Presentation published 9 years ago by user Алег Алегыч
Slide 2: Web applications are easier to create than ever!
Slide 3: Securing web applications is not nearly as easy!
Slide 7: <script>alert(document.cookie);</script> (XSS example)
Slide 11 (diagram): an Application with Page A, Page B, Page C and Page D, each performing Write, Append, Read or Delete operations on a Data Object.
Slide 12 (diagram): the same, with the Data Object also flowing out as Output HTML.
Slide 14 (diagram): a Proxy that Enforces Security Policies sits between the pages and the Data Object, mediating every Write, Append, Read and Delete.
Slide 15 (diagram): the proxy in place, with the Data Object again flowing out as Output HTML.
Slide 16: Our Philosophy. Security policies should be attached to the data. Security policies should be enforced automatically.
Slide 17 (diagram): Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code. GuardRails provides Access Control Policies and Fine-Grained Taint Tracking; its aims are to Prevent Bugs and Security Vulnerabilities, Improve Readability, and be Easy to Use.
Slide 18: Design Goals. Top priority: automatically enforce security policies. Other objectives: preserve application functionality; easy for developers to use. Lesser goal: minimize performance cost.
Slides 22-23: a query condition built by hand in project.rb, with no visibility check:

    if include_subprojects && !active_children.empty?
      ids = [id] + active_children.collect {|c| c.id}
      conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]

Slide 24: the same code with the visibility condition appended to the SQL by hand:

    if include_subprojects && !active_children.empty?
      ids = [id] + active_children.collect {|c| c.id}
      conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND #{Project.visible_by}"]
Slide 25: In the application's own code the access checks are scattered across files: application_helper.rb (4 checks), project.rb (2 checks), projects_controller.rb (3 checks), acts_as_searchable.rb (1 check). With GuardRails this becomes 1 annotation in the Project model file:

    class Project < ActiveRecord::Base
      :read, :self, lambda{|user| self.is_public or user.memberships.include? self.id}
      # Project statuses
      STATUS_ACTIVE = 1
      …

The same policy with the target omitted: :read, lambda{|user| self.is_public or user.memberships.include? self.id}

Slide 26: Access Control Policy Annotations. Form: (policy_type, [target], [handler], mediator), where target and handler are optional. Examples:

    :delete, :self, :admin
    :write, :password, lambda{|user| user.id == self.id}
    :append, :members, lambda{|user| user.belongs_to?(self)}
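The slides above describe policies attached to the data object and a proxy that enforces them automatically. The following is an added illustration of that design written for this page; it is not GuardRails' own implementation. It models a policy as a (policy_type, target, mediator) triple, where the mediator is a role symbol or a lambda evaluated with the user in the context of the protected object, and a proxy checks the matching policies before every read, write, append or delete. The User and Project classes, the owner_id field and the membership lists are constructed for the example.

```ruby
# Added illustration, not GuardRails' own code: a data object carries its
# access-control policies, and a proxy in front of it enforces them on every
# operation. Policy shape follows the slide: (policy_type, target, mediator).
# User, Project, owner_id and the membership data are constructed here.

class AccessDenied < StandardError; end

User = Struct.new(:id, :admin, :memberships) do
  def admin?
    admin
  end

  def belongs_to?(project)
    memberships.include?(project.id)
  end
end

class Project
  attr_accessor :id, :owner_id, :is_public, :members, :password

  def initialize(id:, owner_id:, is_public:, members: [])
    @id, @owner_id, @is_public, @members = id, owner_id, is_public, members
    @password = 'initial'
  end

  # Policies attached to the data. target :self covers the whole object;
  # a field symbol covers one attribute. Lambdas run with self = the project,
  # so is_public and owner_id resolve to the project's own attributes.
  POLICIES = [
    [:read,   :self,     ->(user) { is_public || user.belongs_to?(self) }],
    [:delete, :self,     :admin],
    [:write,  :password, ->(user) { user.id == owner_id }],
    [:append, :members,  ->(user) { user.belongs_to?(self) }]
  ].freeze
end

# Proxy that enforces the policies: no operation reaches the object unless a
# matching policy admits the current user; having no policy at all also denies.
class PolicyProxy
  def initialize(object, user)
    @object = object
    @user = user
  end

  def read(field)
    check!(:read, :self)
    @object.public_send(field)
  end

  def write(field, value)
    check!(:write, field)
    @object.public_send("#{field}=", value)
  end

  def append(field, value)
    check!(:append, field)
    @object.public_send(field) << value
  end

  def delete
    check!(:delete, :self)
    :deleted
  end

  private

  def check!(type, target)
    rules = @object.class::POLICIES.select { |t, tg, _| t == type && tg == target }
    raise AccessDenied, "no #{type} policy for #{target}" if rules.empty?
    return true if rules.any? { |_, _, mediator| mediate(mediator) }
    raise AccessDenied, "#{type} on #{target} denied for user #{@user.id}"
  end

  def mediate(mediator)
    case mediator
    when Symbol then @user.public_send("#{mediator}?")      # role check, e.g. :admin
    when Proc   then @object.instance_exec(@user, &mediator) # policy lambda
    else false
    end
  end
end

# True if the proxied operation was permitted, false if the policy denied it.
def permitted?(proxy, op, *args)
  proxy.public_send(op, *args)
  true
rescue AccessDenied
  false
end
```

Because the policies live on the model rather than in each controller or helper, adding a new page that touches a Project cannot forget a check: the proxy is the only path to the object, which is the point of the scattered-checks count on slide 25.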
Slide 27 (section transition diagram): Annotated Ruby on Rails Code -> GuardRails -> Secure Ruby on Rails Code, now focusing on Fine-Grained Taint Tracking next to Access Control Policies.
Slide 28: Dynamic Taint Tracking protects against injection attacks.
SQL Injection: query built as "SELECT profile FROM users WHERE username='" + user_name + "'"
    Good: user_name = jazzFan26
    Bad:  user_name = '; DROP TABLE users--
Cross-Site Scripting: page built as "User: " + user_name + ...
    Good: user_name = DrKevinPhillips
    Bad:  user_name = <script>alert(document.cookie);</script>
Slide 32: Taint Propagation (diagram). URL Parameters, Form Data and Other User Input enter through the Controller, flow into the Model and are stored in the Database with their Taint Status alongside the Data; when the View emits Tainted HTML, Sanitization turns it into Safe HTML.
Slide 33: Expressive Taint Status. Example string value SoccerFan1985; taint is recorded per character index, so one string can consist of different chunks with different taint.
Slide 34: Transformers. The Default Transformer maps each use context to the appropriate sanitization routine:

    {:HTML => {"//script" => NoDisplay, :default => NoHTMLAllowed},
     :SQL => SQLSanitize,
     :Ruby_eval => NoDisplay}

Slide 35: Transformers (diagram). A string consists of raw chunks, each with its own transformer (Raw String Chunk 1 with Transformer 1, Chunk 2 with Transformer 2, Chunk 3 with Transformer 3). Given the Use Context, each transformer yields a Sanitized Chunk, and the sanitized chunks are joined into the Sanitized String.
Slide 36: Transformer Annotations. Different sanitization policies apply in different contexts; within HTML the context is specified with XPath. Form: # @ taint, target, transformer. Examples:

    # @ :taint, :username, {:HTML => AlphaNumericOnly}
    # @ :taint, :full_name, {:HTML => {TitleTag => LettersAndSpacesOnly, :default => NoHTML}}
    # @ :taint, :profile, {:HTML => {"//script" => Invisible, :default => BoldItalicUnderlineOnly}}
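Slides 33 to 36 describe a per-chunk taint status and transformers selected by use context. The block below is an added example written for this page, not GuardRails' code: a TaintedString is a list of chunks, trusted chunks pass through unchanged, and each tainted chunk is sanitized by the transformer for the context it is rendered in (falling back to a default transformer map, as on slide 34). The sanitizer bodies, the two rendering helpers and all inputs are constructed for the example; the XPath sub-contexts within HTML from slide 36 are left out, so each context maps to a single routine.

```ruby
# Added example, not GuardRails' own code: chunk-wise taint tracking with
# context-keyed transformers. Sanitizer behaviours here are made up to match
# the slide's names; real routines would be more thorough.
require 'cgi'

# Sanitization routines, named after the slide's transformers.
NoHTMLAllowed    = ->(s) { CGI.escapeHTML(s) }            # neutralize all markup
AlphaNumericOnly = ->(s) { s.gsub(/[^A-Za-z0-9]/, '') }
SQLSanitize      = ->(s) { s.gsub("'", "''") }             # escape quotes inside a string literal
NoDisplay        = ->(_) { '' }

# Default transformer: use context -> sanitization routine (slide 34, flattened).
DEFAULT_TRANSFORMER = { HTML: NoHTMLAllowed, SQL: SQLSanitize, Ruby_eval: NoDisplay }.freeze

# A chunk is raw text plus its transformer map; nil transformers means trusted.
Chunk = Struct.new(:text, :transformers) do
  def tainted?
    !transformers.nil?
  end
end

class TaintedString
  attr_reader :chunks

  def initialize(chunks = [])
    @chunks = chunks
  end

  # Literal program text: trusted, carries no transformers.
  def self.trusted(text)
    new([Chunk.new(text, nil)])
  end

  # User input: tainted, carrying a field-specific transformer map
  # (the :taint annotation on slide 36) or the default one.
  def self.tainted(text, transformers = DEFAULT_TRANSFORMER)
    new([Chunk.new(text, transformers)])
  end

  # Concatenation keeps chunk boundaries, so taint survives string building.
  def +(other)
    TaintedString.new(chunks + other.chunks)
  end

  # Taint status per character index (slide 33): true where tainted.
  def taint_map
    chunks.flat_map { |c| [c.tainted?] * c.text.length }
  end

  # Render for a use context: trusted chunks pass through, tainted chunks are
  # sanitized by their own routine for that context or the default one.
  def render(context)
    chunks.map do |c|
      next c.text unless c.tainted?
      sanitizer = c.transformers.fetch(context) { DEFAULT_TRANSFORMER.fetch(context) }
      sanitizer.call(c.text)
    end.join
  end
end

# The two scenarios from slide 28, with the query and page built by concatenation.
def sql_query_for(user_name)
  q = TaintedString.trusted("SELECT profile FROM users WHERE username='") +
      TaintedString.tainted(user_name) +
      TaintedString.trusted("'")
  q.render(:SQL)
end

def html_greeting_for(user_name, transformers = DEFAULT_TRANSFORMER)
  (TaintedString.trusted('User: ') + TaintedString.tainted(user_name, transformers)).render(:HTML)
end
```

The trusted quote characters around the user name are not escaped, while the same quote character inside the tainted chunk is; that distinction is only possible because taint is tracked per chunk rather than per string, which is what slide 33 means by an expressive taint status.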
Slide 40: Test Applications, by type and size: Image Gallery (680 lines); E-Commerce (5556 lines); Project Management (30747 lines); E-Commerce (11561 lines).
Slide 41: Performance Notes.
Slide 42: Try GuardRails. Alpha Release Now Available! Our Web Page: Full source code can be downloaded from GitHub. Contact Info:
Slide 43: Questions? Alpha Release Now Available! Our Web Page: Full source code can be downloaded from GitHub. Contact Info: