Beware of Finer-Grained Origins

Collin Jackson, Stanford University
Adam Barth, Stanford University, abarth@cs.stanford.edu

Abstract. The security policy of browsers provides no isolation between documents from the same origin (scheme, host, and port), even if those documents have different security characteristics.
Table 1. Undesirable interactions between browser features.

                                                  Circumvented by:
Feature                   Sub-Origin Privilege    Contaminated Origin   Library Import   Data Export
Cookie Paths              Read Cookie             X
WSKE                      Read Cookie             X                     X                X
Mixed Content             Show Lock               X                     N/A
Certificate Errors (IE7)  Show Lock               X                     X                X
Extended Validation       Show Organization       X                     X                X
Petname Toolbar           Show Petname            X                     X                X
Passpet                   Obtain Password         X                     X                X
Signed JARs               Install Software        X                     X                N/A
Locked SOP                Read Cookie                                   X                X
IP-based Origins          Network Requests                              X                X

approach harmonizes the new security feature with the current browser security policy.

2. Extend. Extend URLs to contain the relevant security information and refine the browser's notion of an origin to distinguish URLs based on this information. This approach lets authors specify the relevant security information when importing libraries and exporting data.

3. Destroy. Prevent the browser from rendering documents that would not be granted the privilege. This approach prevents documents that lack the privilege from obtaining the privilege because the browser acts as if those documents did not exist.

Organization. The rest of this paper is organized as follows. In Section 2, we provide examples of origin contamination. In Section 3, we describe existing finer-grained origin proposals and show their library import and data export interactions. In Section 4, we show how these attacks can be prevented. Section 5 concludes.

2 Origin Contamination

There are numerous browser security features that grant privileges to a subset of documents in an origin. Many of these features fail to account for the browser's scripting policy and contain the same poor interaction: a document that lacks the privilege can escalate its privileges by injecting script into a document that has the privilege.

Cookie Paths. One classic example of a sub-origin privilege is the ability to read cookies with path attributes. In order to read such a cookie, the path of the document's URL must extend the path of the cookie. However, the ability to read these cookies leaks to all documents in the origin because a same-origin document can inject script into a document with the appropriate path (even a 404 not found document) and read the cookies. This vulnerability has been known for a number of years [10]. This vulnerability was fixed by declaring the path attribute to be a convenience feature rather than a security feature.

Web Server Key-Enabled Cookies. A modern example of the same phenomenon is Web Server Key-Enabled (WSKE) cookies [9]. A WSKE cookie can be read only by documents retrieved over an HTTPS session that uses the same public key as the session that stored the cookie. This sub-origin privilege, the ability to read a WSKE cookie for a specific key, has the same vulnerability as the path attribute. A document from the same origin (but retrieved using a different key) can inject script into a document with the appropriate key and read the cookie [8].

Mixed Content. Browsers typically indicate whether an HTTPS document imports script libraries over HTTP. These scripts lack the protection afforded by HTTPS and can be replaced by an active network attacker. Browsers, however, fail to indicate that other documents in the same origin are contaminated by mixed content, as shown in Figure 1. Once an HTTPS document has imported a malicious script, the script can inject malicious scripts into every reachable¹ document in the same origin, including those currently displaying a lock icon. Thus, a document without the privilege to show a lock icon can obtain that privilege due to origin contamination.

Certificate Errors. In Internet Explorer 7, documents obtained from HTTPS connections with certificate errors are displayed with a red address bar and the text

¹ An attacker can reach a document either via a JavaScript pointer or by designating the document's window by name.

Figure 2. Extended Validation origin contamination. An active network attacker contaminates the bank's origin. When the user visits the real bank, the attacker injects script into the bank's document without disturbing the Extended Validation indicator.
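The leak described in Section 2 can be stated as a small model of the browser's scripting policy. The following is an added example, not code from the paper: documents, the cookie-path rule and the lock-icon rule are constructed, and the model simply assumes that any document may inject script into any other document in its origin.

```javascript
// Added example (not from the paper): why a sub-origin privilege leaks
// to every document in the origin under the browser's scripting policy.

// The browser's notion of origin: scheme, host and port only.
function origin(doc) {
  return `${doc.scheme}://${doc.host}:${doc.port}`;
}

// Documents the feature grants the privilege to, by the feature's own rule.
function granted(docs, rule) {
  return docs.filter(rule).map((d) => d.url);
}

// Documents that can actually exercise the privilege: any same-origin
// document can inject script into one that holds it, so every document
// in a "contaminated" origin effectively holds the privilege.
function effective(docs, rule) {
  const contaminated = new Set(docs.filter(rule).map(origin));
  return docs.filter((d) => contaminated.has(origin(d))).map((d) => d.url);
}

// Documents that gain the privilege only through origin contamination.
function leaks(docs, rule) {
  const direct = new Set(granted(docs, rule));
  return effective(docs, rule).filter((u) => !direct.has(u));
}

// Sub-origin privilege 1: read a cookie whose Path attribute is /admin/.
// Feature rule: the document's path must extend the cookie's path.
const readAdminCookie = (d) => d.path.startsWith('/admin/');

// Sub-origin privilege 2: show a lock icon. Feature rule: an HTTPS
// document that imported no library over plain HTTP (no mixed content).
const showLock = (d) => d.scheme === 'https' && !d.mixedContent;

// Constructed documents: two in the bank's origin, one elsewhere.
const docs = [
  { url: 'https://bank.example/admin/', scheme: 'https', host: 'bank.example', port: 443, path: '/admin/', mixedContent: false },
  { url: 'https://bank.example/blog/', scheme: 'https', host: 'bank.example', port: 443, path: '/blog/', mixedContent: true },
  { url: 'https://other.example/', scheme: 'https', host: 'other.example', port: 443, path: '/', mixedContent: false },
];
```

For both rules the blog document, which the feature never granted anything, ends up with the privilege, which is exactly the Figure 1 situation for the lock icon.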
own control, but the browser resolves these URLs relative to the URL of the current document. If the attacker has altered the URL of the document, for example by naming the server containing the document evil.com, relative URLs are resolved to absolute URLs under the control of the attacker.

Locked Same-Origin Policy. The locked same-origin policy [8] augments WSKE [9] by refining origins for HTTPS documents to include the server's public key. The goal of this policy is to prevent a pharming attacker (who controls DNS and can trick the user into clicking through certificate warnings) from reading the Secure cookies from a legitimate HTTPS session. If the legitimate document imports a library, a pharming attacker can circumvent the locked same-origin policy and read the forbidden Secure cookies. Instead of interposing on the loading of the document, the pharmer waits for the document to import a library and then supplies a malicious response. The malicious library is executed with the document's privileges and can read the Secure cookies.

IP-based Origins. The HTML5 specification proposes that browsers refine origins to include IP addresses in order to prevent DNS rebinding attacks [7], preventing the attacker's script from accessing content hosted at the target's IP address. In a DNS rebinding attack, the attacker's DNS server points evil.com to both the attacker's server and the victim's server. If a document hosted by the victim server uses a relative path to import a library, the browser will resolve the path relative to evil.com. When the browser retrieves the library, the attacker can rebind evil.com to the attacker's server, reply with a malicious library, and run script in the origin for the victim's IP address, circumventing the IP-based restrictions.

Passpet. Passpet [11] is an extension of the Petname Toolbar that generates passwords based on petnames. When the user clicks on his or her pet, Passpet injects the generated password into the site's password field. The goal of this feature is to prevent phishing attacks by training users to click their pet rather than entering passwords into web pages. If the user is willing to accept a common name mismatch (and the bank exports data to a relative URL), a phishing attacker can steal the user's bank password (see Figure 4):

1. When the user visits https://evil.com/, the attacker forwards each packet of the HTTPS session to bank.com.

2. If the user clicks through the HTTPS warning dialog box, the browser establishes a TLS session with the real bank, who responds with a login form that submits to a relative path, /login. The Passpet indicator considers only the certificate and shows the bank's petname, even though the location bar reads https://evil.com.

3. The user clicks his or her pet to log in. Based on the certificate, Passpet injects the user's bank password into the password field.

4. When the user submits the login form, the attacker ceases to forward the session and establishes a new TLS session directly with the user, presenting a valid certificate for evil.com.

5. The browser accepts this TLS session as valid and sends the password to the attacker, who can now log in as the user at the real bank site.

An attacker can also use this technique to steal passwords from users of the Petname Toolbar if the user enters their password based on the displayed petname, as instructed by the documentation [3].

Figure 3. Signed JAR origin contamination. This Yahoo! Image Search document contains a frame to evil.com, which is hosting a JAR signed by Yahoo!. Clicking Allow lets the attacker install software on the user's machine. If the user had previously granted Yahoo! this privilege, and checked Remember my decision, the browser would let the attacker install software without prompting.

4 Solutions

Designers of new browser features must consider both the implicit and explicit trust relations between documents. We propose three approaches to improving the browser's security policy that interact securely with the browser's scripting policy and the browser's architecture for importing libraries and exporting data.

Embrace. The simplest approach to designing new privileges is to embrace the current scripting policy and explicitly grant the privilege either to all, or to none, of the documents in an origin. This is the most common approach and is used by the vast majority of new browser features.

Frame Navigation. The frame navigation policy included in Internet Explorer 6, Firefox 2, and Opera 9 grants navigation privileges to documents based on their location in the frame hierarchy. The modern frame navigation policy, adopted in Internet Explorer 7, Firefox 3, and Safari 3 [1], explicitly propagates navigation privileges based on origin. This policy is more convenient for web developers because it is less restrictive, but is no less secure because an attacker could always have injected scripts into the appropriate documents to achieve the same results.

Phishing Filters. The phishing filters included in Internet Explorer and Firefox consider an origin to contain either entirely phishing or entirely non-phishing documents. Had the designers of the phishing filter attempted to classify individual documents, a phishing page could have suppressed the phishing warning by injecting script into a document classified as non-phishing. The current design avoids this pitfall by embracing origin contamination.

Extend. Finer-grained origins can be made secure by extending URLs to contain enough information to designate a fine-grained origin fully. This prevents library import and data export vulnerabilities because a document can fully specify its trust relationships using URLs.

Figure 4. Passpet data export. The phishing website forwards traffic between the user and the real bank, causing a common name mismatch warning. Because the bank's certificate was used, Passpet injects the user's bank password into the login form. When the login form is submitted to a relative path, the browser establishes a valid TLS session with the attacker and sends the password.
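The extend approach above turns on one property: when a relative library or form URL is resolved against the document's URL, the security information in the URL travels with it, so the refined origin is preserved. The following is an added example, not code from the paper or from any YURL implementation; it assumes a simplified key-in-URL form, https://<hex key fingerprint>@host/path, and constructed keys and hosts.

```javascript
// Added example (not from the paper): an "extend"-style origin that
// includes a public-key fingerprint carried in the URL. Simplified URL
// form assumed here: https://<8 hex chars>@host[:port]/path

function parse(url) {
  const m = /^(https?):\/\/(?:([0-9a-f]{8})@)?([^/:@]+)(?::(\d+))?(\/[^?#]*)?/.exec(url);
  if (!m) throw new Error(`unparseable URL: ${url}`);
  const scheme = m[1];
  return {
    scheme,
    key: m[2] || null,              // null: plain HTTPS URL, no key pinned
    host: m[3],
    port: m[4] ? Number(m[4]) : (scheme === 'https' ? 443 : 80),
    path: m[5] || '/',
  };
}

// The browser's current origin: scheme, host and port.
function coarseOrigin(u) { return `${u.scheme}://${u.host}:${u.port}`; }
// The refined origin: the key is part of it, so documents served under
// different keys for the same host are not same-origin.
function refinedOrigin(u) { return `${u.scheme}://${u.key || '-'}@${u.host}:${u.port}`; }

function coarseSameOrigin(a, b) { return coarseOrigin(parse(a)) === coarseOrigin(parse(b)); }
function sameOrigin(a, b) { return refinedOrigin(parse(a)) === refinedOrigin(parse(b)); }

// Resolve a relative reference (library import or form target) against
// the document's URL. The key is copied from the document, so a relative
// import cannot be redirected to a server holding a different key.
function resolve(docUrl, ref) {
  const d = parse(docUrl);
  const path = ref.startsWith('/') ? ref : d.path.replace(/[^/]*$/, '') + ref;
  return `${d.scheme}://${d.key ? d.key + '@' : ''}${d.host}:${d.port}${path}`;
}

// Fetch policy: a pinned key must match the key the TLS handshake
// presented (observedKey, constructed for the example); there is no
// "proceed anyway" path. Unpinned URLs fall back to ordinary HTTPS rules.
function allowFetch(url, observedKey) {
  const u = parse(url);
  return u.key === null || u.key === observedKey;
}
```

The interesting contrast is the pair of same-origin checks: under the coarse origin the two keys collide, under the refined one they do not, and the resolved relative URLs keep the document's key.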
HTTPEV. The Extended Validation behavior described in Section 2 could be addressed by creating an HTTPEV scheme that is similar to the HTTPS scheme, except that only Extended Validation certificates are permitted. An HTTPS document with a domain-validated certificate would be unable to script an HTTPEV document because their schemes would not match. When a document includes a library, the document's author can use HTTPEV to require an EV certificate, preventing domain-validated content from being displayed with EV security indicators.

YURL. A YURL [2] is a URL that includes a public key before its hostname. YURLs are retrieved using a TLS session whose public key must match the key embedded in the URL. Connections that do not use the specified public key must be blocked without giving the user an opportunity to proceed insecurely. A browser that supports YURLs would not consider two documents to be in the same origin if their public keys did not match. YURLs are not vulnerable to library import or data export attacks because the URLs used for import or export specify the public key for the intended source of the library or recipient of the data [8]. In particular, the public key remains unchanged when a relative URL is resolved to an absolute URL.

Destroy. Another approach to securing finer-grained origins is to destroy contaminated origins. The browser can eliminate an origin by refusing to display or execute any of its content. In some cases, the browser can revoke the privilege from the entire origin if the browser displays a document that would not be granted the privilege.

ForceHTTPS. When an origin enables ForceHTTPS [5], the browser refuses to ignore certificate errors for that origin and refuses to import non-HTTPS libraries into that origin's documents. ForceHTTPS protects an origin from being contaminated by insecure content by preventing that content from entering the browser.

SafeLock. When a document imports a non-HTTPS library, the browser should revoke the privilege to display a lock icon from all documents in the same origin as the contaminated document, preventing the non-HTTPS content from displaying a lock icon. We have implemented this behavior as a 286-line extension to Firefox, which can be downloaded from our web site [6].

ForceCertificate. We collaborated with Mozilla to deploy a finer-grained origin in Firefox 2.0.0.15 that prevents unsigned documents from tampering with signed JARs [4]. The goal of this security policy is to ensure that a document signed with a particular public key certificate can be modified only by other documents signed with the same certificate. To prevent library import attacks, the browser blocks signed JARs from importing scripts that are unsigned or signed by another certificate.

5 Conclusion

Many current and proposed browser features extend the browser's security policy by granting additional privileges to documents. If designed incorrectly, these features interact poorly with the browser's existing security policy, resulting in unexpected privilege escalation. Most commonly, a privilege is granted to some, but not all, of the documents in an origin. The documents without this sub-origin privilege can often escalate their privileges by injecting script into documents in their origin that do possess the privilege. We describe a number of browser features that are affected by such origin contamination.

The most natural response to origin contamination is to refine the browser's scripting policy to prohibit documents that lack the privilege from scripting documents that have the privilege. The design of these finer-grained origins is complicated by the built-in browser facilities for explicit endorsement and declassification. These features can be exploited by an attacker to bypass the stricter scripting policy.

We suggest three approaches for addressing the limitations of finer-grained origins. In the embrace approach, the privilege is granted explicitly to entire origins. In the extend approach, URLs are extended with additional security information that is used to refine the browser's notion of origin and restrict which documents have the privilege. In the destroy approach, the browser refuses to interact with resources that lack the desired security property, preventing them from escalating their privileges.

Acknowledgments

We thank Dan Boneh, Tyler Close, Chris Karlof, John Mitchell, Ka-Ping Yee, and Boris Zbarsky for their helpful suggestions and feedback. This work is supported by grants from the National Science Foundation and the US Department of Homeland Security.

References

[1] Adam Barth, Collin Jackson, and John C. Mitchell. Securing frame communication in browsers. In Proceedings of the 17th USENIX Security Symposium, 2008.
[2] Tyler Close. Decentralized identification. http://www.waterken.com/dev/YURL/.
[3] Tyler Close. Petname tool. http://www.waterken.com/user/PetnameTool/.
[4] Mozilla Foundation. Signed JAR tampering, July 2008. http://www.mozilla.org/security/announce/2008/mfsa2008-23.html.
[5] Collin Jackson and Adam Barth. ForceHTTPS: Protecting high-security web sites from network attacks. In Proceedings of the 17th International World Wide Web Conference, 2008.
[6] Collin Jackson and Adam Barth. SafeLock: Preventing origin contamination by mixed content, 2008. http://crypto.stanford.edu/websec/safelock.
[7] Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and Dan Boneh. Protecting browsers from DNS rebinding attacks. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), November 2007.
[8] Chris Karlof, Umesh Shankar, J. D. Tygar, and David Wagner. Dynamic pharming attacks and locked same-origin policies for web browsers. In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), November 2007.
[9] Chris Masone, Kwang-Hyun Baek, and Sean Smith. WSKE: Web server key enabled cookies. In Proceedings of Usable Security 2007 (USEC '07).
[10] Martin O'Neal. Cookie path best practice. http://research.corsaire.com/whitepapers/040323-cookie-path-best-practice.pdf.
[11] Ka-Ping Yee and Kragen Sitaker. Passpet: Convenient password management and phishing protection. In Proceedings of the 2006 Symposium on Usable Privacy and Security (SOUPS).
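The two destroy behaviours of Section 4, ForceHTTPS refusing a non-HTTPS import and SafeLock revoking the lock icon for the whole origin, both act at the moment a document imports a library. The following is an added example, not the paper's SafeLock extension or any browser's code: it models the import hook over constructed origins and documents, with browser state reduced to a per-origin ForceHTTPS flag and a per-origin lock flag.

```javascript
// Added example (not from the paper): the "destroy" approach as an
// import-time hook. Origins, documents and library URLs are constructed.

function origin(doc) { return `${doc.scheme}://${doc.host}:${doc.port}`; }

// Minimal browser state: origins that opted into ForceHTTPS, and a
// per-origin record of whether the lock icon has been revoked.
function newBrowser() {
  return { forceHttps: new Set(), lockRevoked: new Set(), imported: [] };
}

// Called when `doc` imports the library at `libUrl`.
// ForceHTTPS: the origin opted in, so insecure content never enters the
//   browser; the import is refused outright.
// SafeLock: otherwise the import proceeds, but the lock privilege is
//   revoked for every document in the importing document's origin, not
//   just the document that imported the library.
function importLibrary(browser, doc, libUrl) {
  const o = origin(doc);
  const insecure = !libUrl.startsWith('https://');
  if (insecure && browser.forceHttps.has(o)) {
    return { loaded: false, reason: 'ForceHTTPS: non-HTTPS import refused' };
  }
  if (insecure) browser.lockRevoked.add(o);
  browser.imported.push(libUrl);
  return { loaded: true, reason: insecure ? 'SafeLock: lock revoked for origin' : 'ok' };
}

// Whether `doc` may show the lock icon. The decision is per origin: a
// clean document loses the lock when a same-origin document imported
// plain-HTTP script, because that script could reach it anyway.
function mayShowLock(browser, doc) {
  return doc.scheme === 'https' && !browser.lockRevoked.has(origin(doc));
}
```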