Secure Compilation of a Multi-tier Web Language

Transcription

1 Secure Compilation of a Multi-tier Web Language Ioannis G. Baltopoulos (ioannis.baltopoulos@cl.cam.ac.uk) The Rise and Rise of the Declarative Datacentre (R2D2) Tuesday, May 13, 2008 Joint work with Andrew D. Gordon Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 1 / 10

2 Overview LINKS is a strict, typed, declarative language that enables the creation of web applications by partitioning a single source file and placing the data either on the client-tier or in the database-tier [Cooper et al.(2006)]. Motivation In programming languages that implement continuations on the client side using either cookies or hidden fields, the continuations are open to client manipulation. Objective Allow security reasoning about multi-tier programs at the source level. Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 2 / 10

3 Security for TINYLINKS programs Assumptions: The LINKS source code is not known to the attacker No state is stored on the server (effect-free language fragment) All functions reside on the server We are using SSL/TLS to protect against a 3rd party Attacker: We are protecting the server against a rogue client. An attacker can be represented at the source level as a surrounding LINKS context within which we place the program. Threats: 1 The client may learn secret data held in a closure embedded in a webpage. 2 A rogue client may break the integrity of server data by modifying a closure embedded in a webpage. 3 The client may change the control flow of the program. Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 3 / 10

4 Example 1 fun buy(value, dbpass) server { 2 inttoxml(value) # omitting actual call to the database 3 } 4 5 fun sellat(price) server { 6 var dbpass = "secret"; 7 <form l:onsubmit="{buy(price,dbpass)}" method="post"> 8 <button type="submit">buy</button> 9 </form> 10 } sellat(42) Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 4 / 10

5 Example 1 fun buy(value, dbpass) server { 2 inttoxml(value) # omitting actual call to the database 3 } 4 5 fun sellat(price) server { 6 var dbpass = "secret"; 7 <form l:onsubmit="{buy(price,dbpass)}" method="post"> 8 <button type="submit">buy</button> 9 </form> 10 } sellat(42) Source level intuition: The function buy can only be called with the arguments 42 and secret Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 4 / 10

6 What can go wrong? The expressions that are to be evaluated as a result of clicking buttons in forms or links are encoded, along with their necessary environment, into a continuation string. For example, from the expression E = buy(price, dbpass), the LINKS interpreter generates a hash value h E and an environment Γ E = {price 42, dbpass "secret"} 1 <form onsubmit="#" method="post"> 2 <input type="hidden" name=" k" value="b64(h E,Γ E )" /> 3 <button type="submit">buy</button> 4 </form> Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 5 / 10

7 What can go wrong? The expressions that are to be evaluated as a result of clicking buttons in forms or links are encoded, along with their necessary environment, into a continuation string. For example, from the expression E = buy(price, dbpass), the LINKS interpreter generates a hash value h E and an environment Γ E = {price 42, dbpass "secret"} 1 <form onsubmit="#" method="post"> 2 <input type="hidden" name=" k" value="b64(h E,Γ E )" /> 3 <button type="submit">buy</button> 4 </form> Immediate problems: 1 (Secrecy violation) The value of dbpass has been revealed to the client. 2 (Integrity violation) A client could modify the price in the environment and make a counterfeit request. Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 5 / 10

8 Protecting against the attacks We use authenticated encryption on the hashed expressions and their environments. 1 fun buy(value, dbpass) server { 2 inttoxml(value) # omitting actual call to the database 3 } 4 5 fun sellat(price) server { 6 var dbpass = "secret"; 7 <form l:onsubmit="{enc(k s,(h E,Γ E ))}" method="post"> 8 <button type="submit">buy</button> 9 </form> 10 } sellat(42) Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 6 / 10

9 Multi-tier language based security reasoning We formalise the programmer s intuitions using assertions. 1 fun buy(value, dbpass) server { 2 assert Sell(value); 3 inttoxml(value) # omitting actual call to the database 4 } 5 6 fun sellat(price) server { 7 event Sell(price); 8 var dbpass = "secret"; 9 <form l:onsubmit="{buy(price,dbpass)}" method="post"> 10 <button type="submit">buy</button> 11 </form> 12 } sellat(42) Then we generate Proverif scripts [Blanchet(2001)] and analyse correspondence assertions [Woo and Lam(1993)] for specific programs. Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 7 / 10

10 A secure LINKS compiler Safety: For any run of the program E url the assertions are true. Robust Safety: For any opponent, the program E url is safe. Theorem: If E url is provably Robustly Safe in the source level, then [[E url ]] is provably Robustly Safe in the target level. Translate to a λ-calculus equipped with refinement types to express pre- and post-conditions within first order logic [Bengtson et al.(2008)]. Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 8 / 10

11 Conclusion & Future work Conclusion We have proposed a secure compilation strategy that can guarantee integrity of web continuations and secrecy of the data stored in them. Future Work Extend the threat model by relaxing some of our assumptions. Tackle a larger fragment of LINKS Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 9 / 10

12 Bibliography Jesper Bengtson, Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon, and Sergio Maffeis. Refinement types for secure implementations. IEEE Computer Society, Bruno Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In 14th IEEE Computer Security Foundations Workshop (CSFW-14), pages 82 96, Cape Breton, Nova Scotia, Canada, June IEEE Computer Society. Ezra Cooper, Sam Lindley, Philip Wadler, and Jeremy Yallop. Links: Web programming without tiers. In FMCO: Proceedings of 5th International Symposium on Formal Methods for Components and Objects, Lecture Notes in Computer Science. Springer-Verlag, T.Y.C. Woo and S.S. Lam. A semantic model for authentication protocols. In IEEE Symposium on Security and Privacy, pages , Ioannis G. Baltopoulos (University of Cambridge) Secure Compilation of a Multi-tier Web Language 10 / 10