Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich
MIT, Stanford University
USENIX ’09

Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications
Outline
1. Introduction
2. Web Application Security Architecture
3. Authentication Inference
4. Authorization Enforcement
5. Implementation
6. Experimental Results
7. Conclusion
1. Introduction
• The web application deploys its own authentication & access control
• FS & DB layers perform operations with the privileges of the web application
  – Not those of the user
• No defensive tools exist to automatically prevent authentication & access control vulnerabilities
• Nemesis
• Modifies the library and the interpreter
  – Shadow authentication
  – Taint tracking: follows the flow of data through string comparisons & I/O
• Does not require the behavior of the application to be modified
2. Web Application Security Architecture
• Authentication:
  – The user supplies input (credentials)
  – The application performs an authentication check to ensure they are valid
  – Once validated, it creates a login session for the user
• Access control attacks: execute server-side operations which the user might not be authorized to perform
3. Authentication Inference
• Infer when authentication has occurred
• Shadow authentication system
  – Ensures the authentication steps were actually performed
• Requires the developer to provide an “annotation”
  – Where the password and username are stored
  – External authentication function
Dynamic Information Flow Tracking
• DIFT tags each data item
  – “credential” taint bit
  – “user input” taint bit
• Taint propagation is performed in the language interpreter
  – If a source operand is tainted, the destination is tainted
2 taint tag bits
• “credential” taint bit: the data item represents a known-good password or other credential
• “user input” taint bit: the data item was supplied by the user as part of the HTTP request
• Nemesis propagates both taint bits
Nemesis
• ACL enforcement:
  – Intercept I/O operations to enforce file ACLs
  – Intercept and rewrite SQL queries to enforce DB ACLs
• DIFT:
  – 2 tag bits per object to track credentials and taint
  – Tag propagation on all operations
  – Automatic inference of authentication checks
Creating a New Login Session
• Data tagged as “user input” is compared to data tagged as “credential”
  – Using the string (in)equality operators
• The user-input password matches the one stored in the password DB
• Infer that the user has authenticated
• Annotated authentication function
Keeping the Login Session
• Uses an entirely separate session management framework
• Shadow cookie, protected by a private key
4. Authorization Enforcement
• Access control rules (ACL)
• The developer supplies ACLs for files, directories & the DB
• ACL check: the current shadow-authenticated user is permitted to execute the operation
• Restrict access to files, directories or the DB
• Little programmer effort required
• Intercept the I/O operation
Against SQL injection (too)
• Rewrite the SQL query & add a 3rd bit in the zval
• Denotes user input that may be interpreted as a SQL keyword or operator
• SQL quoting functions clear this tag bit
  – mysql_real_escape_string()
5. Implementation
• Implemented a prototype of Nemesis by modifying the PHP interpreter
• Tag bits are stored in the zval
• Due to alignment restrictions, the zval structure has a few unused bits
Tag Initialization
• Any input is tainted with the “user input” bit
• Set a global variable to store the candidate username associated with the password
• The shadow authentication system uses this candidate username to initialize the shadow cookie
  – setcookie()
Password Comparison Authentication Inference
• Performed by modifying the PHP interpreter’s string comparison operators
• Perform a check to see if the two string operands were determined to be equal
• If they are equal, and A is tagged “credential” while B is tagged “user input”: authentication succeeded
Authentication check
• Check the global variable that indicates the current shadow-authenticated user
• If not set: check whether shadow authentication information is stored in the current session file
• Otherwise: check (extract) the shadow authentication cookie
Access control check
• Check the current authenticated user against a list of accessible files on each file access
• These checks were manually inserted into applications based on the ACL
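The password-comparison inference (slide 19) and the file access control check (slide 21), modeled together in Python as an added example; this is not code from the Nemesis paper or its PHP prototype. `Tagged`, `ShadowAuth`, `login_attempt`, `check_file_acl`, and the sample password DB and ACL are all constructed here.

```python
# Added model (not the Nemesis PHP interpreter code): two taint bits, OR-propagation,
# an instrumented string equality that infers shadow authentication, and a file
# access intercepted and checked against a developer-supplied ACL.
from dataclasses import dataclass

CRED = 0b01   # "credential": known-good password or other credential
USER = 0b10   # "user input": supplied by the user in the HTTP request


@dataclass(frozen=True)
class Tagged:
    """A string value carrying its taint bits (constructed stand-in for a zval)."""
    value: str
    tag: int = 0

    def __add__(self, other):
        # Propagation rule: a tainted source operand taints the destination.
        return Tagged(self.value + other.value, self.tag | other.tag)


class ShadowAuth:
    """Shadow authentication state owned by the interpreter, not the app."""
    def __init__(self):
        self.user = None       # current shadow-authenticated user
        self.candidate = None  # username tied to the password being checked

    def str_equal(self, a, b):
        """Instrumented (in)equality operator: same result, plus inference."""
        equal = a.value == b.value
        cred_vs_user = bool((a.tag & CRED and b.tag & USER) or
                            (b.tag & CRED and a.tag & USER))
        if equal and cred_vs_user and self.candidate is not None:
            self.user = self.candidate  # user-input password matched a credential
        return equal


def login_attempt(username, password, password_db, auth):
    """Constructed app login: form fields are USER-tagged, DB rows CRED-tagged."""
    if username not in password_db:   # guard: never compare against an empty row
        return False
    auth.candidate = username
    stored = Tagged(password_db[username], CRED)
    supplied = Tagged(password, USER)
    return auth.str_equal(stored, supplied)


def check_file_acl(acl, shadow_user, path):
    """Intercepted file I/O: allowed only if the shadow user is on the path's ACL."""
    return shadow_user is not None and shadow_user in acl.get(path, ())
```

An application-level authentication bypass that skips the comparison leaves the shadow user unset, so the intercepted file access is denied regardless of what the application's own session says.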
6. Experimental Results
• Authentication bypass: shadow authentication is not affected
• Installation script that resets the administrator password: restricted by the ACL
7. Conclusion
• Novel methodology for preventing authentication & access control bypass
• Shadow authentication system: tracks user authentication state with an additional HTTP cookie
• Programmers can specify ACLs
• Little effort (< 100 LoC)