Maintaining Web security with Distributed Information Flow Control

Source: Internet
Author: User

The Computer Science Department of the University of Washington has just published a talk by Max Krohn (MIT) entitled "Maintaining Web security with distributed information flow control".

In his talk, Max explained that he had observed a revolution in the computing field: a shift from desktop software to server-side software and cloud computing.

But he warned:

Web software is prone to errors and leaks, which attackers can find and exploit. As a result, data is stolen or destroyed.

Many people use dynamic languages that do not support static analysis, and freely pull in third-party code, plug-ins and so on. As he put it, we have made a lot of hasty efforts to get websites online and running quickly.

He defined an interesting indicator to roughly measure how vulnerable a piece of software is: the number of lines of code (LOC) divided by the number of installed machines. The more widely software is installed, as with Linux, the greater the chance that defects are discovered and corrected, and the fewer defects remain. He used several slides to list the LOC and LOC-per-installation figures of Web applications to make his point.

Max's research goal is to define a security model for new types of applications and architectures. Applications such as Facebook allow developers to insert code into the platform, and even allow third-party servers to provide functionality on the Facebook platform, which makes the problem more serious still.

To cope with these new challenges, Max and his colleagues developed Flume, an open-source Web application security infrastructure based on the decentralized information flow control (DIFC) model:

DIFC is a security mechanism that lets application authors control how data flows between application components and the outside world.

For private data, DIFC allows untrusted software to compute on that data, while trusted security code controls whether it may be disclosed. In terms of data integrity, DIFC protects trusted code from accidental bad input coming from untrusted software.

They treat the server as a black box and track data as it flows during response construction. The security architecture consists of a security gateway and an operating system library; Web applications use the library to label data. The core idea is to concentrate all security decisions in the gateway so that unwanted data access is prevented there.

A typical Flume application consists of two kinds of processes. Untrusted processes do most of the work; they are constrained by DIFC controls and may not even know that DIFC exists. Trusted processes, on the other hand, know that DIFC is present in the system; they set up the secrecy and integrity controls that restrict the untrusted processes. Trusted processes also have the privilege to selectively violate classic information flow control: for example, to declassify private data (so it can be exported outside the system) or to endorse data (vouching for its integrity).

The core of the system is a set of fairly simple data tracking rules, which use tags and labels to track data.

A tag t has no inherent meaning, but processes generally associate each tag with a particular secrecy or integrity category. For example, tag b may denote Bob's private data. A label is a subset of the set of tags.

If the label of Flume process p is a subset of the label of process q, then p can send data to q. The Flume model assumes that many processes run on the same machine and communicate with each other through messages or streams. The goal of the model is to track data flows by controlling both the communication between processes and the changes to process labels.

Figure 1. Communication rules

Max points out that this idea is not new; it has been around since the 1980s.

The gateway is a key element of the Flume security architecture. First, Web applications do not need to know anything about the browser, because the gateway formulates and enforces the policy. However, the gateway's central role requires another new abstraction: the endpoint. Because the gateway coordinates the interaction between multiple systems (browsers, authentication stores, Web applications ...), the same set of labels cannot be exposed to every process. An endpoint defines a particular combination of labels that is used for communication between the gateway and one specific process.

The second part of the talk focuses on a use case based on the MoinMoin wiki. Max uses this case to show that Flume can address more than the well-known defect classes (buffer overflow, cross-site scripting and SQL injection). He demonstrated a security defect in the MoinMoin wiki calendar function: because of this defect, calendar entries that should be visible only to a specific group of users are visible to all users. With nothing more than a standard policy, Flume blocks the calendar content that should not be displayed.
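As an added illustration (not Flume's own code), the following toy Python model implements the secrecy-label rule and the trusted-process declassification described above and applies them to the calendar scenario: an untrusted wiki worker that has read Alice's entries becomes tainted with her tag, so the label rule stops it from answering another user's browser endpoint until trusted code checks the policy and declassifies. The tag, process and viewer names and the calendar entries are constructed for this example.

```python
from dataclasses import dataclass

# Tags have no inherent meaning; this constructed tag stands for "Alice's private calendar".
CAL_ALICE = "alice_calendar"
ENTRIES = "2008-04-03 dentist; 2008-04-05 dinner"   # constructed sample calendar data

@dataclass(frozen=True)
class Process:
    name: str
    label: frozenset = frozenset()       # secrecy label: tags of data this process has seen
    can_remove: frozenset = frozenset()  # tags a trusted process is allowed to declassify

def can_send(src: Process, dst: Process) -> bool:
    """Flume communication rule: src may send to dst only if S_src is a subset of S_dst."""
    return src.label <= dst.label

def read_tagged(p: Process, tag: str) -> Process:
    """Reading data carrying `tag` raises the reader's label; any process can do this."""
    return Process(p.name, p.label | {tag}, p.can_remove)

def send(src: Process, dst: Process, data: str) -> str:
    """Deliver data only when the label rule allows it; otherwise the flow is refused."""
    if not can_send(src, dst):
        raise PermissionError(f"{src.name} -> {dst.name}: {set(src.label)} not a subset of {set(dst.label)}")
    return data

def declassify(p: Process, tag: str) -> Process:
    """Lower a label: only trusted code holding the remove-right for `tag` may do this."""
    if tag not in p.can_remove:
        raise PermissionError(f"{p.name} may not remove tag {tag}")
    return Process(p.name, p.label - {tag}, p.can_remove)

def calendar_request(viewer: str, allowed_viewers: set) -> tuple:
    """Serve Alice's calendar to `viewer`; returns (entries or None, reason)."""
    wiki = read_tagged(Process("wiki-worker"), CAL_ALICE)   # untrusted code, now tainted
    # The owner's own browser endpoint carries her tag; any other viewer's endpoint has none.
    endpoint = Process(f"endpoint:{viewer}",
                       frozenset({CAL_ALICE}) if viewer == "alice" else frozenset())
    if can_send(wiki, endpoint):
        return send(wiki, endpoint, ENTRIES), "sent directly"
    if viewer not in allowed_viewers:                       # policy check by trusted code
        return None, "blocked: wiki-worker is tainted and viewer is not in the allowed group"
    trusted = Process("declassifier", wiki.label, frozenset({CAL_ALICE}))
    data = send(wiki, trusted, ENTRIES)                     # equal labels, so the flow is allowed
    return send(declassify(trusted, CAL_ALICE), endpoint, data), "declassified by trusted code"
```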

Figure 2. System Call delegate

Max concluded that there is still a lot of work to be done. They want to make the system more flexible so that it can handle third-party software uploaded into Web applications. They are also studying how to let people share data under the same principle. There are plans to extend the reach of the system to the browser layer and bring JavaScript into the architecture. Max expects it to have many uses in the financial industry.

The development of networked systems increasingly requires end-to-end security solutions, in which data access policies are enforced in addition to the application code in order to prevent malicious access. What is your opinion? Have you encountered such security problems? What methods have you used to solve them?

View the original English text: Securing the web with decentralized information flow control
