9  Associated with primitive data ◦ int, char, …, but not String, int [], … ◦ A datum may be associated with multiple Policies  Implement export_check (context) ◦ Called automatically by filter object which provides context ◦ Usually do nothing (approve) or throw exception (block) Password Policy email:u@foo.com

10 class PasswordPolicy extends Policy { private $email; function __construct($email) { $this->email = $email; } function export_check($context) { if ($context[’type’] == ’email’ && $context[’email’] == $this->email) return; throw new Exception(’unauthorized disclosure’); } policy_add($password, new PasswordPolicy(’u@foo.com’));

11  What happens if at least one input of binop has a policy object?  Default action union  Policy that wants to change it must implement merge(policySet) ◦ Automatically called, if implemented, for each assoc. policy of each source operand ◦ Input: all the policies of the other source operand ◦ Returns the desired new policy set or throws exception ◦ Final set = union of all returns from all merges  Example: trusted iff all inputs trusted (intersection)

12  Automatically at runtime boundaries ◦ Pipes to SQL or Sendmail, HTTP to users  Manually at specific functions ◦ E.g. before signer to remove Secret policy from signature  Default behavior: call every export_check it sees ◦ Pass this filter’s context ◦ If no export_check, approve data flow  Default behavior override ◦ Block flow of data not associated with TrustedByRootPolicy  Prevents server-side scripting Context Type: email Email: u@foo.com

13 class DefaultFilter(Filter): def __init__(self): self.context = {} def filter_write(self, buf): for p in policy_get(buf): if hasattr(p, ’export_check’): p.export_check(self.context) return buf

14  Persistent I/O rewritten on-the-fly by filter objects ◦ Disk, SQL ◦ Disk I/O automatically reads/writes policies in file’s extended attributes ◦ SQL queries rewritten to query/update policies  Modified: create table, select, update, etc  Resin only stores names of policies and private data, not binary implementation ◦ Implementation can change easily

15

16  Motivation  Resin ◦ Policy Objects ◦ Filter Objects ◦ Persistent Policies  Evaluation ◦ Vulnerabilities Detected ◦ Microkernel Overheads

17  PHP prototype: ~6000 lines of code ◦ 2600 for SQL stuff ◦ 1100 core structures ◦ 2200 propagation and merge int  Added Resin to real-life apps to catch known and unknown bugs  Run microkernels to get overhead  Performance numbers for HotCRP (conference management app) ◦ 33% overhead (but runs in PHP interpreter, not directly C) ◦ 88ms to display a page instead of 66ms

18

19 Byte Level Policy Merging Policies Overhead due to (de)serializing policy objects Rewriting SQL queries to add/get policies Delete just drops the line

Download ppt "Yip, X. Wang, N. Zeldovich, M. F. Kaashoek MIT CSAIL Reading Group by Theo 06 Oct 2009."

Similar presentations

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
Microsoft VB 2005: Reloaded, Advanced Chapter 5 Input Validation, Error Handling, and Exception Handling.

Microsoft VB 2005: Reloaded, Advanced Chapter 5 Input Validation, Error Handling, and Exception Handling.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.

Configuring Windows Vista Security Chapter 3. IE7 Pop-up Blocker Pop-up Blocker prevents annoying and sometimes unsafe pop-ups from web sites Can block.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
Computer Science 101 Web Access to Databases Overview of Web Access to Databases.

Computer Science 101 Web Access to Databases Overview of Web Access to Databases.
Creating Web Page Forms

Creating Web Page Forms
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
Chapter Seven Advanced Shell Programming. 2 Lesson A Developing a Fully Featured Program.

Chapter Seven Advanced Shell Programming. 2 Lesson A Developing a Fully Featured Program.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Session 5: Working with MySQL iNET Academy Open Source Web Development.

Session 5: Working with MySQL iNET Academy Open Source Web Development.
Chapter 5 Java Script And Forms JavaScript, Third Edition.

Chapter 5 Java Script And Forms JavaScript, Third Edition.
Server-side Scripting Powering the webs favourite services.

Server-side Scripting Powering the webs favourite services.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.

1 PHP and MySQL. 2 Topics  Querying Data with PHP  User-Driven Querying  Writing Data with PHP and MySQL PHP and MySQL.

Similar presentations

Ads by Google