Presentation is loading. Please wait.

Presentation is loading. Please wait.

Talking to Yourself for Fun and Profit Lin-Shung Huang ∗, Eric Y. Chen ∗, Adam Barth †, Eric Rescorla ‡ and Collin Jackson ∗ ∗ Carnegie Mellon University.

Published byKarina Botham Modified over 9 years ago

Similar presentations

Presentation on theme: "Talking to Yourself for Fun and Profit Lin-Shung Huang ∗, Eric Y. Chen ∗, Adam Barth †, Eric Rescorla ‡ and Collin Jackson ∗ ∗ Carnegie Mellon University."— Presentation transcript:

1 Talking to Yourself for Fun and Profit Lin-Shung Huang ∗, Eric Y. Chen ∗, Adam Barth †, Eric Rescorla ‡ and Collin Jackson ∗ ∗ Carnegie Mellon University † Google ‡ RTFM WEB 2.0 SECURITY AND PRIVACY 2011

2 Bringing Sockets to the Web Web applications need to talk to the cloud But HTTP is inefficient –E.g. chat, multiplayer games Plug-ins and HTML5 provide socket APIs Modest amounts of security analysis… Native: Plug-ins:

3 Existing Approaches Flash Player: Authorizes by policy files Java: Only talks to yourself B.com 01100111011101… A.com 01100111011101… B.com What could possibly go wrong?

4 Beware of Transparent Proxies Inspect and modify HTTP traffic –Content filtering –Web acceleration HTTP 200 OK Cache-Control: public … A.com GET / HTTP/1.0 Host: a.com GET / HTTP/1.0 Host: a.com GET / HTTP/1.0 Host: a.com HTTP 200 OK Cache-Control: public … Cache hit! HTTP 200 OK Cache-Control: public …

5 IP Hijacking [Auger '10] Allows connection to unauthorized destinations if routing by Host header Flash Player attacker.swf attacker.com IP: 2.2.2.2 To 2.2.2.2 port 80: GET / HTTP/1.1 Host: target.com target.com IP: 1.1.1.1 Route by Host To 2.2.2.2 port 843: To 2.2.2.2 port 843: Route by IP Alice

6 Cache Poisoning Even worse if routing by IP, and caching by Host header Bob Proxy Cache attacker.com IP: 2.2.2.2 target.com IP: 1.1.1.1 To 2.2.2.2 port 80: GET /script.js HTTP/1.1 Host: target.com Route by IP Alice Java VM attacker.class To 1.1.1.1 port 80: GET /script.js HTTP/1.1 Host: target.com Cache hit! script.js Cache by Host script.js

7 How bad is it? Advertising network experiments –$100 = 174,250 impressions –Observe browsers in the wild –Mount proof-of-concept attacks against our servers

8 Observed Vulnerabilities IP hijacking –Java: 3,152 of 51,273 (6.1%) –Flash Player: 2,109 of 30,045 (7%) Cache poisoning –Java: 53 of 30,045 (0.18%) –Flash Player: 108 of 51,273 (0.21%) –Less than $1 per exploitation!

9 Designing HTML5 WebSockets Strawman “consent” protocols 1.POST -based handshake 2.Upgrade -based handshake 3.CONNECT -based handshake Proposed modifications –Mask attacker-controlled bytes

10 Strawman #1 POST -based handshake –For HTML form elements – IP hijacking: 1,376 of 49,218 –Cache poisoning: 15 of 49,218

11 Strawman #2 Upgrade -based handshake –For layering TLS over HTTP – IP hijacking: 174 of 47,388 –Cache poisoning: 8 of 47,388

12 Strawman #3 CONNECT -based handshake –For tunneling TLS through proxies –2 spoofed HTTP requests routed by IP

13 Frame Masking Mask attacker-controlled bytes –Raw bytes on the wire should not be chosen by attacker –Stream cipher e.g. AES-CTR-128 –Per-frame random nonce –XOR cipher as alternative

14 Performance (a) 10 byte data frames(b) 100 byte data frames (c) 1000 byte data frames

15 Reaction Firefox and Opera temporarily disabled HTML5 WebSockets The WebSocket Protocol working group adopted a variant of our proposal, requiring XOR-based frame masking –Firefox dev build –Microsoft WebSockets prototype

16 Conclusion Roughly 7% browsers are behind proxies with implementation errors Protocols designers should consider how attackers can manipulate data to fool network intermediaries HTML5 WebSocket protocol is work in progress, we also recommend Java and Flash Player to address this issue

17 Thanks!

Download ppt "Talking to Yourself for Fun and Profit Lin-Shung Huang ∗, Eric Y. Chen ∗, Adam Barth †, Eric Rescorla ‡ and Collin Jackson ∗ ∗ Carnegie Mellon University."

Similar presentations

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.
Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview

Microsoft Internet Security and Acceleration (ISA) Server 2004 Technical Overview
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
THE CASE FOR PREFETCHING AND PREVALIDATING TLS SERVER CERTIFICATES Emily Stark, Lin-Shung Huang, Dinesh Israni, Collin Jackson, Dan Boneh Presented by:

THE CASE FOR PREFETCHING AND PREVALIDATING TLS SERVER CERTIFICATES Emily Stark, Lin-Shung Huang, Dinesh Israni, Collin Jackson, Dan Boneh Presented by:
Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.

Chapter 7 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Explain the need for the transport layer.  Identify.
HTTP Cookies. CPSC 441 - Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.

HTTP Cookies. CPSC Application Layer 2 User-server state: cookies Many major Web sites use cookies Four components: 1) cookie header line of HTTP.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.

The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Web basics HTTP –http://www.ietf.org/rfc/rfc2616.txt –http://www2002.org/CDROM/refereed/444/ URI/L/Ns –http://www.ietf.org/rfc/rfc2396.txt HTML –http://www.w3.org/TR/html401/

Web basics HTTP – – URI/L/Ns – HTML –
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.

Detecting Fraudulent Clicks From BotNets 2.0 Adam Barth Joint work with Dan Boneh, Andrew Bortz, Collin Jackson, John Mitchell, Weidong Shao, and Elizabeth.
Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.

Definition : Computer Virus A computer program with the characteristic feature of being able to generate copies of itself, and thereby spread. Additionally.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
1 Web Content Delivery Reading: Section 9.2.2 and 9.4.3 COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
Proxy Servers CS-480b Dick Steflik Proxy Servers Part of an overall Firewall strategy Sits between the local network and the external network Originally.

Proxy Servers CS-480b Dick Steflik Proxy Servers Part of an overall Firewall strategy Sits between the local network and the external network Originally.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.

Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.

Similar presentations

Ads by Google