Presentation is loading. Please wait.

Presentation is loading. Please wait.

Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.

Similar presentations


Presentation on theme: "Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities."— Presentation transcript:

1 Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications 1

2 2 Outline 1. Introduction 2. Web Application Security Architecture 3. Authentication Inference 4. Authorization Enforcement 5. Implementation 6. Experimental Results 7. Conclusion 2

3 3 1. Introduction web application deploys its own authentication & access control FS & DB layers perform operations with the privileges of the web application –Not user no defensive tools exist to automatically prevent 3

4 4 Nemesis modify library and interpreter –shadow authentication –taint, track the flow & string compare & IO do not require the behavior of the application to be modified 4

5 5 2. Web Application Security Architecture Authentication: –user input –performs an authentication check, ensure –validated, creates a login session for the user Access Control attacks: execute server side operations which might not be authorized to perform 5

6 6 6

7 7 3. Authentication Inference infer when authentication has occurred shadow authentication system –ensure the authentication steps require developer to provide “annotation” –where pass and name stored –external function 7

8 8 Dynamic Information Flow Tracking DIFT tag each data –“credential” taint bit –“user input” taint bit perform taint propagation in the language interpreter –source operand tainted, destination tainted 8

9 9 2 taint tag bits “credential” taint bit: data item represents a known-good password or other credential “user input” taint bit: data item was supplied by the user as part of the HTTP request Nemesis propagates both taint 9

10 10

11 11 Nemesis ACL Enforce: –Intercept I/O operations to enforce file ACLs –Intercept, rewrite SQL queries to enforce DB ACLs DIFT: –2 tag bits per object to track credentials and taint Tag propagation on all operations –Automatic inference of authentication checks 11

12 12 Creating a New Login Session data tagged as “user input” compare to data tagged as “credentials” using string (in)equality operators User input password matches the one stored in the password DB infer user authentication auth function 12

13 13 keep Login Session use an entirely separate session management framework shadow cookie: private key 13

14 14 4. Authorization Enforcement access control rules (ACL) developer supply ACL for file, dir, & DB ACL check : current shadow authenticated user is permitted to execute the operation 14

15 15 Restrict the access of file, directory or DB Little programmer effort required Intercept the IO operation 15

16 16 Against SQL injection (to..) Rewrite the SQL query & add the 3 rd bit in zval denote user input that may be interpreted as a SQL keyword or operator SQL quoting functions clear this tag bit –mysql_real_escape_string() 16

17 17 5. Implementation implement a prototype of Nemesis by modifying the PHP interpreter zval Due to alignment restrictions, the zval structure has a few unused bits 17

18 18 Tag Initialization Any input is tainted with the ’user input’ bit set a global variable to store the candidate username associated with the password shadow authentication system uses this candidate username to initialize the shadow cookie setcookie() 18

19 19 Password Comparison Authentication Inference performed by modifying the PHP interpreter’s string comparison operators perform a check to see if the two string operands were determined to be equal equal & A:“credential”, B:”user input”  succeed 19

20 20 Authentication check check the global variable that indicates the current shadow authenticated user not set: check if shadow authentication information is stored in the current session file Check shadow authentication cookie (extract) 20

21 21 Access control check checking the current authenticated user against a list of accessible files on each file access manually inserted these checks into applications based on the ACL 21

22 22 6. Experimental Results 22

23 23 authentication bypass: shadow authentication is not affected installation script will reset the administrator password: restricted by ACL 23

24 24 7. Conclusion novel methodology for preventing authentication & access control bypass shadow authentication system: track user authentication state by an additional HTTP cookie Programmers can specify ACL lists Little effort( < 100 LoC) 24


Download ppt "Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities."

Similar presentations


Ads by Google