Secure Web Applications via Automatic Partitioning
Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Cornell University
Outline
Introduction
Swift Architecture
Writing Swift Applications
WebIL
Swift Runtime
Evaluation
Conclusion
Introduction
Web applications are a critical part of today’s infrastructure
Introduction
Web applications account for 69% of internet vulnerabilities
Developer dilemma: performance vs. security
Introduction: Guess-a-Number game
Confidentiality requirement: the client cannot see the number
Integrity requirement: the client cannot affect the number of guesses; only the server can decide whether a guess is correct
Client-side-only implementation: best performance, but the client can cheat
Swift
Building web applications that are secure by construction
Automatic partitioning of code and data
Security-critical code/data is placed on the server side only
Other code/data is placed on the client side for performance
Swift Architecture
Jif source code -> WebIL -> WebIL optimization -> partitioning and replication -> splitting code -> JavaScript (client) and Java (server) output
Writing Swift Applications
Extensions of the Jif programming language
Security policies expressed using labels: confidentiality and integrity policies
Labels refer to principals: the server principal (*) and the client principal
The compiler statically checks that information flow is consistent with the policies
Trust model: untrusted client, trusted server
Sample Policies
Guess a number Application
WebIL
Concerned with the placement of code and data
Jif labels are replaced with placement annotations
Placements are chosen to optimize responsiveness without sacrificing security
Partitioning is solved as an integer programming problem
Placement Annotations
9 placement annotations
Guess-a-Number in WebIL
Partitioning Algorithm
Represent control flow as a weighted directed graph: graph nodes are statements, edge weights are execution frequencies
Integer programming problem, reduced to an instance of the max-flow (min-cut) problem
The solution gives the placements of code and data
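The min-cut reduction on the Partitioning Algorithm slide, as an added example (not code from the paper or the Swift compiler). The model is deliberately simplified: each statement is either forced to the server, forced to the client, or free; each control-flow edge carries an execution frequency; a transfer that crosses hosts costs one message per execution; data placement and replication are left out. The Guess-a-Number statement graph, its frequencies and its forced placements are constructed for this page.

```python
# Added example (not code from the paper): Swift-style partitioning by
# min-cut / max-flow over a weighted statement graph. Simplified model:
# statements are forced to the server ('S'), forced to the client ('C'),
# or free (None); each control-flow edge carries an execution frequency
# and costs one message per execution whenever it crosses hosts.
from collections import deque

INF = float("inf")

def _augmenting_path(cap, src, sink):
    """BFS for a path with positive residual capacity; returns parent map."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v, c in cap[u].items():
            if c > 0 and v not in parent:
                parent[v] = u
                if v == sink:
                    return parent
                queue.append(v)
    return None

def max_flow(cap, src, sink):
    """Edmonds-Karp. Mutates cap into the residual graph; returns flow value."""
    flow = 0
    while True:
        parent = _augmenting_path(cap, src, sink)
        if parent is None:
            return flow
        bottleneck, v = INF, sink
        while parent[v] is not None:
            bottleneck = min(bottleneck, cap[parent[v]][v])
            v = parent[v]
        v = sink
        while parent[v] is not None:
            u = parent[v]
            cap[u][v] -= bottleneck
            cap[v][u] += bottleneck
            v = u
        flow += bottleneck

def partition(stmts, edges):
    """stmts: {name: 'S' | 'C' | None}; edges: [(a, b, frequency)].
    Returns (expected messages per run, {name: 'S' | 'C'})."""
    cap = {n: {} for n in list(stmts) + ["SRC", "SINK"]}

    def add(u, v, c):
        cap[u][v] = cap[u].get(v, 0) + c
        cap[v].setdefault(u, 0)

    for name, forced in stmts.items():
        if forced == "S":
            add("SRC", name, INF)   # uncuttable: must stay with the server
        elif forced == "C":
            add(name, "SINK", INF)  # uncuttable: must stay with the client
    for a, b, freq in edges:
        add(a, b, freq)
        add(b, a, freq)  # a host boundary costs a message in either direction
    cut = max_flow(cap, "SRC", "SINK")
    # Nodes still reachable from SRC in the residual graph form the server
    # side of the minimum cut; everything else goes to the client.
    server_side, queue = {"SRC"}, deque(["SRC"])
    while queue:
        u = queue.popleft()
        for v, c in cap[u].items():
            if c > 0 and v not in server_side:
                server_side.add(v)
                queue.append(v)
    return cut, {n: ("S" if n in server_side else "C") for n in stmts}

# Constructed Guess-a-Number statement graph. Frequencies are made-up
# per-game estimates; forced placements follow the game's policy (secret
# and try counter only on the server, UI only on the client).
GUESS_STMTS = {
    "read_guess": "C",       # UI input
    "validate_range": None,  # range check on the guess, no secret involved
    "compare_secret": "S",   # reads the secret (confidentiality)
    "inc_tries": "S",        # updates the try counter (integrity)
    "check_tries_left": None,
    "show_result": "C",      # UI output
    "reset_secret": "S",     # new game: pick a fresh secret
}
GUESS_EDGES = [
    ("read_guess", "validate_range", 5),
    ("validate_range", "read_guess", 1),      # out of range: re-prompt
    ("validate_range", "compare_secret", 4),
    ("compare_secret", "inc_tries", 4),
    ("inc_tries", "check_tries_left", 4),
    ("check_tries_left", "show_result", 3),
    ("check_tries_left", "reset_secret", 1),  # game over: new secret
    ("show_result", "read_guess", 3),
    ("reset_secret", "read_guess", 1),
]

def partition_guess_a_number():
    return partition(GUESS_STMTS, GUESS_EDGES)
```

On this graph the cut is 8 messages per game: the free range check lands on the client (moving it to the server would cut the 6-weight prompt loop instead of the 4-weight edge into compare_secret), while the free tries-left check lands on the server (client placement would cut 4 + 1 instead of 3). Forced nodes never move because their source/sink edges have infinite capacity.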
Partitioning of Guess-a-Number
Swift Runtime
Controls synchronization and communication
JavaScript runs on the client; Java code runs on the server
Asymmetric trust model
Execution blocks, closures, activation records
Execution Block
Methods are divided into execution blocks: single entry, multiple exits, unique ids
Control transfer message: a branch to a block executing on a different host
Execution Blocks of Guess-a-Number
Activation Records
Execution blocks run in the context of activation records
Client and server have different views of the same activation record
Activation record updates are forwarded between hosts
Security restrictions on forwarding
Closures
A closure is the next execution block id plus an activation record id
A stack of closures gives a correct simulation of method calls and exceptions, and integrity of control flow
Clients invoke high-integrity closures only in a controlled way
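A toy model of the three runtime slides above (execution blocks, activation records, closures), added here as an example; it is not the Swift runtime's code. Assumptions made for the illustration: blocks are Python functions tagged with a host; an activation record is a dict whose variables carry (client may read, client may write) flags standing in for Jif labels; a closure is a (block id, record id) pair; the server only accepts a control transfer for a closure it handed out itself, and only applies the client's updates to low-integrity variables. The secret, the try limit and the cheating clients are constructed for this page.

```python
# Added example (not the Swift runtime's code): a toy model of execution
# blocks, activation-record views and the closure stack. Hosts, labels and
# game values are constructed for this page.
POLICY = {   # variable -> (client may read, client may write), standing in for labels
    "secret": (False, False),   # confidentiality: never forwarded to the client
    "tries": (True, False),     # integrity: client sees it, only the server writes it
    "guess": (True, True),      # low-integrity client input
    "outcome": (True, False),
}
SECRET, MAX_TRIES = 7, 3        # fixed so the example is deterministic (constructed)

# Execution blocks: each mutates the record and returns the next block id.
def _new_game(r):
    r["secret"], r["tries"], r["outcome"] = SECRET, 0, ""
    return "prompt"

def _check(r):
    r["tries"] += 1
    if r["guess"] == r["secret"]:
        r["outcome"] = "win"
        return "done"
    if r["tries"] >= MAX_TRIES:
        r["outcome"] = "lose"
        return "done"
    return "prompt"

BLOCKS = {"new_game": ("S", _new_game), "check": ("S", _check),
          "prompt": ("C", lambda r: "check"),   # client driver fills in r["guess"]
          "done": ("C", lambda r: None)}
# Static successors; the server derives from them the closures the client may invoke next.
SUCC = {"new_game": ["prompt"], "prompt": ["check"], "check": ["done", "prompt"], "done": []}

class Server:
    def __init__(self):
        self.records = {}
        self.allowed = []   # closure stack: sets of (block id, record id)

    def start(self):
        rid = len(self.records)
        self.records[rid] = {}
        return self._run_from("new_game", rid)

    def _run_from(self, bid, rid):
        """Run server blocks until a client block is reached, then hand it over."""
        r = self.records[rid]
        while bid is not None and BLOCKS[bid][0] == "S":
            bid = BLOCKS[bid][1](r)
        if bid is None:
            return None
        nxt = {(s, rid) for s in SUCC[bid] if BLOCKS[s][0] == "S"}
        if nxt:
            self.allowed.append(nxt)   # the only legitimate re-entry points
        view = {k: v for k, v in r.items() if POLICY[k][0]}   # forwarding restriction
        return {"block": bid, "record": rid, "vars": view}

    def transfer(self, msg):
        """Control transfer message from the client: closure to enter + record updates."""
        closure = (msg["block"], msg["record"])
        if not self.allowed or closure not in self.allowed[-1]:
            raise PermissionError(f"closure {closure} is not on the closure stack")
        self.allowed.pop()
        r = self.records[msg["record"]]
        for k, v in msg["vars"].items():
            if POLICY.get(k, (False, False))[1]:
                r[k] = v   # writes to high-integrity variables are dropped
        return self._run_from(msg["block"], msg["record"])

def play(server, guesses):
    """Honest client: runs client blocks locally, transfers back on server blocks.
    Returns (outcome, list of variable sets the client was shown)."""
    msg, shown, i = server.start(), [], 0
    while msg is not None:
        bid, rid, local = msg["block"], msg["record"], dict(msg["vars"])
        shown.append(set(local))
        if bid == "prompt":
            local["guess"], i = guesses[i], i + 1
        nxt = BLOCKS[bid][1](local)
        if nxt is None:
            return local["outcome"], shown
        msg = server.transfer({"block": nxt, "record": rid, "vars": local})

def cheat_tries(server):
    """Client keeps claiming tries == 0; the write is dropped and three wrong guesses lose."""
    rid = server.start()["record"]
    for _ in range(MAX_TRIES):
        msg = server.transfer({"block": "check", "record": rid, "vars": {"guess": 1, "tries": 0}})
    return msg["block"] == "done", server.records[rid]["outcome"]

def cheat_reset(server):
    """Client tries to re-enter new_game mid-game to reset the counter."""
    rid = server.start()["record"]
    try:
        server.transfer({"block": "new_game", "record": rid, "vars": {}})
        return False
    except PermissionError:
        return True
```

The honest client never receives `secret` in any forwarded record view, its `tries` updates are ignored, and a transfer naming a block the server did not hand out as a closure is refused. In the real runtime the closure stack also tracks nested method calls and exceptions; this model only keeps the single level needed to show the control-flow integrity check.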
Evaluation
Swift compiler: Jif compiler + 20K LOC; runtime system: 2.6K LOC
Six web applications implemented
Generated code size
Network messages
Conclusion
Constructing secure web applications
Automatic partitioning of functionality
Enforcement of information security policies
Programmer effort: adding label annotations