UT CS 380S - Web Browser Security

Outline (slide titles)
Web Browser Security
Reading Assignment
JavaScript Security Model (Redux)
OS vs. Browser Analogies (Redux)
JavaScript Contexts
DOM and Access Control
DOM vs. JavaScript Engine
Cross-Context References
Detecting Reference Leaks
Heap Graph Statistics
Computing JavaScript Contexts
Example Vulnerability in WebKit
Solution
Web Browser: the New OS
Sending a Cross-Domain GET
Mashups
iGoogle
Windows Live.com
Browser Security Policy
Common Misunderstanding
Cross-Frame Scripting
SOP Examples
Guninski Attack
Gadget Hijacking in Mashups
Gadget Hijacking
Possible Frame Navigation Policies
Implemented Browser Policies
Principle: Pixel Delegation
Best Solution: Descendant Policy
Frame Communication
Fragment Identifier Messaging
Identifier Messaging: Example
Problems and Limitations
With Return Communication
postMessage
Example of postMessage Usage
Message Eavesdropping (1)
Message Eavesdropping (2)
Finer-Grained Origins
The Lock Icon
Checkered History of the Lock
Problem with Embedded Content
Mixed Content: HTTP and HTTPS
Mixed Content: UI Challenges
Mixed Content and Network Attacks
Mixed Content Issues
Example of a Vulnerability
Origin Contamination
Picture-in-Picture Attacks
SSL/TLS and Its Adversary Model
PBP: Pretty-Bad-Proxy
Attack #1: Error Response
Attack #2: Redirection (3XX)
Attack #3: HPIHSL Pages
Browsers Warn About This, Right?
Bypassing Detection Logic
Prevalence of HPIHSL Pages
Attack #4: Visual Context
Feasibility of Exploitation
Vulnerability Status (May 2009)

Slide 1
CS 380S: Web Browser Security
Vitaly Shmatikov (most slides from the Stanford Web security group)

Slide 2: Reading Assignment
Jackson and Barth. “Beware of Finer-Grained Origins” (W2SP 2008).
Chen et al. “Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments” (Oakland 2009).
Optional: Barth et al. “Securing Frame Communication in Browsers” (Usenix Security 2008 and CACM).
Optional: Barth et al. “Cross-Origin JavaScript Capability Leaks” (Usenix Security 2009).

Slide 3: JavaScript Security Model (Redux)
Same-origin policy
• A frame can only read properties of documents and windows from the same place: server, protocol, port
Does not apply to scripts loaded into the enclosing frame from an arbitrary site
• Such a script runs as if it were loaded from the site that provided the page!
  <script type="text/javascript" src="http://www.example.com/scripts/somescript.js"></script>

Slide 4: OS vs. Browser Analogies (Redux)
Operating system
• Primitives: system calls, processes, disk
• Principals: users
  – Discretionary access control
• Vulnerabilities: buffer overflow, root exploit
Web browser
• Primitives: document object model, frames, cookies / localStorage
• Principals: “origins”
  – Mandatory access control
• Vulnerabilities: cross-site scripting, universal scripting

Slide 5: JavaScript Contexts
(Figure: three separate boxes labelled JavaScript context 1, JavaScript context 2 and JavaScript context 3.)

Slide 6: DOM and Access Control [Barth et al.]
(Figure: a JavaScript context asks the DOM reference monitor for access to an object (“Access?”). The monitor decides whether the accessing context is allowed to handle the object and, if so, grants access by giving the reference to JavaScript.)

Slide 7: DOM vs. JavaScript Engine [Barth et al.]
DOM: performs access control checks
• When a DOM object is initially accessed, check if it’s OK to give out a reference to this object
JavaScript engine: uses references as if they were capabilities
• If a context has a reference to an object, it can use it without any access control checks
… but these are the same DOM objects!
What if a reference to an object leaks from one JavaScript context to another?

Slide 8: Cross-Context References [Barth et al.]
(Figure: Window 1 and Window 2, each with its own global object; each window and frame has one. Window 1’s global object references its document and function foo(); Window 2’s global object references its document and function bar(). The DOM reference monitor prevents bar() from acquiring references to Window 1’s objects via the global object.)
If bar() somehow managed to acquire direct references, no access checks would be performed on them!

Slide 9: Detecting Reference Leaks [Barth et al.]
Instrument WebKit’s JavaScript engine with calls to a heap analysis library
• On object creation, reference, and destruction
Goal: detect references between two contexts
Sample heap graphs (Figure: the heap graph of an empty page and of google.com, which has not much JS there.)

Slide 10: Heap Graph Statistics [Barth et al.]
Page                 Nodes    Edges
Empty page              82      170
google.com             384      733
store.apple.com/us    5332    11691
gmail.com            55106   133567

Slide 11: Computing JavaScript Contexts [Barth et al.]
(Figure: an Object points via __proto__ to the Object Prototype; the Global Object sits alongside.)
Context is defined by its global object (new context: create a new global object)
Object Prototype: the ultimate parent of all objects in the prototype class hierarchy
When an object is created, there is a path to the prototype via the __proto__ property (direct or indirect)
Context is the transitive closure of __proto__ references
Signal a problem if we ever see a reference between non-global objects of different contexts

Slide 12: Example Vulnerability in WebKit [Barth et al.]
If the location object was created during the execution of another context, it would be created with the wrong Object prototype. The attacker’s object can then redefine the behavior of functions, such as toString, that apply to all Objects created in the other context, so that they execute arbitrary JavaScript.

Slide 13: Solution
Add access control to JavaScript references
• get and put: check that the context matches
• 2% overhead
• Inline caching helps: when a property is looked up for the first time, look it up in the hash table and record the offset; subsequent accesses use the recorded offset directly
  – If the offset is available, no need for access control checks (why?)
• 10% overhead without caching
See “Cross-Origin JavaScript Capability Leaks” for details

Slide 14: Web Browser: the New OS
Origins are similar to processes
• One origin should not interfere with another
Sites often want and need to communicate
• Google AdSense
  – <script src="http://googlesyndication.com/show_ads.js">
• Mashups
• Gadget aggregators - iGoogle, live.com …
• To communicate with B, site A must give B full control
  – <script src="http://siteB.com/script.html">
• Now script from site B runs as if its origin were site A

Slide 15: Sending a Cross-Domain GET
Script can send anywhere
• This is the basis of cross-site request forgery (XSRF)
Data must be URL encoded
  <img src="http://othersite.com/file.cgi?foo=1&bar=x y">
• Browser sends
  GET file.cgi?foo=1&bar=x%20y HTTP/1.1
Can’t send to some restricted ports
• For example, port 25 (SMTP)
Can use GET for denial of service (DoS) attacks
• A popular site can DoS another site [Puppetnets]

Slide 16: Mashups
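The context computation of slide 11 and the leak check of slide 9, as an added example that is not from the slides and not the Barth et al. WebKit instrumentation: a constructed toy heap graph in which each node records its __proto__ edge and its outgoing references, a node's context is the root of its __proto__ chain, and a reference between non-global objects with different roots is reported as a leak. The node names (foo, bar, document, location) follow slides 8 and 12; the graph, the HeapNode class and its isGlobal flag are assumptions of this example.

```javascript
// Constructed toy heap graph in the style of the Barth et al. analysis (not the
// WebKit instrumentation). A node keeps its __proto__ edge and its outgoing refs.
class HeapNode {
  constructor(name, proto = null, isGlobal = false) {
    Object.assign(this, { name, proto, isGlobal, refs: [] });
  }
  ref(target) { this.refs.push(target); return this; }
}

// Context = root of the __proto__ chain (the context's Object prototype); walking
// the chain to null is the transitive closure of __proto__ from slide 11.
function contextOf(node) {
  let n = node;
  while (n.proto !== null) n = n.proto;
  return n;
}

// Slide 11 rule: flag a reference between non-global objects of different contexts.
// Globals are exempt: cross-window references such as window.parent go through
// the DOM reference monitor and are legitimate.
function findLeaks(nodes) {
  const leaks = [];
  for (const src of nodes)
    for (const dst of src.refs)
      if (!src.isGlobal && !dst.isGlobal && contextOf(src) !== contextOf(dst))
        leaks.push(`${src.name} -> ${dst.name}`);
  return leaks;
}

// Constructed sample: the two windows of slide 8 plus the slide-12 pattern of a
// location object created with the wrong Object prototype.
function buildSampleHeap() {
  const objProto1 = new HeapNode('ObjectPrototype1');
  const objProto2 = new HeapNode('ObjectPrototype2');
  const fnProto1 = new HeapNode('FunctionPrototype1', objProto1);
  const fnProto2 = new HeapNode('FunctionPrototype2', objProto2);
  const global1 = new HeapNode('global1', objProto1, true);
  const global2 = new HeapNode('global2', objProto2, true);
  const document1 = new HeapNode('document1', objProto1);
  const document2 = new HeapNode('document2', objProto2);
  const foo = new HeapNode('foo', fnProto1);
  const bar = new HeapNode('bar', fnProto2);
  const location2 = new HeapNode('location2', objProto1); // wrong prototype: context 1's
  global1.ref(document1).ref(foo).ref(global2); // global-to-global reference: allowed
  global2.ref(document2).ref(bar);
  bar.ref(global1);         // allowed: the target is a global object
  bar.ref(document1);       // leak: bar() holds a direct reference into context 1
  document2.ref(location2); // leak: by its prototype, location2 lives in context 1
  return [objProto1, objProto2, fnProto1, fnProto2, global1, global2, document1, document2, foo, bar, location2];
}
console.log(findLeaks(buildSampleHeap())); // ['document2 -> location2', 'bar -> document1']
```

Run with node; the two reported edges are exactly the ones the DOM reference monitor would never have handed out, while the window-to-window and bar-to-global references pass.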

