
DATS — Programmability and Security by Design for Web Applications

Casen Hunger¹ (University of Texas at Austin), Lluís Vilanova¹ (Technion — Israel Institute of Technology), Charalampos Papamanthou (University of Maryland (UMD)), Yoav Etsion (Technion — Israel Institute of Technology), Mohit Tiwari (University of Texas at Austin)

¹ Equal contributors.

Abstract

Using data-centric containers for isolation is a very effective way to give users control of their data and avoid information leaks from untrusted applications. However, they are hard to program for and lead to inefficiencies, since they require replicating an application inside each container.

We propose DATS — a system to run web applications that retains application usability and efficiency through a mix of hardware-capability-enhanced containers and the introduction of two new primitives modeled after the popular model-view-controller (MVC) pattern. (1) DATS introduces a templating language to create views that compose data across data containers. (2) DATS uses authenticated storage and confinement to enable an untrusted storage service, such as memcached and deduplication, to operate on plain-text data across containers. These two primitives act as robust declassifiers that allow DATS to enforce non-interference across containers, taking large applications out of the trusted computing base (TCB).

We showcase various web applications including gitlab and a Slack-like chat (eight in total), significantly improve the worst-case overheads due to application replication, and demonstrate usable performance for common-case usage.

CCS Concepts • Security and privacy → Authentication; Access control; Authorization; Web application security; Operating systems security; Information flow control

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
ASPLOS ’18, March 24–28, 2018, Williamsburg, VA, USA. © 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM. ISBN 978-1-4503-4911-6/18/03. $15.00. DOI: https://doi.org/10.1145/3173162.3173213

1. Introduction

Web applications have to implement a wide array of security features, such as input sanitizing, authorization, and access control checks [13]. However, developers often implement these features incorrectly [8, 18] and do not update all libraries promptly [19]. Web applications are vulnerable to “zero-day” vulnerabilities [5]. A compromised web application can then exfiltrate data to unauthorized users and cause large data breaches. Worse, the threat of exploits forces considerable penetration-testing and compliance-certification work that slows down application development.

Ideally, users and enterprises would store their data on storage platforms (e.g., Google Drive or electronic medical record (EMR) systems), use untrusted web applications that integrate with these storage platforms, and yet protect their data from being breached — i.e., enforcing mandatory access control (MAC) over the untrusted applications. Figure 1 shows a simplified setting where a doctor (Dave) shares folders with patients Alice, Bob, and Eve, and uses untrusted applications for messaging and scheduling.

A natural strategy is to use data containers: run an entire application instance within the context of each data object, with each instance isolated into a separate container [35, 44, 69, 77]. The access control rules will hold by definition even if an application instance is compromised or malicious (no information can be transferred across containers for different data objects). One could use language-level information flow control (IFC) to achieve the same goals (e.g., Hails [39] provides a Haskell framework that attaches labels to data in database models), but this compromises programmability. Developers rely on a large body of existing frameworks and languages, and we cannot therefore limit them to only using vetted options. The advantage of most OS container technologies is that they can isolate unmodified code.

Data containers thus raise two new challenges. Usability: for example, a calendar application cannot aggregate into a single page the information from the appointments in different data objects. Efficiency: applications cannot use a single storage service, such as deduplication, across data objects.

In this paper we present the DATS system, which refactors authentication and access controls outside of untrusted web applications. DATS couples data containers in a novel way to trivially enforce access controls at the container level, together with two new mechanisms to robustly declassify [76] information from multiple data objects. It leverages the model-view-controller (MVC) pattern common in many web applications, while maintaining application programmability by presenting a familiar programming model to developers and supporting several existing web application frameworks and languages.

First, DATS recovers usability by securely composing views from multiple data objects. Applications can provide an untrusted view template to a trusted template processor to aggregate information from each per-data-object container into a single page, like in many existing view templating languages [16]. The declassifier transparently applies language-level IFC to prevent information leaks across data objects.

Second, DATS improves efficiency by securely sharing untrusted storage services across data objects. Applications can use a trusted storage declassifier that interposes between

[Figure 1: two diagrams, “Application-centric” (top) and “Data-centric” (bottom), each with rows Users (Dave, Alice, Bob, Eve), Labels / folders (Fracture'13, Fever'14, Flu'15), Apps (top: one Messaging and one Scheduling application; bottom: a Messaging + Scheduling instance per label), and Storage (Msg@Fracture'13, Msg@Fever'14, Msg@Flu'15, Event@Fracture'13, Event@Fever'14, Event@Flu'15).]

Figure 1: Current systems have application-centric access controls (top) and cannot prevent data leaks; e.g., a compromised or malicious “Scheduling” application can leak Alice’s events to Eve (from “Fracture'13” to “Flu'15”). Data-centric access controls (bottom) enforce users’ ACLs on all applications: data is confined to its respective label.

(i.e., “get(key_x)”) to ensure that it only returns the value from the most recent “put(key_x, val)” operation on the same data object – interestingly, we use this to ensure that storage does not leak information across data objects. Container technologies are available in production systems, but replicating an application instance on each of them has intrinsic inefficiencies known as multi-execution [26]. Performance is largely secondary for enterprises (they have far fewer users than internet-scale services), but multi-execution can become a problem when operating across a large number of data objects (e.g., search). We therefore also explored using hardware-assisted thread containers to avoid multi-execution.

DATS and the client browser are the only components that reside in the trusted computing base (TCB), while ensuring applications remain programmable, usable and efficient. IFC efforts like Hails [39] and Jeeves [74] are instead a great fit for the trusted developers of DATS’s TCB. Enterprises can then leverage the vast space of existing and untrusted web applications, frameworks, languages and developers, and at the same time avoid costly application code audits. We make the following contributions:

• We design and implement the DATS system (§3 and §4).
• We evaluate programmability and security by developing 4 applications and porting 4 existing ones (§5 and §6).
• We evaluate performance with existing OS-level containers [10, 61] and a HW-capability architecture [32, 66] (§7).

2. Motivation

Many enterprises use web-based applications for security-sensitive data (e.g., a hospital). Currently, the TCB includes every application, since an application-level exploit can put all data at risk. Such applications are thus built, certified, and audited for security first, with performance being a secondary concern [9]. This accrues large costs from highly skilled security-aware programmers, and long and costly penetration-testing and compliance-certification work before the smallest changes can be pushed into production. This is clearly at odds with rapid application development and deployment cycles and cost-efficiency; one cannot employ the vast majority of existing web developers, who are not security-savvy, nor leverage existing applications and development frameworks. We therefore want a systematic approach to provide security and cost-efficiency for such security-sensitive applications.

Figure 1 shows a simplified setting where a doctor (Dave) shares folders (i.e., access control domains or security labels) with patients Alice, Bob, and Eve, and uses untrusted applications like “Messaging” and “Scheduling”. Access
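The storage declassifier described above (a trusted interposer that lets an untrusted, shared, plain-text store such as memcached serve every data object, yet guarantees that a get(key_x) from one container only ever returns the most recent put(key_x, val) made from the same data object) can be illustrated with the following added example. It is not code from the DATS paper or system; the construction is an assumption made here for illustration: the interposer keeps a secret MAC key and a trusted per-(label, key) version counter, binds each stored value to its label, key and version with an HMAC, and refuses anything stale or belonging to another label. The store, the container names (Fracture'13, Flu'15) and the stored notes are constructed for the demo.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """The store answered with a value this data object never stored, or a stale one."""


class UntrustedStore:
    """Shared plain-text key/value service standing in for memcached. It sees
    every value in the clear and may answer a get() with any record it likes."""

    def __init__(self):
        self.records = {}

    def put(self, skey, record):
        self.records[skey] = record

    def get(self, skey):
        return self.records.get(skey)


def _encode(*parts):
    # Length-prefix each field so (label, key, version, value) cannot be
    # re-split into a different tuple that yields the same MAC input.
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


@dataclass
class StorageDeclassifier:
    """Trusted interposer between containers and the untrusted store. This is
    an assumed design for illustration, not DATS's own: one MAC key plus, per
    (label, key), the version number of the most recent put."""

    store: UntrustedStore
    mac_key: bytes = field(default_factory=lambda: os.urandom(32))
    latest: dict = field(default_factory=dict)

    def _tag(self, label, key, version, value):
        msg = _encode(label.encode(), key.encode(), version.to_bytes(8, "big"), value)
        return hmac.new(self.mac_key, msg, hashlib.sha256).digest()

    def put(self, label, key, value):
        version = self.latest.get((label, key), 0) + 1
        self.latest[(label, key)] = version
        tag = self._tag(label, key, version, value)
        # The value itself goes to the store in plain text, so the store can
        # still deduplicate or cache it across data objects.
        self.store.put(f"{label}/{key}", (version, value, tag))

    def get(self, label, key):
        expected = self.latest.get((label, key))
        if expected is None:
            return None  # this data object never stored the key
        record = self.store.get(f"{label}/{key}")
        if record is None:
            raise IntegrityError("store dropped a value it was given")
        version, value, tag = record
        fresh = version == expected
        genuine = hmac.compare_digest(tag, self._tag(label, key, version, value))
        if not (fresh and genuine):
            raise IntegrityError("stale or foreign value returned by store")
        return value


class Container:
    """Untrusted application instance confined to one data object. The label is
    fixed by the declassifier at creation, so the app cannot name another."""

    def __init__(self, label, declassifier):
        self._label = label
        self._decl = declassifier

    def put(self, key, value):
        self._decl.put(self._label, key, value)

    def get(self, key):
        return self._decl.get(self._label, key)


def _outcome(fn, *args):
    try:
        return fn(*args)
    except IntegrityError:
        return "IntegrityError"


def run_scenarios():
    """Constructed scenario using two of Dave's folders from Figure 1."""
    store = UntrustedStore()
    decl = StorageDeclassifier(store)
    fracture = Container("Fracture'13", decl)
    flu = Container("Flu'15", decl)
    out = {}

    fracture.put("notes", b"cast removed, follow-up in six weeks")
    flu.put("notes", b"positive influenza test")
    out["honest"] = fracture.get("notes")

    # Malicious store: answer Fracture'13's get with Flu'15's plain-text record.
    # The MAC is bound to the label, so the swap is rejected and nothing leaks.
    store.records["Fracture'13/notes"] = store.records["Flu'15/notes"]
    out["cross_object"] = _outcome(fracture.get, "notes")

    # Rollback: after an update the store replays the previous record. Its tag
    # is genuine, but its version is not that of the most recent put.
    stale = store.records["Flu'15/notes"]
    flu.put("notes", b"recovered")
    store.records["Flu'15/notes"] = stale
    out["rollback"] = _outcome(flu.get, "notes")
    return out
```

The security argument the example makes concrete: because the store is confined (it has no channel to users other than its answers to get()), and because every answer a container accepts is provably one of that container's own earlier puts, the store's observable output to data object x is a function of x's own inputs alone, which is the non-interference property the text claims. The trusted per-key version table is what turns "a value I once stored" into "the value I stored most recently"; a real system would replace that table with a compact authenticated digest rather than one entry per key.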