
Slide 1: Web Browser Security
Collin Jackson, CS 161
Slide assistance: Adam Barth, Dan Boneh, John Mitchell

Slide 2: Running Remote Code is Risky
- Integrity
  - Compromise your machine
  - Install malware rootkit
  - Transact on your accounts
- Confidentiality
  - Read your information
  - Steal passwords
  - Read your email

Slide 3: Browser Sandbox
- Goal
  - Run remote web applications safely
  - Limited access to OS, network, and browser data
- Approach
  - Isolate sites in different security contexts
  - Browser manages resources, like an OS
  - Access control: same-origin policy
    - Pages from the "same site" can interact
    - Pages from "different sites" are separated

Slide 4: Why study browser security? ... if you're not Microsoft, Mozilla, Apple, Google or Opera?
- Build better browsers
  - Contribute to open source browsers (Firefox, Safari)
  - Embed a renderer in your program (Gecko, WebKit)
- Build better web applications
  - Servers and firewalls can mitigate browser limitations
  - Take advantage of opt-in browser security features
- Be a safer surfer
  - Make informed security decisions
  - Distinguish harmless warnings from attacks

Slide 5: Threat Models
- Web attacker
  - Controls attacker.com
  - Has an HTTPS certificate for attacker.com ($0)
  - User visits attacker.com
- Network attacker
  - Passive: wireless eavesdropper
  - Active: evil router, DNS poisoning
- Malware attacker
  - Escaped from the browser sandbox

Slide 6: Security User Interface
When is it safe to type my password?

Slide 7: URLs
- Global identifiers of network-retrievable documents
- Anatomy of a URL. The user-info and host of the slide's example were mangled in this copy; <password> and <host> stand in for the missing parts:

    http://user:<password>@<host>:81/class?name=cs155#homework

    protocol = http, username = user, password = <password>, host = <host>, port = 81,
    path = /class, query = name=cs155, fragment = homework

Slides 8-12: Safe to type your password? (screenshots of address bars and dialogs; images not preserved. One slide shows "???" in place of the address.)

Slide 13: Same-Origin Policy
How does the browser isolate different sites?

Slides 14-15: Windows Interact (diagram; image not preserved)
Are all interactions good?

Slide 16: Same-Origin Policy
- Different origins have limited interaction
- Origin is the tuple <domain, port, protocol>
- Browser same-origin policy on the slide's example URLs:

    http://www.example.com:80/whoami  and  http://www.example.com:80/hello    -> same origin: full access
    http://www.example.com:80/hello   and  https://www.example.com:443/hello  -> different protocol and port: limited access
    http://www.example.com:80/hello   and  http://www.example.com:443/hello   -> different port: limited access

Slide 17: Same-Origin Policy Examples
- Example HTML at http://www.site.com/

    <iframe src="http://othersite.com/"></iframe>
    <img src="http://othersite.com/logo.gif">

- Disallowed:

    alert(frames[0].document.body.innerHTML)
    alert(frames[0].location)

- Allowed:

    alert(images[0].height)
    frames[0].location = "http://othersite.com/foo";

Slide 18: Mixed Content (screenshot; image not preserved)

Slide 19: A Guninski Attack
Window name shown on the slide: awglogin. The attacker's page runs:

    window.open("https://attacker.com/", "awglogin");

Slide 20: What should the policy be?
Four frame-navigation cases (diagrams; images not preserved): Child, Sibling, Descendant, Frame Bust

Slide 21: Frame navigation policies by browser (table recovered from a font-substituted extraction)

    Browser            Policy
    IE 6 (default)     Permissive
    IE 6 (option)      Child
    IE 7 (no Flash)    Descendant
    IE 7 (with Flash)  Permissive
    Firefox 2          Window
    Safari 3           Permissive
    Opera 9            Window
    HTML 5             Child

Slide 22: Legacy Browser Behavior

    top.frames[1].location = "http://www.attacker.com/...";
    top.frames[2].location = "http://www.attacker.com/...";
    ...

Slide 23: Window Policy Anomaly (diagram; image not preserved)

Principle: Pixel Delegation
- Frames delegate screen pixels
  - Child cannot draw outside its frame
  - Parent can draw over the child's pixels
- Navigation is similar to drawing
  - Navigation replaces frame contents
  - "Simulate" it by drawing over the frame
- Policy ought to match pixel delegation
  - Navigate a frame if you can draw over the frame

Slide 24: What should the policy be? (revisited)
Child, Sibling, Descendant, Frame Bust

Slide 25: Why Frame Busting Matters (screenshot; image not preserved)

Slide 26: Adoption of Descendant Policy (table recovered from a font-substituted extraction)

    Browser            Policy
    IE 7 (no Flash)    Descendant
    IE 7 (with Flash)  Descendant
    Firefox 3          Descendant
    Safari 3           Descendant
    Opera 9            (many policies)
    HTML 5             Descendant

Intermission
Ask me about:
- 1000 lines of regression tests
- Frame busting and Yahoo
- PR for the "extended validation" user study

Slide 27: Mashups
How can different sites communicate?

Slide 28: HousingMaps.com (screenshot; image not preserved)

Slide 29: Windows Live Contacts (screenshot; image not preserved)

Slide 30: Integrator (diagram; image not preserved): "Add a contact", "Share contacts"

window.postMessage
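The Child, Sibling, Descendant and Frame Bust cases, the browser policy table and the legacy behaviour (`top.frames[1].location = ...`) can be tried against each named policy with the following toy model. It is an added example for this page, not code from the lecture or from any browser: frames are plain objects in a hand-built tree, the policy names are the slides' (permissive, window, child, descendant), the frame names are constructed, and the optional `allowTopNavigation` flag, which lets a nested frame navigate its own top-level window the way browsers permit frame busting, is an assumption layered on top of the literal policy definitions.

```javascript
// Added example (not from the lecture): a toy model of frame-navigation policies.
// A frame is { name, parent }; build the tree with makeFrame.

function makeFrame(name, parent) {
  return { name: name, parent: parent || null };
}

// True if `ancestor` is somewhere above `frame` in the tree.
function isDescendant(frame, ancestor) {
  for (let f = frame.parent; f !== null; f = f.parent) {
    if (f === ancestor) return true;
  }
  return false;
}

// The top-level window that contains `frame`.
function topOf(frame) {
  let f = frame;
  while (f.parent !== null) f = f.parent;
  return f;
}

// May `source` navigate `target` under `policy`?
// Policies use the slides' names: permissive, window, child, descendant.
// options.allowTopNavigation (assumption, default off) adds the frame-busting
// exception browsers make: a nested frame may navigate its own top-level window.
function canNavigate(policy, source, target, options) {
  options = options || {};
  if (source === target) return true; // a frame may always navigate itself
  if (options.allowTopNavigation && target === topOf(source)) return true;
  switch (policy) {
    case "permissive": return true;                             // any frame, anywhere
    case "window":     return topOf(source) === topOf(target);  // any frame in the same window
    case "child":      return target.parent === source;         // direct children only
    case "descendant": return isDescendant(target, source);     // anything nested in source
    default: throw new Error("unknown policy: " + policy);
  }
}

// The "Legacy Browser Behavior" scenario: an integrator page holds gadget frames;
// one gadget (attacker.com) tries top.frames[1].location = ... on its sibling.
// Frame names are constructed for the example.
function legacyScenario() {
  const top = makeFrame("integrator.com");
  const attacker = makeFrame("attacker.com (frames[0])", top);
  const victim = makeFrame("gadget.com (frames[1])", top);
  const victimChild = makeFrame("gadget.com/inner (frames[1].frames[0])", victim);
  return { top, attacker, victim, victimChild };
}

// Evaluate every policy on the sibling-navigation attempt from the scenario:
// the window policy allows it (the anomaly), child and descendant do not.
function siblingNavigationByPolicy() {
  const s = legacyScenario();
  const result = {};
  for (const policy of ["permissive", "window", "child", "descendant"]) {
    result[policy] = canNavigate(policy, s.attacker, s.victim);
  }
  return result;
}

console.log("attacker frame may navigate its sibling:", siblingNavigationByPolicy());
```

The model only reasons about frame positions; it does not look at document origins, which is where browsers' descendant policy actually keys its check, and it carries no Flash or plugin special cases like the ones in the table.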
- Secure channel between frames

    frames[0].postMessage("Attack at dawn!", "http://gadget.com/");

    // The event type "message" was missing from the slide's listener call;
    // addEventListener needs it to register a message handler.
    window.addEventListener("message", function (e) {
      if (e.origin == "http://integrator.com") {
        ... e.data ...
      }
    }, false);

- Supported in brand-new browsers

Slide 31: Why include "targetOrigin"?
- What goes wrong?

    frames[0].postMessage("Attack at dawn!");

- Messages are sent to frames, not principals
  - When would this happen?

Slide 32: Facebook Anecdote

Slide 33: Thanks! You've been a great audience

Slide 34: Network Access Policy
- Send anywhere (some ports are inaccessible)
- Read only from your origin (some formats are executable across origins)

Slide 35: Goals: Prevent Bot-like Activity
- Spam
- Reading documents behind a firewall
- Clicking advertisements
- Denial of service?

Slide 36: Same Origin Requests

    <script>
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http://www.example.com:81/foo/example.cgi", true);  // asynchronous
    xhr.onload = function () {          // handler installed before send()
      if (xhr.status == 200) {
        alert(xhr.responseText);
      }
    };
    xhr.send("Hello world!");
    </script>

Slide 37: Sending a Cross-Domain GET
- Data must be URL encoded

    <img src="http://othersite.com/file.cgi?foo=1&bar=x y">

- Browser sends:

    GET file.cgi?foo=1&bar=x%20y HTTP/1.1
    Host: othersite.com
    ...

- Can't send to some restricted ports, like 25 (SMTP)

Slide 38: Sending a Cross-Domain POST
- Can use any encoding (the slide wrote the attribute as "encoding"; the HTML attribute is enctype)

    <form method="POST" action="http://othersite.com/file.cgi" enctype="text/plain">
    <input type="hidden" name="Hello world!\n\n2+2" value="4">
    </form>
    <script>document.forms[0].submit()</script>

- Browser sends:

    POST file.cgi HTTP/1.1
    Host: othersite.com
    ...
    Hello world!

    2+2=4

- Can target a hidden iframe to do this in the background
- Can't send to some restricted ports, like 25 (SMTP)

Slide 39: Cross-Domain Network Reading
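Two parts of the deck lean on the origin tuple: the same-origin policy's <domain, port, protocol> comparison (slide 16) and postMessage's targetOrigin and e.origin checks (slides 30-31). The following is an added example, not code from the lecture or from any browser. Node's built-in URL class computes the origin tuple; the Frame class is a toy stand-in for a browser frame that models only what the slides discuss: navigation replaces the frame's document (and so its origin), and the browser delivers a postMessage only when targetOrigin matches the frame's current origin. Treating an omitted targetOrigin as "*" is an assumption made to reproduce slide 31's "what goes wrong?" case; the site names are the slides' (integrator.com, gadget.com, attacker.com).

```javascript
// Added example (not from the lecture): origin tuples and a toy postMessage model.

const DEFAULT_PORT = { http: "80", https: "443" };

// Origin is the tuple <protocol, host, port>; the path is not part of it, and a
// URL without an explicit port gets the scheme's default.
function originTuple(urlString) {
  const u = new URL(urlString);
  const protocol = u.protocol.slice(0, -1); // "http:" -> "http"
  return { protocol, host: u.hostname, port: u.port || DEFAULT_PORT[protocol] || "" };
}

function sameOrigin(urlA, urlB) {
  const a = originTuple(urlA), b = originTuple(urlB);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Toy frame: holds the URL of its current document and that document's listeners.
class Frame {
  constructor(url) { this.url = url; this.listeners = []; }
  get origin() { return new URL(this.url).origin; } // serialized the way e.origin is
  // Navigation replaces the document: the old page's listeners go with it.
  navigate(url) { this.url = url; this.listeners = []; }
  onMessage(handler) { this.listeners.push(handler); }
  // Model of target.postMessage(data, targetOrigin) called from `sender`.
  // The browser compares targetOrigin with the frame's CURRENT origin and silently
  // drops the message on mismatch. "*" (or, assumption, an omitted targetOrigin)
  // matches anything. Returns whether the message was delivered.
  postMessage(data, targetOrigin, sender) {
    const wanted = (targetOrigin === undefined || targetOrigin === "*")
      ? "*" : new URL(targetOrigin).origin;
    if (wanted !== "*" && wanted !== this.origin) return false;
    const event = { data, origin: sender.origin }; // e.origin is set by the browser, not the sender
    for (const h of this.listeners) h(event);
    return true;
  }
}

// Slide 31's "what goes wrong?": frames[0] was gadget.com when the integrator
// looked, but has since been navigated to attacker.com (constructed scenario).
// With a targetOrigin the browser drops the message; without one it lands in
// whatever document is in the frame now.
function senderScenario(withTargetOrigin) {
  const integrator = new Frame("http://integrator.com/");
  const frame0 = new Frame("http://gadget.com/");
  frame0.navigate("http://attacker.com/");
  const attackerSaw = [];
  frame0.onMessage(e => attackerSaw.push(e.data));
  const delivered = frame0.postMessage("Attack at dawn!",
    withTargetOrigin ? "http://gadget.com/" : undefined, integrator);
  return { delivered, attackerSaw };
}

// The receiver side of slide 30: the gadget's listener checks e.origin, so a
// message from attacker.com is ignored while one from the integrator is accepted.
function receiverScenario() {
  const gadget = new Frame("http://gadget.com/");
  const accepted = [];
  gadget.onMessage(e => {
    if (e.origin === "http://integrator.com") accepted.push(e.data);
  });
  gadget.postMessage("Attack at dawn!", "http://gadget.com/", new Frame("http://integrator.com/"));
  gadget.postMessage("Attack at dusk!", "http://gadget.com/", new Frame("http://attacker.com/"));
  return accepted;
}

console.log("with targetOrigin:", senderScenario(true));
console.log("without targetOrigin:", senderScenario(false));
console.log("receiver accepted:", receiverScenario());
```

The two checks protect different directions: targetOrigin stops the sender from handing data to a frame whose contents have changed underneath it, and the e.origin test stops the receiver from acting on data a third party posted. Both are needed; the receiver check cannot undo a message the sender already leaked.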
- Executable data formats:

    <script src="http://othersite.com/file.js"></script>
    <link rel="stylesheet" href="http://othersite.com/file.css">
    <img src="http://othersite.com/file.jpg">
    <applet code="http://othersite.com/File.class">

  - Used extensively in mashups
  - Not ideal for mutual-distrust scenarios


UCSD CSE 127 - Web Browser Security
