SCRIPTGARD: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications
Prateek Saxena (UC Berkeley), David Molnar (Microsoft Research), Ben Livshits (Microsoft Research)
Slide deck, 24 slides
Posted: 19-Dec-2015

Transcript of the slides:

Page 1

SCRIPTGARD: Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications

Prateek Saxena, UC Berkeley
David Molnar, Microsoft Research
Ben Livshits, Microsoft Research

Page 2

Large-Scale Legacy Applications

• Step-up in Scale
  – Half a Million LOC
  – Shared Development by teams of 100+

• What’s The Difference?
  – Shifting Platforms isn’t practical
  – Long Program Paths, Many sanitizers Applied

How to Secure Legacy Apps?

Page 3

XSS in Large-Scale Applications

Small-Scale Apps
• Buggy Sanitizer
• Missing Sanitization
  – [Pixy’06, PhpTaint’06, Cqual’04, Merlin’09, Securifly’05, PhpAspis’11, Saner’08, Bek’11]

Large-Scale Applications

    // user-controlled value written to the output without any sanitizer
    String Img.RenderControl() { Write(userimg); }

    // the same sink with a sanitizer applied
    String Img.RenderControl() { Write(Sanitize(userimg)); }

• New Sanitization Errors
  – [CCS’11]
• SCRIPTGARD

Page 4

Contributions

• Does Sanitization Defense Fail In Practice?
  – 7 Commercial Applications, 400 KLOC

• 2 New Classes of Errors in Sanitizer Use
  – How Often & Why

• SCRIPTGARD: Automated Sanitizer Use Analysis
  [Figure: SCRIPTGARD takes a Legacy .NET application, Minimal Specs and Concrete Test Cases as input]
  – Can Auto-Correct Sanitization During Deployment

Page 5

Error #1: Context-Mismatched Sanitization (CMS)

    <img src="sunset.gif" height="right">

    <a href="javascript: document.write('…');"> Diapers </a>

    <script> var name='Stewie'; </script>        (JS String Context)

Sanitizers: HtmlEncode, JSStringEncode
Which Sanitizer To Apply Where?

Attack input shown on the slide: \r\n; alert(document.cookie);
Contexts shown on the slide: HTML Tag Context, JS String Context

[Chart: 23904 vs. 1207]

1,207 (4.7%) are CMS errors!

Page 6

Why Does Context-Mismatch Happen?

[Figure: several program paths reach one Output Sink through a sanitizer ("San")]

Context is a Global, Path-Sensitive Property
But, developers select Sanitizers Locally

Page 7

Error #2: Inconsistent Multiple Sanitization (IMS)

[Figure: Attack Input passes through San 1 and San 2 before the Output Sink, on two paths that apply them in different orders; each path is marked "Safe?"]

Does the Order Matter?

Page 8

Inconsistent Multiple Sanitization (IMS): Does it Really Happen?

[Figure: Attack Input passes through HtmlEncode and JSStringEncode, in the two possible orders]
[Chart: 21964, 2960, 285]

285 (8%) of multiple sanitizations are errors!

Page 9

Why Does IMS Happen?

[Figure: an Output Sink producing the server-side output below, with userlink as the user-supplied value]

    <script>
    document.write('<a href="userlink"></a>');
    </script>

SERVER-SIDE OUTPUT

Page 10

Why Does IMS Happen: Nested Contexts

    <script>
    document.write('<a href="userlink"></a>');
    </script>

userlink sits in a URL Attribute Context (read by the HTML Parser) nested inside a JS String Context (read by the JS Parser).

JS Unicode Decode:   \u0022  →  "
Html-Entity Decode:  &quot;  →  "

Page 11

Why Does IMS Happen: Nested Contexts

The JS Parser (JS Unicode Decode) runs before the HTML Parser (Html-Entity Decode):

Correct Sanitizer Order:  \u0026quot;  →(JS decode)→  &quot;  →(HTML decode)→  "
Wrong Sanitizer Order:    \u0022       →(JS decode)→  "

Nested Contexts Cause Developer Confusion!
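As an added example (not code from the slides or from SCRIPTGARD), the Python below models the nested output of slides 9 to 11 with simplified stand-ins for HtmlEncode and JSStringEncode, applies them in both orders to a constructed value, and replays the browser's JS-then-HTML decoding to show which order keeps the quote inside the href value. The encoders and helper names are assumptions, not the .NET implementations.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-ins for the two sanitizers on the slide, not the .NET
# implementations: HtmlEncode entity-encodes & < > " ' and JSStringEncode
# \uXXXX-escapes everything that is not an ASCII letter or digit.
def html_encode(s):
    return html.escape(s, quote=True)

def js_string_encode(s):
    return "".join(c if c.isascii() and c.isalnum() else "\\u%04x" % ord(c)
                   for c in s)

# Browser side: the JS parser decodes the string literal first, document.write
# emits the <a> tag, and only then does the HTML parser read the href value.
def js_decode(s):
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), s)

class AnchorAttrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.attrs = attrs  # attribute values arrive entity-decoded

def browser_view(encoded):
    """Return (href value as the HTML parser sees it, attribute count)."""
    markup = '<a href="' + js_decode(encoded) + '"></a>'
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return dict(parser.attrs).get("href"), len(parser.attrs)

if __name__ == "__main__":
    userlink = 'say "hi"'  # constructed value containing the quote character
    # Correct order: innermost context (URL attribute) first, JS string last.
    print(browser_view(js_string_encode(html_encode(userlink))))  # ('say "hi"', 1)
    # Wrong order: \u0022 passes HtmlEncode untouched and the JS parser turns
    # it back into a raw quote, which ends the href value early.
    print(browser_view(html_encode(js_string_encode(userlink))))  # ('say ', 2)
```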

Page 12

How Common Are Nested Contexts?

[Chart: 16949, 2948, 1093, 104, 1234]

Nesting Depth: Up to 4

Page 13

Take-Aways…

Small-Scale Apps
• Buggy Sanitizer
• Missing Sanitization
  – [Pixy’06, PhpTaint’06, Cqual’04, Merlin’09, Securifly’05, PhpAspis’11, Saner’08, Bek’11]

Large-Scale Applications
• Shared Paths lead to…
• CMS & IMS
• Developers apply correct sanitizers wrongly

Page 14

How Do We Find Sanitization Errors In Legacy Applications At Scale?

Page 15

SCRIPTGARD Analysis

[Figure: SCRIPTGARD takes HTTP Requests (Test Cases), Instrumented Server-side DLLs of the Legacy .NET application and a Sanitizer Specification, and reports Inconsistently Sanitized Test Cases]

Page 16

SCRIPTGARD Analysis: Key Ideas

[Figure: Path 1, Path 2, Path 3, Path 4 through the application; Path-Sensitive Positive Taint-Tracking; Determine Contexts using the Browser Model]

Page 17

SCRIPTGARD Analysis: Key Ideas

Path-Sensitive Positive Taint-Tracking, then Determine Contexts, then compare the Sanitizer Sequence on each path:

  Path     Sanitizer Sequence                     Trusted?
  Path 1   HtmlAttributeEncode, JSStringEncode    +
  Path 2   HtmlEncode, JSStringEncode             -   (CMS)
  Path 3   HtmlAttributeEncode                    +
  Path 4   JSStringEncode, HtmlEncode             -   (IMS)
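As an added example, not part of the slides or of SCRIPTGARD, this Python sketch reproduces the comparison behind the table: from the context nesting the browser model determines at a sink, it derives the sanitizer sequence a path needs (innermost context first) and compares it with the sequence the path applied, reporting CMS when a sanitizer does not fit its context, IMS when the right sanitizers are in the wrong order, and MISSING when a context is left unsanitized. The context-to-sanitizer table and the sample paths are constructed assumptions; the slide does not give each path's contexts.

```python
# Constructed minimal sanitizer specification (an assumption, not SCRIPTGARD's
# spec): the sanitizer each browser context requires. Contexts are named from
# the outermost parser inward.
SPEC = {
    "html_tag": "HtmlEncode",            # text between HTML tags
    "html_attr": "HtmlAttributeEncode",  # quoted HTML attribute value
    "js_string": "JSStringEncode",       # inside a JS string literal
}

def required_sequence(contexts):
    """Sanitizers must be applied in reverse parse order: the innermost
    context is encoded first so that the outermost parser decodes last."""
    return [SPEC[c] for c in reversed(contexts)]

def classify(contexts, applied):
    """Compare the sanitizer sequence a path applied with the sequence its
    sink's context nesting requires."""
    need = required_sequence(contexts)
    if applied == need:
        return "OK"
    if sorted(applied) == sorted(need):
        return "IMS"        # right sanitizers, inconsistent order
    if len(applied) < len(need) and all(s in need for s in applied):
        return "MISSING"    # some context is left unsanitized
    return "CMS"            # a sanitizer that does not match its context

# Constructed paths: a URL attribute written from inside a JS string
# (<a href> emitted by document.write) and a plain quoted attribute.
NESTED = ["js_string", "html_attr"]
PATHS = {
    1: (NESTED, ["HtmlAttributeEncode", "JSStringEncode"]),
    2: (NESTED, ["HtmlEncode", "JSStringEncode"]),
    3: (["html_attr"], ["HtmlAttributeEncode"]),
    4: (NESTED, ["JSStringEncode", "HtmlAttributeEncode"]),
    5: (NESTED, ["JSStringEncode"]),
}

def audit(paths=PATHS):
    """Classify every path; the untrusted ones are CMS, IMS or MISSING."""
    return {p: classify(ctx, seq) for p, (ctx, seq) in paths.items()}

if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"Path {path}: {verdict}")
```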

Page 18

Precise Context Determination: Browser Parser Model

[Figure: Contexts]

Page 19

How Can We Correct Sanitization Errors Automatically?

Page 20

SCRIPTGARD: Can We Auto-Patch Sanitization Errors?

• The Bad News: Large slowdown
• Observation: Less than 10% paths problematic

Can We Detect When A Problematic Path Is Executed?
• Yes!
  – Preferential Path Profiling [POPL’06]
  – Negligible Overhead

Page 21

SCRIPTGARD Auto-Correction

[Figure: SCRIPTGARD Pre-Release Analysis produces a Sanitization Cache and a Sanitizer Patch; at Deployment, a Preferential Path Profiler runs alongside the Server Code With Light-weight Instrumentation and applies the Sanitizer Patch]

Page 22

Conclusions

• 2 New Patterns of Errors in Sanitizer Use
• SCRIPTGARD
  – Effective Analysis Tool
  – Auto-Correction with Negligible Overhead

[Chart: 23717; 285 Inconsistent Multiple Sanitization; 1207 Context-Mismatched Sanitization]

Page 23

You have been a wonderful audience… you stayed…

Prateek Saxena, http://www.cs.berkeley.edu/~prateeks/

Page 24

Sanitizer Correction is Challenging

[Figure: several paths reach the Output Sink through sanitizers ("San"), one of them HtmlEncode]

Can We Just Replace HtmlEncode with another Sanitizer? Contexts Vary By Path Executed