TY - GEN
T1 - Automating isolation and least privilege in web services
AU - Blankstein, Aaron
AU - Freedman, Michael J.
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2014/11/13
Y1 - 2014/11/13
N2 - In many client-facing applications, a vulnerability in any part can compromise the entire application. This paper describes the design and implementation of Passe, a system that protects a data store from unintended data leaks and unauthorized writes even in the face of application compromise. Passe automatically splits (previously shared-memory-space) applications into sandboxed processes. Passe limits communication between those components and the types of accesses each component can make to shared storage, such as a backend database. In order to limit components to their least privilege, Passe uses dynamic analysis on developer-supplied end-to-end test cases to learn data and control-flow relationships between database queries and previous query results, and it then strongly enforces those relationships. Our prototype of Passe acts as a drop-in replacement for the Django web framework. By running eleven unmodified, off-the-shelf applications in Passe, we demonstrate its ability to provide strong security guarantees (Passe correctly enforced 96% of the applications' policies) with little additional overhead. Additionally, in the web-specific setting of the prototype, we also mitigate the cross-component effects of cross-site scripting (XSS) attacks by combining browser HTML5 sandboxing techniques with our automatic component separation.
AB - In many client-facing applications, a vulnerability in any part can compromise the entire application. This paper describes the design and implementation of Passe, a system that protects a data store from unintended data leaks and unauthorized writes even in the face of application compromise. Passe automatically splits (previously shared-memory-space) applications into sandboxed processes. Passe limits communication between those components and the types of accesses each component can make to shared storage, such as a backend database. In order to limit components to their least privilege, Passe uses dynamic analysis on developer-supplied end-to-end test cases to learn data and control-flow relationships between database queries and previous query results, and it then strongly enforces those relationships. Our prototype of Passe acts as a drop-in replacement for the Django web framework. By running eleven unmodified, off-the-shelf applications in Passe, we demonstrate its ability to provide strong security guarantees (Passe correctly enforced 96% of the applications' policies) with little additional overhead. Additionally, in the web-specific setting of the prototype, we also mitigate the cross-component effects of cross-site scripting (XSS) attacks by combining browser HTML5 sandboxing techniques with our automatic component separation.
KW - capabilities
KW - isolation
KW - principle of least privilege
KW - security policy inference
KW - web security
UR - http://www.scopus.com/inward/record.url?scp=84914173937&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84914173937&partnerID=8YFLogxK
U2 - 10.1109/SP.2014.16
DO - 10.1109/SP.2014.16
M3 - Conference contribution
AN - SCOPUS:84914173937
T3 - Proceedings - IEEE Symposium on Security and Privacy
SP - 133
EP - 148
BT - Proceedings - IEEE Symposium on Security and Privacy
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 35th IEEE Symposium on Security and Privacy, SP 2014
Y2 - 18 May 2014 through 21 May 2014
ER -