Secure Design: A Better Bug Repellent
Christoph Kern, IEEE SecDev '17
Security Defects
Implementation Bugs
Shallow & Localized
Patchable
Straightforward & Testable
Image credit: Vaniato/Shutterstock.com
Design Flaws
Deep & Diffuse
Complex & Costly
Subtle
Image credit: Vaniato/Shutterstock.com
Implementation Bugs
Shallow & Localized
Patchable
Straightforward & Testable
Design Flaws
Deep & Diffuse
Complex & Costly
Subtle
Ubiquitous & Recurrent
Remediable
Assurance
Essence of a Bug: Violated Precondition
● Potentially-vulnerable API or language primitive
● Precondition: Predicate on program state at call-site
● void *memcpy(void *dest, const void *src, size_t n)
requires valid_buf(dest, n) ∧ valid_buf(src, n) ∧ ¬overlaps(dest, src, n)
● *p
requires valid_buf(p, sizeof(*p))
● sql_query(db: DBConn, q: string) returns ResultSet
requires trusted_fx_sql(q)
● Element.setInnerHTML(s: string)
requires safe_fx_html(s)
Absence of Evidence ≠ Evidence of Absence
Image credit: Dave Montreuil/Shutterstock.com
Demonstrating Absence of Bugs
To show: "For all call sites, for all reachable program states, precondition holds at call site"
✔
var byline = 'by <i>' + escape_html(user_nick) + '</i>';
assert safe_fx_html(byline); // precondition
headerElem.innerHTML = byline;
?
var byline = 'by <a href=' + user_profile_url + '>' + user_nick + '</a>';
assert safe_fx_html(byline); // precondition
headerElem.innerHTML = byline;
Complex Whole-System Data Flows
function renderPost(p) {
  ...
  byEl.innerHTML = 'by <a href...>' + p.by + '</a>';
}
function onUpdate(posts) {
  ...
  renderPost(post);
}
function onXhrResp(rpc) {
  ...
  onUpdate(rpc.resp().posts());
}
Abc buildAbc(Xyz xyz) { … }
Xyz getXyz(...) { ... abcBackend.getXyz(rpc, p) }
Abc buildAbc(Xyz xyz) { … }
func putXyz(...) err { ... err := abcBe.putXyz(rpc, p) }
Abc buildAbc(Xyz xyz) { … }
Status storeXyz(const Xyz& xyz) { ... db->write(...) }
Non-Scalable Process
● Large & complex relevant program/system slices
● Complex, non-automatable reasoning
safe_fx_html(s) ≅ "s, parsed and evaluated as HTML markup, only has safe (side) effects"
○ Exact meaning of safe?
○ Undecidable post-conditions
● Moving target: The bugs just keep on coming!
Image credit: Leo Blanchette/Shutterstock.com
Scalable Implementation Security
Design Goals
Local Reasoning: Preconditions established by surrounding code
Scalable & Mandatory Expert Review
● Avoid need for expert reasoning about preconditions all throughout application code
● Confine security-relevant program slice to expert-owned/reviewed source
Inherently-safe (Precondition-free) APIs
● Public (wrapper) API without (security) preconditions
goog.dom.safe.setLocationHref = function(loc, url) {
  loc.href = isSafeSchemeOrRelativeUrl(url) ? url : 'about:invalid';
};
● Disallow use of "raw" API via static checks / lint / presubmit-hook
Types to "Teleport" Assertions
● Type contract captures asserted predicate on value
∀ v: v instanceOf SafeHtml ⇒ safe_fx_html(v.toString())
● Type contract ensured by public builders/c'tors
SafeHtml safeHtml = new SafeHtmlBuilder("div").escapeAndAppendContent(s).build();
SafeHtml safeHtml = htmlSanitizer.sanitize(untrustedHtml);
● APIs may rely on type contract
goog.dom.safe.setInnerHtml = function(el, html) {
  el.innerHTML = SafeHtml.unwrap(html);
};
new SafeHtmlBuilder("div").appendContent(safeHtml)
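The "teleported assertion" pattern from this slide, as an added JavaScript example (not Closure's goog.html.SafeHtml or the talk's own code): the only way to obtain a SafeHtml value is through a builder that escapes untrusted text, and the sink wrapper accepts nothing else. The element object, the CTOR_TOKEN trick and the method names are assumptions made for a stand-alone run outside a browser.

```javascript
// Added example: a minimal SafeHtml type whose contract is
//   v instanceof SafeHtml  =>  safe_fx_html(v.toString())
// The constructor is gated by a module-private token (assumed design), so
// only code that establishes the contract (the builder) can mint values.
const CTOR_TOKEN = Symbol('SafeHtml-ctor');

class SafeHtml {
  constructor(token, html) {
    if (token !== CTOR_TOKEN) throw new TypeError('use SafeHtmlBuilder');
    this.privateDoNotAccessHtml_ = html;
  }
  toString() { return this.privateDoNotAccessHtml_; }
  // Sinks call unwrap(); the instanceof check replaces the per-call-site
  // "assert safe_fx_html(s)" that a reviewer would otherwise have to verify.
  static unwrap(v) {
    if (!(v instanceof SafeHtml)) throw new TypeError('expected SafeHtml, got ' + typeof v);
    return v.privateDoNotAccessHtml_;
  }
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

class SafeHtmlBuilder {
  constructor(tag) {
    if (!/^[a-z][a-z0-9]*$/.test(tag)) throw new TypeError('bad tag name');
    this.tag_ = tag;
    this.parts_ = [];
  }
  // Untrusted text is escaped, so it cannot introduce markup.
  escapeAndAppendContent(text) { this.parts_.push(escapeHtml(text)); return this; }
  // Already-safe markup: the type carries the proof, no re-escaping needed.
  appendContent(safeHtml) { this.parts_.push(SafeHtml.unwrap(safeHtml)); return this; }
  build() {
    return new SafeHtml(CTOR_TOKEN, `<${this.tag_}>${this.parts_.join('')}</${this.tag_}>`);
  }
}

// Precondition-free wrapper: it cannot be called with an arbitrary string.
function setInnerHtml(el, html) { el.innerHTML = SafeHtml.unwrap(html); }

// Usage on a constructed stand-in for a DOM element (runs outside a browser).
const headerElem = { innerHTML: '' };
const byline = new SafeHtmlBuilder('i').escapeAndAppendContent('<script>x()</script>').build();
setInnerHtml(headerElem, byline); // headerElem.innerHTML is now escaped markup
```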
Global Properties from Local Reasoning + Types
Application @Google
Preventing SQL Injection Vulnerabilities
● TrustedSqlString type and builders
TrustedSqlString ≅ compile-time-constants and concatenations thereof
● Compile-time-constant expressions constraint
○ Go, C++: Natively expressible
○ Java: custom static check (based on Error-prone framework [1])
public TrustedSqlStringBuilder append(@CompileTimeConstant final String sql)
● Query APIs (Spanner [2], F1 [3]) require TrustedSqlString
Compile-Time Security
● API ensures: SQL queries have no data-flow dependency on untrusted input
● Encodes best practice ("always use bind parameters")
● Potential vulnerability → compilation error
trSqlBuilder.append("WHERE thing_id = " + thingId);
→ java/com/google/.../Queries.java:194: error: [CompileTimeConstant] Non-compile-time constant expression passed to parameter with @CompileTimeConstant type annotation.
    "WHERE thing_id = " + thingId);
    ^
Developer Ergonomics
// Ad-hoc, unsafe & vulnerable code
String sql = "SELECT ... FROM ...";
sql += "WHERE A.sharee = @user_id";
if (req.getParam("rating") != null) {
  sql += " AND A.rating >= " + req.getParam("rating");
}
Query q = db.createQuery(sql);
q.setParameter("user_id", ...);

// Safe QueryBuilder
QueryBuilder qb = new QueryBuilder("SELECT ... FROM ...");
qb.append("WHERE A.sharee = @user_id");
qb.setParameter("user_id", ...);
if (req.getParam("rating") != null) {
  qb.append(" AND A.rating >= @rating");
  qb.setParameter("rating", ...);
}
Query q = db.newQuery(qb);
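The TrustedSqlString idea from slides 18 through 20, as an added JavaScript example (not Google's Java/Go/C++ types or the talk's QueryBuilder): a tagged template literal gives the tag function the literal string parts the engine parsed from source, which plays the role of the @CompileTimeConstant check, while every interpolated value is turned into a bind parameter. The `sql` tag, the `@pN` parameter naming and the `buildRatingQuery` helper are assumptions of this example.

```javascript
// Added example: query text that can only originate from source-code
// constants; runtime values never reach the text, only the parameter map.
class TrustedSqlString {
  constructor(text, params) { this.text = text; this.params = params; Object.freeze(this); }
}

// Tag function. `strings` are the literal parts of a template literal (constants
// in the source); `values` are the ${...} expressions and become parameters.
function sql(strings, ...values) {
  if (!Array.isArray(strings) || !Array.isArray(strings.raw)) {
    throw new TypeError('sql must be used as a template tag: sql`...`');
  }
  let text = strings[0];
  const params = {};
  values.forEach((v, i) => {
    params['p' + i] = v;
    text += '@p' + i + strings[i + 1];
  });
  return new TrustedSqlString(text, params);
}

// Builder in the spirit of the talk's QueryBuilder: append() only accepts
// TrustedSqlString, so ad-hoc concatenation is rejected at the API boundary
// (here at run time; the talk's Java check rejects it at compile time).
class QueryBuilder {
  constructor(initial) { this.parts = []; this.params = {}; this.append(initial); }
  append(part) {
    if (!(part instanceof TrustedSqlString)) {
      throw new TypeError('append() requires a TrustedSqlString, not ' + typeof part);
    }
    // Renumber the fragment's @pN placeholders so independently built fragments
    // do not collide; done in one pass so renamed names are never re-matched.
    const offset = Object.keys(this.params).length;
    const text = part.text.replace(/@p(\d+)\b/g, (_, i) => '@p' + (Number(i) + offset));
    for (const [name, v] of Object.entries(part.params)) {
      this.params['p' + (Number(name.slice(1)) + offset)] = v;
    }
    this.parts.push(text);
    return this;
  }
  build() { return { text: this.parts.join(''), params: { ...this.params } }; }
}

// Mirrors the slide's optional-rating query; userId and rating stand in for
// values read from the request (constructed inputs, not from the talk).
function buildRatingQuery(userId, rating) {
  const qb = new QueryBuilder(sql`SELECT id FROM A WHERE A.sharee = ${userId}`);
  if (rating != null) qb.append(sql` AND A.rating >= ${rating}`);
  return qb.build();
}
```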
There are always exceptions...
● Command-line utilities, admin UIs, …
● Accommodating Exceptions:
○ "Unchecked conversion" from String to TrustedSqlString
○ Subject to security review
Preventing XSS Vulnerabilities [4]
● Types: SafeHtml, SafeUrl, TrustedResourceUrl, …
● Builders & Factories:
SafeHtml linkHtml = new SafeHtmlBuilder("a")
    .setTarget(TargetValue.BLANK)
    .setHref(SafeUrls.sanitize(profileUrl))
    .escapeAndAppendContent(profileLinkText)
    .build();
● Strictly Contextually Auto-escaping HTML Template Systems: Closure (aka Soy), Angular, Polymer (Resin), GWT, and proprietary frameworks
● Type-safe DOM API Wrappers (goog.dom.safe.setInnerHtml, setLocationHref, ...)
● Static check (JS Conformance) disallows XSS-prone DOM APIs (el.innerHTML = v)
Eradicating(*) XSS
● Adopted by flagship Google projects (GMail, G+, Identity Frontends, …), and underlying frameworks
● Significant reduction in bugs (10s → ~0)
● Reasonable effort
○ Legacy code: Significant one-time refactoring effort
○ New code: Straightforward/seamless
(*)almost...
Experience & Observations
● Scalable process
○ Team of ~5 security engineers/developers/maintainers
○ ~1 security engineer (weekly rotation) supporting …
○ … usage across entire Google codebase (100s if not 1000s devs)
● "Design for Reviewability"
● Developer ergonomics
● Toolchain integration
○ Type checker + few custom static checks
○ Single source repo [5]
○ Large-scale refactoring [6,7]
● Mandatory security reviews ("unchecked conversions")
○ Bazel BUILD rule visibility
Potential(*) for Security Bugs is a Security Design Flaw
(*)Widespread, throughout application code
Appendix
Open Source
● Closure SafeHtml types & DOM wrappers
● Closure Compiler Conformance
● Closure Templates Strict Contextual Escaping
● AngularJS Strict Contextual Escaping
● Polymer Strict Contextual Escaping (aka Resin)
● Safe HTML in Google Web Toolkit (GWT)
● @CompileTimeConstant checker (part of Error Prone)
● Java Safe HTML types
● Bazel build system (supports rule visibility to constrain usage)
References
[1] Aftandilian, E., Sauciuc, R., Priya, S. and Krishnan, S., 2012. Building useful program analysis tools using an extensible Java compiler. In IEEE Source Code Analysis and Manipulation (SCAM), 2012 (pp. 14-23).
[2] Corbett, J.C., et al., 2012. Spanner: Google's globally distributed database. OSDI '12, pp. 261-264.
[3] Shute, J., et al., 2013. F1: A distributed SQL database that scales. Proceedings VLDB '13, 6(11), pp. 1068-1079.
[4] Kern, C., 2014. Securing the tangled web. Communications of the ACM, 57(9), pp. 38-47.
[5] Potvin, R. and Levenberg, J., 2016. Why Google stores billions of lines of code in a single repository. Communications of the ACM, 59(7), pp. 78-87.
[6] Wright, H.K., et al., 2013. Large-Scale Automated Refactoring Using ClangMR. ICSM (pp. 548-551).
[7] Wasserman, L., 2013. Scalable, example-based refactorings with Refaster. Proceedings of the 2013 ACM Workshop on Refactoring Tools (pp. 25-28). ACM.