
SCRIPTGARD: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications



Presentation Transcript


  1. SCRIPTGARD: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications. Prateek Saxena (UC Berkeley), David Molnar (Microsoft Research), Ben Livshits (Microsoft Research)

  2. Large-Scale Legacy Applications How to Secure Legacy Apps? • Step-up in Scale • Half a Million LOC • Shared Development by teams of 100+ • What’s The Difference? • Shifting Platforms isn’t practical • Long Program Paths, Many sanitizers Applied

  3. XSS in Large-Scale Applications. Small-Scale Apps: String Img.RenderControl() { Write(userimg); } → String Img.RenderControl() { Write(Sanitize(userimg)); } • Buggy Sanitizer • Missing Sanitization • [Pixy’06, PhpTaint’06, Cqual’04, Merlin’09, Securifly’05, PhpAspis’11, Saner’08, Bek’11]. Large-Scale Applications: • New Sanitization Errors [CCS’11] • SCRIPTGARD

  4. Contributions • Does Sanitization Defense Fail In Practice? • 7 Commercial Applications, 400 KLOC • 2 New Classes of Errors in Sanitizer Use • How Often & Why • SCRIPTGARD: Automated Sanitizer Use Analysis (Legacy .NET, Minimal Specs, Concrete Test Cases) • Can Auto-Correct Sanitization During Deployment

  5. Error #1: Context-Mismatched Sanitization (CMS). HTML Tag Context, e.g. <img src="sunset.gif" height="right"> and <a href="javascript: document.write('…');"> Diapers </a>: apply HtmlEncode. JS String Context, e.g. <script> var name='Stewie'; </script>: apply JSStringEncode. Applying HtmlEncode in the JS String Context instead lets the input \r\n; alert(document.cookie); through. 1,207 (4.7%) are CMS errors! Which Sanitizer To Apply Where?

  6. Why Does Context-Mismatch Happen? The Sanitization Context is a Global, Path-Sensitive Property of the path from input to Output Sink. But developers select Sanitizers Locally.

  7. Error #2: Inconsistent Multiple Sanitization (IMS). Attack Input → San 1 → San 2 → Output Sink: Safe? Attack Input → San 2 → San 1 → Output Sink: Safe? Does the Order Matter?

  8. Inconsistent Multiple Sanitization (IMS): Does it Really Happen? Attack Input → HtmlEncode → JSStringEncode versus Attack Input → JSStringEncode → HtmlEncode. 285 (8%) of multiple sanitizations are errors!

  9. Why Does IMS Happen? userlink flows into the SERVER-SIDE OUTPUT <script> document.write(' '); </script> <a href=" "></a> (Output Sink)

  10. Why Does IMS Happen: Nested Contexts. userlink → <script> document.write(' '); </script> <a href=" "></a>. JS String Context → JS Parser (JS Unicode Decode: \u0022 → "). URL Attribute Context → HTML Parser (Html-Entity Decode: &quot; → ")

  11. Why Does IMS Happen: Nested Contexts. Input ": Correct Sanitizer Order → \u0026quot; → JS Parser (JS Unicode Decode) → &quot; → HTML Parser (Html-Entity Decode) → ". Wrong Sanitizer Order → \u0022 → JS Parser (JS Unicode Decode) → ", which the HTML Parser then receives as a raw quote. Nested Contexts Cause Developer Confusion!
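The following is an added example, not code from the slides or from ScriptGard itself. It models the two sanitizers named on slides 5 and 8 (HtmlEncode and JSStringEncode, simplified: every special character becomes a \uXXXX escape, whereas the real HttpUtility.JavaScriptStringEncode also uses \n, \\ and similar), the two browser decoding stages on slide 10 (JS Unicode Decode, then Html-Entity Decode), and a checker that walks a value through that nesting. The checker flags the CMS case of slide 5 (HtmlEncode in a JS string context leaves line terminators in place) and the IMS case of slide 11 (the chain HtmlEncode → JSStringEncode yields \u0026quot; and is safe; the reverse yields \u0022 and is not). The context names, the `breaks` patterns and the `checkChain`/`correctOrder` helpers are this example's own constructions.

```javascript
// Added example, not ScriptGard's code: simplified .NET-style sanitizers, a
// two-stage browser decoding model for the nested sink on slide 10, and a
// checker that reports whether a sanitizer chain is safe for a context
// nesting and whether the inner context still receives the original data.

// Simplified HtmlEncode: the five characters that matter in HTML contexts.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Simplified JSStringEncode. Assumption: every special character becomes a
// \uXXXX escape (the real HttpUtility.JavaScriptStringEncode also emits \n, \\).
function jsStringEncode(s) {
  return s.replace(/[\\"'<>&\r\n]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Browser model: the decoding each parser performs before handing the value
// to the next (inner) context.
function jsUnicodeDecode(s) {
  return s.replace(/\\u([0-9a-fA-F]{4})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}
function htmlEntityDecode(s) {
  const map = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };
  return s.replace(/&(?:amp|lt|gt|quot|#39);/g, (e) => map[e]);
}

// A context is the decoder its parser applies, the encoder that belongs to it,
// and a pattern for text that would end the context before decoding: an
// unescaped quote, a line terminator or a stray backslash in a JS string;
// a double quote inside a double-quoted attribute value.
const JS_SQ_STRING = {
  name: 'JS single-quoted string', decode: jsUnicodeDecode, encoder: jsStringEncode,
  breaks: /['\r\n]|\\(?!u[0-9a-fA-F]{4})/,
};
const HTML_DQ_ATTRIBUTE = {
  name: 'HTML double-quoted attribute', decode: htmlEntityDecode, encoder: htmlEncode,
  breaks: /"/,
};

// Context nesting for slide 10's sink, outermost first: the value sits in a JS
// string literal, and document.write passes the decoded text to the HTML
// parser, where it lands in an href attribute.
const SCRIPT_WRITE_HREF = [JS_SQ_STRING, HTML_DQ_ATTRIBUTE];

// The correct sanitizer order is the reverse of the parse order: encode for
// the innermost context first, so the outermost context's encoder runs last.
function correctOrder(contexts) {
  return contexts.map((c) => c.encoder).reverse();
}

// Apply the sanitizers in call order, then push the result through each
// context's decoder, checking before every stage that the text cannot break
// out of that context. 'preserved' reports whether the innermost context
// finally sees the original data (a chain can be safe and still mangle it).
function checkChain(input, sanitizers, contexts) {
  let value = sanitizers.reduce((v, san) => san(v), input);
  for (const ctx of contexts) {
    if (ctx.breaks.test(value)) {
      return { safe: false, preserved: false, failedIn: ctx.name };
    }
    value = ctx.decode(value);
  }
  return { safe: true, preserved: value === input, failedIn: null };
}

// Constructed inputs: a quote character for the IMS case of slides 10-11 and
// a value containing a line terminator for the CMS case of slide 5.
function demo() {
  return {
    imsCorrect: checkChain('"', [htmlEncode, jsStringEncode], SCRIPT_WRITE_HREF),
    imsWrong:   checkChain('"', [jsStringEncode, htmlEncode], SCRIPT_WRITE_HREF),
    cmsWrong:   checkChain('Stewie\r\n', [htmlEncode], [JS_SQ_STRING]),
    cmsRight:   checkChain('Stewie\r\n', [jsStringEncode], [JS_SQ_STRING]),
  };
}
```

`demo().imsCorrect` is safe and preserved, `demo().imsWrong` fails in the attribute context because the JS parser has already turned \u0022 back into a raw quote, and `demo().cmsWrong` fails in the JS string context because HtmlEncode never touches \r\n. The `breaks` check before each decoding stage is the defender's view of a context: it asks whether the text as the parser sees it can terminate the enclosing literal or attribute, which is exactly what a path-specific sanitizer choice has to guarantee.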

  12. How Common Are Nested Contexts? Nesting Depth: Up to 4

  13. Take-Aways… Small-Scale Apps: • Buggy Sanitizer • Missing Sanitization • [Pixy’06, PhpTaint’06, Cqual’04, Merlin’09, Securifly’05, PhpAspis’11, Saner’08, Bek’11]. Large-Scale Applications: • Shared Paths lead to CMS & IMS • Developers apply correct sanitizers wrongly

  14. How Do We Find Sanitization Errors In Legacy Applications At Scale?

  15. SCRIPTGARD Analysis. Inputs: Legacy .NET, Sanitizer Specification, HTTP Requests → SCRIPTGARD → Outputs: Instrumented Server-side DLLs, Inconsistently Sanitized Test Cases

  16. SCRIPTGARD Analysis: Key Ideas • Path-Sensitive Positive Taint-Tracking (Path 1, Path 2, Path 3, Path 4) • Determine Contexts with a Browser Model

  17. SCRIPTGARD Analysis: Key Ideas • Path-Sensitive Positive Taint-Tracking (Path 1, Path 2, Path 3, Path 4) • Determine Contexts

  18. Precise Context Determination: Browser Parser Model → Contexts
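The following is an added example, not code from the slides or from ScriptGard, illustrating the two key ideas of slides 16-18: positive taint tracking that records which sanitizers a string has passed through on the executed path, and a sink check that compares that record with the chain the sink's context nesting requires. The `Tracked` wrapper, the verdict names (OK, IMS, CMS, MISSING), the minimal sanitizer stand-ins and the two constructed paths through a shared `renderLink` helper are this example's own; the required chain is derived the way slide 11 describes, as the reverse of the context nesting.

```javascript
// Added example, not ScriptGard's code: positive taint tracking. Each string
// carries the list of sanitizers already applied to it along the executed
// path; at the output sink that list is compared with the chain required by
// the sink's context nesting, and mismatches are classified as the two error
// patterns from the slides. Sanitizer bodies are deliberately minimal stand-ins.

class Tracked {
  constructor(value, applied = []) {
    this.value = value;      // the current string
    this.applied = applied;  // sanitizer names, in the order they ran
  }
}
function fromRequest(value) { return new Tracked(value); }

// Minimal stand-ins for the two sanitizers (only the characters needed here).
const SANITIZERS = {
  HtmlEncode: (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;'),
  JSStringEncode: (s) => s.replace(/&/g, '\\u0026').replace(/"/g, '\\u0022'),
};
function sanitize(name, t) {
  return new Tracked(SANITIZERS[name](t.value), [...t.applied, name]);
}

// Contexts a sink can be in, outermost first. The required chain is the
// reverse of the nesting, as on slide 11.
const CTX_JS_STRING = { name: 'JS string', encoder: 'JSStringEncode' };
const CTX_HTML_ATTR = { name: 'HTML attribute', encoder: 'HtmlEncode' };
const PATH_DIRECT_HREF = [CTX_HTML_ATTR];                  // <a href="...">
const PATH_SCRIPT_WRITE = [CTX_JS_STRING, CTX_HTML_ATTR];  // document.write('<a href="...">')

function requiredChain(contexts) {
  return contexts.map((c) => c.encoder).reverse();
}

// OK: exact match. MISSING: nothing applied. IMS: right sanitizers, wrong
// order. CMS: anything else (wrong, too few or too many sanitizers for this
// context).
function classify(applied, required) {
  if (applied.join('>') === required.join('>')) return 'OK';
  if (applied.length === 0) return 'MISSING';
  const sameSet = applied.length === required.length &&
    required.every((n) => applied.includes(n));
  return sameSet ? 'IMS' : 'CMS';
}

// Check at the sink: the tracker knows what ran, the browser model says what
// the sink's nesting needs.
function checkSink(t, contexts) {
  const required = requiredChain(contexts);
  return { verdict: classify(t.applied, required), applied: t.applied, required };
}

// Constructed scenario: a shared render helper applies HtmlEncode once and is
// reached from two paths whose sinks sit in different context nestings.
function renderLink(userlink) {
  return sanitize('HtmlEncode', userlink);
}
function demo() {
  const userlink = fromRequest('http://example.invalid/?q="Diapers"');  // constructed input
  const rendered = renderLink(userlink);
  return {
    pathA: checkSink(rendered, PATH_DIRECT_HREF).verdict,    // 'OK'
    pathB: checkSink(rendered, PATH_SCRIPT_WRITE).verdict,   // 'CMS': JSStringEncode missing on this path
    pathBSwapped: checkSink(sanitize('HtmlEncode', sanitize('JSStringEncode', userlink)),
                            PATH_SCRIPT_WRITE).verdict,      // 'IMS'
    pathBFixed: checkSink(sanitize('JSStringEncode', rendered), PATH_SCRIPT_WRITE).verdict,  // 'OK'
    unsanitized: checkSink(userlink, PATH_DIRECT_HREF).verdict,  // 'MISSING'
  };
}
```

The same `rendered` value is correct on path A and a CMS error on path B, which is the point of slide 6: the sanitizer choice inside `renderLink` is local, but whether it is right depends on the whole path to the sink. Tracking what was applied (positive taint) rather than what is untrusted is what makes the sink check cheap: the sink only needs the list and the context nesting, not a re-parse of the value.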

  19. How Can We Correct Sanitization Errors Automatically?

  20. SCRIPTGARD: Can We Auto-Patch Sanitization Errors? • The Bad News: Large slowdown • Observation: Less than 10% of paths problematic • Can We Detect When A Problematic Path Is Executed? Yes! • Preferential Path Profiling [POPL’06] • Negligible Overhead

  21. SCRIPTGARD Auto-Correction. Pre-Release Analysis: SCRIPTGARD → Sanitization Cache, Sanitizer Patch. Deployment: Preferential Path Profiler + Sanitizer Patch on Server Code With Light-weight Instrumentation

  22. Conclusions • 2 New Patterns of Errors in Sanitizer Use • SCRIPTGARD • Effective Analysis Tool • Auto-Correction with Negligible Overhead

  23. You have been a wonderful audience …you stayed… Prateek Saxena http://www.cs.berkeley.edu/~prateeks/

  24. Sanitizer Correction is Challenging. Can We Just Replace HtmlEncode with another Sanitizer? Contexts Vary By Path Executed (San → HtmlEncode → … → Output Sink)
