20065817 Su Yong Kim

Presentation transcript:

Contents
- Domain Isolation
- Real-World Attacks
- Script Accenting Mechanism
- Attack Scenarios Revisited
- Performance
- Conclusion

Domain Isolation of IE
Frame-based isolation: scripts from one frame can access documents in another frame if and only if the two frames are from the same domain. This is the Same Origin Policy.

Importance of Same Origin Policy
[Figure from the slide: a script from duam.net assigns DaumWnd.document.submitForm.action in the Daum window; the assigned value is not preserved in the transcript.]

Window Proxy
A clone of the Window object. The domain check is a string comparison: access is allowed only if the two frames' domain strings are identical.

Real-World Attacks
Setting: a malicious frame and a victim frame.
Purpose of the attacks: the script "doEvil" from the malicious frame's domain is executed in the document from the victim frame's domain.

Exploiting the Interactions between IE and Windows Explorer (attack 1)

Exploiting Function Aliasing (attack 2)

Exploiting the Excessive Expressiveness of Frame Navigation (attack 3)

Exploiting the Semantics of User Events (attack 4)
The script from the attacker's domain in Frame0:
- creates Frame1 to load the victim page;
- calls document.body.setCapture() to capture all mouse events.
When the user clicks inside Frame1, the event is handled by the body.onClick() handler in Frame0, and event.srcElement in Frame0 can be used to access the document object in Frame1.

Reason for Isolation Failure
Unexpected execution scenarios bypass the check because it is a single-point check buried deep in the call stack.
- It is challenging for developers to enumerate and test all of these unexpected scenarios.
- It is difficult to guarantee that the checks are performed exhaustively and correctly.

Script Accenting
- Generate a 32-bit random number as the accent key for each frame domain (frames from the same domain share the key).
- Before sending scripts or object-name queries, XOR every 32-bit word of the script or query with the accent key of the owner (sending) frame.
- Accenting does not increase the length of the script, so it introduces no possibility of buffer overflow.
- After receiving scripts or object-name queries, XOR every 32-bit word with the accent key of the receiver frame.
When sender and receiver share a domain the two XORs cancel and the original text is recovered; when they do not, the de-accented text is garbage, so the script fails to compile and the name query matches no object.

Accenting Script Source Code

Accenting Object Name Queries

Attack 1 Revisited
open("file:javascript:doEvil", "frame2")
- InvokeNavigation does not accent "file:javascript:doEvil" because it is not a javascript: URL.
- Windows Explorer removes the "file:" prefix and passes "javascript:doEvil" to frame2.
- Compile de-accents the never-accented "javascript:doEvil" with frame2's key, leaving garbage. ATTACK fails!

Attack 2 Revisited
location.assign('javascript:doEvil')
- InvokeNavigation accents "javascript:doEvil" with the key of the attacker's domain.
- Compile de-accents (javascript:doEvil)_k with the key of the victim's domain. ATTACK fails!

Attack 3 Revisited
frame2.open("javascript:doEvil", "frame1")
- InvokeNavigation accents "javascript:doEvil" with the key of the attacker's domain, because that is where the script source code resides.
- Compile de-accents (javascript:doEvil)_k with the key of the victim's domain. ATTACK fails!

Attack 4 Revisited
event.srcElement
- InvokeByName accents the object-name query with the key of the attacker's domain.
- GetDispatchID de-accents (object-name query)_k with the key of the victim's domain. ATTACK fails!

XOR Probing Attacks
- Guessing: the attacker guesses the value of (k_atk XOR k_vtm).
- Attack string: doEvil XOR (k_atk XOR k_vtm); if the guess is right, de-accenting in the victim frame yields doEvil.
- Probability of a correct guess: 1/(256^4) = 2^-32 per attempt.
- Verification: the attacker has no way to detect a syntax error in the victim's frame, so wrong guesses cannot be distinguished from right ones.
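The accenting mechanism of the Script Accenting slide, the four "revisited" outcomes and the XOR probing bound above, as an added worked model in JavaScript. This is not code from the slides or from the paper's IE implementation: the domain names attacker.example and victim.example, the fixed keys, the frame objects and the doEvil payload are constructed for the demo, and the IE internals InvokeNavigation, Compile, InvokeByName and GetDispatchID are stood in for by plain functions.

```javascript
// Added example: a small model of script accenting.  Keys are fixed here so the
// run is reproducible; the real mechanism draws a random 32-bit key per domain.
// Frames, domains and the doEvil script are constructed for the demo.

// XOR byte i of `text` with byte (i % 4) of the 32-bit key, i.e. XOR every
// 32-bit word of the text with the key.  Accent and de-accent are the same
// operation, and the length never changes.
function accent(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    const keyByte = (key >>> (8 * (i % 4))) & 0xff;
    out += String.fromCharCode(text.charCodeAt(i) ^ keyByte);
  }
  return out;
}

// One accent key per domain; frames of the same domain share it (hypothetical values).
const DOMAIN_KEYS = { "attacker.example": 0x13579bdf, "victim.example": 0xeca86420 };

function makeFrame(domain) {
  return { domain, key: DOMAIN_KEYS[domain], win: { stolen: false, secret: "victim-data" } };
}

// Sender side (stands in for InvokeNavigation): accent a javascript: URL with the owner's key.
function sendScript(sender, jsUrl) {
  return accent(jsUrl, sender.key);
}

// Receiver side (stands in for Compile): de-accent with the receiver's key, then
// compile and run.  If the keys differ the source is garbage and compilation throws.
function compileInFrame(receiver, wire) {
  const src = accent(wire, receiver.key);
  const body = src.startsWith("javascript:") ? src.slice("javascript:".length) : src;
  try {
    new Function("win", body)(receiver.win);
    return { ok: true };
  } catch (e) {
    return { ok: false, reason: e.constructor.name };
  }
}

// Object-name query path (stands in for InvokeByName / GetDispatchID): the name
// is accented by the caller and de-accented by the frame that resolves it.
function lookupByName(caller, target, name) {
  const wire = accent(name, caller.key);
  return target.win[accent(wire, target.key)];
}

const DO_EVIL = "javascript:win.stolen = true"; // constructed payload

// Same-domain scripting still works: both XORs cancel.
function sameDomainScenario() {
  const a = makeFrame("victim.example"), b = makeFrame("victim.example");
  const r = compileInFrame(b, sendScript(a, DO_EVIL));
  return { ok: r.ok, stolen: b.win.stolen };
}

// Attacks 2 and 3: accented with the attacker's key, de-accented with the victim's.
function crossDomainScenario() {
  const atk = makeFrame("attacker.example"), vtm = makeFrame("victim.example");
  const r = compileInFrame(vtm, sendScript(atk, DO_EVIL));
  return { ok: r.ok, reason: r.reason, stolen: vtm.win.stolen };
}

// Attack 1: the script was never accented (it travelled as a file: URL through
// Windows Explorer), but Compile de-accents it anyway and gets garbage.
function unaccentedScenario() {
  const vtm = makeFrame("victim.example");
  const r = compileInFrame(vtm, DO_EVIL);
  return { ok: r.ok, stolen: vtm.win.stolen };
}

// Attack 4: a cross-domain object-name query resolves to nothing.
function nameQueryScenario() {
  const atk = makeFrame("attacker.example"), vtm = makeFrame("victim.example");
  return { cross: lookupByName(atk, vtm, "secret"), same: lookupByName(vtm, vtm, "secret") };
}

// XOR probing: the attacker pre-XORs doEvil with a guess of k_atk ^ k_vtm.  Only
// the right guess (1 in 2^32) survives accent + de-accent; in the real browser
// the attacker also gets no signal about a syntax error in the victim frame.
function probe(guess) {
  const atk = makeFrame("attacker.example"), vtm = makeFrame("victim.example");
  const r = compileInFrame(vtm, sendScript(atk, accent(DO_EVIL, guess)));
  return r.ok && vtm.win.stolen;
}
const PROBE_SUCCESS_PROBABILITY = 2 ** -32;
```

With these keys k_atk XOR k_vtm is 0xffffffff, so a cross-domain script reaches Compile with every byte inverted; any lowercase letter lands in the C1 control range, which is not legal in JavaScript source, and compilation throws a SyntaxError before anything runs. The model also shows why accenting cannot overflow a buffer: accent() emits exactly one character per input character.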

Performance
Worst case: 3.16% overhead.

Conclusion
- Analysis of IE's domain-isolation mechanism and the known attacks.
- Proposal of the script accenting technique.
- Extension to a non-browser platform: application domains of the CLR (Common Language Runtime) in the .NET Framework.
- Limitation: the implementation is IE-dependent.

Discussion
Thanks for Listening!