Slide1
SilverLine: Preventing Data Leaks from Compromised Web Applications
Yogesh Mundada, Anirudh Ramachandran, Nick Feamster
Georgia Tech
Appeared in Annual Computer Security Applications Conference (ACSAC) 2013
Slide2
Data Breach Incidents
Sony Data Breach (SQL Injection, 2011)
Citibank (Web application vulnerability, 2012)
Twitter (2013)
Adobe (2013)
90% of data leakages occur at the server.
95% of those leaks are from external attacks.
Slide3
Common Server-Side Vulnerabilities
Injection Attacks
Broken Authentication and Session Management
Insecure Direct Object References
Security Misconfiguration
Vulnerable Components and Libraries
(Open Web Application Security Project)
Slide4
Current Protection Mechanisms
Penetration testing
Automated code review
Application firewalls
Data loss prevention devices
Shortcomings:
No protection against zero-day attacks
Once compromised, can't stop data theft
Focus on protecting data, rather than the underlying system
Slide5
Design Goals
Security: Decouple data protection from the application
Deployment: Minimize changes to existing applications
Performance: Minimize overhead
Slide6
SilverLine Design Non-Goals
Kernel-level vulnerabilities
Covert channels
Malicious software on the database
Insider threats
Data modification attacks
Slide7
SilverLine Overview
Step #1: Tag Sensitive Data
Step #2: Associate User with Session
Step #3: Retrieve Data with Taints
Step #4: Track Data
Step #5: Declassify Response
Slide8
SilverLine Components
Authentication Module
Database Proxy
Information Flow Monitor
Declassifier
Slide9
SilverLine Architecture
(Architecture diagram. Components shown: Authentication Node with the User Authentication Module and its User-Auth, User-Sessions and Connection-Capabilities tables; Database Node with the Database Proxy Process, Query Parser Process, Query RegEx Table and the Web Application Database; Firewall; Server with the Webserver Process, the Information Flow Tracking Kernel and the Declassifier Process. The diagram is split into a Trusted Realm and an Untrusted Realm.)
Labelled flow in the diagram:
1. User sends login request
2. Authenticate user
3. Authenticate
4. Cookies
5. 5-tuple taints
6. Execute query
7-10. (unlabelled in the diagram; the proxy's internal steps are listed on slide 15)
12. Query results
14. Send response
15. Check session permissions
16. Return response
Slide10
Step #1: Initial Configuration
Identify and mark sensitive tables
Find unique user key
Find foreign keys
Find table groups
Find tables to monitor for insert query
Create taint-storage tables in each group
Slide11
Step #1: Configuration Example
User Table:
User-ID | Name | Transact-ID
1 | John Smith | 100
2 | Jane Doe | 200
Transaction Table:
Transact-ID | Transact-no | Item
200 | 37 | DVD
200 | 38 | PHONE
100 | 89 | BRUSH
User-Taint Table:
User-ID | Taint
1 | 'A'
2 | 'B'
Transact-Taint Table:
Transact-ID | Taint
100 | 'A'
200 | 'B'
Original query: SELECT Name FROM User WHERE User-ID = '2'
Rewritten query: SELECT Name, Taint FROM User u, User-Taint ut WHERE User-ID = '2' AND u.User-ID = ut.User-ID
Original query: SELECT Item FROM Transaction WHERE Transact-ID = '200' and Transact-no = '37'
Rewritten query: SELECT Item, Taint FROM Transaction t, Transact-Taint tt WHERE Transact-ID = '200' and Transact-no = '37' and t.Transact-ID = tt.Transact-ID
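Added example (not the paper's Lua proxy): a minimal Python query rewriter that applies the Step #1 configuration from this slide to the two queries shown, runs them against an in-memory SQLite copy of the slide's tables, and returns the requested rows together with the taint set the proxy would record for the connection (the per-connection step shown on slide 16). The function names, the subquery form of the join, and the underscore table names are assumptions of this example.

```python
import re
import sqlite3
# Constructed copy of the slide-11 tables with SQLite-safe names (underscores; "Transact"
# because TRANSACTION is a reserved word).
SCHEMA = """
CREATE TABLE User(User_ID INTEGER, Name TEXT, Transact_ID INTEGER);
INSERT INTO User VALUES (1, 'John Smith', 100), (2, 'Jane Doe', 200);
CREATE TABLE Transact(Transact_ID INTEGER, Transact_no INTEGER, Item TEXT);
INSERT INTO Transact VALUES (200, 37, 'DVD'), (200, 38, 'PHONE'), (100, 89, 'BRUSH');
CREATE TABLE User_Taint(User_ID INTEGER, Taint TEXT);
INSERT INTO User_Taint VALUES (1, 'A'), (2, 'B');
CREATE TABLE Transact_Taint(Transact_ID INTEGER, Taint TEXT);
INSERT INTO Transact_Taint VALUES (100, 'A'), (200, 'B');
"""
# Step-1 configuration: sensitive table -> (taint-storage table, key they share).
TAINT_TABLES = {"User": ("User_Taint", "User_ID"),
                "Transact": ("Transact_Taint", "Transact_ID")}
# Only single-table SELECT ... FROM ... WHERE ... is handled (the shape on the slide).
_SELECT = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)\s+(?P<where>WHERE\s+.+)$",
                     re.IGNORECASE | re.DOTALL)

def rewrite_query(sql):
    """Extend the query with a taint join; unchanged if the table is not sensitive; None if unsupported."""
    m = _SELECT.match(sql.strip().rstrip(";"))
    if not m:
        return None                      # a proxy should refuse shapes it cannot parse
    table = m.group("table")
    if table not in TAINT_TABLES:
        return sql
    taint_table, key = TAINT_TABLES[table]
    cols = ", ".join("d." + c.strip() for c in m.group("cols").split(","))
    # The original query runs untouched as a subquery, so its WHERE clause cannot become
    # ambiguous once the taint table is joined on the shared key.
    return (f"SELECT {cols}, t.Taint FROM (SELECT * FROM {table} {m.group('where')}) AS d "
            f"JOIN {taint_table} AS t ON d.{key} = t.{key}")

def fetch_with_taints(conn, sql):
    """Run the rewritten query; return the application's rows and the taints for the connection."""
    rewritten = rewrite_query(sql)
    if rewritten is None:
        raise ValueError("query shape not supported by the proxy")
    rows = conn.execute(rewritten).fetchall()
    if rewritten == sql:                 # not a sensitive table: nothing to taint
        return rows, set()
    return [row[:-1] for row in rows], {row[-1] for row in rows}

def open_example_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```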
Slide12
Step #2a: Authenticate User
(Architecture diagram from slide 9, highlighting steps 1 and 2: user sends login request; authenticate user.)
Slide13
Step #2b: Decide Session Capability
(Authentication Node, Trusted Realm: User Authentication Module with the User-Auth, User-Sessions and Connection-Capabilities tables.)
2. Authenticate {username, password}
3. Verify & Authenticate (User-Auth table)
4. Store {Cookie1, User1} (User-Sessions table)
4. Verify cookie
5. Store {SIP:SP-DIP:DP-Prot, Taint1} (Connection-Capabilities table)
Slide14
Step #3: Retrieve Taints with Data
(Architecture diagram from slide 9, highlighting steps 3 to 6: authenticate; cookies; 5-tuple taints; execute query.)
Slide15
Step #3: DB Proxy Operation
(Database Node, Trusted Realm: Database Proxy Process, Query Parser Process, Query RegEx Table, Connection-Taints Table, Web Application Database.)
6. Execute query from webserver
7. Match regular expression
8. Parse query and generate regular expressions
9. Store query, taint query
10. Execute data + taint retrieval query
11. Store {5-tuple, taint}
12. Return results to webserver
Slide16
Step #3: Apply Taint to Connection
(Database server with the database proxy in front of it.)
user table:
UserID | Username | SSN
1 | Alice | 999-99-9999
2 | Bob | 888-88-8888
user_taints table:
UserID | Taint
1 | 0xABCDEF
2 | 0x123456
Data query: "SELECT name from user WHERE UserID=1"
Modified query by proxy: "SELECT name, taint from user u, user-taints ut WHERE UserID=1 and u.UserID = ut.UserID"
Query results: 1 | Alice | 999-99-9999
Taint applied to network connection: 0xABCDEF
Slide17
Step #4: Track Data
(Architecture diagram from slide 9, highlighting steps 6 to 12: execute query; proxy steps 7-10; query results.)
Slide18
Step #4: Information Flow Tracking
Per-process taint records
Monitors system calls: IPC {send, shmat, kill}, File/Device operations {read, unlink}, Process management {fork, execve}, Memory {mmap}, Kernel configuration {sysctl}
Taint transfer with information exchange
Network database "connection-taints" to transfer taints across machines
Slide19
Step #5: Declassification
(Architecture diagram from slide 9, highlighting steps 14 to 16: send response; check session permissions; return response.)
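Added example (constructed; not the paper's kernel or Redis code): a Python model of how Step #2b's connection capabilities, Step #4's per-process taint records and Step #5's declassification check fit together, run on a constructed scenario in which a web server process that has also read another user's rows is refused when it answers the first user, and again when the data has passed through a file and a forked child. Class and method names and the 5-tuple strings are assumptions of this example.

```python
# Constructed model of SilverLine steps 2b, 4 and 5: per-process taint records, taint
# transfer on data-moving system calls, and the declassifier's release check.
class TaintMonitor:
    def __init__(self):
        self.session_caps = {}  # Connection-Capabilities: client 5-tuple -> taints it may receive
        self.conn_taints = {}   # Connection-Taints: DB-connection 5-tuple -> taints on its results
        self.proc_taints = {}   # per-process taint records
        self.file_taints = {}   # taints left on files by tainted writers
        self.decisions = []     # declassifier log: (pid, session, taints, allowed)

    def _proc(self, pid):
        return self.proc_taints.setdefault(pid, set())
    def authenticate(self, session, user_taint):      # step 2b: session gets its user's taint
        self.session_caps[session] = {user_taint}
    def record_query_taints(self, db_conn, taints):   # proxy step 11: taints of returned rows
        self.conn_taints.setdefault(db_conn, set()).update(taints)
    def sys_recv(self, pid, db_conn):                 # step 4: results carry taints into the process
        self._proc(pid).update(self.conn_taints.get(db_conn, set()))
    def sys_write(self, pid, path):                   # step 4: file inherits the writer's taints
        self.file_taints.setdefault(path, set()).update(self._proc(pid))
    def sys_read(self, pid, path):                    # step 4: reader inherits the file's taints
        self._proc(pid).update(self.file_taints.get(path, set()))
    def sys_fork(self, parent, child):                # step 4: child starts with parent's taints
        self.proc_taints[child] = set(self._proc(parent))

    def sys_send(self, pid, session):                 # step 5: declassifier
        taints, caps = self._proc(pid), self.session_caps.get(session, set())
        allowed = taints <= caps                      # every taint must be covered by the session
        self.decisions.append((pid, session, sorted(taints), allowed))
        return allowed

def scenario():
    """Constructed run: a handler that has also read Bob's rows can no longer answer Alice."""
    m = TaintMonitor()
    m.authenticate("alice-5tuple", "A")
    m.authenticate("bob-5tuple", "B")
    m.record_query_taints("db-conn-1", {"A"})          # query for Alice's own rows
    m.sys_recv(100, "db-conn-1")
    ok_alice = m.sys_send(100, "alice-5tuple")         # True: {A} <= {A}
    m.record_query_taints("db-conn-2", {"B"})          # a second query returned Bob's rows
    m.sys_recv(100, "db-conn-2")
    blocked = m.sys_send(100, "alice-5tuple")          # False: {A, B} is not within {A}
    m.sys_write(100, "/tmp/dump")                      # taint follows the data through a file
    m.sys_fork(100, 101)
    m.sys_read(101, "/tmp/dump")
    blocked_unauth = m.sys_send(101, "unauth-5tuple")  # False: no capability at all
    return ok_alice, blocked, blocked_unauth, m.decisions
```

The decisions list is the audit trail a defender would export: every refused send names the process, the session and the taints that exceeded its capability.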
Slide20
Implementation
60 lines in OSCommerce
Information Flow Control: 8,000 lines of 'C' Linux kernel code
Redis key-value store: User-Session, Connection-Capabilities, Connection-Taints, Taint-Policy
Database proxy: 350 lines of Lua code
Slide21
Implementation
Configuration:
Identify primary keys
Table groups
Foreign key relationship
Insert query monitoring for each group
In OSCommerce application: out of 50 tables, 15 were sensitive. Tables were grouped in sets of 9, 5 and 1. In all we needed 3 taint-storage tables.
Slide22
Evaluation
File fetch (small: 7%, large: 1%)
Scalability:
Login slowdown (21%)
User session slowdown (30%)
Slide23
Related Work
Data Isolation: CLAMP, Nemesis, CryptDB
Information Flow Control: HiStar, Dstar, Asbestos, Flume
Language-level Taint Tracking: RESIN, Guardrails, PHPAspis, DBTaint
Full-system Taint Tracking: TaintDroid, Neon, Panorama
Slide24
Limitations
Misconfiguration
False positives and false negatives
Data integrity
Partial deployment
Social networking applications
Integration with SDN controllers
Slide25
Conclusion
Prevent exfiltration of sensitive data, even if the application is compromised
Information flow: associate data with taints, only allow authorized user sessions to access
Very little modification to existing applications
Overhead is about 20–30% over unmodified applications
SilverLine: Protect data, rather than the application