Swift: Secure Web Applications via Automatic Partitioning - PowerPoint PPT Presentation

Swift: Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell University – PowerPoint PPT presentation

Slides: 33
Provided by: kvik5
Transcript and Presenter's Notes

1
Swift: Secure Web Applications via Automatic Partitioning
  • Stephen Chong, Jed Liu, Andrew C. Myers,
  • Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng
  • Cornell University
  • SOSP 2007 (October 15)
  • Speaker: K. Vikram

Splitting Webapps via Information Flow Types
2
Can we make web applications secure?
  • Ubiquitous, important, yet insecure
  • 61% of Internet vulnerabilities affect webapps
  • Cross-site scripting, SQL injection, Information
    Leakage, etc.
  • Development methods lack security reasoning
  • Distributed system in multiple languages
  • Client: CSS, XHTML, JavaScript, Flash
  • Server: PHP, ASP, Ruby, SQL
  • Ajax/Web 2.0: Complex JavaScript UIs generating
    HTTP requests

Source: Symantec Internet Security Threat Report 2007
3
Swift
  • Make interactive web applications secure and
    easier to write
  • Easier to Write
  • One program (in one general purpose language)
    automatically split by the compiler
  • Security by construction
  • Rich security policies as declarative annotations
  • Interactivity
  • Finding an optimal split for performance

4
The Guess-the-Number Game
Random number between 1 and 10
Secret Number 7
Tries 3
5
The Guess-the-Number Game
[Figure: animated walkthrough of the game. Components: Bounds Check, Compare Guess, Secret Number 7, Tries 3, 2, 1, 0. Screen text: "Take a Guess!"; guesses 6, 12, 4, 7; responses "Try Again", "Out of range", "You win 500"; (You have 3 chances), (You have 2 chances), (You have 1 chance).]
6
The Guess-the-Number Game
[Figure: security requirements for the game. Labels: Confidentiality Requirement; Integrity Requirement (twice); Trusted; Buggy or malicious; Secret Number 7; Tries 3; Tries 10; "I win 500"; "You win 500"; "Take a Guess!"; guesses 1 to 7; (You have 3 chances).]
7
The Guess-the-Number Game
[Figure: "A secure optimal split". Labels: Bounds Check (twice), Compare Guess, Secret Number 7, Tries 3 (twice), "Take a Guess!", (You have 3 chances).]
8
int secret;
int tries;
...
// Called from a Listener
void makeGuess (int guess) {
  if (guess >= 1 && guess <= 10) {   // Input Validation
    ...
  } else {                           // Check Fails
    message.setText("Out of range" + guess);
  }
}


9
int secret;
int tries;
...
void makeGuess (int guess) {
  if (guess >= 1 && guess <= 10) {
    boolean correct = guess == secret;   // Compare with stored secret
    if (tries > 0 && correct) {          // Successful Guess
      finishApp("You win 500!");
    }
  } else {
    message.setText("Out of range" + guess);
  }
}


10
int secret;
int tries;
...
void makeGuess (int guess) {
  if (guess >= 1 && guess <= 10) {
    boolean correct = guess == secret;   // Compare with stored secret
    if (tries > 0 && correct) {
      finishApp("You win 500!");
    } else {                             // Unsuccessful Guess
      tries--;
      if (tries > 0)
        message.setText("Try again");
      else
        finishApp("Game over");
    }
  } else {
    message.setText("Out of range" + guess);
  }
}


11
int secret;
int tries;
...
void makeGuess (int guess) {
  if (guess >= 1 && guess <= 10) {
    boolean correct = guess == secret;
    if (tries > 0 && correct) {
      finishApp("You win 500!");
    } else {
      tries--;
      if (tries > 0)
        message.setText("Try again");
      else
        finishApp("Game over");
    }
  } else {
    message.setText("Out of range" + guess);
  }
}


12
(No Transcript)
13
Writing security labels in Swift
  • A label denotes the security policy enforced on
    data (using the Decentralized Label Model [ML97])

int{server→server; server←server} secret;
int{server→client; server←server} tries;

  • The compiler allows only those information flows
    that conform to security policies (Jif [ML99])

int{server→client} display;
display = secret;
14
int{server→server; server←server} secret;
int{server→client; server←server} tries;
...
// If guess is within bounds the server is prepared to trust it
endorse (guess, {server←client} to {server←server})
if (guess >= 1 && guess <= 10) {
  // Client is allowed to learn if guess is correct
  boolean correct = declassify (guess == secret,
                                {server→server} to {server→client});
  if (tries > 0 && correct) {
    finishApp("You win 500!");
  } else {
    tries--;
    if (tries > 0)
      message.setText("Try again");
    else
      finishApp("Game over");
  }
} else {
  message.setText("Out of range" + guess);
}


15
The Swift Architecture
Jif source code
Confidentiality/ Integrity labels
label projection
WebIL code
partitioning
Server/Client Placement
Located WebIL code
GWT
Web Browser
Web Server
16
The Swift Architecture
Jif source code
label projection
WebIL code
partitioning
Located WebIL code
Java client code
Java servlet framework
Swift server runtime
Java server code
GWT runtime library
Swift client runtime
Javascript client code
GWT
HTTP
Web Browser
Web Server
17
Placement Constraints from Labels
ShC?: server and maybe client
S?C?: client or server
Sh: server only
S: server only
18
Placement Constraints from Labels
S?C?
ShC?
S
Sh
19
Placement Constraints from Labels
Security Constraints
S?C?
ShC?
Architectural Constraints
C
S
Sh
S
UI Widget calls
Database library calls
20
Guess-the-number in WebIL
Sh:    int secret;
ShC?:  int tries;
...
       void makeGuess (int guess) {
ShC?:    if (guess >= 1 && guess <= 10) {
Sh:        boolean correct = guess == secret;   // Comparison only on server
Sh:        if (tries > 0 && correct)
S?C?:        finishApp("You win 500!");
           else {
ShC?:        tries--;
S?C?:        if (tries > 0)
C:             message.setText("Try again");    // Calls to UI methods on client
S?C?:        else finishApp("Game over");
           }
         } else
C:         message.setText("Out of range" + guess);
       }

21
The Swift Architecture
Jif source code
label projection
WebIL code
partitioning
Located WebIL code
Java client code
Java servlet framework
Swift server runtime
Java server code
GWT runtime library
Swift client runtime
Javascript client code
GWT
HTTP
Web Browser
Web Server
22
Performance Optimization
  • Minimize number of network messages
  • Network latency has biggest impact on
    responsiveness
  • Control transfer might require a network message
  • Modeling the run-time behavior of the program by
    a weighted control flow graph
  • Interprocedural dataflow analysis
  • Construct an instance of the min-cut problem
  • Min-cut/Max-flow algorithm runs in O(n^3) time
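
A simplified instance of the min-cut construction described above, added here as an illustration and not taken from Swift's partitioner. It ignores replication and uses Edmonds-Karp for brevity; the node names and edge weights are constructed for the Guess-the-Number control flow.

```java
import java.util.*;

// Added illustration, not Swift's partitioner: no replication, constructed weights.
public class PlacementCut {
    static final int INF = 1_000_000;
    static final String[] NAME = {"SERVER", "boundsCheck", "compareSecret",
        "decTries", "testTries", "setText", "CLIENT"};
    // Symmetric capacities: cutting an edge of weight w costs w network messages.
    static int[][] graph() {
        int[][] c = new int[NAME.length][NAME.length];
        int[][] edges = {
            {6, 1, 10},            // client-side listener invokes the bounds check
            {1, 2, 9}, {1, 5, 1},  // in range: compare; out of range: UI message
            {2, 3, 8}, {3, 4, 8}, {4, 5, 6},  // wrong guess: tries--, test, "Try again"
            {0, 2, INF},           // Sh: comparison reads the secret, pinned to server
            {5, 6, INF},           // C: UI widget call, pinned to client
        };
        for (int[] e : edges) { c[e[0]][e[1]] += e[2]; c[e[1]][e[0]] += e[2]; }
        return c;
    }
    // Edmonds-Karp max-flow; returns which nodes end up on the server side of the cut.
    static boolean[] serverSide(int[][] c) {
        int n = c.length, s = 0, t = n - 1;
        while (true) {
            int[] prev = new int[n];
            Arrays.fill(prev, -1); prev[s] = s;
            Deque<Integer> q = new ArrayDeque<>(List.of(s));
            while (!q.isEmpty()) {          // BFS over edges with residual capacity
                int u = q.poll();
                for (int v = 0; v < n; v++)
                    if (prev[v] < 0 && c[u][v] > 0) { prev[v] = u; q.add(v); }
            }
            if (prev[t] < 0) {              // client unreachable: reached set is the cut
                boolean[] side = new boolean[n];
                for (int v = 0; v < n; v++) side[v] = prev[v] >= 0;
                return side;
            }
            int f = INF;
            for (int v = t; v != s; v = prev[v]) f = Math.min(f, c[prev[v]][v]);
            for (int v = t; v != s; v = prev[v]) { c[prev[v]][v] -= f; c[v][prev[v]] += f; }
        }
    }
    public static void main(String[] args) {
        boolean[] side = serverSide(graph());
        for (int v = 1; v < NAME.length - 1; v++)
            System.out.println(NAME[v] + " -> " + (side[v] ? "server" : "client"));
    }
}
```

The total weight of the edges crossing the returned cut is the modeled number of network messages, which is the quantity the slide says to minimize.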

23
Guess-the-number with placements
Sh:   int secret;
ShC:  int tries;
...
      void makeGuess (int guess) {
ShC:    if (guess >= 1 && guess <= 10) {        // Input validation code replicated
Sh:       boolean correct = guess == secret;
Sh:       if (tries > 0 && correct)
C:          finishApp("You win 500!");
          else {
ShC:        tries--;
C:          if (tries > 0)
C:            message.setText("Try again");
C:          else finishApp("Game over");
          }
        } else
C:        message.setText("Out of range" + guess);
      }

Each statement/field is given one of five
possible annotations: C, S, SC, Sh, ShC

24
The Swift Architecture
Jif source code
label projection
WebIL code
partitioning
Located WebIL code
GWT
Web Browser
Web Server
25
Code to execute, Local Variable Values
guess = 6
[The listing below appears twice on the slide, side by side.]
int secret;
int tries;
...
void makeGuess (int guess) {
  if (guess >= 1 && guess <= 10) {
    boolean correct = guess == secret;
    if (tries > 0 && correct)
      finishApp("You win 500!");
    else {
      tries--;
      if (tries > 0)
        message.setText("Try again");
      else finishApp("Game over");
    }
  } else
    message.setText("Out of range" + guess);
}




26
Code to execute, Local variable values
updates to locals
[The makeGuess listing again appears twice, side by side.]




27
[The makeGuess listing again appears twice, side by side.]




28
Code to execute, Local variable values
Code to execute
  • Client could cheat and request execution of
    arbitrary server code
  • Server keeps enough state about expected control
    flow
Local variable values
  • Client could corrupt local variables
  • Server does not accept updates for high integrity
    variables
Client cannot
  • Violate data integrity
  • Influence execution of high integrity code
  • Learn confidential values
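
The two server-side defenses listed on this slide, sketched as an added Java example (not code from the Swift runtime or the original slides). The class `GuessServer`, the `handle` method and the block names are hypothetical; the game logic follows the makeGuess listing.

```java
import java.util.*;

// Added illustration, not Swift's runtime; class, method and block names are hypothetical.
public class GuessServer {
    private final int secret;   // Sh: lives only on the server
    private int tries = 3;      // high integrity: the server copy is authoritative
    // Expected control flow: entry points the client may ask the server to run next.
    private final Set<String> expected = new HashSet<>(Set.of("makeGuess"));
    // Locals the client is allowed to update; all others are high integrity.
    private static final Set<String> CLIENT_WRITABLE = Set.of("guess");

    public GuessServer(int secret) { this.secret = secret; }

    // One client-to-server message: the code to execute plus local variable values.
    public String handle(String block, Map<String, Integer> updates) {
        if (!expected.contains(block))
            return "rejected: unexpected control transfer to " + block;
        for (String name : updates.keySet())
            if (!CLIENT_WRITABLE.contains(name))
                return "rejected: update to high-integrity variable " + name;
        Integer guess = updates.get("guess");
        // The bounds check is repeated on the server before the guess is trusted.
        if (guess == null || guess < 1 || guess > 10) return "Out of range";
        boolean correct = guess == secret;   // only this one bit is released
        if (tries > 0 && correct) { expected.clear(); return "You win 500!"; }
        tries--;
        if (tries > 0) return "Try again";
        expected.clear();                    // game over: no further code may run
        return "Game over";
    }

    public static void main(String[] args) {
        GuessServer s = new GuessServer(7);  // constructed sample session
        System.out.println(s.handle("finishApp", Map.of()));   // forged "I win" request
        System.out.println(s.handle("makeGuess", Map.of("guess", 7, "tries", 10)));
        System.out.println(s.handle("makeGuess", Map.of("guess", 12)));
        System.out.println(s.handle("makeGuess", Map.of("guess", 4)));
        System.out.println(s.handle("makeGuess", Map.of("guess", 7)));
        System.out.println(s.handle("makeGuess", Map.of("guess", 7)));  // after the game ended
    }
}
```

The secret never appears in any return value, so the client learns only the result of each comparison.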

29
Evaluation: Code size measurements
Secret Keeper 324 lines
Guess-the-Number 142 lines
Poll 113 lines
Shop 1094 lines
Auction 502 lines
Treasure Hunt 92 lines
30
Evaluation: Network message counts
Example           Task                Actual          Actual          Optimal         Optimal
                                      Server→Client   Client→Server   Server→Client   Client→Server
Guess-the-Number  guessing a number   1               2               1               1
Shop              adding an item      0               0               0               0
Poll              casting a vote      1               1               0               1
Secret Keeper     viewing the secret  1               1               1               1
Treasure Hunt     exploring a cell    1               2               1               1
Auction           bidding             1               1               1               1
31
Related Work
Swift
  • Unified Programming Models
  • Links [CLWY 06]
  • Hop [SGL 06]
  • Hilda [YGQDGS 07, YSRG 06]
  • Web Application Security
  • Static Analysis
  • [HYHTLK 04], [XA 06], [JKK 06]
  • Dynamic Taint Tracking
  • [HO 05], [NGGE 05], [XBS 06], [CVM 07]
  • Security by construction
  • Jif/Split [ZZNM 02, ZCMZ 03]
  • Fairplay [MNPS 04]
  • SMCL [NS 07]

- Security - Replication for responsiveness - Automated, fine-grained optimization
- Tracking over multiple requests - Client side computation - Confidentiality
- Bigger, more practical applications - Web application security
32
Conclusions/Questions?
  • Web applications are critical and handle
    sensitive data
  • Secure web applications are hard to write
  • The Swift programming system provides
  • Greater security assurance
  • A responsive interface
  • Cleaner programming model
  • http://www.cs.cornell.edu/jif/swift/