Publication


Featured research published by Timothy L. Hinrichs.


workshop on research on enterprise networking | 2009

Practical declarative network management

Timothy L. Hinrichs; Natasha Gude; Martin Casado; John C. Mitchell; Scott Shenker

We present Flow-based Management Language (FML), a declarative policy language for managing the configuration of enterprise networks. FML was designed to replace the many disparate configuration mechanisms traditionally used to enforce policies within the enterprise. These include ACLs, VLANs, NATs, policy-routing, and proprietary admission control systems. FML balances the desires to express policies naturally and enforce policies efficiently. We have implemented FML and have used it to manage multiple operational enterprise networks for over a year.


computer and communications security | 2011

WAPTEC: whitebox analysis of web applications for parameter tampering exploit construction

Prithvi Bisht; Timothy L. Hinrichs; V. N. Venkatakrishnan

Parameter tampering attacks are dangerous to a web application whose server fails to replicate the validation of user-supplied data that is performed by the client. Malicious users who circumvent the client can capitalize on the missing server validation. In this paper, we describe WAPTEC, a tool that is designed to automatically identify parameter tampering vulnerabilities and generate exploits by construction to demonstrate those vulnerabilities. WAPTEC involves a new approach to whitebox analysis of the server's code. We tested WAPTEC on six open source applications and found previously unknown vulnerabilities in every single one of them.


ieee computer security foundations symposium | 2013

Application-Sensitive Access Control Evaluation Using Parameterized Expressiveness

Timothy L. Hinrichs; Diego Martinoia; William C. Garrison; Adam J. Lee; Alessandro Panebianco; Lenore D. Zuck

Access control schemes come in all shapes and sizes, which makes choosing the right one for a particular application a challenge. Yet today's techniques for comparing access control schemes completely ignore the setting in which the scheme is to be deployed. In this paper, we present a formal framework for comparing access control schemes with respect to a particular application. The analyst's main task is to evaluate an access control scheme in terms of how well it implements a given access control workload (a formalism that we introduce to represent an application's access control needs). One implementation is better than another if it has stronger security guarantees, and in this paper we introduce several such guarantees: correctness, homomorphism, AC-preservation, safety, administration-preservation, and compatibility. The scheme that admits the implementation with the strongest guarantees is deemed the best fit for the application. We demonstrate the use of our framework by evaluating two workloads on ten different access control schemes.


Lecture Notes in Computer Science | 2004

Adding AI to Web Services

Charles J. Petrie; Michael R. Genesereth; Hans C. Bjornsson; Rada Chirkova; Martin A. Ekstrom; Hidehito Gomi; Timothy L. Hinrichs; Rob Hoskins; Michael Kassoff; Daishi Kato; Kyohei Kawazoe; Jung Ung Min; Waqar Mohsin

The FX-Project consisted of members of the Stanford Logic Group and industrial visitors from NEC and Intec Web & Genome working together to develop new technologies based upon the combination of web services and techniques from artificial intelligence, using our experience in AI-based software agents. This two-year project ran from April of 2001 until the end of March 2002 and explored the then emerging functionality of web services. This paper is a result of our findings.


distributed systems operations and management | 2004

Using Object-Oriented Constraint Satisfaction for Automated Configuration Generation

Timothy L. Hinrichs; Nathaniel Love; Charles J. Petrie; Lyle Ramshaw; Akhil Sahai; Sharad Singhal

In this paper, we describe an approach for automatically generating configurations for complex applications. Automated generation of system configurations is required to allow large-scale deployment of custom applications within utility computing environments. Our approach models the configuration management problem as an Object-Oriented Constraint Satisfaction Problem (OOCSP) that can be solved efficiently using a resolution-based theorem-prover. We outline the approach and discuss both the benefits of the approach as well as its limitations, and highlight certain unresolved issues that require further work. We demonstrate the viability of this approach using an e-Commerce site as an example, and provide results on the complexity and time required to solve for the configuration of such an application.


conference on data and application security and privacy | 2013

TamperProof: a server-agnostic defense for parameter tampering attacks on web applications

Prithvi Bisht; Timothy L. Hinrichs; V. N. Venkatakrishnan; Lenore D. Zuck

Parameter tampering attacks are dangerous to a web application whose server performs weaker data sanitization than its client. This paper presents TamperProof, a methodology and tool that offers a novel and efficient mechanism to protect Web applications from parameter tampering attacks. TamperProof is an online defense deployed in a trusted environment between the client and server and requires no access to, or knowledge of, the server side codebase, making it effective for both new and legacy applications. The paper reports on experiments that demonstrate TamperProof's power in efficiently preventing all known parameter tampering vulnerabilities on ten different applications.


formal aspects in security and trust | 2011

TBA: a hybrid of logic and extensional access control systems

Timothy L. Hinrichs; William C. Garrison; Adam J. Lee; Skip Saunders; John C. Mitchell

Logical policy-based access control models are greatly expressive and thus provide the flexibility for administrators to represent a wide variety of authorization policies. Extensional access control models, on the other hand, utilize simple data structures to better enable a less trained and non-administrative workforce to participate in the day-to-day operations of the system. In this paper, we formally study a hybrid approach, tag-based authorization (TBA), which combines the ease of use of extensional systems while still maintaining a meaningful degree of the expressiveness of logical systems. TBA employs an extensional data structure to represent metadata tags associated with subjects and objects, as well as a logical language for defining the access control policy in terms of those tags. We formally define TBA and introduce variants that include tag ontologies and delegation. We evaluate the resulting system by comparing to well-known extensional and logical access control models.


2012 International Conference on Cyber Security | 2012

WAVES: Automatic Synthesis of Client-Side Validation Code for Web Applications

Maliheh Monshizadeh; Prithvi Bisht; Timothy L. Hinrichs; V. N. Venkatakrishnan; Lenore D. Zuck

The current practice of Web application development treats the client and server components of the application as two separate pieces of software. Each component is written independently, usually in distinct programming languages and development platforms - a process known to be prone to errors when the client and server share application logic. When the client and server are out of sync, an "impedance mismatch" occurs, often leading to software vulnerabilities as demonstrated by recent work on parameter tampering. This paper outlines the groundwork for a new software development approach, WAVES, where developers author the server-side application logic and rely on tools to automatically synthesize the corresponding client-side application logic. WAVES employs program analysis techniques to extract a logical specification from the server, from which it synthesizes client code. WAVES also synthesizes interactive client interfaces that include asynchronous callbacks (AJAX) whose performance and coverage rival that of manually written clients while ensuring no new security vulnerabilities are introduced. The effectiveness of WAVES is demonstrated and evaluated on three real-world web applications.


new security paradigms workshop | 2012

The need for application-aware access control evaluation

William C. Garrison; Adam J. Lee; Timothy L. Hinrichs

Access control is an area where one size does not fit all. However, previous work in access control has focused solely on expressiveness as an absolute measure. Thus, we discuss and justify the need for a new type of evaluation framework for access control, one that is application-aware. To this end, we apply previous work in access control evaluation, as well as lessons learned from evaluation frameworks used in other domains. We describe the analysis components required by such a framework, the challenges involved in building it, and our preliminary work in realizing this ambitious goal. We then theorize about other areas within the security domain that display a similar absence of such evaluation tools, and consider ways in which we can adapt our framework to analyze these broader types of security workloads.


practical aspects of declarative languages | 2011

Plato: a compiler for interactive web forms

Timothy L. Hinrichs

Modern web forms interact with the user in real-time by detecting errors and filling in implied values, which in terms of automated reasoning amounts to SAT solving and theorem proving. This paper presents PLATO, a compiler that automatically generates web forms that detect errors and fill in implied values from declarative web form descriptions. Instead of writing HTML and JavaScript directly, web developers write an ontology in classical logic that describes the relationships between web form fields, and PLATO automatically generates HTML to display the form and browser scripts to implement the requisite SAT solving and theorem proving. We discuss PLATO's design and implementation and evaluate PLATO's performance both analytically and empirically.

Collaboration


Timothy L. Hinrichs's collaborations.

Top Co-Authors

V. N. Venkatakrishnan
University of Illinois at Chicago

Lenore D. Zuck
University of Illinois at Chicago

Prithvi Bisht
University of Illinois at Chicago

Adam J. Lee
University of Pittsburgh

Alexander Yip
Massachusetts Institute of Technology