Nemesis: Preventing Authentication & [and] Access Control Vulnerabilities in Web Applications
Author(s)
Dalton, Michael; Kozyrakis, Christos; Zeldovich, Nickolai
DownloadZeldovich_Nemesis preventing.pdf (442.6Kb)
OPEN_ACCESS_POLICY
Open Access Policy
Creative Commons Attribution-Noncommercial-Share Alike
Terms of use
Metadata
Show full item recordAbstract
This paper presents Nemesis, a novel methodology for
mitigating authentication bypass and access control vulnerabilities
in existing web applications. Authentication
attacks occur when a web application authenticates users
unsafely, granting access to web clients that lack the appropriate
credentials. Access control attacks occur when
an access control check in the web application is incorrect
or missing, allowing users unauthorized access to
privileged resources such as databases and files. Such
attacks are becoming increasingly common, and have occurred
in many high-profile applications, such as IIS [10]
and WordPress [31], as well as 14% of surveyed web
sites [30]. Nevertheless, none of the currently available
tools can fully mitigate these attacks.
Nemesis automatically determines when an application
safely and correctly authenticates users, by using Dynamic
Information Flow Tracking (DIFT) techniques to
track the flow of user credentials through the application’s
language runtime. Nemesis combines authentication information
with programmer-supplied access control rules
on files and database entries to automatically ensure that
only properly authenticated users are granted access to
any privileged resources or data. A study of seven popular
web applications demonstrates that a prototype of
Nemesis is effective at mitigating attacks, requires little
programmer effort, and imposes minimal runtime overhead.
Finally, we show that Nemesis can also improve the
precision of existing security tools, such as DIFT analyses
for SQL injection prevention, by providing runtime
information about user authentication.
Date issued
2009-08Department
Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer ScienceJournal
USENIX UNIX Security Symposium
Publisher
USENIX Association
Citation
Dalton, Michael, Christos Kozyrakis, and Nickolai Zeldovich. "Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications" USENIX UNIX Security Symposium, 2009.
Version: Author's final manuscript