5/21/2007 IEEE Symposium on Security and Privacy, Oakland, CA
A Systematic Approach to Uncover Security Flaws in GUI Logic
Shuo Chen†, José Meseguer‡, Ralf Sasse† ‡, Helen J. Wang†, Yi-Min Wang†
† Systems and Networking Group, Microsoft Research
‡ Dept. of Computer Science, University of Illinois at Urbana-Champaign
Slide 2: Visual Spoofing: A Serious Security Problem
A simple equation: 1000 miles × trusted + 20 inches × untrusted = untrusted
Examples: status bar spoofing and address bar spoofing
IE, Firefox and Netscape all have security flaws in GUI.
[Figure: the 1000 miles from the web server to the browser are labeled trusted; the final 20 inches from the screen to the user are labeled untrusted.]
Slide 3: Research motivation and goal
GUI behaviors are driven by complex logic
E.g., how to handle mouse messages and update the status bar, how to update the address bar during navigations
Need a systematic approach to examine its correctness
Goal: to apply formal methods to reason about GUI logic in order to proactively uncover browser spoofing bugs.
Slide 4: Overview of Our Approach
[Figure: the approach, with steps labeled (a) through (f). Real world: source code of the browser GUI, the user's action sequence, the execution context, the system state and the visual invariant. Formal world: the modeled system (program logic as pseudo code, execution context, system state, user's action sequence, program invariant) is fed to the reasoning engine (the Maude system, a rewriting logic engine); an invariant violation yields potential spoofing scenarios, which are then confirmed as real spoofing scenarios in the real world.]
Slide 5: Case study: status bar spoofing: basic concepts
[Figure: the example page below shown three ways: its Document Object Tree (DOM tree), its page layout as seen toward the user, and the element stacks under the cursor, e.g. <body><a><img> over the image and <body><button> over the button.]
Example page:
    <html>
      <head><title>Page</title></head>
      <body>
        <a href="http://paypal.com"> <img src="a.jpg"> </a>
        <button> My button </button>
      </body>
    </html>
Slide 6: Case Study: status bar spoofing: mouse handling logic
In status bar spoofing, only three raw mouse messages are relevant: MouseMove, LeftButtonDown, LeftButtonUp
Each HTML element has three virtual methods: HandleMessage, DoClick, ClickAction (pseudo code in the paper)
Every element has different behavior about updating the status bar (SetStatusText) and navigating to the target URL (FollowHyperlink).
Message bubbling (passing the mouse message to the parent element)
Every element can decide whether to continue the bubbling or cancel the bubbling
We used Maude to model the source code of the mouse handling logic
Slide 7: Case Study: status bar spoofing: finding attacks
System state: status bar URL, user memorized URL
User action sequence (canonicalized): MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp (only two MouseMoves are needed: because the status bar is memoryless, a sequence of MouseMoves is equivalent to one MouseMove)
Execution context (canonicalized): DOM tree structures (at most two branches, corresponding to the two MouseMoves)
Program invariant: at the time of the function call FollowHyperlink(targetURL), targetURL = user memorized URL
Use Maude to search for spoofing scenarios
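Slides 6 and 7 together describe the search: per-element message handlers, message bubbling up the element stack, a canonicalized user action sequence, and the invariant checked at FollowHyperlink. The Python below is an added, constructed illustration of that search, not the authors' Maude model; the element kinds in PALETTE, their handlers, and the assumption that status-bar text persists until overwritten are simplifications made for this example.

```python
from itertools import product

# An element is (kind, target). An element stack lists the elements under the
# cursor innermost first; a raw mouse message bubbles from index 0 toward the root.
PALETTE = [("anchor", "paypal.com"), ("anchor", "foo.com"), ("form", "foo.com"),
           ("submit", None), ("label", "foo.com"), ("image", None)]

def handle(elem, msg, state):
    """Assumed per-element HandleMessage. Returns (message to keep bubbling or
    None to cancel, target handed to FollowHyperlink or None)."""
    kind, target = elem
    if kind == "anchor" and msg == "MouseMove":
        state["status"] = target      # SetStatusText(target), bubbling cancelled
        return None, None
    if kind == "anchor" and msg == "LeftButtonUp":
        return None, target           # FollowHyperlink(target)
    if kind == "submit" and msg == "LeftButtonUp":
        return "Submit", None         # DoClick: hand the click to the enclosing form
    if kind == "form" and msg == "Submit":
        return None, target           # submission navigates to the form's action URL
    if kind == "label" and msg == "LeftButtonUp":
        return None, target           # click activates the label's associated control
    return msg, None                  # image and others: keep bubbling unchanged

def dispatch(stack, msg, state):
    """Deliver one message to a stack; returns the navigation target, if any."""
    for elem in stack:
        msg, nav = handle(elem, msg, state)
        if nav is not None or msg is None:
            return nav
    return None

def run(stack_a, stack_b):
    """Canonical user action sequence: MouseMove over A, MouseMove over B,
    Inspection, LeftButtonDown and LeftButtonUp over B. Returns (memorized, target)
    when the invariant 'targetURL == memorized URL at FollowHyperlink' fails."""
    state = {"status": ""}            # status text persists until overwritten (assumption)
    dispatch(stack_a, "MouseMove", state)
    dispatch(stack_b, "MouseMove", state)
    memorized = state["status"]       # Inspection: the user reads the status bar
    dispatch(stack_b, "LeftButtonDown", state)
    target = dispatch(stack_b, "LeftButtonUp", state)
    if target and memorized and target != memorized:
        return memorized, target
    return None

def search(max_depth=2):
    """Enumerate pairs of element stacks (canonicalized execution contexts) and
    return every pair whose run violates the invariant, keyed by (A, B)."""
    stacks = [s for d in range(1, max_depth + 1) for s in product(PALETTE, repeat=d)]
    return {(a, b): run(a, b) for a, b in product(stacks, repeat=2) if run(a, b)}
```

With this toy model, search() reports, among others, hovering an anchor to paypal.com and then clicking a submit button inside a form whose action is foo.com, and a label with target foo.com placed inside an anchor to paypal.com, which mirror the element-combination spoofs on the following slide.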
Slide 8: Examples of Status Bar Spoofs
All because of unexpected combinations of element behaviors
[Figure: element stacks and element layouts for four spoofs]
Element stack: input field, anchor, form; form target = foo.com, anchor target = paypal.com (status bar shows paypal.com)
Element stack: image, button, form; form target = foo.com, image target = paypal.com (status bar shows paypal.com)
Element stack: label, anchor; label's target = foo.com, anchor's target = paypal.com
Element stack: image, label; img's target = paypal.com, label's target = foo.com
Slide 9: Case Study: address bar spoofing: basic concepts (browser, renderer, frame, markup)
[Figure: the Browser (address bar showing http://MySite.com) hosts a Renderer that contains the PrimaryFrame from MySite.com, with a Current Markup and a Pending Markup, plus Frame1 from PayPal and Frame2 from MSN.]
Slide 10: Case Study: Address Bar Spoofing
Program invariant: The address bar should display the URL of the current markup of the primary frame.
User action sequence: Page loading, history traveling and window opening
Execution context: A set of Boolean conditions affecting the execution path
System state: PrimaryFrame, other frames, current markups, pending markups, address bar URL ...
Slide 11: Pseudo code model: loading a new page
[Figure: event/call graph of the pseudo code model around an event queue. Nodes: FollowHyperlink, startnavigation, ready, PostParser, Markup::SetInteractive, NavigationComplete, SetAddressBar, Frame::SwitchMarkup, ensure, View::EnsureView, View::RenderView, onPaint. Legend: posting an event, calling a function, invoking a handler.]
Slide 12: Pseudo code model: history travel
[Figure: event/call graph of the pseudo code model around an event queue. Nodes: History_Back, Travel, LoadHistory, startnavigation, ready, PostParser, Markup::SetInteractive, NavigationComplete, SetAddressBar, Frame::SwitchMarkup, ensure, View::EnsureView, View::RenderView, onPaint. Legend: posting an event, calling a function, invoking a handler.]
Slide 13: Pseudo code model: opening a page in a new window
[Figure: event/call graph of the pseudo code model around an event queue. Nodes: FollowHyperlink, CreatePendingDocObject, start-loading, LoadDocument, Load, CreateMarkup, SetAddressBar, LoadFromInfo (appears twice), download-content, PostParser, InitNew, SetClientSite, InitDocHost, SwitchMarkup, View::RenderView, onPaint.]
Slide 14: Discovered Address Bar Spoof (An Atomicity Bug)
[Screenshot: address bar text visible in the figure: https://evil.com#xxxxx...xxxxxxx and https://paypal.com]
Slide 15: Discovered address bar spoof (a race condition)
[Screenshot: address bar text visible in the figure: https://evil.com, https://paypal.com and c:\windows\system32\shdoclc.dll?http; the two competing operations are labeled "History back" and "Load a new page".]
Slide 16: Summary of bug reporting for IE 7
Found many new scenarios for the status bar spoofing, filed them as 9 bugs against IE.
All fixed before IE7 RC 1 (release candidate 1).
4 new scenarios of the address bar spoofing:
Non-atomic update of the address bar (2 bugs)
Non-atomic update of the content area
Race condition: multiple frames compete to be the primary
IE team has fixed two, and proposed the fixes for the other 2 to go into the next version.
Slide 17: Conclusions
Formulated GUI logic correctness as a new research problem
Proposed a systematic approach to proactively uncover security flaws in browser GUI
Demonstrated the benefit of the systematic approach to the GUI implementation.
The approach is not IE specific:
Other browsers (e.g., Firefox, Opera, Netscape, etc.)
Non-browser applications (e.g., Outlook, Outlook Express)
Slide 18: Discussions
Are there spoofing bugs that are not logic flaws?
Picture-in-picture, pop-up covering, chromeless window, symbol similarities (“vv” vs. “w”, “l” vs. “|”, etc.)
Should we rely on users’ security awareness for anti-phishing?
Ideally, no. An ideal security infrastructure should be transparent!
Many users ignore security warnings. [Dhamija-CHI-06][Wu-CHI-06][Schechter-S&P-07]
In reality, people have not found a satisfactory way for transparent security:
White-listing? Sacrifices the openness of the web. Does not scale.
Black-listing or intrusion detection? The signature precision and timeliness
Anti-phishing will remain a joint effort between browser vendors and users for many years
IE 7 has made many efforts to make the GUI authentic.
“Seat belts” are effective only when you “buckle up”! (Not ideal, but … )