ScriptGard: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications

Post on 19-Dec-2015


SCRIPTGARD: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications

Prateek Saxena, UC Berkeley
David Molnar, Microsoft Research
Ben Livshits, Microsoft Research

Slide 2: Large-Scale Legacy Applications

• Step-up in scale
  – Half a million LOC
  – Shared development by teams of 100+
• What's the difference?
  – Shifting platforms isn't practical
  – Long program paths, many sanitizers applied
• How to secure legacy apps?

Slide 3: XSS in Large-Scale Applications

Small-scale apps:
• Buggy sanitizer
• Missing sanitization
  – [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11, Saner'08, Bek'11]

  Missing sanitization:   String Img.RenderControl() { Write(userimg); }
  With sanitization:      String Img.RenderControl() { Write(Sanitize(userimg)); }

Large-scale applications:
• New sanitization errors – [CCS'11]
• SCRIPTGARD

Slide 4: Contributions

• Does sanitization defense fail in practice?
  – 7 commercial applications, 400 KLOC
• 2 new classes of errors in sanitizer use
  – How often & why
• SCRIPTGARD: automated sanitizer use analysis
  (Diagram labels: Legacy .NET, Minimal Specs, Concrete Test Cases)
  – Can auto-correct sanitization during deployment

Slide 5: Error #1: Context-Mismatched Sanitization (CMS)

Which sanitizer to apply where?

  HTML tag context:   <img src="sunset.gif" height="right">
                      <a href="javascript: document.write('…');"> Diapers </a>
  JS string context:  <script> var name='Stewie'; </script>

Sanitizers: HtmlEncode, JSStringEncode

Attack input: \r\n; alert(document.cookie);

(Chart values: 23904, 1207)
1,207 (4.7%) are CMS errors!

Slide 6: Why Does Context-Mismatch Happen?

(Diagram: program paths pass through a sanitizer before reaching the output sink)
Context is a global, path-sensitive property, but developers select sanitizers locally.

Slide 7: Error #2: Inconsistent Multiple Sanitization (IMS)

(Diagram: attack input reaches the output sink through San 1 and San 2 applied in different orders. Safe? Safe?)
Does the order matter?

Slide 8: Inconsistent Multiple Sanitization (IMS): Does It Really Happen?

(Diagram: attack input through HtmlEncode then JSStringEncode, and through JSStringEncode then HtmlEncode)
(Chart values: 21964, 2960, 285)
285 (8%) of multiple sanitizations are errors!

Why does IMS happen?

Slide 9: Why Does IMS Happen: Nested Contexts

Server-side output (userlink is the untrusted value reaching the output sink):

  <script> document.write('<a href="userlink"></a>'); </script>

Slide 10: Why Does IMS Happen: Nested Contexts

  <script> document.write('<a href="userlink"></a>'); </script>

userlink sits in a URL attribute context nested inside a JS string context.
The browser decodes it twice: first the JS parser (JS Unicode decode: \u0022 → "), then the HTML parser (HTML entity decode: &quot; → ").

Slide 11: Why Does IMS Happen: Nested Contexts

Correct sanitizer order: the server emits \u0026quot; ; the JS parser (JS Unicode decode) turns it into &quot; and the HTML parser (HTML entity decode) into ", a literal quote inside the attribute value.
Wrong sanitizer order: the server emits \u0022; the JS parser turns it into a raw " that reaches the HTML parser as a quote character.

Nested contexts cause developer confusion!

Slide 12: How Common Are Nested Contexts?

(Chart values: 16949, 2948, 1093, 104, 1234)
Nesting depth: up to 4

Slide 13: Take-Aways…

Small-scale apps:
• Buggy sanitizer
• Missing sanitization
  – [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11, Saner'08, Bek'11]

Large-scale applications:
• Shared paths lead to CMS & IMS
• Developers apply correct sanitizers wrongly

Slide 14: How Do We Find Sanitization Errors in Legacy Applications at Scale?

SCRIPTGARD Analysis

Slide 15: SCRIPTGARD

(Architecture diagram labels: HTTP Requests, Legacy .NET, Sanitizer Specification, Browser Model, Instrumented Server-side DLLs, Inconsistently Sanitized Test Cases)

Slide 16: SCRIPTGARD Analysis: Key Ideas

(Diagram: Path 1, Path 2, Path 3, Path 4)
• Path-sensitive positive taint-tracking
• Determine contexts

Slide 17: SCRIPTGARD Analysis: Key Ideas

(Diagram: Path 1, Path 2, Path 3, Path 4)
• Path-sensitive positive taint-tracking
• Determine contexts

Trusted? + - + -

Sanitizer sequences observed on the paths:
  HtmlAttributeEncode, JSStringEncode
  HtmlEncode, JSStringEncode
  HtmlAttributeEncode
  JSStringEncode, HtmlEncode

Errors flagged: CMS, IMS
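As an added illustration of the decoding-order argument on slides 10 and 11 and of the sanitizer-sequence check on this slide (example code, not from the talk or from SCRIPTGARD), the Python below models the two nested parsers for the document.write sink and checks an applied sanitizer sequence against the one the nesting requires; the encoder implementations, the context names and the context-to-sanitizer mapping are simplified assumptions.

```python
import html
import re

# Simplified stand-ins for the server-side .NET encoders named in the talk (assumed behaviour).
def html_attribute_encode(s: str) -> str:
    """HtmlAttributeEncode: entity-encode &, <, >, " and ' for an attribute value."""
    return html.escape(s, quote=True)

def js_string_encode(s: str) -> str:
    """JSStringEncode: \\uXXXX-escape every character that is not alphanumeric or a space."""
    return "".join(c if c.isalnum() or c == " " else f"\\u{ord(c):04x}" for c in s)

def sanitize(value: str, sequence: list) -> str:
    """Apply the sanitizers in the order the server code applies them."""
    for san in sequence:
        value = san(value)
    return value

# Browser model for the nested sink:  <script>document.write('<a href="VALUE"></a>');</script>
def browser_model(server_value: str) -> dict:
    # Outer context, JS string: the literal ends at the first raw ', then \uXXXX escapes resolve.
    literal, js_quote, _ = server_value.partition("'")
    after_js = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), literal)
    # Inner context, URL attribute: document.write hands the text to the HTML parser, which
    # ends the attribute at the first raw " and only then decodes entities such as &quot;.
    attr_raw, html_quote, _ = after_js.partition('"')
    return {"attr": html.unescape(attr_raw),
            "js_broken": bool(js_quote), "attr_broken": bool(html_quote)}

# Contexts outermost first and the sanitizer each needs (assumed mapping for this example).
CONTEXTS = ["JS String", "URL Attribute"]
CONTEXT_SANITIZER = {"JS String": js_string_encode, "URL Attribute": html_attribute_encode}

def required_sequence(contexts_outer_to_inner: list) -> list:
    """The browser decodes outermost first, so the server must encode innermost first."""
    return [CONTEXT_SANITIZER[c] for c in reversed(contexts_outer_to_inner)]

def is_consistent(applied: list, contexts_outer_to_inner: list) -> bool:
    """IMS/CMS check: the applied sequence must equal what the nested contexts require."""
    return applied == required_sequence(contexts_outer_to_inner)

if __name__ == "__main__":
    probe = 'x" y'  # constructed input carrying one double quote, as on the slide
    for seq in ([html_attribute_encode, js_string_encode],
                [js_string_encode, html_attribute_encode]):
        out = sanitize(probe, seq)
        print([f.__name__ for f in seq], repr(out), browser_model(out),
              "consistent" if is_consistent(seq, CONTEXTS) else "inconsistent")
```

With the correct order the attribute value survives as an entity all the way to the HTML parser; with the reversed order the JS parser hands the HTML parser a raw quote and the attribute ends early.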

Slide 18: Precise Context Determination: Browser Parser Model

(Diagram: Contexts)

Slide 19: How Can We Correct Sanitization Errors Automatically?

Slide 20: SCRIPTGARD: Can We Auto-Patch Sanitization Errors?

• The bad news: large slowdown
• Observation: less than 10% of paths are problematic
• Can we detect when a problematic path is executed?
• Yes!
  – Preferential path profiling [POPL'06]
  – Negligible overhead

Slide 21: SCRIPTGARD Auto-Correction

(Diagram: Pre-release analysis: SCRIPTGARD → Sanitization Cache → Sanitizer Patch. Deployment: Preferential Path Profiler, Server Code With Light-weight Instrumentation, Sanitizer Patch.)

Slide 22: Conclusions

• 2 new patterns of errors in sanitizer use
• SCRIPTGARD
  – Effective analysis tool
  – Auto-correction with negligible overhead

(Chart values: 23717; 285 Inconsistent Multiple Sanitization; 1207 Context-Mismatched Sanitization)

Slide 23

You have been a wonderful audience… you stayed…

Prateek Saxena, http://www.cs.berkeley.edu/~prateeks/

Slide 24: Sanitizer Correction is Challenging

(Diagram: two paths through sanitizers (San, San) to the output sink, one of them applying HtmlEncode)
Can we just replace HtmlEncode with another sanitizer? Contexts vary by path executed.
