Password Managers: Attacks and Defenses David Silver, Suman Jana, Dan Boneh, Stanford University Eric Chen, Collin Jackson, Carnegie Mellon University.

Presentation transcript:

Password Managers: Attacks and Defenses
David Silver, Suman Jana, Dan Boneh (Stanford University); Eric Chen, Collin Jackson (Carnegie Mellon University)
23rd USENIX Security Symposium, San Diego, CA, August 2014
Advanced Defense Lab Seminar, 09/30, presented by Liang-Hsuan Lin

Outline
- Introduction
- Password managers: a survey
- Threat model
- Remote extraction of passwords from password managers (Sweep Attacks)
- Strengthening password managers
- Conclusion

A tool for… Convenience? Security? Goal: Both!

Password Manager Workflow
- Save manually entered password
- Autofill username and password

Manual Autofill (diagram): Page Load

Automatic Autofill (diagram): Page Load X

Should We Autofill?


Autofill policies
- The domain and path
- Protocol: HTTP vs. HTTPS
- Modified form action
- Autocomplete attribute
- Modified password field name

The Domain and Path
- Autofilled on any page within the same domain as the page from which the password was originally saved (all password managers)
- e.g. example.edu/~linliang and example.edu/~ are on the same domain and are treated as a single site

Protocol: HTTP vs. HTTPS
- Suppose the password was saved on a login page loaded over one protocol, but the current login page is loaded over a different protocol with all other elements of the URL the same. Will the password managers autofill?
- 1Password, Keeper, LastPass: allow autofill after user interaction
- Norton IdentitySafe: will autofill in this case
- Others: refuse to autofill

Modified Form Action
- At Save: Now: Automatic Autofill
- What if the action is changed by JavaScript after autofilling? form.action=“

Autocomplete Attribute
- If we set the autocomplete attribute:
- Respect the attribute: Firefox, Mobile Safari, the default Android Browser
- Ignore the attribute: others
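The policy dimensions surveyed in the slides above (domain and path, HTTP vs. HTTPS, modified form action) can be combined into a single fill decision. The following is an added example, not code from the paper or from the seminar slides; the stored-record shape and the names autofillDecision and resolveActionOrigin are this example's own. It is deliberately stricter than the managers surveyed: a password saved over HTTP is treated as a leftover and never filled, a changed form-action origin refuses the fill, and a same-domain page with a different path falls back to asking the user instead of filling silently.

```javascript
// Added example, not code from the paper or from these slides: one decision
// function that combines the autofill policy dimensions the survey lists
// (domain and path, HTTP vs. HTTPS, modified form action). The record shape
// and the names autofillDecision/resolveActionOrigin are this example's own.

// A form action may be relative ("/auth"); resolve it against the page that
// contains the form and keep only the origin, which is where the password
// will be sent.
function resolveActionOrigin(action, pageHref) {
  return new URL(action || '', pageHref).origin;
}

// saved:   { pageUrl, action } recorded when the password was first stored
// current: { pageUrl, action } describing the page now asking to be filled
// Returns 'fill' (fill automatically), 'ask' (fill only after the user
// confirms, with the domain shown) or 'refuse' (never fill).
function autofillDecision(saved, current) {
  const savedUrl = new URL(saved.pageUrl);
  const pageUrl = new URL(current.pageUrl);

  // A password saved on an HTTP page is a leftover: the page it belongs to
  // can be spoofed by a network attacker, so it is never filled anywhere.
  if (savedUrl.protocol !== 'https:') return 'refuse';

  // Never fill into a page that a network attacker can modify in transit.
  if (pageUrl.protocol !== 'https:') return 'refuse';

  // Host must match exactly (no sub-domain or "same site" widening).
  if (pageUrl.host !== savedUrl.host) return 'refuse';

  // The form must still submit to the origin it submitted to when saved.
  const savedTarget = resolveActionOrigin(saved.action, savedUrl.href);
  const currentTarget = resolveActionOrigin(current.action, pageUrl.href);
  if (currentTarget !== savedTarget) return 'refuse';

  // Same host, different path: the survey found that every manager treats
  // this as the same site; this stricter policy requires user interaction.
  if (pageUrl.pathname !== savedUrl.pathname) return 'ask';

  return 'fill';
}

// Constructed sample: the record a manager might hold for a campus login.
const SAVED = { pageUrl: 'https://example.edu/login', action: '/auth' };

console.log(autofillDecision(SAVED, { pageUrl: 'https://example.edu/login', action: '/auth' }));     // fill
console.log(autofillDecision(SAVED, { pageUrl: 'https://example.edu/~someone', action: '/auth' }));  // ask
console.log(autofillDecision(SAVED, { pageUrl: 'http://example.edu/login', action: '/auth' }));      // refuse
console.log(autofillDecision(SAVED, { pageUrl: 'https://example.edu/login',
                                      action: 'https://evil.example/collect' }));                    // refuse
```

The 'ask' outcome is where a manager would show the domain being filled and wait for a click; the 'refuse' outcomes are the cases in which, per the survey, several real managers still fill automatically.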


Additional Password Manager Features
- iFrame autofill
  - Do not autofill: IdentitySafe, Mobile Safari, LastPass
  - Manual interaction: Desktop Chrome
  - Autofill: Firefox, Safari, Chrome for Android
- Visibility: IdentitySafe
- Autofill method: KeePass
- Autofill and submit: 1Password, LastPass, IdentitySafe, KeePass

Sweep Attacks: stealing multiple passwords without user interaction

Threat Model: Coffee-shop Attacker. Goal: trick the password manager into revealing b.com’s password

Redirect Sweep Attack (diagram)
- GET papajohns.com
- REDIRECT att.com
- GET att.com
- att.com + attacker JS
- automatic autofill: get att.com password!
- GET papajohns.com
- papajohns.com

iFrame Sweep Attack
- The hotspot landing page contains invisible iFrames pointing to arbitrary pages at multiple target sites
- Inject JavaScript into each iFrame, then steal and exfiltrate the credentials
- The increase in network traffic and memory usage can be kept reasonable by using a hierarchical arrangement

Example: iFrame not same-origin with parent

Window Sweep Attack
- Uses windows instead of invisible iFrames
- If the attacker tricks users into disabling their popup blocker, the landing page can open each of the victim pages in a separate window

Brief Summary

Injection Techniques
- HTTP login page
- Active mixed content
- XSS injection
- Leftover passwords

HTTP login pages: HTTP pages are trivially vulnerable to code injection by a coffee-shop attacker

Active Mixed Content
- Any HTTPS webpage containing active content (e.g. scripts) that is fetched over HTTP is also dangerous
- For example, embedding a Shockwave Flash (SWF) file over HTTP, if not blocked correctly, can be used by a network attacker to inject arbitrary scripts [J. Hodges, et al]
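A site owner can check for the injection vector this slide describes before a network attacker finds it. The following scanner is an added example, not code from the paper or the slides: given the HTML of a page served over HTTPS, it lists the script, iframe, embed and object elements whose resource is fetched over plain HTTP. The tag matching is a deliberately small regex rather than a full HTML parser, and the sample page, its host names and the function name findActiveMixedContent are constructed for this example.

```javascript
// Added example, not from the paper or the slides: a scanner for active
// mixed content on an HTTPS page. Element names, hosts and the sample HTML
// below are constructed; the regex is a small stand-in for a DOM parser.

// Element -> attribute that names the active resource it loads.
const ACTIVE_RESOURCE_ATTR = { script: 'src', iframe: 'src', embed: 'src', object: 'data' };

function findActiveMixedContent(html, pageHref) {
  const page = new URL(pageHref);
  // "Mixed" content only exists on HTTPS pages; an HTTP page is all plain.
  if (page.protocol !== 'https:') return [];

  const findings = [];
  const tagRe = /<(script|iframe|embed|object)\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    const attr = ACTIVE_RESOURCE_ATTR[name];
    // Match `src=...` / `data=...` but not `data-src=...` style attributes.
    const attrRe = new RegExp(`(?<![\\w-])${attr}\\s*=\\s*["']?([^"'\\s>]+)`, 'i');
    const m = attrRe.exec(tag[2]);
    if (!m) continue;                      // inline script or no resource attribute
    let target;
    try {
      target = new URL(m[1], page.href);   // resolves relative and "//host" forms
    } catch (e) {
      continue;                            // unparsable attribute value; ignore
    }
    if (target.protocol === 'http:') findings.push({ element: name, url: target.href });
  }
  return findings;
}

// Constructed sample page: one HTTPS script, one HTTP script, an inline
// script, an HTTP SWF via <object>, a protocol-relative iframe (resolves to
// HTTPS here) and an HTTP image, which is passive content and not reported.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/analytics.js"></script>
<script>console.log('inline');</script>
</head><body>
<object data="http://media.example/player.swf" type="application/x-shockwave-flash"></object>
<iframe src="//partner.example/widget"></iframe>
<img src="http://img.example/logo.png">
</body></html>`;

console.log(findActiveMixedContent(SAMPLE_HTML, 'https://shop.example/login'));
// -> [ { element: 'script', url: 'http://cdn.example/analytics.js' },
//      { element: 'object', url: 'http://media.example/player.swf' } ]
```

The image is left out on purpose: an HTTP image is passive mixed content and cannot run script, while each element the scanner does report is one a coffee-shop attacker could swap for a payload that reads or redirects an autofilled login form.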

Leftover Passwords
- The user’s password manager may contain leftover passwords from older, less secure versions of a site
- An attacker could spoof the old site to steal the leftover password
- For example, if a user’s password manager contained a password for Facebook from before its switch to HTTPS, an attacker could spoof an HTTP Facebook login page to steal the password

Password Exfiltration
- Method #1: Stealth
- Method #2: Action

Method #1: Stealth: the attacker waits until the login form is populated with the user’s credentials automatically by a password manager, and then executes the following code:

Method #2: Action: the attacker can modify a login form’s action attribute so that it submits to an attacker-controlled site

Strengthening Password Managers
- Defense #1: Forcing user interaction
- Defense #2: Secure Filling

Defense #1: Forcing User Interaction (diagram: Page Load)
- Always require user interaction
- The PM should show the domain name being autofilled before the filling occurs

Implementation of Forcing User Interaction
- Set wait_for_username = true in password_form_fill_data.h [link]
- But this loses convenience

Defense #2: Secure Filling
- More secure than manual entry
- Don’t let JavaScript read autofilled passwords
- Let the form submit only if the action matches the action when the password was saved (the site must submit the form using HTTPS)
- Prototype implementation in Chromium (~50 lines)

Secure Filling Properties
a) Store the “action” when the fields were first saved
b) Keep the password field unreadable while autofill is in progress
c) If the username or password fields are modified while autofill is in progress, the autofill aborts
d) Once autofill is finished and all JavaScript code has run, the browser checks whether the form’s action has changed

Implementation of Secure Filling
In password_autofill_agent.cc [link]
- FillUserNameAndPassword
  - Fill the password field with a dummy value
  - Store the real password and the form’s action in a PasswordInfo object
- WillSendSubmitEvent
  - Check that the dummy value is still present
  - If it is, and if the form’s action matches the action we had stored, replace the dummy value with the real password and submit

Limitation of Secure Filling
- AJAX-based login: when the login form’s submit button is pressed, these sites use JavaScript to read the form fields, then construct and submit an XMLHttpRequest object. Not compatible with Secure Filling
- 10 sites out of the Alexa Top 50 use AJAX to submit password forms
- Workaround
  - Submit the form in an iFrame (X)
  - Create a browser sendPassword API
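The following model ties together the Secure Filling properties, the FillUserNameAndPassword / WillSendSubmitEvent split described two slides up, and the AJAX limitation on this slide. It is an added example and not the ~50-line Chromium prototype from the paper: a minimal form object stands in for the DOM, and LoginForm, SecureFiller, DUMMY and the run* helpers are this example's own names. The manager fills a placeholder, keeps the real password and the form action in its own PasswordInfo-style record, and swaps the real value in only at submit time when the placeholder is untouched and the action is unchanged; a page script that reads the field itself, as an AJAX login handler would, only ever sees the placeholder.

```javascript
// Added example, not the Chromium prototype from the paper: a small model of
// Secure Filling showing properties (a)-(d) from the slides and why an AJAX
// login that reads the field itself receives only the dummy value.
// LoginForm, SecureFiller and DUMMY are this example's own names.

const DUMMY = '\u0000secure-fill-placeholder\u0000';   // never leaves the browser

// Minimal stand-in for a DOM form: an action URL and two text fields.
class LoginForm {
  constructor(action) {
    this.action = action;
    this.fields = { username: '', password: '' };
  }
}

class SecureFiller {
  // credential: { username, password, action } as stored when first saved
  constructor(credential) {
    this.credential = credential;
    this.pending = null;            // PasswordInfo-style record of a fill in progress
  }

  // FillUserNameAndPassword: the page only ever sees the dummy value.
  fill(form) {
    // Property (a): the action recorded at save time must match the form now.
    if (form.action !== this.credential.action) return false;
    form.fields.username = this.credential.username;
    form.fields.password = DUMMY;
    this.pending = { form, action: form.action, password: this.credential.password };
    return true;
  }

  // Property (c): page script writing to either field aborts the autofill.
  scriptWritesField(form, name, value) {
    form.fields[name] = value;
    if (this.pending && this.pending.form === form) this.pending = null;
  }

  // WillSendSubmitEvent: properties (b) and (d). Returns what leaves the browser.
  submit(form) {
    if (!this.pending || this.pending.form !== form) {
      return { ok: false, reason: 'no autofill in progress', sent: null };
    }
    if (form.fields.password !== DUMMY) {
      return { ok: false, reason: 'password field modified', sent: null };
    }
    if (form.action !== this.pending.action) {
      this.pending = null;
      return { ok: false, reason: 'form action changed', sent: null };
    }
    const sent = { action: form.action, username: form.fields.username, password: this.pending.password };
    this.pending = null;
    return { ok: true, reason: 'submitted', sent };
  }
}

// What an AJAX login handler sees when it reads the field instead of
// submitting the form: the placeholder, which is why such logins break.
function pageScriptReadsPassword(form) {
  return form.fields.password;
}

// Constructed sample credential and two runs.
const CRED = { username: 'alice', password: 'correct-horse-battery', action: 'https://example.edu/auth' };

function runNormalLogin() {
  const filler = new SecureFiller(CRED);
  const form = new LoginForm('https://example.edu/auth');
  filler.fill(form);
  return filler.submit(form);                      // ok: true, real password sent to example.edu
}

function runActionSwap() {
  const filler = new SecureFiller(CRED);
  const form = new LoginForm('https://example.edu/auth');
  filler.fill(form);
  form.action = 'https://evil.example/collect';    // action rewritten after the fill
  return filler.submit(form);                      // ok: false, nothing sent
}

console.log(runNormalLogin(), runActionSwap());
```

Property (d) is modelled by doing the action comparison inside submit, i.e. after every script on the page has had its chance to run; a real implementation must also make sure the real value is substituted only on the browser's own submission path, which is exactly what an XMLHttpRequest-based login bypasses.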

Conclusions
- Automatic autofill has lots of problems
- Sweep Attacks: steal passwords without any user interaction
- Defenses
  - Require user interaction before filling passwords
  - Secure Filling: just as convenient for the user but much more secure