Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.

Published byBetty Weaver Modified over 9 years ago

Similar presentations

Presentation on theme: "1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center."— Presentation transcript:

1 1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center Microsoft Research ‡ Microsoft Security Technology Unit October 30 th, 2007

2 2 14th ACM Conference on Computer and Communications Security, Alexandria, VA A browser can visit pages from benign and malicious websites at the same time. Browser needs to provide an isolation mechanism so that pages from different domains cannot access each other. The policy of such a mechanism is commonly referred to as the same-origin policy (SOP) Otherwise, a foo.com page can do almost anything to a bank.com page Info leak: steal the user’s personal information in myBank.com Request forgery: transfer the user’s money to other places.

3 3 14th ACM Conference on Computer and Communications Security, Alexandria, VA Some SOPs are not clearly defined. The industry still needs to define some specific SOPs. However, even for well-defined SOPs, the current implementations of the isolation mechanisms are surprisingly error-prone. IE, Firefox, Netscape, Opera all had bugs in their implementations. Demos: attacks against IE 6 (on WinXP)

4 4 14th ACM Conference on Computer and Communications Security, Alexandria, VA Keep patching? Not a real solution, not effective for future bugs. Perform a thorough code review of the browser code base? Not realistic. The code base is huge, bugs are much trickier than buffer overruns. What kind of solution do we want? Comprehensive: solve this class of bugs Transparent: no need to change web applications Light-weight: low performance overhead Self-contained correctness: can be implemented correctly with only limited understanding of existing browser code base

5 5 14th ACM Conference on Computer and Communications Security, Alexandria, VA In human languages, accent is essentially an identifier of a person’s origin that is carried in communications Script accenting Each domain is associated with an “accent key”. Scripts and HTML object names are represented in their accented forms at the interface between the script engine and the HTML engine. Two frames cannot interfere if they have different accent keys (no need for an explicit check for the domain IDs)

6 6 14th ACM Conference on Computer and Communications Security, Alexandria, VA

7 7 Frame A’s domain is x, frame B’s domain is y. Isn’t it easy to simply check x==y? No, it’s much more complicated than this There are unexpected execution paths in the system to bypass the check or feed incorrect domain IDs to the check. Exploit scenarios take advantage of many complex mechanisms in the browser. Surprisingly smart ways of exploits!

8 8 14th ACM Conference on Computer and Communications Security, Alexandria, VA Frame2 = open(“http://payroll”, “frame2”); open(“file: javascript: doEvil”, “frame2”) Frame1: URL=http://evil file: javascript: doEvil javascript: doEvil Windows Shell Address Parser Frame2: URL=http://payroll Salary=$1234 Direct deposit settings … Window Shell IE

9 9 14th ACM Conference on Computer and Communications Security, Alexandria, VA Frame1: URL=http://evil Frame2: URL=http://evil After 1 second, execute: “location.assign(‘ javascript:doEvil’)” (1) Set a timer in Frame2 to execute a statement after 1 second (2) Frame2.location.assign =window.location.assign (3) Navigate Frame1 to http://payroll Frame1: URL=http://payroll

10 10 14th ACM Conference on Computer and Communications Security, Alexandria, VA Frame1: URL=http://payroll Frame2: URL=http://payroll Frame0: URL=http://evil Frame0 executes a statement: Frame2.open(“javascript:doEvil”,Frame1)

11 11 14th ACM Conference on Computer and Communications Security, Alexandria, VA Frame1: URL=http://payroll Frame0: URL=http://evil document.body.setCapture() onClick() { reference to the document in Frame1 by event.srcElement }

12 12 14th ACM Conference on Computer and Communications Security, Alexandria, VA The causes The SOP check is bypassed in some attack scenarios (the check may not be triggered) The SOP check is a single-point check buried deep in the call stack At the time of check, there are confusions of the domain-IDs. Developers cannot anticipate all these scenarios. Involving too many modules, too complex logic combinations

13 13 14th ACM Conference on Computer and Communications Security, Alexandria, VA

14 14 14th ACM Conference on Computer and Communications Security, Alexandria, VA Each domain D is assigned a random number as its accent key K D The current implementation uses  (i.e., XOR) To accent script S in domain D: S  K D Two basic and easy rules in the implementation Rule of script ownership A script is owned by the frame that supplies the source code of the script, and should be accented at the time when its source code is supplied. Rule of object ownership Every object is owned by the frame that hosts the DOM tree of the object, and is always referenced by its accented name.

15 15 14th ACM Conference on Computer and Communications Security, Alexandria, VA

16 16 14th ACM Conference on Computer and Communications Security, Alexandria, VA

17 17 14th ACM Conference on Computer and Communications Security, Alexandria, VA

18 18 14th ACM Conference on Computer and Communications Security, Alexandria, VA javascript Filename, not a javascript Frame2 = open(“http://payroll”, “frame2”); open(“file: javascript: doEvil”, “frame2”) Frame1: URL=http://evil file: javascript: doEvil javascript: doEvil Windows Shell Address Parser Frame2: URL=http://payroll Window Shell IE Unrecognizable script code

19 19 14th ACM Conference on Computer and Communications Security, Alexandria, VA Frame1: URL=http://evil Frame2: URL=http://evil After 1 second, execute: “location.assign(‘ javascript:doEvil’)” (1) Set a timer in Frame2 to execute a statement after 1 second (2) Frame2.location.assign =window.location.assign (3) Navigate Frame1 to http://payroll Frame1: URL=http://payroll The script is accented using evil’s key, but deaccented using payroll’s key

20 20 14th ACM Conference on Computer and Communications Security, Alexandria, VA Frame1: URL=http://payroll Frame2: URL=http://payroll Frame0: URL=http://evil Frame0 executes a statement: Frame2.open(“javascript:doEvil”,Frame1) The script is accented using evil’s key (Frame0), but deaccented using payroll’s key (Frame1)

21 21 14th ACM Conference on Computer and Communications Security, Alexandria, VA Frame1: URL=http://payroll Frame0: URL=http://evil document.body.setCapture() onClick() { reference to event.srcElement } Names of objects under srcElement are deaccented using payroll’s key.

22 22 14th ACM Conference on Computer and Communications Security, Alexandria, VA Compatibility Existing web applications do not need any changes. They can run normally without knowing the existence of the accenting mechanism. Performance The measurement about end-to-end browsing time did not show any noticeable slowdown. (despite a 3.16% worst-case performance overhead)

23 23 14th ACM Conference on Computer and Communications Security, Alexandria, VA We studied previous browser-isolation bugs, and identified key challenges in eliminating these bugs. We proposed the script accenting approach Easy to reason about its correctness without understanding the complex logic of existing browser code base. Evaluations show its comprehensive protection, compatibility with existing applications, and very small performance overhead.

Download ppt "1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center."

Similar presentations

1 EuroSys 2010, Paris, France Shuo Chen, Hong Chen, Manuel Caballero Microsoft Corporation Purdue University Redmond, WA, USA West Lafayette, IN, USA April.

1 EuroSys 2010, Paris, France Shuo Chen, Hong Chen, Manuel Caballero Microsoft Corporation Purdue University Redmond, WA, USA West Lafayette, IN, USA April.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
20065817 Su Yong Kim. Contents Domain Isolation Real-World Attacks Script Accenting Mechanism Attack Scenarios Revisited Performance Conclusion 2.

Su Yong Kim. Contents Domain Isolation Real-World Attacks Script Accenting Mechanism Attack Scenarios Revisited Performance Conclusion 2.
IIS Technologies.

IIS Technologies.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
1 Shuo Chen ISRC, MSR March 2008. 2 Browser security is still very broad. I usually differentiate three types of issues – their causes and potential solutions.

1 Shuo Chen ISRC, MSR March Browser security is still very broad. I usually differentiate three types of issues – their causes and potential solutions.
HTML Recall that HTML is static in that it describes how a page is to be displayed, but it doesn’t provide for interaction or animation. A page created.

HTML Recall that HTML is static in that it describes how a page is to be displayed, but it doesn’t provide for interaction or animation. A page created.
CP476 Internet Computing Browser and Web Server 1 Web Browsers A client software program that allows you to access and view Web pages on the Internet –Examples.

CP476 Internet Computing Browser and Web Server 1 Web Browsers A client software program that allows you to access and view Web pages on the Internet –Examples.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Describe the application and limits of procedural, object orientated and event driven programming. 

Describe the application and limits of procedural, object orientated and event driven programming. 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL.

FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL.

Similar presentations

Ads by Google