Proceedings ArticleDOI

Diesel: applying privilege separation to database access

TL;DR: Diesel implements data separation by intercepting database queries and applying each module's restrictions to them, so that a module can reach only the data it legitimately needs; it is evaluated on three widely used applications: Drupal, JForum, and WordPress.
Abstract: Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, we argue that database data should be subject to limitations such that each section of code receives access to only the data it needs. We call this data separation. Data separation defends against SQL-based errors including buggy queries and SQL injection attacks and facilitates code review, since a module's policy makes the extent of its database access explicit to programmers and code reviewers. We construct a system called Diesel, which implements data separation by intercepting database queries and applying modules' restrictions to the queries. We evaluate Diesel on three widely-used applications: Drupal, JForum, and WordPress.
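The interception-and-policy scheme the abstract describes, as an added example that is not Diesel's own code (Diesel targets PHP and Java applications; this demonstration uses SQLite's authorizer hook as the interception point, with one connection per module). The module names, tables, rows and policies are constructed for the illustration:

```python
"""Data separation for a database-backed application, demonstrated with
SQLite's authorizer hook.  Added example, not the Diesel implementation:
each application module gets its own connection, and every query on that
connection is checked at prepare time against the module's policy."""
import os
import sqlite3
import tempfile

# Constructed schema and rows for a hypothetical forum-style application.
SCHEMA = """
CREATE TABLE users    (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT, author_id INTEGER);
INSERT INTO users    VALUES (1, 'alice', 'constructed-hash-1');
INSERT INTO comments VALUES (1, 'first!', 1);
"""

# Module policies (hypothetical): the data each module needs and nothing more.
# read:  table -> columns the module may read
# write: table -> columns the module may INSERT / UPDATE / DELETE
POLICY = {
    "comments": {
        "read":  {"comments": {"id", "body", "author_id"}, "users": {"id", "name"}},
        "write": {"comments": {"body", "author_id"}},
    },
    "auth": {
        "read":  {"users": {"id", "name", "password_hash"}},
        "write": {"users": {"password_hash"}},
    },
}

# Actions that name no table or column and are always fine: the statement
# kinds themselves, built-in functions, and BEGIN / COMMIT.
ALWAYS_OK = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION, sqlite3.SQLITE_TRANSACTION}


def make_authorizer(policy):
    """Build the callback SQLite consults for every table/column access while
    compiling a statement.  Anything the policy does not cover is denied."""
    read, write = policy["read"], policy["write"]

    def authorize(action, arg1, arg2, db_name, trigger_or_view):
        if action in ALWAYS_OK:
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ:              # arg1 = table, arg2 = column
            cols = read.get(arg1)
            # arg2 == "" means the table is referenced without reading a column
            if cols is not None and (arg2 == "" or arg2 in cols):
                return sqlite3.SQLITE_OK
        elif action == sqlite3.SQLITE_UPDATE:          # arg1 = table, arg2 = column
            if arg2 in write.get(arg1, ()):
                return sqlite3.SQLITE_OK
        elif action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_DELETE):  # arg1 = table
            if arg1 in write:
                return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY                     # default deny
    return authorize


def connect_as_module(db_path, module):
    """One connection per module.  Authorization happens when a statement is
    prepared, and a connection caches prepared statements, so a connection
    must never be shared between modules with different policies."""
    conn = sqlite3.connect(db_path)
    conn.set_authorizer(make_authorizer(POLICY[module]))
    return conn


def run(conn, sql, params=()):
    """Execute under the connection's policy; ('ok', rows) or ('denied', reason)."""
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return ("ok", rows)
    except sqlite3.DatabaseError as exc:    # a denied statement fails to prepare
        return ("denied", str(exc))


def demo(db_path=None):
    """Legitimate queries succeed; a buggy query, an injected query and a
    cross-module write from the comments module are all refused."""
    if db_path is None:
        db_path = os.path.join(tempfile.mkdtemp(), "app.db")
    setup = sqlite3.connect(db_path)
    setup.executescript(SCHEMA)
    setup.close()

    comments = connect_as_module(db_path, "comments")
    auth = connect_as_module(db_path, "auth")
    r = {}
    r["comments_list"] = run(comments,
        "SELECT c.body, u.name FROM comments c JOIN users u ON u.id = c.author_id")
    r["comments_insert"] = run(comments,
        "INSERT INTO comments (body, author_id) VALUES (?, ?)", ("second", 1))
    # Buggy query: the comments module never needs password hashes.
    r["comments_bug"] = run(comments, "SELECT password_hash FROM users")
    # SQL injection: attacker-controlled author_id widens the query past the policy.
    tainted = "1 UNION SELECT password_hash, 'x' FROM users"
    r["comments_injection"] = run(comments,
        "SELECT body, author_id FROM comments WHERE author_id = " + tainted)
    r["comments_cross_write"] = run(comments,
        "UPDATE users SET password_hash = 'pwned' WHERE id = 1")
    # The auth module may read the hash, but has no business in comments.
    r["auth_read_hash"] = run(auth, "SELECT password_hash FROM users WHERE id = ?", (1,))
    r["auth_delete_comments"] = run(auth, "DELETE FROM comments")
    comments.close()
    auth.close()
    return r


if __name__ == "__main__":
    for name, (status, detail) in demo().items():
        print(f"{name:24s} {status:7s} {detail}")
```

Two points a practitioner should take from this: the check runs when the statement is compiled, not per row, so it is cheap, but it also means a prepared statement cached under one policy must not be reused under another; and the authorizer returns SQLITE_DENY rather than SQLITE_IGNORE, so the whole statement fails instead of silently substituting NULL for the forbidden column, which is what makes a buggy query visible during development. Because SQLite runs inside the application process, this demonstration only protects against a module that plays by the rules; a policy enforced outside the module's address space, as in a proxy or the database server, is needed to hold against a module that is itself compromised.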


Citations
Book ChapterDOI
17 Sep 2014
TL;DR: This paper introduces the first explicit notion of user sub-origins, so that a script injected into a web session no longer inherits the user's resources, and proposes UserPath, which establishes an end-to-end trusted path between web application users and web servers.
Abstract: Once a web application authenticates a user, it loosely associates all resources owned by the user to the web session established. Consequently, any scripts injected into the victim web session attain unfettered access to user-owned resources, including scripts that commit malicious activities inside a web application. In this paper, we establish the first explicit notion of user sub-origins to defeat such attempts. Based on this notion, we propose a new solution called UserPath to establish an end-to-end trusted path between web application users and web servers. To evaluate our solution, we implement a prototype in Chromium, and retrofit it to 20 popular web applications. UserPath reduces the size of client-side TCB that has access to user-owned resources by 8x to 264x, with small developer effort.

8 citations

Proceedings Article
01 Jan 2017
TL;DR: SafeD is a practical access control solution built on phantom extraction, a technique that enforces per-user access control policies on all database update queries without relying on views as the enforcement mechanism; it is evaluated on the two databases most used by open source web applications, MySQL and Postgres.
Abstract: Database-backed applications rely on access control policies based on views to protect sensitive data from unauthorized parties. Current techniques assume that the application’s database tables contain a column that enables mapping a user to rows in the table. This assumption allows database views or similar mechanisms to enforce per-user access controls. However, not all database tables contain sufficient information to map a user to rows in the table, as a result of database normalization, and thus, require the joining of multiple tables. In a survey of 10 popular open-source web applications, on average, 21% of the database tables require a join. This means that current techniques cannot enforce security policies on all update queries for these applications, due to a well-known view update problem. In this paper, we propose phantom extraction, a technique which enforces per-user access control policies on all database update queries. Phantom extraction does not make the same assumptions as previous work, and, more importantly, does not use database views as a core enforcement mechanism. Therefore, it does not fall victim to the view update problem. We have created SafeD as a practical access control solution, which uses our phantom extraction technique. SafeD uses a declarative language for defining security policies, while retaining the simplicity of database views. We evaluated our system on two popular databases for open source web applications, MySQL and Postgres. On MySQL, which has no built-in access control, we observe a 6% increase in transaction latency. On Postgres, SafeD outperforms the built-in access control by an order of magnitude when security policies involved joins.

3 citations


Cites background from "Diesel: applying privilege separati..."

  • ...(comparison table of related systems: Diesel [39], CLAMP [43], Nemesis [36], Oracle [13], Postgres [23], SafeD)...

  • ..., by duplicating all the modules for each connected user), they also acknowledge that their solution would not scale [39] and suggest using database access control in conjunction....


  • ...Previous work has largely ignored the view update problem by assuming that any table on which a security policy is defined contains the user id, thus joins are not required to map a user to rows in the table [36, 39, 43]....


  • ...These solutions restrict each application user to a portion of the database [39, 43, 36]....


  • ...Diesel [39] implements module-based access control, whereby an application is broken into a series of code...


01 Jan 2012
TL;DR: Permissions are argued to be a valuable addition to a platform, and the study results support continued work on permission systems; however, current permission warnings fail to inform the majority of users about the risks of applications.
Abstract: How can we, as platform designers, protect computer users from the threats associated with malicious, privacy-invasive, and vulnerable applications? Modern platforms have turned away from the traditional user-based permission model and begun adopting application permission systems in an attempt to shield users from these threats. This dissertation evaluates modern permission systems with the goal of improving the security of future platforms. In platforms with application permission systems, applications are unprivileged by default and must request permissions in order to access sensitive API calls. Developers specify the permissions that their applications need, and users approve the granting of permissions. Permissions are intended to provide defense in depth by restricting the scope of vulnerabilities and user consent by allowing users to control whether third parties have access to their resources. In this dissertation we investigate whether permission systems are effective at providing defense in depth and user consent. First, we perform two studies to evaluate whether permissions provide defense in depth: we analyze applications to determine whether developers request minimal sets of permissions, and we quantify the impact of permissions on real-world vulnerabilities. Next, we evaluate whether permissions obtain the user's informed consent by surveying and interviewing users. We use the Android application and Google Chrome extension platforms for our studies; at present, they are popular platforms with extensive permission systems. Our goal is to inform the design of future platforms with our findings. We argue that permissions are a valuable addition to a platform, and our study results support continued work on permission systems. However, current permission warnings fail to inform the majority of users about the risks of applications. We propose a set of guidelines to aid in the design of more user-friendly permissions, based on our user research and relevant literature.

3 citations

Proceedings ArticleDOI
Haoqi Wu, Zhengxuan Yu, Dapeng Huang, Haodong Zhang, Weili Han
01 Dec 2020
TL;DR: This paper proposes PDA (PLP over Data source Access), a framework that automatically enforces the principle of least privilege over data source access through application-driven privilege separation, intercepting each database query and routing it over a connection with only the privileges that query needs.
Abstract: The state-of-the-art database-backed web applications usually assign full privileges to connections between applications and data sources. This phenomenon, which would enable a malicious attacker to easily compromise the applications through arbitrarily manipulating the data sources without the restriction of privileges, seriously breaks the principle of least privilege (PLP), a fundamental law of system security. Motivated to counter this problem, we propose a framework PDA (PLP over Data source Access) to automatically enforce this principle over data source access based on application-driven privilege separation. Our proposed PDA contributes from the following aspects: i) PDA achieves the privilege separation by intercepting database queries and enforcing privileged connections to database for each database query; ii) PDA can effectively defend against SQL-based vulnerabilities including buggy queries and SQL injection attacks. Lastly, we evaluate PDA on a widely used application platform, JForum, to demonstrate the effectiveness of PDA with a promising performance overhead of 8.13%.

2 citations

Dissertation
22 Jan 2014

2 citations


Cites methods from "Diesel: applying privilege separati..."

  • ...applied to build several tools and frameworks for modern web apps [78, 110, 142, 143, 161]....


References
Journal ArticleDOI
01 Sep 1975
TL;DR: In this article, the authors explore the mechanics of protecting computer-stored information from unauthorized use or modification, focusing on those architectural structures-whether hardware or software-that are necessary to support information protection.
Abstract: This tutorial paper explores the mechanics of protecting computer-stored information from unauthorized use or modification. It concentrates on those architectural structures, whether hardware or software, that are necessary to support information protection. The paper develops in three main sections. Section I describes desired functions, design principles, and examples of elementary protection and authentication mechanisms. Any reader familiar with computers should find the first section to be reasonably accessible. Section II requires some familiarity with descriptor-based computer architecture. It examines in depth the principles of modern protection architectures and the relation between capability systems and access control list systems, and ends with a brief analysis of protected subsystems and protected objects. The reader who is dismayed by either the prerequisites or the level of detail in the second section may wish to skip to Section III, which reviews the state of the art and current research projects and provides suggestions for further reading.

2,063 citations

01 Jan 2006
TL;DR: An extensive review of the different types of SQL injection attacks known to date is presented, including descriptions and examples of how attacks of that type could be performed and existing detection and prevention techniques against SQL injections.
Abstract: SQL injection attacks pose a serious security threat to Web applications: they allow attackers to obtain unrestricted access to the databases underlying the applications and to the potentially sensitive information these databases contain. Although researchers and practitioners have proposed various methods to address the SQL injection problem, current approaches either fail to address the full scope of the problem or have limitations that prevent their use and adoption. Many researchers and practitioners are familiar with only a subset of the wide range of techniques available to attackers who are trying to take advantage of SQL injection vulnerabilities. As a consequence, many solutions proposed in the literature address only some of the issues related to SQL injection. To address this problem, we present an extensive review of the different types of SQL injection attacks known to date. For each type of attack, we provide descriptions and examples of how attacks of that type could be performed. We also present and analyze existing detection and prevention techniques against SQL injection attacks. For each technique, we discuss its strengths and weaknesses in addressing the entire range of SQL injection attacks.

606 citations

Proceedings ArticleDOI
07 Nov 2005
TL;DR: A new model-based technique detects illegal queries before they reach the database: a static model of the queries the application can legitimately generate is built by program analysis, and dynamically generated queries are checked against it at runtime; the AMNESIA tool stopped all attempted attacks in the evaluation without generating any false positives.
Abstract: The use of web applications has become increasingly popular in our routine activities, such as reading the news, paying bills, and shopping on-line. As the availability of these services grows, we are witnessing an increase in the number and sophistication of attacks that target them. In particular, SQL injection, a class of code-injection attacks in which specially crafted input strings result in illegal queries to a database, has become one of the most serious threats to web applications. In this paper we present and evaluate a new technique for detecting and preventing SQL injection attacks. Our technique uses a model-based approach to detect illegal queries before they are executed on the database. In its static part, the technique uses program analysis to automatically build a model of the legitimate queries that could be generated by the application. In its dynamic part, the technique uses runtime monitoring to inspect the dynamically-generated queries and check them against the statically-built model. We developed a tool, AMNESIA, that implements our technique and used the tool to evaluate the technique on seven web applications. In the evaluation we targeted the subject applications with a large number of both legitimate and malicious inputs and measured how many attacks our technique detected and prevented. The results of the study show that our technique was able to stop all of the attempted attacks without generating any false positives.
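The static-model-plus-runtime-check idea in the abstract, as an added example that is not the AMNESIA tool (AMNESIA builds its model by string analysis of the program; here, as a stated simplification, each query hotspot's template is instantiated with a benign value and reduced to a structural skeleton). The query templates and inputs are constructed for the illustration, and the templates deliberately splice input with %s, the pattern that admits injection:

```python
"""Model-based SQL injection detection in the spirit of AMNESIA.  Added
example, not the AMNESIA tool: the legitimate structure of each query
hotspot is recorded ahead of time, and at run time the query the
application actually built is allowed only if its structure matches."""
import re

# Tokenizer for the subset of SQL needed to recognise query structure.
_TOKEN = re.compile(
    r"--[^\n]*"                    # line comment (dropped below, as the DB would)
    r"|'(?:[^']|'')*'"             # string literal ('' is an escaped quote)
    r"|\d+(?:\.\d+)?"              # numeric literal
    r"|[A-Za-z_][A-Za-z0-9_]*"     # identifier or keyword
    r"|<>|<=|>=|!=|\S"             # operators and punctuation
)


def skeleton(sql):
    """Reduce a query to its structure: literals become '?', comments vanish,
    keywords and identifiers are case-folded.  An unterminated quote survives
    as a bare "'" token, so a truncated literal changes the structure too."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("--"):
            continue
        if (tok.startswith("'") and len(tok) >= 2) or tok[0].isdigit():
            out.append("?")
        else:
            out.append(tok.lower())
    return " ".join(out)


# Hypothetical query hotspots of a vulnerable application: user input is
# spliced into the SQL string with %s, exactly the pattern that admits injection.
QUERY_TEMPLATES = {
    "login":   "SELECT id, name FROM users WHERE name = '%s' AND password_hash = '%s'",
    "by_role": "SELECT id, name FROM users WHERE role = %s",
}


def build_model(templates):
    """Static phase.  AMNESIA derives the set of legitimate query structures by
    string analysis of the program; here (a simplification) each hotspot's
    template is instantiated with a benign value and reduced to its skeleton."""
    return {name: skeleton(tpl % (("0",) * tpl.count("%s")))
            for name, tpl in templates.items()}


def guarded_query(model, hotspot, *inputs):
    """Dynamic phase: build the query the way the application does, then
    compare its skeleton with the model.  Returns (allowed, sql)."""
    sql = QUERY_TEMPLATES[hotspot] % inputs
    return skeleton(sql) == model[hotspot], sql


if __name__ == "__main__":
    model = build_model(QUERY_TEMPLATES)
    for hotspot, inputs in [
        ("login", ("alice", "constructed-hash")),
        ("login", ("' OR '1'='1", "x")),
        ("login", ("admin' --", "x")),
        ("by_role", ("3",)),
        ("by_role", ("3 OR 1=1",)),
        ("by_role", ("3; DROP TABLE users",)),
    ]:
        allowed, sql = guarded_query(model, hotspot, *inputs)
        print("ALLOW" if allowed else "BLOCK", sql)
```

The check is structural by design: an input that only changes the value of a literal (a different user name, a different role number) yields the same skeleton and passes, while tautologies, comment truncation and stacked statements all add or remove tokens and are refused. The weak spot of this simplified model builder is the tokenizer; anything it parses differently from the real database (dialect-specific comment syntax, quoting rules, identifier escapes) is a gap an attacker can use, which is why the static model should be derived from the same grammar the database applies.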

590 citations

Journal ArticleDOI
TL;DR: HiStar is a new operating system designed to minimize the amount of code that must be trusted; its strict information flow control lets users specify precise data security policies without unduly limiting the structure of applications.
Abstract: HiStar is a new operating system designed to minimize the amount of code that must be trusted. HiStar provides strict information flow control, which allows users to specify precise data security policies without unduly limiting the structure of applications. HiStar's security features make it possible to implement a Unix-like environment with acceptable performance almost entirely in an untrusted user-level library. The system has no notion of superuser and no fully trusted code other than the kernel. HiStar's features permit several novel applications, including privacy-preserving, untrusted virus scanners and a dynamic Web server with only a few thousand lines of trusted code.

535 citations


"Diesel: applying privilege separati..." refers background in this paper

  • ...Operating systems. Asbestos [30] and HiStar [32] are operating systems designed according to the principle of least privilege....

    [...]

Book
01 Jan 1984

509 citations