Secure Web Applications via Automatic Partitioning

Stephen Chong, Jed Liu, Andrew C. Meyers, Xin Qi, K. Vikram, Lantian

Zheng, Xin Zheng.Cornell University

Outline

Introduction Swift Architecture Writing Swift Applications WebIL Swift Runtime Evaluation Conclusion

Introduction

Web applications are a critical part of today’s infrastructure

Introduction

Web applications account for 69% of internet vulnerabilities

Developer dilemma Performance vs security

Introduction Guess a number game

Confidentiality requirement Client cannot see number

Integrity requirement Client cannot affect number of guesses Only server can decide if guess is correct

Client side only implementation Best performance Client can cheat

Swift

Building web applications that are secure by construction

Automatic partitioning of code and data

Security critical code/data placed on server side only

Code/data placed on client side for performance

Swift Architecture

Jif Source Code WebIL WebIL Optimization Splitting Code JavaScript and Java Output Partitioning and Replication

Swift Architecture

Writing Swift Applications Extensions of Jif programming language Security policies expressed using labels

Confidentiality and Integrity policies Labels refer to principals

*(server) and client principals Compiler statically checks that

information flow is consistent with policies

Trust model Un trusted client Trusted server

Sample Policies

Guess a number Application

WebIL Concerned with placement of code

and data Replace Jif labels with placement

annotations Placements chosen to optimize

responsiveness without sacrificing security

Partitioning solved as Integer programming problem

Placement Annotations

9 placement annotations

Guess-a-Number in WebIL

Partitioning Algorithm

Represent control flow as weighted directed graph Graph nodes are statements Edge weights are exec. frequencies

Integer programming problem Reduce to instance of max flow problem

Solution is placements of code/data

Partioning of Guess-a-Number

Swift Runtime Controls synchronization and

communication JavaScript runs on Client Java code runs on server

Asymmetric trust model Execution blocks Closures Activation Records

Execution Block

Methods divided into execution blocks Single entry Multiple exits Unique ids

Control transfer message Branch to block executing on different

host

Execution Blocks of Guess-a-Number

Activation Records

Execution blocks run in context of activation records

Client/server have different views of same activation record

Activation record updates forwarding between hosts

Security restrictions of forwarding

Closures

Next execution block id and activation record id

Stack of closures Correct simulation of method

calls/exceptions Integrity of control flow

Clients invoke high integrity closures in controlled way

Evaluation

Swift Compiler Jif compiler + 20K LOC Runtime system = 2.6K LOC

Six web applications implemented

Generated code size

Network messages

Conclusion

Constructing secure web applications

Automatic partitioning of functionality

Enforcement of information security policies

Programmer effort to add annotations