Dynamic Code Evaluation & Taint Analysis (austin/cs152-fall16/slides/CS152...)

Page 1

CS 152: Programming Language Paradigms

Prof. Tom Austin San José State University

Dynamic Code Evaluation & Taint Analysis

Page 2

Parsing JSON (in-class)

Page 3

Review: additional Ruby eval methods

• instance_eval evaluates code within the body of an object.

• class_eval evaluates code within the body of a class.

• These methods can take a string or (more safely) a block of code.
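
As an added example (not code from the slides), the same reader-generating class_eval written once with a string and once with a block, plus an instance_eval call on a single object. Widget, add_reader_with_string, add_reader_with_block, set_ivar and the method-name check are all constructed for this illustration.

```ruby
# Added example (not from the slides). Shows string-form vs block-form
# class_eval, and instance_eval on a single object. Widget and the helper
# names are invented for this illustration.
class Widget; end

# String form: the source text is parsed at runtime, so anything interpolated
# into it becomes code. The name must be checked before it reaches class_eval.
def add_reader_with_string(klass, name)
  unless name.to_s.match?(/\A[a-z_][a-zA-Z0-9_]*\z/)
    raise ArgumentError, "refusing to eval method name #{name.inspect}"
  end
  klass.class_eval("def #{name}; @#{name}; end")
  name.to_sym
end

# Block form: nothing is parsed; `name` is only ever used as a method name,
# so a string such as "x; puts 'injected'" cannot turn into extra code.
def add_reader_with_block(klass, name)
  klass.class_eval do
    define_method(name) { instance_variable_get("@#{name}") }
  end
  name.to_sym
end

# instance_eval: run a block with self bound to one object, here to set an
# instance variable without needing a writer method.
def set_ivar(obj, name, value)
  obj.instance_eval { instance_variable_set("@#{name}", value) }
  obj
end
```

The block form is the one to reach for whenever the method name or body comes from outside the program: it never builds source text, so there is nothing for untrusted input to inject into.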

Page 4

class_eval example

(in class)

Page 5

Page 6

The mind of a developer

What does my code need to do?

Stupid documentation

Hmm… I wonder if my code is secure

Page 7

Web Security in the News

Page 8

How do companies/developers cope?

• Train/shame developers to follow best practices.
• Hire security experts
• Use analysis tools
• Hush up mistakes
• Budget to handle emergencies
• Bury their heads in the sand.

Page 9

Secure By Architecture

Developers make mistakes.

Can we design tools to create secure systems, despite developer mistakes?

Page 10

Success story: memory-safe languages

• Buffer overflows were once ubiquitous
• Memory-safe languages manage memory automatically
  – Developers focus on functionality
  – Security-critical bugs are eliminated
• Buffer overflows have virtually disappeared
  – Except in your OS, web browser, etc.

Page 11

Three Security Mechanisms

• Taint analysis:
  – Protect critical fields from "dirty" data
• Information flow analysis:
  – Prevent secrets from leaking.

Page 12

Taint Analysis: Protecting against dirty data

Page 13

Taint analysis

• Taint analysis focuses on integrity:
  – Does "dirty" data corrupt trusted data?
• Integrated into Perl and Ruby
• Handles explicit flows only
  – direct assignment
  – passing parameters

Page 14

Attacks preventable by taint analysis

• Data under the control of the user may pose a security risk
  – SQL injection
  – cross-site scripting (XSS)
  – cross-site request forgery (CSRF)
• Taint tracking tracks untrusted variables and prevents them from being used in unsafe operations

Page 15

Taint Tracking History

• 1989 – Perl 3 support for a taint mode
• 1996 – Netscape included support for a taint mode in server-side JavaScript
  – Later abandoned
• Ruby later implemented a taint mode; we'll review it in more depth.

Page 16

Taint Mode in Ruby

• Protect against integrity attacks.
  – E.g. data pulled from an HTML form cannot be passed to eval.
• Cannot taint booleans or ints.
• Multiple ways to run in safe mode:
  – Use the -T command line flag.
  – Assign the $SAFE variable in code.

Page 17

$SAFE levels in Ruby

• 0 – No checking (default)
• 1
  – Tainted data cannot be passed to eval
  – Cannot load/require new files
• 2 – Can't change, make, or remove directories
• 3
  – New strings/objects are automatically tainted
  – Cannot untaint tainted values
• 4 – Safe objects become immutable

Page 18

# Requires a Ruby release that still has taint tracking and $SAFE
# (both were deprecated in Ruby 2.7 and removed in Ruby 3; the
# higher $SAFE levels went away earlier).
s = "puts 4-3".taint
$SAFE = 1             # Can't eval tainted data
s.untaint             # Removes taint from data
puts s.tainted?
eval s
$SAFE = 3
s2 = "puts 2 * 7"     # Tainted
s2.untaint            # Won't work now
eval s2
eval s                # this is OK

Page 19

# Data from web
s = "Robert'); DROP TABLE " + "STUDENTS;--"
s.taint
exec_query("SELECT *" + " FROM STUDENTS" + " WHERE NAME='" + s + "';")

Page 20

class Record
  def exec_query(query_str)
    if query_str.tainted?
      puts "Err: tainted string"
    else
      # Perform the query ...
    end
  end
end
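
The three slides above show the pieces of taint tracking: a source that taints data, string building that carries the taint along, and a sink that refuses tainted input. As an added example (not code from the slides), here is the same mechanism written in plain Ruby, since the built-in String#taint / $SAFE machinery the slides rely on was deprecated and later removed from the language. Tainted, TaintError, from_request, validate_name, build_query and exec_query are all constructed for this illustration.

```ruby
# Added example (not from the slides). Ruby's built-in String#taint / $SAFE
# mechanism was deprecated and later removed, so this models the same idea
# in plain Ruby: a Tainted wrapper carries a taint bit from an untrusted
# source through string building to a sink that refuses tainted input.
# Tainted, TaintError, from_request, validate_name, build_query and
# exec_query are all constructed for this illustration.
class TaintError < StandardError; end

class Tainted
  attr_reader :value

  def initialize(value, tainted: true)
    @value = value.to_s
    @tainted = tainted
  end

  def tainted?
    @tainted
  end

  # Explicit flow through concatenation: the result is tainted if either side is.
  def +(other)
    other_tainted = other.is_a?(Tainted) && other.tainted?
    Tainted.new(@value + other.to_s, tainted: @tainted || other_tainted)
  end

  # Only a deliberate untaint (after validation) clears the bit.
  def untaint
    Tainted.new(@value, tainted: false)
  end

  def to_s
    @value
  end
end

# Source: everything that arrives in request parameters is tainted.
def from_request(params, key)
  Tainted.new(params.fetch(key), tainted: true)
end

# Sanitizer: a strict allow-list check is the only path to untainted data.
def validate_name(name)
  return name.untaint if name.to_s.match?(/\A[A-Za-z][A-Za-z ]{0,31}\z/)
  raise TaintError, "name failed validation: #{name.to_s.inspect}"
end

# Query text built from a trusted literal and the (possibly tainted) name.
def build_query(name)
  Tainted.new("SELECT * FROM STUDENTS WHERE NAME='", tainted: false) + name + "'"
end

# Sink: mirrors Record#exec_query on the slide, but raises instead of printing.
def exec_query(query)
  raise TaintError, "refusing to execute tainted query" if query.tainted?
  "executed: #{query}"  # the real query would run here
end
```

The taint bit does not replace a parameterized query; its value is that a query assembled from request data that nobody validated is stopped at the sink instead of reaching the database, which is exactly the class of mistake the slides' Record#exec_query check is there to catch.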

Page 21

Information Flow Analysis

Here be dragons…

Page 22

Information Flow Analysis

• Related to taint analysis
• Focuses on confidentiality:
  – Does secret data leak to public channels?
• Assumes attacker controls some code
• Must consider implicit flows
  – Can the attacker deduce secrets?

Page 23

Challenge of Securing Information

[Diagram: Developer, Sensitive Data, Private Channel, Public Channel]

Policy: Keep location of the spray paint can from leaking to public channels.

Page 24

Challenge of Securing Information

[Diagram: Developer, Sensitive Data, Private Channel, Public Channel]

if (chan.police){ write(chan, spraycanLocation); }

Page 25

[Diagram: Developer, Sensitive Data, Private Channel, Public Channel]

if (chan.police){ write(chan, spraycanLocation); }

New Developers / New System Requirements:

write(chan, spraycanLocation);

Page 26

Information Leaked

Page 27

Additional Information Flow Challenges

Applications often make use of 3rd party libraries of questionable quality...

…or have vulnerabilities to code injection attacks...

…so we must assume that the attacker is able to inject code into our system.

Page 28

Information Flow Analysis in Action

[Diagram: Sensitive Data, Public Data, Private Channel, Public Channel]

Page 29

Information Flow Analysis in Action

[Diagram: Sensitive Data, Public Data, Private Channel, Public Channel]

Page 30

Termination-Insensitive Non-Interference

[Diagram: Sensitive Data, Public Data, Private Channel, Public Channel]

Public outputs do not depend on private inputs
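
An added note (not on the slide): the property can be written out for a program $P$ whose input splits into a public part $i_L$ and a private part $i_H$, with $P(i)\downarrow$ meaning the run terminates and $|_L$ the public part of the output:

$$
\forall i_L,\, i_H,\, i_H'.\quad P(i_L, i_H)\downarrow \;\wedge\; P(i_L, i_H')\downarrow \;\Longrightarrow\; P(i_L, i_H)|_L = P(i_L, i_H')|_L
$$

Two runs that agree on public inputs must agree on public outputs. "Termination-insensitive" means the requirement only applies when both runs terminate, so a run that is aborted (as the rejecting monitor later in the deck does) does not count as a leak.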

Page 31

Explicit and Implicit Flows

(The subscript on a value is its security label.)

spraycanLocation = "Kwik-E-Mart"_police;
Location is only visible to the police.

x = spraycanLocation;
Explicit flow from spraycanLocation to x.

if (x.charAt(0) < 'N') {
  firstCharMax = 12;
}
Implicit flow from x to firstCharMax.

Page 32

[Diagram: three roles around the call write(chan, spraycanLocation);]

• Developer – Core Functionality: write(chan, spraycanLocation);
• Business Domain Expert – Label Data: attach label police to spraycanLocation
• Security Expert – Enforcement Mechanism: label: police, chan: police

Page 33

[Diagram: three roles around the call write(chan, spraycanLocation);]

• Developer – Core Functionality: write(chan, spraycanLocation);
• Business Domain Expert – Label Data: attach label police to spraycanLocation
• Security Expert – Enforcement Mechanism: label: police, chan: public

DENIED

Page 34

Denning-style Static Analysis

• Certification process, perhaps integrated into a compiler.
• Data can flow down the lattice
• Programs can be guaranteed to be secure before the program is ever executed.

Page 35

Static Analysis Certification

var secret = true_bank;
var y = true;
if (secret) y = false;
var leak = true;
if (y)
  leak = false;

• Analysis ensures that private data does not affect public data.
• In this example, y's final value depends on x.
• [Denning 1976]

Page 36

Purely Dynamic Info Flow Controls

• Instrument interpreter with runtime controls
• Implicit flows can be handled by:
  – Ignoring unsafe updates
  – Crashing on unsafe updates
  – Leaking some data (not satisfying noninterference)

Page 37

A Tainting Approach

One obvious strategy: if a public variable is updated in a private context, make it private as well.

var secret = true_bank;
var y = true;
if (secret)
  y = false;     // Set y = false_bank

Page 38

Challenges With Implicit Flows

var secret = true_bank;
var y = true;
if (secret) y = false;
var leak = true;
if (y)
  leak = false;

Trace with secret = true_bank:  y = false_bank, leak = true
Trace with secret = false_bank: y = true, leak = false

Page 39

Dynamic Monitors Reject Executions

var secret = true_bank;
var y = true;
if (secret) y = false;

Execution terminates to protect the value of secret.

Zdancewic 2002
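
Pages 37 through 39 contrast two ways a runtime monitor can treat an update to a public variable inside a secret branch: upgrade the variable's label (the tainting approach, which still leaks through the second `if`), or stop the execution. As an added example (not code from the slides), here is a toy dynamic monitor in Ruby that runs the slide's program under both strategies. Labeled, LEVEL, join, Monitor, run_program and observe are all constructed for this illustration; the labels :public and :bank stand for the slide's plain and bank-subscripted values.

```ruby
# Added example (not from the slides): a toy dynamic information-flow monitor.
# A Labeled value carries a security label (:public or :bank); the monitor's
# pc label records the label of the enclosing branch condition. On an update
# to a public variable under a :bank pc (an implicit flow) it either
#   :taint - upgrades the variable's label (the "tainting approach"), or
#   :crash - aborts the execution (the rejecting monitor).
# Labeled, Monitor, run_program and observe are constructed for this illustration.
Labeled = Struct.new(:value, :label)

LEVEL = { public: 0, bank: 1 }.freeze

# Least upper bound of two labels.
def join(a, b)
  LEVEL[a] >= LEVEL[b] ? a : b
end

class Monitor
  attr_reader :pc

  def initialize(strategy)
    @strategy = strategy
    @vars = {}
    @pc = :public
  end

  # Declaration under the current pc.
  def declare(name, value, label = :public)
    @vars[name] = Labeled.new(value, join(label, @pc))
  end

  # Assignment: explicit flow from the value, implicit flow from the pc.
  def assign(name, labeled)
    old = @vars.fetch(name)
    if LEVEL[old.label] < LEVEL[@pc] && @strategy == :crash
      raise "unsafe update: #{name} is #{old.label} but pc is #{@pc}"
    end
    @vars[name] = Labeled.new(labeled.value, join(labeled.label, @pc))
  end

  # `if (guard) { ... }`: raise pc to the guard's label while inside the branch.
  def branch(guard_name)
    guard = @vars.fetch(guard_name)
    saved = @pc
    @pc = join(@pc, guard.label)
    begin
      yield if guard.value
    ensure
      @pc = saved
    end
  end

  def read(name)
    @vars.fetch(name)
  end
end

# The program from the "Challenges With Implicit Flows" slide.
def run_program(secret, strategy)
  m = Monitor.new(strategy)
  m.declare(:secret, secret, :bank)
  m.declare(:y, true)
  m.branch(:secret) { m.assign(:y, Labeled.new(false, :public)) }
  m.declare(:leak, true)
  m.branch(:y) { m.assign(:leak, Labeled.new(false, :public)) }
  m.read(:leak)
end

# What an observer of the public channel sees: public values only.
def observe(labeled)
  labeled.label == :public ? labeled.value : :hidden
end
```

Under :taint, `leak` stays public and its value is `true` when the secret is true and `false` when it is false, so the public observer learns the secret: the monitor has tracked the flow into `y` but not the flow out of the untaken branch. Under :crash, the run with a true secret is aborted at the update to `y` and the run with a false secret completes normally, which is the termination-insensitive behaviour the previous slide describes.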

Page 40

Secure Multi-Execution

Executes the program multiple times:
• High execution
  – Sees all information
  – Only writes to authorized channels
• Low execution
  – Only sees public data
  – Writes to public channels
  – Confidential data replaced with default values.

Page 41

Original Program:
var pass = mkSecret("scytale");
if (pass[0]==("s")) write(chan,"s");

Low Execution Program:
var pass = "";
if (pass[0]==("s")) write(chan,"s");

High Execution Program:
var pass = "scytale";
if (pass[0]==("s")) { write(chan,"s"); }

Page 42

Secure Multi-Execution

[Diagram:
High execution – inputs: private inputs, public inputs; outputs: private outputs
Low execution – inputs: public inputs, dummy values; outputs: public outputs]
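
As an added example (not code from the slides), here is secure multi-execution of the password-check program from the previous two slides, written in Ruby. The program is run twice: the low run sees a dummy value in place of the secret and may write only to the public channel, the high run sees the real secret and may write only to the private channel. A single unrestricted run is included for comparison. Channel, Run, UnrestrictedRun, secure_multi_execute, naive_execute and PASSWORD_CHECK are all constructed for this illustration; the write of the password to the private channel is an addition to the slide's program so the private output is visible.

```ruby
# Added example (not from the slides): secure multi-execution of the
# password-check program. Channel, Run, UnrestrictedRun, secure_multi_execute,
# naive_execute and PASSWORD_CHECK are constructed for this illustration.
Channel = Struct.new(:name, :level, :messages)

# One execution at a given level; write() silently drops output to channels
# the run is not authorized for instead of delivering it.
class Run
  def initialize(level)
    @level = level
  end

  def write(chan, msg)
    chan.messages << msg if chan.level == @level
  end
end

# A single run with no restrictions, for comparison.
class UnrestrictedRun
  def write(chan, msg)
    chan.messages << msg
  end
end

# `program` receives (secret, public_chan, private_chan, run).
def secure_multi_execute(program, secret, dummy: "")
  public_chan  = Channel.new(:public, :low, [])
  private_chan = Channel.new(:private, :high, [])
  program.call(dummy,  public_chan, private_chan, Run.new(:low))   # low execution
  program.call(secret, public_chan, private_chan, Run.new(:high))  # high execution
  { public: public_chan.messages, private: private_chan.messages }
end

def naive_execute(program, secret)
  public_chan  = Channel.new(:public, :low, [])
  private_chan = Channel.new(:private, :high, [])
  program.call(secret, public_chan, private_chan, UnrestrictedRun.new)
  { public: public_chan.messages, private: private_chan.messages }
end

# var pass = mkSecret("scytale"); if (pass[0]=="s") write(chan, "s");
# plus a legitimate write of the secret to the private channel.
PASSWORD_CHECK = lambda do |pass, public_chan, private_chan, run|
  run.write(public_chan, "s") if pass[0] == "s"
  run.write(private_chan, pass)
end
```

With a single unrestricted run the public channel receives "s", one character of the password. Under secure multi-execution the low run tests the dummy "" (whose first character is nil) and writes nothing, and the high run's write to the public channel is dropped, so the public channel stays empty whatever the password is while the private channel still receives the real value. Public outputs are identical across all secrets, which is the non-interference property from Page 30 enforced by construction rather than by analysing the code.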

Page 43

Lab: Taint tracking

Today's lab explores taint tracking in Ruby. Starter code is available on the course website. Details in Canvas.