A Systematic Approach to Uncover Security Flaws in GUI Logic
2008. 03. 31
Distributed Multimedia Computing Lab. Minjae Cho


Paper Information
Title: A Systematic Approach to Uncover Security Flaws in GUI Logic
Authors: Shuo Chen †, José Meseguer ‡, Ralf Sasse † ‡, Helen J. Wang †, Yi-Min Wang †
† Systems and Networking Group, Microsoft Research
‡ Dept. of Computer Science, University of Illinois at Urbana-Champaign
Published: IEEE Symposium on Security and Privacy 2007 (SP '07)

Conference Information
Claremont Resort, Berkeley, Oakland, CA
2007/05/20 ~ 2007/05/23

Contents
1. Introduction: visual spoofing; motivation and goal
2. Overview of methodology
3. Status bar spoofing
4. Address bar spoofing
5. Conclusions: contributions; bug reporting for IE7

Visual Spoofing: A Serious Security Problem
A simple equation: 1000 miles × trusted + 20 inches × untrusted = untrusted
Examples: status bar spoofing and address bar spoofing
IE, Firefox and Netscape all have security flaws in GUI
[Figure: the Web server, 1000 miles away, is trusted; the last 20 inches, between the browser GUI and the user, are untrusted]

Research Motivation and Goal
GUI behaviors are driven by complex logic, e.g., how to handle mouse messages and update the status bar, or how to update the address bar during navigations.
A systematic approach is needed to examine its correctness.
Goal: to apply formal methods to reason about GUI logic in order to proactively uncover browser spoofing bugs.

Overview of Our Approach
[Figure, with steps lettered (a) to (f), divided into a "real world" and a "formal world". Real world: source code of the browser GUI, the visual invariant, potential spoofing scenarios, real spoofing scenarios. Formal world: the modeled system (execution context, system state, program logic as pseudo code, the user's action sequence), the program invariant, and the reasoning engine (the Maude system, a rewriting logic engine).]

Case Study: Status Bar Spoofing: Basic Concepts
[Figure: a page containing anchor elements (<a>) and a "My button" element, shown three ways: as the page layout, as the Document Object Model tree (DOM tree), and as element stacks ordered "toward the user". The status bar is shown at the bottom of the page.]

Case Study: Status Bar Spoofing: Mouse Handling Logic
In status bar spoofing, only three raw mouse messages are relevant: MouseMove, LeftButtonDown, LeftButtonUp.
Each HTML element has three virtual methods: HandleMessage, DoClick, ClickAction (pseudo code in the paper).
Every element has different behavior about updating the status bar (SetStatusText) and navigating to the target URL (FollowHyperlink).
Message bubbling (passing the mouse message to the parent element): every element can decide whether to continue the bubbling or cancel the bubbling.
We used Maude to model the source code of the mouse handling logic.

Case Study: Status Bar Spoofing: Finding Attacks
System state: status bar URL, user-memorized URL.
User action sequence (canonicalized): MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp. Only two MouseMoves are needed: because the status bar is memoryless, a sequence of MouseMoves is equivalent to one MouseMove.
Execution context (canonicalized): DOM tree structures with at most two branches, corresponding to the two MouseMoves.
Program invariant: at the time of the function call FollowHyperlink(targetURL), targetURL = user-memorized URL.
Use Maude to search for spoofing scenarios.
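The two slides above (mouse-message bubbling on the element stack, then a search over user actions against the program invariant) can be sketched as a small model. The following is an added example written for this transcript, not code from the paper, from Maude, or from any browser: the element behaviors in the palette are hypothetical stand-ins for the per-element HandleMessage/DoClick/ClickAction logic, the search is a brute-force enumeration of canonical DOM branches rather than Maude rewriting, and the URLs are constructed sample values.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Element:
    """Hypothetical per-element behavior; stands in for HandleMessage/DoClick/ClickAction."""
    name: str
    hover_text: Optional[str]    # URL written to the status bar on MouseMove (None: leaves it alone)
    hover_bubbles: bool          # does MouseMove continue to the parent element?
    click_target: Optional[str]  # URL passed to FollowHyperlink on click (None: no navigation)
    click_bubbles: bool          # does the click continue to the parent element?


@dataclass
class State:
    """System state from the slide: status bar text and the URL the user memorized at Inspection."""
    status_bar: str = ""
    memorized: str = ""


def handle_mouse_move(stack: List[Element], state: State) -> None:
    """MouseMove is delivered to the innermost element and bubbles outward until cancelled."""
    for el in stack:  # stack[0] is the element closest to the user
        if el.hover_text is not None:
            state.status_bar = el.hover_text  # SetStatusText
        if not el.hover_bubbles:
            break


def handle_click(stack: List[Element]) -> Optional[str]:
    """LeftButtonDown + LeftButtonUp: the URL FollowHyperlink would be called with, if any."""
    for el in stack:
        if el.click_target is not None:
            return el.click_target
        if not el.click_bubbles:
            break
    return None


def run_scenario(branch1: List[Element], branch2: List[Element]) -> Tuple[str, Optional[str]]:
    """Canonical action sequence: MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp."""
    state = State()
    handle_mouse_move(branch1, state)   # the mouse passes over the first DOM branch
    handle_mouse_move(branch2, state)   # ... and comes to rest on the second branch
    state.memorized = state.status_bar  # Inspection: the user reads the status bar
    target = handle_click(branch2)      # the click lands where the mouse rests
    return state.memorized, target


def find_spoofs(palette: List[Element], max_depth: int = 2):
    """Enumerate element stacks up to max_depth and report every violation of the invariant:
    at FollowHyperlink(targetURL), targetURL must equal the user-memorized URL."""
    stacks = [list(s) for d in range(1, max_depth + 1) for s in product(palette, repeat=d)]
    violations = []
    for b1 in stacks:
        for b2 in stacks:
            memorized, target = run_scenario(b1, b2)
            if target is not None and target != memorized:
                violations.append((tuple(e.name for e in b1), tuple(e.name for e in b2),
                                   memorized, target))
    return violations


# Constructed palette (hypothetical behaviors). "swallow" cancels MouseMove bubbling without
# touching the status bar but lets clicks bubble: the kind of behavior combination the slides blame.
ANCHOR_PAYPAL = Element("anchor(paypal.com)", "paypal.com", False, "paypal.com", False)
ANCHOR_FOO = Element("anchor(foo.com)", "foo.com", False, "foo.com", False)
PLAIN = Element("plain", None, True, None, True)
SWALLOW = Element("swallow", None, False, None, True)

SAFE_PALETTE = [ANCHOR_PAYPAL, ANCHOR_FOO, PLAIN]
FULL_PALETTE = SAFE_PALETTE + [SWALLOW]

if __name__ == "__main__":
    for b1, b2, shown, went in find_spoofs(FULL_PALETTE):
        print(f"hover {b1} then {b2}: status bar showed {shown!r}, navigated to {went!r}")
```

With the safe palette the search reports nothing; adding the one element that cancels hover bubbling produces violations such as hovering an anchor to paypal.com and then clicking a stack whose inner element swallows the MouseMove while the outer anchor navigates to foo.com, which is exactly the shape of the spoofs listed on the next slide. The point of the model is the same as the paper's: the invariant is checked over every combination of behaviors, not over the cases a developer happened to think of.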

Examples of Status Bar Spoofs
All because of unexpected combinations of element behaviors.
[Figure: four element stacks with their page layouts]
1. input field over anchor over form: form target = foo.com, anchor target = paypal.com (status bar shows paypal.com)
2. image button over form: form target = foo.com, image target = paypal.com (status bar shows paypal.com)
3. label over anchor: label's target = foo.com, anchor's target = paypal.com
4. image over label: img's target = paypal.com, label's target = foo.com

Case Study: Address Bar Spoofing: Basic Concepts (browser, renderer, frame, markup)
[Figure: a Browser contains a Renderer; the Renderer holds a PrimaryFrame from MySite.com, Frame1 from PayPal and Frame2 from MSN; a frame has a current markup and a pending markup.]

Pseudo Code Model: Loading a New Page
[Figure: functions, events and handlers involved: FollowHyperlink, start navigation, ready, PostMan, event queue, SetInteractive, NavigationComplete, SetAddressBar, SwitchMarkup, onPaint, EnsureView, RenderView, ensure. Legend: posting an event; calling a function; invoking a handler (posted by the OS).]

Pseudo Code Model: History Travel
[Figure: same structure as the page-loading model, with History_Back, Travel and LoadHistory in place of FollowHyperlink: start navigation, ready, PostMan, event queue, SetInteractive, NavigationComplete, SetAddressBar, SwitchMarkup, onPaint, EnsureView, RenderView, ensure. Legend: posting an event; calling a function; invoking a handler (posted by the OS).]

Pseudo Code Model: Opening a Page in a New Window
[Figure: functions and events involved: WindowOpen, CreatePendingDocObject, start-loading, LoadDocument, event queue, Load, CreateMarkup, SetAddressBar, LoadFromInfo, CreateRenderer, PostMan, download-content, SetClientSite, InitDocHost, SwitchMarkup.]

Case Study: Address Bar Spoofing
System state: PrimaryFrame, other frames, current markups, pending markups, address bar URL, ...
User action sequence: page loading, history traveling and window opening.
Execution context: a set of Boolean conditions affecting the execution path.
Program invariant: the address bar should display the URL of the current markup of the primary frame.

Discovered Address Bar Spoof (An Atomicity Bug)
1. Load a real paypal page, then load a page from evil.com whose URL is longer than 4000 characters (= the buffer size).
2. When the browser switches to the new page, it cannot update the address bar because the URL is longer than the buffer size, so the address bar still shows the previous URL.
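The atomicity bug is easiest to see when the program invariant from the previous slide is checked after every navigation. The following is an added example written for this transcript, not the browser's code: the 4000-character capacity is the figure quoted on the slide, the URLs are constructed, and the "atomic" variant is the obvious check-before-commit fix for illustration, not necessarily the fix that shipped in IE7.

```python
ADDRESS_BAR_CAPACITY = 4000  # buffer size quoted on the slide: longer URLs cannot be displayed


class Browser:
    """Minimal model: one primary frame with a current markup, plus the address bar text."""

    def __init__(self, capacity: int = ADDRESS_BAR_CAPACITY):
        self.capacity = capacity
        self.current_markup_url = "about:blank"
        self.address_bar = "about:blank"

    def set_address_bar(self, url: str) -> bool:
        # Models a fixed-size buffer: an over-long URL is dropped and the old text stays.
        if len(url) > self.capacity:
            return False
        self.address_bar = url
        return True

    def invariant_holds(self) -> bool:
        # Program invariant: the address bar shows the URL of the primary frame's current markup.
        return self.address_bar == self.current_markup_url


def switch_markup_non_atomic(browser: Browser, url: str) -> None:
    """The flawed ordering: the content switches first and a failed SetAddressBar is ignored."""
    browser.current_markup_url = url  # SwitchMarkup
    browser.set_address_bar(url)      # SetAddressBar; its return value is silently discarded


def switch_markup_atomic(browser: Browser, url: str) -> None:
    """Hypothetical fix: refuse the whole navigation unless both updates can succeed."""
    if len(url) > browser.capacity:
        return                        # neither the markup nor the address bar changes
    browser.current_markup_url = url
    browser.set_address_bar(url)


def replay(switch, urls):
    """Apply each navigation in turn; return the first (address bar, markup URL) pair that
    breaks the invariant, or None if it held throughout."""
    browser = Browser()
    for url in urls:
        switch(browser, url)
        if not browser.invariant_holds():
            return browser.address_bar, browser.current_markup_url
    return None


# Constructed scenario following the slide: a real paypal page, then a page whose URL
# exceeds the address bar buffer.
SCENARIO = [
    "https://www.paypal.com/signin",
    "https://evil.com/" + "a" * (ADDRESS_BAR_CAPACITY + 1),
]

if __name__ == "__main__":
    print("non-atomic:", replay(switch_markup_non_atomic, SCENARIO))
    print("atomic:    ", replay(switch_markup_atomic, SCENARIO))
```

Under the non-atomic ordering the replay stops after the second navigation with the address bar still reading the paypal URL while the current markup is evil.com's; the atomic variant keeps the invariant because a navigation that cannot be reflected in the address bar never changes the content either. The same check, applied to every interleaving of the event sequences on the earlier slides, is what the formal model automates.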

Discovered Address Bar Spoof (A Race Condition)
[Figure: the address bar reads c:\windows\system32\shdoclc.dll?http...; two concurrent actions, "History back" and "Load a new page"]
1. Load evil page
2. Then load error page
3. Exploiting the race condition: history back and loading a new page at the same time

Conclusions
Contributions:
Formulated GUI logic correctness as a new research problem.
Proposed a systematic approach to proactively uncover security flaws in browser GUI.
Demonstrated the benefit of the systematic approach to the GUI implementation.
The approach is not IE specific: other browsers (e.g., Firefox, Opera, Netscape, etc.) and non-browser applications (e.g., Outlook, Outlook Express).

Summary of Bug Reporting for IE 7
Found many new scenarios for the status bar spoofing, filed them as 9 bugs against IE. All fixed before IE7 RC 1 (release candidate 1).
4 new scenarios of the address bar spoofing:
Non-atomic update of the address bar (2 bugs)
Non-atomic update of the content area
Race condition: multiple frames compete to be the primary
IE team has fixed two, and proposed the fixes for the other 2 to go into the next version.