SCRIPTGARD: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications
Prateek Saxena, UC Berkeley
David Molnar, Microsoft Research
Ben Livshits, Microsoft Research
Large-Scale Legacy Applications: How to Secure Legacy Apps?
• Step-up in scale
  • Half a million LOC
  • Shared development by teams of 100+
• What's the difference?
  • Shifting platforms isn't practical
  • Long program paths, many sanitizers applied
XSS in Large-Scale Applications
  String Img.RenderControl() { Write(userimg); }            // unsanitized output
  String Img.RenderControl() { Write(Sanitize(userimg)); }  // sanitized output
Small-Scale Apps
• Buggy sanitizer
• Missing sanitization
• [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11, Saner'08, Bek'11]
Large-Scale Applications
• New sanitization errors [CCS'11]: SCRIPTGARD
Contributions
• Does sanitization defense fail in practice?
  • 7 commercial applications, 400 KLOC
  • 2 new classes of errors in sanitizer use: how often & why
• SCRIPTGARD: automated sanitizer use analysis
  • Legacy .NET, minimal specs, concrete test cases
  • Can auto-correct sanitization during deployment
Error #1: Context-Mismatched Sanitization (CMS)
  <img src="sunset.gif" height="right">
  <a href="javascript: document.write('…');"> Diapers </a>
  <script> var name='Stewie'; </script>
• HTML tag context: HtmlEncode
• JS string context: JSStringEncode
• Input that HtmlEncode does not neutralize in the JS string context: \r\n; alert(document.cookie);
• 1,207 (4.7%) are CMS errors!
Which sanitizer to apply where?
Why Does Context-Mismatch Happen?
• The sanitization context is a global, path-sensitive property, fixed only at the output sink
• But developers select sanitizers locally
Error #2: Inconsistent Multiple Sanitization (IMS)
• Attack input reaches the same output sink through San 1 then San 2 on one path, and San 2 then San 1 on another
• Does the order matter? Is each order safe?
Inconsistent Multiple Sanitization (IMS): Does It Really Happen?
• Attack input sanitized with HtmlEncode then JSStringEncode on one path, and JSStringEncode then HtmlEncode on another
• 285 (8%) of multiple sanitizations are errors!
Why Does IMS Happen?
Server-side output (the output sink), with userlink inserted into the href attribute:
  <script> document.write('<a href="[userlink]"></a>'); </script>
Why Does IMS Happen: Nested Contexts
  <script> document.write('<a href="[userlink]"></a>'); </script>
• userlink sits in a URL attribute context nested inside a JS string context
• Browser decoding order: the JS parser runs first (JS Unicode decode: \u0022 → "), then the HTML parser (HTML-entity decode: &quot; → ")
Why Does IMS Happen: Nested Contexts
• Correct sanitizer order: HtmlEncode, then JSStringEncode. A " becomes \u0026quot;; the JS parser decodes it to &quot; and the HTML parser then decodes it to " as attribute data
• Wrong sanitizer order: JSStringEncode, then HtmlEncode. A " becomes \u0022; the JS parser decodes it to a raw " that the HTML parser treats as the attribute delimiter
• Nested contexts cause developer confusion!
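As an added worked example (not from the talk), a small Python model of the nested sink on these slides: the two sanitizers, the browser's JS-then-HTML decoding order, and a check of which sanitizer orders keep a user value as data inside the href attribute. The sanitizer and parser functions are constructed approximations, not the .NET or browser implementations.

```python
import html
import re

# Constructed models of the two sanitizers named on the slides, not the .NET code.
def html_encode(s):
    """HtmlEncode model: entity-encode & < > " (classic HtmlEncode leaves ' alone)."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

def js_string_encode(s):
    """JSStringEncode model: \\uXXXX-escape characters significant in a JS string."""
    return "".join("\\u%04x" % ord(c) if c in "\\'\"<>&\r\n" else c for c in s)

# Constructed browser model: the JS parser decodes the string literal first, then
# the HTML parser tokenizes what document.write emitted and decodes entities.
PREFIX, SUFFIX = "document.write('<a href=\"", "\"></a>');"

def js_parser_decode(s):
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)

def render(userlink, sanitizers):
    """Server-side output for the nested JS-string / URL-attribute sink."""
    for san in sanitizers:
        userlink = san(userlink)
    return PREFIX + userlink + SUFFIX

def browser_view(script):
    """Return (attribute value, markup left after the closing quote), or None
    when the raw value already terminates the JS string literal."""
    literal = script[len("document.write('"):-len("');")]
    if "'" in literal or "\n" in literal or "\r" in literal:
        return None                                   # JS string context broken
    markup = js_parser_decode(literal)               # JS parser runs first
    start = markup.index('href="') + len('href="')
    end = markup.index('"', start)                   # raw quote ends the attribute
    return html.unescape(markup[start:end]), markup[end + 1:]

def stays_in_context(userlink, sanitizers):
    """True iff the input survives as data inside the href attribute."""
    view = browser_view(render(userlink, sanitizers))
    return view is not None and view == (userlink, "></a>")

if __name__ == "__main__":
    for order in ([html_encode, js_string_encode], [js_string_encode, html_encode]):
        print([f.__name__ for f in order], stays_in_context('"', order))
```

Running it shows that only HtmlEncode followed by JSStringEncode keeps `"` inside the attribute, and that either sanitizer alone fails for some input (`"` for JSStringEncode alone, `'` or a newline for HtmlEncode alone).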
How Common Are Nested Contexts?
• Nesting depth: up to 4
Take-Aways…
Small-Scale Apps
• Buggy sanitizer
• Missing sanitization
• [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11, Saner'08, Bek'11]
Large-Scale Applications
• Shared paths lead to CMS & IMS
• Developers apply correct sanitizers wrongly
How Do We Find Sanitization Errors In Legacy Applications At Scale?
SCRIPTGARD Analysis
• Inputs: legacy .NET application, sanitizer specification, HTTP requests
• SCRIPTGARD instruments the server-side DLLs
• Output: inconsistently sanitized test cases
SCRIPTGARD Analysis: Key Ideas
• Path-sensitive positive taint-tracking (Path 1 … Path 4)
• Determine contexts with a browser model
Precise Context Determination: Browser Parser Model
How Can We Correct Sanitization Errors Automatically?
SCRIPTGARD: Can We Auto-Patch Sanitization Errors?
• The bad news: large slowdown
• Observation: less than 10% of paths are problematic
• Can we detect when a problematic path is executed? Yes!
  • Preferential Path Profiling [POPL'06]
  • Negligible overhead
SCRIPTGARD Auto-Correction
• Pre-release analysis: SCRIPTGARD produces a sanitization cache and a sanitizer patch
• Deployment: server code with light-weight instrumentation, a preferential path profiler, and the sanitizer patch
Conclusions
• 2 new patterns of errors in sanitizer use
• SCRIPTGARD
  • Effective analysis tool
  • Auto-correction with negligible overhead
You have been a wonderful audience… you stayed…
Prateek Saxena, http://www.cs.berkeley.edu/~prateeks/
Sanitizer Correction is Challenging
• Can we just replace HtmlEncode with another sanitizer?
• No: contexts vary by the path executed to the output sink