1
Context-Sensitive Auto-Sanitization In Web Templating Languages
Using Type Qualifiers
Prateek Saxena, UC Berkeley
Mike Samuel, Google
Dawn Song, UC Berkeley
2
Script Injection Vulnerabilities
• OWASP Top Ten Vulnerabilities
– 2nd in 2010 & 2011
• Today Affects
– Major Web Services
– Client-side Libraries
– Browser Extensions
– Devices & Smartphones
3
Predominant Defense Practice
• Why Does it Fail?
– Developers forget to Sanitize [Pixy’06, PhpTaint’06, Cqual’04, Merlin’09, Securifly’05, PhpAspis’11]
– Pick the wrong sanitizer [CCS’11]

String Div.Render() {
    print("<div>"); print(userimg); print("</div>");
}

String Div.Render() {
    print("<div>"); print(Sanitize(userimg)); print("</div>");
}

Sanitizer Library
4
Vision
• Eliminate Scripting Attacks
– Make Applications Secure by Construction
[Figure: Developer Code → Application Code]
5
Contributions
• A New "Push-Button" Defense Primitive
– "Security By Construction" Approach
• Context-Sensitive Auto-Sanitization (CSAS)
– New Challenge: Which Sanitizers To Place Where?
– Targets Existing Web Templating Frameworks
• It is Practical
– Fast, Auditable, Compatible, Secure
• Deployed Commercially
– Google Closure Templates powers Google+
Web Templating Frameworks
[Figure: the application code calls the template; the templating framework compiler translates the template into target language code (Java, JS)]
Application Code:
<script>var o = new soy.StringBuilder(); imgRender({O: o, imglink: $_GET('extlink'), name: [$_GET('name')]}); document.write(o);</script>
Template Code:
template imgRender($imgLink, $name) {
    print("<img src=\"");
    print($imgLink);
    print "\"/>" . $name . "<br>";
    return;
}
Template Language does not have complex constructs
6
Explicitly Separates Untrusted Inputs
7
Talk Outline
• System Architecture & Features
• Challenges
• The CSAS Engine Design
• Implementation
• Evaluation & Deployment
8
CSAS System Architecture
[Figure: the application calls a template; the CSAS compiler emits Java or JS target code with instrumented auto-sanitization backed by a sanitizer library, or reports a static error]
9
CSAS Auditability & Compatibility
[Figure: same architecture; the instrumented auto-sanitization calls into the sanitizer library, and the compiler can report a static error]
• Easily Auditable
• Compatibility
– No Developer Involvement
– Minimize Static Errors
• Security
• Performance
10
Security & Correctness (I)
• Property CSAN: Context-Sensitive Sanitization
[Figure: template ImgRender($imgLink, $name) { ... } rendered as <img src="$name/img?f=$imgLink"/>$name<br>, with an HtmlSanitizer and a URLSanitizer applied to the untrusted inputs]
Contexts in the rendered output, in order: HTML Tag Context (<img), URI START Context ($name), URI PATH Context (/img?f=), URI QUERY Parameter Context ($imgLink), HTML Tag Context ($name)
Attacks Vary By Contexts!
11
Security & Correctness (II)
• Property NOS: No Over Sanitization
[Figure: <img src="/$name/img?f=$imgLink"/>$name<br>, with only $name and $imgLink sanitized]
Sanitize Only Untrusted Data, Not Constant Strings
Security Assumptions
• Canonical HTML Parser
– Flexible to recognize browser differences [GWT, CTemplates]
• Correct Sanitizers
– Extensive Community Effort [OWASP, HtmlPurify, GWT, Django]
– Research on Secure Sanitization Primitives [Bek’11, Hampi’09, Min’06]
– Already Used in Many Frameworks
13
Challenges
• Easily Auditable
• Compatibility
• Security
• Performance
[Figure: trade-off triangle with vertices Security, Performance, Compatibility]
14
Approach #1: Context-Insensitive Sanitization
template ImgRender($imgLink, $name) {
    print("<img src=");
    x := $imgLink;
    print($x);
    print "/>" . $name . "<br>";
    return;
}
template ImgRender($imgLink, $name) {
    print("<img src='");
    x := HtmlEncode($imgLink);
    print($x);
    print "'/>" . HtmlEncode($name) . "<br>";
    return;
}
Input shown on the slide, which HtmlEncode leaves intact inside the src attribute: javascript: bad();
[Figure: trade-off triangle, Security / Performance / Compatibility]
False Sense of Security!
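The two properties from slides 10 and 11 and the failure of Approach #1, worked as an added example that is not part of the original deck and not Closure Templates code: a toy JavaScript renderer tracks the HTML parsing context across the template's constant strings and picks a sanitizer per context (Property CSAN) without ever touching the constants (Property NOS); a context-insensitive renderer beside it shows the javascript: URL that a plain HTML escaper leaves intact. The context set, the sanitizer implementations, the "#rejected" placeholder, and the sample template and inputs are assumptions made for this example; a production framework uses a far more complete HTML parser and URL normalizer.

```javascript
// Added example, not code from the CSAS paper or from Closure Templates.
// The context set, sanitizers and sample data below are simplified assumptions.
const Ctx = {
  HTML_PCDATA: 'HTML_PCDATA', // text between tags (the slides' "HTML Tag Context")
  TAG: 'TAG',                 // inside a start tag, between attributes
  ATTR_VALUE: 'ATTR_VALUE',   // inside a quoted non-URL attribute value
  URI_START: 'URI_START',     // at the first character of a URL attribute value
  URI_PATH: 'URI_PATH',       // inside the path of a URL
  URI_QUERY: 'URI_QUERY',     // inside the query string of a URL
};
const URL_ATTRS = new Set(['src', 'href']);

// Simplified HTML context state machine: feed a constant string in from
// `state` and get back the state the output is in afterwards.  `quote` is
// the character that closes the attribute value currently being emitted.
function advance(state, lit) {
  let { ctx, quote } = state;
  for (let i = 0; i < lit.length; i++) {
    const c = lit[i];
    switch (ctx) {
      case Ctx.HTML_PCDATA:
        if (c === '<') ctx = Ctx.TAG;
        break;
      case Ctx.TAG: {
        if (c === '>') { ctx = Ctx.HTML_PCDATA; break; }
        const m = /^([a-zA-Z-]+)\s*=\s*(["'])/.exec(lit.slice(i)); // name=" or name='
        if (m) {
          quote = m[2];
          ctx = URL_ATTRS.has(m[1].toLowerCase()) ? Ctx.URI_START : Ctx.ATTR_VALUE;
          i += m[0].length - 1;
        }
        break;
      }
      case Ctx.ATTR_VALUE:
        if (c === quote) ctx = Ctx.TAG;
        break;
      default: // the three URI contexts
        if (c === quote) ctx = Ctx.TAG;
        else if (c === '?') ctx = Ctx.URI_QUERY;
        else if (ctx === Ctx.URI_START) ctx = Ctx.URI_PATH;
    }
  }
  return { ctx, quote };
}

// Simplified sanitizers named after the kinds on the evaluation slide; they
// are not the Closure Templates implementations.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
const escapeHtmlAttribute = escapeHtml;
const escapeUri = (s) => encodeURIComponent(String(s));
// Allow only http, https, mailto or scheme-less URLs; anything else
// (javascript:, data:, ...) is replaced by a constructed placeholder.
function filterNormalizeUri(s) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(String(s));
  if (m && !['http', 'https', 'mailto'].includes(m[1].toLowerCase())) return '#rejected';
  return String(s);
}

// Which sanitizer each context demands.  No entry for TAG: an untrusted value
// emitted as an unquoted attribute or attribute name is a static error.
const SANITIZER_FOR = {
  [Ctx.HTML_PCDATA]: escapeHtml,
  [Ctx.ATTR_VALUE]: escapeHtmlAttribute,
  [Ctx.URI_START]: (s) => escapeHtmlAttribute(filterNormalizeUri(s)),
  [Ctx.URI_PATH]: (s) => escapeHtmlAttribute(escapeUri(s)),
  [Ctx.URI_QUERY]: (s) => escapeHtmlAttribute(escapeUri(s)),
};

// A template is a list of parts: {lit: '...'} for constants, {v: 'name'} for
// untrusted inputs.  Returns the HTML plus, for auditing, the context in
// which each input was sanitized.
function renderCsas(parts, vars) {
  let state = { ctx: Ctx.HTML_PCDATA, quote: null };
  let html = '';
  const placed = [];
  for (const p of parts) {
    if (p.lit !== undefined) {
      html += p.lit;                      // Property NOS: constants pass through as-is
      state = advance(state, p.lit);
    } else {
      const sanitize = SANITIZER_FOR[state.ctx];
      if (!sanitize) throw new Error(`static error: ${p.v} printed in context ${state.ctx}`);
      placed.push([p.v, state.ctx]);
      html += sanitize(vars[p.v]);
      if (state.ctx === Ctx.URI_START) state = { ...state, ctx: Ctx.URI_PATH };
    }
  }
  return { html, placed };
}

// Approach #1 on the slides: the same HTML escaper for every input.
function renderContextInsensitive(parts, vars) {
  return parts.map((p) => (p.lit !== undefined ? p.lit : escapeHtml(vars[p.v]))).join('');
}

// Constructed template in the shape of the slides' imgRender.
const IMG_TEMPLATE = [
  { lit: '<img src="' }, { v: 'imgLink' }, { lit: '/img?f=' }, { v: 'name' },
  { lit: '"/>' }, { v: 'name' }, { lit: '<br>' },
];

const SAMPLE = { imgLink: 'javascript:bad()', name: 'Bob & Alice' }; // constructed input
console.log(renderCsas(IMG_TEMPLATE, SAMPLE));
console.log(renderContextInsensitive(IMG_TEMPLATE, SAMPLE));
```

The `placed` list is the audit trail the architecture slide calls "Easily Auditable": it says which input was sanitized for which context, so a reviewer can check placements without reading the compiled output.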
15
Approach #2: Context-Sensitive Runtime Parsing (CSRP)
[Figure: template ImgRender($imgLink, $name) { ... } rendered as <img src="$name/img?f=$imgLink; at run time the output is parsed to find the URI START Context for $name and the URI Param Context for $imgLink, and URLSanitizer / URLParamSanitizer are applied]
[Figure: trade-off triangle, Security / Performance / Compatibility]
16
Rich Language Features
[Figure: <img src='/$name/img?f=$imgLink'/>$name<br>]
template ImgRender($imgLink, $name) {
    print("<img src='");
    x := "/" . $name . "/img?f=" . $imgLink;
    print($x);
    print "'/>" . $name . "<br>";
    return;
}
17
Rich Language Features: Control Flow
template ImgRender($imgLink, $name) {
    print("<img src='");
    if ($name != "") then
        x := "/" . $name . "/img?f=" . $imgLink;
    else
        x := $imgLink;
    fi
    print($x);
    print "'/>" . $name . "<br>";
    return;
}
[Figure: <img src='/$name/img?f=$imgLink'/>$name<br>]
Usage Contexts Statically Ambiguous: Sanitization Requirements vary by path!
18
Our Approach
[Figure: Untyped Template → Type Inference → Well-Typed IR → Compilation → Compiled Code]
• CSAS Engine
– Context Type Qualifiers
Context Type Qualifiers
• Context Type Qualifier:
– "Which contexts is a string safe to be rendered in"
TERMS → TYPES
x := "<img src='" . $imgLink;
    "<img src='" : HTMLSTART → URISTART
    $imgLink (untrusted input)
y := UrlAttribSanitize($imgLink)
    y : URISTART → URI
x := "<img src='" . y;
    x : HTMLSTART → URI
19
Type Inference: Where To Place Sanitizers?
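Where sanitizers get placed, worked as an added example that is neither the paper's engine nor Closure Templates code: a toy type-qualifier inference in JavaScript over a small template IR. Qualifiers are (start context → end context) pairs as on the TERMS/TYPES slide: a constant carries the qualifier a canonical HTML parser would assign it, an untrusted input gets the sanitizer its start context demands, concatenation composes qualifiers, and at an if both branches must leave the output in the same context. Run on the control-flow template from slide 17 it places filterNormalizeUri on one path's $imgLink and escapeUri on the other's. The context names (coarsened to the slide's HTMLSTART / URISTART / URI), the sanitizer table, the IR shape, the occurrence ids such as imgLink@start, and the static-error messages are assumptions of this example.

```javascript
// Added example, not code from the CSAS paper or from Closure Templates.
// Contexts are coarsened to the set on the type-qualifier slide (assumption).
const HTML = 'HTMLSTART';     // text between tags
const URI_START = 'URISTART'; // first character of a URL attribute value
const URI = 'URI';            // inside a URL, after its first character

// Sanitizer a raw untrusted input needs in each start context, and the
// context it leaves the output in: the qualifier of the sanitized term.
const SANITIZER = {
  [HTML]: { name: 'escapeHtml', to: HTML },
  [URI_START]: { name: 'filterNormalizeUri', to: URI },
  [URI]: { name: 'escapeUri', to: URI },
};

class StaticError extends Error {}

// Type an expression rendered starting in `ctx`: returns the end context and
// records, by occurrence id, the sanitizer wrapped around each untrusted input.
function typeExpr(e, ctx, env, placements) {
  if (e.lit !== undefined) {
    // a constant's qualifier is fixed by the parser; it must start where we are
    if (e.from !== ctx) throw new StaticError(`constant ${JSON.stringify(e.lit)} is ${e.from}->${e.to} but rendered in ${ctx}`);
    return e.to;
  }
  if (e.input) {
    const s = SANITIZER[ctx];
    if (!s) throw new StaticError(`no sanitizer for ${e.input} in ${ctx}`);
    placements[e.id] = `${s.name}(${e.input})`;
    return s.to;
  }
  if (e.concat) {
    // (a -> b) . (b -> c) = (a -> c): each piece starts where the previous ended
    return e.concat.reduce((c, piece) => typeExpr(piece, c, env, placements), ctx);
  }
  if (e.var) {
    const defs = env[e.var];
    if (!defs) throw new StaticError(`${e.var} used before definition`);
    // every definition reaching this use is typed from the use's own context
    const ends = new Set(defs.map((d) => typeExpr(d, ctx, env, placements)));
    if (ends.size !== 1) throw new StaticError(`${e.var} ends in ${[...ends].join(' or ')} depending on path`);
    return [...ends][0];
  }
  throw new StaticError('unknown expression');
}

// Walk a statement list from `ctx`; returns the context at its end.
function inferBlock(stmts, ctx, env, placements) {
  for (const s of stmts) {
    if (s.assign) {
      env[s.assign] = [s.expr]; // one reaching definition on this path
    } else if (s.print) {
      ctx = typeExpr(s.print, ctx, env, placements);
    } else if (s.cond) {
      const thenEnv = { ...env };
      const elseEnv = { ...env };
      const thenCtx = inferBlock(s.then, ctx, thenEnv, placements);
      const elseCtx = inferBlock(s.else, ctx, elseEnv, placements);
      if (thenCtx !== elseCtx) throw new StaticError(`branches end in different contexts: ${thenCtx} vs ${elseCtx}`);
      ctx = thenCtx;
      // join: a variable may now have one reaching definition per branch
      for (const v of new Set([...Object.keys(thenEnv), ...Object.keys(elseEnv)])) {
        env[v] = [...new Set([...(thenEnv[v] || []), ...(elseEnv[v] || [])])];
      }
    }
  }
  return ctx;
}

// Infer sanitizer placements for a whole template, which starts in HTML text.
function inferTemplate(stmts) {
  const placements = {};
  const end = inferBlock(stmts, HTML, {}, placements);
  return { placements, end };
}

// IR builders.  `from`/`to` on a constant is the qualifier a canonical HTML
// parser would assign it; `id` names one occurrence of an untrusted input.
const lit = (s, from, to) => ({ lit: s, from, to });
const input = (name, id) => ({ input: name, id });

// Constructed IR for the slide's control-flow template.
const IMG_RENDER = [
  { print: lit("<img src='", HTML, URI_START) },
  { cond: '$name != ""',
    then: [{ assign: 'x', expr: { concat: [lit('/', URI_START, URI), input('$name', 'name@path'),
                                           lit('/img?f=', URI, URI), input('$imgLink', 'imgLink@query')] } }],
    else: [{ assign: 'x', expr: input('$imgLink', 'imgLink@start') }] },
  { print: { var: 'x' } },
  { print: { concat: [lit("'/>", URI, HTML), input('$name', 'name@html'), lit('<br>', HTML, HTML)] } },
];

// Constructed template whose branches leave the output in different contexts,
// so the print after the join has no single sanitization requirement.
const AMBIGUOUS = [
  { cond: '$link', then: [{ print: lit("<a href='", HTML, URI_START) }], else: [] },
  { print: input('$x', 'x@after-join') },
];

console.log(inferTemplate(IMG_RENDER));
```

The placements map is keyed by input occurrence, so the $imgLink on each path gets its own sanitizer, which is how a per-path difference in sanitization requirements is resolved without developer involvement. The second template is the case this toy cannot resolve statically: the branches leave the output in different contexts, so no single sanitizer fits the print after the join, and the example reports a static error rather than guessing.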
21
Implementation & Evaluation
• Google Closure Templates
– Powers several Google products
– 3045 LOC Java
• Evaluation Benchmarks:
– 1035 templates from production Google code
– Rich Features
• 2997 calls
• 1224 print/sink statements using 600 untrusted input variables
22
Evaluation: Compatibility
• All 1035 templates auto-sanitized!
– No Developer Involvement
– No Static Errors
• Compared to original sanitization
– 21 cases differ out of 1224
– CSAS engine inferred a more accurate sanitizer
23
Evaluation: Security
[Figure: bar chart (x-axis 0–700) of the number of prints for which CSAS inferred each sanitizer: escapeHtml, escapeHtmlAttribute, filterNormalizeURI + escapeHtml, escapeJsValue, filterCSSValue, escapeJsString, escapeUri, escapeHtmlRcdata, escapeHtmlAttributeNospace, filterHtmlIdent, filterNormalizeURI; bars where a context-insensitive approach would be UNSAFE are marked]
Context-Insensitive Approach Fails on 28% of prints
24
Evaluation: Performance Overhead
JavaScript:
              CI      CSRP     CSAS
Chrome 9      3.0%    78.8%    3.0%
FF 3.6        9.6%    425%     9.6%
Safari 5      2.5%    189%     3.1%
Java:
              CI      CSRP     CSAS
Java          0%      72%      0%
Order Of Magnitude Faster Than CSRP
• Benchmarks
– Templates Only, No Other Application Logic
• Base: No Sanitization
Practical Performance: Up to 9.6%
25
Conclusion
• CSAS: A New "Push-Button" Defense Primitive
– Fast, Secure, Compatible and Auditable
– Increasing Commercial Adoption
• Other Frameworks
[Figure: adoption growth chart from July to today, y-axis 0–6000]
26
Thanks
http://code.google.com/closure/templates/docs/security.html
Questions?