Browser code isolation

Transcription

1 CS 155 Sprig 2018 Browser code isolatio Joh Mitchell

2 Topic of this class meetig How ca we use sophisticated isolatio ad iteractio betwee compoets to develop flexible, iterestig web applicatios, while protectig cofidetiality ad itegrity???

3 WHY DO WE NEED ISOLATION AND COMMUNICATION?

4 Moder web sites are complex

5 Moder web site Code from may sources Combied i may ways

6 Sites hadle sesitive iformatio Fiacial data Olie bakig, tax filig, shoppig, budgetig, Health data Geomics, prescriptios, Persoal data , messagig, affiliatios,

7 Basic questios How do we isolate code from differet sources Protectig sesitive iformatio i browser Esurig selected forms of itegrity Allowig moder fuctioality, flexible iteractio

8 More specifically How to protect a page from ads/services? How to protect a page from a library? How do we protect a page from CDN? How to share data with cross-origi page? How to protect oe user from aother s cotet? How do we protect extesio from page?

9 ARE FRAMES AND SAME- ORIGIN POLICY ENOUGH?

10 Recall Same-Origi Policy (SOP) Idea: Isolate cotet from differet origis Restricts iteractio betwee compartmets Restricts etwork request ad respose Lets look at iterframe ad etwork iteractio

11 Same-origi policy: frames ad web Dom access?

12 Same-origi policy: frames ad web postmessage commuicatio?

13 Same-origi policy: frames ad web XmlHttpRequest???

14 Same-origi policy: frames ad web image request?

15 Same-origi frame ad web summary Isolate cotet from differet origis Ca sed postmessage or embed image or js Ca t access documet of cross-origi page Ca t ispect cross-origi resposes

16 Limitatio: Library Library icluded usig tag <script src="jquery.js"></script> No isolatio Rus i same frame, same origi as rest of page May cotai arbitrary code Library developer errors or malicious troja horse Ca redefie core features of JavaScript May violate developer ivariats, assumptios jquery used by 78% of the Quatcast top 10,000 sites, over 59% of the top millio

17 Limitatio: advertisemet <script src= ></script> <script src= ></script> Read password usig the DOM API var c = documet.getelemetsbyname( password )[0] Directly embedded third-party JavaScript poses a threat to critical hostig page resources Sed it to evil locatio (ot subject to SOP) <img src=`` > 17

18 Limitatio: Ad vs Ad <script src= ></script> <script src= ></script> $1 Buy Now Directly embedded third-party JavaScript poses a threat to other third-party compoets Attack the other ad: Chage the price! var a = documet.getelemetbyid( soyad ) a.ierhtml = $1 Buy Now ;

19 Same-origi policy limitatios Coarse ad iflexible Does ot restrict actios withi a executio cotext Developers caot chage policy Does ot prevet iformatio leaks Ca sed data i image request, XHR request Image size ca leak whether user logged i Cross-origi scripts ru with privilege of page Ijected scripts ca corrupt ad leak user data! No way to relax policy Ca t read cross-origi resposes

20 Commo but risky workaroud What if we wat to fetch data from provider.com? JSONP ( JSON with Paddig ) w To fetch data, isert ew script tag: <script src= > </script> w To share data, reply back with script wrappig data: f({...data...}) Why is this dagerous? Provider data ca easily be leaked (CSRF) Page is ot protected from provider (XSS)

21 WHAT IS THE GRANULARITY OF ISOLATION AND COMMUNICATION?

22 Browsig cotext A browsig cotext may be A frame with its DOM A web worker (thread), which does ot have a DOM Every browsig cotext Has a origi, determied by áprotocol, host, portñ Is isolated from others by same-origi policy May commuicate to others usig postmessage Ca make etwork requests usig XHR or tags (<image>, )

23 HTML5 Web Workers Separate thread, o DOM isolated but same origi Not origially iteded for security, but helps

24 Web Worker Ru i a isolated thread, loaded from separate file var worker = ew Worker('task.js'); worker.postmessage(); // Start the worker. Same origi as frame that creates it, but o DOM Commuicate usig postmessage mai thread dowork var worker = ew Worker('doWork.js'); worker.addevetlisteer('message', fuctio(e) { cosole.log('worker said: ', e.data); }, false); worker.postmessage('hello World'); // Sed data to worker self.addevetlisteer('message', fuctio(e) { self.postmessage(e.data); // Retur message it is set }, false);

25 Browsig cotext A browsig cotext may be A frame with its DOM A web worker (thread), which does ot have a DOM Every browsig cotext Has a origi, determied by áprotocol, host, portñ Is isolated from others by same-origi policy May commuicate to others usig postmessage Ca make etwork requests usig XHR or tags (<image>, )

26 HOW CAN WE RESTRICT EXECUTION AND COMMUNICATION?

27 Two ways to restrict executio HTML5 iframe Sadbox Load with uique origi, limited privileges Cotet Security Policy (CSP) Whitelist istructig browser to oly execute or reder resources from specific sources

28 HTML5 Sadbox Idea: restrict frame actios Directive sadbox esures iframe has uique origi ad caot execute JavaScript Directive sadbox allow-scripts esures iframe has uique origi

29 HTML5 Sadbox Idea: restrict frame actios Directive sadbox esures iframe has uique origi ad caot execute JavaScript Directive sadbox allow-scripts esures iframe has uique origi

30 HTML5 Sadbox Idea: restrict frame actios Directive sadbox esures iframe has uique origi ad caot execute JavaScript Directive sadbox allow-scripts esures iframe has uique origi

31 Sadbox example Twitter butto i iframe <iframe src= " style="border: 0; width:130px; height:20px;"> </iframe> Sadbox: remove all permissios ad the allow JavaScript, popups, form submissio, ad twitter.com cookies <iframe sadbox="allow-same-origi allow-scripts allow-popups allow-forms" src=" style="border: 0; width:130px; height:20px;"></iframe>

32 Sadbox permissios allow-forms allows form submissio allow-popups allows popups allow-poiter-lock allows poiter lock (mouse moves) allow-same-origi allows the documet to maitai its origi; pages loaded from will retai access to that origi s data. allow-scripts allows JavaScript executio, ad also allows features to trigger automatically (as they d be trivial to implemet via JavaScript) allow-top-avigatio allows the documet to break out of the frame by avigatig the top-level widow

33 Two ways to restrict executio HTML5 iframe Sadbox Load with uique origi, limited privileges Cotet Security Policy (CSP) Whitelist istructig browser to oly execute or reder resources from specific sources Uses HTTP header to specify policy Cotet-Security-Policy: policy

34 Cotet Security Policy (CSP) Goal: prevet ad limit damage of XSS XSS attacks bypass the same origi policy by trickig a site ito deliverig malicious code alog with iteded cotet Approach: restrict resource loadig to a white-list Prohibits ilie scripts embedded i script tags, ilie evet hadlers ad javascript: URLs Disable JavaScript eval(), ew Fuctio(), Cotet-Security-Policy HTTP header allows site to create whitelist, istructs the browser to oly execute or reder resources from those sources

35 Cotet Security Policy (CSP) Goal: prevet ad limit damage of XSS attacks Approach: restrict resource loadig to a white-list E.g., default-src self img-src *

36 Cotet Security Policy (CSP) Goal: prevet ad limit damage of XSS attacks Approach: restrict resource loadig to a white-list E.g., default-src self img-src *

37 Cotet Security Policy (CSP) Goal: prevet ad limit damage of XSS attacks Approach: restrict resource loadig to a white-list E.g., default-src self img-src *

38 Cotet Security Policy (CSP) Goal: prevet ad limit damage of XSS attacks Approach: restrict resource loadig to a white-list E.g., default-src self img-src *

39 Cotet Security Policy (CSP) Goal: prevet ad limit damage of XSS attacks Approach: restrict resource loadig to a white-list E.g., default-src self img-src *

40 Cotet Security Policy (CSP) Goal: prevet ad limit damage of XSS attacks Approach: restrict resource loadig to a white-list E.g., default-src self img-src *

41 Cotet Security Policy (CSP) Goal: prevet ad limit damage of XSS attacks Approach: restrict resource loadig to a white-list E.g., default-src self img-src *

42 Cotet Security Policy & Sadboxig Limitatios: Data exfiltratio is oly partly cotaied w Ca leak to origis we ca load resources from ad siblig frames or child Workers (via postmessage) Scripts still ru with privilege of page w Ca we reaso about security of jquery-sized lib?

43 CSP resource directives script-src limits the origis for loadig scripts coect-src limits the origis to which you ca coect (via XHR, WebSockets, ad EvetSource). fot-src specifies the origis that ca serve web fots. frame-src lists origis ca be embedded as frames img-src lists origis from which images ca be loaded. media-src restricts the origis for video ad audio. object-src allows cotrol over Flash, other plugis style-src is script-src couterpart for stylesheets default-src defie the defaults for ay directive ot otherwise specified

44 CSP source lists Specify by scheme, e.g., https: Host ame, matchig ay origi o that host Fully qualified URI, e.g., Wildcards accepted, oly as scheme, port, or i the leftmost positio of the hostame: 'oe matches othig 'self' matches the curret origi, but ot subdomais 'usafe-ilie' allows ilie JavaScript ad CSS 'usafe-eval' allows text-to-javascript mechaisms like eval

45 CAN WE PROTECT AGAINST NETWORK ATTACKERS OR CDN THAT SERVES THE WRONG SCRIPT OR CODE?

46 Motivatio for SRI May pages pull scripts ad styles from a wide variety of services ad cotet delivery etworks. How ca we protect agaist dowloadig cotet from a hostile server (via DNS poisoig, or other such meas), or modified file o the Cotet Delivery Network (CDN) Would usig HTTPS address this problem?

47 Subresource itegrity Idea: page author specifies hash of (sub)resource they are loadig; browser checks itegrity E.g., itegrity for scripts w <lik rel="stylesheet" href=" itegrity="sha256-sdfwewfae...wefjijfe"> E.g., itegrity for lik elemets w <script src=" mi.js" itegrity="sha256- C6CB9UYIS9UJeqiPHWTHVqh/E1uhG5Tw+Y5qF QmYg=">

48 What happes whe check fails? Case 1 (default): Browser reports violatio ad does ot reder/ execute resource Case 2: CSP directive with itegrity-policy directive set to report Browser reports violatio, but may reder/execute resource

49 CAN WE DEFINE MORE PERMISSIVE ORIGIN POLICIES?

50 Cross-Origi Resource Sharig (CORS) Amazo has multiple domais E.g., amazo.com ad aws.com Problem: amazo.com ca t read cross-origi aws.com With CORS amazo.com ca whitelist aws.com

51 How CORS works Browser seds Origi header with XHR request Server ca ispect Origi header ad respod with Access-Cotrol-Allow-Origi header

52

53 HAVE WE SOLVED EVERY SECURITY PROBLEM?

54 Goal: Password-stregth checker Stregth checker ca ru i a separate frame Commuicate by postmessage But we give password to utrusted code! Is there ay way to make sure utrusted code does ot export our password?

55 Cofiig the checker with COWL Express sesitivity of data Checker ca oly receive password if its cotext label is as sesitive as the password Use postmessage API to sed password Source specifies sesitivity of data at time of sed

56 Staford startup: Itrisic

57 CONCLUSIONS?

58 Moder Structurig Mechaisms HTML5 Web Workers; Separate thread; isolated but same origi Not origially iteded for security, but helps HTML5 iframe Sadbox Load with uique origi, limited privileges Cotet Security Policy (CSP) Whitelist istructig browser to oly execute or reder resources from specific sources SubResource itegrity (SRI) Cross-Origi Resource Sharig (CORS) Relax same-origi restrictios

59 Moder web site Code from may sources Combied i may ways

60 Challeges

61 Actig parties o a site Page developer Library developers Service providers Data provides Ad providers Other users CDNs Extesio developers

62 Browser Extesios Firefox user iterface writte i JavaScript ad XUL, a XML grammar that provides buttos, meus, The browser is implemeted i a XUL file cotaiig, e.g., this code defiig the status bar <statusbar id="status-bar">... <statusbarpael>s... </statusbar> Exted the browser by isertig ew XUL DOM elemets ito the browser widow ad modifyig them usig script ad attachig evet hadlers

63 I reviewig, thik about: How to protect a page from ads/services? How to protect a page from a library? How do we protect a page from CDN? How to share data with cross-origi page? How to protect oe user from aother s cotet? How do we protect extesio from page?