Web Browser Security
description
Transcript of Web Browser Security
Web Browser SecurityJohn Mitchell
CS 155 Spring 2006
Course ScheduleProjects Proj 1: Assigned April 11, Due April 27 Proj 2: Assigned May 2, Due May 18 Proj 3: Assigned May 18, Due June 8 No Late
Days Homework HW 1: Assigned April 20, Due May 4 HW 2: Assigned May 11, Due May 25 HW 3: no HW3 this year
OutlineBrowser review
Bugs happen HTTP, scripts, events, DOM Session state and cookies
Protecting the browser environment Execution sandbox Access policies, signed scripts
Privacy and confidentiality for sensitive information
Protecting the file system, OS, platform Protecting information associated with other browser
processes (e.g., other windows) Protecting the user against deception Protecting against traffic analysis
Browser and Network
Browser
Network
Browser sends requests May reveal private information (in forms, cookies)
Browser receives information, code May corrupt state by running unsafe code
Interaction susceptible to network attacks Consider network security later in the course
OSHardware
Web site
request
reply
Microsoft Issues New IE Browser Security Patch By Richard Karpinski Microsoft has released a security patch that closes
some major holes in its Internet Explorer browser The so-called "cumulative patch" fixes six different
IE problems ... Affected browsers include Internet Explorer 5.01,
5.5 and 6.0. Microsoft rated the potential security breaches as
"critical."
Tuesday, February 12, 2002
Feb 2002 patch addresses: A buffer overrun associated with an HTML
directive ... Hackers could use this breach to run malicious code on a user's system.
A scripting vulnerability that would let an attacker read files on a user's systems.
A vulnerability related to the display of file names ... Hackers could … misrepresent the name of a file ... and trick a user into downloading an unsafe file.
A vulnerability that would allow a Web page to improperly invoke an application installed on a user's system to open a file on a Web site.
… more …
MS announced 20 vulnerabilities on April 13, 2004 !!!
And then again last year, …Windows Security Updates Summary for April
2005Published: April 12, 2005 A security issue has been identified that
could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.
Microsoft Security Bulletin MS06-013, April 2006
Browser security topicsReview HTTP, scriptingControlling outgoing information
Cookies Cookie mechanism, JunkBuster
Routing privacy Anonymizer, Crowds
Privacy policy – P3PRisks from incoming executable code
JavaScript ActiveX Plug-ins Java
HyperText Transfer ProtocolUsed to request and return data Methods: GET, POST, HEAD, …
Stateless request/response protocol Each request is independent of previous
requests Statelessness has a significant impact on
design and implementation of applications Evolution HTTP 1.0: simple HTTP 1.1: more complex
HTTP
GET /default.asp HTTP/1.0Accept: image/gif, image/x-bitmap, image/jpeg, */*Accept-Language: enUser-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)Connection: Keep-AliveIf-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT
HTTP RequestMethod File HTTP version Headers
Data – none for GETBlank line
HTTP/1.0 200 OKDate: Sun, 21 Apr 1996 02:20:42 GMTServer: Microsoft-Internet-Information-Server/5.0 Connection: keep-aliveContent-Type: text/htmlLast-Modified: Thu, 18 Apr 1996 17:39:05 GMTContent-Length: 2543 <HTML> Some data... blah, blah, blah </HTML>
HTTP ResponseHTTP version Status code Reason phrase Headers
Data
HTTP Server Status CodesCode
Description
200 OK201 Created301 Moved Permanently302 Moved Temporarily400 Bad Request – not
understood401 Unauthorized403 Forbidden – not
authorized404 Not Found500 Internal Server Error
Return code 401 Used to indicate
HTTP authorization
HTTP authorization has serious problems!!!
HTML and Scripting<html> … <P> <script>
var num1, num2, sumnum1 = prompt("Enter first number")num2 = prompt("Enter second number")sum = parseInt(num1) + parseInt(num2)alert("Sum = " + sum)
</script>…
</html>
Browser receives content, displays HTML and executes scripts
Events<script type="text/javascript"> function whichButton(event) {
if (event.button==1) {alert("You clicked the left mouse
button!") }else {
alert("You clicked the right mouse button!")
}}</script>…<body onmousedown="whichButton(event)">…</body>
Mouse event causes page-defined function to be called
Other events: onLoad, onMouseMove, onKeyPress, onUnLoad
Document object model (DOM)
Object-oriented interface used to read and write documents
web page in HTML is structured data DOM provides representation of this hierarchy
Examples Properties: document.alinkColor, document.URL,
document.forms[ ], document.links[ ], document.anchors[ ]
Methods: document.write(document.referrer)
Also Browser Object Model (BOM) Window, Document, Frames[], History, Location,
Navigator (type and version of browser)
Need for session state
www.e_buy.com
www.e_buy.com/shopping.cfm?
pID=269
View Catalog
www.e_buy.com/shopping.cfm?
pID=269&item1=102030405
www.e_buy.com/checkout.cfm?
pID=269&item1=102030405
Check outSelect Item
Store session information in URL; Easily read on network
Store info across sessions?Cookies A cookie is a file created by an
Internet site to store information on your computerBrowser Server
Enters form data
Stores cookie
Browser ServerRequests cookie
Returns data
Http is stateless protocol; cookies add state
Cookie A named string stored by the browser Accessible as property of the Document object Can be read and written entirely on client side
using JavascriptAccessibility persists for the duration of the browser session
(but an expiration date may be given) is associated with the subtree of the document
that created it (but a cookie path may be specified)
is accessible to pages on the server that created it (but a cookie domain may be declared)
Browser security risksCompromise host Write to file system Interfere with other processes in browser
environmentSteal information Read file system Read information associated with other
browser processes (e.g., other windows) Fool the user Reveal information through traffic analysis
Browser sandboxIdea Code executed in browser has only
restricted access to OS, network, and browser data structures
Isolation Similar to OS process isolation,
conceptually Browser is a “weak” OS Same-origin principle
Browser “process” consists of related pages and the site they come from
Same-Origin PrincipleBasic idea Only the site that stores some information
in the browser may later read or modify that information (or depend on it in any way).
Details What is a “site”?
URL, domain, pages from same site … ? What is “information”?
cookies, document object, cache, … ? Default only: users can set other policies
No way to keep sites from sharing information
JavaGeneral programming languageWeb pages may contain Java code Java executed by Java Virtual Machine Special security measures associated
with Java code from remote URLsJavascript, other security models are based on Java security model
Java AppletLocal windowDownload Seat map Airline data
Local data User profile Credit card
Transmission Select seat Encrypted msg
Mobile code security mechanisms
Examine code before executing Java bytecode verifier performs critical tests
Interpret code and trap risky operations Java bytecode interpreter does run-time
tests Security manager applies local access policy
Security manager policy based on Site that suppplied the code Code signing – who signed it?
A.classA.java JavaCompiler
B.class
Loader
Verifier
Linker
Bytecode Interpreter
Java Virtual Machine
Compile source code
Network
Java Virtual Machine Architecture
Class loaderRuntime system loads classes as needed When class is referenced, loader searches for
file of compiled bytecode instructionsDefault loading mechanism can be replaced Define alternate ClassLoader object
Extend the abstract ClassLoader class and implementation
Can obtain bytecode from network VM restricts applet communication to site that
supplied applet
VerifierBytecode may not come from standard compiler Evil hacker may write dangerous bytecode
Verifier checks correctness of bytecode Every instruction must have a valid operation code Every branch instruction must branch to the start of
some other instruction, not middle of instruction Every method must have a structurally correct
signature Every instruction obeys the Java type discipline
Last condition is fairly complicated .
Type Safety of JVMLoad-time type checkingRun-time type checking All casts are checked to make sure type safe All array references are checked to be within bounds References are tested to be not null before
dereferenceAdditional features Automatic garbage collection NO pointer arithmetic
If program accesses memory, the memory is allocated to the program and declared with correct type
How do we know verifier is correct?
Many early attacks based on verifier errorsFormal studies prove correctness Abadi and Stata Freund and Mitchell
Found error in initialize-before-use analysis
JVM uses stack machineJavaClass A extends Object { int i void f(int val) { i = val +
1;}}
BytecodeMethod void f(int) aload 0 ; object ref this iload 1 ; int val iconst 1 iadd ; add val +1 putfield #4 <Field int i> return
data area
local variabl
es
operandstack
Return addr, exception info, Const pool res.
JVM Activation Record
refers to const pool
Java Object Initialization
No easy pattern to match.Multiple refs to same uninitialized object.
Bug in Sun’s JDK 1.1.4Example:
variables 1 and 2 contain references to two different objects,verifier thinks they are aliases
Security ManagerJava library functions call security managerSecurity manager object answers at run time Decide if calling code is allowed to do
operation Examine protection domain of calling class
Signer: organization that signed code before loading Location: URL where the Java classes came from
Uses the system policy to decide access permission
Stack Inspection Permission depends on Permission of calling
method Permission of all methods
above it on stack Up to method that is trusted
and asserts this trust
Many details omitted
java.io.FileInputStream
method f
method g
method h
Stories: Netscape font / passwd bug; Shockwave plug-in
ActiveXActiveX controls reside on client's machine, activated by HTML object tag on the page ActiveX controls are not interpreted by browser Compiled binaries executed by client OS Controls can be downloaded and installed
Security model relies on three components Digital signatures to verify source of binary IE policy can reject controls from network zones Controls marked by author as safe for initialization,
safe for scripting which affects the way control usedOnce accepted, installed and started, no control over execution
Installing Controls
If you install and run, no further control over the code. In principle, browser/OS could apply sandboxing, other techniques for containing risks in native code. But don’t
count on it.
Risks associated with controls
MSDN Warning An ActiveX control can be an extremely insecure way
to provide a featureWhy?
A COM object, control can do any user action read and write Windows registry access the local file system
Other web pages can attack a control Once installed, control can be accessed by any page Page only needs to know class identifier (CLSID)
Recommendation: use other means if possible
http://msdn.microsoft.com/library/default.asp?url=/code/list/ie.asp
IE Browser Helper Objects (Extensions)
COM components loaded when IE starts upRun in same memory context as the browserPerform any action on IE windows and modules Detect browser events
GoBack, GoForward, and DocumentComplete Access browser menu, toolbar and make changes Create windows to display additional information Install hooks to monitor messages and actions
Summary: No protection from extensions
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp
JavaScriptExecuted by browserUsed in many attacks (to exploit other vulnerabilities) Cookie attack from earlier slide (08 Nov 2001):
With the assistance of some JavaScript code, an attacker could construct a Web page or HTML-based e-mail that could access any cookie in the browser's memory or those stored on disk ...
JavaScript runs Before the HTML is loaded, before the document is
viewed While the document is viewed, or as the browser is
leaving
Javascript Security Model“Sandbox” design (at least conceptually) No direct file access or network access
Same-origin policy Can only read properties of documents and
windows from same place: server, protocol, port
Access control with signed scripts User can grant privileges to signed scripts
UniversalBrowserRead/Write UniversalFileread, UniversalSendMail
Reference: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/
Examples, assuming www.example.com
URL of Target Window
Result of Same Origin Check with www.example.com Reason
http://www.example.com/ index.html
Passes Same domain and protocol
http://www.example.com/ other1/other2/index.html
Passes Same domain and protocol
http://www.example.com:8080/dir/page.html
Does not pass Different port
http://www2.example.com/ dir/page.html
Does not pass Different server
http://otherdomain.com/ Does not pass Different domain
ftp://www.example.com/ Does not pass Different protocol
Same-origin check applies to access to window object of other frames, etc.
Same-origin checkExample Javascript var w = window.open(http://www.google.com);
// After 10 seconds, see what URL they're looking atvar snoopedURL;setTimeout("snoopedURL = w.location.href)", 10 * 1000);
What should this do? Succeed if loaded from www.google.com, or origin of
whatever page is being viewed Fail otherwise? Some browsers don’t fail
Script on page can reset domain To more general domain than actual source of page Allows other scripts to access that document
properties without violating the same-origin policy
Problems with S-O PrinciplePoorly enforced on some browsers Particularly older browsers
Limitations if site hosts unrelated pages Example: Web server often hosts sites for
unrelated parties http://www.example.com/account/ http://www.example.com/otheraccount/
Same-origin policy, allows script on one page to access properties of document from another
Finer grained control using signed scripts See article for more info
LiveConnectNetscape-supported interaction between Java applets, plugins, and JavaScript JavaObject is a JavaScript wrapper on Java
object JSObject is a Java on a JavaScript object
Question What kind of same-origin policy do we get
here?
Browser Cookie ManagementCookie Same-origin ownership Once a cookie is saved on your computer, only
the Web site that created the cookie can read it.Variations Temporary cookies
Stored until you quit your browser Persistent cookies
Remain until deleted or expire Third-party cookies
Originates on or sent to a web site other than the one that provided the current page
Third-party cookiesGet a page from merchant.com
Contains <img src=http://doubleclick.com/advt.gif> Image fetched from DoubleClick.com
DoubleClick knows IP address and page you were looking atDoubleClick sends back a suitable advertisement
Stores a cookie that identifies "you" at DoubleClickNext time you get page with a doubleclick.com image
Your DoubleClick cookie is sent back to DoubleClick DoubleClick could maintain the set of sites you viewed Send back targeted advertising (and a new cookie)
Cooperating sites Can pass information to DoubleClick in URL, …
Example: Mortgage Center
<html><title>Mortgage Center</title><body>… http://www.loanweb.com/ad.asp?RLID=0b70at1ep0k9
What’s this?
Cookie issues Cookies maintain record of your browsing
habits Cookie stores information as set of name/value pairs May include any information a web site knows about
you Sites track your activity from multiple visits to site
Sites can share this information (e.g., DoubleClick)
Browser attacks could invade your “privacy”08 Nov 2001 Users of Microsoft's browser and e-mail programs could be
vulnerable to having their browser cookies stolen or modified due to a new security bug in Internet Explorer (IE), the company warned today.
Managing cookie policy via proxy
Browser ProxyNetwork
Proxy intercepts request and response May modify cookies before sending to BrowserCan do other checks: filter ads, block sites, etc.
Cookie Jar
Sample Proxy: Cookie management by policy in cookiefile Default: all cookies are silently crunched Options
Allow cookies only to/from certain sites Block cookies to browser (but allow to server) Send vanilla wafers instead
Block URLs matching any pattern in blockfile Example: pattern /*.*/ad matches
http://nomatterwhere.com/images/advert/g3487.gif
Easy to write your own http proxy; you can try this at home
Fooling the user
password?
Sends email: “There is a problem with your eBuy account”
User clicks on email link to www.ebuj.com.
User thinks it is ebuy.com, enters eBuy username and password.
Password sent to bad guy
Some Stanford projectsPassword phishing
Common password problem
Keylogger spyware
Transaction generator spyware
SafeHistory
PwdHash
SpyBlock (no server changes)
SpyBlock (with server changes)
SafeCacheSpoofGuard
Password Phishing Problem
User cannot reliably identify fake sitesCaptured password can be used at target site
Bank A
Fake Site
pwdApwdA
Common Password Problem
Phishing attack or break-in at site B reveals pwd at A
Server-side solutions will not keep pwd safe Solution: Strengthen with client-side support
Bank A
low security site
high security site
pwdA
pwdB
= pwdA
Site B
Password Hashing
Generate a unique password per site HMACfido:123(banka.com) Q7a+0ekEXb HMACfido:123(siteb.com) OzX2+ICiqc
Hashed password is not usable at any other site Protects against password phishing Protects against common password problem
Bank A
hash(pwdB, SiteB)
hash(pwdA, BankA)
Site B
pwdA
pwdB
=
Password Hashing: a popular idea
Recent password hashing projects:
Similar hashing algorithmsOnly PwdHash defends against spoofing and is invisible to the user
Site PasswordPassword MakerGenpass
PasswdletPassword Composer
Magic Password GeneratorPwdHash
Password Generator Extension
The Spoofing ProblemJavaScript can display password fields or dialogs:
Unhashed password sent to attacker in clear
Password Prefix
Original pwdshould never be visibleto web page
OzX2+ICiqc Site B
@@fido:123
@@fido:123 @@abcdefgh
Password Prefix: How it worksNormal operation: Prefix in password field
Abnormal operation: Prefix in non-password field
Can just ignore the prefix and not hash Remind user not to enter password
@@fido:123 @@abcdefgh **********abcdefgh fido:123
HMACfido:123(siteb.com) Q7a+0ekEXb
PwdHash protection problemProblem Javascript on malicious web page can try to
intercept user password from PwdHash Javascript attacks
Script activated with user changes focus Script can read input, may run before PwdHash
Keyboard monitoring and logging Spoof parts of web browser UI Communicate across network
Solution Implement keystroke logger in PwdHash
The Perfect Phishing EmailBank of America customers see: “Click here to see your Bank of
America statement”Wells Fargo customers see: “Click here to see your Wells Fargo
statement”Works in Outlook; behavior is by design
Fooling the user using browser state
Reading browser historyCSS properties of hyperlinksCan also use cache-based techniques
Violation of the same-origin principle:“One site cannot use information belonging to another site.”
Visited link trackingVisited links displayed in different color (74% of sites)
Information easily accessible by javascriptAttacks also without javascript
Bank logo images are stacked on top of each other CSS rules cause the un-visited links to vanish Page displays bank logo of site that user has visited
<html><head><style> a { position:absolute; border:0; } a:link { display:none } </style></head><body><a href='http://www.bankofamerica.com/'><img src='bankofamerica.gif'></a><a href='https://www.wellsfargo.com/'><img src='wellsfargo.gif'></a><a href='http://www.usbank.com/'><img src='usbank.gif'></a>...</body></html>
http://www.safehistory.com/
Preserving web privacyYour IP address may be visible to web sites This may reveal your employer, ISP, etc. Can link activities on different sites, different
timesCan you prevent sites from learning about you? Anonymizer
Single site that hides origin of web request Crowds
Distributed solution
Browsing Anonymizers
Web Anonymizer hides your IP address
What does anonymizer.com know about you?
Browser ServerAnonymizer
www.anonymizer.com/cgi-bin/redirect.cgi?
url=…
Related approach to anonymity
Hide source of messages by routing them randomlyRouters don’t know for sure if the apparent source of the message is the actual sender or simply another router
Only secure against local attackers!Existing systems: Freenet, Crowds, etc.
Crowds [Reiter,Rubin ‘98]
C C4
C1C2
C
CCC3
C0sender recipient
CC
CCpf
1-pf
Sender randomly chooses a path through the crowdSome routers are honest, some corruptAfter receiving a message, honest router flips a coin
With probability Pf routes to the next member on the path With probability 1- Pf sends directly to the recipient
What Does Anonymity Mean? Beyond suspicion The observed source of the message is no more
likely to be the actual sender than anybody elseProbable innocence Probability <50% that the observed source of
the message is the actual sender
Possible innocence Non-trivial probability that the observed source
of the message is not the actual sender
Guaranteed by Crowds if there aresufficiently few corrupt routers
How web sites use your information
You may enter information to buy product Name, address, credit card number, …
How will web site use this information Charge your card and mail your purchase Give sales information to other businesses?
Platform for privacy preferences (P3P) Framework for reaching agreement on use of
personal information Enforcement at server side is another matter…
Basic P3P Concepts
useragent
user datarepository
preferences
service
proposal
agreementuser
datapractices
Credit: Lorrie Cranor
A Simple P3P Conversation
useragent service
User agent: Get index.htmlService: Here is my P3P proposal - I collect click-
stream data and computer information for web site and system administration and customization of site
User agent: OK, I accept your proposalService: Here is index.html