
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies (slide deck)



  1. Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies
     Sebastian Roth, Timothy Barron, Stefano Calzavara, Nick Nikiforakis & Ben Stock
     Network and Distributed System Security Symposium (NDSS '20)

  2. Cross-Site Scripting (XSS)
     [Diagram of a reflected XSS attack between the browser, vuln.com and evil.com]
     1. XSS payload: https://vuln.com?pl=<script src=evil.com>
     2. HTTP GET request to vuln.com
     3. HTTP response (the injected script tag is returned in the page)
     4. HTTP GET request to evil.com
     5. HTTP response of evil.js
     NDSS 2020 – Sebastian Roth – Complex Security Policy?

  3. Content Security Policy (CSP)
     [Same diagram; the response in step 3 now carries a CSP header that governs whether the script from evil.com may be loaded]
     1. XSS payload: https://vuln.com?pl=<script src=evil.com>
     2. HTTP GET request to vuln.com
     3. HTTP response with CSP header
     4. HTTP GET request to evil.com
     5. HTTP response of evil.js

  4. Content Security Policy (CSP)
     Three generations of the same page, each with the script-src policy that fits it:

     '12 – host whitelist plus 'unsafe-inline'
       <html>
         <body>
           <!-- ad.com includes company.com -->
           <script src="https://ad.com/someads.js"></script>
           <script>
             // ... meaningful inline script
           </script>
         </body>
       </html>
       script-src https://ad.com https://company.com 'unsafe-inline'

     '14 – nonces instead of 'unsafe-inline'
       <html>
         <body>
           <!-- ad.com includes company.com -->
           <script nonce="d90e0153c074f6c3fcf53" src="https://ad.com/someads.js"></script>
           <script nonce="d90e0153c074f6c3fcf53">
             // ... meaningful inline script
           </script>
         </body>
       </html>
       script-src 'nonce-d90e0153c074f6c3fcf53' https://company.com

     '16 – nonce plus 'strict-dynamic': scripts created by a nonced script inherit its trust, so no host whitelist is needed
       <html>
         <body>
           <script nonce="d90e0153c074f6c3fcf53">
             let script = document.createElement("script");
             script.src = "http://ad.com/ad.js";
             document.body.appendChild(script);
           </script>
         </body>
       </html>
       script-src 'nonce-d90e0153c074f6c3fcf53' 'strict-dynamic'

  5. Research Questions
     We know from other studies that:
     – CSP adoption is far behind expectations
     – Many deployed policies are insecure
     • Why is CSP adoption so low?
     • For what purpose is CSP used in the wild?
     • What are the problems of deploying a CSP?

  6. Methodology
     Dataset Construction
     • Create a list of the Top 10k sites over time: the intersection of the Alexa Top sites of each month, 2012 – 2018
     Data Collection
     • Use the Wayback Machine; collected 20,179 CSPs
     • Checked the archive data against Common Crawl
     Analytics
     • Classify CSP use-cases
     • Analyze the directives and their use-cases
     • Detailed case studies & developer opinions

  7. Use-Case 1: Script Content Control
     [Chart: sites with any CSP (CSP Adoption) vs. sites using CSP for Script Content Control, per year 2014–2018; y-axis 0–1000 sites]

  8. Use-Case 1: Script Content Control
     [Chart: sites with Script Content Control whose policy contains 'unsafe-inline' or one of the scheme sources http:, https: or *, per year 2014–2018; y-axis 0–450 sites]
     Used 'unsafe-inline' in CSP: 378 sites; of those, 180 (48%) have inline event handlers

  9. Script Content Control – Example
     Airbnb's journey to secure their CSP: they needed 3 ½ years and 222 changes to deploy a non-trivially bypassable CSP.
     • 11-2014: CSP in report-only mode; script-src: 32 entries (incl. https:)
     • 03-2015: Tried to harden the CSP; script-src: 28 entries
     • 05-2015: Enforcement mode; script-src: 33 entries
     • 12-2017: script-src: 17 entries
     • 01-2018: Added https:; script-src: 22 entries
     • 03-2018: Finally a secure CSP; script-src: 5 entries (incl. https:)

  10. Use-Case 2: TLS Enforcement
     [Chart: sites with any CSP (CSP Adoption) vs. sites using CSP for Script Content Control and for TLS Enforcement, per year 2014–2018; y-axis 0–1000 sites]

  11. Use-Case 2: TLS Enforcement
     [Chart: sites using each TLS-enforcement mechanism (upgrade-insecure-requests, block-all-mixed-content, whitelist of the https: scheme), per year 2016–2018; y-axis 0–500 sites]

  12. Use-Case 2: TLS Enforcement
     • We collected all main pages of upgrade-insecure-requests sites from the Archive and extracted the 3rd-party URLs
     • How hard is HTTPS migration in the wild?
       – Mixed content on 4,785 sites from the Alexa Top 10k
       – For 89% of them, all HTTP resources are upgradeable to HTTPS
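The use-case classification behind slides 6–12 can be reproduced per header. The following is an added example, not code from the paper or its authors: it parses a Content-Security-Policy header, decides whether it is used for script content control and/or TLS enforcement (and notes a frame-ancestors directive), and flags a script policy as trivially bypassable on the two conditions of slide 8, namely 'unsafe-inline' without a nonce or hash (browsers ignore 'unsafe-inline' once a nonce or hash is present) or an http:/https:/* source without 'strict-dynamic' (which makes host and scheme sources irrelevant). The exact rules the authors used to count "whitelist HTTPS schema" are not on the page; treating an https:-only default-src as TLS enforcement is this example's own simplification.

```python
"""Classify a Content-Security-Policy header into the talk's use-cases and
flag script policies that are trivially bypassable.

Added example, not code from the paper or its authors. Directive parsing
follows the CSP specification; the use-case rules simplify the talk's
categories (see the comments for what is assumed)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Source expressions that let an attacker load scripts from almost anywhere
# (the talk's "http: || https: || *" category).
PERMISSIVE_SCHEMES = {"http:", "https:", "*"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source-expression, ...]}.

    Directives are ';'-separated, their tokens whitespace-separated.
    Browsers honour only the first occurrence of a directive name, so a
    repeated directive is ignored here as well.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """script-src, falling back to default-src; None if neither is present."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


@dataclass
class Classification:
    script_content_control: bool = False
    tls_enforcement: bool = False
    framing_control: bool = False
    script_bypassable: bool = False
    reasons: list[str] = field(default_factory=list)


def classify(header: str) -> Classification:
    policy = parse_csp(header)
    result = Classification()

    scripts = effective_script_sources(policy)
    if scripts is not None:
        result.script_content_control = True
        sources = {s.lower() for s in scripts}
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
        # CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash
        # is present, so it only counts as bypassable without one.
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            result.script_bypassable = True
            result.reasons.append("'unsafe-inline' without nonce or hash")
        # 'strict-dynamic' makes host and scheme sources irrelevant, so a
        # scheme/wildcard entry only counts as bypassable without it.
        permissive = sources & PERMISSIVE_SCHEMES
        if permissive and "'strict-dynamic'" not in sources:
            result.script_bypassable = True
            result.reasons.append("permissive scheme/wildcard: " + " ".join(sorted(permissive)))

    # TLS enforcement: the two dedicated directives, or (this example's
    # simplification) a default-src whitelist that only admits https:.
    for directive in ("upgrade-insecure-requests", "block-all-mixed-content"):
        if directive in policy:
            result.tls_enforcement = True
            result.reasons.append(directive)
    default = [s.lower() for s in policy.get("default-src", [])]
    if "https:" in default and not any(s == "http:" or s.startswith("http://") for s in default):
        result.tls_enforcement = True
        result.reasons.append("https:-only default-src whitelist")

    if "frame-ancestors" in policy:
        result.framing_control = True
    return result


if __name__ == "__main__":
    # Constructed headers taken from the policies on slide 4.
    for hdr in ("script-src https://ad.com https://company.com 'unsafe-inline'",
                "script-src 'nonce-d90e0153c074f6c3fcf53' 'strict-dynamic'"):
        print(hdr, "->", classify(hdr))
```

Run on the three policies of slide 4, the '12 policy is flagged (both 'unsafe-inline' and host-only), while the '14 and '16 policies are not; an https:-scheme whitelist such as the early Airbnb policies is flagged unless 'strict-dynamic' neutralises it.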

  13. Framing-based attacks
     [Illustration: a decoy page at https://kittenpics.org/ asks "Wanna see more Kittens?" with a "Yes!" button]

  14. Framing Control – X-Frame-Options
     X-Headers are not standardized! This leads to security problems:
     • Partial support
     • Double framing
     ... as well as functionality problems:
     • X-Frame-Options can only have a single whitelist entry

  15. Use-Case 3: Framing Control
     [Chart: sites with any CSP (CSP Adoption) vs. sites using CSP for Script Content Control, TLS Enforcement and Framing Control, per year 2014–2018; y-axis 0–1000 sites]

  16. Use-Case 3: Framing Control
     How CSP frame-ancestors fixes these problems:
     – Partial support / inconsistent implementation: frame-ancestors has been a well-defined part of the CSP standard since 2014, so all "modern" browsers support it.
     – Double framing: it applies to all of a frame's ancestors, not only the top-most frame.
     – Explicit whitelist: frame-ancestors supports wildcards and multiple source expressions, e.g.
       frame-ancestors www.foo.com 'self' *.partner.com
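The difference between the two framing controls on slides 14 and 16 is easiest to see on an ancestor chain. The code below is an added example, not from the paper or its authors: it evaluates a CSP frame-ancestors source list against every ancestor of a frame (simplified source-expression matching for host, 'self', 'none', scheme and *.wildcard sources; explicit ports are ignored), and models X-Frame-Options as the slide describes it, with only the top-most document checked, which is the behaviour that makes double framing possible; that modelling of XFO is an assumption about the implementations the talk refers to, not a statement about any particular browser. The double-framing scenario and the hostnames are constructed.

```python
"""Framing decision for a document that sets X-Frame-Options, CSP
frame-ancestors, or both, against a chain of framing documents.

Added example, not code from the paper. XFO is modelled as checking the
top-level document only (an assumption about the behaviour the talk calls
"double framing"); frame-ancestors checks every ancestor, as the spec does."""
from __future__ import annotations

from urllib.parse import urlsplit


def origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def matches_source(source: str, url: str, self_origin: str) -> bool:
    """Does one CSP source expression match the given ancestor URL?
    Simplified: explicit ports and IPv6 literals are not handled."""
    src = source.lower()
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin(url) == self_origin.lower()
    if src == "*":
        return True
    if src.endswith(":"):                       # scheme-source such as https:
        return u.scheme + ":" == src
    if "://" in src:                            # host-source with explicit scheme
        scheme, _, rest = src.partition("://")
        if u.scheme != scheme:
            return False
    else:
        rest = src
    pattern = rest.split("/")[0].split(":")[0]  # strip path and port
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])       # *.partner.com matches a.partner.com, not partner.com
    return host == pattern


def frame_ancestors_allows(sources: list[str], ancestors: list[str], self_origin: str) -> bool:
    """Every ancestor (nearest parent first, top-level last) must match some
    source; an empty source list behaves like 'none'."""
    return all(any(matches_source(s, a, self_origin) for s in sources) for a in ancestors)


def xfo_allows(value: str, ancestors: list[str], self_origin: str) -> bool:
    """X-Frame-Options as modelled here: only the top-level document is
    inspected, and ALLOW-FROM admits exactly one origin."""
    if not ancestors:
        return True
    top = ancestors[-1]
    tokens = value.strip().split()
    keyword = tokens[0].upper() if tokens else ""
    if keyword == "DENY":
        return False
    if keyword == "SAMEORIGIN":
        return origin(top) == self_origin.lower()
    if keyword == "ALLOW-FROM" and len(tokens) == 2:
        return origin(top) == origin(tokens[1])
    return True                                  # invalid value: header ignored


# Constructed double-framing scenario: the victim page is framed by
# attacker.example, which is itself framed by a victim.example page on top.
VICTIM = "https://victim.example"
DOUBLE_FRAMING = ["https://attacker.example/", "https://victim.example/"]

if __name__ == "__main__":
    print("XFO SAMEORIGIN allows double framing:", xfo_allows("SAMEORIGIN", DOUBLE_FRAMING, VICTIM))
    print("frame-ancestors 'self' allows it:   ", frame_ancestors_allows(["'self'"], DOUBLE_FRAMING, VICTIM))
```

With the chain above, SAMEORIGIN sees only the same-origin top-level page and lets the attacker's intermediate frame through, whereas frame-ancestors 'self' rejects the chain because one ancestor is foreign; the slide's example list `www.foo.com 'self' *.partner.com` also shows the multi-entry whitelist XFO cannot express.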

  17. Use-Case 3: Framing Control
     [Chart: sites using X-Frame-Options, CSP frame-ancestors, or both, per year 2012–2018; y-axis 0–3500 sites; an annotation marks the point at which XFO was deprecated]

  18. Framing Control – Developer Study
     • We notified the 2,699 web sites using XFO but not CSP frame-ancestors about their problem via email.
     • Received 117 responses that went beyond automatic answers.
     • Many developers have the misconception that different CSP features cannot be used in isolation!

  19. Developer Study – CSP destroys Web applications
     "[...] adding CSP [...] already placed on the roadmap in August of last year. We ran into some trouble with properly enabling the policies, as they ended up effectively killing the website."

  20. Developer Study – Misconceptions about CSP
     "CSP is a complex beast [...]. Some of our partners are iframing our site. We already had issues implementing the X-Frame header, so we did not want to deal with CSP."

  21. Framing Control – Developer Study
     [Two bar charts of responses, y-axis 0–40; answer options: Yes / No / I don't know / No answer]
     • Do you believe CSP is a viable option to improve your site's resilience against XSS attacks?
     • Would your site work out of the box if you deployed a script-content restricting CSP today (disallow eval, inline scripts, and event handlers)?

  22. Complex Security Policy?

  23. How to go back in time?
     The Wayback Machine also stores the original HTTP headers of each capture, prefixed with X-Archive-Orig-.
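Collecting historical policies as slides 6 and 23 describe means reading those prefixed headers back out of an archived response. The following is an added example, not the paper's collection tooling: it builds the capture URL, strips the X-Archive-Orig- prefix case-insensitively while keeping repeated headers, and returns every enforced and report-only policy, splitting comma-separated policies that share one header line. The `id_` URL modifier, used to request the unmodified capture, is an assumption about the archive's URL format, and the sample header list is constructed, not a real capture.

```python
"""Recover a site's original CSP headers from a Wayback Machine capture.

Added example, not the paper's tooling. The archive returns the captured
response's own headers prefixed with X-Archive-Orig- (as the slide states);
the 'id_' URL modifier and the sample headers below are assumptions /
constructed data."""
from __future__ import annotations

import urllib.request

ORIG_PREFIX = "x-archive-orig-"
CSP_HEADERS = (
    ("enforce", "content-security-policy"),
    ("report-only", "content-security-policy-report-only"),
)


def archive_url(timestamp: str, url: str) -> str:
    """Capture URL; 'id_' asks for the raw, unrewritten response (assumed format)."""
    return f"https://web.archive.org/web/{timestamp}id_/{url}"


def original_headers(archive_headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Strip the X-Archive-Orig- prefix (case-insensitively) and keep repeated
    headers as lists, so several CSP headers in one response all survive."""
    out: dict[str, list[str]] = {}
    for name, value in archive_headers:
        lname = name.lower()
        if lname.startswith(ORIG_PREFIX):
            out.setdefault(lname[len(ORIG_PREFIX):], []).append(value.strip())
    return out


def original_csps(archive_headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """All policies of the archived response as (mode, policy). One header
    line may carry several comma-separated policies; each is returned alone."""
    headers = original_headers(archive_headers)
    policies: list[tuple[str, str]] = []
    for mode, name in CSP_HEADERS:
        for value in headers.get(name, []):
            for policy in value.split(","):
                if policy.strip():
                    policies.append((mode, policy.strip()))
    return policies


def fetch_original_csps(timestamp: str, url: str) -> list[tuple[str, str]]:
    """Network variant: fetch one capture and extract its CSPs (not called here)."""
    with urllib.request.urlopen(archive_url(timestamp, url)) as resp:
        return original_csps(resp.getheaders())


# Constructed sample of an archived response's header list; not a real capture.
SAMPLE_ARCHIVE_HEADERS = [
    ("Server", "nginx"),
    ("Memento-Datetime", "Thu, 01 Mar 2018 00:00:00 GMT"),
    ("X-Archive-Orig-Content-Security-Policy", "script-src 'self' https:; frame-ancestors 'none'"),
    ("x-archive-orig-content-security-policy-report-only", "script-src 'nonce-abc' 'strict-dynamic'"),
    ("X-Archive-Orig-X-Frame-Options", "SAMEORIGIN"),
]

if __name__ == "__main__":
    for mode, policy in original_csps(SAMPLE_ARCHIVE_HEADERS):
        print(mode, "->", policy)
```

Keeping the enforced and report-only policies apart matters for a longitudinal study: the Airbnb timeline on slide 9 starts in report-only mode, and a policy in that mode restricts nothing.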

  24. Appendix – Developer Study – Building a CSP requires massive effort
     "We have a small team. Do we want to update our version of python or do we want to add CSP? Do we want to move to the new LTS version of Ubuntu or CSP? [...] CSP always loses."

  25. Appendix – Developer Study – CSP is too complex to deploy
     "[...] many first and third party integrations [...] having a generic CSP policy that adds value and which is suitable for our entire estate is something that is very difficult to achieve."

  26. Developer Study
     [Two bar charts of responses; answer options: Yes / No / No answer]
     • Did you know about the frame-ancestors directive and its improved protection capabilities compared to X-Frame-Options before our notification? (y-axis 0–30)
     • Did you know that frame-ancestors can be deployed independently of any other part of CSP before our notification? (y-axis 0–15)

  27. Appendix – Developer Study
     Why have you implemented the X-Frame-Options header?
     [Horizontal bar chart, x-axis 0–25 responses; options: Pentest / Consultant, Tools we use, Own decision, Other]
