CS-527 Software Security Browser Security Asst. Prof. Mathias Payer - PowerPoint PPT Presentation


  1. CS-527 Software Security: Browser Security. Asst. Prof. Mathias Payer, Department of Computer Science, Purdue University. TA: Kyriakos Ispoglou. https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017

  2. Table of Contents
     1. Web Environment
     2. Design Principles
     3. Browser isolation principles
     4. Attack vectors
     5. Summary and conclusion
     Mathias Payer (Purdue University) CS-527 Software Security 2017 2 / 16

  3. Web Environment: Basics
     - Uniform Resource Locators (URLs) allow global identification of retrievable documents, specifying both the protocol and the location of the resource. The location is broken into hostname, port, path, query (a sequence of variable=value statements with & as delimiter), and fragment, e.g., protocol://hostname:port/path/?query#fragment
     - The Hypertext Transfer Protocol (HTTP) allows a host to fetch URLs from a remote server. HTTP is a simple stateless protocol in which a client requests a page (including some auxiliary headers). The response contains the HTTP version, status code, reason, headers, length, and data in a simple human-readable format.
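As an added illustration of the two formats on this slide (example code, not from the lecture): a parser for the URL grammar given above and a parser for an HTTP response head, run on constructed sample values. The sample URL and response are made up; the fragment is shown to stay on the client.

```javascript
// Added example, not from the slides: parse a URL into the components listed above,
// then parse a constructed HTTP response into version, status, reason, headers,
// length and data. All sample values are made up.
// protocol://hostname:port/path/?query#fragment
const URL_RE = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/i;

function parseUrl(url) {
  const m = URL_RE.exec(url);
  if (!m) throw new Error('not an absolute URL: ' + url);
  const [, protocol, hostname, port, path, query, fragment] = m;
  // Query: variable=value statements delimited by '&'; percent-decode both sides.
  const params = {};
  for (const pair of (query || '').split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');
    const k = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    params[k] = eq < 0 ? '' : decodeURIComponent(pair.slice(eq + 1));
  }
  return { protocol: protocol.toLowerCase(), hostname, port: port ? Number(port) : null,
           path: path || '/', query: query || '', params, fragment: fragment || '' };
}

// The fragment never leaves the client: the request line carries only path and query.
function requestLine(u) {
  return 'GET ' + u.path + (u.query ? '?' + u.query : '') + ' HTTP/1.1';
}

// Status line, headers and body of an HTTP/1.x response (ASCII assumed, so string
// length equals byte length).
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  if (sep < 0) throw new Error('incomplete response head');
  const [statusLine, ...headerLines] = raw.slice(0, sep).split('\r\n');
  const sm = /^(HTTP\/\d\.\d) (\d{3}) ?(.*)$/.exec(statusLine);
  if (!sm) throw new Error('bad status line: ' + statusLine);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i < 0) throw new Error('bad header line: ' + line);
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const body = raw.slice(sep + 4);
  const len = Number(headers['content-length']);
  // Honour the declared length only as far as bytes are actually present.
  const data = Number.isFinite(len) ? body.slice(0, len) : body;
  return { version: sm[1], status: Number(sm[2]), reason: sm[3], headers, length: data.length, data };
}

// Constructed sample input (not a real capture).
const SAMPLE_URL = 'https://example.com:8443/docs/?q=browser%20security&page=2#section-3';
const SAMPLE_RESPONSE = 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 13\r\n\r\n<p>hello</p>\n';
```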

  4. Web Environment: Browsers
     - Modern browsers have evolved into complex applications that retrieve HTML documents over HTTP and display them.
     - The browser process handles entering and displaying the URI. Upon receiving a new display request, the browser process asks the browser engine whether the location is cached; if not, it requests the page over HTTP.
     - The renderer process takes the web page and renders it.
     - A window/frame uses a basic execution model that loops between content loading, rendering, and reacting to events (user actions, rendering, or timing).

  5. Web Environment: Rendering
     - Rendering is not that simple. A bunch of different parsers handle data in different formats: HTML, JavaScript, CSS, images, and many more.
     - All parsers, and the JavaScript engine that allows dynamic code to be executed, update the Document Object Model (DOM) tree, which is then “rendered”.

  6. Design Principles (section table of contents)

  7. Design Principles: Security goals
     - A tab cannot compromise data on the system.
     - A tab cannot compromise data in other tabs.
     - A tab cannot hijack and control other tabs.

  8. Design Principles: Different threat models
     - Web attacker: may control a server and/or a certificate. The user actively visits the page (or app or ad).
     - Network attacker: passive eavesdropper or active man in the middle (MITM), or ARP/DNS poisoning attack.
     - OS attacker: exploits the browser and controls execution.

  9. Browser isolation principles (section table of contents)

  10. Browser isolation principles: Browser isolation
     - The browser isolates fault domains through processes. The browser process controls a GPU process, a sandbox for each renderer, and a set of sandboxes for different plugins.
     - Each sandbox is isolated from the system and from other sandboxes. Each sandbox is reduced to least privilege.
     - On Linux, Chrome uses seccomp-secured processes to enforce isolation and least privilege.

  11. Attack vectors (section table of contents)

  12. Attack vectors: Heap spraying
     - Browser sandboxes are very constrained, but an attacker may execute arbitrary code through JavaScript.
     - Exploits for vulnerabilities like use-after-free are often imprecise due to variance in the heap (i.e., where objects are allocated).
     - Idea: spray a large number of copies of the same object across the heap by allocating many objects. Only one of them then has to be hit in the exploit.
     - Heap spraying conceptually solves the same problem as NOP slides.
     - How would you detect heap spraying?
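One answer to the detection question on this slide, as an added example that is not part of the lecture: a heuristic that flags an allocation trace when a single group of identical, low-diversity objects dominates the bytes allocated, the signature a spray shares with NOP slides. It assumes a hypothetical instrumented allocator that reports each allocation's size and content; the traces it runs on are constructed.

```javascript
// Added example, not from the slides: a heuristic heap-spray detector over a constructed
// allocation trace, assuming an instrumented allocator that reports size and content (hypothetical).
// FNV-1a over a string, used as a cheap content fingerprint.
function fingerprint(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i) & 0xff;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}
// Distinct byte values relative to object size: sprayed buffers, like NOP slides,
// are highly repetitive (low diversity); ordinary data structures are not.
function byteDiversity(str) {
  return new Set(str).size / Math.max(1, Math.min(str.length, 256));
}
// trace: array of { size, content }. Flags a trace when one group of identical,
// low-diversity objects dominates the bytes allocated.
function detectHeapSpray(trace, opts = {}) {
  const { minObjects = 64, minShare = 0.5, maxDiversity = 0.05 } = opts;
  const groups = new Map();
  let totalBytes = 0;
  for (const a of trace) {
    totalBytes += a.size;
    const key = a.size + ':' + fingerprint(a.content);
    const g = groups.get(key) || { count: 0, bytes: 0, diversity: byteDiversity(a.content) };
    g.count += 1; g.bytes += a.size;
    groups.set(key, g);
  }
  let top = { count: 0, bytes: 0, diversity: 1 };
  for (const g of groups.values()) if (g.bytes > top.bytes) top = g;
  const share = totalBytes ? top.bytes / totalBytes : 0;
  const suspicious = top.count >= minObjects && share >= minShare && top.diversity <= maxDiversity;
  return { suspicious, share, dominantCount: top.count, diversity: top.diversity };
}
// Constructed traces (not real captures): varied JSON objects, and the same trace
// with a burst of identical 4 KiB buffers appended.
function benignTrace() {
  return Array.from({ length: 200 }, (_, i) => {
    const content = JSON.stringify({ id: i, name: 'item' + i, tags: [i % 7, i % 11] });
    return { size: content.length, content };
  });
}
function repetitiveTrace() {
  const blob = 'A'.repeat(4096);
  const t = benignTrace();
  for (let i = 0; i < 300; i++) t.push({ size: blob.length, content: blob });
  return t;
}
```

The thresholds are illustrative; a production monitor would tune them per allocator and also watch allocation rate over time, which this trace-level check does not.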

  13. Attack vectors: Information leaks
     - Browsers have several side channels that allow an attacker to identify “loaded” resources.
     - Web cache-based attacks: image/script load times.
     - Identification: supported fonts, plugin versions, sites visited.
     - System cache-based attacks: rowhammer, covert channels.

  14. Summary and conclusion (section table of contents)

  15. Summary and conclusion: Summary
     - Browsers leverage HTTP and URLs to retrieve HTML documents.
     - Browsers run individual web pages with least privilege, in isolation.
     - An attacker may control the content of the website at different levels.
     - Vulnerabilities in the browser allow an attacker to escape and escalate privileges.
     - Two examples of attack vectors are heap spraying and side channels.

  16. Summary and conclusion: Questions?
