Residue Objects: A Challenge to Web Browser Security. Robert Rosolek, University of Warsaw
Agenda: 1. Introduction; 2. Background for object management in Internet Explorer; 3. Testing and studying residue objects; 4. Conclusions and future work
Part 1: Introduction
Introduction: Managing the lifetimes of objects in memory is a nontrivial task in complex systems, and especially tricky for browsers, because a page may navigate away at any time.
Introduction: The correct navigation semantics for a page that is navigated away from: the page is 'gone', all of its objects disappear, and none of them is usable any more. This is crucial for security.
Introduction: So can we simply destroy all objects of the page that is navigated away from?
Introduction: The dilemma. Object garbage collected → dangling references, memory corruption. Object not collected → an invalid object keeps residing in memory.
Residue objects: A residue object is an object of the old page that still resides in memory after the navigation.
Visual Spoofing
Involuntary navigation
Cross-domain access: the same-origin policy is difficult to implement securely, which gives attackers opportunities.
Memory corruption: dangling references, with the possibility of changing the control flow.
Protection: object invalidation, a seemingly simple mechanism. Object { is_valid : bool; ... }
Exploit example
Bugs: various logic errors: a residue object not marked dead; visible 'dead' objects; premature release of a reference.
Main questions: What are the reasons for these implementation problems? Why has the problem received so little public attention?
Part 2: Background for object management in Internet Explorer
ActiveX objects: built on the COM framework; AddRef and Release implement refcounting; objects have properties and sub-objects.
ActiveX objects: HTML elements, JavaScript variables, and the HTML and JavaScript engines themselves are ActiveX objects. Hosting ActiveX objects: the <object> tag in HTML; new ActiveXObject(id) in JavaScript; nesting of the HTML and JavaScript engines.
Window and Document: a Document corresponds to an HTML file; a Window is a tab, frame, iframe or dialog box. CWindow and CDocument are the corresponding COM classes. Diagram: Window 1 holds Document 1 before navigation and Document 2 after it; the window object persists while the document is replaced.
CWinProxy: a Document is accessible only from the same domain, but a Window can be referenced from a different domain, so a proxy object is necessary to comply with the same-origin policy. Diagram: external ref → CWinProxy → CWindow.
Part 3: Testing and studying residue objects
Tactic for generating residue objects
Enumerative approach: vary the inner objects (documents, windows, methods, etc.), the ways of hosting the object, and the ways of navigating window NavWin to page.html: open("page.html", "NavWin"); NavWin.location = "page.html"; NavWin.Navigate("page.html").
Analysis: augmentation of the browser code by logging the important events about CWindow / CWinProxy / CDocument objects: construction, destruction, AddRef, Release, validation, invalidation.
Analysis: a call stack is recorded for every event to identify the caller; matching AddRef and Release events are filtered out.
Analysis tool: an object chart showing the objects still in memory after navigation and the owners of the references to them.
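The following is an added example, not the instrumentation or tool from the talk: a small Node.js analyzer that does what the three analysis slides describe. It consumes constructed log lines (the line format, the object names and the callers are assumptions made for this example), cancels AddRef/Release pairs issued by the same caller, and produces an object chart for the state after the navigation event: which objects are still alive, whether they were invalidated, and who still holds references to them. It also flags the opposite failure, an object destroyed while a caller's AddRef was never matched, which is the dangling-reference case.

```javascript
// Added example: post-navigation object chart built from browser instrumentation logs.
// Log format (an assumption for this example):
//   t=<n> ev=<construct|destruct|AddRef|Release|validate|invalidate|navigate> obj=<Class#id> [caller=<Class::Method>]

// Constructed sample log: the inner window is invalidated on navigation, the document is
// freed cleanly, but a CFuncPointer keeps the CWinProxy alive and never releases it.
const SAMPLE_LOG = [
  "t=1  ev=construct  obj=CWindow#1",
  "t=2  ev=AddRef     obj=CWindow#1   caller=CDocument::Init",
  "t=3  ev=construct  obj=CWinProxy#1",
  "t=4  ev=AddRef     obj=CWindow#1   caller=CWinProxy::Attach",
  "t=5  ev=construct  obj=CDocument#1",
  "t=6  ev=AddRef     obj=CDocument#1 caller=CWindow::SetDocument",
  "t=7  ev=AddRef     obj=CWinProxy#1 caller=CFuncPointer::Create",
  "t=8  ev=navigate   obj=CWindow#1",
  "t=9  ev=invalidate obj=CWindow#1",
  "t=10 ev=Release    obj=CDocument#1 caller=CWindow::SetDocument",
  "t=11 ev=destruct   obj=CDocument#1",
  "t=12 ev=Release    obj=CWindow#1   caller=CDocument::Init",
];

const LINE_RE = /^t=(\d+)\s+ev=(\w+)\s+obj=(\S+)(?:\s+caller=(\S+))?$/;

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) throw new Error(`unparseable log line: ${line}`);
  return { t: Number(m[1]), ev: m[2], obj: m[3], caller: m[4] || null };
}

// Replays the log and classifies every object by its state after the navigation event.
function buildObjectChart(lines) {
  const objects = new Map();
  const stateOf = (name) => {
    if (!objects.has(name)) {
      objects.set(name, { constructed: false, destructed: false, valid: true, refs: new Map() });
    }
    return objects.get(name);
  };
  let navigated = false;
  for (const { ev, obj, caller } of lines.map(parseLine)) {
    const s = stateOf(obj);
    switch (ev) {
      case "construct":  s.constructed = true; break;
      case "destruct":   s.destructed = true; break;
      case "validate":   s.valid = true; break;
      case "invalidate": s.valid = false; break;
      case "navigate":   navigated = true; break;
      // AddRef/Release from the same caller cancel out; the per-caller balance is what survives.
      case "AddRef":     s.refs.set(caller, (s.refs.get(caller) || 0) + 1); break;
      case "Release":    s.refs.set(caller, (s.refs.get(caller) || 0) - 1); break;
      default: throw new Error(`unknown event ${ev}`);
    }
  }
  if (!navigated) throw new Error("log contains no navigation event");

  const chart = [];
  for (const [name, s] of objects) {
    const owners = [...s.refs].filter(([, n]) => n > 0).map(([caller, count]) => ({ caller, count }));
    const overReleased = [...s.refs].filter(([, n]) => n < 0).map(([caller]) => caller);
    let status;
    if (!s.destructed && owners.length > 0) status = s.valid ? "residue-valid" : "residue-invalidated";
    else if (!s.destructed) status = "alive-unowned";      // refcount reached zero, object never freed
    else if (owners.length > 0) status = "dangling";       // freed while a caller still holds a reference
    else status = "freed";
    chart.push({ obj: name, status, owners, overReleased });
  }
  return chart;
}

// Only the entries a residue-object hunt cares about.
function residueObjects(lines) {
  return buildObjectChart(lines).filter((e) => e.status !== "freed");
}

if (typeof require !== "undefined" && require.main === module) {
  for (const e of buildObjectChart(SAMPLE_LOG)) {
    const owners = e.owners.map((o) => `${o.caller} x${o.count}`).join(", ") || "-";
    console.log(`${e.obj.padEnd(14)} ${e.status.padEnd(20)} owners: ${owners}`);
  }
}
```

On the sample log the chart reports CDocument#1 as freed, CWindow#1 as an invalidated residue held by CWinProxy::Attach, and CWinProxy#1 as a residue that is still valid and owned by CFuncPointer::Create, which is the shape of the pitfall where a captured method keeps a non-invalidated proxy alive. The status "dangling" is reached by a log in which a caller's AddRef is never released but the object is destroyed anyway, i.e. a lost refcount.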
Pitfall 1, invalidated but invisible: the CWindow object of the inner window is invalidated, yet the inner window stays visible when it was created by createPopup(). ref = innerWindow. Affects IE 8.0.6001; fixed in IE 9.
Pitfall 2, confusion due to polymorphism: the CWindow object of the inner window is invalidated, but the CFuncPointer object behind innerWindow.setTimeout points to the CWinProxy, which is not invalidated, so a delayed script can still be run after navigation. ref = innerWindow.setTimeout (a method of the window). Fixed in IE 8.0.6001: the call now fails with an 'access denied' error.
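To make the is_valid protection mechanism and pitfall 2 concrete, here is an added example written for this page, not IE's code: a toy Node.js model of a window with an is_valid flag, a proxy that enforces it, and a function pointer that a script captures as innerWindow.setTimeout. The class names follow the talk (CWindow, CWinProxy, CFuncPointer); their internals are assumptions made for illustration. The buggy proxy checks validity only when a method is looked up by name, so a method reference taken before navigation bypasses the check; the fixed proxy re-validates on every invocation.

```javascript
// Added example: toy model of object invalidation and of the polymorphism pitfall.
// Internals of CWindow, CWinProxy and CFuncPointer are assumptions, not IE's implementation.

class AccessDeniedError extends Error {}

// The real window object; navigation clears its is_valid flag.
class CWindow {
  constructor(name) {
    this.name = name;
    this.isValid = true;
    this.scheduled = [];                 // scripts queued via setTimeout
  }
  invalidate() { this.isValid = false; } // called when the page navigates away
  setTimeout(code) {                     // the method a script can capture and keep
    this.scheduled.push(code);
    return this.scheduled.length;
  }
}

// Polymorphic function pointer: what the script actually holds as innerWindow.setTimeout.
// It re-validates only if it was handed a proxy that knows how to do so.
class CFuncPointer {
  constructor(target, method, proxy) {
    this.target = target;
    this.method = method;
    this.proxy = proxy;
  }
  invoke(...args) {
    if (this.proxy) this.proxy.checkValid();
    return this.target[this.method](...args);
  }
}

// Buggy proxy: validity is checked on lookup only, and the function pointer it returns is
// bound straight to the CWindow, so nothing re-checks at call time.
class CWinProxyBuggy {
  constructor(win) { this.win = win; }
  lookup(method) {
    if (!this.win.isValid) throw new AccessDeniedError(`${this.win.name}: access denied`);
    return new CFuncPointer(this.win, method, null);
  }
}

// Fixed proxy: every dereference path, including a previously captured method, goes through
// checkValid() before touching the window.
class CWinProxyFixed {
  constructor(win) { this.win = win; }
  checkValid() {
    if (!this.win.isValid) throw new AccessDeniedError(`${this.win.name}: access denied`);
  }
  lookup(method) {
    this.checkValid();
    return new CFuncPointer(this.win, method, this);
  }
}

// Scenario from the talk: script keeps innerWindow.setTimeout, the inner window is navigated
// away, and the kept reference is used afterwards.
function runScenario(ProxyClass) {
  const inner = new CWindow("innerWindow");
  const proxy = new ProxyClass(inner);
  const ref = proxy.lookup("setTimeout");   // ref = innerWindow.setTimeout, taken before navigation
  inner.invalidate();                       // navigation: the window is supposed to be 'gone'

  let invokeDenied = false;
  try {
    ref.invoke("alert(document.cookie)");   // delayed script aimed at the dead window
  } catch (e) {
    if (!(e instanceof AccessDeniedError)) throw e;
    invokeDenied = true;
  }

  let lookupDenied = false;                 // a fresh lookup is refused by both proxies
  try {
    proxy.lookup("setTimeout");
  } catch (e) {
    if (!(e instanceof AccessDeniedError)) throw e;
    lookupDenied = true;
  }
  return { scheduledAfterNavigation: inner.scheduled.length, invokeDenied, lookupDenied };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("buggy proxy:", runScenario(CWinProxyBuggy));
  console.log("fixed proxy:", runScenario(CWinProxyFixed));
}
```

The point the model makes is that an is_valid flag is only as good as the set of paths that consult it: the buggy variant refuses a new lookup after navigation yet still lets the previously captured function pointer queue a script in the dead window, while the fixed variant refuses both.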
Pitfall 3, cross-engine invalidation: when the inner window is hosted in a different HTML engine, the CWindow object of the inner window is not invalidated at all. ref = innerWindow (in a different HTML engine). Still an issue in IE 9.
Pitfall 4, erroneous refcounting: one refcount is lost, so navigating the persistent window removes the NavWin window while a reference to it remains; the dangling reference leads to corruption of the EIP register, and a heap-spray attack is possible. ref = NavWin.setTimeout (a method of the window). Fixed by Microsoft in the February 2009 security hotfix.
Pitfall 5, partially destroyed data structures inside valid objects: the same scenario as in pitfall 3, but with a script running in a child window of the inner window. The CWindow object is still valid, yet its internal data structures are broken, causing memory violations. Still an issue in IE 8.
Part 4: Conclusions and future work
Possible responses to the residue object problem: automatic garbage collectors; separate processes: IE8's multi-process architecture renders different windows in different processes, which separates different web contents and prevents direct overwriting of memory, but objects can still be accessed through references via DCOM; a revision of the DOM access policies and of their implementation.
New generation of browsers: OP from the University of Illinois and Gazelle from Microsoft Research focus on security: multi-process architecture, access control policies, formal methods (OP), and OS principles applied inside the browser (Gazelle).
Conclusions: all browsers have to deal with residue objects; the problems need to be recognised as residue-object problems rather than as individual bugs; a lot of undiscovered bugs are left.
Future work: other document types (XML, Flash, Microsoft Silverlight); other browsers (Firefox, Safari).
Thank you!