modern client side defenses
play

Modern client-side defenses Deian Stefan Today How can we build - PowerPoint PPT Presentation

Sep 12, 2023 •132 likes •709 views

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

  1. CSE 127: Computer Security Modern client-side defenses Deian Stefan

  2. Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components)

  3. Modern web sites are complicated

  4. Modern web sites are complicated Ad code Page code 3rd-party libs 3rd-party frame

  5. Many acting parties on a site • Page developer • Library developers • Service providers • Data provides • Ad providers • CDNs • Network provider

  6. • How do we protect page from ads/services? • How to share data with a cross-origin page? • How to protect one user from another’s content? • How do we protect the page from a library? • How do we protect the page from the CDN? • How do we protect the page from network provider?

  7. 
 
 
 
 
 Recall: Same origin policy Idea: isolate content from different origins ➤ E.g., can’t access document of cross-origin page ➤ E.g., can’t inspect responses from cross-origin 
 ✓ DOM access postMessage ✓ a.com b.com c.com JSON

  8. Why is the SOP not good enough?

  9. The SOP is not strict enough • Third-party libs run with privilege of the page • Code within page can arbitrarily leak data ➤ How? • iframes isolation is limited ➤ Can’t isolate user-provided content from page (why?) ➤ Can’t isolate third-party ad placed in iframe (why?)

  10. The SOP is not strict enough • Third-party libs run with privilege of the page • Code within page can arbitrarily leak data ➤ How? • iframes isolation is limited ➤ Can’t isolate user-provided content from page (why?) ➤ Can’t isolate third-party ad placed in iframe (why?)

  11. The SOP is not strict enough • Third-party libs run with privilege of the page • Code within page can arbitrarily leak data ➤ How? • iframes isolation is limited ➤ Can’t isolate user-provided content from page (why?) ➤ Can’t isolate third-party ad placed in iframe (why?)

  12. The SOP is not flexible enough • Can’t read cross-origin responses ➤ What if we want to fetch data from provider.com? ➤ JSONP To fetch data, insert new script tag: 
 - <script src=“https://provider.com/getData?cb=f”></script> To share data, reply back with script wrapping data 
 - f({ ...data...}) ➤ Why is this a terrible idea? Provider data can easily be leaked (CSRF) - Page is not protected from provider (XSS) -

  13. The SOP is not flexible enough • Can’t read cross-origin responses ➤ What if we want to fetch data from provider.com? ➤ JSONP To fetch data, insert new script tag: 
 - <script src=“https://provider.com/getData?cb=f”></script> To share data, reply back with script wrapping data 
 - f({ ...data...}) ➤ Why is this a terrible idea? Provider data can easily be leaked (CSRF) - Page is not protected from provider (XSS) -

  14. The SOP doesn’t make for some things…

  15. Outline: modern mechanisms • iframe sandbox • Content security policy (CSP) • HTTP strict transport security (HSTS) • Subresource integrity (SRI) • Cross-origin resource sharing (CORS)

  16. iframe sandbox Idea: restrict actions iframe can perform Approach: set sandbox attribute, by default: ➤ disallows JavaScript and triggers (autofocus, autoplay videos etc.) ➤ disallows form submission ➤ disallows popups ➤ disallows navigating embedding page ➤ runs page in unique origin: no storage/cookies

  17. Whitelisting privileges Can enable dangerous features by whitelisting: ➤ allow-scripts: allows JS + triggers (autofocus, autoplay, etc.) ➤ allow-forms: allow form submission ➤ allow-pointer-lock: allow fine-grained mouse moves ➤ allow-popups: allow iframe to create popups ➤ allow-top-navigation: allow breaking out of frame ➤ allow-same-origin: retain original origin

  18. What can you do with iframe sandbox? • Run content in iframe with least privilege ➤ Only grant content privileges it needs • Privilege separate page into multiple iframes ➤ Split different parts of page into sandboxed iframes

  19. 
 Least privilege: twitter button <a class=“twitter-share-button" href="https://twitter.com/share">Tweet</a> <script> window.twttr=(function(d,s,id){var js,fjs=d.getElementsByTagName(s) [0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/ widgets.js";fjs.parentNode.insertBefore(js,fjs);t._e=[];t.ready=function(f) {t._e.push(f);};return t;}(document,"script","twitter-wjs")); </script> ➤ What’s the problem with this embedding approach? • Using iframes 
 <iframe src="https://platform.twitter.com/widgets/tweet_button.html" style="border: 0; width:130px; height:20px;"></iframe> ➤ What’s the problem without sandbox flag?

  20. 
 Least privilege: twitter button <a class=“twitter-share-button" href="https://twitter.com/share">Tweet</a> <script> window.twttr=(function(d,s,id){var js,fjs=d.getElementsByTagName(s) [0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/ widgets.js";fjs.parentNode.insertBefore(js,fjs);t._e=[];t.ready=function(f) {t._e.push(f);};return t;}(document,"script","twitter-wjs")); </script> ➤ What’s the problem with this embedding approach? • Using iframes 
 <iframe src="https://platform.twitter.com/widgets/tweet_button.html" style="border: 0; width:130px; height:20px;"></iframe> ➤ What’s the problem without sandbox flag?

  21. 
 
 
 Least privilege: twitter button • With sandbox: remove all permissions and then enable JS, popups, form submission, etc. 
 <iframe src=“https://platform.twitter.com/widgets/tweet_button.html" sandbox=“allow-same-origin allow-scripts allow-popups allow-forms” style="border: 0; width:130px; height:20px;"></iframe>

  22. 
 
 Privilege separation: blog feed • Typically include user content inline: 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div> ➤ Problem with this? • With iframe sandbox: 
 <iframe sandbox srcdoc=“... 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div>...”></iframe> ➤ May need allow-scripts - why? ➤ Is allow-same-origin safe to whitelist?

  23. 
 
 Privilege separation: blog feed • Typically include user content inline: 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div> ➤ Problem with this? • With iframe sandbox: 
 <iframe sandbox srcdoc=“... 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div>...”></iframe> ➤ May need allow-scripts - why? ➤ Is allow-same-origin safe to whitelist?

  24. What are some limitations of iframe sandbox?

  25. 
 
 Too strict vs. not strict enough • Consider running library in sandboxed iframes ➤ E.g., password strength checker 
 b.ru/chk.html a.com ➤ Desired guarantee: checker cannot leak password • Problem: sandbox does not restrict exfiltration ➤ Can use XHR to write password to b.ru

  26. Too strict vs. not strict enough • Can we limit the origins that the page (iframe or otherwise) can talk talk to? ➤ Can only leak to a trusted set of origins ➤ Gives us a more fine-grained notion of least privilege • This can also prevent or limit damages due to XSS

  27. Outline: modern mechanisms • iframe sandbox (quick refresher) • Content security policy (CSP) • HTTP strict transport security (HSTS) • Subresource integrity (SRI) • Cross-origin resource sharing (CORS)

  28. Content Security Policy (CSP) • Idea: restrict resource loading to a whitelist ➤ By restricting to whom page can talk to: restrict where data is leaked! • Approach: send page with CSP header that contains fine-grained directives ➤ E.g., allow loads from CDN, no frames, no plugins Content-Security-Policy: default-src https://cdn.example.net; 
 child-src 'none'; object-src 'none'

  29. script-src: where you can load scripts from connect-src: limits the origins you can XHR to font-src: where to fetch web fonts form form-action: where forms can be submitted child-src: where to load frames/workers from img-src: where to load images from … default-src: default fallback

  30. Special keywords • ‘none’ - match nothing • ‘self’ - match this origin • ‘unsafe-inline’ - allow unsafe JS & CSS • ‘unsafe-eval’ - allow unsafe eval (and the like) • http: - match anything with http scheme • https: - match anything with https scheme

  31. How can CSP help with XSS? • If you whitelist all places you can load scripts from: ➤ Only execute code from trusted origins ➤ Remaining vector for attack: inline scripts • CSP by default disallows inline scripts ➤ If scripts are enabled at least it disallows eval

Recommend

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation

Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation

Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation and interaction between components to develop flexible, interesting web applications, while protecting confidentiality and integrity Today

1.46k views • 110 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides
ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner Nicholas Carlini Return Oriented Programming Basic ROP Mo(va(ons DEP Data

712 views • 11 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Open Source Enclave Workshop 2019 Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer Science &amp; Engineering The Ohio State University Userland TEEs on Commodity Processors Application VM VM

154 views • 14 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

563 views • 38 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

1.03k views • 66 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering Web Programming Paradigms So far we have seen server-side programming Next Enrich user experience, interactivity with client- side

759 views • 24 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Challenge: Database Access for Client-side Apps Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App Presented by Marek Zawirski App App Inria / UPMC-LIP6, Paris (now at Google, Zrich) Marek

469 views • 13 slides
CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2

CLIENT-SIDE STATIC ANALYSIS Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Client-side JavaScript Browser Analysis of JavaScript Plugins eval and code Extensions obfuscation Firefox extension model

812 views • 51 slides
Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Content Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard Krger, Albrecht Schmidt 3. Server Side Programming Universitt Karlsruhe Fakultt fr Informatik Institut fr Telematik Wintersemester

395 views • 17 slides
Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard

Content Web Engineering 1. Introduction 2. Client Side Programming Prof. Dr. Dr. h.c. mult. Gerhard Krger, Albrecht Schmidt 3. Server Side Programming Universitt Karlsruhe Fakultt fr Informatik Institut fr Telematik Wintersemester

532 views • 14 slides
MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY

MODERN MEMORY DEFENSES GRAD SEC SEP 14 2017 TODAYS PAPERS CONTROL FLOW INTEGRITY Fundamentally, code injection attacks altered the target programs control flow Recall: Confidentiality, Integrity, Availability Most integrity

937 views • 30 slides
EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP

EAP Client-side Transport draft-boursetty-eap-cst-00.txt IETF 57 EAP WG July 2003 A typical EAP setup Access Target Client NAS Network Network AAA server S 2 A new EAP setup Authentication AuthToken AuthServer Integrity Client

628 views • 7 slides
PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting

PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting

PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting Client-side scripting (browser) Designed to interact with the user s web page Event-driven Restricted to what a web browser can

329 views • 29 slides
Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Presenting a live 90 minute webinar with interactive Q&amp;A Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and Contemporaneous Exchange Managing the Audit Process, Mitigating Regulatory Sanctions, and

893 views • 52 slides
AJAX Andrea Ferracani Client side programming client - server communication

AJAX Andrea Ferracani Client side programming client - server communication

AJAX Andrea Ferracani Client side programming client - server communication andreaferracani@gmail.com luned 6 maggio 2013 DOM - Document Object Model The Document Object Model ( DOM ) is a

824 views • 39 slides

More recommend