Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data...
Transcript of Dynamic Code Evaluation & Taint Analysisaustin/cs152-fall16/slides/CS152... · – Tainted data...
CS 152: Programming Language Paradigms
Prof. Tom Austin San José State University
Dynamic Code Evaluation & Taint Analysis
Parsing JSON (in-class)
Review: additional Ruby eval methods
• instance_eval evaluates code within the body of an object.
• class_eval evaluates code within the body of a class.
• These methods can take a string or (more safely) a block of code.
class_eval example
(in class)
The mind of a developer
What does my code
need to do? Stupid documentation
Hmm… I wonder if my code is secure
Web Security in the News
How do companies/developers cope?
• Train/shame developers to follow best practices.
• Hire security experts • Use analysis tools • Hush up mistakes • Budget to handle emergencies • Bury their heads in the sand.
Secure By Architecture
Developers make mistakes.
Can we design tools to create secure systems, despite developer mistakes?
Success story: memory-safe languages
• Buffer overflows were once ubiquitous • Memory-safe languages manage
memory automatically – Developer focus on functionality – Security-critical bugs are eliminated
• Buffer overflows have virtually disappeared – Except in your OS, web browser, etc.
Three Security Mechanisms
• Taint analysis: – protect critical fields from
"dirty" data • Information flow analysis:
– Prevent secrets from leaking.
Taint Analysis: Protecting against dirty data
Taint analysis
• Taint analysis focuses on integrity: – does "dirty" data corrupt trusted data?
• Integrated into Perl and Ruby • Handles explicit flows only
– direct assignment – passing parameters
Attacks preventable by taint analysis
• Data under the control of the user may pose a security risk – SQL injection – cross-site scripting (XSS) – cross-site request forgery (CSRF)
• Taint tracking tracks untrusted variables and prevents then from being used in unsafe operations
Taint Tracking History
• 1989 – Perl 3 support for a taint mode • 1996 – Netscape included support for a
taint mode in server-side JavaScript – Later abandoned
• Ruby later implemented a taint mode; we'll review in more depth.
Taint Mode in Ruby
• Protect against integrity attacks. – E.g. Data pulled from an HTML form
cannot be passed to eval. • Cannot taint booleans or ints. • Multiple ways to run in safe mode:
– Use –T command line flag. – Include $SAFE variable in code.
$SAFE levels in Ruby
• 0 – No checking (default) • 1
– Tainted data cannot be passed to eval – Cannot load/require new files
• 2 – Can't change, make, or remove directories • 3
– New strings/objects are automatically tainted – Cannot untaint tainted values
• 4 – Safe objects become immutable
s = "puts 4-3".taint $SAFE = 1 # Can't eval tainted data s.untaint # Removes taint from data puts s.tainted? eval s $SAFE = 3 s2 = "puts 2 * 7" # Tainted s2.untaint # Won't work now eval s2 eval s # this is OK
# Data from web s = "Robert'); DROP TABLE " + "STUDENTS;--" s.taint exec_query("SELECT *" + " FROM STUDENTS" + " WHERE NAME='" + s + "';"
class Record def exec_query(query_str)
if query_str.tainted? puts "Err: tainted string"
else # Perform the query ...
end end end
Information Flow Analysis
Here be dragons…
Information Flow Analysis
• Related to taint analysis • Focuses on confidentiality:
– does secret data leak to public channels? • Assumes attacker controls some code • Must consider implicit flows
– can the attacker deduce secrets?
Developer
Sensitive Data
Challenge of Securing Information
Private Channel
Public Channel
Policy: Keep location of the spray paint can from leaking to public channels.
Developer
Sensitive Data
Private Channel
Public Channel
if (chan.police){ write(chan, spraycanLocation); }
if (chan.police){ write(chan, spraycanLocation); }
Challenge of Securing Information
Developer
Sensitive Data
Private Channel
Public Channel
if (chan.police){ write(chan, spraycanLocation); }
if (chan.police){ write(chan, spraycanLocation); }
New Developers
write(chan, spraycanLocation);
New System Requirements
Information Leaked
Applications often make use of 3rd party libraries of questionable quality...
Additional Information Flow Challenges
…or have vulnerabilities to code injection attacks...
…so we must assume that the attacker is able to inject code into our system.
Sensitive Data
Public Data
Private Channel
Public Channel
Information Flow Analysis in Action
Private Channel
Public Channel
Sensitive Data
Public Data
Information Flow Analysis in Action
Sensitive Data
Public Data
Private Channel
Public Channel
Public outputs do not depend on private inputs
Termination-Insensitive Non-Interference
Explicit and Implicit Flows
spraycanLocation = "Kwik-E-Mart"police;
Location is only visible to the police. x = spraycanLocation;
Explicit flow from spraycanLocation to x.
if (x.charAt(0) < 'N') {
firstCharMax = 12;
}
Implicit flow from x to firstCharMax.
write(chan, spraycanLocation);
Developer
Core Functionality Security Expert
Business Domain Expert
Label Data
Attach label police to spraycanLocation
Enforcement Mechanism
label: police chan: police
write(chan, spraycanLocation);
Developer
Core Functionality Security Expert
Business Domain Expert
Label Data
Attach label police to spraycanLocation
Enforcement Mechanism
label: police chan: public
DENIED
Denning-style Static Analysis
• Certification process, perhaps integrated into a compiler.
• Data can flow down the lattice • Programs can be guaranteed
to be secure before the program is ever executed.
Static Analysis Certification var secret = truebank; var y = true; if (secret) y = false; var leak = true;
if (y)
leak = false;
• Analysis ensures that private data does not affect public data.
• In this example, y's final value depends on x.
• [Denning 1976]
Purely Dynamic Info Flow Controls
• Instrument interpreter with runtime controls
• Implicit flows can be handled by: – Ignoring unsafe updates – Crashing on unsafe updates – Leaking some data (not satisfying
noninterference)
A Tainting Approach
One obvious strategy: if a public variable is updated in a private context, make it private as well. var secret = truebank; var y = true;
if (secret)
y = false; Set y=falsebank
Challenges With Implicit Flows var secret = truebank; var y = true; if (secret) y = false; var leak = true;
if (y)
leak = false;
y=falsebank
leak=true
y=true
leak=false
secret=falsebank
Dynamic Monitors Reject Executions var secret = truebank; var y = true; if (secret) y = false;
Execution terminates to protect the value of secret.
Zdancewic 2002
Secure Multi-Execution
Executes program multiple: • High execution
– Sees all information – Only writes to authorized channels
• Low execution – Only sees public data – Writes to public channels – Confidential data replaced with default
values.
var pass = mkSecret("scytale"); if (pass[0]==("s")) write(chan,"s");
var pass=""; if (pass[0]
==("s"))
write(chan,
"s");
Low Execution Program
var pass="scytale"; if (pass[0]
==("s")){
write(chan,
"s");
High Execution Program
Original Program
Secure Multi-Execution
High execution
Low execution
Private inputs
Public inputs
Dummy Values
Private outputs
Public outputs
Lab: Taint tracking
Today's lab explores taint tracking in Ruby. Starter code is available on the course website. Details in Canvas.