Uploads Contact
/
Login Upload
Beware of FinerGrained Origins Collin Jackson Stanford University collinjcs Beware of FinerGrained Origins Collin Jackson Stanford University collinjcs

Beware of FinerGrained Origins Collin Jackson Stanford University collinjcs - PDF document

giovanna-bartolotta
giovanna-bartolotta . @giovanna-bartolotta
Follow
483 views
Uploaded On 2015-02-23
About Share Download

Beware of FinerGrained Origins Collin Jackson Stanford University collinjcs - PPT Presentation

stanfordedu Adam Barth Stanford University abarthcsstanfordedu Abstract The security policy of browsers provides no isolation be tween documents from the same origin scheme host and port even if those documents have different security char acteristic ID: 38430

stanfordedu Adam Barth Stanford University

Share:

Link:

Embed:

Download Presentation from below link

Download Pdf The PPT/PDF document "Beware of FinerGrained Origins Collin Ja..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Presentation Transcript

Circumventedby Feature Sub-OriginPrivilege ContaminatedOrigin LibraryImport DataExport CookiePaths ReadCookie X WSKE ReadCookie X X X MixedContent ShowLock X N/A CerticateErrors(IE7) ShowLock X X X ExtendedValidation ShowOrganization X X X PetnameToolbar ShowPetname X X X Passpet ObtainPassword X X X SignedJARs InstallSoftware X X N/A LockedSOP ReadCookie X X IP-basedOrigins NetworkRequests X X Table1.Undesirableinteractionsbetweenbrowserfeaturesapproachharmonizesthenewsecurityfeaturewiththecurrentbrowsersecuritypolicy.2.Extend.ExtendURLstocontaintherelevantsecu-rityinformationandrenethebrowser'snotionofanorigintodistinguishURLsbasedonthisinformation.Thisapproachletsauthorsspecifytherelevantsecu-rityinformationwhenimportinglibrariesandexport-ingdata.3.Destroy.Preventthebrowserfromrenderingdocu-mentsthatwouldnotbegrantedtheprivilege.Thisap-proachpreventsdocumentsthatlacktheprivilegefromobtainingtheprivilegebecausethebrowseractsasifthosedocumentsdidnotexist.Organization.Therestofthispaperisorganizedasfol-lows.InSection2,weprovideexamplesoforigincontami-nation.InSection3,wedescribeexistingner-grainedori-ginproposalsandshowtheirlibraryimportanddataexportinteractions.InSection4,weshowhowtheseattackscanbeprevented.Section5concludes.2OriginContaminationTherearenumerousbrowsersecurityfeaturesthatgrantprivilegestoasubsetofdocumentsinanorigin.Manyofthesefeaturesfailtoaccountforthebrowser'sscriptingpol-icyandcontainthesamepoorinteraction:adocumentthatlackstheprivilegecanescalateitsprivilegesbyinjectingscriptintoadocumentthathastheprivilege.CookiePaths.Oneclassicexampleofasub-originprivilegeistheabilitytoreadcookieswith“path”at-tributes.Inordertoreadsuchacookie,thepathofthedocument'sURLmustextendthepathofthecookie.However,theabilitytoreadthesecookiesleakstoalldocumentsintheoriginbecauseasame-origindoc-umentcaninjectscriptintoadocumentwiththeap-propriatepath(evena404“notfound”document)andreadthecookies.This“vulnerability”hasbeenknownforanumberofyears[10].Thisvulnerabilitywas“xed”bydeclaringthepathattributetobeaconve-niencefeatureratherthanasecurityfeature.WebServerKey-EnabledCookies.Amodernex-ampleofthesamephenomenonisWebServerKey-Enabled(WSKE)cookies[9].AWSKEcookiecanbereadonlybydocumentsretrievedoveranHTTPSses-sionthatusesthesamepublickeyasthesessionthatstoredthecookie.Thissub-originprivilege,theabilitytoreadaWSKEcookieforaspecickey,hasthesamevulnerabilityasthepathattribute.Adocumentfromthesameorigin(butretrievedusingadifferentkey)caninjectscriptintoadocumentwiththeappropriatekeyandreadthecookie[8].MixedContent.BrowserstypicallyindicatewhetheranHTTPSdocumentimportsscriptlibrariesoverHTTP.ThesescriptslacktheprotectionaffordedbyHTTPSandcanbereplacedbyanactivenetworkat-tacker.Browsers,however,failtoindicatethatotherdocumentsinthesameoriginarecontaminatedbymixedcontent,asshowninFigure1.OnceanHTTPSdocumenthasimportedamaliciousscript,thescriptcancaninjectmaliciousscriptsintoeveryreachable1documentinthesameorigin,includingthosecurrentlydisplayingalockicon.Thus,adocumentwithouttheprivilegetoshowalockiconcanobtainthatprivilegeduetoorigincontamination.CerticateErrors.InInternetExplorer7,documentsobtainedfromHTTPSconnectionswithcerticateer-rorsaredisplayedwitharedaddressbarandthetext 1AnattackercanreachadocumenteitherviaaJavaScriptpointerorbydesignatingthedocument'swindowbyname.2 Figure2.ExtendedValidationorigincontamination.Anactivenetworkattackercontaminatesthebank'sorigin.Whentheuservisitstherealbank,andtheattackerinjectsscriptintothebank'sdocumentwithoutdisturbingtheExtendedValidationindicator. owncontrol,butthebrowserresolvestheseURLsrelativetotheURLofthecurrentdocument.Iftheattackerhasal-teredtheURLofthedocument,forexamplebynamingtheservercontainingthedocumentevil.com,relativeURLsareresolvedtoanabsoluteURLsunderthecontroloftheattacker.LockedSame-OriginPolicy.Thelockedsame-originpolicy[8]augmentsWSKE[9]byreningoriginsforHTTPSdocumentstoincludetheserver'spublickey.Thegoalofthispolicyistopreventapharmingat-tacker(whocontrolsDNSandcantricktheuserintoclickingthroughcerticatewarnings)fromreadingtheSecurecookiesfromalegitimateHTTPSsession.Ifthelegitimatedocumentimportsalibrary,apharmingattackercancircumventthelockedsame-originpolicyandreadtheforbiddenSecurecookies.Insteadofin-terposingontheloadingofthedocument,thepharmerwaitsforthedocumenttoimportalibraryandthensuppliesamaliciousresponse.Themaliciouslibraryisexecutedwiththedocument'sprivilegesandcanreadtheSecurecookies.IP-basedOrigins.TheHTML5specicationpro-posesthatbrowsersreneoriginstoincludeIPad-dressesinordertopreventDNSrebindingattacks[7],preventingtheattacker'sscriptfromaccesssingcon-tenthostatthetarget'sIPaddress.InaDNSrebindingattack,theattacker'sDNSserverpointsevil.comtoboththeattacker'sserverandthevictim'sserver.Ifadocumenthostedbythevictimserverusesarela-tivepathtoimportalibrary,thebrowserwillresolvethepathrelativetoevil.com.Whenthebrowserre-trievesthelibrary,theattackercanrebindevil.comtotheattacker'sserver,replywithamaliciouslibrary,andrunscriptintheoriginforthevictim'sIPaddress,circumventingtheIP-basedrestrictions.Passpet.Passpet[11]isanextensionofthePetnameToolbarthatgeneratespasswordsbasedpetnames.Whentheuserclicksonhisorher“pet,”Passpetin-jectsthegeneratedpasswordintothesite'spasswordeld.Thegoalofthisfeatureistopreventphishingattacksbytraininguserstoclicktheirpetratherthanenteringpasswordsintowebpages.Iftheuseriswill-ingtoacceptacommonnamemismatch(andthebankexportsdatatoarelativeURL),aphishingattackercanstealtheuser'sbankpassword(seeFigure4):1.Whentheuservisitshttps://evil.com/,theattackerforwardseachpacketoftheHTTPSsessiontobank.com.2.IftheuserclicksthroughtheHTTPSwarningdi-alogbox,thebrowserestablishesaTLSsessionwiththerealbank,whorespondswithaloginformthatsubmitstoarelativepath,/login.ThePasspetindicatorconsidersonlythecerti-cateandshowsthebank'spetname,eventhoughthelocationbarreadshttps://evil.com.3.Theuserclickshisorherpettologin.Basedonthecerticate,Passpetinjectstheuser'sbankpasswordintothepasswordeld.4 Figure3.SignedJARorigincontamination.ThisYahoo!ImageSearchdocumentcontainsaframetoevil.com,whichishostingaJARsignedbyYahoo!.Clicking“Allow”letstheattackerinstallsoftwareontheuser'smachine.IftheuserhadpreviouslygrantedYahoo!thisprivilege,andchecked“Remembermydecision,”thebrowserwouldlettheattackerinstallsoftwarewithoutprompting. 4.Whentheusersubmitstheloginform,theat-tackerceasestoforwardthesessionandestab-lishesanewTLSsessiondirectlywiththeuser,presentingavalidcerticateforevil.com.5.ThebrowseracceptsthisTLSsessionasvalidandsendsthepasswordtotheattacker,whocannowloginastheuserattherealbanksite.Anattackercanalsousethistechniquetostealpass-wordsfromusersofthePetnameToolbariftheuserenterstheirpasswordbasedonthedisplayedpetname,asinstructedbythedocumentation[3].4SolutionsDesignersofnewbrowserfeaturesmustconsiderboththeimplicitandexplicittrustrelationsbetweendocuments.Weproposethreeapproachestoimprovingthebrowser'sse-curitypolicythatinteractsecurelywiththebrowser'sscript-ingpolicyandthebrowser'sarchitectureforimportingli-brariesandexportingdata.Embrace.Thesimplestapproachtodesigningnewprivi-legesistoembracethecurrentscriptingpolicyandexplic-itlygranttheprivilegeeithertoall,ortonone,ofthedocu-mentsinanorigin.Thisisthemostcommonapproachandisusedbythevastmajorityofnewbrowserfeatures.FrameNavigation.Theframenavigationpolicyin-cludedinInternetExplorer6,Firefox2,andOpera9grantsnavigationprivilegestodocumentsbasedontheirlocationintheframehierarchy.Themod-ernframenavigationpolicy,adoptedinInternetEx-plorer7,Firefox3,andSafari3[1],explicitlypropa-gatesnavigationprivilegesbasedonorigin.Thispol-icyismoreconvenientforwebdevelopersbecauseitislessrestrictive,butisnolesssecurebecauseanattackercouldalwayshaveinjectedscriptsintotheappropriatedocumentstoachievethesameresults.PhishingFilters.ThephishingltersincludedinIn-ternetExplorerandFirefoxconsideranorigintocon-taineitherentirelyphishingorentirelynon-phishingdocuments.Hadthedesignersofthephishinglterattemptedtoclassifyindividualdocuments,aphish-ingpagecouldhavesuppressedthephishingwarningbyinjectingscriptintoadocumentclassiedasnon-phishing.Thecurrentdesignavoidsthispitfallbyem-bracingorigincontamination.Extend.Finer-grainedoriginscanbemadesecurebyex-tendingURLstocontainenoughinformationtodesignateane-grainedoriginfully.ThispreventslibraryimportanddataexportvulnerabilitiesbecauseadocumentcanfullyspecifyitstrustrelationshipsusingURLs.5 Figure4.Passpetdataexport.Thephishingwebsiteforwardstrafcbetweentheuserandtherealbank,causingacommonnamemismatchwarning.Becausethebank'scerticatewasused,Passpetinjectstheuser'sbankpasswordintotheloginform.Whentheloginformissubmittedtoarelativepath,thebrowserestablishesavalidTLSsessionwiththeattackerandsendsthepassword. HTTPEV.TheExtendedValidationbehaviorde-scribedinSection2couldbeaddressedbycreatinganHTTPEVschemethatissimilartotheHTTPSscheme,exceptthatonlyExtendedValidationcer-ticatesarepermitted.AHTTPSdocumentwithadomain-validatedcerticatewouldbeunabletoscriptanHTTPEVdocumentbecausetheirschemeswouldnotmatch.Whenadocumentincludesalibrary,thedocument'sauthorcanuseHTTPEVtorequireanEVcerticate,preventingdomain-validatedcontentfrombeingdisplayedwithEVsecurityindicators.YURL.AYURL[2]isaURLthatincludesapublickeybeforeitshostname.YURLsareretrievedusingaTLSsessionwhosepublickeymustmatchthekeyembeddedintheURL.Connectionsthatdonotusethespeciedpublickeymustbeblockedwithoutgiv-ingtheuseranopportunitytoproceedinsecurely.AbrowserthatsupportsYURLswouldnotconsidertwodocumentstobeinthesameoriginiftheirpublickeysdidnotmatch.YURLsarenotvulnerabletolibraryimportordataexportattacksbecausetheURLsusedforimportorexportspecifythepublickeyforthein-tendedsourceofthelibraryorrecipientofthedata[8].Inparticular,thepublickeyremainsunchangedwhenarelativeURLisresolvedtoanabsoluteURL.Destroy.Anotherapproachtosecuringner-grainedori-ginsistodestroycontaminatedorigins.Thebrowsercaneliminateanoriginbyrefusingtodisplayorexecuteanyofitscontent.Insomecases,thebrowsercanrevokethepriv-ilegefromtheentireoriginifthebrowserdisplaysadocu-mentthatwouldnotbegrantedtheprivilege.ForceHTTPS.WhenanoriginenablesForce-HTTPS[5],thebrowserrefusestoignorecerticateerrorsforthatoriginandrefusestoimportnon-HTTPSlibrariesintothatorigin'sdocuments.ForceHTTPSprotectsanoriginfrombeingcontaminatedbyinse-curecontentbypreventingthatcontentfromenteringthebrowser.SafeLock.Whenadocumentimportsanon-HTTPSlibrary,thebrowsershouldrevoketheprivilegetodisplayalockiconfromalldocumentsinthesameoriginasthecontaminateddocument,preventingthenon-HTTPScontentfromdisplayingalockicon.Wehaveimplementedthisbehaviorasa286-lineexten-siontoFirefox,whichcanbedownloadedfromourwebsite[6].ForceCerticate.WecollaboratedwithMozillatode-ployaner-grainedorigininFirefox2.0.0.15thatpre-ventunsigneddocumentsfromtamperingwithsignedJARs[4].Thegoalofthissecuritypolicyistoen-surethatadocumentsignedwithaparticularpublickeycerticatecanbemodiedonlybothotherdoc-umentssignedwiththesamecerticate.Topreventlibraryimportattacks,thebrowserblockssignedJARsfromimportingscriptsthatareunsignedorsignedbyanothercerticate.6 5ConclusionManycurrentandproposedbrowserfeaturesextendthebrowser'ssecuritypolicybygrantingadditionalprivilegestodocuments.Ifdesignedincorrectly,thesefeaturesinter-actpoorlywiththebrowser'sexistingsecuritypolicy,re-sultingintheunexpectedprivilegeescalation.Mostcom-monly,aprivilegeisgrantedtosome,butnotall,ofthedocumentsinaorigin.Thedocumentswithoutthissub-originprivilegecanoftenescalatetheirprivilegesbyinject-ingscriptintodocumentsintheiroriginthatdopossesstheprivilege.Wedescribeanumberofbrowserfeaturesthatareaffectedbysuchorigincontamination.Themostnaturalresponsetoorigincontaminationistorenethebrowser'sscriptingpolicytoprohibitdocumentsthatlacktheprivilegefromscriptingdocumentsthathavetheprivilege.Thedesignofthesener-grainedoriginsiscomplicatedbythebuilt-inbrowserfacilitiesforexplicitendorsementanddeclassication.Thesefeaturescanbeex-ploitedbyanattackertobypassthestricterscriptingpolicy.Wesuggestthreeapproachesforaddressingthelimita-tionsofner-grainedorigins.Intheembraceapproach,theprivilegeisgrantedexplicitlytoentireorigins.Intheex-tendapproach,URLsareextendedwithadditionalsecurityinformationthatisusedtorenethebrowser'snotionoforiginandrestrictwhichdocumentshavetheprivilege.Inthedestroyapproach,thebrowserrefusestointeractwithresourcesthatlackthedesiredsecurityproperty,preventingthemfromescalatingtheirprivileges.AcknowledgmentsWethankDanBoneh,TylerClose,ChrisKarloff,JohnMitchell,Ka-PingYee,andBorisZbarskyfortheirhelpfulsuggestionsandfeedback.ThisworkissupportedbygrantsfromtheNationalScienceFoundationandtheUSDepart-mentofHomelandSecurity.References[1]AdamBarth,CollinJackson,andJohnC.Mitchell.Securingframecommunicationinbrowsers.InPro-ceedingsofthe17thUSENIXSecuritySymposium,2008.[2]TylerClose.Decentralizedidentication.http://www.waterken.com/dev/YURL/.[3]TylerClose.Petnametool.http://www.waterken.com/user/PetnameTool/.[4]MozillaFoundation.SignedJARtampering,July2008.http://www.mozilla.org/security/announce/2008/mfsa2008-23.html.[5]CollinJacksonandAdamBarth.ForceHTTPS:Pro-tectinghigh-securitywebsitesfromnetworkattacks.InProceedingsofthe17thInternationalWorldWideWebConference,2008.[6]CollinJacksonandAdamBarth.SafeLock:Preventingorigincontaminationbymixedcon-tent,2008.http://crypto.stanford.edu/websec/safelock.[7]CollinJackson,AdamBarth,AndrewBortz,WeidongShao,andDanBoneh.ProtectingbrowsersfromDNSrebindingattacks.InProceedingsofthe14thACMConferenceonComputerandCommunicationsSecu-rity(CCS2007),November2007.[8]ChrisKarlof,UmeshShankar,J.D.Tygar,andDavidWagner.Dynamicpharmingattacksandlockedsame-originpoliciesforwebbrowsers.InProceedingsofthe14thACMConferenceonComputerandCommu-nicationsSecurity(CCS2007),November2007.[9]ChrisMasone,Kwang-HyunBaek,andSeanSmith.Wske:Webserverkeyenabledcookies.InProceed-ingsofUsableSecurity2007(USEC'07).[10]MartinO'Neal.Cookiepathbestpractice.http://research.corsaire.com/whitepapers/040323-cookie-path-best-practi%ce.pdf.[11]Ka-PingYeeandKragenSitaker.Passpet:Conve-nientpasswordmanagementandphishingprotection.InProceedingsofthe2006SymposiumonUsablePri-vacyandSecurity(SOUPS).7

Related Contents


Beware of FinerGrained Origins Collin Jackson Stanford
Beware of FinerGrained Origins Collin Jackson Stanford PDF document
402 views
An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal Elie Bursztein
An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal Elie Bursztein PDF document
583 views
The Security Architecture of the Chromium Browser Adam Barth UC Berkeley Collin Jackson
The Security Architecture of the Chromium Browser Adam Barth UC Berkeley Collin Jackson PDF document
532 views
Protecting Browsers from DNS Rebinding Attacks Collin
Protecting Browsers from DNS Rebinding Attacks Collin PDF document
462 views
How Slow is the Means Method David Arthur Stanford University Stanford CA darthu
How Slow is the Means Method David Arthur Stanford University Stanford CA darthu PDF document
538 views
Stanford Tech Report CTSR Digital Video Stabilization and Rolling Shutter Correction
Stanford Tech Report CTSR Digital Video Stabilization and Rolling Shutter Correction PDF document
655 views
Depth Discontinuities by PixeltoPixel Stereo Stan Bircheld Carlo Tomasi Department of
Depth Discontinuities by PixeltoPixel Stereo Stan Bircheld Carlo Tomasi Department of PDF document
680 views
Steering User Behavior with Badges Ashton Anderson Daniel Huttenlocher Jon Kleinberg Jure
Steering User Behavior with Badges Ashton Anderson Daniel Huttenlocher Jon Kleinberg Jure PDF document
614 views
Patterns of Temporal Variation in Online Media Jaewon Yang Stanford University crucisstanford
Patterns of Temporal Variation in Online Media Jaewon Yang Stanford University crucisstanford PDF document
452 views
Patterns of Temporal Variation in Online Media Jaewon Yang Stanford University crucisstanford
Patterns of Temporal Variation in Online Media Jaewon Yang Stanford University crucisstanford PDF document
522 views
Scalable KMeans Bahman Bahmani Stanford University Stanford CA bahmanstanford
Scalable KMeans Bahman Bahmani Stanford University Stanford CA bahmanstanford PDF document
549 views
The InformationForm Data Association Filter Brad Schumitsch Sebastian Thrun Gary Bradski
The InformationForm Data Association Filter Brad Schumitsch Sebastian Thrun Gary Bradski PDF document
588 views
Next Show more