
CO 447 | LEC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS: BROWSER VULNERABILITIES - PowerPoint PPT Presentation



  1. CO 447 | LEC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS: BROWSER VULNERABILITIES. Dr. Benjamin Livshits

  2. Drive-by malware

  3. 3

  4. 4

  5. Google patches Chrome zero-day under active attacks

  6. Continued

  7. Third 0-day in the past year

  8. Web Security. Web attacker: sets up a malicious site visited by the victim (Alice); no control of the network.

  9. Network Security. Network attacker: intercepts and controls network communication with Alice.

  10. Web Malware. Malware attacker: escapes the browser to wreak havoc on Alice's machine.

  11. Web Threat Models
     - Web attacker
       - Controls https://attacker.com
       - Can obtain an SSL/TLS certificate for https://attacker.com
       - User visits attacker.com (or runs the attacker's Facebook app, etc.)
     - Network attacker
       - Passive: wireless eavesdropper
       - Active: evil router, DNS poisoning
     - Malware attacker
       - Attacker escapes the browser isolation mechanisms and runs separately under control of the OS
       - This is what connects the world of web attacks to the low-level memory-based exploitation we've seen so far

  12. Cookies: Client State

  13. Cookies: Browser State. HTTP is a stateless protocol; cookies add state.
     - Browser to server: POST …
     - Server to browser, HTTP header: Set-Cookie: NAME=VALUE; domain=(who can read); expires=(when it expires; if expires is NULL, this session only); secure=(only over SSL)
     - Browser to server, later request: POST … with Cookie: NAME=VALUE

  14. Cookie-Based Authentication (browser, web server, auth server)
     - Browser to web server: POST login.cgi with username & password
     - Web server to auth server: validate user; auth server returns auth=val
     - Web server to browser: Set-Cookie: auth=val; browser stores val
     - Browser to web server: GET restricted.html with Cookie: auth=val
     - Web server to auth server: check val; auth server answers YES/NO
     - If YES, web server returns restricted.html

  15. Cookie Security Policy
     - Uses: user authentication; personalization; user tracking, e.g. Doubleclick (3rd-party cookies)
     - Browser will store at most 20 cookies/site, 3 KB / cookie
     - Origin is the tuple <domain, path>; can set cookies valid across a domain suffix

  16. Cookies from www.marketplace.org

  17. Secure Cookies. Server to browser, HTTP header: Set-Cookie: NAME=VALUE; Secure=true
     - Provides confidentiality against a network attacker: the browser will only send the cookie back over HTTPS
     - No integrity: secure cookies can be rewritten over HTTP, so a network attacker can rewrite a secure cookie and, for example, log the user into the attacker's account

  18. A Real Secure Set-Cookie Request

  19. httpOnly Cookies. Server to browser, HTTP header: Set-Cookie: NAME=VALUE; httpOnly
     - Cookie is sent over HTTP(S), but is not accessible to scripts: cannot be read via document.cookie
     - Helps prevent cookie theft via XSS … but does not stop most other risks of XSS bugs
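The cookie attributes from slides 13, 17 and 19 put to work, as an added example that is not part of the lecture: a small Set-Cookie parser, an audit that flags a missing Secure or httpOnly attribute, and the send decision a browser makes (domain suffix, path prefix, Secure only over HTTPS). The headers it handles are constructed samples.

```javascript
// Added example, not from the lecture: parse a Set-Cookie header into the
// attributes the slides list, audit it the way a defender would, and decide
// whether a browser would attach it to a request. Sample headers are constructed.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    domain: null,      // null = host-only cookie (no Domain attribute)
    path: '/',
    expires: null,     // null = session cookie (gone when the browser closes)
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val || '/';
    else if (key === 'expires') cookie.expires = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Findings a reviewer would raise on an authentication cookie.
function auditCookie(cookie) {
  const findings = [];
  if (!cookie.secure) findings.push('no Secure: sent in clear, readable by a network attacker');
  if (!cookie.httpOnly) findings.push('no HttpOnly: readable via document.cookie (XSS theft)');
  if (cookie.expires === null) findings.push('session cookie: lives until the browser closes');
  return findings;
}

// Would a browser send `cookie` (set by host `setFromHost`) on a request to
// `url`? Applies the domain-suffix, path-prefix and Secure rules from the slides.
function wouldSend(cookie, setFromHost, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const domainOk = cookie.domain
    ? host === cookie.domain || host.endsWith('.' + cookie.domain)
    : host === setFromHost.toLowerCase();
  const pathOk = u.pathname.startsWith(cookie.path);
  const schemeOk = !cookie.secure || u.protocol === 'https:';
  return domainOk && pathOk && schemeOk;
}
```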

  20. Frame and Content Isolation

  21. Frame and IFRAME
     - A window may contain frames from different sources
       - Frame: rigid division as part of a frameset
       - iFrame: floating inline frame
     - iFrame example:
         <iframe src="hello.html" width=450 height=100>
           If you can see this, your browser doesn't understand IFRAME.
         </iframe>
     - Why use frames?
       - Delegate screen area to content from another source
       - Browser provides isolation based on frames
       - Parent may work even if frame is broken

  22. Floating IFRAMEs

  23. Windows Interact... What?

  24. Web vs. OS: An Analogy
     - Operating system: primitives are system calls, processes and disk; principals are users; discretionary access control; low-level vulnerabilities such as buffer overflows and other memory issues
     - Web browser: primitives are the Document Object Model (DOM), frames and cookies / localStorage; principals are "origins"; mandatory access control; application-level vulnerabilities such as cross-site scripting, cross-site request forgery, SQL injection, etc.

  25. Policy Goals
     - Safe to visit a potentially evil web site
     - Safe to visit two pages at the same time (the address bar distinguishes them)
     - Allow safe delegation

  26. Browser Security Mechanism (figure: frames A, B, A and A, B in one window)
     - Each frame of a page has an origin: Origin = <protocol://host:port>
     - A frame can access its own origin: network access, read/write DOM, storage (cookies)
     - A frame cannot access data associated with a different origin

  27. Origin Determination: http://www.example.com

  28. Components of Browser Security Policy
     - Frame-frame relationships
       - canScript(A,B): can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
       - canNavigate(A,B): can Frame A change the origin of content for Frame B?
     - Frame-principal relationships
       - readCookie(A,S), writeCookie(A,S): can Frame A read/write cookies from site S?
     - See https://code.google.com/p/browsersec/wiki/Part1 and https://code.google.com/p/browsersec/wiki/Part2

  29. Library Import Excluded From SOP
         <script src=https://seal.verisign.com/getseal?host_name=a.com></script>
     - The VeriSign script has the privileges of the importing page, NOT the source server
     - It can script other pages in this origin and load more scripts
     - Other forms of importing

  30. Domain Relaxation (figure: frames from www.facebook.com and chat.facebook.com relaxing to facebook.com)
     - Origin: scheme, host, (port), hasSetDomain
     - Try document.domain = document.domain
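The origin tuple of slide 26, the canScript(A,B) relation of slide 28 and the hasSetDomain flag of this slide, as an added example rather than lecture code. The hosts are the ones in the figure; the relaxation rule (both sides must have set document.domain to the same value, and only to a suffix of their own host) is the commonly implemented one and is stated here as an assumption.

```javascript
// Added example, not from the lecture: build the origin tuple from slide 26
// plus the hasSetDomain flag from slide 30, and evaluate canScript(A,B) with
// the document.domain relaxation rule (assumed rule, as browsers implement it).
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORT[u.protocol] || '',
    domain: null,         // effective document.domain, null until a script sets it
    hasSetDomain: false,
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// document.domain = value: the value must be the current host or a suffix of it;
// a bare top-level label such as "com" is refused.
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase();
  const suffixOk = origin.host === v || origin.host.endsWith('.' + v);
  if (!suffixOk || !v.includes('.')) {
    throw new Error('SecurityError: cannot set document.domain to ' + value);
  }
  return { ...origin, domain: v, hasSetDomain: true };
}

// canScript(A,B): without relaxation this is plain same-origin. Once either side
// has set document.domain, both must have set it, to the same value, with the
// same scheme; this is why "document.domain = document.domain" matters.
function canScript(a, b) {
  if (!a.hasSetDomain && !b.hasSetDomain) return sameOrigin(a, b);
  return a.hasSetDomain && b.hasSetDomain &&
    a.scheme === b.scheme && a.domain === b.domain;
}
```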

  31. Additional Mechanisms
     - Server: CORS (cross-origin network requests). Site B answers Site A with Access-Control-Allow-Origin: <list of domains> or Access-Control-Allow-Origin: *
     - Client: cross-origin client-side communication between a Site A context and a Site B context: client-side messaging via navigation (old browsers), postMessage (modern browsers)

  32. iframes: embed HTML documents in other documents
         <iframe name="myframe" src="http://www.google.com/">
           This text is ignored by most browsers.
         </iframe>

  33. Frame Busting
     - Goal: prevent a web page from loading in a frame (example: opening the login page in a frame will display the correct passmark image)
     - Frame busting: if (top != self) top.location.href = location.href

  34. Better Frame Busting
     - Problem: the JavaScript onUnload event, e.g. <body onUnload="javascript: cause_an_abort();">
     - Try this instead: if (top != self) top.location.href = location.href else { … code of page here … }

  35. Frame Busting via Headers: set X-Frame-Options to DENY or SAMEORIGIN
         $ npm install busted
         var busted = require('busted');
         var URL = 'http://www.bbc.co.uk';
         busted.headersTest(URL, function(url, passed) {
           console.log(url + (passed ? ' passed ' : ' failed ') + 'the headers test.');
         });
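The header-based check of slides 33 to 35 in its own code, as an added example that is neither lecture code nor the `busted` package: given a response's headers, decide whether a page may be framed by a given embedder, honouring X-Frame-Options and the CSP frame-ancestors directive (which browsers prefer when both are present). The header sets are constructed, and only 'self', 'none', '*' and exact origins are matched.

```javascript
// Added example, not from the lecture and independent of the `busted` package:
// a framing-policy check over response headers. Header sets are constructed.
function findHeader(headers, name) {
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  return hit ? hit[1] : undefined;
}

// Source list of the frame-ancestors directive, or null when absent.
function frameAncestors(csp) {
  if (!csp) return null;
  const directive = csp.split(';')
    .map((d) => d.trim().split(/\s+/).filter(Boolean))
    .find((d) => d.length && d[0].toLowerCase() === 'frame-ancestors');
  return directive ? directive.slice(1) : null;
}

// May a page served with `headers` from `pageOrigin` be framed by `embedderOrigin`?
function canBeFramed(headers, pageOrigin, embedderOrigin) {
  const ancestors = frameAncestors(findHeader(headers, 'content-security-policy'));
  if (ancestors) {   // CSP frame-ancestors wins over X-Frame-Options when present
    return ancestors.some((src) =>
      src === '*' ||
      (src === "'self'" && embedderOrigin === pageOrigin) ||
      src === embedderOrigin);
  }
  const xfo = (findHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true;   // no policy at all: any site may frame the page (clickjacking risk)
}

// The pass/fail verdict the slide's headers test prints: a page passes when an
// unrelated third-party origin cannot frame it.
function headersTest(headers, pageOrigin) {
  return !canBeFramed(headers, pageOrigin, 'https://third-party.invalid');
}
```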

  36. CSP and CORS

  37. CSP: Content Security Policy
     - Example 1: a server wants all content to come from its own domain:
         X-Content-Security-Policy: default-src 'self'
     - Example 2: an auction site wants to allow images from anywhere, plugin content from a list of trusted media providers including a content distribution network, and scripts only from a server under its control hosting sanitized JavaScript:
         X-Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com

  38. CSP: Content Security Policy
     - Example 3: a site operations group wants to globally deny all third-party scripts in the site, and a particular project team wants to also disallow third-party media in their section of the site. Site operations sends the first header while the project team sends the second header, and the user agent takes the intersection of the two headers to form the complete interpreted policy:
         X-Content-Security-Policy: default-src *; script-src 'self'
         X-Content-Security-Policy: default-src *; script-src 'self'; media-src 'self'
     - Example 4: an online banking site wants to ensure that all of the content in its pages is loaded over TLS to prevent attackers from eavesdropping on insecure content requests:
         X-Content-Security-Policy: default-src https://*:443
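Examples 1 to 4 evaluated in code, as an added example that is not part of the lecture: a parser for the X-Content-Security-Policy headers above and a load decision that falls back to default-src for an unnamed directive, requires every delivered header to allow the load (the intersection of Example 3), and matches 'self', 'none', '*', host wildcards and scheme://host:port sources such as https://*:443. Nonce and hash source forms are out of scope and simply do not match.

```javascript
// Added example, not from the lecture: evaluate the slides' CSP headers.
// A load must satisfy every header delivered; a directive missing from a
// header falls back to that header's default-src.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

const portOf = (u) => u.port || (u.protocol === 'https:' ? '443' : '80');

// Does one source expression allow `url` when loaded by the page at `self`?
function matchSource(expr, url, self) {
  const u = new URL(url), s = new URL(self);
  if (expr === '*') return true;
  if (expr === "'none'") return false;
  if (expr === "'self'") return u.origin === s.origin;
  const m = /^(?:([a-z]+):\/\/)?([^:/]+)(?::(\d+|\*))?$/i.exec(expr);
  if (!m) return false;                       // nonce/hash forms not handled here
  const scheme = m[1] && m[1].toLowerCase(), host = m[2].toLowerCase(), port = m[3];
  if (scheme) {
    if (scheme + ':' !== u.protocol) return false;
  } else if (u.protocol !== s.protocol && u.protocol !== 'https:') {
    return false;                             // no scheme given: inherit the page's, allow upgrade
  }
  const hostOk = host === '*' ||
    (host.startsWith('*.') ? u.hostname.endsWith(host.slice(1)) : u.hostname === host);
  return hostOk && (!port || port === '*' || port === portOf(u));
}

// The resource type's directive (or default-src) must contain a matching
// source in every header: this is the intersection from Example 3.
function allowsLoad(headers, directive, url, self) {
  return headers.every((h) => {
    const policy = parseCsp(h);
    const sources = policy[directive] || policy['default-src'];
    if (!sources) return true;                // nothing restricts this type
    return sources.some((expr) => matchSource(expr, url, self));
  });
}
```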

  39. XHR and CSP
         var xhr = new XMLHttpRequest();
         xhr.open("GET", "http://api.example.com/data.json", true);
         xhr.onreadystatechange = function() {
           if (xhr.readyState == 4) {
             // JSON.parse does not evaluate the attacker's scripts.
             var resp = JSON.parse(xhr.responseText);
           }
         };
         xhr.send();

  40. CORS can be used for a range of resources:
     - Invocations of the XMLHttpRequest or Fetch APIs in a cross-site manner, as discussed above
     - Web fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be cross-site loaded and used by web sites that are permitted to do so
     - WebGL textures
     - Images/video frames drawn to a canvas using drawImage
     - Stylesheets (for CSSOM access)
