Running Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.

Transcription

1 CSE 127 Winter 2008 Security Collin Jackson Running Remote Code is Risky Compromise Host Write to file system Interfere with other processes Steal information Read file system Read information associated with other sites Fool the user 1 2 Sandbox Why Study Security Idea Code executed in browser has only limited access to OS, network, and browser data structures Isolation Similar to address spaces, conceptually is a weak OS Same-origin principle process consists of related pages and the site they come from 3 if you re not Microsoft, Mozilla, Apple, or Opera? Build better browsers Contribute to open source browsers (Firefox, Safari) Release your own modified browser (Flock) Embed a renderer in your program (Gecko, WebKit) Build better web applications s and firewalls can mitigate browser limitations Take advantage of opt-in browser security features Design workarounds for mashups Be a safer surfer Make informed security decisions Distinguish harmless warnings from attacks 4 Threat Models Web attacker Control attacker.com Can obtain SSL/TLS certificate for attacker.com ($0) User visits attacker.com Gadget attacker All capabilities of web attacker Embedded (perhaps as an ad) in site user trusts Network attacker Passive: Wireless eavesdropper Active: Evil router, DNS poisoning Malware attacker Attacker has escaped browser sandbox Security User Interface 5 6 1

2 Address Bar Where this content came from URLs Global identifiers of network-retrievable documents Example: awglogin Protocol Username Hostname Port Path Fragment Query Password possibly delegated to other sites URI: similar but slightly more general Special characters are encoded as hex: %0A = newline %20 or + = space, %2B = + (special exception) 7 8 HTTP Request HTTP Response Method File HTTP version Headers HTTP version Status code Reason phrase Headers GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive Host: Blank line Data none for GET HTTP/ OK Date: Sun, 21 Apr :20:42 GMT : Microsoft-Internet-Information-/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr :39:05 GMT Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> Data GET: no side effect. POST: possible side effect Lock Icon Mixed Content Is the connection encrypted? What can a network attacker if the address bar says

3 Phishing Warnings Lock Icon 2.0 Who am I talking to? Lock Icon 2.0 Status Bar Where you re going Trivially spoofable <a href= onclick= this.href = ; > PayPal</a> Still useful Usability MySpace/Slashdot scenario Document Object Model (DOM) Document Object Model Object-oriented interface used to read and write docs web page in HTML is structured data DOM provides representation of this hierarchy Examples Properties: document.alinkcolor, document.url, document.forms[ ], document.links[ ], document.anchors[ ] Methods: document.write(document.referrer) 17 Also Object Model (BOM) window, document, frames[], history, location, navigator (type and version of browser) 18 3

4 Same Origin Policy Web pages from different origins have limited access to each other s DOM. Origin is the tuple <domain, port, protocol> Full access Limited access DOM Security Examples Example HTML at <iframe src=" <img src=" Disallowed access: alert( frames[0].contentdocument.body.innerhtml ) alert( frames[0].location ) Allowed access: alert( images[0].height ) frames[0].location = " Setting document.domain Mixed Content Revisited Setting document.domain changes a document s origin. Can only be set to. -delimited suffix of domain name example.com example.com Origin is actually the tuple <domain, port, protocol, hassetdocumentdomain> Not dead code: document.domain = document.domain; 21 What s wrong with this picture? Goals: Prevent Bot-like Activity Spam Network Reading documents behind a firewall Send anywhere Some ports are inaccessible Read only from your origin Some formats are executable across origins Clicking advertisements Denial of service?

5 Same Origin Requests <script> var xhr = new XMLHttpRequest(); xhr.open("post", " foo/example.cgi", true); // asynchronous xhr.send("hello world!"); xhr.onload = function() { if (xhr.status == 200) { alert(xhr.responsetext); } } </script> Sending a Cross-Domain GET Data must be URL encoded <img src=" y"> sends: GET file.cgi?foo=1&bar=x%20y HTTP/1.1 Host: othersite.com Can t send to some restricted ports, like 25 (SMTP) Sending a Cross-Domain POST Cross-Domain Network Reading Can use any encoding <form method="post" action=" encoding="text/plain"> <input type="hidden" name= Hello world!\n\n2 +2 " value= 4 "> </form> <script>document.forms[0].submit()</script> sends: POST file.cgi HTTP/1.1 Host: othersite.com Hello world! 2 +2 =4 Can target a hidden iframe to do this in background Can t send to some restricted ports, like 25 (SMTP) 27 Executable data formats: <script src=" <link rel="stylesheet" href=" <img src=" <applet code=" Used extensively in mashups Not ideal for mutual distrust scenarios opt-in Access-Control header (Firefox 3) Flash Player s crossdomain.xml 28 Brief Review of DNS [DWF 96, R 01] DNS Rebinding Attack ns.evil.com Enterprise DNS TTL = 24 hours HTTP request ns.evil.com DNS server web server <iframe src=" corporate web server Firewall TTL = Read permitted: it s the same origin DNS-SEC cannot stop this attack ns.evil.com DNS server web server

6 DNS Rebinding Defenses mitigation: DNS Pinning Refuse to switch to a new IP Interacts poorly with proxies, VPN, dynamic DNS, Not consistently implemented in any browser -side defenses Check Host header for unrecognized domains Authenticate users with something other than IP Firewall defenses External names can t resolve to internal addresses Protects browsers inside the organization Cookies Cookies Used to store state on user s machine If expires=null: this session only domain = (who can read) ; expires = (when expires) ; secure = (only over SSL) Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state 33 Cookie authentication Web Auth server POST login.cgi Username & pwd Set-cookie: auth=val GET restricted.html Cookie: auth=val If YES, restricted.html Validate user auth=val restricted.html auth=val YES/NO Store val Check val 34 Cookie Security Policy httponly Cookies Uses: User authentication Personalization User tracking: e.g. Doubleclick (3 rd party cookies) httponly Brower will store: At most 20 cookies/site, 3 KB / cookie Origin is the tuple <domain, path> Can set cookies valid across a domain suffix Cookie sent over HTTP(s), but not accessible to scripts cannot be read via document.cookie Helps prevent cookie theft via XSS but does not stop most other risks of XSS bugs

7 Cookie Integrity Attacks Secure Cookies domain=.com Secure=true Can inject cookies into sessions at other sites Log the user in as the attacker Solution: Effective TLD Provides confidentiality against network attacker will only send it back over HTTPS but not integrity Secure flag is not part of Cookie: header