Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers (Prateek Saxena, Mike Samuel, Dawn Song)
TRANSCRIPT
Page 1: Context-Sensitive Auto-Sanitization In Web Templating Languages Using Type Qualifiers
Prateek Saxena (UC Berkeley), Mike Samuel (Google), Dawn Song (UC Berkeley)
Page 2: Script Injection Vulnerabilities
- OWASP Top Ten Vulnerabilities: 2nd in 2010 & 2011
- Today affects: major web services, client-side libraries, browser extensions, devices & smartphones
Page 3: Predominant Defense Practice
- Why does it fail?
  - Developers forget to sanitize [Pixy'06, PhpTaint'06, Cqual'04, Merlin'09, Securifly'05, PhpAspis'11]
  - Pick the wrong sanitizer [CCS'11]

Unsanitized:

```
String Div.Render() {
    print("<div>"); print(userimg); print("</div>");
}
```

Manually sanitized, calling a sanitizer library:

```
String Div.Render() {
    print("<div>"); print(Sanitize(userimg)); print("</div>");
}
```
Page 4: Vision
- Eliminate scripting attacks: make applications secure by construction
[Diagram: developer code and application code]
Page 5: Contributions
- A new "push-button" defense primitive: a "security by construction" approach
- Context-Sensitive Auto-Sanitization (CSAS)
  - New challenge: which sanitizers to place where?
  - Targets existing web templating frameworks
- It is practical: fast, auditable, compatible, secure
- Deployed commercially: Google Closure Templates powers Google+
Page 6: Web Templating Frameworks
[Diagram: the templating framework compiler turns template code into target-language code (Java, JS); application code calls the compiled template]

Template code:

```
template imgRender($imgLink, $name) {
  print("<img src=\""); print($imgLink); print "\"/>" . $name . "<br>";
  return;
}
```

Application code (calls the compiled JS template with request parameters):

```html
<script>
var o = new soy.StringBuilder();
imgRender({O: o, imgLink: $_GET('extlink'), name: $_GET('name')});
document.write(o);
</script>
```

- Template language does not have complex constructs
- Explicitly separates untrusted inputs (the template parameters) from the constant markup
Page 7: Talk Outline
- System architecture & features
- Challenges
- The CSAS engine design
- Implementation
- Evaluation & deployment
Page 8: CSAS System Architecture
[Diagram: the template goes through the compiler, which is instrumented with auto-sanitization; the output is target code (Java, JS) that the application calls and that links against a sanitizer library; the compiler can also report a static error]
Page 9: CSAS Auditability & Compatibility
[Same architecture diagram as page 8: instrumented auto-sanitization in the compiler, sanitizer library, static error output]
- Easily auditable
- Compatibility: no developer involvement; minimize static errors
- Security
- Performance
Page 10: Security & Correctness (I)
- Property CSAN: Context-Sensitive Sanitization

`template ImgRender($imgLink, $name) { ... }` renders:

```html
<img src="$name/img?f=$imgLink"/> $name<br>
```

Contexts along this line, left to right: HTML tag context (`<img`), URI START context (`$name`), URI PATH context (`/img`), URI QUERY parameter context (`$imgLink`), HTML tag context (the final `$name`). Each context needs its own sanitizer: HtmlSanitizer for the HTML contexts, URLSanitizer for the URI contexts.

Attacks vary by contexts!
Page 11: Security & Correctness (II)
- Property NOS: No Over-Sanitization

```html
<img src="/$name/img?f=$imgLink"/> $name<br>
```

Sanitize only untrusted data (`$name`, `$imgLink`), not constant strings.
Page 12: Security Assumptions
- Canonical HTML parser: flexible enough to recognize browser differences [GWT, CTemplates]
- Correct sanitizers
  - Extensive community effort [OWASP, HtmlPurify, GWT, Django]
  - Research on secure sanitization primitives [Bek'11, Hampi'09, Min'06]
  - Already used in many frameworks
Page 13: Challenges
- Easily auditable
- Compatibility
- Security
- Performance
[Triangle diagram: Security, Performance, Compatibility]
Page 14: Approach #1: Context-Insensitive Sanitization

Unsanitized template:

```
template ImgRender($imgLink, $name) {
  print("<img src=");
  x := $imgLink;
  print($x);
  print "/>" . $name . "<br>";
  return;
}
```

Context-insensitively sanitized (HtmlEncode applied to every untrusted value):

```
template ImgRender($imgLink, $name) {
  print("<img src='");
  x := HtmlEncode($imgLink);
  print($x);
  print "'/>" . HtmlEncode($name) . "<br>";
  return;
}
```

An attacker-supplied `$imgLink` of `javascript: bad();` contains no HTML metacharacters, so HtmlEncode passes it through unchanged into the `src` attribute; the scheme check this context needs was never applied.

[Triangle diagram: Security, Performance, Compatibility]

False sense of security!
Page 15: Approach #2: Context-Sensitive Runtime Parsing (CSRP)
[Diagram: the output of `template ImgRender($imgLink, $name) { ... }` is parsed as it is rendered; in `<img src="$name/img?f=$imgLink` the parser finds `$name` in the URI START context and `$imgLink` in the URI Param context, and picks URLSanitizer and URLParamSanitizer respectively at run time]
[Triangle diagram: Security, Performance, Compatibility]
Page 16: Rich Language Features

```html
<img src='/$name/img?f=$imgLink'/> $name<br>
```

```
template ImgRender($imgLink, $name) {
  print("<img src='");
  x := "/" . $name . "/img?f=" . $imgLink;
  print($x);
  print "'/>" . $name . "<br>";
  return;
}
```
Page 17: Rich Language Features: Control Flow

```
template ImgRender($imgLink, $name) {
  print("<img src='");
  if ($name != "") then
    x := "/" . $name . "/img?f=" . $imgLink;
  else
    x := $imgLink;
  fi
  print($x);
  print "'/>" . $name . "<br>";
  return;
}
```

Rendered shape when `$name` is non-empty:

```html
<img src='/$name/img?f=$imgLink'/> $name<br>
```

Usage contexts are statically ambiguous: sanitization requirements vary by path! (`$imgLink` is a URI QUERY parameter on one path and sits at URI START on the other.)
Page 18: Our Approach
- CSAS engine: context type qualifiers
[Pipeline: Untyped Template -> Type Inference -> Well-Typed IR -> Compilation -> Compiled Code]
Page 19: Context Type Qualifiers
- Context type qualifier: "which contexts is a string safe to be rendered in", written as a pair: the context the string may start in and the context it leaves the parser in

```
TERMS                               TYPES
x := "<img src='" . $imgLink;
  "<img src='"                      HTML_START -> URI_START
  $imgLink                          (untrusted: no type until a sanitizer is chosen)
y := UrlAttribSanitize($imgLink)    URI_START -> URI
x := "<img src='" . y               HTML_START -> URI
```

Type Inference: Where To Place Sanitizers?
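The mechanism described on pages 10, 11, 14 and 16 to 19, as an added example that is not code from the talk or from Closure Templates: a toy CSAS engine in JavaScript. It types every term with a start and an end context, runs a small context state machine over constant strings, inserts the sanitizer an untrusted input needs where that input flows in, composes qualifiers across concatenation, requires both arms of an `if` to end in the same context, and reports a static error otherwise. Everything here is an assumption of the example: the five-context set, the scanner (only the transitions the talk's ImgRender template needs), the sanitizer implementations and their names, the rule that a sanitized URI ends in the query context, the toy IR (`const`/`var`/`cat`/`if`/`let`/`print`), and the constructed inputs.

```javascript
// Added example, not code from the talk or from Closure Templates: a toy CSAS engine.
// Terms carry a context qualifier (start -> end); untrusted inputs get the sanitizer for
// the context they flow into; templates the engine cannot type are rejected statically.
const C = { HTML_PCDATA: 'HTML_PCDATA', HTML_TAG: 'HTML_TAG',
            URI_START: 'URI_START', URI_PATH: 'URI_PATH', URI_QUERY: 'URI_QUERY' };

// Type a constant string: run the context state machine over it from `ctx` and return
// the context it leaves the parser in. Only transitions ImgRender exercises are modelled.
function scanConst(ctx, s) {
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (ctx === C.HTML_PCDATA) { if (ch === '<') ctx = C.HTML_TAG; }
    else if (ctx === C.HTML_TAG) {
      if (ch === '>') ctx = C.HTML_PCDATA;
      else if (s.startsWith("src='", i)) { ctx = C.URI_START; i += 4; }
    } else {                                   // inside a single-quoted URI attribute
      if (ch === "'") ctx = C.HTML_TAG;
      else if (ch === '?') ctx = C.URI_QUERY;
      else if (ch === '/' && ctx === C.URI_START) ctx = C.URI_PATH;
    }
  }
  return ctx;
}

const pct = c => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0');
// encodeURIComponent leaves ' ( ) ! * alone; inside a quoted attribute the quote must go.
const escapeUri = v => encodeURIComponent(v).replace(/[!'()*]/g, pct);
// Sanitizer per context an untrusted value may flow into, plus the context the sanitized
// value is assumed to end in. Assumption: a normalized URI may already carry a query, so
// whatever follows it is typed as query (the safe side). No entry for HTML_TAG: nothing
// makes untrusted data safe between attributes, so that use is a static error.
const SANITIZERS = {
  [C.HTML_PCDATA]: { name: 'escapeHtml', end: C.HTML_PCDATA,
    fn: v => v.replace(/[&<>"']/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]) },
  [C.URI_START]: { name: 'filterNormalizeUri', end: C.URI_QUERY,
    // Any scheme other than http/https (javascript: included) becomes an innocuous "#";
    // otherwise characters that could end the quoted attribute are percent-encoded.
    fn: v => (/^[a-z][a-z0-9+.-]*:/i.test(v) && !/^https?:/i.test(v)) ? '#' : v.replace(/['"<>\s]/g, pct) },
  [C.URI_PATH]:  { name: 'escapeUri', end: C.URI_PATH,  fn: escapeUri },
  [C.URI_QUERY]: { name: 'escapeUri', end: C.URI_QUERY, fn: escapeUri },
};

class StaticError extends Error {}

// Type a term of the untyped IR in context `ctx`: returns its qualifier (start -> end) and a
// render closure. Let-bound names are re-typed at each use site (a simplification).
function typeTerm(e, ctx, env) {
  switch (e.k) {
    case 'const': return { start: ctx, end: scanConst(ctx, e.s), render: () => e.s };
    case 'var': {
      if (Object.prototype.hasOwnProperty.call(env, e.name)) return typeTerm(env[e.name], ctx, env);
      const san = SANITIZERS[ctx];
      if (!san) throw new StaticError(`untrusted $${e.name} in ${ctx}: no sanitizer`);
      return { start: ctx, end: san.end, render: i => san.fn(String(i[e.name])) };
    }
    case 'cat': {                              // qualifiers compose: end of left = start of right
      const ts = []; let cur = ctx;
      for (const p of e.parts) { const t = typeTerm(p, cur, env); ts.push(t); cur = t.end; }
      return { start: ctx, end: cur, render: i => ts.map(t => t.render(i)).join('') };
    }
    case 'if': {                               // both paths must leave the parser in one context
      const a = typeTerm(e.then, ctx, env), b = typeTerm(e.else, ctx, env);
      if (a.end !== b.end) throw new StaticError(`if branches end in ${a.end} vs ${b.end}`);
      return { start: ctx, end: a.end, render: i => (e.cond(i) ? a.render(i) : b.render(i)) };
    }
  }
}

// Compile a statement list into a render function. Sanitizers are chosen here, at compile
// time, so rendering does no parsing at all (the difference between CSAS and CSRP).
function compile(stmts) {
  const env = {}, ops = [];
  let ctx = C.HTML_PCDATA;
  for (const st of stmts) {
    if (st.k === 'let') { env[st.name] = st.e; continue; }
    const t = typeTerm(st.e, ctx, env);
    ops.push(t.render); ctx = t.end;
  }
  if (ctx !== C.HTML_PCDATA) throw new StaticError(`template ends in ${ctx}`);
  return inputs => ops.map(r => r(inputs)).join('');
}

const K = s => ({ k: 'const', s }), V = name => ({ k: 'var', name }), CAT = (...parts) => ({ k: 'cat', parts });
// The control-flow template from page 17 of the talk, written in the toy IR.
const imgRender = compile([
  { k: 'print', e: K("<img src='") },
  { k: 'let', name: 'x', e: { k: 'if', cond: i => i.name !== '',
      then: CAT(K('/'), V('name'), K('/img?f='), V('imgLink')), else: V('imgLink') } },
  { k: 'print', e: V('x') },
  { k: 'print', e: CAT(K("'/>"), V('name'), K('<br>')) },
]);

// Constructed inputs: the same payload lands in the query context on one path and at URI
// start on the other, and gets a different sanitizer on each.
function demo() {
  return {
    queryPath: imgRender({ name: 'bob', imgLink: 'javascript:bad();' }),
    uriStart: imgRender({ name: '', imgLink: 'javascript:bad();' }),
    breakout: imgRender({ name: '<b>x</b>', imgLink: "a.png' onerror='bad()" }),
    htmlEncodeOnly: SANITIZERS[C.HTML_PCDATA].fn('javascript:bad();'), // page 14: unchanged
  };
}

// Untrusted data where no sanitizer applies, or a template left mid-tag, is a static error.
function staticErrorOf(stmts) {
  try { compile(stmts); return null; } catch (e) { return e instanceof StaticError ? e.message : null; }
}
```

`demo()` renders `javascript:bad();` as a percent-encoded query value on the first path and as `#` on the second, while the page-14 style `escapeHtml` returns it untouched; `staticErrorOf` shows the compatibility cost the talk mentions, since a template such as `<img $attrs>` has no safe sanitizer and is rejected rather than rendered. The real engine tracks many more contexts (the sanitizer names on page 22 give an idea) and infers let-bound types once rather than per use.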
Page 20: Implementation & Evaluation
- Google Closure Templates: powers several Google products; 3045 LOC Java
- Evaluation benchmarks: 1035 templates from production Google code, using rich features
  - 2997 calls
  - 1224 print/sink statements using 600 untrusted input variables
Page 21: Evaluation: Compatibility
- All 1035 templates auto-sanitized! No developer involvement, no static errors
- Compared to the original (manual) sanitization: 21 cases out of 1224 differ, and in those the CSAS engine inferred a more accurate sanitizer
Page 22: Evaluation: Security
[Bar chart: number of print statements per inferred sanitizer, x-axis 0 to 700. Sanitizers in chart order: escapeHtml, escapeHtmlAttribute, filterNormalizeURI + escapeHtml, escapeJsValue, filterCSSValue, escapeJsString, escapeUri, escapeHtmlRcdata, escapeHtmlAttributeNospace, filterHtmlIdent, filterNormalizeURI. The bars where a context-insensitive sanitizer would be wrong are marked UNSAFE.]

Context-insensitive approach fails on 28% of prints.
Page 23: Evaluation: Performance Overhead

Overhead relative to a baseline with no sanitization (CI = context-insensitive, CSRP = context-sensitive runtime parsing, CSAS = this work).

JavaScript:

| Browser  | CI   | CSRP  | CSAS |
|----------|------|-------|------|
| Chrome 9 | 3.0% | 78.8% | 3.0% |
| FF 3.6   | 9.6% | 425%  | 9.6% |
| Safari 5 | 2.5% | 189%  | 3.1% |

Java:

| Target | CI | CSRP | CSAS |
|--------|----|------|------|
| Java   | 0% | 72%  | 0%   |

- Benchmarks: templates only, no other application logic
- Base: no sanitization
- Order of magnitude faster than CSRP
- Practical performance: up to 9.6% overhead
Page 24: Conclusion
- CSAS: a new "push-button" defense primitive: fast, secure, compatible and auditable
- Increasing commercial adoption
- Other frameworks
[Bar chart: adoption in July vs. today; y-axis 0 to 6000, quantity not labelled on the slide]
Page 25: Thanks
http://code.google.com/closure/templates/docs/security.html
Questions?