Presentation is loading. Please wait.

Presentation is loading. Please wait.

Browser code isolation

Published byJean-Claude Goulet Modified over 6 years ago

Similar presentations

Presentation on theme: "Browser code isolation"— Presentation transcript:

1 Browser code isolation
CS 155 Spring 2017 Browser code isolation John Mitchell

2 Topic of this class meeting
How can we use sophisticated isolation and interaction between components to develop flexible, interesting web applications, while protecting confidentiality and integrity ???

3 Why do we need isolation and communication?

4 Modern web sites are complex

5 Modern web “site” Code from many sources Combined in many ways

6 Sites handle sensitive information
Financial data Online banking, tax filing, shopping, budgeting, … Health data Genomics, prescriptions, … Personal data , messaging, affiliations, …

7 Basic questions How do we isolate code from different sources
Protecting sensitive information in browser Ensuring selected forms of integrity Allowing modern functionality, flexible interaction

8 More specifically How to protect a page from ads/services?
How to protect the page from a library? How do we protect page from CDN? How to share data with cross-origin page? How to protect one user from another’s content? How do we protect extension from page?

9 Are frames and same-origin policy enough?

10 Recall Same-Origin Policy (SOP)
Idea: Isolate content from different origins Restricts interaction between compartments Restricts network request and response Lets look at interframe and network interaction

11 Same-origin policy: frames and web
Dom access?

12 Same-origin policy: frames and web
postmessage communication?

13 Same-origin policy: frames and web
XmlHttpRequest? ?? Does the BROWSER refuse to send out the xhr? No, the server refuses to respond. To be more exact, in modern browsers it is done by preflighted requests. It means that for each cross-origin request, first an OPTIONS request is sent automatically by the browser whose headers are the exact same as the intended request will have but with no request body. The server responds also with headers only. Access-Control headers in the response will let the client browser know whether the request would be fulfilled according to the server's policies. In a sense the browser is preventing the request, but only because it already exchanged a request/response pair with the server and knows that there would be no point to attempt the request. If you forge a request in such a case, the server will still deny serving it.

14 Same-origin policy: frames and web
image request?

15 Same-origin frame and web summary
Isolate content from different origins Can send postmessage or embed image or js Can’t access document of cross-origin page Can’t inspect cross-origin responses

16 Limitation: Library Library included using tag
<script src="jquery.js"></script> No isolation Runs in same frame, same origin as rest of page May contain arbitrary code Library developer errors or malicious trojan horse Can redefine core features of JavaScript May violate developer invariants, assumptions jQuery used by 78% of the Quantcast top 10,000 sites, over 59% of the top million

17 Limitation: advertisement
<script src=“ <script src=“ Read password using the DOM API var c = document.getElementsByName(“password”)[0] Directly embedded third-party JavaScript poses a threat to critical hosting page resources One way to bring JavaScript into the page is via the script src= tag. What this would do is it would directly embedded the JavaScript into the page. Here there are two advertisements that have been directly embedded into the page. Now this what this ad wants to do it decorate the page, move round, react to mouse movementss It does this by using the Browser’s DOM API . DOM provides methods to access specific elements of the page and allows Javascript code to change their color, Resize them and do all sorts of fancy things. Now the DOM is quite powerfull, it gives you access to the location, cookie store and in this all these form fields on the hosting page. So if this ad is bad then it can steal the passwd and send it off to an evil location. So directly embedded third-party JavaScript poses a threat to critical hosting page resources. Lets study how third-party JavaScript is brought into the page Here are two ads directly embedded in the page. Their code is simply appending to the hosting page code. Many ads wish to decorate the hosting page and move around, which they do by invoking the DOM API of the page. Because the entire DOM is directly exposed to the ad code, the page is vulnerable to a range of attacks if the embedded code is malicious. For example it cans steal the password and send it off to a third party location. So it is important that untrusted ads must only have restricted access to the DOM. Send it to evil location (not subject to SOP) <img src=``

18 Limitation: Ad vs Ad <script src=“ <script src=“ $1 Buy Now Directly embedded third-party JavaScript poses a threat to other third-party components Not only the hosting page, if there are ads then via this malicious JavaScript can acess it via the DOM API and then change its contents So Attack the other ad: Change the price ! var a = document.getElementById(“sonyAd”) a.innerHTML = “$1 Buy Now”;

19 Same-origin policy limitations
Coarse and inflexible Does not restrict actions within a execution context Developers cannot change policy Does not prevent information leaks Can send data in image request, XHR request Image size can leak whether user logged in Cross-origin scripts run with privilege of page Injected scripts can corrupt and leak user data! No way to relax policy Can’t read cross-origin responses

20 Common but risky workaround
What if we want to fetch data from provider.com? JSONP  (“JSON with Padding”) To fetch data, insert new script tag: <script src=“ </script> To share data, reply back with script wrapping data: f({ ...data...}) Why is this dangerous? Provider data can easily be leaked (CSRF) Page is not protected from provider (XSS)

21 What is the basic mocule for isolation and communication?

22 “Browsing context” A browsing context may be A frame with its DOM
A web worker (thread), which does not have a DOM Every browsing context Has an origin, determined by protocol, host, port Is isolated from others by same-origin policy May communicate to others using postMessage Can make network requests using XHR or tags (<image>, …)

23 HTML5 Web Workers Separate thread; isolated but same origin
Not originally intended for security, but helps

24 Web Worker Run in an isolated thread, loaded from separate file
Web Worker Run in an isolated thread, loaded from separate file Same origin as frame that creates it, but no DOM Communicate using postMessage var worker = new Worker('task.js'); worker.postMessage(); // Start the worker. var worker = new Worker('doWork.js'); worker.addEventListener('message', function(e) { console.log('Worker said: ', e.data); }, false); worker.postMessage('Hello World'); // Send data to worker main thread self.addEventListener('message', function(e) { self.postMessage(e.data); // Return message it is sent }, false); doWork

25 Browsing context A browsing context may be A frame with its DOM
A web worker (thread), which does not have a DOM Every browsing context Has an origin, determined by protocol, host, port Is isolated from others by same-origin policy May communicate to others using postMessage Can make network requests using XHR or tags (<image>, …)

26 How can we restrict execution and communication?

27 Two ways to restrict execution
HTML5 iframe Sandbox Load with unique origin, limited privileges Content Security Policy (CSP) Whitelist instructing browser to only execute or render resources from specific sources

28 Useful concept: browsing context
A browsing context may be A frame with its DOM A web worker (thread), which does not have a DOM Every browsing context Has an origin, determined by protocol, host, port Is isolated from others by same-origin policy May communicate to others using postMessage Can make network requests using XHR or tags (<image>, …)

29 HTML5 Sandbox Idea: restrict frame actions
Directive sandbox ensures iframe has unique origin and cannot execute JavaScript Directive sandbox allow-scripts ensures iframe has unique origin

30 HTML5 Sandbox Idea: restrict frame actions
Directive sandbox ensures iframe has unique origin and cannot execute JavaScript Directive sandbox allow-scripts ensures iframe has unique origin

31 HTML5 Sandbox Idea: restrict frame actions
Directive sandbox ensures iframe has unique origin and cannot execute JavaScript Directive sandbox allow-scripts ensures iframe has unique origin

32 Sandbox example Twitter button in iframe
Sandbox: remove all permissions and then allow JavaScript, popups, form submission, and twitter.com cookies <iframe src= " style="border: 0; width:130px; height:20px;"> </iframe> <iframe sandbox="allow-same-origin allow-scripts allow-popups allow-forms" src=" style="border: 0; width:130px; height:20px;"></iframe>

33 Sandbox permissions allow-forms allows form submission
allow-popups allows popups allow-pointer-lock allows pointer lock (mouse moves) allow-same-origin allows the document to maintain its origin; pages loaded from  retain access to that origin’s data. allow-scripts allows JavaScript execution, and also allows features to trigger automatically (as they’d be trivial to implement via JavaScript) allow-top-navigation allows the document to break out of the frame by navigating the top-level window

34 Two ways to restrict execution
HTML5 iframe Sandbox Load with unique origin, limited privileges Content Security Policy (CSP) Whitelist instructing browser to only execute or render resources from specific sources

35 Content Security Policy (CSP)
Goal: prevent and limit damage of XSS XSS attacks bypass the same origin policy by tricking a site into delivering malicious code along with intended content Approach: restrict resource loading to a white-list Prohibits inline scripts embedded in script tags, inline event handlers and javascript: URLs Disable JavaScript eval(), new Function(), … Content-Security-Policy HTTP header allows site to create whitelist, instructs the browser to only execute or render resources from those sources

36 Content Security Policy (CSP)
Goal: prevent and limit damage of XSS attacks Approach: restrict resource loading to a white-list E.g., default-src ‘self’ img-src *

37 Content Security Policy (CSP)
Goal: prevent and limit damage of XSS attacks Approach: restrict resource loading to a white-list E.g., default-src ‘self’ img-src *

38 Content Security Policy (CSP)
Goal: prevent and limit damage of XSS attacks Approach: restrict resource loading to a white-list E.g., default-src ‘self’ img-src *

39 Content Security Policy (CSP)
Goal: prevent and limit damage of XSS attacks Approach: restrict resource loading to a white-list E.g., default-src ‘self’ img-src *

40 Content Security Policy (CSP)
Goal: prevent and limit damage of XSS attacks Approach: restrict resource loading to a white-list E.g., default-src ‘self’ img-src *

41 Content Security Policy (CSP)
Goal: prevent and limit damage of XSS attacks Approach: restrict resource loading to a white-list E.g., default-src ‘self’ img-src *

42 Content Security Policy (CSP)
Goal: prevent and limit damage of XSS attacks Approach: restrict resource loading to a white-list E.g., default-src ‘self’ img-src *

43 Content Security Policy & Sandboxing
Limitations: Data exfiltration is only partly contained Can leak to origins we can load resources from and sibling frames or child Workers (via postMessage) Scripts still run with privilege of page Can we reason about security of jQuery-sized lib?

44 CSP resource directives
script-src limits the origins for loading scripts connect-src limits the origins to which you can connect (via XHR, WebSockets, and EventSource). font-src specifies the origins that can serve web fonts. frame-src lists origins can be embedded as frames img-src lists origins from which images can be loaded. media-src restricts the origins for video and audio. object-src allows control over Flash, other plugins style-src is script-src counterpart for stylesheets default-src define the defaults for any directive not otherwise specified

45 CSP source lists Specify by scheme, e.g., https:
Host name, matching any origin on that host Fully qualified URI, e.g., Wildcards accepted, only as scheme, port, or in the leftmost position of the hostname:  'none‘ matches nothing 'self' matches the current origin, but not subdomains 'unsafe-inline' allows inline JavaScript and CSS 'unsafe-eval' allows text-to-JavaScript mechanisms like eval 

46 Modern Structuring Mechanisms
HTML5 iframe Sandbox Load with unique origin, limited privileges Content Security Policy (CSP) Whitelist instructing browser to only execute or render resources from specific sources HTML5 Web Workers Separate thread; isolated but same origin Not originally intended for security, but helps SubResource integrity (SRI) Cross-Origin Resource Sharing (CORS) Relax same-origin restrictions

47 Modern Structuring Mechanisms
HTML5 iframe Sandbox Load with unique origin, limited privileges Content Security Policy (CSP) Whitelist instructing browser to only execute or render resources from specific sources HTML5 Web Workers Separate thread; isolated but same origin Not originally intended for security, but helps SubResource integrity (SRI) Cross-Origin Resource Sharing (CORS) Relax same-origin restrictions

48 can we protect against network attackers or cdn that serves the wrong script or code?

49 Motivation for SRI Many pages pull scripts and styles from a wide variety of services and content delivery networks. How can we protect against downloading content from a hostile server (via DNS poisoning, or other such means), or modified file on the Content Delivery Network (CDN) Would using HTTPS address this problem?

50 Subresource integrity
Idea: page author specifies hash of (sub)resource they are loading; browser checks integrity E.g., integrity for scripts <link rel="stylesheet" href=" integrity="sha256-SDfwewFAE...wefjijfE"> E.g., integrity for link elements <script src=" integrity="sha256-C6CB9UYIS9UJeqinPHWTHVqh/E1uhG5Tw+Y5qFQmYg=">

51 What happens when check fails?
Case 1 (default): Browser reports violation and does not render/ execute resource Case 2: CSP directive with integrity-policy directive set to report Browser reports violation, but may render/execute resource

52 Can we define more permissive origin policies?

53 Cross-Origin Resource Sharing (CORS)
Amazon has multiple domains E.g., amazon.com and aws.com Problem: amazon.com can’t read cross-origin aws.com With CORS amazon.com can whitelist aws.com

54 How CORS works Browser sends Origin header with XHR request
E.g., Origin: Server can inspect Origin header and respond with Access-Control-Allow-Origin header E.g., Access-Control-Allow-Origin: E.g., Access-Control-Allow-Origin: *

55 Have we solved every security problem?

56 Goal: Password-strength checker
Strength checker can run in a separate frame Communicate by postMessage But we give password to untrusted code! Is there any way to make sure untrusted code does not export our password?

57 Confining the checker with COWL
Express sensitivity of data Checker can only receive password if its context label is as sensitive as the password Use postMessage API to send password Source specifies sensitivity of data at time of send

58 Conclusions?

59 Modern Structuring Mechanisms
HTML5 Web Workers; Separate thread; isolated but same origin Not originally intended for security, but helps HTML5 iframe Sandbox Load with unique origin, limited privileges Content Security Policy (CSP) Whitelist instructing browser to only execute or render resources from specific sources SubResource integrity (SRI) Cross-Origin Resource Sharing (CORS) Relax same-origin restrictions

60 Modern web site Code from many sources Combined in many ways

61 Challenges

62

Download ppt "Browser code isolation"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,

HTML Forms. collect information for passing to server- side processes built up from standard widgets –text-input, radio buttons, check boxes, option lists,
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013.

Copyright Justin C. Klein Keane HTML 5 Security Philadelphia OWASP August, 2013.
I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.

I'll see your cross site scripting and raise you a Content Security Policy Lou Leone :: Rochester OWASP.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.

Site and user security concerns for real time content serving Chris Mejia, IAB Sean Snider, Yahoo! Prabhakar Goyal, Microsoft.
Internet Basics.

Internet Basics.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Web Development & Design Foundations with XHTML Chapter 9 Key Concepts.

Web Development & Design Foundations with XHTML Chapter 9 Key Concepts.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Similar presentations

Ads by Google