Protection Models for Web Applications
Total Page:16
File Type:pdf, Size:1020Kb
Syracuse University SURFACE Electrical Engineering and Computer Science - Dissertations College of Engineering and Computer Science 2011 Protection Models for Web Applications Karthick Jayaraman Syracuse University Follow this and additional works at: https://surface.syr.edu/eecs_etd Part of the Computer Engineering Commons Recommended Citation Jayaraman, Karthick, "Protection Models for Web Applications" (2011). Electrical Engineering and Computer Science - Dissertations. 297. https://surface.syr.edu/eecs_etd/297 This Dissertation is brought to you for free and open access by the College of Engineering and Computer Science at SURFACE. It has been accepted for inclusion in Electrical Engineering and Computer Science - Dissertations by an authorized administrator of SURFACE. For more information, please contact [email protected]. Abstract Early web applications were a set of static web pages connected to one an- other. In contrast, modern applications are full-featured programs that are nearly equivalent to desktop applications in functionality. However, web servers and web browsers, which were initially designed for static web pages, have not up- dated their protection models to deal with the security consequences of these full- featured programs. This mismatch has been the source of several security prob- lems in web applications. This dissertation proposes new protection models for web applications. The de- sign and implementation of prototypes of these protection models in a web server and a web browser are also described. Experiments are used to demonstrate the improvements in security and performance from using these protection models. Finally, this dissertation also describes systematic design methods to support the security of web applications. Protection Models for Web Applications by Karthick Jayaraman M.E, Anna University, 2004 B.E, Bharathiar University, 2001 DISSERTATION A dissertation submitted in partial fulfillment of the requirements for the de- gree of Doctor of Philosophy in Computer Engineering to the Graduate School of Syracuse University July 2011 Approved by: Prof. Steve J. Chapin, Advisor Prof. Wenliang Du, Co Advisor c 2011 Karthick Jayaraman ALL RIGHTS RESERVED Table of Contents Contents iv List of Tables viii List of Figures ix 1 Introduction1 1.1 Thesis and Contributions..........................5 1.2 Dissertation Organization.........................6 2 Related Work7 2.1 Foundational Systems Work........................7 2.1.1 Classic Security Principles.....................7 2.1.2 Classical Security Policies.....................9 2.1.3 Access-Control Lists and Capabilities.............. 14 2.1.4 System Security........................... 15 2.2 Web Application Security......................... 18 2.2.1 New Browser Architectures.................... 18 2.2.2 Language-based Information Flow................ 19 2.2.3 Mashup Solutions......................... 20 2.2.4 Mitigation Methods........................ 20 2.2.5 Anomaly Detection......................... 25 iv 3 Enforcing Request Integrity 27 3.1 Anatomy of Web Applications....................... 30 3.2 Request Integrity (RI) Attacks....................... 33 3.3 BAYAWAK ................................... 37 3.3.1 Behavior-preserving Diversification............... 37 3.3.2 Architecture............................. 39 3.3.3 Avoiding RI Attacks........................ 45 3.4 Experimental Evaluation.......................... 47 3.4.1 Resistance to RI Attacks....................... 48 3.4.2 Performance Overhead...................... 50 3.5 Discussion.................................. 51 3.5.1 Usability Considerations...................... 52 3.5.2 Attacks Against BAYAWAK .................... 54 3.6 Summary................................... 55 4 A Protection Model for Web Browsers 57 4.1 Protection Requirements for Web Applications............. 61 4.1.1 Principals and Objects....................... 61 4.1.2 The Same-Origin Policy...................... 64 4.1.3 Protection Needs.......................... 66 4.2 The ESCUDO Access-Control Model................... 67 4.2.1 Rings, Ring Assignment, and ACL................ 69 4.2.2 The ESCUDO MAC Policy..................... 73 4.2.3 An Example............................. 74 4.3 Implementation............................... 75 4.3.1 Lobo Architecture......................... 76 4.3.2 ESCUDO Implementation..................... 77 v 4.4 Enforcing Policy Integrity in Escudo................... 84 4.4.1 Policy Manipulation Threats................... 84 4.4.2 ESCUDO Countermeasures.................... 88 4.5 Evaluation.................................. 90 4.5.1 Building ESCUDO-based Web Applications........... 90 4.5.2 Compatibility with Legacy Applications............ 95 4.5.3 Defense Effectiveness....................... 95 4.5.4 Performance Overhead...................... 96 4.5.5 Applications of ESCUDO ...................... 97 4.6 Summary................................... 98 5 Designing Secure Web Applications 99 5.1 The Web DFA Model............................ 102 5.2 Design Principles.............................. 107 5.2.1 Non-sensitive GET/ Sensitive POST............... 109 5.2.2 Secret Token Validation...................... 113 5.2.3 Intent Verification.......................... 115 5.2.4 Guarded Workflow......................... 118 5.2.5 Defense in Depth.......................... 121 5.3 Case Study.................................. 122 5.3.1 Building INFBB........................... 122 5.3.2 Modeling Legacy Web Applications............... 126 5.4 Summary................................... 128 6 Conclusion and Future Work 129 6.1 Future Work................................. 130 6.1.1 Future Directions in Request Integrity.............. 130 vi 6.1.2 Future Directions in Web-browser Access Control....... 133 6.1.3 Complementing Research Directions............... 135 BIBLIOGRAPHY 138 vii List of Tables 2.1 Access-control matrix............................ 14 3.1 RI attacks on example applications.................... 49 3.2 Performance overhead from using BAYAWAK instances........ 51 4.1 Principals and objects inside the web browser.............. 61 4.2 Security requirements for phpBB web application............ 91 4.3 ESCUDO policy configuration for phpBB................. 91 4.4 Security requirements for PHP-Calendar................. 93 4.5 ESCUDO policy for PHP-Calendar..................... 93 5.1 Design patterns to prevent web request forgery attacks........ 108 viii List of Figures 2.1 The Bell-La Padula Model......................... 11 2.2 The Biba Model............................... 12 2.3 Hierarchical protection rings (HPR)................... 13 3.1 RFG for an online message board..................... 32 3.2 Cross-site-request forgeries........................ 35 3.3 A workflow violation in a purchase transaction: Using a workflow attack, an attacker skips the third step and completes the order with- out paying.................................. 36 3.4 Behavior-preserving diversification of the request-flow graph.... 37 3.5 Bayawak Architecture........................... 39 3.6 Flowchart for request processing in BAYAWAK ............. 43 4.1 ESCUDO protection model......................... 68 4.2 Ring assignment using div tags....................... 71 4.3 Assigning cookies to rings......................... 72 4.4 Example: Assigning DOM elements to rings............... 75 4.5 Architecture of the Lobo web browser.................. 76 4.6 ESCUDO reference monitor (ERM).................... 81 4.7 A JavaScript program that accesses a list of DOM elements...... 81 4.8 Tag boundary confusion.......................... 85 4.9 Attribute boundary confusion....................... 85 4.10 JavaScript program that modifies the scope of ESCUDO policies... 86 4.11 JavaScript program that modifies the ESCUDO policy of existing DOM elements................................... 87 ix 4.12 JavaScript program that adds new DOM elements in ring 0...... 87 4.13 Div tag with nounces............................ 88 4.14 Div regions with empty comment tags.................. 89 4.15 Performance overhead in parsing and rendering (in 8 different sce- narios)..................................... 96 5.1 A Web DFA model for an online shopping cart application....... 104 5.2 Web DFA for our shopping application with appropriate request type 111 5.3 A checkout workflow annotated with required preconditions and postconditions................................ 120 5.4 INFBB DFA labeled with sensitive/ non-sensitive states and proper request type................................. 123 5.5 Implementing secret-token validation.................. 124 5.6 INFBB workflow annotated with preconditions and postconditions. 125 5.7 Possible CSRF attack on punBB bulletin board system......... 127 x Acknowledgments I am beholden to several people, without whose support I would not have com- pleted my PhD. First and foremost, I would like to thank my advisor, Prof. Steve J. Chapin. I am a fan of his teaching and writing style. The lessons he taught me go beyond academic life. Effective thinking, execution, and communication skills are some examples. Brainstorming with him was always fun—in several instances he helped me transform problems into opportunities. Finally, I also thank him for the wonderful parties he hosted for all his advisees. He made me feel at home during my entire stay in Syracuse. I also thank my co-advisor, Prof. Wenliang Du, for his guidance on my dissertation, perspectives, and illuminating discussions. I thank Prof. Shiu-Kai Chin, Prof. Susan