
Number of slides: 60

CS 380S Web Browser Security
Vitaly Shmatikov (most slides from the Stanford Web security group)
slide 1

Reading Assignment
- Jackson and Barth. “Beware of Finer-Grained Origins” (W2SP 2008).
- Chen et al. “Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments” (Oakland 2009).
- Optional: Barth et al. “Securing Frame Communication in Browsers” (Usenix Security 2008 and CACM).
- Optional: Barth et al. “Cross-Origin JavaScript Capability Leaks” (Usenix Security 2009).
slide 2

JavaScript Security Model (Redux)
- Same-origin policy
  • Frame can only read properties of documents and windows from the same place: server, protocol, port
- Does not apply to scripts loaded in the enclosing frame from an arbitrary site
  • This script runs as if it were loaded from the site that provided the page!
slide 3

OS vs. Browser Analogies (Redux)
Operating system
- Primitives
  • System calls
  • Processes
  • Disk
- Principals: Users
  • Discretionary access control
- Vulnerabilities
  • Buffer overflow
  • Root exploit
Web browser
- Primitives
  • Document object model
  • Frames
  • Cookies / localStorage
- Principals: “Origins”
  • Mandatory access control
- Vulnerabilities
  • Cross-site scripting
  • Universal scripting
slide 4

JavaScript Contexts
(figure: JavaScript context 1, JavaScript context 2, JavaScript context 3)
slide 5

DOM and Access Control [Barth et al.]
(figure: a JavaScript context asks for access to a DOM object; the DOM reference monitor decides “Is the accessing context allowed to handle the object?” and, if access is granted, gives a reference to the object to JavaScript)
slide 6

DOM vs. JavaScript Engine [Barth et al.]
- DOM: performs access control checks
  • When a DOM object is initially accessed, check if it’s OK to give out a reference to this object
- JavaScript engine: uses references as if they were capabilities
  • If a context has a reference to an object, it can use it without any access control checks
- … but these are the same DOM objects!
- What if a reference to an object leaks from one JavaScript context to another?
slide 7

Cross-Context References [Barth et al.]
(figure: Window 1 has a global object with a document and function foo(); Window 2 has a global object with a document and function bar(); each window & frame has one global object)
- DOM reference monitor prevents bar() from acquiring these references via the global object
- If bar() somehow managed to acquire direct references, no access checks would be performed on them!
slide 8

Detecting Reference Leaks [Barth et al.]
- Instrument WebKit’s JavaScript engine with calls to a heap analysis library
  • On object creation, reference, and destruction
- Goal: detect references between two contexts
- Sample heap graphs (figure): empty page; google.com (not much JS there)
slide 9

Heap Graph Statistics [Barth et al.]
- Empty page
  • 82 nodes, 170 edges
- google.com
  • 384 nodes, 733 edges
- store.apple.com/us
  • 5332 nodes, 11691 edges
- gmail.com
  • 55106 nodes, 133567 edges
slide 10

Computing JavaScript Contexts [Barth et al.]
(figure: Global Object, Object Prototype, __proto__ links)
- Context is defined by its global object (new context: create a new global object)
- Object prototype: ultimate parent of all objects in the prototype class hierarchy
- When an object is created, there is a path to the prototype via the __proto__ property (direct or indirect)
- Context is the transitive closure of __proto__ references
- Signal a problem if we ever see a reference between non-global objects of different contexts
slide 11

Example Vulnerability in WebKit [Barth et al.]
If the location object was created during the execution of another context, it would be created with the wrong Object prototype. The attacker’s object can then redefine the behavior of functions, such as toString, that apply to all Objects created in the other context, so that they execute arbitrary JavaScript.
slide 12

Solution
- Add access control to JavaScript references
  • get and put: check that the context matches
- 2% overhead
  • Inline caching helps: when a property is looked up for the first time, look it up in the hash table and record the offset; subsequent accesses use the recorded offset directly
    – If the offset is available, no need for access control checks (why?)
  • 10% overhead without caching
- See “Cross-Origin JavaScript Capability Leaks” for details
slide 13

Web Browser: the New OS
- Origins are similar to processes
  • One origin should not interfere with another
- Sites often want and need to communicate
  • Google AdSense –
  • Active network attacker can now hijack any session
- Better way to include content:
  • Served over the same protocol as the embedding page
slide 45

Mixed Content Issues
- All browsers fail to account for canScript
  • One fix: the Safelock browser extension revokes the ability to display the lock icon from all documents in the same origin as an insecure document
- Lots of other bugs
  • Fail to detect insecure SWF movies (IE, Firefox)
  • Navigation forgets mixed content (Firefox)
  • Firefox architecture makes detection difficult
slide 46

Example of a Vulnerability
Chase used a SWF movie served over HTTP to perform authentication on the banking login page – an active network attacker can steal the password!
slide 47

Origin Contamination
(figure only)
slide 48

Picture-in-Picture Attacks
(figure)
Trained users are more likely to fall victim to this!
slide 49

SSL/TLS and Its Adversary Model [Chen et al.]
- HTTPS: end-to-end secure protocol for the Web
- Designed to be secure against man-in-the-middle (MITM) attacks
  (figure: browser → proxy → Internet → HTTPS server, with an SSL tunnel from the browser to the server)
- HTTPS provides encryption and integrity checking
slide 50

PBP: Pretty-Bad-Proxy [Chen et al.]
- A bad proxy can exploit browser bugs to render unencrypted, potentially malicious content in the context of an HTTPS session!
  (figure: browser layers “Rendering modules”, “HTTP/HTTPS”, “TCP/IP”; server layers “HTTP/HTTPS”, “TCP/IP”; labels “Unencrypted” and “SSL tunnel, encrypted”)
slide 51

Attack #1: Error Response [Chen et al.]
- Proxy error page: 502, other 4xx/5xx response
- Script in the error page runs in the HTTPS context!
  (figure: browser → PBP → https://bank.com; the PBP replies “502: Server not found”)