scispace - formally typeset
Search or ask a question
Proceedings ArticleDOI

Diesel: applying privilege separation to database access

TL;DR: A system called Diesel is constructed, which implements data separation by intercepting database queries and applying modules' restrictions to the queries, and is evaluated on three widely-used applications: Drupal, JForum, and WordPress.
Abstract: Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, we argue that database data should be subject to limitations such that each section of code receives access to only the data it needs. We call this data separation. Data separation defends against SQL-based errors including buggy queries and SQL injection attacks and facilitates code review, since a module's policy makes the extent of its database access explicit to programmers and code reviewers. We construct a system called Diesel, which implements data separation by intercepting database queries and applying modules' restrictions to the queries. We evaluate Diesel on three widely-used applications: Drupal, JForum, and WordPress.

Content maybe subject to copyright    Report

Citations
More filters
Proceedings ArticleDOI
08 Oct 2012
TL;DR: A new web framework, Hails, is presented that adds mandatory access control and a declarative policy language to the familiar MVC architecture and is demonstrated through GitStar.com, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.
Abstract: Modern extensible web platforms like Facebook and Yammer depend on third-party software to offer a rich experience to their users. Unfortunately, users running a third-party "app" have little control over what it does with their private data. Today's platforms offer only ad-hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted codewhile enforcing flexible, end-to-end policies on data access. This paper presents a new web framework, Hails, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails through GitStar.com, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.

146 citations


Cites background from "Diesel: applying privilege separati..."

  • ...OKWS [46], Diesel [29], and Radiatus [13] are web frameworks that use...

    [...]

Proceedings Article
08 Aug 2012
TL;DR: A security review of 100 Chrome extensions finds that banning HTTP scripts and inline scripts would prevent 47 of the 50 most severe vulnerabilities with only modest impact on developers.
Abstract: Vulnerabilities in browser extensions put users at risk by providing a way for website and network attackers to gain access to users' private data and credentials. Extensions can also introduce vulnerabilities into the websites that they modify. In 2009, Google Chrome introduced a new extension platform with several features intended to prevent and mitigate extension vulnerabilities: strong isolation between websites and extensions, privilege separation within an extension, and an extension permission system. We performed a security review of 100 Chrome extensions and found 70 vulnerabilities across 40 extensions. Given these vulnerabilities, we evaluate how well each of the security mechanisms defends against extension vulnerabilities. We find that the mechanisms mostly succeed at preventing direct web attacks on extensions, but new security mechanisms are needed to protect users from network attacks on extensions, website metadata attacks on extensions, and vulnerabilities that extensions add to websites. We propose and evaluate additional defenses, and we conclude that banning HTTP scripts and inline scripts would prevent 47 of the 50 most severe vulnerabilities with only modest impact on developers.

92 citations

Proceedings ArticleDOI
03 Nov 2014
TL;DR: MACE is the first tool reported in the literature to identify a new class of web application vulnerabilities called Horizontal Privilege Escalation (HPE) vulnerabilities, and works on large codebases, and discovers serious, previously unknown, vulnerabilities in 5 out of 7 web applications tested.
Abstract: We explore the problem of identifying unauthorized privilege escalation instances in a web application. These vulnerabilities are typically caused by missing or incorrect authorizations in the server side code of a web application. The problem of identifying these vulnerabilities is compounded by the lack of an access control policy specification in a typical web application, where the only supplied documentation is in fact its source code. This makes it challenging to infer missing checks that protect a web application's sensitive resources. To address this challenge, we develop a notion of authorization context consistency, which is satisfied when a web application consistently enforces its authorization checks across the code. We then present an approach based on program analysis to check for authorization state consistency in a web application. Our approach is implemented in a tool called MACE that uncovers vulnerabilities that could be exploited in the form of privilege escalation attacks. In particular, MACE is the first tool reported in the literature to identify a new class of web application vulnerabilities called Horizontal Privilege Escalation (HPE) vulnerabilities. MACE works on large codebases, and discovers serious, previously unknown, vulnerabilities in 5 out of 7 web applications tested. Without MACE, a comparable human-driven security audit would require weeks of effort in code inspection and testing.

42 citations

Proceedings Article
Aastha Mehta1, Eslam Elnikety1, Katura Harvey1, Deepak Garg1, Peter Druschel1 
01 Jan 2017
TL;DR: Qapla provides an alternate approach to policy enforcement that neither depends on application correctness, nor on specialized database support, and is evaluated by enforcing applicable policies in the HotCRP conference management system and a system for managing academic job applications.
Abstract: Many database-backed systems store confidential data that is accessed on behalf of users with different privileges. Policies governing access are often fine-grained, being specific to users, time, accessed columns and rows, values in the database (e.g., user roles), and operators used in queries (e.g., aggregators, group by, and join). Today, applications are often relied upon to issue policy compliant queries or filter the results of non-compliant queries, which is vulnerable to application errors. Qapla provides an alternate approach to policy enforcement that neither depends on application correctness, nor on specialized database support. In Qapla, policies are specific to rows and columns and may additionally refer to the querier’s identity and time, are specified in SQL, and stored in the database itself. We prototype Qapla in a database adapter, and evaluate it by enforcing applicable policies in the HotCRP conference management system and a system for managing academic job applications.

37 citations


Cites background or methods from "Diesel: applying privilege separati..."

  • ...Diesel [24] is a framework for applying the principle of least privilege on relational databases....

    [...]

  • ...To provide guarantees against a malicious application, we can also isolate the reference monitor in a separate process [15, 24], or co-locate it with the DB servers....

    [...]

Journal ArticleDOI
TL;DR: A novel scheme that automatically transforms web applications, rendering them safe against SQL injection attacks, which dynamically analyzes the developer-intended query result size for any input, and detects attacks by comparing this against the result of the actual query.

34 citations

References
More filters
Journal ArticleDOI
TL;DR: In this paper, the authors clarified some misconceptions about capability-based systems such as KeyKOS and showed that they support mandatory and discretionary security policies without identifying the source of every request.
Abstract: Capability-based systems such as KeyKOS support mandatory and discretionary security policies without identifying the source of every request. Some misconceptions about such systems are clarified.

24 citations

Proceedings ArticleDOI
02 Nov 2007
TL;DR: This paper investigates an extension of redundant authentication in which higher tiers are required to provide evidence of the authentication of principals when they make requests of lower tiers, enabling lower tiers to provide security guarantees that improve significantly over current least privilege strategies.
Abstract: Multi-tier web server systems are used in many important contexts and their security is a major cause of concern. Such systems can exploit strategies like least privilege to make lower tiers more secure in the presence of compromised higher tiers. In this paper, we investigate an extension of this technique in which higher tiers are required to provide evidence of the authentication of principals when they make requests of lower tiers. This concept, which we call redundant authentication, enables lower tiers to provide security guarantees that improve significantly over current least privilege strategies. We validate this technique by applying it to a practical Building Automation System (BAS) application, where we explore the use of redundant authentication in conjunction with an authentication proxy to enable interoperation with existing enterprise authentication services.

10 citations