Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Systematic Approach to Uncover Security Flaws in GUI Logic 2008. 03. 31 Distributed Multimedia Computing Lab. Minjae Cho

Published byMorgan King Modified over 9 years ago

Similar presentations

Presentation on theme: "A Systematic Approach to Uncover Security Flaws in GUI Logic 2008. 03. 31 Distributed Multimedia Computing Lab. Minjae Cho"— Presentation transcript:

1 A Systematic Approach to Uncover Security Flaws in GUI Logic 2008. 03. 31 Distributed Multimedia Computing Lab. Minjae Cho popeye@ece.hanyang.ac.kr

2 A Systematic Approach to Uncover Security Flaws in GUI Logic Paper Information Title A Systematic Approach to Uncover Security Flaws in GUI Logic Authors Shuo Chen †, José Meseguer ‡, Ralf Sasse † ‡, Helen J. Wang †, Yi-Min Wang † † Systems and Networking Group, Microsoft Research ‡ Dept. of Computer Science, University of Illinois at Urbana-Champaign Published IEEE Symposium on Security and Privacy 2007(SP ’07)

3 A Systematic Approach to Uncover Security Flaws in GUI Logic The Conference Information Claremont Resort, Berkeley, Oakland, CA 2007/05/20 ~ 2007/05/23 http://www.ieee-security.org/TC/SP2007/oakland07.html

4 A Systematic Approach to Uncover Security Flaws in GUI Logic Contents Introduction Visual Spoofing Motivation and Goal Overview of Methodology Status bar Spoofing Address bar Spoofing Conclusions Contributions Bug reporting for IE7

5 A Systematic Approach to Uncover Security Flaws in GUI Logic Visual Spoofing: A Serious Security Problem A simple equation 1000 miles × trusted + 20 inches × untrusted = untrusted Examples: status bar spoofing and address bar spoofing IE, Firefox and Netscape all have security flaws in GUI. 1000 miles, trusted Web server 20 inches, Untrusted

6 A Systematic Approach to Uncover Security Flaws in GUI Logic Research motivation and goal GUI behaviors are driven by complex logic E.g., how to handle mouse messages and update the status bar, how to update the address bar during navigations Need a systematic approach to examine its correctness Goal: to apply formal methods to reason about GUI logic in order to proactively uncover browser spoofing bugs.

7 A Systematic Approach to Uncover Security Flaws in GUI Logic Overview of Our Approach Execution context System state Program Logic (pseudo code) The modeled system User’s action sequence Program invariant Reasoning Engine (The Maude System: a rewriting logic engine) Visual invariant Source code of browser GUI violation Potential spoofing scenarios Real spoofing scenarios Real world Formal world (d) (e) (c) (a) (b) (f)

8 A Systematic Approach to Uncover Security Flaws in GUI Logic Case study: status bar spoofing: basic concepts status bar <a><a> Page My button Toward the user Document Object Model Tree (DOM Tree) Page layout Element stacks

9 A Systematic Approach to Uncover Security Flaws in GUI Logic Case Study: status bar spoofing: mouse handling logic In status bar spoofing, only three raw mouse messages are relevant MouseMove, LeftButtonDown, LeftButtonUp Each HTML element has three virtual methods HandleMessage, DoClick, ClickAction Pseudo code in the paper Every element has different behavior about updating the status bar ( SetStatusText ) and navigating to the target URL ( FollowHyperlink ). Message bubbling (passing the mouse message to the parent element) Every element can decide whether to continue the bubbling or cancel the bubbling We used Maude to model the source code of the mouse handling logic

10 A Systematic Approach to Uncover Security Flaws in GUI Logic Case Study: status bar spoofing: finding attacks System state: status bar URL, user memorized URL User action sequence: MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp (only need two MouseMoves because status bar is memoryless, a sequence of MouseMoves is equivalent to one MouseMove) (canonicalized) Execution context: DOM tree structures (canonicalized) (at most two branches, corresponding to two MouseMoves) Program invariant: at the time of the function call FollowHyperlink(targetURL), targetURL = user memorized URL Use Maude to search for spoofing scenarios

11 A Systematic Approach to Uncover Security Flaws in GUI Logic Examples of Status Bar Spoofs All because of unexpected combinations of element behaviors input field anchor form paypal.com form target = foo.com anchor target = paypal.com image button form paypal.com form target = foo.com image target = paypal.com Element stack Element layouts label anchor label’s target = foo.com anchor’s target = paypal.com image label img’s target = paypal.com label’s target = foo.com

12 A Systematic Approach to Uncover Security Flaws in GUI Logic Case Study: address bar spoofing: basic concepts (browser, renderer, frame, markup) Renderer Frame1 from PayPal Browser. http://MySite.com Current Markup Pending Markup PrimaryFrame from MySite.com Frame2 from MSN

13 A Systematic Approach to Uncover Security Flaws in GUI Logic Pseudo code model: loading a new page FollowHyperlink start navigation ready PostMan Event queue SetInteractive NavigationComplete SetAddressBar SwitchMarkup onPaint EnsureView RenderView Posting an event Calling a function ensure Invoking a handler (Posted by OS)

14 A Systematic Approach to Uncover Security Flaws in GUI Logic Pseudo code model: history travel start navigation ready PostMan Event queue SetInteractive NavigationComplete SetAddressBar SwitchMarkup onPaint EnsureView RenderView ensure History_Back Travel LoadHistory Posting an event Calling a function Invoking a handler (Posted by OS)

15 A Systematic Approach to Uncover Security Flaws in GUI Logic Pseudo code model: opening a page in a new window CreatePendingDocObject start-loading LoadDocument Event queue Load CreateMarkup SetAddressBar LoadFromInfo CreateRenderer WindowOpen PostMan download- content SetClientSite InitDocHost SwitchMarkup

16 A Systematic Approach to Uncover Security Flaws in GUI Logic Case Study: Address Bar Spoofing System state: PrimaryFrame, other frames, current markups, pending markups, address bar URL... User action sequence: Page loading, history traveling and window opening Execution context: A set of Boolean conditions affecting the execution path Program invariant: The address bar should display the URL of the current markup of the primary frame.

17 A Systematic Approach to Uncover Security Flaws in GUI Logic Discovered Address Bar Spoof (An Atomicity Bug) 1.Load a real paypal page, then loads a page from evil.com https://paypal.com https://evil.com#xxxxx...xxxxxxx > 4000 characters (=buffer size) 2. When switched in new page, browser cannot update the address bar because the URL is longer than buffer size.

18 A Systematic Approach to Uncover Security Flaws in GUI Logic Discovered address bar spoof (a race condition) https://evil.com https://paypal.com c:\windows\system32\shdoclc.dl l?http History back Load a new page 1.Load evil page 2.Then load error page 3. Exploiting Race condition to history back and new page at the same time

19 A Systematic Approach to Uncover Security Flaws in GUI Logic Conclusions Contributions Formulated GUI logic correctness as a new research problem Proposed a systematic approach to proactively uncover security flaws in browser GUI Demonstrated the benefit of the systematic approach to the GUI implementation. The approach is not IE specific. Other browsers (e.g., Firefox, Opera, Netscape, etc) Non-browser applications (e.g., Outlook, Outlook Express)

20 A Systematic Approach to Uncover Security Flaws in GUI Logic Summary of bug reporting for IE 7 Found many new scenarios for the status bar spoofing, filed them as 9 bugs against IE. All fixed before IE7 RC 1 (release candidate 1). 4 new scenarios of the address bar spoofing Non-atomic update of the address bar (2 bugs) Non-atomic update of the content area Race condition: multiple frames compete to be the primary IE team has fixed two, and proposed the fixes for the other 2 to go into the next version.

Download ppt "A Systematic Approach to Uncover Security Flaws in GUI Logic 2008. 03. 31 Distributed Multimedia Computing Lab. Minjae Cho"

Similar presentations

4/11/2007 and 4/12/2007 Purdue University and University of Illinois at Urbana-Champaign Browser Security: A New Research Territory Shuo Chen Cybersecurity.

4/11/2007 and 4/12/2007 Purdue University and University of Illinois at Urbana-Champaign Browser Security: A New Research Territory Shuo Chen Cybersecurity.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.

1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.
User Centered Web Site Engineering Part 2. Iterative Process of User-Centered Web Engineering Prototype Evaluate Discovery Maintenance Implementation.

User Centered Web Site Engineering Part 2. Iterative Process of User-Centered Web Engineering Prototype Evaluate Discovery Maintenance Implementation.
Chapter 16 Dynamic HTML and Animation The Web Warrior Guide to Web Design Technologies.

Chapter 16 Dynamic HTML and Animation The Web Warrior Guide to Web Design Technologies.
1 Shuo Chen ISRC, MSR March 2008. 2 Browser security is still very broad. I usually differentiate three types of issues – their causes and potential solutions.

1 Shuo Chen ISRC, MSR March Browser security is still very broad. I usually differentiate three types of issues – their causes and potential solutions.
Understanding Computers, Ch. 21 Chapter 2 Using Your PC, Windows, and the Web.

Understanding Computers, Ch. 21 Chapter 2 Using Your PC, Windows, and the Web.
CM143 - Web Week 2 Basic HTML. Links and Image Tags.

CM143 - Web Week 2 Basic HTML. Links and Image Tags.
JavaScript 101 Lesson 5: Introduction to Events. Lesson Topics Event driven programming Events and event handlers The onClick event handler for hyperlinks.

JavaScript 101 Lesson 5: Introduction to Events. Lesson Topics Event driven programming Events and event handlers The onClick event handler for hyperlinks.
Chapter 9 Introduction to the Document Object Model (DOM) JavaScript, Third Edition.

Chapter 9 Introduction to the Document Object Model (DOM) JavaScript, Third Edition.
Chapter 1 Getting Started With Dreamweaver. Explore the Dreamweaver Workspace The Dreamweaver workspace is where you can find all the tools to create.

Chapter 1 Getting Started With Dreamweaver. Explore the Dreamweaver Workspace The Dreamweaver workspace is where you can find all the tools to create.
User Centered Web Site Engineering Part 2. Developing Site Structure & Content Content View Addressing content Outlining content Creating a content delivery.

User Centered Web Site Engineering Part 2. Developing Site Structure & Content Content View Addressing content Outlining content Creating a content delivery.
THE BASICS OF THE WEB Davison Web Design. Introduction to the Web Main Ideas The Internet is a worldwide network of hardware. The World Wide Web is part.

THE BASICS OF THE WEB Davison Web Design. Introduction to the Web Main Ideas The Internet is a worldwide network of hardware. The World Wide Web is part.
4.1 JavaScript Introduction

4.1 JavaScript Introduction
_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.

_______________________________________________________________________________________________________________ E-Commerce: Fundamentals and Applications1.
JavaScript and The Document Object Model MMIS 656 Web Design Technologies Acknowledgements: 1.Notes from David Shrader, NSU GSCIS 2.Some material adapted.

JavaScript and The Document Object Model MMIS 656 Web Design Technologies Acknowledgements: 1.Notes from David Shrader, NSU GSCIS 2.Some material adapted.
Samuvel Johnson 1286120 2 nd MCA B. Contents  Introduction to Real-time systems  Two main types of system  Testing real-time software  Difficulties.

Samuvel Johnson nd MCA B. Contents  Introduction to Real-time systems  Two main types of system  Testing real-time software  Difficulties.
Chapter 6: Forms JavaScript - Introductory. Previewing the Product Registration Form.

Chapter 6: Forms JavaScript - Introductory. Previewing the Product Registration Form.
Lecturer: Ghadah Aldehim

Lecturer: Ghadah Aldehim

Similar presentations

Ads by Google