MULTI-REPRESENTATIONAL SECURITY ANALYSIS

Similar documents
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities

JVA-122. Secure Java Web Development

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Developing ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led

OAuth: Where are we going?

Gateway Apps - Security Summary SECURITY SUMMARY

Criteria for web application security check. Version

Developing ASP.NET MVC 4 Web Applications MOC 20486

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Secure Coding SSL, SOAP and REST. Astha Singhal Product Security Engineer salesforce.com

OAuth2 and UMA for ACE draft-maler-ace-oauth-uma-00.txt. Eve Maler, Erik Wahlström, Samuel Erdtman, Hannes Tschofenig

Where every interaction matters.

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Next Generation Clickjacking

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Onegini Token server / Web API Platform

MANAGED SECURITY TESTING

Developing ASP.NET MVC 4 Web Applications

Magento Security and Vulnerabilities. Roman Stepanov

elearning for Secure Application Development

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

What is Web Security? Motivation

PCI Compliance Updates

Automatic Analysis of Browser-based Security Protocols

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

(WAPT) Web Application Penetration Testing

Application Security Testing. Generic Test Strategy

Network Security Essentials Chapter 5

OAuth. Network Security. Online Services and Private Data. A real-life example. Material and Credits. OAuth. OAuth

Common Criteria Web Application Security Scoring CCWAPSS

The Top Web Application Attacks: Are you vulnerable?

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Mobile Security. Policies, Standards, Frameworks, Guidelines

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Single Sign On. SSO & ID Management for Web and Mobile Applications

The Devil is Phishing: Rethinking Web Single Sign On Systems Security. Chuan Yue USENIX Workshop on Large Scale Exploits

SCAS: AN IMPROVED SINGLE SIGN-ON MODEL BASE ON CAS

Rational AppScan & Ounce Products

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

itds OAuth Integration Paterva itds OAuth Integration Building and re-using OAuth providers within Maltego 2014/09/22

Introduction to Automated Testing

Cloud Security Through Threat Modeling. Robert M. Zigweid Director of Services for IOActive

Axway API Gateway. Version 7.4.1

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Identity Implementation Guide

Webmail Using the Hush Encryption Engine

Workday Mobile Security FAQ

Hack Proof Your Webapps

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Chapter 7 Transport-Level Security

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

The increasing popularity of mobile devices is rapidly changing how and where we

i. Node Y Represented by a block or part. SysML::Block,

Dashlane Security Whitepaper

Web application security

05.0 Application Development

An Insight into Cookie Security

Web Application Security Assessment and Vulnerability Mitigation Tests

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Secure Programming Lecture 12: Web Application Security III

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

SAML AS AN SSO STANDARD FOR CUSTOMER IDENTITY MANAGEMENT. How to Create a Frictionless, Secure Customer Identity Management Strategy

Revision 1.0. September ICS Learning Group

OWASP Top Ten Tools and Tactics

IBM WebSphere Application Server

How To Manage Web Content Management System (Wcm)

Copyright: WhosOnLocation Limited

OpenID Connect 1.0 for Enterprise

Authentication Integration

D. Best Practices D.1. Assurance The 5 th A

Login with Amazon. Developer Guide for Websites

A Study of What Really Breaks SSL HITB Amsterdam 2011

Introduction to SAML

FileCloud Security FAQ

Title Page. Hosted Payment Page Guide ACI Commerce Gateway

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

Chap 1. Introduction to Software Architecture

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

SAML and OAUTH comparison

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

PRIVACY AWARE ACCESS CONTROL FOR CLOUD-BASED DATA PLATFORMS

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

Mashery OAuth 2.0 Implementation Guide

WHITE PAPER Usher Mobile Identity Platform

Sage Integration Cloud Technology Whitepaper

RTC-Web Security Considerations

Implementation Vulnerabilities in SSL/TLS

Password Power 8 Plug-In for Lotus Domino Single Sign-On via Kerberos

Cleaning Encrypted Traffic

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Transcription:

MULTI-REPRESENTATIONAL SECURITY ANALYSIS Eunsuk Kang MIT CSAIL ExCAPE Webinar April 30, 2015

Third-Party Authentication OAuth protocol Widely adapted, support from major vendors Analyzed formally using verification tools

Empirical study of OAuth providers [Sun & Beznosov, CCS12] Majority of them vulnerable (Google, Facebook,...)

Provably Secure, Practically Vulnerable? Protocol analysis at the abstract level Agents, messages, and rules at each protocol step RFC OAuth 2.0, Internet Engineering Task Force

Provably Secure, Practically Vulnerable? Protocol analysis at the abstract level Agents, messages, and rules at each protocol step Attacks exploiting details absent from model Unanticipated behavior from browser features e.g. HTTP redirects, hidden forms Design flaws, not just bugs in code Blame protocol designers? Can t predict all manners in which protocol will be used!

Abstractions in System Design Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API Most systems too complex Decompose into overlapping aspects

Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API System designer One system view/abstraction at a time Exclude details in other views

Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API System designer One system view/abstraction at a time Exclude details in other views

Abstraction vs Security Customer authentication Shopping cart interaction Payment workflow Delivery processing Deployment on HTTP Mobile app API Attacker Jump between abstractions & combine details Property held over one view might be violated in another!

Poirot A framework for incremental reasoning of security properties across multiple abstraction boundaries

Standard Verification Framework Property P Verification Engine Analysis Result System Model M S M S P?

Our Framework: Poirot Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

Our Framework: Poirot Property P Verification Engine Analysis Result M S M S P? System Model Composition Operator Start with & analyze an initial model MS Mapping Domain Model Library

Our Framework Property Verification Engine Analysis Result System Model Composition Operator Mapping M D Domain Model Library Generic, reusable models e.g., browser, protocols

Our Framework Property Verification Engine Analysis Result System Model M S Composition Operator Elaboration of MS with knowledge in MD Mapping M' K M D Domain Model Library M' = Compose(M S,M D,K)

Our Framework Property P Verification Engine Analysis Result M' M' P? System Model Composition Operator Re-analyze P & repeat Mapping Domain Model Library

Key Features Increment, iterative analysis Start with an initial model, elaborate, analyze & repeat Find & fix simple attacks first, complex ones later Explore impact of design alternatives Reusing domain knowledge Encoded by domain experts Reusable across multiple systems Details hidden from user

System Model Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

Modeling Approach Inspirations Architectural description languages Process algebras (CSP) Structure Components with input/output channels End-to-end dataflow through channels Behavior Trace-based semantics (event traces) Declarative constraints for specifying behavior

Structure Model Components (C), operations (O), datatypes (D) AddItem Customer ShowCart MyStore D = {CustomerID, ItemID, Cart, Credential, Order}

Structure Component Input & output channels Each channel typed to an operation Connection between channels with the same type AddItem Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore

Structure Component states Encoded as relations Updated by operations AddItem ShowCart MyStore creds CustomerID x Credential cart CustomerID x ItemID orders CustomerID x Order

Behavior Behavior as traces A stream of events generated through each channel Behavior of a component set of all possible traces beh: C P(T) AddItem Y 1 ShowCart Y 2 MyStore

Behavior Interaction Parallel composition, synchronized on shared operation AddItem Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore additem1, additem2, showcart1 beh(customer MyStore)

Behavior Restricting behavior Each channel associated with a guard condition Specified as a declarative constraint AddItem(cust: CustomerID, item: ItemID, cred: Credential) Customer X 1 X 2 Y 1 Y 2 ShowCart MyStore creds CustomerID x Credential Guard on Y1: e E (e.cust, e.cred) p.creds

Dataflow Model Inter-component data flow Transmitted as arguments of an operation v hasaccess(c, t) if c has access to value v after trace t hasaccess: (C x T) P(V) Assumptions c has access to value v if (1) it initially knows v or (2) it has received an event with v as argument Can send an event only if it has access to all arguments

Verification Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

Analysis Encoding in Alloy Modeling language based on first-order relational logic Translation to a SAT formula; solve(m P) Bounded verification (trace length, data values) Properties Confidentiality & integrity More broadly, safety properties Customer should be able to access only its own orders t T, o: Order, s: MyStore, c: Customer o hasaccess(c, t) (c.id, o) s.orders(t)

Domain Model Library Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

Domain Model Library Web-related domain models Category Models Component Browser, HTTP server, network endpoint Feature Protocol Encryption, scripting, same-origin policy, crosssite origin requests (CORS), PostMessage SSL, OAuth, OpenID Benefits Amortized cost; built once, reused multiple times Expertise not required of user

Composition Operator Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library

Composing Models Problem Two partial models, describing different viewpoints With distinct vocabularies But potentially overlapping in reality AddItem M1: Store model Customer ShowCart MyStore Relate? M2: HTTP model Browser HttpReq Server

Representations Representation relation (R) Informally, represented as deployed as, implemented as, encoded as S 1 S 2 (S1, S2) R Formally, every instance of S1 is also an instance of S2 Introduced between a pair of components, operations, datatypes i.e., R = (RC, RO, RD)

Relating Elements Representation as a way of describing overlaps HttpReq AddItem HttpReq = AddItem' M1 M2 M (AddItem, HttpReq) R i.e. AddItem is implemented as a kind of HTTP requests

Mapping Elements Describe how members of the two sets are mapped AddItem(customer: CustomerID, item: ItemID, cred: Credential) HttpReq AddItem HttpReq = AddItem' HttpReq(method: Method, url: URL, headers: set Header) Mapping as a concretization relation Corresponds to design decisions!

Complex Mapping MyStore OAuth Client Server = MyStore' OAuthClient Server i.e. MyStore is deployed as HTTP server and also participates in OAuth protocol

Behavior Expansion Effects of composition Possible introduction of behavior into the system Previously verified properties may no longer hold! Types of expansion Channel Addition Dataflow Expansion Alphabet Expansion AddItem Customer ShowCart MyStore Browser HttpReq Server

Channel Addition AddItem Customer MyStore AddItem Customer Browser Customer [Browser] MyStore HttpReq Server Component obtains channels & generates new events Customer interacts with other HTTP servers Allows attacks where attacker sets up malicious pages

Dataflow Expansion AddItem Customer MyStore AddItem(CustomerID, ItemID, Cred) Customer Browser Cred Header Customer [Browser] MyStore HttpReq(Method, URL, set Header) Server New types of data flow into component Server may now receive credentials as headers

Alphabet Expansion AddItem Customer Customer Browser AddItem [HttpReq] MyStore MyStore [Server] MyStore Server AddItem HttpReq Component generates new event types Any HTTP client can invoke AddItem operation Can t assume how AddItem will be invoked Common mistake among web developers!

Composition Operator Composition function M = compose(m1, M2, K) with mappings K = (KC, KO, KD) Two-step procedure For each pair (S1, S2) appearing in K: 1. Merge Introduce representation relation between S1 & S2 2. Refine Constrain members of S1 & S2 according to K

Merge 1. Introduce representation relation between S1 & S2 Construct S1 that obtains characteristics (channels, arguments, fields) of S1 & S2 AddItem Customer MyStore MyStore Server Customer Browser AddItem [HttpReq] AddItem HttpReq Customer [Browser] MyStore [Server] In resulting model M : (MyStore, Server) RC (Customer, Browser) RC Browser HttpReq Server (AddItem, HttpReq) RO

Refine 2. Constrain members of S1 & S2 according to K Specified as a declarative constraint AddItem HttpReq AddItem(customer: CustomerID, item: ItemID, cred: Credential) HttpReq(method: Method, url: URL, headers: set Header) {a: AddItem, c: HttpReq c.method = POST a.customer c.url.query a.item c.url.query a.cred c.headers } KO

Partial Mappings Mapping can be partially specified AddItem HttpReq {a: AddItem, c: HttpReq c.method = POST } KO Analyzer generates mapping that leads to attack! User can leave some design decisions unknown & interactively explore alternative mappings

Case Studies Two publicly deployed sites IFTTT End-user service composition HandMe.In Personal item tracking with QR code

Case Studies Two publicly deployed sites IFTTT & HandMe.In Methodology Start with an abstract workflow model Elaborate with domain models & re-analyze Replay attacks on the concrete system Results Previously unknown attacks on both sites Confirmed with the developers Analysis times < 15 seconds Modeling effort: 1~2 weeks

Attack on IFTTT Authentication on IFTTT User creates a recipe with trigger & action IFTTT must be given third-party access to both (OAuth)

Attack on IFTTT Confidentiality Property User s private data is not accessible to attacker

Attack on IFTTT Login CSRF Attacker tricks user into signing in under its credentials Relatively minor; may see history of user s actions But in combination with IFTTT Security consequences far greater! Can leak private data through IFTTT channels Complex interaction Between IFTTT, OAuth, browser models

Attack on IFTTT Login Authorize Blogger [Server] CreateBlog User [Browser] Req Server (Evil) PostPhoto Create Recipe IFTTT [Server] Facebook [Server] Notify

Attack on IFTTT Login Authorize Google Blogger [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 1. User visits a page hosted by evil server Req PostPhoto Server (Evil) Facebook [Server]

Attack on IFTTT Login Blogger Google [Server] CreateBlog Authorize 2. User gets logged User [Browser] Create Recipe IFTTT [Server] Notify onto Blogger under attacker s credential Req Server (Evil) PostPhoto Facebook [Server]

Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 3. User creates a new recipe on IFTTT Req PostPhoto Server (Evil) Facebook [Server]

Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog 4. Blogger authorizes User [Browser] Create Recipe IFTTT [Server] Notify IFTTT to perform action, but under the attacker s account! Req PostPhoto Server (Evil) Facebook [Server]

Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 5. User posts a photo on Facebook Req PostPhoto Server (Evil) Facebook [Server]

Attack on IFTTT Login Authorize Blogger Google [Server] CreateBlog User [Browser] Create Recipe IFTTT [Server] Notify 6. IFTTT is notified of the trigger Req PostPhoto Server (Evil) Facebook [Server]

Attack on IFTTT Login Blogger Google [Server] CreateBlog Authorize 7. IFTTT creates a User [Browser] Create Recipe IFTTT [Server] Notify new blog on the attacker s account, with the user s photo! Req Server (Evil) PostPhoto Facebook [Server]

Internet of Things Security (Collaboration with Hamid Bagheri)

Looking Ahead Property P Verification Engine Analysis Result M' M' P? System Model M S M' Composition Operator M D Mapping K Domain Model Library Synthesis: Construct K that satisfies P

Looking Ahead Property Verification Engine Analysis Result System Model Composition Operator Mapping Domain Model Library Model Extraction: Mine specs from domain sources (e.g. CVE)

Poirot A framework for incremental analysis of security properties across multiple system abstractions Any questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information