noncespaces using randomization to enforce information
play

Noncespaces: Using Randomization to Enforce Information Flow - PowerPoint PPT Presentation

Oct 13, 2022 •270 likes •1.08k views

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks Matthew Van Gundy and Hao Chen University of California, Davis 16th Annual Network & Distributed System Security Symposium

  1. Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks Matthew Van Gundy and Hao Chen University of California, Davis 16th Annual Network & Distributed System Security Symposium Noncespaces NDSS ’09

  2. Cross-Site Scripting (XSS) Vulnerabilities Noncespaces NDSS ’09

  3. Cross-Site Scripting (XSS) Vulnerabilities <p class=’comment’> { $comment } </p> Noncespaces NDSS ’09

  4. Cross-Site Scripting (XSS) Vulnerabilities <p class=’comment’> Great Article! </p> Noncespaces NDSS ’09

  5. Cross-Site Scripting (XSS) Vulnerabilities <p class=’comment’> <script>p0wn()</script> </p> Noncespaces NDSS ’09

  6. Cross-Site Scripting (XSS) Vulnerabilities <p class=’comment’> </p> <script>p0wn()</script> <p> </p> Noncespaces NDSS ’09

  7. Threat Model ◮ An attacker can submit arbitrary content to XSS-vulnerable applications ◮ An attacker cannot compromise web server or browser directly ◮ Malicious content must contain XHTML tags and attributes Noncespaces NDSS ’09

  8. Limitations of Existing Solutions Server-side ◮ Server sanitizes untrusted data before sending it to the client ◮ Client may interpret data in an unexpected way ◮ E.g. Server replaces "<script>" with "" But attacker injects <script/xss> Client-side ◮ Client enforces a server-specified policy Challenges ◮ The client must know whether to trust content ◮ Attacker must not be able to forge trust metadata Noncespaces NDSS ’09

  9. Noncespaces Architecture ◮ Server partitions content into trust classes ◮ Server randomizes document to prevent forging of trust classification ◮ Server specifies policy of content permitted for each trust class ◮ Client displays the document only if it conforms to the policy Noncespaces NDSS ’09

  10. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor Noncespaces NDSS ’09

  11. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer Noncespaces NDSS ’09

  12. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) Noncespaces NDSS ’09

  13. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) Noncespaces NDSS ’09

  14. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x ���� xmlns : x = ” http : // www . w3 . org / 1999 / xhtml � ” > ���� : q � �� Noncespaces NDSS ’09

  15. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x ���� xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > ���� : q � �� � NamespaceURI Noncespaces NDSS ’09

  16. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x ���� xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > : q ���� � �� � prefix NamespaceURI Noncespaces NDSS ’09

  17. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > : q ���� ���� � �� � prefix name NamespaceURI Noncespaces NDSS ’09

  18. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > : q ���� ���� � �� � prefix name NamespaceURI ◮ <f:q xmlns:f="urn:FAQML"> Noncespaces NDSS ’09

  19. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > : q ���� ���� � �� � prefix name NamespaceURI ◮ <f:q xmlns:f="urn:FAQML"> ◮ <faq:q xmlns:faq="urn:FAQML"> Noncespaces NDSS ’09

  20. Defeating Node Splitting ◮ <x:a>...</x:a> Noncespaces NDSS ’09

  21. Defeating Node Splitting ◮ <x:a>...</x:a> ◮ <x:a>... </a> Noncespaces NDSS ’09

  22. Defeating Node Splitting ◮ <x:a>...</x:a> ◮ <x:a>... </a> ◮ <x:a>... </y:a> Noncespaces NDSS ’09

  23. Encoding Trust Classifications ◮ Trusted <a> Noncespaces NDSS ’09

  24. Encoding Trust Classifications ◮ Trusted <a> ⇒ <t:a> Noncespaces NDSS ’09

  25. Encoding Trust Classifications ◮ Trusted <a> ⇒ <t:a> ◮ Untrusted <a> Noncespaces NDSS ’09

  26. Encoding Trust Classifications ◮ Trusted <a> ⇒ <t:a> ◮ Untrusted <a> ◮ Randomly choose trusted prefixes to prevent forgery Noncespaces NDSS ’09

  27. Web Page Before Noncespaces <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>nile.com : ++Shopping</title> </head> <body> <h1 id="title"> { $item->name } </h1> <h2>Reviews</h2> <p class=’review’> { $review } </p> </body> </html> Noncespaces NDSS ’09

  28. Node Splitting Attack After Noncespaces <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <r617:html xmlns="http://www.w3.org/1999/xhtml" xmlns:r617="http://www.w3.org/1999/xhtml"> <r617:head> <r617:title>nile.com : ++Shopping</r617:title> </r617:head> <r617:body> <r617:h1 r617:id="title">Useless Do-dad</r617:h1> <r617:h2>Reviews</r617:h2> <r617:p r617:class=’review’> </p> <script>p0wn()</script> <p> </r617:p> </r617:body> </r617:html> Noncespaces NDSS ’09

  29. XSS Attack After Noncespaces <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <r617:html xmlns="http://www.w3.org/1999/xhtml" xmlns:r617="http://www.w3.org/1999/xhtml"> <r617:head> <r617:title>nile.com : ++Shopping</r617:title> </r617:head> <r617:body> <r617:h1 r617:id="title">Useless Do-dad</r617:h1> <r617:h2>Reviews</r617:h2> <r617:p r617:class=’review’> <script src=’http://badguy.com/p0wn.js’ /> </r617:p> </r617:body> </r617:html> Noncespaces NDSS ’09

  30. Need for a client-side policy Innocuous Input <b>WARNING:</b> Noncespaces NDSS ’09

  31. Need for a client-side policy Innocuous Input <b>WARNING:</b> <em>very</em> important Noncespaces NDSS ’09

  32. Need for a client-side policy Innocuous Input <b>WARNING:</b> <em>very</em> important <a href=’http://useful.com/’>[1]</a> Noncespaces NDSS ’09

  33. Need for a client-side policy Innocuous Input <b>WARNING:</b> <em>very</em> important <a href=’http://useful.com/’>[1]</a> Malicious Input <b onmouseover=’...’ >WARNING:</b> Noncespaces NDSS ’09

  34. Need for a client-side policy Innocuous Input <b>WARNING:</b> <em>very</em> important <a href=’http://useful.com/’>[1]</a> Malicious Input <b onmouseover=’...’ >WARNING:</b> <em onclick=’...’ >very</em> important Noncespaces NDSS ’09

Recommend

Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An

Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An algorithm that uses (or can use) random coin flips in order to make decisions We will see: randomization can be a powerful tool to Make

497 views • 21 slides
Using Encryption to Enforce an Information Flow Policy Research Directions Jason Crampton

Using Encryption to Enforce an Information Flow Policy Research Directions Jason Crampton

Using Encryption to Enforce an Information Flow Policy Research Directions Jason Crampton Using Encryption to Enforce an Information Flow Policy Research Directions Jason Crampton Information Security Group Royal Holloway, University

472 views • 35 slides
HOMEOWNER INFORMATION MEETING PROPERTY MANAGEMENT Manage common elements Enforce

HOMEOWNER INFORMATION MEETING PROPERTY MANAGEMENT Manage common elements Enforce

HOMEOWNER INFORMATION MEETING PROPERTY MANAGEMENT Manage common elements Enforce Declaration, By-Laws and Rules as directed by Board of Directors Provide financial, administration, customer service and 24-hour emergency service

808 views • 36 slides
Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like

560 views • 15 slides
1 2 In stat. people may call these multistage trials (the randomization at each stage is

1 2 In stat. people may call these multistage trials (the randomization at each stage is

1 2 In stat. people may call these multistage trials (the randomization at each stage is assumed) 3 4 Hypothetical trial: Outcome is not shown but is on far right. The randomizations can take place up front. Equal randomization Usual

587 views • 36 slides
Test statistics and randomization distributions Applied Statistics and Experimental Design

Test statistics and randomization distributions Applied Statistics and Experimental Design

Summaries of sample populations Hypothesis testing via randomization Sensitivity to the alternative Basic decision theory Test statistics and randomization distributions Applied Statistics and Experimental Design Chapter 2 Peter Hoff

1.49k views • 126 slides
Gov 2002: 3. Randomization Inference Matthew Blackwell September 10, 2015 Where are we? Where

Gov 2002: 3. Randomization Inference Matthew Blackwell September 10, 2015 Where are we? Where

Gov 2002: 3. Randomization Inference Matthew Blackwell September 10, 2015 Where are we? Where are we going? Last week: What can we identify using randomization? Estimators were justifjed via unbiasedness and consistency. Standard

728 views • 54 slides
Stage III of Social Subprojects Selection, Youth Corps Project Randomization (computer-based

Stage III of Social Subprojects Selection, Youth Corps Project Randomization (computer-based

Stage III of Social Subprojects Selection, Youth Corps Project Randomization (computer-based random selection). 2018 What is randomization? Computer-based randomization is a process of random resources allocation that Excludes any human

376 views • 8 slides
What About Randomization Tests? Strengths Gail et al. (1996) reported nominal Type I and II

What About Randomization Tests? Strengths Gail et al. (1996) reported nominal Type I and II

What About Randomization Tests? Strengths Gail et al. (1996) reported nominal Type I and II error rates across a variety of conditions common to GRTs. Programs for randomization tests are available. Weaknesses The unadjusted

281 views • 6 slides
Beyond Domain Randomization Josh Tobin 6/23/19 Goals for this talk Understand domain

Beyond Domain Randomization Josh Tobin 6/23/19 Goals for this talk Understand domain

Beyond Domain Randomization Josh Tobin 6/23/19 Goals for this talk Understand domain randomization &amp; how it is being used today Discuss its limitations and what solutions could look like Josh Tobin Beyond Domain Randomization

651 views • 47 slides
The CCPC and Waste Markets in Ireland Fergal O Leary - Member The CCPC Protect &amp; Inform

The CCPC and Waste Markets in Ireland Fergal O Leary - Member The CCPC Protect &amp; Inform

The CCPC and Waste Markets in Ireland Fergal O Leary - Member The CCPC Protect &amp; Inform Enforce Regulate Enforce competition Monitor compliance Inform consumers about law with Grocery sector their rights regulations Enforce

580 views • 13 slides
Topic III.1: Swap Randomization Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III.1: Swap Randomization Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III.1: Swap Randomization Discrete Topics in Data Mining Universitt des Saarlandes, Saarbrcken Winter Semester 2012/13 T III.1- 1 Topic III.1: Swap Randomization 1. Motivation &amp; Basic Idea 2. Markov Chains and Sampling 2.1.

555 views • 34 slides
Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th Intel TSX Yeongjin Jang , Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A

1.2k views • 102 slides
Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com

Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com

Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com IETF 93, Prague, July 2015 MAC Randomization in WIndows 10 - 7/20/2015 1 IETF 93 MAC Address Randomization controlled from Windows 10 Wi-Fi UI

311 views • 6 slides
LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile Devices Kjell Braden , Stephen Crane, Lucas Davi , Michael Franz , Per Larsen , Christopher Liebchen , Ahmad- Reza Sadeghi

578 views • 38 slides
Randomization and Restarts Remember the PLS? It has two very intriguing properties 1. A phase

Randomization and Restarts Remember the PLS? It has two very intriguing properties 1. A phase

Randomization and Restarts Remember the PLS? It has two very intriguing properties 1. A phase transition 2. A heavy-tailed distribution in performance profiles Let's start from property #1... HP: we generate PLS instances by randomly filling

771 views • 75 slides
Simulation Experiments and Trials 15-110 Friday 4/17 Learning Goals Use randomization

Simulation Experiments and Trials 15-110 Friday 4/17 Learning Goals Use randomization

Simulation Experiments and Trials 15-110 Friday 4/17 Learning Goals Use randomization and Monte Carlo methods to solve problems Organize animated simulations to observe how systems evolve over time 2 Randomness 3 Random

448 views • 27 slides
Faster PET Reconstruction with Non-Smooth Anatomical Priors by Randomization and Preconditioning

Faster PET Reconstruction with Non-Smooth Anatomical Priors by Randomization and Preconditioning

Faster PET Reconstruction with Non-Smooth Anatomical Priors by Randomization and Preconditioning Matthias J. Ehrhardt Institute for Mathematical Innovation University of Bath, UK November 4, 2019 Joint work with: Mathematics : Chambolle

390 views • 34 slides
Improving TCP/IP security through randomization without sacrificing interoperability Michael

Improving TCP/IP security through randomization without sacrificing interoperability Michael

Improving TCP/IP security through randomization without sacrificing interoperability Michael James Silbersack The FreeBSD Project Introduction Over the years, many security problems have been found in the TCP and IP protocols. This is not

539 views • 17 slides
Phase 2 Randomization: 1:1:1 Switch over to ARM A n=132 Treat to Niraparib Bevacizumab

Phase 2 Randomization: 1:1:1 Switch over to ARM A n=132 Treat to Niraparib Bevacizumab

ENGOT-OV24-NSGO/AVANOVA Phase 2 Randomization: 1:1:1 Switch over to ARM A n=132 Treat to Niraparib Bevacizumab PD/toxicity 300mg OD d1-21 15mg/kg q3w Platinum- sensitive Ovarian Cancer ARM B Treat to Randomize Niraparib

319 views • 7 slides
Commitment Letters in Commercial Loans Borrower and Lender Approaches to Negotiate and Enforce

Commitment Letters in Commercial Loans Borrower and Lender Approaches to Negotiate and Enforce

Presenting a live 90 minute webinar with interactive Q&amp;A Commitment Letters in Commercial Loans Borrower and Lender Approaches to Negotiate and Enforce Binding Loan Commitments THURS DAY, MARCH 15, 2012 1pm Eastern | 12pm Central

634 views • 24 slides
The Chilling Effect ct of Enforce cement of Computer Misuse: Evidence ces from Online Hack

The Chilling Effect ct of Enforce cement of Computer Misuse: Evidence ces from Online Hack

The Chilling Effect ct of Enforce cement of Computer Misuse: Evidence ces from Online Hack cker Forums Assistant Professor: Qiu-Hong WANG Singapore Management University Co-authors: Rui-Bin Geng, Seung Hyun Kim 11 July 2019, Cambridge Mo

323 views • 18 slides
Framing the Debate: How would Data Protection Authorities enforce compliance? 28/29 April 2011,

Framing the Debate: How would Data Protection Authorities enforce compliance? 28/29 April 2011,

Framing the Debate: How would Data Protection Authorities enforce compliance? 28/29 April 2011, Princeton, NJ, USA W3C Workshop on Web Tracking and User Privacy Hannes Tschofenig, Rob van Eijk Paper available at:

234 views • 8 slides
Enabling Hardware Randomization Across the Cache Hierarchy in Linux-Class Processors Max

Enabling Hardware Randomization Across the Cache Hierarchy in Linux-Class Processors Max

Enabling Hardware Randomization Across the Cache Hierarchy in Linux-Class Processors Max Doblas , Ioannis-Vatistas Kostalabros , Miquel Moret and Carles Hernndez Computer Sciences - Runtime Aware Architecture, Barcelona

1.17k views • 30 slides

More recommend