1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.


1 14th ACM Conference on Computer and Communications Security, Alexandria, VA. Shuo Chen †, David Ross ‡, Yi-Min Wang † († Internet Services Research Center, Microsoft Research; ‡ Microsoft Security Technology Unit). October 30th, 2007.

2 A browser can visit pages from benign and malicious websites at the same time, so the browser needs to provide an isolation mechanism so that pages from different domains cannot access each other. The policy of such a mechanism is commonly referred to as the same-origin policy (SOP). Otherwise, a foo.com page could do almost anything to a bank.com page:
Info leak: steal the user’s personal information in myBank.com.
Request forgery: transfer the user’s money to other places.

3 Some SOPs are not clearly defined; the industry still needs to define some specific SOPs. However, even for well-defined SOPs, the current implementations of the isolation mechanisms are surprisingly error-prone: IE, Firefox, Netscape and Opera all had bugs in their implementations.
Demos: attacks against IE 6 (on WinXP).

4 Keep patching? Not a real solution, and not effective against future bugs.
Perform a thorough code review of the browser code base? Not realistic: the code base is huge, and the bugs are much trickier than buffer overruns.
What kind of solution do we want?
Comprehensive: solve this class of bugs.
Transparent: no need to change web applications.
Light-weight: low performance overhead.
Self-contained correctness: can be implemented correctly with only a limited understanding of the existing browser code base.

5 In human languages, an accent is essentially an identifier of a person’s origin that is carried in communications.
Script accenting: each domain is associated with an “accent key”. Scripts and HTML object names are represented in their accented forms at the interface between the script engine and the HTML engine. Two frames cannot interfere if they have different accent keys (no need for an explicit check of the domain IDs).

7 Frame A’s domain is x, frame B’s domain is y. Isn’t it easy to simply check x == y? No, it’s much more complicated than this. There are unexpected execution paths in the system that bypass the check or feed incorrect domain IDs to the check. Exploit scenarios take advantage of many complex mechanisms in the browser, in surprisingly smart ways.

8 Demo 1 (figure). Frame2 = open(“ ”, “frame2”); open(“file: javascript: doEvil”, “frame2”).
Frame1: URL= file: javascript: doEvil → javascript: doEvil (Windows Shell, Address Parser).
Frame2: URL= (Salary=$1234, Direct deposit settings …). Window Shell, IE.

9 Demo 2 (figure). Frame1: URL= ; Frame2: URL= .
(1) Set a timer in Frame2 to execute a statement after 1 second: “location.assign(‘ javascript:doEvil’)”.
(2) Frame2.location.assign = window.location.assign.
(3) Navigate Frame1 to (Frame1: URL= ).

10 Demo 3 (figure). Frame1: URL= ; Frame2: URL= ; Frame0: URL= .
Frame0 executes a statement: Frame2.open(“javascript:doEvil”, Frame1).

11 Demo 4 (figure). Frame1: URL= ; Frame0: URL= .
document.body.setCapture()
onClick() { reference to the document in Frame1 by event.srcElement }

12 The causes:
The SOP check is bypassed in some attack scenarios (the check may not be triggered).
The SOP check is a single-point check buried deep in the call stack.
At the time of the check, there are confusions of the domain IDs.
Developers cannot anticipate all these scenarios: too many modules are involved, with too complex logic combinations.

14 Each domain D is assigned a random number as its accent key K_D. The current implementation uses ⊕ (i.e., XOR). To accent script S in domain D: S ⊕ K_D.
Two basic and easy rules in the implementation:
Rule of script ownership: a script is owned by the frame that supplies the source code of the script, and should be accented at the time when its source code is supplied.
Rule of object ownership: every object is owned by the frame that hosts the DOM tree of the object, and is always referenced by its accented name.

18 Demo 1 revisited (figure). Frame2 = open(“ ”, “frame2”); open(“file: javascript: doEvil”, “frame2”).
Frame1: URL= file: javascript: doEvil → javascript: doEvil (Windows Shell, Address Parser): a filename, not a javascript URL.
Frame2: URL= (Window Shell, IE): unrecognizable script code.

19 Demo 2 revisited (figure). Frame1: URL= ; Frame2: URL= .
(1) Set a timer in Frame2 to execute a statement after 1 second: “location.assign(‘ javascript:doEvil’)”.
(2) Frame2.location.assign = window.location.assign.
(3) Navigate Frame1 to (Frame1: URL= ).
The script is accented using evil’s key, but deaccented using payroll’s key.

20 Demo 3 revisited (figure). Frame1: URL= ; Frame2: URL= ; Frame0: URL= .
Frame0 executes a statement: Frame2.open(“javascript:doEvil”, Frame1).
The script is accented using evil’s key (Frame0), but deaccented using payroll’s key (Frame1).

21 Demo 4 revisited (figure). Frame1: URL= ; Frame0: URL= .
document.body.setCapture()
onClick() { reference to event.srcElement }
Names of objects under srcElement are deaccented using payroll’s key.
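Added illustration (not the paper’s IE code): a small Python model of the two accenting rules on slide 14, run over the situations on slides 19 to 21. The domain names, the fixed-width XOR keys and the stand-in “parser” (which only recognises printable ASCII) are constructed for the example.

```python
import secrets

# Constructed model of script accenting: per-domain random key, accenting by XOR.

def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class Frame:
    """One frame: its domain, its accent key and its DOM objects (by accented name)."""
    def __init__(self, domain, key=None):
        self.domain = domain
        self.key = key or secrets.token_bytes(16)   # random accent key K_D
        self.dom = {}                               # accented name -> object

    def add_object(self, name, obj):
        # Rule of object ownership: the hosting frame accents the object's name
        self.dom[xor_bytes(name.encode(), self.key)] = obj

def supply_script(supplier, source):
    # Rule of script ownership: accented when the source code is supplied
    return xor_bytes(source.encode(), supplier.key)

def run_script(executor, accented):
    """Script-engine side: deaccent with the executing frame's key, then parse.
    Stand-in parser: anything outside printable ASCII is unrecognizable."""
    src = xor_bytes(accented, executor.key)
    if any(b >= 0x7F or (b < 0x20 and b not in b"\t\n\r") for b in src):
        return None                                 # "unrecognizable script code"
    return src.decode("ascii")

def lookup_object(caller, host, name):
    """A script in `caller` references `name` in `host`'s DOM. The engine accents
    the name with the caller's key, so it only matches when both keys are equal;
    no explicit domain-ID comparison is performed anywhere."""
    return host.dom.get(xor_bytes(name.encode(), caller.key))

def demo(evil_key=None, payroll_key=None):
    evil = Frame("evil.example", evil_key)          # constructed domains
    payroll = Frame("payroll.example", payroll_key)
    payroll.add_object("salary", "$1234")
    s = supply_script(evil, "doEvil()")             # accented with evil's key
    return {
        "same_domain": run_script(evil, s),            # runs: 'doEvil()'
        "cross_domain": run_script(payroll, s),        # slides 19/20: None
        "own_object": lookup_object(payroll, payroll, "salary"),   # '$1234'
        "foreign_object": lookup_object(evil, payroll, "salary"),  # slide 21: None
    }
```

With fixed keys whose XOR has the high bit set, the cross-domain deaccenting is guaranteed to produce non-ASCII bytes; with random 16-byte keys the same outcome holds except with negligible probability.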

22 Compatibility: existing web applications do not need any changes. They run normally without knowing of the existence of the accenting mechanism.
Performance: the measurement of end-to-end browsing time did not show any noticeable slowdown (despite a 3.16% worst-case performance overhead).

23 We studied previous browser-isolation bugs and identified key challenges in eliminating these bugs.
We proposed the script accenting approach: it is easy to reason about its correctness without understanding the complex logic of the existing browser code base.
Evaluations show its comprehensive protection, compatibility with existing applications, and very small performance overhead.