Protecting Browsers from DNS Rebinding Attacks Collin - PDF document

Figure1:FirewallCircumventionUsingRebindingPinningisnolongeraneectivedefenseagainstDNSre-bindingattacksincurrentbrowsersbecauseofvulnerabil-itiesintroducedbyplug-ins.Theseplug-insprovideaddi-tionalfunctionality,includingsocket-levelnetworkaccess,towebpages.Thebrowserandeachplug-inmaintainsep-aratepindatabases,creatinganewclassofvulnerabilitieswecallmulti-pinvulnerabilitiesthatpermitanattackertomountDNSrebindingattacks.Wedemonstrate,forexam-ple,howtoexploittheinteractionbetweenthebrowserandJavaLiveConnecttopinthebrowsertooneIPaddresswhilepinningJavatoanotherIPaddress,permittingtheattackertoreadandwritedatadirectlyonsocketstoahostandportoftheattacker'schoicedespitestrongpinningbyeachcomponent.Ourexperimentsshowhowanattackercanexploitmulti-pinvulnerabilitiestocheaplyandecientlyassembleatem-porary,large-scalebotnetwork.Ourndingssuggestthatnearly90%ofwebbrowsersarevulnerabletorebindingat-tacksthatonlyrequireafewhundredsofmillisecondstoconduct(seeTable1).Theseattacksdonotrequireuserstoclickonanymaliciouslinks:usersneedonlyviewanat-tacker'swebadvertisement.Byspendinglessthan$100onadvertising,anattackercanhijack100;000uniqueIPad-dresstosendspam,commitclickfraud,orotherwisemisuseasopennetworkproxies.ThebulkofourworkfocusesondesigningrobustdefensestoDNSrebindingattacksthatprotectcurrentandfuturebrowsersandplug-ins:1.Tocombatrewallcircumvention,werecommendor-ganizationsdeployDNSresolversthatpreventexternalnamesfromresolvingtointernaladdresses.Wepro-videanopen-sourceimplementationofsucharesolverin300linesofCcalleddnswall[15].2.ForFlashPlayer,Java,andLiveConnect,wesuggestspecic,easy-to-deploypatchestopreventmulti-pinvulnerabilities,mitigatinglarge-scaleexploitationofDNSrebindingforrewallcircumventionandIPhi-jacking. Technology AttackTime LiveConnect(JVMloaded) 47:810:3ms FlashPlayer9 1925:7ms InternetExplorer6(noplug-ins) 1000ms InternetExplorer7(noplug-ins) 1000ms Firefox1.5and2(noplug-ins) 1000ms Safari2(noplug-ins) 1000ms LiveConnect 129437ms Opera9(noplug-ins) 4000ms Table1:TimeRequiredforDNSRebindingAttackbyTechnology(95%Condence)3.WeproposetwooptionsforprotectingbrowsersfromDNSrebinding:smarterpinningthatprovidesbettersecurityandrobustness,andabackwards-compatibleuseoftheDNSsystemthatxesrebindingvulnerabil-itiesattheirroot(whichweimplementedasa72-linepatchtoFirefox2).Theremainderofthepaperisorganizedasfollows.Sec-tion2describesexistingbrowserpolicyfornetworkaccess.Section3detailsDNSrebindingvulnerabilities,includingstandardDNSrebindingandcurrentmulti-pinvulnerabili-ties.Section4explainstwoclassesofattacksthatusethesevulnerabilities,rewallcircumventionandIPhijacking,andcontainsourexperimentalresults.Section5proposesde-fensesagainstbothclassesofattacks.Section6describesrelatedwork.Section7concludes.2.NETWORKACCESSINTHEBROWSERTodisplaywebpages,browsersareinstructedtomakenetworkrequestsbystaticcontentsuchasHTMLandbyactivecontentsuchasJavaScript,FlashPlayer,Java,andCSS.Browsersrestrictthisnetworkaccessinordertotopre-ventwebsitesfrommakingmaliciousnetworkconnections.Thesame-originpolicyprovidespartialresourceisolationbyrestrictingaccessaccordingtoorigin,specifyingwhencontentfromoneorigincanaccessaresourceinanotherori-gin.ThepolicyappliestobothnetworkaccessandbrowserstatesuchastheDocumentObjectModel(DOM)interface,cookies,cache,history,andthepassworddatabase[20].Theattacksdescribedinthispapercircumventthesameorigin-policyfornetworkaccess.AccessWithinSameOrigin.Withinthesameorigin,bothcontentandbrowserscriptscanreadandwritenet-workresourcesusingtheHTTPprotocol.Plug-ins,suchasFlashPlayerandJava,canaccessnetworksocketsdirectly,allowingthemtomakeTCPconnectionsand,insomecases,sendandreceiveUDPpacketsaswell.Javadoesnotrestrictaccessbasedonportnumber,butFlashPlayerpermitsac-cesstoportnumberslessthan1024onlyifthemachineauthorizestheconnectioninanXMLpolicyservedfromaportnumberlessthan1024.AccessBetweenDierentOrigins.Ingeneral,con-tentfromoneorigincanmakeHTTPrequeststoserversinanotherorigin,butitcannotreadresponses,eectivelyrestrictingaccessto\send-only."FlashPlayerpermitsitsmoviestoreadbackHTTPresponsesfromdierentorigins,providedtheremoteserverrespondswithanXMLpolicyauthorizingthemovie'sorigin.FlashPlayeralsopermits readingandwritingdataonTCPconnectionstoarbitraryportnumbers,againprovidedtheremoteserverrespondswithasuitableXMLpolicyonanappropriateport.Byconvention,certaintypesofwebcontentareassumedtobepubliclibraries,suchasJavaScript,CSS,Javaap-plets,andSWFmovies.Theselesmaybeincludedacrossdomains.Forexample,oneorigincanincludeaCSSlefromanotheroriginandreaditstext.Scriptscanalsoreadcertainpropertiesofotherobjectsloadedacrossdomains,suchastheheightandwidthofanimage.ProhibitedAccess.Sometypesofnetworkaccessarepro-hibitedevenwithinthesameorigin.InternetExplorer7blocksportnumbers19(chargen),21(FTP),25(SMTP),110(POP3),119(NNTP),and143(IMAP),Firefox2blocksthoseplus51additionalportnumbers,butSafari2doesnotblockanyports.Someoftheseportrestrictionsaredesignedtopreventmaliciouswebsiteoperatorsfromleveragingvis-itingbrowserstolaunchdistributeddenialofserviceortosendspame-mail,whereasotherspreventuniversalcross-sitescriptingviatheHTMLFormProtocolAttack[41].OriginDenition.Dierentdenitionsof\origin"areusedbydierentpartsofthebrowser.Fornetworkaccess,browsersenforcethesame-originpolicy[38]basedonthreecomponentsoftheUniformResourceLocator(URL)fromwhichitobtainedthecontent.AtypicalURLiscomposedofthebelowcomponents:scheme://hostname:port/pathCurrentbrowserstreattwoobjectsasbelongingtothesameoriginif,andonlyif,theirURLscontainthesamescheme,hostname,andportnumber(e.g.,http://amazon.com/isadierentoriginthanhttp://amazon.co.uk/,eventhoughthetwodomainsareownedbythesamecompany).OtherresourcesusefewercomponentsoftheURL.Forexample,cookiesuseonlythehostname.ObjectsontheInternet,however,arenotaccessedbyhostname.Toconnecttoaserver,thebrowsermustrsttrans-lateahostnameintoanIPaddressandthenopenasockettothatIPaddress.IfonehostnameresolvestomultipleIPaddressesownedbymultipleentities,thebrowserwilltreatthemasiftheywerethesameorigineventhoughtheyare,fromanownershippoint-of-view,dierent.3.DNSREBINDINGVULNERABILITIESThenetworkaccesspolicyinwebbrowsersisbasedonhostnames,whichareboundbytheDomainNameSys-tem(DNS)toIPaddresses.AnattackermountingaDNSrebindingattackattemptstosubvertthissecuritypolicybybindinghisorherhostnametoboththeattackandtargetserver'sIPaddresses.3.1StandardRebindingVulnerabilitiesAstandardrebindingattackusesasinglebrowsertech-nology(e.g.JavaScript,Java,orFlashPlayer)toconnecttomultipleIPaddresseswiththesamehostname.MultipleARecords.WhenaclientresolvesahostnameusingDNS,theauthoritativeservercanrespondwithmul-tipleArecordsindicatingtheIPaddressesofthehost.TherstattackusingDNSrebinding[8]in1996leveragedthispropertytoconfusethesecuritypolicyoftheJavaVirtualMachine(JVM):1.Aclientvisitsamaliciouswebsite,attacker.com,con-tainingaJavaapplet.Theattacker'sDNSserverbindsattacker.comtotwoIPaddresses:theattacker'swebserverandthetarget'swebserver.2.Theclientexecutestheattacker'sapplet,whichopensasockettothetarget.TheJVMpermitsthisconnec-tion,becausethetarget'sIPaddressiscontainedintheDNSrecordforattacker.com.CurrentversionsoftheJVMarenotvulnerabletothisat-tackbecausetheJavasecuritypolicyhasbeenchanged.Ap-pletsarenowrestrictedtoconnectingtotheIPaddressfromwhichtheywereloaded.(CurrentattacksonJavaarede-scribedinSection3.2.)IntheJavaScriptversionofthisattack,theattackersendssomeJavaScripttothebrowserthatinstructsthebrowsertoconnectbacktoattacker.com.Theattacker'sserverrefusesthissecondTCPconnection,forcingthebrowsertoswitchovertothevictimIPaddress[21].ByusingaRSTpackettorefusetheconnection,theattackercancausesomebrowserstoswitchtothenewIPaddressafteronesecond.SubsequentXMLHttpRequestsissuedbytheattacker'scodewillconnecttothenewIPaddress.Time-VaryingDNS.In2001,theoriginalattackonJavawasextended[36]touseusetime-varyingDNS:1.Aclientvisitsamaliciouswebsite,attacker.com,containingJavaScript.Theattacker'sDNSserverisconguredtobindattacker.comtotheattacker'sIPaddresswithaveryshortTTL.2.Theattackerrebindsattacker.comtothetarget'sIPaddress.3.ThemaliciousscriptusesframesorXMLHttpRequesttoconnecttoattacker.com,whichnowresolvestotheIPaddressofthetarget'sserver.BecausetheconnectioninStep3hasthesamehostnameastheoriginalmaliciousscript,thebrowserpermitstheat-tackertoreadtheresponsefromthetarget.PinninginCurrentBrowsers.Currentbrowsersdefendagainstthestandardrebindingattackby\pinning"hostnamestoIPaddress,preventinghostnamesfromreferringtomultipleIPaddresses.InternetExplorer7pinsDNSbindingsfor30minutes.1Unfortunately,iftheattacker'sdomainhasmultipleArecordsandthecurrentserverbecomesunavailable,thebrowserwilltryadierentIPaddresswithinonesecond.InternetExplorer6alsopinsDNSbindingsfor30min-utes,butanattackercancausethebrowsertoreleaseitspinafteronesecondbyforcingaconnectiontothecurrentIPaddresstofail,forexamplebyincludingtheelement&#ximg-;剐src="http://attacker.com:81/". 1ThedurationissetbytheregistrykeysDnsCacheTimeoutandServerInfoTimeOutinHKEY CURRENT USERnSOFTWAREnMicrosoftWindowsnCurrentVersionnInternetSettings 4.ATTACKSUSINGDNSREBINDINGAnattackercanexploittheDNSrebindingvulnerabilitiesdescribedinSection3tomountanumberofattacks.Forsomeoftheseattacks,theattackerrequiresthedirectsocketaccessaordedbyDNSrebindingwithFlashPlayerandJava,whereasothersrequireonlytheabilitytoreadHTTPresponsesfromthetarget.Theattacksfallintotwobroadcategories,accordingtotheattacker'sgoal:FirewallCircumvention.TheattackercanuseDNSre-bindingtoaccessmachinesbehindrewallsthatheorshecannotaccessdirectly.Withdirectsocketaccess,theattackercaninteractwithanumberofinternalservicesbesidesHTTP.IPHijacking.TheattackercanalsouseDNSrebindingtoaccesspubliclyavailableserversfromtheclient'sIPaddress.Thisallowstheattackertotakeadvantageofthetarget'simplicitorexplicittrustintheclient'sIPaddress.Tomounttheseattacks,theattackermustrstinducetheclienttoloadsomeactivecontent.ThiscanbedonebyavarietyoftechniquesdiscussedinSection4.4.Onceloadedontotheclient'smachine,theattacker'scodecancommuni-catewithanymachinereachablebytheclient.4.1FirewallCircumventionArewallrestrictstracbetweencomputernetworksindierentzonesoftrust.SomeexamplesincludeblockingconnectionsfromthepublicInternettointernalmachinesandmediatingconnectionsfrominternalmachinestoInter-netserverswithapplication-levelproxies.Firewallcircum-ventionattacksbypasstheprohibitiononinboundconnec-tions,allowingtheattackertoconnecttointernalserverswhiletheuserisvisitingtheattacker'sInternetwebpage(seeFigure1).SpideringtheIntranet.TheattackerneednotspecifythetargetmachinebyIPaddress.Instead,theattackercanguesstheinternalhostnameofthetarget,forexamplehr.corp.company.com,andrebindattacker.comtoaCNAMErecordpointingtothathostname.Theclient'sownrecur-siveDNSresolverwillcompletetheresolutionandreturntheIPaddressofthetarget.Intranethostnamesareoftenguessableandoccasionallydisclosedpublicly[30,9].ThistechniqueobviatestheneedfortheattackertoscanIPad-dressestondaninterestingtargetbutdoesnotworkwiththemultipleArecordtechniquedescribedinSection3.1.Havingfoundamachineontheintranet,theattackercanconnecttothemachineoverHTTPandrequesttherootdocument.IftheserverrespondswithanHTMLpage,theattackercanfollowlinksandsearchformsonthatpage,eventuallyspideringtheentireintranet.Webserversinsidecorporaterewallsoftenhostcondentialdocuments,rely-ingontherewalltopreventuntrustedusersfromaccessingthedocuments.UsingaDNSrebindingattack,theattackercanleveragetheclient'sbrowsertoreadthesedocumentsandexltratethemtotheattacker,forexamplebysubmit-tinganHTMLformtotheattacker'swebserver.CompromisingUnpatchedMachines.Networkadmin-istratorsoftendonotpatchinternalmachinesasquicklyasInternet-facingmachinesbecausethepatchingprocessistime-consumingandexpensive.Theattackercanattempttoexploitknownvulnerabilitiesinmachinesontheinternalnetwork.Inparticular,theattackercanattempttoexploittheclientmachineitself.Theattacksagainsttheclientit-selforiginatefromlocalhostandsobypasssoftwarere-wallsandothersecuritychecks,includingmanydesignedtoprotectseriousvulnerabilities.Ifanexploitsucceeds,theattackercanestablishapresencewithintherewallthatpersistsevenafterclientsclosetheirbrowsers.AbusingInternalOpenServices.Internalnetworkscontainmanyopenservicesintendedforinternaluseonly.Forexample,networkprintersoftenacceptprintjobsfrominternalmachineswithoutadditionalauthentication.Theattackercanusedirectsocketaccesstocommandnetworkprinterstoexhausttheirtonerandpapersupplies.Similarly,usersinsiderewallsoftenfeelcomfortablecre-atinglesharesorFTPserversaccessibletoanonymoususersundertheassumptionthattheserverswillbeavail-ableonlytoclientswithinthenetwork.Withtheabilitytoreadandwritearbitrarysockets,theattackercanexltratetheshareddocumentsandusetheseserverstostoreillicitinformationforlaterretrieval.Consumerroutersareofteninstalledwithoutchangingthedefaultpassword,makingthemanattractivetargetforre-congurationattacksbywebpages[40].Firmwarepatcheshaveattemptedtosecureroutersagainstcross-sitescriptingandcross-siterequestforgery,inaneorttopreventrecon-gurationattacks.DNSrebindingattacksallowtheattackerdirectsocketaccesstotherouter,bypassingthesedefenses.4.2IPHijackingAttackerscanalsouseDNSrebindingattackstotargetmachinesonthepublicInternet.Fortheseattacks,theat-tackerisnotleveragingtheclient'smachinetoconnecttootherwiseinaccessibleservicesbutinsteadabusingtheim-plicitorexplicittrustpublicserviceshaveintheclient'sIPaddress.Oncetheattackerhashijackedaclient'sIPad-dress,thereareseveralattacksheorshecanperpetrate.CommittingClickFraud.Webpublishersareoftenpaidbywebadvertisersonaper-clickbasis.Fraudulentpublish-erscanincreasetheiradvertisingrevenuebygeneratingfakeclicks,andadvertiserscandraincompetitors'budgetsbyclickingontheiradvertisements.Theexactalgorithmsusedbyadvertisingnetworkstodetectthese\invalid"clicksareproprietary,buttheIPaddressinitiatingtheclickiswidelybelievedtobeanessentialinput.Infact,onecommonuseofbotnetworksistogenerateclicks[7].ClickfraudwouldappeartorequireonlytheabilitytosendHTTPrequeststotheadvertisingnetwork,butadver-tisersdefendagainstthesend-onlyattacks,permittedbythesame-originpolicy,byincludingauniquenoncewitheveryadvertisingimpression.Clickslackingthecorrectnoncearerejectedasinvalid,requiringtheattackertoreadthenoncefromanHTTPresponseinordertogenerateaclick.Thisattackishighlycost-eective,astheattackercanbuyadvertisingimpressions,whichcosttensofcentsperthousand,andconvertthemintoclicks,worthtensofcentseach.Theattackissucientlycost-eectivethattheat-tackerneednotconverteverypurchasedimpressionintoaclick.Instead,thefraudstercanusemostofthepurchasedimpressionstogeneratefakeimpressionsonthesite,main-tainingabelievableclick-throughrate. Werantherebindingexperimentonthe44;301(86:9%)impressionsthatreportedFlashPlayer9.Wedidnotat-tempttoexploitotherrebindingvulnerabilities(seeTa-ble2).Theexperimentwassuccessfulon30;636(60:1%)impressionsand27;480uniqueIPaddresses.Theattackwaslesssuccessfulonthe1;672impressionsservedtoMacOS,succeeding36:4%ofthetime,comparedtoasuccessrateof70:0%onthe49;535(97:2%)Windowsimpressions.4MacOSismoreresistanttothisrebindingattackduetosomecachingofDNSentriesdespitetheirzeroTTL.Foreachsuccessfulexperiment,wemeasuredhowlonganattackercouldhaveusedtheclient'snetworkaccessbyload-ingthetargetdocumentatexponentiallylongerintervals,asshowninFigure2.Themedianimpressiondurationwas32seconds,with25%oftheimpressionslastinglongerthan256seconds.Weobserved9impressionswithadurationofatleast36:4hours,25atleast18:2hours,and81atleast9:1hours.Inaggregate,weobtained100:3machine-daysofnet-workaccess.Theseobservationsareconsistentwiththoseof[24].Thelargenumberofattacksendingbetween4:2and8:5minutessuggeststhatthisisacommondurationoftimeforuserstospendonawebpage.Discussion.OurexperimentalresultsshowthatDNSre-bindingvulnerabilitiesarewidespreadandcost-eectivetoexploitonalargescale.Eachimpressioncosts$0:0005and54%oftheimpressionsconverttosuccessfulattacksfromuniqueIPaddresses.Tohijack100;000IPaddressesforatemporarybotnetwork,andattackerwouldneedtospendlessthan$100.Thistechniquecomparesfavorablytorent-ingatraditionalbotnetworkforsendingspame-mailandcommittingclickfraudfortworeasons.First,theseapplica-tionsrequirelargenumbersof\fresh"IPaddressforshortdurationsascompromisedmachinesarequicklyblacklisted.Second,whileestimatesoftherentalcostofbotnetworksvary[44,14,7],thistechniqueappearstobeatleastoneortwoordersofmagnitudelessexpensive.5.DEFENSESAGAINSTREBINDINGDefensesforDNSrebindingattackscanbeimplementedinbrowsers,plug-ins,DNSresolvers,rewalls,andservers.Thesedefensesrangeincomplexityofdevelopment,di-cultyofdeployment,andeectivenessagainstrewallcir-cumventionandIPhijacking.Inadditiontonecessarymit-igationsforFlashPlayer,JavaLiveConnect,andbrowsers,weproposethreelong-termdefenses.Toprotectagainstre-wallcircumvention,weproposeasolutionthatcanbede-ployedunilaterallybyorganizationsattheirnetworkbound-ary.Tofullydefendagainstrebindingattacks,weproposetwodefenses:onethatrequiressocket-levelnetworkaccessbeauthorizedexplicitlybythedestinationserverandan-otherworksevenifsocketsareallowedbydefault.5.1FixingFirewallCircumventionNetworkscanbeprotectedagainstrewallcircumventionbyforbiddingexternalhostnamesfromresolvingtointernalIPaddresses,eectivelypreventingtheattackerfromnam-ingthetargetserver.Withouttheabilitytonamethetar-get,theattackerisunabletoaggregatethetargetserverintoanoriginunderhisorhercontrol.Thesemaliciousbindings 4Wesucceededinopeningasocketwith2of11PlayStation3impressions(thosewithFlashPlayer9),butnoneofthe12NintendoWiiimpressionswerevulnerable.canbeblockedeitherbylteringpacketsattherewall[5]orbymodifyingtheDNSresolversusedbyclientsonthenetwork.Enterprise.Byblockingoutboundtraconport53,arewalladministratorforanorganizationcanforceallinternalmachines,includingHTTPproxiesandVPNclients,touseaDNSserverthatiscongurednottoresolveexternalnamestointernalIPaddresses.Toimplementthisapproach,wedevelopeda300lineCprogram,dnswall[15],thatrunsalongsideBINDandenforcesthispolicy.Consumer.Manyconsumerrewalls,suchasthoseproducedbyLinksys,alreadyexposeacachingDNSresolverandcanbeaugmentedwithdnswalltoblockDNSresponsesthatcontainprivateIPaddresses.Thevendorsofthesedeviceshaveanincentivetopatchtheirrewallsbecausetheserebindingattackscanbeusedtoreconguretheserouterstomountfurtherat-tacksontheirowners.Software.Softwarerewalls,suchastheWindowsFirewall,canalsopreventtheirowncircumventionbyblockingDNSresolutionsto127.*.*.*.Thistech-niquedoesnotdefendservicesboundtotheexternalnetworkinterfacebutdoesprotectsalargenumberofservicesthatbindonlytotheloopbackinterface.BlockingexternalnamesfromresolvingtointernaladdressespreventsrewallcircumventionbutdoesnotdefendagainstIPhijacking.AnattackercanstilluseinternalmachinestoattackservicesrunningonthepublicInternet.5.2FixingPlug-insPlug-insareaparticularsourceofcomplexityindefend-ingagainstDNSrebindingattacksbecausetheyenablesub-secondattacks,providesocket-levelnetworkaccess,andop-erateindependentlyfrombrowsers.Inordertopreventre-bindingattacks,theseplug-insmustbepatched.FlashPlayer.WhenaSWFmovieopensasockettoanewhostname,itrequestsapolicyoverthesockettode-terminewhetherthehostacceptssocketconnectionsfromtheoriginofthemovie.FlashPlayercouldxmostofitsrebindingvulnerabilitiesbyconsideringapolicyvalidforasocketconnectiononlyifitobtainedthepolicyfromthesameIPaddressinadditiontoitscurrentrequirementthatitobtainedthepolicyfromthesamehostname.Us-ingthisdesign,whenattacker.comisreboundtothetar-getIPaddress,FlashPlayerwillrefusetoopenasockettothataddressunlessthetargetprovidesapolicyauthorizingattacker.com.ThissimplerenementusesexistingFlashPlayerpolicydeploymentsandisbackwardscompatible,ashostnamesexpectingFlashPlayerconnectionsalreadyservepolicydocumentsfromalloftheirIPaddresses.SWFmoviescanalsoaccessportsnumbers1024ontheiroriginhostnamewithoutrequestingapolicy.Al-thoughthemajorityofservicesanattackercanprotablytarget(e.g.,SMTP,HTTP,HTTPS,SSH,FTP,NNTP)arehostedonlow-numberedports,otherservicessuchasMySQL,BitTorrent,IRC,andHTTPproxiesarevulnera-ble.Tofullyprotectagainstrebindingattacks,FlashPlayercouldrequestapolicybeforeopeningsocketstoanyport,evenbacktoitsorigin.However,thismodicationbreaks usedforembeddedcontent(e.g.,www.yahoo.comem-bedsimagesfromus.i1.yimg.com).WethenissuedDNSqueriesforthesehostsevery10minutesfor24hours,recordingtheIPaddressesreported.Inthisexperiment,58%reportedasingleIPaddressconsistentlyacrossallqueries.Notethatgeographicloadbalancingisnotcapturedinourdatabecauseweissuedourqueriesfromasinglemachine,mimickingthebehaviorofarealclient.Averagedoverthe42%ofhostsreportingmultipleIPaddresses,ifabrowserpinnedtoanIPaddressatrandom,theexpectedfrac-tionofIPaddressesavailableforrebindingunderclassCnetworkpinningis81:3%comparedwith16:4%un-derstrictIPaddresspinning,suggestingthatclassCpinningissignicantlymorerobusttoserverfailure.Otherheuristicsforpinwidtharepossible.Forexample,thebrowsercouldpreventrebindingbetweenpublicIPad-dressesandtheRFC1918[35]privateIPaddresses.Thisprovidesgreaterrobustnessforfail-oversacrossdatacentersandfordynamicDNS.LocalRodeo[22,45]isaFirefoxex-tensionthatimplementsRFC1918pinningforJavaScript.Asforsecurity,RFC1918pinninglargelypreventsrewallcircumventionbutdoesnotprotectagainstIPhijackingnordoesitpreventrewallcircumventioninthecasewherearewallprotectsnon-privateIPaddresses,whichisthecaseformanyreal-lifeprotectednetworksandpersonalsoftwarerewalls.EventhewidestpossiblepinningheuristicpreventssomelegitimaterebindingofDNSnames.Forexample,publichostnamescontrolledbyanorganizationoftenhavetwoIPaddresses,aprivateIPaddressusedbyclientswithintherewallandapublicIPaddressusedbyclientsontheInter-net.Pinningpreventsemployeesfromproperlyconnectingtotheseseversafterjoiningtheorganization'sVirtualPri-vateNetwork(VPN)asthosehostnamesappeartorebindfrompublictoprivateIPaddresses.Policy-basedPinning.Insteadofusingunpinningheuris-tics,weproposebrowsersconsultserver-suppliedpoliciestodeterminewhenitissafetore-pinahostnamefromoneIPaddresstoanother,providingrobustnesswithoutdegradingsecurity.Tore-pinsafely,thebrowsermustobtainapolicyfromboththeoldandnewIPaddress(becausesomeat-tacksrstbindtotheattackerwhereasothersrstbindtothetarget).Serverscansupplythispolicyatawell-knownlocation,suchas/crossdomain.xml,orinreverseDNS(seeSection5.4).PinningPitfalls.Correctlyimplementingpinninghassev-eralsubtletiesthatarecriticaltoitsabilitytodefendagainstDNSrebindingattacks.CommonPinDatabase.Toeliminatemulti-pinat-tacks,pinning-baseddefenserequirethatallbrowsertechnologiesthataccessthenetworkshareacommonpindatabase.Manyplug-ins,includingFlashPlayerandSilverlight,alreadyusethebrowser'spinswhenissuingHTTPrequestsbecausetheyissuethesere-queststhroughthebrowser.ToshareDNSpinsforotherkindsofnetworkaccess,eitherthebrowsercouldexposeaninterfacetoitspindatabaseortheoperatingsystemcouldpininitsDNSresolver.Unfortunately,browservendorsappearreluctanttoexposesuchaninterface[12,33]andpinningintheoperatingsystemeitherchangesthesemanticsofDNSforotherapplica-tionsorrequiresthattheOStreatsbrowsersandtheirplug-insdierentlyfromotherapplications.Cache.Thebrowser'scacheandallplug-incachesmustbemodiedtopreventrebindingattacks.Cur-rently,objectsstoredinthecacheareretrievedbyURL,irrespectiveoftheoriginatingIPaddress,creat-ingarebindingvulnerability:acachedscriptfromtheattackermightrunlaterwhenattacker.comisboundtothetarget.Topreventthisattack,objectsinthecachemustberetrievedbybothURLandoriginat-ingIPaddress.ThisdegradesperformancewhenthebrowserpinstoanewIPaddress,whichmightoccurwhenthehostattherstIPaddressfails,theuserstartsanewbrowsingsession,ortheuser'snetworkconnectivitychanges.Theseeventsareuncommonandareunlikelytoimpactperformancesignicantly.document.domain.Evenwiththestrictestpinning,aserverisvulnerabletorebindingattacksifithostsawebpagethatexecutesthefollowing,seeminglyin-nocuous,JavaScript:document.domain=document.domain;Afterapagesetsitsdomainproperty,thebrowseral-lowscross-origininteractionswithotherpagesthathavesettheirdomainpropertytothesamevalue[42,17].Thisidiom,usedbyanumberofJavaScriptli-braries6,setsthedomainpropertytoavalueunderthecontroloftheattacker:thecurrenthostname.5.4FixingBrowsers(Default-AllowSockets)InsteadoftryingtopreventahostnamefromrebindingfromoneIPaddresstoanother|afairlycommonevent|adierentapproachtodefendingagainstrebindingistopre-venttheattackerfromnamingthetargetserver,essentiallygeneralizingdnswalltotheInternet.Withouttheabilitytonamethetargetserver,theattackercannotmountaDNSrebindingattackagainstthetarget.Thisapproachdefendsagainstrebinding,canallowsocketaccessbydefault,andpreservestherobustnessofdynamicDNS.HostNameAuthorization.OntheInternet,clientsre-quireadditionalinformationtodeterminethesetofvalidhostnamesforangivenIPaddress.Weproposethatserversadvertisethesetofhostnamestheyconsidervalidforthem-selvesandclientschecktheseadvertisementsbeforebindingahostnametoanIPaddress,makingexplicitwhichhostnamescanmaptowhichIPaddresses.Hostnameautho-rizationpreventsrebindingattacksbecausehonestmachineswillnotadvertisehostnamescontrolledbyattackers.ReverseDNSalreadyprovidesamappingfromIPad-dressestohostnames.TheownerofanIPaddressipisdelegatednamingauthorityforip.in-addr.arpaandtypi-callystoresaPTRrecordcontainingthehostnameassoci-atedwiththatIPaddress.TheserecordsareinsucientforhostnameauthorizationbecauseasingleIPaddresscanhavemanyvalidhostnames,andexistingPTRrecordsdonotindicatethatotherhostnamesareinvalid. 6Forexample,\Dojo"AJAXlibrary,Strutsservlet/JSPbasedwebapplicationframework,jsMathAJAXMathemat-icslibrary,andSun's\Ultimateclient-sideJavaScriptclientsni"libraryarevulnerableinthisway. AcknowledgmentsWethankDrewDean,DarinFisher,JeremiahGrossman,MartinJohns,DanKaminsky,ChrisKarlof,JimRoskind,andDanWallachfortheirhelpfulsuggestionsandfeedback.ThisworkissupportedbygrantsfromtheNationalScienceFoundationandtheUSDepartmentofHomelandSecurity.8.REFERENCES[1]Adobe.FlashPlayerPenetration.http://www.adobe.com/products/player census/flashplayer/.[2]Adobe.AdobeFlashPlayer9Security.http://www.adobe.com/devnet/flashplayer/articles/flash player 9 security.pdf,July2006.[3]Alexa.Topsites.http://www.alexa.com/site/ds/top sites?ts mode=global.[4]K.Anvil.Anti-DNSpinning+socketin ash.http://www.jumperz.net/,2007.[5]W.CheswickandS.Bellovin.ADNSlterandswitchforpacket-lteringgateways.InProc.Usenix,1996.[6]N.Chou,R.Ledesma,Y.Teraguchi,andJ.Mitchell.Client-sidedefenseagainstweb-basedidentitytheft.InProc.NDSS,2004.[7]N.Daswani,M.Stoppelman,etal.TheanatomyofClickbot.A.InProc.HotBots,2007.[8]D.Dean,E.W.Felten,andD.S.Wallach.Javasecurity:fromHotJavatoNetscapeandbeyond.InIEEESymposiumonSecurityandPrivacy:Oakland,California,May1996.[9]D.Edwards.YourMOMAknowsbest,December2005.http://xooglers.blogspot.com/2005/12/your-moma-knows-best.html.[10]K.FenziandD.Wreski.LinuxsecurityHOWTO,January2004.[11]R.Fieldingetal.HypertextTransferProtocol|HTTP/1.1.RFC2616,June1999.[12]D.Fisher,2007.Personalcommunication.[13]D.Fisheretal.ProblemswithnewDNScache(\pinning"forever).https://bugzilla.mozilla.org/show bug.cgi?id=162871.[14]D.Goodin.Calif.manpleadsguiltytofelonyhacking.AssociatedPress,Janurary2005.[15]Google.dnswall.http://code.google.com/p/google-dnswall/.[16]Google.GoogleSafeBrowsingforFirefox,2005.http://www.google.com/tools/firefox/safebrowsing/.[17]S.Grimmetal.Settingdocument.domaindoesn'tmatchanimplicitparentdomain.https://bugzilla.mozilla.org/show bug.cgi?id=183143.[18]J.GrossmanandT.Niedzialkowski.Hackingintranetwebsitesfromtheoutside:JavaScriptmalwarejustgotalotmoredangerous.InBlackhatUSA,August2006.Invitedtalk.[19]I.Hicksonetal.HTML5WorkingDraft.http://www.whatwg.org/specs/web-apps/current-work/.[20]C.Jackson,A.Bortz,D.Boneh,andJ.Mitchell.Protectingbrowserstatefromwebprivacyattacks.InProc.WWW,2006.[21]M.Johns.(somewhat)breakingthesame-originpolicybyunderminingDNSpinning,August2006.http://shampoo.antville.org/stories/1451301/.[22]M.JohnsandJ.Winter.ProtectingtheIntranetagainst\JavaScriptMalware"andrelatedattacks.InProc.DIMVA,July2007.[23]C.K.Karlof,U.Shankar,D.Tygar,andD.Wagner.Dynamicpharmingattacksandthelockedsame-originpoliciesforwebbrowsers.InProc.CCS,October2007.[24]V.T.Lam,S.Antonatos,P.Akritidis,andK.G.Anagnostakis.Puppetnets:Misusingwebbrowsersasadistributedattackinfrastructure.InProc.CCS,2006.[25]G.Maone.DNSSpoong/Pinning.http://sla.ckers.org/forum/read.php?6,4511,14500.[26]G.Maone.NoScript.http://noscript.net/.[27]C.Masone,K.Baek,andS.Smith.WSKE:webserverkeyenabledcookies.InProc.USEC,2007.[28]A.Megacz.XWTFoundationSecurityAdvisory.http://xwt.org/research/papers/sop.txt.[29]A.MegaczandD.Meketa.X-RequestOrigin.http://www.xwt.org/x-requestorigin.txt.[30]Microsoft.MicrosoftWebEnterprisePortal,January2004.http://www.microsoft.com/technet/itshowcase/content/MSWebTWP.mspx.[31]Microsoft.Microsoftphishinglter:Anewapproachtobuildingtrustine-commercecontent,2005.[32]P.Mockapetris.DomainNames|ImplementationandSpecication.IETFRFC1035,November1987.[33]C.Nuuja(Adobe),2007.Personalcommunication.[34]G.Ollmann.Thepharmingguide.http://www.ngssoftware.com/papers/ThePharmingGuide.pdf,August2005.[35]Y.Rekhter,B.Moskowitz,D.Karrenberg,G.J.deGroot,andE.Lear.AddressAllocationforPrivateInternets.IETFRFC1918,February1996.[36]J.Roskind.AttacksagainsttheNetscapebrowser.InRSAConference,April2001.Invitedtalk.[37]D.Ross.NotesonDNSpinning.http://blogs.msdn.com/dross/archive/2007/07/09/notes-on-dns-pinning.aspx,2007.[38]J.Ruderman.JavaScriptSecurity:SameOrigin.http://www.mozilla.org/projects/security/components/same-origin.html.[39]Spamhaus.Thespamhausblocklist,2007.http://www.spamhaus.org/sbl/.[40]S.Stamm,Z.Ramzan,andM.Jakobsson.Drive-bypharming.TechnicalReport641,ComputerScience,IndianaUniversity,December2006.[41]J.Topf.HTMLFormProtocolAttack,August2001.http://www.remote.org/jochen/sec/hfpa/hfpa.pdf.[42]D.Veditzetal.document.domainabusedtoaccesshostsbehindrewall.https://bugzilla.mozilla.org/show bug.cgi?id=154930.[43]W3C.TheXMLHttpRequestObject,February2007.http://www.w3.org/TR/XMLHttpRequest/.[44]B.Warner.HomePCsrentedoutinsabotage-for-hireracket.Reuters,July2004.[45]J.WinterandM.Johns.LocalRodeo:Client-sideprotectionagainstJavaScriptMalware.http://databasement.net/labs/localrodeo/,2007.[46]M.WongandW.Schlitt.SenderPolicyFramework(SPF)forAuthorizingUseofDomainsinE-Mail.IETFRFC4408,April2006.