Warden: Multi-Layered Control Flow Integrity in Web Applications
This research introduces Warden, a function-level control flow enforcement layer for web applications. Warden's goal is to strengthen the security of the Single-Use Server (SuS) model by detecting attacks such as code injection and remote code execution. Both attacks exploit vulnerabilities in a public-facing website to execute arbitrary code on the server. The executed code can range from covert (cryptomining or leaking data) to overt (denial of service or ransomware). While the SuS architecture can prevent or mitigate the damage from data leakage and ransomware, an attacker with knowledge of the underlying system could craft code injection payloads that it would not catch, such as cryptomining.

In addition to added security, Warden aims to answer whether an asynchronous, layered approach to control flow enforcement is viable. Traditional CFI enforcement uses a graph of function calls and blocks on each function call to confirm that the call is valid (present in the underlying graph). Modern web applications often call thousands of functions per user interaction, and blocking on each one adds significant latency. Warden's design is intended to lessen this problem. In our evaluation, Warden detected remote code execution in all cases except one: malicious code that used the same name as a valid function, was called from the same line, and only called the functions the overwritten function called, from the same lines. This added security also increases overhead on the original system, on average raising CPU utilization by 20%, memory by 8%, and latency by 535%. Cursory optimizations reduced this overhead significantly, and we believe further work on the application's threading could reduce it much further.
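As an added illustration (not Warden's code, which the report does not reproduce here), the following Python sketch shows the function-level call-graph check described above, run both in the traditional blocking style and asynchronously from a queue on a separate thread. It also reproduces the one evasion case the abstract names: a replaced function with the same name, call site and callees leaves the recorded edges unchanged, so an edge check alone cannot see it. The handler names, line numbers, allow-list graph and traces are all constructed for the example.

```python
import queue
import threading
from typing import List, Set, Tuple

# An edge is (caller, call-site line, callee): function-level CFI that also
# keys on the call site, the granularity the abstract describes.
Edge = Tuple[str, int, str]

# Constructed allow-list graph for a toy request handler; in practice it would
# be learned from a known-good run. Names and line numbers are assumptions.
ALLOWED_EDGES: Set[Edge] = {
    ("handle_profile", 10, "load_user"),
    ("handle_profile", 11, "render"),
    ("load_user", 20, "db_query"),
    ("render", 30, "escape_html"),
}

# Constructed traces, in the order the calls would be observed at runtime.
BENIGN_TRACE: List[Edge] = [
    ("handle_profile", 10, "load_user"),
    ("load_user", 20, "db_query"),
    ("handle_profile", 11, "render"),
    ("render", 30, "escape_html"),
]
# Injected code inside render() reaches out to the OS from a new call site.
INJECTED_TRACE: List[Edge] = BENIGN_TRACE + [("render", 31, "os.system")]
# Evasion case from the abstract: render() replaced by a function of the same
# name, invoked from the same line, calling the same functions from the same
# lines. The observed edges are identical, so an edge check cannot flag it.
EVASION_TRACE: List[Edge] = list(BENIGN_TRACE)


def check_edge(edge: Edge, allowed: Set[Edge] = ALLOWED_EDGES) -> bool:
    """Is this exact (caller, line, callee) edge in the allow-list graph?"""
    return edge in allowed


def check_trace_sync(trace: List[Edge], allowed: Set[Edge] = ALLOWED_EDGES) -> List[Edge]:
    """Blocking style: every call is validated before it proceeds.
    Returns the edges that would have been rejected."""
    return [e for e in trace if not check_edge(e, allowed)]


class AsyncEnforcer:
    """Asynchronous style: the request thread only enqueues edges (cheap);
    a separate checker thread validates them, so the request never waits.
    The trade-off is that a violation is reported after the fact."""

    def __init__(self, allowed: Set[Edge] = ALLOWED_EDGES) -> None:
        self.allowed = allowed
        self.pending: "queue.Queue" = queue.Queue()
        self.violations: List[Edge] = []
        self.worker = threading.Thread(target=self._drain, daemon=True)
        self.worker.start()

    def record(self, edge: Edge) -> None:
        """Hot path: O(1) enqueue, no validation here."""
        self.pending.put(edge)

    def _drain(self) -> None:
        while True:
            edge = self.pending.get()
            if edge is None:          # shutdown sentinel
                return
            if not check_edge(edge, self.allowed):
                self.violations.append(edge)

    def close(self) -> List[Edge]:
        """Stop the checker and return everything it flagged."""
        self.pending.put(None)
        self.worker.join()
        return list(self.violations)


def check_trace_async(trace: List[Edge]) -> List[Edge]:
    """Run a trace through the asynchronous enforcer and collect violations."""
    enforcer = AsyncEnforcer()
    for edge in trace:
        enforcer.record(edge)
    return enforcer.close()


if __name__ == "__main__":
    for name, trace in [("benign", BENIGN_TRACE), ("injected", INJECTED_TRACE),
                        ("evasion", EVASION_TRACE)]:
        print(name, "sync:", check_trace_sync(trace),
              "async:", check_trace_async(trace))
```

The two enforcers reach the same verdict on every trace; they differ only in where the cost lands. The synchronous version charges each call site with a set lookup before the call may proceed, which is the per-call latency the abstract attributes to traditional CFI; the asynchronous version makes the request path a queue put and moves the lookups to the checker thread, at the price of learning about a violation only after the offending call has already run. The evasion trace shows why the abstract's undetected case is a limit of edge matching itself and not of either scheduling choice.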
- This report represents the work of one or more WPI undergraduate students submitted to the faculty as evidence of completion of a degree requirement. WPI routinely publishes these reports on its website without editorial or peer review.
Permanent link to this page: https://digital.wpi.edu/show/9k41zh96s