Copyright by Martin Hristov Georgiev 2015

The Dissertation Committee for Martin Hristov Georgiev certifies that this is the approved version of the following dissertation:

On the (In)security of Service APIs

Committee:

Vitaly Shmatikov, Supervisor

Brent Waters

Emmett Witchel

Lili Qiu

XiaoFeng Wang

On the (In)security of Service APIs

by

Martin Hristov Georgiev, B.S., M.S.C.S.

DISSERTATION

Presented to the Faculty of the Graduate School of The University of Texas at Austin in Partial Fulfillment of the Requirements for the Degree of

DOCTOR OF PHILOSOPHY

THE UNIVERSITY OF TEXAS AT AUSTIN
August 2015

Dedicated to my parents.

Acknowledgments

I would like to thank my family for their continuous support and encouragement throughout the years. My father taught me how to identify good opportunities in life and how to evaluate and prioritize my goals. My mother instilled perseverance in me and taught me to always strive for the best. My brother taught me time management and organizational skills.

I am also forever indebted to my adviser, Vitaly Shmatikov, for his invaluable help and guidance throughout my PhD. He taught me how to identify important research problems and design novel solutions for them. He also taught me the art of presenting my work to both experts in my field of research and a general audience. Outside of research and academia, I have also learned numerous life skills from him. Thus, I consider myself very fortunate to have him as my PhD adviser.

I very much appreciate my dissertation committee members for taking the time to evaluate my research and provide me with comprehensive feedback. Thanks to their thoughtful comments, I greatly improved the quality of my dissertation.

Special thanks go to Brent Waters for bringing up the inherent insecurities in short URLs. This idea was one of the prerequisites that empowered the research described in the last chapter of my dissertation.

I want to thank Nona Sirakova for being my emotional support in the toughest times of my PhD. In addition to being an excellent inspirational character for me, she also taught me mindfulness.

I thank Suman Jana for introducing me to computer security research in my first semester of graduate school. I am also grateful to my fellows at The University of Texas at Austin: Hongkun Yang, Chad Brubaker, Amir Houmansadr, Reza Shokri, Yuanzhong Xu, Tyler Hunt and Jianyong Meng for our discussions about research, the life of a PhD student, etc.

I would like to thank Sanford Miller, Bogdan Petrenko and Sandeep Mitra for guiding my interests in Mathematics and Computer Science throughout my college years. The trio also inspired me to pursue a PhD degree.

Finally, I want to say a big thank you to my Mathematics teachers, Daniela Zhekova and Stefka Stoilkova, for spending countless hours teaching me problem-solving skills. I owe it to them that I managed to get the maximum score on many university entrance exams and thus had the opportunity to choose the direction of my personal and professional development.

On the (In)security of Service APIs

Martin Hristov Georgiev, Ph.D.
The University of Texas at Austin, 2015

Supervisor: Vitaly Shmatikov

Today’s systems abstract the implementation details of common services, such as secure client-server communication, access to native device resources (e.g. the camera), access to cloud-stored files and folders, etc., by exposing a set of application programming interfaces (service APIs) to applications and software packages.

In this dissertation, we analyze service APIs exposed by modern systems across all layers of the software stack and demonstrate that they are too complex for developers to understand and use correctly. Instead of providing high-level abstractions such as authorization and , they provide low-level details such as callbacks, options and flags. As a result, service APIs used in security-critical software often end up being misconfigured and exposing users’ sensitive data to botnet, Web and network attackers.

To demonstrate the pervasiveness of the problem, we perform the first systematic analysis of insecure usage of service APIs in modern software developed and maintained by both individual developers and large software companies.

First, we analyze the perils and pitfalls of low-level service APIs for establishing secure network channels. SSL/TLS (Secure Sockets Layer/Transport Layer Security) is currently the de facto standard for secure Internet communication; its security against active network attackers depends on properly validating the server’s certificate, including the chain of trust and the hostname, at connection establishment. Unfortunately, our analysis shows that SSL/TLS APIs are often poorly understood and misused. As a consequence, server certificate validation is completely broken in many security-critical applications and libraries, exposing users’ data to network attackers.

Second, we study the software stack employed by modern hybrid applications. Hybrid apps combine the features of Web apps and “native” apps. Like Web apps, they are implemented in platform-independent languages such as HTML5 and JavaScript. Like native apps, they have direct access to local device resources such as the file system and camera. We demonstrate that the frameworks on top of which hybrid apps are developed do not properly compose the access-control policies governing the Web half and the local half of the app. The Web half runs in a browser instance, created by the framework at application initialization time, and is confined by the browser’s same origin policy. The local half is governed by the access-control policy of the . Unfortunately, improper composition of the two types of access-control policies at the framework layer effectively subjects the applications to “fracking” attacks: foreign-origin Web content (e.g., ads) included into hybrid apps can drill through the layers of the software stack and steal the user’s contact list, text messages, photos, etc.

Third, we analyze service APIs exposed by today’s Web-based application platforms. This new class of platforms provides browser-like runtime environments to support Web-based applications. Such apps run outside the traditional Web browser and enjoy direct access to native objects such as files and GPS. However, unlike the service APIs exposed by hybrid frameworks, this category of service APIs is exposed by the platforms themselves, effectively eroding the distinction between desktop, mobile, and Web-based software. Unfortunately, we demonstrate that the access-control models used by Web-based application platforms are inadequate. As a result, when applications request access to sensitive resources for their own code, they unintentionally enable it for untrusted third-party code, too.

Fourth, we study server-side service APIs exposed by some of today’s cloud services and demonstrate that many of them are vulnerable to scanning and thus leak users’ data. For example, we show that cloud storage providers that allow users to share files and folders via short URLs and support APIs for easy account traversal end up exposing their users to large-scale privacy and security breaches.

To address the vulnerabilities plaguing today’s service APIs, we suggest that new principled service APIs be designed, implemented and deployed at all levels of the software stack. Unlike the old APIs, the new service APIs must provide simple interfaces through which developers can easily specify their high-level security objectives such as confidentiality and authentication.

In this dissertation, we implement two new principled mechanisms for enforcing security in service APIs used by Web code of modern hybrid and Web-based apps. We also provide recommendations for improving the security of SSL/TLS APIs and APIs for managing cloud-stored files.

Our first prototype system is called NOFRAK. It introduces a new technique for protecting native-access APIs in hybrid apps from “fracking” attacks. NOFRAK is platform-independent and requires no changes to the code of existing apps.

Our second system is POWERGATE. At its core, POWERGATE is a new access-control mechanism for protecting APIs to native objects in Web-based applications from unauthorized access. POWERGATE enables application developers to write well-defined access-control policies with explicit principals such as “application’s own local code” and “third-party Web code”.
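The contrast drawn in the two paragraphs above (the third study, where an app-wide grant unintentionally reaches third-party code, and POWERGATE’s policies with explicit principals), as an added example that is not the dissertation’s or POWERGATE’s own code: a manifest-style check that ignores who is asking, beside a check that first derives a principal from the requesting code’s origin and then consults a per-resource policy. The origin normalization, the two principal names, the `file://` rule for local app code and the sample policy are my own assumptions for illustration.

```python
from __future__ import annotations
from urllib.parse import urlsplit


def coarse_allow(manifest_permissions: set[str], resource: str) -> bool:
    """App-wide grant: one permission set for the whole app, no notion of who is asking.

    Third-party Web code loaded into the app gets exactly the same answer as the app's own code.
    """
    return resource in manifest_permissions


def origin_of(url: str) -> str:
    """Normalize a URL to scheme://host[:port]; local files map to 'file://', else 'null'.

    Default ports are dropped so http://a.example:80/ and http://a.example/ compare equal.
    """
    parts = urlsplit(url)
    if parts.scheme == "file":
        return "file://"
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "null"                       # opaque origin (about:blank, data:, ...)
    port = parts.port
    if port is None or (parts.scheme, port) in (("http", 80), ("https", 443)):
        return f"{parts.scheme}://{parts.hostname.lower()}"
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


def principal_of(request_url: str, app_origins: set[str]) -> str:
    """Map the origin of the code issuing a request to an explicit principal (assumed names)."""
    return "local" if origin_of(request_url) in app_origins else "third-party"


def principled_allow(policy: dict[str, set[str]], request_url: str,
                     app_origins: set[str], resource: str) -> bool:
    """Deny by default; allow only if the requesting principal is listed for that resource."""
    return principal_of(request_url, app_origins) in policy.get(resource, set())


if __name__ == "__main__":
    # Constructed sample policy: contacts only for the app's own code, geolocation for both.
    app_origins = {"file://"}
    policy = {"contacts": {"local"}, "geolocation": {"local", "third-party"}}
    for url in ("file:///www/index.html", "https://ads.example/banner.html"):
        for res in ("contacts", "geolocation", "sms"):
            print(principal_of(url, app_origins), res,
                  principled_allow(policy, url, app_origins, res))
```

The point is the second argument the principled check takes and the coarse one does not: the request carries the origin of the code that made it, so an ad frame asking for `contacts` is refused while the app’s own page, under the same manifest, is not.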

Table of Contents

Acknowledgments v

Abstract vii

List of Tables xvi

List of Figures xvii

List of Snippets xix

List of Algorithms xxi

Chapter 1. Introduction ...... 1
1.1 Threat Model ...... 3
1.2 Architecture of modern software applications ...... 6
1.2.1 Client-side service APIs ...... 7
1.2.1.1 Low-level service APIs ...... 8
1.2.1.2 Service APIs in the middleware ...... 10
1.2.1.3 Service APIs in the application layer ...... 12
1.2.2 Server-side service APIs ...... 15
1.3 Towards principled service APIs ...... 18
1.3.1 Design ...... 19
1.3.2 Implementation ...... 20
1.3.3 Testing ...... 21
1.3.4 Backward compatibility ...... 22
1.4 Contributions and impact ...... 23

Chapter 2. Validating SSL Certificates in Non-Browser Software ...... 27
2.1 Introduction ...... 27
2.2 Overview of our results ...... 30
2.3 Overview of SSL ...... 34
2.3.1 Threat model ...... 34
2.3.2 SSL certificate validation ...... 34
2.4 SSL abstractions ...... 37
2.4.1 SSL libraries ...... 38
2.4.2 Data-transport libraries ...... 44
2.5 SSL in non-browser software ...... 47
2.6 Experimental testbed ...... 51
2.7 Misunderstanding the SSL API ...... 53
2.7.1 Amazon Flexible Payments Service (PHP) ...... 53
2.7.2 PayPal Payments Standard and PayPal Invoicing (PHP) ...... 54
2.7.3 PayPal IPN in Zen Cart ...... 55
2.7.4 Lynx ...... 56
2.7.5 Apache HttpClient ...... 57
2.7.6 Trillian ...... 59
2.7.7 Rackspace ...... 60
2.7.8 TextSecure ...... 61
2.8 Using insecure middleware ...... 61
2.8.1 Apache Axis, Axis 2, Codehaus XFire ...... 62
2.8.2 Pusher ...... 63
2.9 Using insecure SSL libraries ...... 64
2.10 Breaking or disabling certificate validation ...... 65
2.10.1 Chase mobile banking ...... 66
2.10.2 Apache Libcloud ...... 67
2.10.3 Amazon Elastic Load Balancing API Tools ...... 68
2.10.4 Shopping carts ...... 69
2.10.5 AdMob ...... 70
2.10.6 Android apps ...... 70
2.10.7 AIM ...... 70

2.10.8 FilesAnywhere ...... 71
2.11 Our recommendations ...... 71
2.11.1 For application developers ...... 71
2.11.2 For SSL developers ...... 72
2.12 Related work ...... 74
2.13 Conclusion ...... 76

Chapter 3. Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks ...... 77
3.1 Introduction ...... 77
3.2 Hybrid apps and frameworks ...... 81
3.2.1 Hybrid application frameworks ...... 82
3.2.2 Hybrid software stack ...... 85
3.3 Security models ...... 87
3.3.1 Web security ...... 87
3.3.2 Local security ...... 88
3.3.3 Hybrid security ...... 89
3.4 Bridges ...... 90
3.4.1 Web-to-local bridges ...... 91
3.4.2 Local-to-Web bridges ...... 94
3.4.3 Custom cross-origin communication ...... 96
3.5 Fracking ...... 96
3.5.1 Conceptual overview ...... 97
3.5.2 Technical details ...... 99
3.6 Fracking in the wild ...... 102
3.7 Existing defenses ...... 106
3.7.1 Relying on the browser ...... 106
3.7.2 Whitelisting authorized domains ...... 106
3.7.3 Enforcing NoLoad ...... 107
3.7.4 Inadequacy of NoLoad ...... 109
3.7.5 Enforcing NoBridge ...... 111
3.7.6 Relying on local privilege separation ...... 113
3.8 NOFRAK ...... 115

3.8.1 Design ...... 115
3.8.2 Implementation ...... 118
3.8.3 Evaluation ...... 123
3.9 Related work ...... 124
3.10 Conclusion ...... 128

Chapter 4. Rethinking Security of Web-Based System Applications ...... 130
4.1 Introduction ..