
1  A Systematic Approach to Uncover Security Flaws in GUI Logic
5/21/2007, IEEE Symposium on Security and Privacy, Oakland, CA
Shuo Chen †, José Meseguer ‡, Ralf Sasse † ‡, Helen J. Wang †, Yi-Min Wang †
† Systems and Networking Group, Microsoft Research
‡ Dept. of Computer Science, University of Illinois at Urbana-Champaign

2  Visual Spoofing: A Serious Security Problem
A simple equation: 1000 miles × trusted + 20 inches × untrusted = untrusted
[Figure: Web server at 1000 miles, trusted; display at 20 inches, untrusted]
Examples: status bar spoofing and address bar spoofing
IE, Firefox and Netscape all have security flaws in GUI.

3  Research motivation and goal
GUI behaviors are driven by complex logic, e.g., how to handle mouse messages and update the status bar, how to update the address bar during navigations.
Need a systematic approach to examine its correctness.
Goal: to apply formal methods to reason about GUI logic in order to proactively uncover browser spoofing bugs.

4  Overview of Our Approach
[Figure: Real world vs. formal world. (a) Source code of browser GUI → (b) the modeled system: program logic (pseudo code), execution context, system state, user's action sequence; (c) visual invariant → program invariant; (d) reasoning engine (the Maude system, a rewriting logic engine); (e) potential spoofing scenarios → (f) real spoofing scenarios]

5  Case study: status bar spoofing: basic concepts
[Figure: a page containing an anchor (<a>) and a "My button" element, shown as the Document Object Tree (DOM tree), the page layout, and the element stacks (ordered toward the user); the status bar at the bottom]

6  Case Study: status bar spoofing: mouse handling logic
In status bar spoofing, only three raw mouse messages are relevant: MouseMove, LeftButtonDown, LeftButtonUp.
Each HTML element has three virtual methods: HandleMessage, DoClick, ClickAction (pseudo code in the paper).
Every element has different behavior about updating the status bar (SetStatusText) and navigating to the target URL (FollowHyperlink).
Message bubbling (passing the mouse message to the parent element): every element can decide whether to continue the bubbling or cancel the bubbling.
We used Maude to model the source code of the mouse handling logic.

7  Case Study: status bar spoofing: finding attacks
System state: status bar URL, user memorized URL.
User action sequence (canonicalized): MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp (only two MouseMoves are needed: because the status bar is memoryless, a sequence of MouseMoves is equivalent to one MouseMove).
Execution context (canonicalized): DOM tree structures (at most two branches, corresponding to the two MouseMoves).
Program invariant: at the time of the function call FollowHyperlink(targetURL), targetURL = user memorized URL.
Use Maude to search for spoofing scenarios.

8  Examples of Status Bar Spoofs
All because of unexpected combinations of element behaviors (shown as element stacks and element layouts):
- input field / anchor / form: form target = foo.com, anchor target = paypal.com [status bar: paypal.com]
- image button / form: form target = foo.com, image target = paypal.com [status bar: paypal.com]
- label / anchor: label's target = foo.com, anchor's target = paypal.com
- image / label: img's target = paypal.com, label's target = foo.com
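A toy Python model of the search described on slides 6 to 8, added here as an illustration; it is not the authors' Maude model, and the element behaviours (anchor sets the status text and cancels bubbling, submit button posts to the nearest enclosing form, label forwards the click to its control) are simplified assumptions rather than IE's actual logic:

```python
from itertools import product

TARGETS = ("paypal.com", "foo.com")   # constructed sample URLs taken from the slides

class Browser:
    """System state: status bar URL, user-memorized URL, FollowHyperlink argument."""
    def __init__(self):
        self.status = ""        # status bar text (memoryless: only the last setter counts)
        self.memorized = None   # what the user read at Inspection time
        self.followed = None    # argument of the FollowHyperlink call, if any

    def mouse_move(self, stack):
        # HandleMessage bubbling, innermost element first (assumed behaviour): an
        # anchor calls SetStatusText and cancels bubbling; others pass the message on.
        for kind, target in stack:
            if kind == "anchor":
                self.status = target
                return

    def click(self, stack):
        # DoClick/ClickAction bubbling (assumed): first element that acts navigates and cancels.
        for i, (kind, target) in enumerate(stack):
            if kind == "submit":               # submit button posts to the nearest enclosing form
                forms = [t for k, t in stack[i:] if k == "form"]
                if forms:
                    self.followed = forms[0]
                    return
            elif kind in ("anchor", "label"):  # label forwards the click to its control
                self.followed = target
                return

def violates_invariant(stack1, stack2):
    """Canonical action sequence; True if FollowHyperlink(url) fires with url != memorized URL."""
    b = Browser()
    b.mouse_move(stack1)      # MouseMove over element stack 1 (first DOM branch)
    b.mouse_move(stack2)      # MouseMove over element stack 2 (second DOM branch)
    b.memorized = b.status    # Inspection: the user reads the status bar
    b.click(stack2)           # LeftButtonDown + LeftButtonUp on stack 2
    return b.followed is not None and b.followed != b.memorized

def search(max_depth=2):
    """Enumerate canonical element stacks (innermost first) and return all spoofing pairs."""
    elems = [(k, t) for k in ("anchor", "form", "label") for t in TARGETS]
    elems += [("submit", None), ("image", None)]
    stacks = [s for n in range(1, max_depth + 1) for s in product(elems, repeat=n)]
    return [(s1, s2) for s1 in stacks for s2 in stacks if violates_invariant(s1, s2)]
```

Running search(3) reproduces the slide's first example (submit button inside a form inside an anchor) among the reported pairs; the search is exhaustive over the small canonical state space, which is what makes the reasoning-engine approach proactive rather than reactive.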

9  Case Study: address bar spoofing: basic concepts (browser, renderer, frame, markup)
[Figure: the Browser (address bar showing http://MySite.com) owns a Renderer; the Renderer holds the PrimaryFrame from MySite.com, with a Current Markup and a Pending Markup, plus Frame1 from PayPal and Frame2 from MSN]

10  Case Study: Address Bar Spoofing
Program invariant: the address bar should display the URL of the current markup of the primary frame.
User action sequence: page loading, history traveling and window opening.
Execution context: a set of Boolean conditions affecting the execution path.
System state: PrimaryFrame, other frames, current markups, pending markups, address bar URL...

11  Pseudo code model: loading a new page
[Diagram of the event queue and call chain, distinguishing posting an event, calling a function and invoking a handler: FollowHyperlink → start navigation → ready → PostParser → Markup::SetInteractive → NavigationComplete → SetAddressBar; Frame::SwitchMarkup; onPaint → View::EnsureView (ensure) → View::RenderView]

12  Pseudo code model: history travel
[Diagram of the same event queue and call chain, now entered via History_Back → Travel → LoadHistory: start navigation → ready → PostParser → Markup::SetInteractive → NavigationComplete → SetAddressBar; Frame::SwitchMarkup; onPaint → View::EnsureView (ensure) → View::RenderView]

13  Pseudo code model: opening a page in a new window
[Diagram of the event queue and call chain: FollowHyperlink → CreatePending DocObject → start-loading → LoadDocument → download-content; Load → CreateMarkup → LoadFromInfo → InitNew → SetClientSite → InitDocHost → SwitchMarkup → SetAddressBar; onPaint → PostParser → View::RenderView]

14  Discovered Address Bar Spoof (An Atomicity Bug)
[Screenshots: address bar showing https://evil.com#xxxxx...xxxxxxx, and address bar showing https://paypal.com]

15  Discovered address bar spoof (a race condition)
[Screenshots: https://evil.com; https://paypal.com; c:\windows\system32\shdoclc.dll?http. Two competing navigations: "History back" and "Load a new page"]

16  Summary of bug reporting for IE 7
Found many new scenarios for the status bar spoofing, filed them as 9 bugs against IE. All fixed before IE7 RC 1 (release candidate 1).
4 new scenarios of the address bar spoofing:
- Non-atomic update of the address bar (2 bugs)
- Non-atomic update of the content area
- Race condition: multiple frames compete to be the primary
IE team has fixed two, and proposed the fixes for the other 2 to go into the next version.

17  Conclusions
Formulated GUI logic correctness as a new research problem.
Proposed a systematic approach to proactively uncover security flaws in browser GUI.
Demonstrated the benefit of the systematic approach to the GUI implementation.
The approach is not IE specific: other browsers (e.g., Firefox, Opera, Netscape, etc.), non-browser applications (e.g., Outlook, Outlook Express).

18  Discussions
Are there spoofing bugs that are not logic flaws? Picture-in-picture, pop-up covering, chromeless window, symbol similarities ("vv" vs. "w", "l" vs. "|", etc.).
Should we rely on users' security awareness for anti-phishing? Ideally, no. An ideal security infrastructure should be transparent! Many users ignore security warnings. [Dhamija-CHI-06][Wu-CHI-06][Schechter-S&P-07]
In reality, people have not found a satisfactory way for transparent security:
- White-listing? Sacrifices the openness of the web. Does not scale.
- Black-listing or intrusion detection? The signature precision and timeliness.
Anti-phishing will remain a joint effort between browser vendors and users for many years. IE 7 has made many efforts to make the GUI authentic. "Seat belts" are effective only when you "buckle up"! (Not ideal, but ...)