
Source: Web Browser Security, Stanford University, crypto.stanford.edu/cs155old/cs155-spring06/09-web-browser.pdf

Web Browser Security

John Mitchell

CS 155 Spring 2006

Course Schedule

Projects
  Proj 1: Assigned April 11, Due April 27
  Proj 2: Assigned May 2, Due May 18
  Proj 3: Assigned May 18, Due June 8
  No Late Days

Homework
  HW 1: Assigned April 20, Due May 4
  HW 2: Assigned May 11, Due May 25
  HW 3: no HW3 this year

Outline

Browser review
  Bugs happen
  HTTP, scripts, events, DOM
  Session state and cookies

Protecting the browser environment
  Execution sandbox
  Access policies, signed scripts

Privacy and confidentiality for sensitive information
  Protecting the file system, OS, platform
  Protecting information associated with other browser processes (e.g., other windows)
  Protecting the user against deception
  Protecting against traffic analysis

Browser and Network

[Diagram: Browser, running on the OS and hardware, sends a request over the Network to a Web site and receives a reply]

Browser sends requests
  May reveal private information (in forms, cookies)

Browser receives information, code
  May corrupt state by running unsafe code

Interaction susceptible to network attacks
  Consider network security later in the course


Microsoft Issues New IE Browser Security Patch
By Richard Karpinski

Microsoft has released a security patch that closes some major holes in its Internet Explorer browser. The so-called "cumulative patch" fixes six different IE problems ... Affected browsers include Internet Explorer 5.01, 5.5 and 6.0. Microsoft rated the potential security breaches as "critical."

Tuesday, February 12, 2002

Feb 2002 patch addresses:
  A buffer overrun associated with an HTML directive ... Hackers could use this breach to run malicious code on a user's system.
  A scripting vulnerability that would let an attacker read files on a user's systems.
  A vulnerability related to the display of file names ... Hackers could … misrepresent the name of a file ... and trick a user into downloading an unsafe file.
  A vulnerability that would allow a Web page to improperly invoke an application installed on a user's system to open a file on a Web site.
  … more …

MS announced 20 vulnerabilities on April 13, 2004 !!!

And then again last year, …

Windows Security Updates Summary for April 2005
Published: April 12, 2005

A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Microsoft Security Bulletin MS06-013, April 2006

Browser security topics

Review HTTP, scripting

Controlling outgoing information
  Cookies
    Cookie mechanism, JunkBuster
  Routing privacy
    Anonymizer, Crowds
  Privacy policy – P3P

Risks from incoming executable code
  JavaScript
  ActiveX
  Plug-ins
  Java

HyperText Transfer Protocol

Used to request and return data
  Methods: GET, POST, HEAD, …

Stateless request/response protocol
  Each request is independent of previous requests
  Statelessness has a significant impact on design and implementation of applications

Evolution
  HTTP 1.0: simple
  HTTP 1.1: more complex


HTTP Request

  GET /default.asp HTTP/1.0
  Accept: image/gif, image/x-bitmap, image/jpeg, */*
  Accept-Language: en
  User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
  Connection: Keep-Alive
  If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT

Request line: Method, File, HTTP version; then Headers; then a blank line; then Data (none for GET)

HTTP Response

  HTTP/1.0 200 OK
  Date: Sun, 21 Apr 1996 02:20:42 GMT
  Server: Microsoft-Internet-Information-Server/5.0
  Connection: keep-alive
  Content-Type: text/html
  Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
  Content-Length: 2543

  <HTML> Some data... blah, blah, blah </HTML>

Status line: HTTP version, Status code, Reason phrase; then Headers; then a blank line; then Data

HTTP Server Status Codes

  Code  Description
  200   OK
  201   Created
  301   Moved Permanently
  302   Moved Temporarily
  400   Bad Request – not understood
  401   Unauthorized
  403   Forbidden – not authorized
  404   Not Found
  500   Internal Server Error

Return code 401
  Used to indicate HTTP authorization
  HTTP authorization has serious problems!!!

HTML and Scripting

  <html>
  …
  <P>
  <script>
    var num1, num2, sum
    num1 = prompt("Enter first number")
    num2 = prompt("Enter second number")
    sum = parseInt(num1) + parseInt(num2)
    alert("Sum = " + sum)
  </script>
  …
  </html>

Browser receives content, displays HTML and executes scripts

Events

  <script type="text/javascript">
  function whichButton(event) {
    if (event.button == 1) {   // 1 is the left button in the IE event model assumed here
      alert("You clicked the left mouse button!")
    } else {
      alert("You clicked the right mouse button!")
    }
  }
  </script>
  …
  <body onmousedown="whichButton(event)">
  …
  </body>

Mouse event causes page-defined function to be called

Other events: onLoad, onMouseMove, onKeyPress, onUnLoad

Document object model (DOM)

Object-oriented interface used to read and write documents

  web page in HTML is structured data
  DOM provides representation of this hierarchy

Examples
  Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
  Methods: document.write(document.referrer)

Also Browser Object Model (BOM)
  Window, Document, Frames[], History, Location, Navigator (type and version of browser)


Need for session state

[Diagram: user moves through www.e_buy.com
  View Catalog  →  www.e_buy.com/shopping.cfm?pID=269
  Select Item   →  www.e_buy.com/shopping.cfm?pID=269&item1=102030405
  Check out     →  www.e_buy.com/checkout.cfm?pID=269&item1=102030405]

Store session information in URL; Easily read on network

Store info across sessions?

Cookies
  A cookie is a file created by an Internet site to store information on your computer

[Diagram: Browser enters form data → Server; Server stores cookie at Browser; later Server requests cookie and Browser returns data]

HTTP is stateless protocol; cookies add state

Cookie
  A named string stored by the browser
  Accessible as property of the Document object
  Can be read and written entirely on client side using Javascript

Accessibility
  persists for the duration of the browser session (but an expiration date may be given)
  is associated with the subtree of the document that created it (but a cookie path may be specified)
  is accessible to pages on the server that created it (but a cookie domain may be declared)
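The three accessibility rules above (session vs. expiration date, path subtree, setting host vs. declared domain) decide which stored cookies a browser attaches to a request. This is an added example, not code from the lecture; it follows RFC 6265 matching, and the cookie jar and URLs in it are constructed.

```javascript
// Added example, not from the lecture: which stored cookies a browser attaches
// to a request, applying the three scoping rules on the slide (session vs.
// expiry date, path subtree, setting host vs. declared domain). Matching
// follows the RFC 6265 rules; the cookie jar and URLs below are constructed.

// Parse one Set-Cookie header value. setHost/setPath describe the document
// that set the cookie and supply the defaults when no attribute is given.
// Returns null when the declared Domain does not cover the setting host:
// that is how a browser stops a site from planting cookies for other sites.
function parseSetCookie(header, setHost, setPath) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: setHost, hostOnly: true,   // no Domain attribute: exact host only
    path: setPath, expires: null,      // expires null = session cookie
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    switch (k.toLowerCase()) {
      case 'domain': {
        const d = v.replace(/^\./, '').toLowerCase();
        if (!(setHost === d || setHost.endsWith('.' + d))) return null;
        cookie.domain = d; cookie.hostOnly = false; break;
      }
      case 'path': cookie.path = v; break;
      case 'expires': cookie.expires = new Date(v); break;
    }
  }
  return cookie;
}

function domainMatches(host, c) {
  return c.hostOnly ? host === c.domain : host === c.domain || host.endsWith('.' + c.domain);
}

// Path-match: request path equals the cookie path, or lies under it.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Names of the jar's cookies the browser would send with a request for url
// at time now; session cookies survive only while sessionOpen is true.
function cookiesFor(jar, url, now, sessionOpen) {
  const u = new URL(url);
  return jar
    .filter(c => (c.expires ? c.expires > now : sessionOpen))
    .filter(c => domainMatches(u.hostname, c) && pathMatches(u.pathname, c.path))
    .map(c => c.name);
}

// Constructed jar: cookies set by a page at http://www.example.com/account/
const SET_HOST = 'www.example.com', SET_PATH = '/account/';
const JAR = [
  'sid=abc',                                                   // session, host-only, /account/
  'prefs=dark; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT', // persistent, host-only, /
  'track=42; Domain=example.com; Path=/',                      // session, all of example.com
  'evil=1; Domain=otherdomain.com; Path=/',                    // rejected: not our domain
].map(h => parseSetCookie(h, SET_HOST, SET_PATH)).filter(Boolean);

const NOW = new Date('2026-01-01T00:00:00Z');
console.log(cookiesFor(JAR, 'http://www.example.com/account/orders', NOW, true)); // [ 'sid', 'prefs', 'track' ]
console.log(cookiesFor(JAR, 'http://shop.example.com/', NOW, true));              // [ 'track' ]
```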

Browser security risks

Compromise host
  Write to file system
  Interfere with other processes in browser environment

Steal information
  Read file system
  Read information associated with other browser processes (e.g., other windows)
  Fool the user
  Reveal information through traffic analysis

Browser sandbox

Idea
  Code executed in browser has only restricted access to OS, network, and browser data structures

Isolation
  Similar to OS process isolation, conceptually
  Browser is a “weak” OS
  Same-origin principle
    Browser “process” consists of related pages and the site they come from

Same-Origin Principle

Basic idea
  Only the site that stores some information in the browser may later read or modify that information (or depend on it in any way).

Details
  What is a “site”?
    URL, domain, pages from same site … ?
  What is “information”?
    cookies, document object, cache, … ?
  Default only: users can set other policies
  No way to keep sites from sharing information


Java

General programming language
  Web pages may contain Java code

Java executed by Java Virtual Machine
  Special security measures associated with Java code from remote URLs

Javascript, other security models are based on Java security model

Java Applet

[Diagram: applet downloaded from the airline opens a local window showing a seat map built from airline data; local data (user profile, credit card) stays on the client; selecting a seat sends an encrypted message back]

Mobile code security mechanisms

Examine code before executing
  Java bytecode verifier performs critical tests

Interpret code and trap risky operations
  Java bytecode interpreter does run-time tests
  Security manager applies local access policy

Security manager policy based on
  Site that supplied the code
  Code signing – who signed it?

Java Virtual Machine Architecture

[Diagram: A.java → Java Compiler → A.class (compile source code); A.class and B.class arrive over the Network and pass through Loader → Verifier → Linker → Bytecode Interpreter inside the Java Virtual Machine]

Class loader

Runtime system loads classes as needed
  When class is referenced, loader searches for file of compiled bytecode instructions

Default loading mechanism can be replaced
  Define alternate ClassLoader object
    Extend the abstract ClassLoader class and implementation
  Can obtain bytecode from network
  VM restricts applet communication to site that supplied applet

Verifier

Bytecode may not come from standard compiler
  Evil hacker may write dangerous bytecode

Verifier checks correctness of bytecode
  Every instruction must have a valid operation code
  Every branch instruction must branch to the start of some other instruction, not middle of instruction
  Every method must have a structurally correct signature
  Every instruction obeys the Java type discipline

Last condition is fairly complicated.


Type Safety of JVM

Load-time type checking
Run-time type checking
  All casts are checked to make sure type safe
  All array references are checked to be within bounds
  References are tested to be not null before dereference

Additional features
  Automatic garbage collection
  NO pointer arithmetic

If program accesses memory, the memory is allocated to the program and declared with correct type

How do we know verifier is correct?

Many early attacks based on verifier errors
Formal studies prove correctness
  Abadi and Stata
  Freund and Mitchell
    Found error in initialize-before-use analysis

JVM uses stack machine

Java
  class A extends Object {
    int i;
    void f(int val) { i = val + 1; }
  }

Bytecode
  Method void f(int)
    aload 0                      ; object ref this
    iload 1                      ; int val
    iconst 1
    iadd                         ; add val + 1
    putfield #4 <Field int i>    ; refers to const pool
    return

JVM Activation Record
  [Diagram: data area holding local variables, operand stack, return address, exception info, and constant pool resolution]
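The verifier checks listed two slides back can be run on the bytecode for f(int) above. The toy verifier below is an added example, not the lecture's or the JDK's code; its instruction sizes and opcode set are a simplification, and it tracks stack types only along straight-line code.

```javascript
// Added example, not from the lecture: a toy verifier for a small subset of
// JVM-style bytecode, applying three of the checks listed above to the method
// f(int) shown in the previous slide: every opcode is valid, every branch lands
// on an instruction start (never in the middle of a multi-byte instruction),
// and every instruction respects the operand-stack type discipline, tracked
// abstractly as 'int' or 'ref'. Instruction sizes and the opcode set are a
// simplification for illustration, not the real class-file format.

const ISA = {
  aload:    { size: 2, pop: [],             push: 'ref' },
  iload:    { size: 2, pop: [],             push: 'int' },
  iconst:   { size: 2, pop: [],             push: 'int' },
  iadd:     { size: 1, pop: ['int', 'int'], push: 'int' },
  putfield: { size: 3, pop: ['int', 'ref'], push: null },   // pops value, then objectref
  goto:     { size: 3, pop: [],             push: null, branch: true },
  return:   { size: 1, pop: [],             push: null },
};

// code: array of [opcode, operand]. Returns { ok: true } or
// { ok: false, error } describing the first violation found.
function verify(code) {
  // Pass 1: valid opcodes, and the byte offset at which each instruction starts.
  const starts = new Set();
  let offset = 0;
  for (const [op] of code) {
    if (!ISA[op]) return { ok: false, error: `invalid opcode ${op}` };
    starts.add(offset);
    offset += ISA[op].size;
  }
  // Pass 2: branch targets must be instruction starts.
  for (const [op, arg] of code) {
    if (ISA[op].branch && !starts.has(arg)) {
      return { ok: false, error: `branch to offset ${arg} is not an instruction start` };
    }
  }
  // Pass 3: abstract interpretation of operand-stack types. Straight-line only;
  // a real verifier also merges the stack state at every branch target.
  const stack = [];
  for (const [op] of code) {
    for (const want of ISA[op].pop) {
      const got = stack.pop();
      if (got !== want) {
        return { ok: false, error: `${op} expected ${want}, found ${got === undefined ? 'empty stack' : got}` };
      }
    }
    if (ISA[op].push) stack.push(ISA[op].push);
  }
  return { ok: true };
}

// The lecture's method: void f(int val) { i = val + 1; }
const METHOD_F = [
  ['aload', 0], ['iload', 1], ['iconst', 1], ['iadd'], ['putfield', 4], ['return'],
];

// Hand-written bytecode a compiler would never emit: the object reference and
// the value are swapped, so the store would treat an int as an object pointer.
const SWAPPED_OPERANDS = [['iload', 1], ['aload', 0], ['putfield', 4], ['return']];

console.log(verify(METHOD_F));          // { ok: true }
console.log(verify(SWAPPED_OPERANDS));  // { ok: false, error: 'putfield expected int, found ref' }
```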

Java Object Initialization

No easy pattern to match.
Multiple refs to same uninitialized object.

Bug in Sun’s JDK 1.1.4
  Example: variables 1 and 2 contain references to two different objects, verifier thinks they are aliases

Security Manager

Java library functions call security manager
Security manager object answers at run time
  Decide if calling code is allowed to do operation
  Examine protection domain of calling class
    Signer: organization that signed code before loading
    Location: URL where the Java classes came from
  Uses the system policy to decide access permission


Stack Inspection

Permission depends on
  Permission of calling method
  Permission of all methods above it on stack
    Up to method that is trusted and asserts this trust

Many details omitted

[Diagram: call stack with java.io.FileInputStream on top, called from method f, called from method g, called from method h]

Stories: Netscape font / passwd bug; Shockwave plug-in

ActiveX

ActiveX controls reside on client's machine, activated by HTML object tag on the page

ActiveX controls are not interpreted by browser
  Compiled binaries executed by client OS
  Controls can be downloaded and installed

Security model relies on three components
  Digital signatures to verify source of binary
  IE policy can reject controls from network zones
  Controls marked by author as safe for initialization, safe for scripting, which affects the way control used

Once accepted, installed and started, no control over execution

Installing Controls

If you install and run, no further control over the code.

In principle, browser/OS could apply sandboxing, other techniques for containing risks in native code. But don’t count on it.

Risks associated with controls

MSDN Warning
  An ActiveX control can be an extremely insecure way to provide a feature

Why?
  A COM object, control can do any user action
    read and write Windows registry
    access the local file system
  Other web pages can attack a control
    Once installed, control can be accessed by any page
    Page only needs to know class identifier (CLSID)

Recommendation: use other means if possible

http://msdn.microsoft.com/library/default.asp?url=/code/list/ie.asp

IE Browser Helper Objects (Extensions)

COM components loaded when IE starts up
  Run in same memory context as the browser
  Perform any action on IE windows and modules

Detect browser events
  GoBack, GoForward, and DocumentComplete

Access browser menu, toolbar and make changes
Create windows to display additional information
Install hooks to monitor messages and actions

Summary: No protection from extensions

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp

JavaScript

Executed by browser
  Used in many attacks (to exploit other vulnerabilities)

Cookie attack from earlier slide (08 Nov 2001):
  With the assistance of some JavaScript code, an attacker could construct a Web page or HTML-based e-mail that could access any cookie in the browser's memory or those stored on disk ...

JavaScript runs
  Before the HTML is loaded, before the document is viewed
  While the document is viewed, or as the browser is leaving


Javascript Security Model

“Sandbox” design (at least conceptually)
  No direct file access or network access

Same-origin policy
  Can only read properties of documents and windows from same place: server, protocol, port

Access control with signed scripts
  User can grant privileges to signed scripts
    UniversalBrowserRead/Write, UniversalFileRead, UniversalSendMail

Reference: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/

Examples, assuming www.example.com

  URL of Target Window                               Result of Same Origin Check with www.example.com   Reason
  ftp://www.example.com/                             Does not pass                                      Different protocol
  http://otherdomain.com/                            Does not pass                                      Different domain
  http://www2.example.com/dir/page.html              Does not pass                                      Different server
  http://www.example.com:8080/dir/page.html          Does not pass                                      Different port
  http://www.example.com/other1/other2/index.html    Passes                                             Same domain and protocol
  http://www.example.com/index.html                  Passes                                             Same domain and protocol

Same-origin check applies to access to window object of other frames, etc.

Same-origin check

Example Javascript
  var w = window.open("http://www.google.com");
  // After 10 seconds, see what URL they're looking at
  var snoopedURL;
  setTimeout("snoopedURL = w.location.href", 10 * 1000);

What should this do?
  Succeed if loaded from www.google.com, or origin of whatever page is being viewed
  Fail otherwise? Some browsers don’t fail

Script on page can reset domain
  To more general domain than actual source of page
  Allows other scripts to access that document properties without violating the same-origin policy
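The check behind the www.example.com table and the document.domain relaxation just described, as an added example (not the lecture's code). It assumes an origin is (protocol, host, port) with the scheme's default port filled in, and models document.domain as an explicit relaxedDomain value that both pages must have set to the same legal value.

```javascript
// Added example, not part of the lecture: the same-origin comparison a browser
// makes before a script may read another window's properties, exercised on the
// lecture's www.example.com table. An origin is (protocol, host, port) with the
// scheme's default port filled in. document.domain relaxation is modelled as
// an explicit relaxedDomain value on each page; requiring BOTH sides to have
// set it is how browsers keep one page from opening itself up unilaterally.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ftp:': '21' };

function originOf(url) {
  const u = new URL(url);
  return { protocol: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] || '' };
}

// Plain same-origin check: protocol, host and port must all agree.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// A page may set document.domain only to its own host or a parent domain of it.
// The "must contain a dot" test stands in for the real public-suffix check that
// stops a page from relaxing to a bare top-level domain such as "com".
function canSetDomain(host, wanted) {
  return host === wanted || (host.endsWith('.' + wanted) && wanted.includes('.'));
}

// page = { url, relaxedDomain }: relaxedDomain is the value the page assigned
// to document.domain, or undefined if it never did.
function sameOriginWithDomain(pageA, pageB) {
  const a = originOf(pageA.url), b = originOf(pageB.url);
  if (a.protocol !== b.protocol) return false;
  if (!pageA.relaxedDomain && !pageB.relaxedDomain) return a.host === b.host && a.port === b.port;
  if (!pageA.relaxedDomain || !pageB.relaxedDomain) return false;     // one side only: blocked
  if (!canSetDomain(a.host, pageA.relaxedDomain)) return false;       // illegal assignment
  if (!canSetDomain(b.host, pageB.relaxedDomain)) return false;
  // Once both sides have set document.domain the port is no longer compared,
  // one more reason this relaxation is regarded as unsafe.
  return pageA.relaxedDomain === pageB.relaxedDomain;
}

// The lecture's table as data: [target URL, expected result, reason].
const SAME_ORIGIN_TABLE = [
  ['ftp://www.example.com/',                          false, 'Different protocol'],
  ['http://otherdomain.com/',                         false, 'Different domain'],
  ['http://www2.example.com/dir/page.html',           false, 'Different server'],
  ['http://www.example.com:8080/dir/page.html',       false, 'Different port'],
  ['http://www.example.com/other1/other2/index.html', true,  'Same domain and protocol'],
  ['http://www.example.com/index.html',               true,  'Same domain and protocol'],
];

// True when sameOrigin agrees with every row of the table.
function checkTable(base = 'http://www.example.com/') {
  return SAME_ORIGIN_TABLE.every(([url, expected]) => sameOrigin(base, url) === expected);
}

console.log(checkTable());  // true
```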

Problems with S-O Principle

Poorly enforced on some browsers
  Particularly older browsers

Limitations if site hosts unrelated pages
  Example: Web server often hosts sites for unrelated parties
    http://www.example.com/account/
    http://www.example.com/otheraccount/
  Same-origin policy allows script on one page to access properties of document from another

Finer grained control using signed scripts
  See article for more info

LiveConnect

Netscape-supported interaction between Java applets, plugins, and JavaScript
  JavaObject is a JavaScript wrapper on a Java object
  JSObject is a Java wrapper on a JavaScript object

Question
  What kind of same-origin policy do we get here?

Browser Cookie Management

Cookie Same-origin ownership
  Once a cookie is saved on your computer, only the Web site that created the cookie can read it.

Variations
  Temporary cookies
    Stored until you quit your browser
  Persistent cookies
    Remain until deleted or expire
  Third-party cookies
    Originates on or sent to a web site other than the one that provided the current page


Third-party cookies

Get a page from merchant.com
  Contains <img src="http://doubleclick.com/advt.gif">
  Image fetched from DoubleClick.com
    DoubleClick knows IP address and page you were looking at

DoubleClick sends back a suitable advertisement
  Stores a cookie that identifies "you" at DoubleClick

Next time you get page with a doubleclick.com image
  Your DoubleClick cookie is sent back to DoubleClick
  DoubleClick could maintain the set of sites you viewed
  Send back targeted advertising (and a new cookie)

Cooperating sites
  Can pass information to DoubleClick in URL, …

Example: Mortgage Center

  <html><title>Mortgage Center</title><body>… http://www.loanweb.com/ad.asp?RLID=0b70at1ep0k9

What’s this?

Cookie issues

Cookies maintain record of your browsing habits
  Cookie stores information as set of name/value pairs
  May include any information a web site knows about you
  Sites track your activity from multiple visits to site

Sites can share this information (e.g., DoubleClick)
Browser attacks could invade your “privacy”

08 Nov 2001
  Users of Microsoft's browser and e-mail programs could be vulnerable to having their browser cookies stolen or modified due to a new security bug in Internet Explorer (IE), the company warned today.

Managing cookie policy via proxy

[Diagram: Browser ↔ Proxy (holding the Cookie Jar) ↔ Network]

Proxy intercepts request and response
  May modify cookies before sending to Browser
  Can do other checks: filter ads, block sites, etc.

Sample Proxy:

Cookie management by policy in cookiefile
  Default: all cookies are silently crunched
  Options
    Allow cookies only to/from certain sites
    Block cookies to browser (but allow to server)
    Send vanilla wafers instead

Block URLs matching any pattern in blockfile
  Example: pattern /*.*/ad matches http://nomatterwhere.com/images/advert/g3487.gif

Easy to write your own http proxy; you can try this at home
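The policy decisions the slide lists for such a proxy (blockfile patterns, per-site cookie rules in both directions, vanilla wafers) as one pure function. This is an added example, not the lecture's or JunkBuster's code; the policy format is my own simplification: blockfile entries are regular expressions over the URL path, and the cookiefile is two host-suffix lists.

```javascript
// Added example, not the lecture's or JunkBuster's code: the decision logic of
// a cookie-managing proxy like the one sketched above, as a pure function of the
// request. Policy format is my own: blockfile entries are regular expressions
// over the URL path (the slide's "/*.*/ad" reads naturally as one), and the
// cookiefile is two host-suffix lists. Everything else is the slide's defaults:
// cookies are crunched unless a rule allows them, optionally replaced by a
// harmless "vanilla wafer" so that sites insisting on a cookie still work.

const BLOCKFILE = ['/*.*/ad', '/banners/'];                 // constructed
const COOKIEFILE = {
  allowBoth:    ['mybank.example'],   // Cookie sent to server, Set-Cookie passed to browser
  toServerOnly: ['shop.example'],     // Cookie sent, but new Set-Cookie headers crunched
  vanillaWafer: true,                 // substitute a placeholder for crunched cookies
};
const WAFER = 'NOTICE=This_cookie_was_replaced_by_the_proxy';

function hostInList(host, list) {
  return list.some(d => host === d || host.endsWith('.' + d));
}

// What the proxy does with one request carrying cookieHeader (may be null).
// Returns { block, cookieHeader, acceptSetCookie }: whether to refuse the
// request, what Cookie header (if any) goes to the server, and whether the
// server's Set-Cookie headers are allowed through to the browser.
function filterRequest(url, cookieHeader, blockfile = BLOCKFILE, cookiefile = COOKIEFILE) {
  const u = new URL(url);
  // 1. blockfile: refuse the request outright (ad images, trackers).
  if (blockfile.some(p => new RegExp(p).test(u.pathname))) {
    return { block: true, cookieHeader: null, acceptSetCookie: false };
  }
  // 2. cookiefile: decide each direction separately.
  const host = u.hostname.toLowerCase();
  const both = hostInList(host, cookiefile.allowBoth);
  const toServer = both || hostInList(host, cookiefile.toServerOnly);
  let outgoing = null;
  if (toServer) outgoing = cookieHeader;
  else if (cookieHeader && cookiefile.vanillaWafer) outgoing = WAFER;
  return { block: false, cookieHeader: outgoing, acceptSetCookie: both };
}

console.log(filterRequest('http://nomatterwhere.com/images/advert/g3487.gif', null).block);  // true
console.log(filterRequest('http://tracker.example/pixel', 'id=7').cookieHeader);             // NOTICE=This_cookie_was_replaced_by_the_proxy
```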

Fooling the user

[Diagram: phishing flow]
  Bad guy sends email: “There is a problem with your eBuy account”
  User clicks on email link to www.ebuj.com.
  User thinks it is ebuy.com, enters eBuy username and password.
  Password sent to bad guy


Some Stanford projects

Problems addressed: Password phishing; Common password problem; Keylogger spyware; Transaction generator spyware

Projects: SafeHistory, PwdHash, SpyBlock (no server changes), SpyBlock (with server changes), SafeCache, SpoofGuard

Password Phishing Problem

User cannot reliably identify fake sites
Captured password can be used at target site

[Diagram: user sends pwdA to the Fake Site; the Fake Site replays pwdA to Bank A]

Common Password Problem

Phishing attack or break-in at site B reveals pwd at A
Server-side solutions will not keep pwd safe
Solution: Strengthen with client-side support

[Diagram: user sends pwdA to Bank A (high security site) and pwdB to Site B (low security site), where pwdB = pwdA]

Password Hashing

Generate a unique password per site
  HMAC_{fido:123}(banka.com) ⇒ Q7a+0ekEXb
  HMAC_{fido:123}(siteb.com) ⇒ OzX2+ICiqc

Hashed password is not usable at any other site
  Protects against password phishing
  Protects against common password problem

[Diagram: user types pwdA for Bank A and pwdB for Site B, with pwdB = pwdA; the browser sends hash(pwdA, BankA) to Bank A and hash(pwdB, SiteB) to Site B]

Password Hashing: a popular idea

Recent password hashing projects:
  Site Password, Password Maker, Genpass, Passwdlet, Password Composer, Magic Password Generator, PwdHash, Password Generator Extension

Similar hashing algorithms
  Only PwdHash defends against spoofing and is invisible to the user

The Spoofing Problem

JavaScript can display password fields or dialogs:
  Unhashed password sent to attacker in clear


Password Prefix

Original pwd should never be visible to web page

[Diagram: user types @@fido:123; the page sees only @@abcdefgh; the value submitted to Site B is OzX2+ICiqc]

Password Prefix: How it works

Normal operation: Prefix in password field
  @@fido:123 ⇒ @@abcdefgh ⇒ **********
  abcdefgh ⇒ fido:123
  HMAC_{fido:123}(siteb.com) ⇒ Q7a+0ekEXb

Abnormal operation: Prefix in non-password field
  Can just ignore the prefix and not hash
  Remind user not to enter password

PwdHash protection problem

Problem
  Javascript on malicious web page can try to intercept user password from PwdHash
  Javascript attacks
    Script activated when user changes focus
    Script can read input, may run before PwdHash
    Keyboard monitoring and logging
    Spoof parts of web browser UI
    Communicate across network

Solution
  Implement keystroke logger in PwdHash

The Perfect Phishing Email

Bank of America customers see:
  “Click here to see your Bank of America statement”
Wells Fargo customers see:
  “Click here to see your Wells Fargo statement”

Works in Outlook; behavior is by design

Fooling the user using browser state

Reading browser history
  CSS properties of hyperlinks
  Can also use cache-based techniques

Violation of the same-origin principle:
  “One site cannot use information belonging to another site.”

Visited link tracking

Visited links displayed in different color (74% of sites)
  Information easily accessible by javascript

Attacks also without javascript
  Bank logo images are stacked on top of each other
  CSS rules cause the un-visited links to vanish
  Page displays bank logo of site that user has visited

  <html><head>
  <style>
    a { position:absolute; border:0; }
    a:link { display:none }
  </style>
  </head><body>
  <a href='http://www.bankofamerica.com/'><img src='bankofamerica.gif'></a>
  <a href='https://www.wellsfargo.com/'><img src='wellsfargo.gif'></a>
  <a href='http://www.usbank.com/'><img src='usbank.gif'></a>
  ...
  </body></html>

http://www.safehistory.com/


Preserving web privacy

Your IP address may be visible to web sites
  This may reveal your employer, ISP, etc.
  Can link activities on different sites, different times

Can you prevent sites from learning about you?
  Anonymizer
    Single site that hides origin of web request
  Crowds
    Distributed solution

Browsing Anonymizers

Web Anonymizer hides your IP address
  [Diagram: Browser → Anonymizer → Server]
  www.anonymizer.com/cgi-bin/redirect.cgi?url=…

What does anonymizer.com know about you?

Related approach to anonymity

Hide source of messages by routing them randomly
  Routers don’t know for sure if the apparent source of the message is the actual sender or simply another router

Only secure against local attackers!

Existing systems: Freenet, Crowds, etc.

Crowds [Reiter,Rubin ‘98]

[Diagram: sender C0 forwards to a random crowd member; each honest member C forwards to another member with probability pf, or to the recipient with probability 1-pf; one path runs through C1, C2, C3, C4 to the recipient]

Sender randomly chooses a path through the crowd
  Some routers are honest, some corrupt
  After receiving a message, honest router flips a coin
    With probability Pf routes to the next member on the path
    With probability 1- Pf sends directly to the recipient

What Does Anonymity Mean?

Beyond suspicion
  The observed source of the message is no more likely to be the actual sender than anybody else

Probable innocence
  Probability <50% that the observed source of the message is the actual sender

Possible innocence
  Non-trivial probability that the observed source of the message is not the actual sender

Guaranteed by Crowds if there are sufficiently few corrupt routers
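How few corrupt routers is "sufficiently few" follows from the forwarding rule on the previous slide. The code below is an added example, not from the lecture or the Crowds paper: it simulates that rule with a seeded random generator and compares the estimate against Reiter and Rubin's closed-form exposure probability, which gives the crowd size needed for probable innocence.

```javascript
// Added example, not from the lecture or the Crowds authors' code: a simulation
// of the Crowds forwarding rule above, plus the closed-form result from Reiter
// and Rubin that it reproduces. Model: n members of which c collaborate with
// the attacker; the sender first forwards to a uniformly random member (possibly
// itself); each honest member that receives the message forwards it to a random
// member with probability pf and to the recipient otherwise. The first
// collaborator on the path sees its predecessor; "exposure" is the chance that
// this predecessor is the real sender.

// Reiter-Rubin: P(predecessor is the sender | path reached a collaborator)
//   = 1 - pf * (n - c - 1) / n.   Probable innocence needs this <= 1/2.
function exposureProbability(n, c, pf) {
  return 1 - pf * (n - c - 1) / n;
}

// Smallest crowd size n giving probable innocence against c collaborators:
// n >= pf / (pf - 1/2) * (c + 1), so pf must exceed 1/2 for any finite n.
function minCrowdSize(pf, c) {
  if (pf <= 0.5) return Infinity;
  return Math.ceil(pf / (pf - 0.5) * (c + 1));
}

// Small seeded PRNG (mulberry32) so the simulation is repeatable offline.
function mulberry32(seed) {
  return function () {
    seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Members 0..n-c-1 are honest (0 is the sender), n-c..n-1 are collaborators.
// Returns the simulated estimate of exposureProbability(n, c, pf).
function simulateExposure(n, c, pf, trials, seed = 1) {
  const rand = mulberry32(seed);
  const sender = 0;
  let reached = 0, exposed = 0;
  for (let i = 0; i < trials; i++) {
    let prev = sender;
    let next = Math.floor(rand() * n);       // sender's first hop: no coin flip
    for (;;) {
      if (next >= n - c) {                   // first collaborator on the path
        reached++;
        if (prev === sender) exposed++;
        break;
      }
      if (rand() >= pf) break;               // honest member delivers to recipient
      prev = next;
      next = Math.floor(rand() * n);         // forward to a random member
    }
  }
  return reached ? exposed / reached : 0;
}

// With pf = 3/4 and 5 collaborators, a crowd of 18 is the smallest that keeps
// the sender probably innocent; the simulation lands near the formula's 0.5.
console.log(minCrowdSize(0.75, 5));                    // 18
console.log(exposureProbability(18, 5, 0.75));         // 0.5
console.log(simulateExposure(18, 5, 0.75, 20000));     // close to 0.5
```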

How web sites use your information

You may enter information to buy product
  Name, address, credit card number, …

How will web site use this information
  Charge your card and mail your purchase
  Give sales information to other businesses?

Platform for privacy preferences (P3P)
  Framework for reaching agreement on use of personal information
  Enforcement at server side is another matter…


Basic P3P Concepts

[Diagram: the user agent holds the user's preferences and a user data repository; the service has its data practices; the service sends a proposal, and user agent and service reach an agreement before user data flows]

Credit: Lorrie Cranor

A Simple P3P Conversation

User agent: Get index.html
Service: Here is my P3P proposal - I collect click-stream data and computer information for web site and system administration and customization of site
User agent: OK, I accept your proposal
Service: Here is index.html