
Page 1: Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers Prateek Saxena UC Berkeley Mike Samuel Google Dawn Song UC Berkeley

Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers

Prateek Saxena, UC Berkeley
Mike Samuel, Google
Dawn Song, UC Berkeley

Page 2: Script Injection Vulnerabilities

• OWASP Top Ten Vulnerabilities
  – 2nd in 2010 & 2011
• Today affects
  – Major web services
  – Client-side libraries
  – Browser extensions
  – Devices & smartphones

Page 3: Predominant Defense Practice

• Manual sanitization using a sanitizer library
• Why does it fail?
  – Developers forget to sanitize [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11]
  – Developers pick the wrong sanitizer [CCS'11]

Unsanitized:

  String Div.Render () {
    print("<div>");
    print(userimg);
    print("</div>");
  }

Sanitized by hand, calling into the sanitizer library:

  String Div.Render () {
    print("<div>");
    print(Sanitize(userimg));
    print("</div>");
  }

Page 4: Vision

• Eliminate scripting attacks
  – Make applications secure by construction

(diagram: Developer Code → Application Code)

Page 5: Contributions

• A new "push-button" defense primitive
  – "Security by construction" approach
• Context-Sensitive Auto-Sanitization (CSAS)
  – New challenge: which sanitizers to place where?
  – Targets existing web templating frameworks
• It is practical: Fast, Auditable, Compatible, Secure
• Deployed commercially
  – Google Closure Templates powers Google+

Page 6: Web Templating Frameworks

(diagram: Template → Templating Framework Compiler → Target Language Code (Java, JS), which the Application Code calls)

Template code:

  template imgRender($imgLink, $name) {
    print ("<img src=\"");
    print ($imgLink);
    print "\"/>" . $name . "<br>";
    return;
  }

Application code (the compiled template called from JavaScript):

  <script>
    var o = new soy.StringBuilder();
    imgRender({O: o, imglink: $_GET('extlink'), name: [$_GET('name')]});
    document.write(o);
  </script>

The template language does not have complex constructs.

It explicitly separates untrusted inputs (the template parameters) from the constant markup.

Page 7: Talk Outline

• System Architecture & Features
• Challenges
• The CSAS Engine Design
• Implementation
• Evaluation & Deployment

Page 8: CSAS System Architecture

(diagram: Template → Compiler with instrumented auto-sanitization → Java / JS code that the Application calls; the compiler links against a Sanitizer Library and can emit a Static Error)

Page 9: CSAS Auditability & Compatibility

(same architecture diagram as page 8)

• Easily auditable
• Compatibility
  – No developer involvement
  – Minimize static errors
• Security
• Performance

Page 10: Security & Correctness (I)

• Property CSAN: Context-Sensitive Sanitization

  template ImgRender($imgLink, $name) { ... }

  renders:  <img src="$name/img?f=$imgLink"/> <br>$name

  Contexts, left to right:
  – <img src="       HTML tag context
  – $name            URI START context
  – /img?f=          URI PATH context
  – $imgLink         URI QUERY parameter context
  – "/> <br>$name    HTML tag context

  (figure labels: HtmlSanitizer, URLSanitizer)

Attacks vary by context!

Page 11: Security & Correctness (II)

• Property NOS: No Over-Sanitization

  renders:  <img src="/$name/img?f=$imgLink"/> <br>$name

Sanitize only untrusted data, not constant strings.

Page 12: Security Assumptions

• Canonical HTML parser
  – Flexible enough to recognize browser differences [GWT, CTemplates]
• Correct sanitizers
  – Extensive community effort [OWASP, HtmlPurify, GWT, Django]
  – Research on secure sanitization primitives [Bek'11, Hampi'09, Min'06]
  – Already used in many frameworks

Page 13: Challenges

• Easily auditable
• Compatibility
• Security
• Performance

(figure: triangle of Security, Performance, Compatibility)

Page 14: Approach #1: Context-Insensitive Sanitization

Original template:

  template ImgRender($imgLink, $name) {
    print ("<img src=");
    x := $imgLink;
    print ($x);
    print "/>" . $name . "<br>";
    return;
  }

Every untrusted value passed through one HTML encoder:

  template ImgRender($imgLink, $name) {
    print ("<img src='");
    x := HtmlEncode($imgLink);
    print ($x);
    print "'/>" . HtmlEncode($name) . "<br>";
    return;
  }

Input $imgLink = javascript:bad();  HtmlEncode leaves it unchanged (it contains no HTML metacharacters), so it lands in the src attribute as a script URL.

(figure: triangle of Security, Performance, Compatibility; security not achieved)

False sense of security!
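The failure on this page, worked through as an added example that is not code from the paper or from Closure Templates. It renders the imgRender template of pages 10, 11 and 14 in JavaScript, once with the single HtmlEncode of Approach #1 and once with a sanitizer chosen per output context. The three sanitizers (escapeHtml, filterNormalizeUri, escapeUri) are simplified stand-ins written for this example and named after the kinds of sanitizer the talk mentions; their exact behaviour, the '#invalid-url' replacement value and the attack inputs are assumptions of the example, not the framework's.

```javascript
// Added example, not code from the paper or from Closure Templates.
// Sanitizers are simplified stand-ins; the names echo the kinds used in the
// talk, the behaviour is this example's own.

// HTML text and quoted-attribute context: neutralise markup metacharacters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// URI START context: the value is a whole URL, so the threat is its scheme.
// Relative URLs and an allow-list of schemes pass; anything else is replaced
// by an inert placeholder ('#invalid-url' is an assumption of this example).
const SAFE_SCHEME = /^(?:https?|mailto):/i;
function filterNormalizeUri(s) {
  const v = String(s);
  // Browsers drop ASCII control characters and spaces inside URLs before
  // parsing, so "java\tscript:" is still a javascript: URL; probe a stripped copy.
  const probe = v.replace(/[\u0000-\u0020\u007f]/g, '');
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(probe);
  return hasScheme && !SAFE_SCHEME.test(probe) ? '#invalid-url' : v;
}

// URI PATH / QUERY-parameter context: percent-encode reserved characters so
// the value cannot add path segments, parameters or a scheme of its own.
function escapeUri(s) { return encodeURIComponent(String(s)); }

// Approach #1 (page 14): one HTML encoder applied to every untrusted value.
// Template: <img src='{$imgLink}'/>{$name}<br>
function renderContextInsensitive(imgLink, name) {
  return "<img src='" + escapeHtml(imgLink) + "'/>" + escapeHtml(name) + '<br>';
}

// Context-sensitive version of the same template. $imgLink sits at URI START
// inside a quoted attribute: filter the URL first, then escape it for the
// attribute (filter before escape, so an entity-encoded scheme cannot slip
// past the filter once the browser decodes the attribute). $name in HTML
// text gets escapeHtml only.
function renderContextSensitive(imgLink, name) {
  return "<img src='" + escapeHtml(filterNormalizeUri(imgLink)) + "'/>" +
         escapeHtml(name) + '<br>';
}

// The page-11 template, where both values are embedded inside one URL:
//   <img src='/{$name}/img?f={$imgLink}'/>{$name}<br>
// Property NOS: the constants "/" and "/img?f=" are emitted untouched; only
// the untrusted values are encoded, each with the sanitizer for its context.
function renderInsideUrl(imgLink, name) {
  return "<img src='/" + escapeUri(name) + '/img?f=' + escapeUri(imgLink) +
         "'/>" + escapeHtml(name) + '<br>';
}

// Constructed attack input for a quick demonstration.
const JS_URL = 'javascript:bad()';

console.log(renderContextInsensitive(JS_URL, 'alice'));  // script URL survives HtmlEncode
console.log(renderContextSensitive(JS_URL, 'alice'));    // replaced by #invalid-url
console.log(renderInsideUrl('a&b=c', 'alice'));          // a%26b%3Dc, no extra parameter
```

Modern browsers ignore javascript: URLs in an img src, but the same template shape with an a href or an iframe src is live, which is why the URI START context needs a scheme filter rather than an HTML encoder. The tab and leading-space cases matter because a scheme check that only looks at the raw string is bypassed by the browser's own URL normalisation.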

Page 15: Approach #2: Context-Sensitive Runtime Parsing (CSRP)

  template ImgRender($imgLink, $name) { ... }

  renders:  <img src="$name/img?f=$imgLink

  – $name      URI START context  → URLSanitizer
  – $imgLink   URI Param context  → URLParamSanitizer

The output is parsed as it is produced, at runtime, to find each value's context before choosing its sanitizer.

(figure: triangle of Security, Performance, Compatibility; performance not achieved)

Page 16: Rich Language Features

  renders:  <img src='/$name/img?f=$imgLink'/> <br>$name

  template ImgRender($imgLink, $name) {
    print ("<img src='");
    x := "/" . $name . "/img?f=" . $imgLink;
    print ($x);
    print "'/>" . $name . "<br>";
    return;
  }

The untrusted values reach the sink only through concatenation into an intermediate variable x.

Page 17: Rich Language Features: Control Flow

  template ImgRender($imgLink, $name) {
    print ("<img src='");
    if ($name != "") then
      x := "/" . $name . "/img?f=" . $imgLink;
    else
      x := $imgLink;
    fi
    print ($x);
    print "'/>" . $name . "<br>";
    return;
  }

  renders:  <img src='/$name/img?f=$imgLink'/> <br>$name   (when $name is non-empty)

Usage contexts are statically ambiguous: sanitization requirements vary by path! On one path $imgLink is a query-parameter value, on the other it is the whole URL.

Page 18: Our Approach

• CSAS Engine
  – Context type qualifiers

(diagram: Untyped Template → Type Inference → Well-Typed IR → Compilation → Compiled Code)

Page 19: Context Type Qualifiers

• Context type qualifier: "which contexts is a string safe to be rendered in"
  – A qualifier is a pair (start context, end context): the context the string is safe to start in and the context the parser is in after it.

  TERMS                               TYPES
  x := "<img src='" . $imgLink;       "<img src='" : (HTMLSTART, URISTART)
                                      $imgLink is untrusted and reached in the URISTART context
  y := UrlAttribSanitize($imgLink)    y : (URISTART, URI)
  x := "<img src='" . y;              x : (HTMLSTART, URI)

Type inference: where to place sanitizers?
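A toy CSAS engine, added here as an example (it is neither the paper's type system nor Closure Templates' implementation), that makes the qualifier idea of this page and the control-flow problem of page 17 concrete. Every sequence of template terms gets a (start context, end context) qualifier, concatenation composes qualifiers, an untrusted hole receives the sanitizer for the context it is reached in, and if/else branches must leave the parser in compatible contexts or the engine reports a static error. The context names (HTML, TAG, URI_START, URI_PATH, URI_QUERY, URI_ANY), the scanner, the sanitizer table and the join rule are this example's own assumptions; the sanitizer names are the kinds listed on page 22.

```javascript
// Added example: a toy CSAS engine, not the paper's engine or Closure
// Templates' code. Contexts, scanner, sanitizer table and join rule are
// assumptions of this example.

// A context is the parser state plus, inside a URL attribute, the quote
// character that will close it. Its key is the "type name" of page 19.
const ctxKey = c => c.state + (c.quote ? '(' + c.quote + ')' : '');
const HTML_START = { state: 'HTML', quote: null };

// Advance a context over a CONSTANT template string. The scanner only knows
// tags and src=/href= attributes, enough for the talk's examples.
function advance(ctx, s) {
  let { state, quote } = ctx;
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (state === 'HTML') {
      if (ch === '<') state = 'TAG';
    } else if (state === 'TAG') {
      const m = /^(?:src|href)=(['"])/i.exec(s.slice(i));
      if (m) { state = 'URI_START'; quote = m[1]; i += m[0].length - 1; }
      else if (ch === '>') state = 'HTML';
    } else {                                  // inside a URL attribute value
      if (ch === quote) { state = 'TAG'; quote = null; }
      else if (ch === '?') state = 'URI_QUERY';
      else if (state === 'URI_START') state = 'URI_PATH';
    }
  }
  return { state, quote };
}

// Sanitizer for an untrusted hole reached in a context, and the context the
// parser is in once the sanitized value has been written out.
function sanitizeHole(ctx) {
  switch (ctx.state) {
    case 'HTML':      return { sanitizer: 'escapeHtml', after: ctx };
    case 'URI_START': // whole URL; assumption: what follows continues its path
                      return { sanitizer: 'filterNormalizeUri', after: { ...ctx, state: 'URI_PATH' } };
    case 'URI_PATH': case 'URI_QUERY': case 'URI_ANY':
                      return { sanitizer: 'escapeUri', after: ctx };
    default: throw new Error('static error: untrusted value in ' + ctxKey(ctx) + ' context');
  }
}

// Join the end contexts of two branches (page 17). Equal contexts join
// trivially; different sub-contexts of the same URL attribute join to
// URI_ANY, where escapeUri is safe either way; anything else is a static error.
const URI_INNER = new Set(['URI_PATH', 'URI_QUERY', 'URI_ANY']);
function join(a, b) {
  if (ctxKey(a) === ctxKey(b)) return a;
  if (URI_INNER.has(a.state) && URI_INNER.has(b.state) && a.quote === b.quote)
    return { state: 'URI_ANY', quote: a.quote };
  throw new Error('static error: branches end in ' + ctxKey(a) + ' vs ' + ctxKey(b));
}

// Type inference over a sequence of IR nodes: {k:'const', s}, {k:'hole', name}
// or {k:'if', then:[...], else:[...]}. Returns the instrumented IR with a
// sanitizer filled in at every hole, plus the sequence's qualifier
// (start context, end context), the (HTMLSTART, URI)-style pair of page 19.
function infer(nodes, start) {
  let ctx = start;
  const ops = [];
  for (const n of nodes) {
    if (n.k === 'const') { ops.push(n); ctx = advance(ctx, n.s); }
    else if (n.k === 'hole') {
      const { sanitizer, after } = sanitizeHole(ctx);
      ops.push({ k: 'print', name: n.name, sanitizer, ctx: ctxKey(ctx) });
      ctx = after;
    } else if (n.k === 'if') {
      const t = infer(n.then, ctx), e = infer(n.else, ctx);
      ops.push({ k: 'if', then: t.ops, else: e.ops });
      ctx = join(t.end, e.end);
    }
  }
  return { ops, end: ctx, type: [ctxKey(start), ctxKey(ctx)] };
}

// Flatten the instrumented IR into [variable, sanitizer] pairs in output order.
function placements(ops) {
  return ops.flatMap(o => o.k === 'print' ? [[o.name, o.sanitizer]]
                        : o.k === 'if'   ? [...placements(o.then), ...placements(o.else)] : []);
}

const C = s => ({ k: 'const', s }), H = name => ({ k: 'hole', name });

// Page 17's template as IR:
//   <img src='{if $name}/{$name}/img?f={$imgLink}{else}{$imgLink}{/if}'/>{$name}<br>
const imgRender = [
  C("<img src='"),
  { k: 'if', then: [C('/'), H('$name'), C('/img?f='), H('$imgLink')], else: [H('$imgLink')] },
  C("'/>"), H('$name'), C('<br>'),
];

const typed = infer(imgRender, HTML_START);
console.log(typed.type, placements(typed.ops));
```

On page 17's template the engine places escapeUri on $name and $imgLink in the then-branch, filterNormalizeUri on $imgLink in the else-branch, and escapeHtml on the final $name, with no runtime parsing: every decision is made once, at compile time, and the instrumented IR is what a reviewer audits. A template whose branches close the attribute on one path but not the other is rejected with a static error rather than guessed at.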

Page 20: Implementation & Evaluation

• Google Closure Templates
  – Powers several Google products
  – 3045 LOC Java
• Evaluation benchmarks:
  – 1035 templates from production Google code
  – Rich features: 2997 calls, 1224 print/sink statements using 600 untrusted input variables

Page 21: Evaluation: Compatibility

• All 1035 templates auto-sanitized!
  – No developer involvement
  – No static errors
• Compared to the original sanitization
  – 21 cases differ out of 1224
  – In those cases the CSAS engine inferred a more accurate sanitizer

Page 22: Evaluation: Security

(bar chart: number of print statements per inferred sanitizer, axis 0 to 700; sanitizers: escapeHtml, escapeHtmlAttribute, filterNormalizeURI + escapeHtml, escapeJsValue, filterCSSValue, escapeJsString, escapeUri, escapeHtmlRcdata, escapeHtmlAttributeNospace, filterHtmlIdent, filterNormalizeURI; bars marked UNSAFE are the prints a context-insensitive approach gets wrong)

Context-insensitive approach fails on 28% of prints.

Page 23: Evaluation: Performance Overhead

Overhead relative to a base of no sanitization (CI = context-insensitive, CSRP = context-sensitive runtime parsing):

  JavaScript     CI      CSRP     CSAS
  Chrome 9       3.0%    78.8%    3.0%
  FF 3.6         9.6%    425%     9.6%
  Safari 5       2.5%    189%     3.1%

  Java           CI      CSRP     CSAS
                 0%      72%      0%

• Benchmarks: templates only, no other application logic
• Base: no sanitization

CSAS is an order of magnitude faster than CSRP. Practical performance: up to 9.6% overhead.

Page 24: Conclusion

• CSAS: A new "push-button" defense primitive
  – Fast, secure, compatible and auditable
  – Increasing commercial adoption
• Other frameworks

(chart: adoption growth from July to today, y-axis 0 to 6000)

Page 25: Thanks

http://code.google.com/closure/templates/docs/security.html

Questions?