A Systematic Approach to Uncover Security Flaws in GUI Logic
Shuo Chen, José Meseguer, Ralf Sasse, Helen J. Wang, Yi-Min Wang
IEEE Symposium on Security and Privacy, Oakland, CA, 5/21/2007


Slide 1: A Systematic Approach to Uncover Security Flaws in GUI Logic
Shuo Chen †, José Meseguer ‡, Ralf Sasse † ‡, Helen J. Wang †, Yi-Min Wang †
† Systems and Networking Group, Microsoft Research
‡ Dept. of Computer Science, University of Illinois at Urbana-Champaign

Slide 2: Visual Spoofing: A Serious Security Problem
- A simple equation: 1000 miles × trusted + 20 inches × untrusted = untrusted
  (figure: the trusted Web server is 1000 miles away; the last 20 inches, between the screen and the user, are untrusted)
- Examples: status bar spoofing and address bar spoofing
- IE, Firefox and Netscape all have security flaws in GUI

Slide 3: Research motivation and goal
- GUI behaviors are driven by complex logic, e.g., how to handle mouse messages and update the status bar, how to update the address bar during navigations
- Need a systematic approach to examine its correctness
- Goal: to apply formal methods to reason about GUI logic in order to proactively uncover browser spoofing bugs

Slide 4: Overview of Our Approach
(figure: the real world on one side and the formal world on the other, with steps (a) to (f); labels as extracted)
- Real world: source code of browser GUI; visual invariant; real spoofing scenarios
- Formal world: program logic (pseudo code), execution context, system state and the user's action sequence form the modeled system; program invariant; Reasoning Engine (the Maude system: a rewriting logic engine); a violation yields potential spoofing scenarios

Slide 5: Case study: status bar spoofing: basic concepts
(figure: a page with an anchor <a> and a button "My button"; the status bar; the Document Object Tree (DOM tree), the page layout, and the element stacks ordered toward the user)

Slide 6: Case study: status bar spoofing: mouse handling logic
- In status bar spoofing, only three raw mouse messages are relevant: MouseMove, LeftButtonDown, LeftButtonUp
- Each HTML element has three virtual methods: HandleMessage, DoClick, ClickAction (pseudo code in the paper)
- Every element has different behavior about updating the status bar (SetStatusText) and navigating to the target URL (FollowHyperlink)
- Message bubbling (passing the mouse message to the parent element): every element can decide whether to continue the bubbling or cancel the bubbling
- We used Maude to model the source code of the mouse handling logic

Slide 7: Case study: status bar spoofing: finding attacks
- System state: status bar URL, user memorized URL
- User action sequence (canonicalized): MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp (only two MouseMoves are needed: because the status bar is memoryless, a sequence of MouseMoves is equivalent to one MouseMove)
- Execution context (canonicalized): DOM tree structures with at most two branches, corresponding to the two MouseMoves
- Program invariant: at the time of the function call FollowHyperlink(targetURL), targetURL = user memorized URL
- Use Maude to search for spoofing scenarios

Slide 8: Examples of Status Bar Spoofs
- All because of unexpected combinations of element behaviors
- (figure: element stacks and element layouts of four spoofs; the page shows paypal.com while the click goes to foo.com)
  - Stack: input field, anchor, form; form target = foo.com, anchor target = paypal.com
  - Stack: image button, form; form target = foo.com, image target = paypal.com
  - Stack: label, anchor; label's target = foo.com, anchor's target = paypal.com
  - Stack: image, label; img's target = paypal.com, label's target = foo.com
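The search on slides 6-8 can be reproduced on a toy scale. The Python below is an added example, not the paper's Maude model or IE's code: its per-element behaviours are simplified assumptions (anchor shows and follows its own href and cancels bubbling; a submit input follows the nearest enclosing form's action; a label activates its target; form and image only bubble), the two URLs are constructed samples, and a stack lists elements outermost first.

```python
# Added example, not the paper's Maude model or IE's code: a toy version of the
# status-bar search on slides 6-8.  The per-element behaviours are simplified
# assumptions chosen so that the slide-8 stacks are reproduced; the two URLs are
# constructed sample targets.  A stack lists elements outermost first.
from itertools import product

URLS = ("paypal.com", "foo.com")
KINDS = ("anchor", "form", "input", "label", "image")

def handle(state, stack, idx, msg):
    """Assumed handler of stack[idx] for msg; returns True to cancel bubbling."""
    kind, url = stack[idx]
    if kind == "anchor":                    # shows its href, then follows it
        state["status" if msg == "MouseMove" else "followed"] = url
        return True
    if kind == "input" and msg == "Click":  # submit button: nearest form's action
        for k, action in reversed(stack[:idx]):
            if k == "form":
                state["followed"] = action
                return True
    if kind == "label" and msg == "Click":  # activates the control it labels
        state["followed"] = url
        return True
    return False                            # form and image keep bubbling

def dispatch(state, stack, msg):
    """Deliver msg to the innermost element and bubble towards the root."""
    for idx in range(len(stack) - 1, -1, -1):
        if handle(state, stack, idx, msg):
            return

def run(stack):
    """Action sequence MouseMove, Inspection, Click; returns (memorized, followed)."""
    state = {"status": "", "followed": None}
    dispatch(state, stack, "MouseMove")
    memorized = state["status"]             # Inspection: the user reads the status bar
    dispatch(state, stack, "Click")
    return memorized, state["followed"]

def violates(stack):
    """Slide 7 invariant: at FollowHyperlink(target), target == user memorized URL."""
    memorized, followed = run(stack)
    return bool(memorized) and followed is not None and followed != memorized

def find_spoofs(max_depth=3):
    """Exhaustive search over small stacks, the role Maude's search plays."""
    elems = [(k, u) for k in KINDS for u in URLS]
    return [stack for depth in range(1, max_depth + 1)
            for stack in product(elems, repeat=depth) if violates(stack)]
```

Every stack find_spoofs() reports contains an anchor that set the status bar and an inner element that navigated elsewhere, which is the "unexpected combination of element behaviors" of slide 8.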

Slide 9: Case study: address bar spoofing: basic concepts (browser, renderer, frame, markup)
(figure: the Browser holds a Renderer; the Renderer holds the PrimaryFrame from MySite.com, Frame1 from PayPal and Frame2 from MSN; each frame has a current markup and a pending markup)

Slide 10: Case study: address bar spoofing
- Program invariant: the address bar should display the URL of the current markup of the primary frame
- User action sequence: page loading, history traveling and window opening
- Execution context: a set of Boolean conditions affecting the execution path
- System state: PrimaryFrame, other frames, current markups, pending markups, address bar URL, ...

Slide 11: Pseudo code model: loading a new page
(figure: flow diagram; nodes in the order extracted: FollowHyperlink, start navigation, ready, PostParser, event queue, Markup::SetInteractive, NavigationComplete, SetAddressBar, Frame::SwitchMarkup, onPaint, View::EnsureView, View::RenderView; legend: posting an event, calling a function, invoking a handler)

Slide 12: Pseudo code model: history travel
(figure: flow diagram; nodes in the order extracted: start navigation, ready, PostParser, event queue, Markup::SetInteractive, NavigationComplete, SetAddressBar, Frame::SwitchMarkup, onPaint, View::EnsureView, View::RenderView, History_Back, Travel, LoadHistory; legend: posting an event, calling a function, invoking a handler)

Slide 13: Pseudo code model: opening a page in a new window
(figure: flow diagram; nodes in the order extracted: CreatePending, DocObject, start-loading, LoadDocument, event queue, Load, CreateMarkup, SetAddressBar, LoadFromInfo, FollowHyperlink, onPaint, PostParser, View::RenderView, download-content, InitNew, SetClientSite, InitDocHost, SwitchMarkup)

Slide 14: Discovered Address Bar Spoof (An Atomicity Bug)
(demonstration slide; no text)

Slide 15: Discovered address bar spoof (a race condition)
(figure: a history back races with loading a new page; the address bar ends up showing c:\windows\system32\shdoclc.dll?http)
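The invariant of slide 10 can be checked over interleavings the way the paper's search does, as in this added Python example (not the paper's Maude model or IE's code). It assumes each navigation posts SwitchMarkup, SetAddressBar and onPaint as three separate events in that order (an assumed order, not the one in the diagrams on slides 11 and 12), starts from a constructed page mysite.com, and enumerates every interleaving of a History_Back to paypal.com with a new load of foo.com.

```python
# Added example, not the paper's Maude model or IE's code: a toy event-queue
# model of the address-bar invariant on slide 10 applied to the race on slide
# 15.  It assumes each navigation posts SwitchMarkup, SetAddressBar and onPaint
# as three separate events (an assumed order, not the paper's diagrams) and
# searches every interleaving of a history-back and a new-page load.
from itertools import combinations

def navigation(url):
    """Events one navigation posts to the queue, in the assumed order."""
    return [("SwitchMarkup", url), ("SetAddressBar", url), ("onPaint", url)]

def interleavings(a, b):
    """Every merge of two event lists that keeps each list's own order."""
    n = len(a) + len(b)
    for a_slots in combinations(range(n), len(a)):
        ia, ib, merged = iter(a), iter(b), []
        for pos in range(n):
            merged.append(next(ia) if pos in a_slots else next(ib))
        yield merged

def replay(events, start="mysite.com"):
    """Drain the queue; return the state at the first paint that breaks the
    invariant (address bar == current markup of the primary frame), else None."""
    state = {"current_markup": start, "address_bar": start}
    for step, url in events:
        if step == "SwitchMarkup":
            state["current_markup"] = url
        elif step == "SetAddressBar":
            state["address_bar"] = url
        elif step == "onPaint" and state["address_bar"] != state["current_markup"]:
            return dict(state)          # what the user would see on screen
    return None

def find_races(back_url="paypal.com", new_url="foo.com"):
    """Search all interleavings of History_Back and loading a new page."""
    return [(order, shown)
            for order in interleavings(navigation(back_url), navigation(new_url))
            for shown in [replay(order)] if shown is not None]
```

Each reported interleaving paints foo.com content under the paypal.com URL (or the reverse), which is the non-atomic update the slide 16 summary lists; making SwitchMarkup and SetAddressBar one event removes every hit.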

Slide 16: Summary of bug reporting for IE 7
- Found many new scenarios for the status bar spoofing, filed them as 9 bugs against IE. All fixed before IE7 RC 1 (release candidate 1).
- 4 new scenarios of the address bar spoofing:
  - Non-atomic update of the address bar (2 bugs)
  - Non-atomic update of the content area
  - Race condition: multiple frames compete to be the primary
- IE team has fixed two, and proposed the fixes for the other 2 to go into the next version.

Slide 17: Conclusions
- Formulated GUI logic correctness as a new research problem
- Proposed a systematic approach to proactively uncover security flaws in browser GUI
- Demonstrated the benefit of the systematic approach to the GUI implementation
- The approach is not IE specific:
  - Other browsers (e.g., Firefox, Opera, Netscape, etc.)
  - Non-browser applications (e.g., Outlook, Outlook Express)

Slide 18: Discussions
- Are there spoofing bugs that are not logic flaws? Picture-in-picture, pop-up covering, chromeless window, symbol similarities ("vv" vs. "w", "l" vs. "|", etc.)
- Should we rely on users' security awareness for anti-phishing?
  - Ideally, no. An ideal security infrastructure should be transparent! Many users ignore security warnings. [Dhamija-CHI-06][Wu-CHI-06][Schechter-S&P-07]
  - In reality, people have not found a satisfactory way to get transparent security:
    - White-listing? Sacrifices the openness of the web. Does not scale.
    - Black-listing or intrusion detection? Signature precision and timeliness.
  - Anti-phishing will remain a joint effort between browser vendors and users for many years. IE 7 has made many efforts to make the GUI authentic. "Seat belts" are effective only when you "buckle up"! (Not ideal, but ...)