MULTI-REPRESENTATIONAL SECURITY ANALYSIS

Transcription

1 MULTI-REPRESENTATIONAL SECURITY ANALYSIS Eunsuk Kang MIT CSAIL ExCAPE Webinar April 30, 2015

2 Third-Party Authentication OAuth protocol Widely adapted, support from major vendors Analyzed formally using verification tools

3 Empirical study of OAuth providers [Sun & Beznosov, CCS12] Majority of them vulnerable (Google, Facebook,...)

4 Provably Secure, Practically Vulnerable? Protocol analysis at the abstract level Agents, messages, and rules at each protocol step RFC OAuth 2.0, Internet Engineering Task Force

5 Provably Secure, Practically Vulnerable? Protocol analysis at the abstract level Agents, messages, and rules at each protocol step Attacks exploiting details absent from model Unanticipated behavior from browser features e.g. HTTP redirects, hidden forms Design flaws, not just bugs in code Blame protocol designers? Can t predict all manners in which protocol will be used!

6 Abstractions in System Design Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API Most systems too complex Decompose into overlapping aspects

7 Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API System designer One system view/abstraction at a time Exclude details in other views

8 Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API System designer One system view/abstraction at a time Exclude details in other views

9 Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API Attacker Jump between abstractions & combine details Property held over one view might be violated in another!

10 Poirot A framework for incremental reasoning of security properties across multiple abstraction boundaries

11 Standard Verification Framework Property P Verification Engine Analysis Result System Model M S M S P?

12 Our Framework: Poirot Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

13 Our Framework: Poirot Property P Verification Engine Analysis Result M S M S P? System Model Composition Operator Start with & analyze an initial model MS Mapping Domain Model Library

14 Our Framework Property Verification Engine Analysis Result System Model Composition Operator Mapping M D Domain Model Library Generic, reusable models e.g., browser, protocols

15 Our Framework Property Verification Engine Analysis Result System Model M S Composition Operator Elaboration of MS with knowledge in MD Mapping M' K M D Domain Model Library M' = Compose(M S,M D,K)

16 Our Framework Property P Verification Engine Analysis Result M' M' P? System Model Composition Operator Re-analyze P & repeat Mapping Domain Model Library

17 Key Features Increment, iterative analysis Start with an initial model, elaborate, analyze & repeat Find & fix simple attacks first, complex ones later Explore impact of design alternatives Reusing domain knowledge Encoded by domain experts Reusable across multiple systems Details hidden from user

18 System Model Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

19 Modeling Approach Inspirations Architectural description languages Process algebras (CSP) Structure Components with input/output channels End-to-end dataflow through channels Behavior Trace-based semantics (event traces) Declarative constraints for specifying behavior

20 Structure Model Components (C), operations (O), datatypes (D) AddItem Customer ShowCart MyStore D = {CustomerID, ItemID, Cart, Credential, Order}

21 Structure Component Input & output channels Each channel typed to an operation Connection between channels with the same type AddItem Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore

22 Structure Component states Encoded as relations Updated by operations AddItem ShowCart MyStore creds CustomerID x Credential cart CustomerID x ItemID orders CustomerID x Order

23 Behavior Behavior as traces A stream of events generated through each channel Behavior of a component set of all possible traces beh: C P(T) AddItem Y 1 ShowCart Y 2 MyStore

24 Behavior Interaction Parallel composition, synchronized on shared operation AddItem Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore additem1, additem2, showcart1 beh(customer MyStore)

25 Behavior Restricting behavior Each channel associated with a guard condition Specified as a declarative constraint AddItem(cust: CustomerID, item: ItemID, cred: Credential) Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore creds CustomerID x Credential Guard on Y1: e E (e.cust, e.cred) p.creds

26 Dataflow Model Inter-component data flow Transmitted as arguments of an operation v hasaccess(c, t) if c has access to value v after trace t hasaccess: (C x T) P(V) Assumptions c has access to value v if (1) it initially knows v or (2) it has received an event with v as argument Can send an event only if it has access to all arguments

27 Verification Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

28 Analysis Encoding in Alloy Modeling language based on first-order relational logic Translation to a SAT formula; solve(m P) Bounded verification (trace length, data values) Properties Confidentiality & integrity More broadly, safety properties Customer should be able to access only its own orders t T, o: Order, s: MyStore, c: Customer o hasaccess(c, t) (c.id, o) s.orders(t)

29 Domain Model Library Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

30 Domain Model Library Web-related domain models Category Models Component Browser, HTTP server, network endpoint Feature Protocol Encryption, scripting, same-origin policy, crosssite origin requests (CORS), PostMessage SSL, OAuth, OpenID Benefits Amortized cost; built once, reused multiple times Expertise not required of user

31 Composition Operator Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

32 Composing Models Problem Two partial models, describing different viewpoints With distinct vocabularies But potentially overlapping in reality AddItem M1: Store model Customer ShowCart MyStore Relate? M2: HTTP model Browser HttpReq Server

33 Representations Representation relation (R) Informally, represented as deployed as, implemented as, encoded as S 1 S 2 (S1, S2) R Formally, every instance of S1 is also an instance of S2 Introduced between a pair of components, operations, datatypes i.e., R = (RC, RO, RD)

34 Relating Elements Representation as a way of describing overlaps HttpReq AddItem HttpReq = AddItem' M1 M2 M (AddItem, HttpReq) R i.e. AddItem is implemented as a kind of HTTP requests

35 Mapping Elements Describe how members of the two sets are mapped AddItem(customer: CustomerID, item: ItemID, cred: Credential) HttpReq AddItem HttpReq = AddItem' HttpReq(method: Method, url: URL, headers: set Header) Mapping as a concretization relation Corresponds to design decisions!

36 Complex Mapping MyStore OAuth Client Server = MyStore' OAuthClient Server i.e. MyStore is deployed as HTTP server and also participates in OAuth protocol

37 Behavior Expansion Effects of composition Possible introduction of behavior into the system Previously verified properties may no longer hold! Types of expansion Channel Addition Dataflow Expansion Alphabet Expansion AddItem Customer ShowCart MyStore Browser HttpReq Server

38 Channel Addition AddItem Customer MyStore AddItem Customer Browser Customer [Browser] MyStore HttpReq Server Component obtains channels & generates new events Customer interacts with other HTTP servers Allows attacks where attacker sets up malicious pages

39 Dataflow Expansion AddItem Customer MyStore AddItem(CustomerID, ItemID, Cred) Customer Browser Cred Header Customer [Browser] MyStore HttpReq(Method, URL, set Header) Server New types of data flow into component Server may now receive credentials as headers

40 Alphabet Expansion AddItem Customer Customer Browser AddItem [HttpReq] MyStore MyStore [Server] MyStore Server AddItem HttpReq Component generates new event types Any HTTP client can invoke AddItem operation Can t assume how AddItem will be invoked Common mistake among web developers!

41 Composition Operator Composition function M = compose(m1, M2, K) with mappings K = (KC, KO, KD) Two-step procedure For each pair (S1, S2) appearing in K: 1. Merge Introduce representation relation between S1 & S2 2. Refine Constrain members of S1 & S2 according to K

42 Merge 1. Introduce representation relation between S1 & S2 Construct S1 that obtains characteristics (channels, arguments, fields) of S1 & S2 AddItem Customer MyStore MyStore Server Customer Browser AddItem [HttpReq] AddItem HttpReq Customer [Browser] MyStore [Server] In resulting model M : (MyStore, Server) RC (Customer, Browser) RC Browser HttpReq Server (AddItem, HttpReq) RO

43 Refine 2. Constrain members of S1 & S2 according to K Specified as a declarative constraint AddItem HttpReq AddItem(customer: CustomerID, item: ItemID, cred: Credential) HttpReq(method: Method, url: URL, headers: set Header) {a: AddItem, c: HttpReq c.method = POST a.customer c.url.query a.item c.url.query a.cred c.headers } KO

44 Partial Mappings Mapping can be partially specified AddItem HttpReq {a: AddItem, c: HttpReq c.method = POST } KO Analyzer generates mapping that leads to attack! User can leave some design decisions unknown & interactively explore alternative mappings

45 Case Studies Two publicly deployed sites IFTTT End-user service composition HandMe.In Personal item tracking with QR code

46 Case Studies Two publicly deployed sites IFTTT & HandMe.In Methodology Start with an abstract workflow model Elaborate with domain models & re-analyze Replay attacks on the concrete system Results Previously unknown attacks on both sites Confirmed with the developers Analysis times < 15 seconds Modeling effort: 1~2 weeks

47 Attack on IFTTT Authentication on IFTTT User creates a recipe with trigger & action IFTTT must be given third-party access to both (OAuth)

48 Attack on IFTTT Confidentiality Property User s private data is not accessible to attacker

49 Attack on IFTTT Login CSRF Attacker tricks user into signing in under its credentials Relatively minor; may see history of user s actions But in combination with IFTTT Security consequences far greater! Can leak private data through IFTTT channels Complex interaction Between IFTTT, OAuth, browser models

50 Attack on IFTTT Login Authorize Blogger [Server] CreateBlog User [Browser] Req Server (Evil) PostPhoto Create Recipe IFTTT [Server] Facebook [Server] Notify

51 Attack on IFTTT Login Authorize Google Blogger [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 1. User visits a page hosted by evil server Req PostPhoto Server (Evil) Facebook [Server]

52 Attack on IFTTT Login Blogger Google [Server] CreateBlog Authorize 2. User gets logged User [Browser] Create Recipe IFTTT [Server] Notify onto Blogger under attacker s credential Req Server (Evil) PostPhoto Facebook [Server]

53 Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 3. User creates a new recipe on IFTTT Req PostPhoto Server (Evil) Facebook [Server]

54 Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog 4. Blogger authorizes User [Browser] Create Recipe IFTTT [Server] Notify IFTTT to perform action, but under the attacker s account! Req PostPhoto Server (Evil) Facebook [Server]

55 Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 5. User posts a photo on Facebook Req PostPhoto Server (Evil) Facebook [Server]

56 Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 6. IFTTT is notified of the trigger Req PostPhoto Server (Evil) Facebook [Server]

57 Attack on IFTTT Login Blogger Google [Server] CreateBlog Authorize 7. IFTTT creates a User [Browser] Create Recipe IFTTT [Server] Notify new blog on the attacker s account, with the user s photo! Req Server (Evil) PostPhoto Facebook [Server]

58 Internet of Things Security (Collaboration with Hamid Bagheri)

59 Looking Ahead Property P Verification Engine Analysis Result M' M' P? System Model M S M' Composition Operator M D Mapping K Domain Model Library Synthesis: Construct K that satisfies P

60 Looking Ahead Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library Model Extraction: Mine specs from domain sources (e.g. CVE)

61 Poirot A framework for incremental analysis of security properties across multiple system abstractions Any questions?