
Page 1: Title
Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications
Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich
MIT, Stanford University
USENIX '09

Page 2: Outline
1. Introduction
2. Web Application Security Architecture
3. Authentication Inference
4. Authorization Enforcement
5. Implementation
6. Experimental Results
7. Conclusion

Page 3: 1. Introduction
• Each web application deploys its own authentication & access control
• The FS & DB layers perform operations with the privileges of the web application, not the user
• No defensive tools exist that automatically prevent these vulnerabilities

Page 4: Nemesis
• Nemesis modifies the library and the interpreter
  – shadow authentication
  – taint tracking: follow the flow of data through string comparisons & I/O
• Does not require the behavior of the application to be modified

Page 5: 2. Web Application Security Architecture
• Authentication:
  – takes user input
  – performs an authentication check to ensure the input is valid
  – once validated, creates a login session for the user
• Access control attacks: the attacker executes server-side operations which they might not be authorized to perform

Page 6: (figure; no text extracted)

Page 7: 3. Authentication Inference
• Infer when authentication has occurred
• Shadow authentication system
  – ensures the authentication steps are followed
• Requires the developer to provide an “annotation”
  – where the password and username are stored
  – external functions

Page 8: Dynamic Information Flow Tracking
• DIFT tags each data item
  – “credential” taint bit
  – “user input” taint bit
• Taint propagation is performed in the language interpreter
  – if a source operand is tainted, the destination is tainted

Page 9: 2 taint tag bits
• “credential” taint bit: the data item represents a known-good password or other credential
• “user input” taint bit: the data item was supplied by the user as part of the HTTP request
• Nemesis propagates both taint bits

Page 10: (figure; no text extracted)

Page 11: Nemesis
• ACL enforcement:
  – intercept I/O operations to enforce file ACLs
  – intercept and rewrite SQL queries to enforce DB ACLs
• DIFT:
  – 2 tag bits per object to track credentials and taint
  – tag propagation on all operations
  – automatic inference of authentication checks

Page 12: Creating a New Login Session
• Data tagged as “user input” is compared to data tagged as “credential”
  – using the string (in)equality operators
• The user-input password matches the one stored in the password DB
• Nemesis infers that the user has authenticated
  – auth function

Page 13: Keeping the Login Session
• Uses an entirely separate session management framework
• Shadow cookie: private key

Page 14: 4. Authorization Enforcement
• Access control rules (ACLs)
• The developer supplies ACLs for files, directories & the DB
• ACL check: the current shadow-authenticated user is permitted to execute the operation

Page 15:
• Restricts access to files, directories or the DB
• Little programmer effort required
• Intercepts the I/O operation

Page 16: Against SQL injection (to..)
• Rewrite the SQL query & add a 3rd tag bit to the zval
• It denotes user input that may be interpreted as a SQL keyword or operator
• SQL quoting functions clear this tag bit
  – mysql_real_escape_string()

Page 17: 5. Implementation
• A prototype of Nemesis was implemented by modifying the PHP interpreter
• Tag bits are stored in the zval
• Due to alignment restrictions, the zval structure has a few unused bits

Page 18: Tag Initialization
• Any input is tainted with the “user input” bit
• A global variable stores the candidate username associated with the password
• The shadow authentication system uses this candidate username to initialize the shadow cookie
• setcookie()

Page 19: Password Comparison Authentication Inference
• Performed by modifying the PHP interpreter’s string comparison operators
• Check whether the two string operands were determined to be equal
• If they are equal and A is tagged “credential” while B is tagged “user input”, authentication succeeds

Page 20: Authentication check
• Check the global variable that indicates the current shadow-authenticated user
• If it is not set, check whether shadow authentication information is stored in the current session file
• Otherwise, check the shadow authentication cookie (and extract the user from it)

Page 21: Access control check
• Check the current authenticated user against a list of accessible files on each file access
• These checks were manually inserted into applications based on the ACL
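The inference rule of pages 12 and 19 and the ACL check of pages 14 and 21, as an added Python model that is not code from the Nemesis paper or its PHP prototype. The Tainted class stands in for the zval tag bits, ShadowAuth for the interpreter hooks, and the candidate username is passed in directly instead of coming from the developer annotation; the ACL dictionary and passwords are constructed sample data.

```python
# Added illustration, not code from the Nemesis paper or its PHP prototype:
# a Python model of the two DIFT tag bits, the propagation rule, the string
# comparison hook that infers a login, and the ACL check on file I/O.
CREDENTIAL = 0b01   # value is a known-good password or other credential
USER_INPUT = 0b10   # value was supplied by the user in the HTTP request

class Tainted:
    """A string carrying Nemesis-style tag bits (stand-in for the zval bits)."""

    def __init__(self, value, tag=0):
        self.value = value
        self.tag = tag

    def __add__(self, other):
        # Propagation: if any source operand is tainted, the result is tainted.
        if not isinstance(other, Tainted):
            other = Tainted(other)
        return Tainted(self.value + other.value, self.tag | other.tag)

class ShadowAuth:
    """Shadow authentication state, kept apart from the application's own."""

    def __init__(self, candidate_username):
        # The developer annotation tells Nemesis which username belongs to
        # the password being checked; here it is simply passed in (assumption).
        self.candidate_username = candidate_username
        self.shadow_user = None  # in Nemesis this rides in the shadow cookie

    def string_equals(self, a, b):
        """Hook standing in for the interpreter's string equality operator."""
        equal = a.value == b.value
        # Inference rule: operands equal, one tagged credential and the other
        # tagged user input.  Any other pairing is an ordinary comparison.
        cred_vs_input = (a.tag & CREDENTIAL and b.tag & USER_INPUT) or \
                        (b.tag & CREDENTIAL and a.tag & USER_INPUT)
        if equal and cred_vs_input:
            self.shadow_user = self.candidate_username
        return equal

    def file_access_allowed(self, path, acl):
        """Intercepted file I/O: allow only users the developer's ACL lists."""
        return self.shadow_user is not None and self.shadow_user in acl.get(path, ())

def login_then_open(candidate, stored_pw, typed_pw, path, acl):
    """Constructed end-to-end run: one password comparison, then one file open."""
    auth = ShadowAuth(candidate)
    auth.string_equals(Tainted(stored_pw, CREDENTIAL), Tainted(typed_pw, USER_INPUT))
    return auth.shadow_user, auth.file_access_allowed(path, acl)
```

Comparing two user-input values (a password confirmation field) or two stored credentials is deliberately not treated as a login, which is the point of requiring one operand of each tag.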

Page 22: 6. Experimental Results

Page 23:
• Authentication bypass: shadow authentication is not affected
• The installation script would reset the administrator password: restricted by the ACL

Page 24: 7. Conclusion
• A novel methodology for preventing authentication & access control bypass
• Shadow authentication system: tracks user authentication state with an additional HTTP cookie
• Programmers can specify ACLs
• Little effort (< 100 LoC)