Swift: Secure Web Applications via Automatic Partitioning
Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng
Cornell University
SOSP 2007 (October 15)
Speaker: K. Vikram
Splitting Webapps via Information Flow Types
• Ubiquitous, important, yet insecure
  – 61% of Internet vulnerabilities affect webapps*
  – Cross-site scripting, SQL injection, information leakage, etc.
• Development methods lack security reasoning
  – Distributed system in multiple languages
    • Client: CSS, XHTML, JavaScript, Flash
    • Server: PHP, ASP, Ruby, SQL
  – Ajax/Web 2.0: complex JavaScript UIs generating HTTP requests
*Symantec Internet Security Threat Report 2007
Can we make web applications secure?
Swift*
• Make interactive web applications secure and easier to write
*Splitting Webapps via Information Flow Types
• Easier to write
  – One program (in one general-purpose language), automatically split by the compiler
• Security by construction
  – Rich security policies as declarative annotations
• Interactivity
  – Finding an optimal split for performance
[Figure: Swift source code → Compiler → Partitioner → JavaScript client code and Java server code]
K.Vikram Swift Cornell University
The Guess-the-Number Game
[Game UI: "Secret Number: 7", "Tries: 3", "Take a Guess! (You have 3 chances)"; the secret is a random number between 1 and 10]
Example play: guess 6 → "Try Again" (Tries: 2, "You have 2 chances"); guess 12 → "Out of range"; guess 4 → "Try Again" (Tries: 1, "You have 1 chance"); guess 7 → "You win $500" (Tries: 0).
Each guess goes through two steps: Bounds Check, then Compare Guess.
Security requirements (the client may be buggy or malicious; the server is trusted):
• Confidentiality requirement: the client must not learn the secret number.
• Integrity requirement: the client must not be able to give itself more tries (the slide shows a client that has set Tries: 10 and then enters the guesses 1, 2, 3, 4, 5, 6, 7).
• Integrity requirement: the client must not be able to declare "I win $500" on its own.
A secure optimal split: the Bounds Check runs on the client (and is also performed on the server); Compare Guess runs only on the server.
Guess-the-number in Swift

    int secret;
    int tries;
    …
    void makeGuess (int guess) {              // called from a listener
      if (guess >= 1 && guess <= 10) {        // input validation
        boolean correct = guess == secret;    // compare with stored secret
        if (tries > 0 && correct) {           // successful guess
          finishApp("You win $500!");
        } else {                              // unsuccessful guess
          tries--;
          if (tries > 0) message.setText("Try again");
          else finishApp("Game over");
        }
      } else {                                // check fails
        message.setText("Out of range:" + guess);
      }
    }
Writing security labels in Swift
• A label denotes the security policy enforced on data (using the Decentralized Label Model [ML97])

    int{server→server; server←server} secret;
    int{server→client; server←server} tries;

  – Alice→Bob: Alice permits Bob to read
  – Alice←Bob: Alice permits Bob to write
• The compiler allows only those information flows that conform to security policies (Jif [ML99]). For example,

    int{server→client} display;
    display = secret;

  is rejected: the confidentiality policy of secret (server→server) does not permit the flow to display (server→client), even though the integrity policies (server←server on both) agree.
Guess-the-number in Swift (with labels)

    int{server→server; server←server} secret;
    int{server→client; server←server} tries;
    …
    void makeGuess (int guess) {
      if (guess >= 1 && guess <= 10) {
        // If guess is within bounds the server is prepared to trust it
        endorse (guess, {server←client} to {server←server}) {
          // Client is allowed to learn if guess is correct
          boolean correct = declassify (guess == secret,
                                        {server→server} to {server→client});
          if (tries > 0 && correct) {
            finishApp("You win $500!");
          } else {
            tries--;
            if (tries > 0) message.setText("Try again");
            else finishApp("Game over");
          }
        }
      } else {
        message.setText("Out of range:" + guess);
      }
    }
The Swift Architecture
[Figure: Jif source code → (label projection: confidentiality/integrity labels) → WebIL code → (partitioning: server/client placement) → Located WebIL code, which is split into Java server code and Java client code. On the Web Server, the Java server code runs on the Swift server runtime inside a Java servlet framework. The Java client code is compiled by GWT into JavaScript client code, which runs in the Web Browser on the Swift client runtime and the GWT runtime library. Client and server communicate over HTTP.]
Placement Constraints from Labels
• Security constraints: the confidentiality and integrity parts of a label decide where data and code may be placed.

                                client can write          client cannot write
                                (low integrity)           (high integrity)
    client can read             S?C?                      ShC?
    (low confidentiality)       client or server          server and maybe client
    client cannot read          S                         Sh
    (high confidentiality)      server only               server only

• Architectural constraints: database library calls must be placed on the server (S); UI widget calls must be placed on the client (C).
Guess-the-number in WebIL

    Sh:    int secret;
    ShC?:  int tries;
    …
    S?C?:  void makeGuess (int guess) {
    S?C?:    if (guess >= 1 && guess <= 10) {
    Sh:        boolean correct = guess == secret;    // comparison only on server
    ShC?:      if (tries > 0 && correct) {
    C:           finishApp("You win $500!");        // calls to UI methods on client
             } else {
    ShC?:        tries--;
    ShC?:        if (tries > 0)
    C:             message.setText("Try again");
               else
    C:             finishApp("Game over");
             }
           } else {
    C:       message.setText("Out of range:" + guess);
           }
         }
Performance Optimization
• Minimize number of network messages
  – Network latency has biggest impact on responsiveness
  – Control transfer might require a network message
• Modeling the run-time behavior of the program by a weighted control flow graph
  – Interprocedural dataflow analysis
• Construct an instance of the min-cut problem
  • Min-cut/Max-flow algorithm runs in O(n³) time
[Figure: a control-flow graph whose nodes are labelled S (server) or C (client), with edge weights such as 5, 7.5, 10 and 15; the minimum cut separates the server nodes from the client nodes]
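The min-cut construction sketched above, as an added illustration that is not the Swift partitioner's own code: statements are nodes, edge weights are expected control transfers per ten requests (constructed numbers), and the label and UI constraints pin nodes to one side. It is a simplified model with only S and C placements, so it does not reproduce the replicated (ShC) placements the real partitioner chooses.

```python
INF = float("inf")

def augment(res, u, t, push, seen):
    """Ford-Fulkerson step: DFS for one augmenting path in the residual graph."""
    if u == t:
        return push
    seen.add(u)
    for v, c in res[u].items():
        if c > 0 and v not in seen:
            got = augment(res, v, t, min(push, c), seen)
            if got:
                res[u][v] -= got
                res[v][u] += got
                return got
    return 0

def place(edges, pinned):
    """edges: {(u, v): expected traversals per 10 requests}; pinned: {stmt: 'S' | 'C'}.
    Returns (expected messages per 10 requests, {stmt: 'S' | 'C'})."""
    res = {"src": {}, "sink": {}}
    def add(u, v, w):
        res.setdefault(u, {}); res.setdefault(v, {})
        res[u][v] = res[u].get(v, 0) + w
        res[v].setdefault(u, 0)                   # reverse edge for the residual graph
    for (u, v), w in edges.items():               # a message costs the same either way
        add(u, v, w); add(v, u, w)
    for n, side in pinned.items():                # label/architectural constraints: uncuttable
        if side == "S": add("src", n, INF)
        else: add(n, "sink", INF)
    cut = 0
    while (got := augment(res, "src", "sink", INF, set())):
        cut += got
    server, stack = {"src"}, ["src"]              # still reachable from src => server side
    while stack:
        u = stack.pop()
        for v, c in res[u].items():
            if c > 0 and v not in server:
                server.add(v); stack.append(v)
    return cut, {n: "S" if n in server else "C" for n in res if n not in ("src", "sink")}

# Constructed edge frequencies for makeGuess (per 10 requests; illustrative, not measured).
GUESS_EDGES = {("listener", "bounds"): 10, ("bounds", "out_of_range"): 1,
               ("bounds", "compare"): 9, ("compare", "decide"): 9,
               ("decide", "win"): 1, ("decide", "tries_dec"): 8,
               ("tries_dec", "try_again"): 5, ("tries_dec", "game_over"): 2}
GUESS_PINNED = {"compare": "S",                   # reads secret {server->server}: server only
                "listener": "C", "out_of_range": "C", "win": "C",
                "try_again": "C", "game_over": "C"}   # UI widget calls: client only
```

With these weights the cut keeps the bounds check on the client and moves the comparison, the win test and the tries bookkeeping to the server, at a cost of 17 messages per 10 requests.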
Guess-the-number with placements

    Sh:    int secret;
    ShC:   int tries;
    …
    C:     void makeGuess (int guess) {
    ShC:     if (guess >= 1 && guess <= 10) {         // input validation code replicated
    Sh:        boolean correct = guess == secret;
    ShC:       if (tries > 0 && correct) {
    C:           finishApp("You win $500!");
             } else {
    ShC:         tries--;
    ShC:         if (tries > 0)
    C:             message.setText("Try again");
               else
    C:             finishApp("Game over");
             }
           } else {
    C:       message.setText("Out of range:" + guess);
           }
         }

Each statement/field is given one of five possible annotations: {C, S, SC, Sh, ShC}. The input validation code is replicated on client and server.
[Animation: for guess=6 the client runs makeGuess up to and including the bounds check, then sends the server a message [Code to execute, Local variable values]. The server re-runs the bounds check, executes boolean correct = guess == secret and the following if, and sends the client a message [Code to execute, Local variable values] carrying updates to locals, after which the client performs the UI calls.]
• Client could cheat and request execution of arbitrary server code
  – Server keeps enough state about expected control flow
• Client could corrupt local variables
  – Server does not accept updates for high integrity variables
• Client cannot
  – Violate data integrity
  – Influence execution of high integrity code
  – Learn confidential values
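The run-time checks just listed, as an added illustration in Python that is not the Swift runtime's own code: the block graph GUESS_CFG, the readable/writable sets and the ServerSession API are assumptions standing in for the label-derived information the real runtime carries.

```python
CLIENT_MAY_READ = {"tries", "guess", "correct"}   # {server->client}; secret is {server->server}
CLIENT_MAY_WRITE = {"guess"}                      # {server<-client}; the rest is {server<-server}

class ServerSession:
    """Server side of one session: remembers where it handed control to the client."""
    def __init__(self, cfg, state):
        self.cfg = cfg            # {block: successor blocks} of the partitioned program (assumed)
        self.state = dict(state)  # fields and locals of the running makeGuess activation
        self.expected = set()     # server blocks the client may legitimately request next

    def transfer_to_client(self, block):
        """Hand control to a client block: [Code to execute, Local variable values]."""
        self.expected = set(self.cfg[block])
        shown = {k: v for k, v in self.state.items() if k in CLIENT_MAY_READ}
        return block, shown

    def resume(self, block, updates):
        """Client asks to continue at `block` with local updates; returns rejected keys."""
        if block not in self.expected:
            raise PermissionError(f"control transfer to {block!r} was not expected")
        rejected = {k for k in updates if k not in CLIENT_MAY_WRITE}
        self.state.update({k: v for k, v in updates.items() if k in CLIENT_MAY_WRITE})
        self.expected = set()     # each hand-off may be answered only once
        return rejected

# Constructed control-flow summary of the placed guess-the-number program.
GUESS_CFG = {"bounds": {"compare"}, "compare": {"decide"}, "decide": {"win", "tries_dec"}}

def demo():
    """Constructed session: one honest guess, then a request the server must refuse."""
    s = ServerSession(GUESS_CFG, {"secret": 7, "tries": 3})
    _, shown = s.transfer_to_client("bounds")
    rejected = s.resume("compare", {"guess": 6, "tries": 10, "correct": True})
    try:
        s.resume("decide", {"correct": True})   # tries to skip the server-side comparison
        skipped_compare = True
    except PermissionError:
        skipped_compare = False
    return {"secret_sent": "secret" in shown, "rejected": rejected, "tries": s.state["tries"],
            "guess": s.state["guess"], "skipped_compare": skipped_compare}
```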
Evaluation: Code size measurements

    Application        Lines
    Guess-the-Number     142
    Poll                 113
    Secret Keeper        324
    Treasure Hunt         92
    Auction              502
    Shop                1094
Evaluation: Network message counts

    Example            Task                 Actual                        Optimal
                                            Server→Client  Client→Server  Server→Client  Client→Server
    Guess-the-Number   guessing a number    1              2              1              1
    Shop               adding an item       0              0              0              0
    Poll               casting a vote       1              1              0              1
    Secret Keeper      viewing the secret   1              1              1              1
    Treasure Hunt      exploring a cell     1              2              1              1
    Auction            bidding              1              1              1              1
Related Work
• Unified programming models
  – Links [CLWY 06]
  – Hop [SGL 06]
  – Hilda [YGQDGS 07, YSRG 06]
• Web application security
  – Static analysis [HYHTLK 04, XA 06, JKK 06]
  – Dynamic taint tracking [HO 05, NGGE 05, XBS 06, CVM 07]
• Security by construction
  – Jif/Split [ZZNM 02, ZCMZ 03]
  – Fairplay [MNPS 04]
  – SMCL [NS 07]
Points in which Swift goes beyond this related work (from the comparison figure):
  – Tracking over multiple requests; client-side computation; confidentiality
  – Security; replication for responsiveness; automated, fine-grained optimization
  – Bigger, more practical applications; web application security
Conclusions/Questions?
• Web applications are critical and handle sensitive data
• Secure web applications are hard to write
• The Swift programming system provides
  – Greater security assurance
  – A responsive interface
  – Cleaner programming model
• http://www.cs.cornell.edu/jif/swift/