MIT Libraries: DSpace@MIT


Nemesis: Preventing Authentication & [and] Access Control Vulnerabilities in Web Applications

Author(s)
Dalton, Michael; Kozyrakis, Christos; Zeldovich, Nickolai
Download: Zeldovich_Nemesis preventing.pdf (442.6Kb)
Terms of use
Creative Commons Attribution-Noncommercial-Share Alike 3.0 http://creativecommons.org/licenses/by-nc-sa/3.0/
Abstract
This paper presents Nemesis, a novel methodology for mitigating authentication bypass and access control vulnerabilities in existing web applications. Authentication attacks occur when a web application authenticates users unsafely, granting access to web clients that lack the appropriate credentials. Access control attacks occur when an access control check in the web application is incorrect or missing, allowing users unauthorized access to privileged resources such as databases and files. Such attacks are becoming increasingly common, and have occurred in many high-profile applications, such as IIS [10] and WordPress [31], as well as 14% of surveyed web sites [30]. Nevertheless, none of the currently available tools can fully mitigate these attacks. Nemesis automatically determines when an application safely and correctly authenticates users, by using Dynamic Information Flow Tracking (DIFT) techniques to track the flow of user credentials through the application’s language runtime. Nemesis combines authentication information with programmer-supplied access control rules on files and database entries to automatically ensure that only properly authenticated users are granted access to any privileged resources or data. A study of seven popular web applications demonstrates that a prototype of Nemesis is effective at mitigating attacks, requires little programmer effort, and imposes minimal runtime overhead. Finally, we show that Nemesis can also improve the precision of existing security tools, such as DIFT analyses for SQL injection prevention, by providing runtime information about user authentication.
Date issued
2009-08
URI
http://hdl.handle.net/1721.1/62182
Department
Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Journal
USENIX UNIX Security Symposium
Publisher
USENIX Association
Citation
Dalton, Michael, Christos Kozyrakis, and Nickolai Zeldovich. "Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications." USENIX UNIX Security Symposium, 2009.
Version: Author's final manuscript

Collections
  • MIT Open Access Articles
