5/21/2007, IEEE Symposium on Security and Privacy, Oakland, CA

A Systematic Approach to Uncover Security Flaws in GUI Logic

Shuo Chen†, José Meseguer‡, Ralf Sasse†‡, Helen J. Wang†, Yi-Min Wang†

† Systems and Networking Group, Microsoft Research
‡ Dept. of Computer Science, University of Illinois at Urbana-Champaign




Visual Spoofing: A Serious Security Problem

A simple equation: 1000 miles × trusted + 20 inches × untrusted = untrusted

Examples: status bar spoofing and address bar spoofing. IE, Firefox and Netscape all have security flaws in their GUI.

[Figure: the web server, 1000 miles away, is reached over a trusted path; the final 20 inches to the user are untrusted.]


Research motivation and goal

GUI behaviors are driven by complex logic, e.g., how to handle mouse messages and update the status bar, or how to update the address bar during navigation.

We need a systematic approach to examine its correctness.

Goal: to apply formal methods to reason about GUI logic in order to proactively uncover browser spoofing bugs.


Overview of Our Approach

[Figure: overview diagram, steps (a) to (f). Real world: source code of the browser GUI, from which the execution context, the system state, the program logic (pseudo code) and the user's action sequence are derived; the visual invariant becomes the program invariant. Formal world: the modeled system is checked by the reasoning engine (the Maude system, a rewriting logic engine); an invariant violation yields potential spoofing scenarios, which are then confirmed as real spoofing scenarios.]


Case study: status bar spoofing: basic concepts

Example page:

    <html>
      <head><title>Page</title></head>
      <body>
        <a href="http://paypal.com"><img src="a.jpg"></a>
        <button>My button</button>
      </body>
    </html>

[Figure: the Document Object Tree (DOM tree) of this page, its page layout with the status bar, and the element stacks under each screen position, ordered toward the user (e.g., <body><a><img>, <body><button>).]


Case Study: status bar spoofing: mouse handling logic

In status bar spoofing, only three raw mouse messages are relevant: MouseMove, LeftButtonDown and LeftButtonUp.

Each HTML element has three virtual methods: HandleMessage, DoClick and ClickAction (pseudo code in the paper).

Every element has different behavior about updating the status bar (SetStatusText) and navigating to the target URL (FollowHyperlink).

Message bubbling (passing the mouse message to the parent element)

Every element can decide whether to continue the bubbling or cancel the bubbling

We used Maude to model the source code of the mouse handling logic


Case Study: status bar spoofing: finding attacks

System state: status bar URL, user memorized URL

User action sequence (canonicalized): MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp. Only two MouseMoves are needed: because the status bar is memoryless, a sequence of MouseMoves is equivalent to one MouseMove.

Execution context (canonicalized): DOM tree structures with at most two branches, corresponding to the two MouseMoves.

Program invariant: at the time of the function call FollowHyperlink(targetURL), targetURL = user memorized URL.

Use Maude to search for spoofing scenarios
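The search described on these two slides, re-cast as an added Python example (not the paper's Maude model): an element stack stands for one DOM tree branch, the mouse-handling rules are simplified assumptions that mimic the element behaviors named above (an anchor sets the status bar and cancels bubbling, a button cancels bubbling without touching it, a submit inside a form navigates to the form action), and the program invariant is checked at FollowHyperlink. The anchor href (paypal.com) and form action (foo.com) are the values shown on the slides.

```python
from itertools import product

# Constructed targets matching the slides: the anchor points to paypal.com, the form to foo.com.
PAYPAL, FOO = "paypal.com", "foo.com"
KINDS = ("form", "anchor", "button", "input", "image")   # element kinds in a stack, outermost first

def handle_mouse_move(stack, state):
    """Bubble MouseMove from the innermost element outward (assumed, simplified rules)."""
    for kind in reversed(stack):
        if kind == "anchor":          # anchor: SetStatusText(href) and cancel bubbling
            state["status"] = PAYPAL
            return
        if kind == "button":          # button: cancels bubbling without touching the status bar
            return
    state["status"] = ""              # bubbled up to <body>: the status bar is cleared

def handle_click(stack, state):
    """Bubble LeftButtonDown/LeftButtonUp: the first element with a ClickAction navigates."""
    in_form = "form" in stack
    for kind in reversed(stack):
        if kind in ("input", "button") and in_form:   # submit the enclosing form
            state["navigated"] = FOO
            return
        if kind == "anchor":                          # FollowHyperlink(href)
            state["navigated"] = PAYPAL
            return

def run_scenario(branch_a, branch_b):
    """Canonical user action sequence: MouseMove(a), MouseMove(b), Inspection, click on b."""
    state = {"status": "", "navigated": None}
    handle_mouse_move(branch_a, state)
    handle_mouse_move(branch_b, state)
    memorized = state["status"]       # Inspection: the user reads and memorizes the status bar
    handle_click(branch_b, state)
    return memorized, state["navigated"]

def violates_invariant(memorized, navigated):
    """Program invariant: at FollowHyperlink(targetURL), targetURL == user memorized URL."""
    return navigated is not None and memorized != "" and navigated != memorized

def search(max_depth=3):
    """Enumerate two-branch DOM trees (one stack per branch) and report every violation."""
    stacks = [s for n in range(1, max_depth + 1) for s in product(KINDS, repeat=n)]
    found = set()
    for a, b in product(stacks, repeat=2):
        memorized, navigated = run_scenario(a, b)
        if violates_invariant(memorized, navigated):
            found.add((a, b, memorized, navigated))
    return sorted(found)
```

`search()` returns tuples (branch hovered first, branch clicked, URL the user saw, URL actually navigated to); the input-in-anchor-in-form and anchor-then-image-in-button-in-form combinations from the next slide are among the results.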


Examples of Status Bar Spoofs

All because of unexpected combinations of element behaviors

[Figure: four scenarios, each shown as an element stack next to its element layout.]

Element stack: input field, anchor, form. Form target = foo.com, anchor target = paypal.com; the layout shows paypal.com.

Element stack: image, button, form. Form target = foo.com, image target = paypal.com; the layout shows paypal.com.

Element stack: label, anchor. Label's target = foo.com, anchor's target = paypal.com.

Element stack: image, label. Img's target = paypal.com, label's target = foo.com.


Case Study: address bar spoofing: basic concepts (browser, renderer, frame, markup)

[Figure: a Browser hosting a Renderer; the address bar shows http://MySite.com. The PrimaryFrame from MySite.com has a Current Markup and a Pending Markup; Frame1 is from PayPal and Frame2 is from MSN.]


Case Study: Address Bar Spoofing

Program invariant: the address bar should display the URL of the current markup of the primary frame.

User action sequence: page loading, history traveling and window opening

Execution context: a set of Boolean conditions affecting the execution path

System state: PrimaryFrame, other frames, current markups, pending markups, address bar URL ...


Pseudo code model: loading a new page

[Diagram: the event queue and the nodes, in slide order: FollowHyperlink, startnavigation, ready, PostParser, Markup::SetInteractive, NavigationComplete, SetAddressBar, Frame::SwitchMarkup, onPaint, View::EnsureView, View::RenderView. Legend: posting an event, calling a function, invoking a handler.]


Pseudo code model: history travel

[Diagram: the same event queue and nodes as for loading a new page (startnavigation, ready, PostParser, Markup::SetInteractive, NavigationComplete, SetAddressBar, Frame::SwitchMarkup, onPaint, View::EnsureView, View::RenderView), now entered through History_Back, Travel and LoadHistory. Legend: posting an event, calling a function, invoking a handler.]


Pseudo code model: opening a page in a new window

[Diagram: the event queue and the nodes, in slide order: CreatePendingDocObject, start-loading, LoadDocument, Load, CreateMarkup, SetAddressBar, LoadFromInfo (twice), FollowHyperlink, onPaint, PostParser, View::RenderView, download-content, InitNew, SetClientSite, InitDocHost, SwitchMarkup.]
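As an added example (not the paper's Maude model), the address bar invariant from the previous slides checked over every interleaving of two toy navigation flows. The step names follow the pseudo-code models above; the model assumes, as the history-travel diagram shows, that both page loading and history travel end in SetAddressBar, Frame::SwitchMarkup and onPaint, and that pending and current markup are updated in separate steps. SetPendingMarkup, the start URL http://MySite.com and the racing URLs are constructed for the example.

```python
from itertools import combinations

# Toy navigation flow in the slides' vocabulary (constructed; not IE's real code): both
# "load a new page" and "history travel" end in SetAddressBar, SwitchMarkup, onPaint.
def load_page(url):
    return [("SetPendingMarkup", url), ("SetAddressBar", url), ("SwitchMarkup", None), ("onPaint", None)]

def apply_step(frame, step):
    """Apply one step to the primary frame; return True if onPaint renders a mismatch."""
    op, url = step
    if op == "SetPendingMarkup":                    # constructed step: markup starts loading
        frame["pending"] = url
    elif op == "SetAddressBar":                     # address bar updated on its own
        frame["address_bar"] = url
    elif op == "SwitchMarkup":                      # Frame::SwitchMarkup: pending becomes current
        frame["current"] = frame["pending"]
    elif op == "onPaint":                           # invariant checked when the view is rendered
        return frame["address_bar"] != frame["current"]
    return False

def interleavings(flow_a, flow_b):
    """Yield every interleaving of two step sequences that preserves each flow's own order."""
    n = len(flow_a) + len(flow_b)
    for slots in combinations(range(n), len(flow_a)):
        ia = ib = 0
        seq = []
        for i in range(n):
            if i in slots:
                seq.append(flow_a[ia])
                ia += 1
            else:
                seq.append(flow_b[ib])
                ib += 1
        yield seq

def find_violations(flow_a, flow_b, start_url):
    """Run all interleavings; report the first paint where address bar != current markup."""
    found = []
    for seq in interleavings(flow_a, flow_b):
        frame = {"current": start_url, "pending": start_url, "address_bar": start_url}
        for i, step in enumerate(seq):
            if apply_step(frame, step):
                found.append((tuple(seq[: i + 1]), frame["address_bar"], frame["current"]))
                break
    return found
```

Running `find_violations(load_page("https://evil.com"), load_page("https://paypal.com"), "http://MySite.com")` lists the interleavings in which a paint shows one URL in the address bar while the other page's markup is current; a single flow run alone never violates the invariant.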


Discovered Address Bar Spoof (An Atomicity Bug)

[Screenshot of the address bar: https://evil.com#xxxxx...xxxxxxxhttps://paypal.com]


Discovered address bar spoof (a race condition)

[Screenshots: https://evil.com, https://paypal.com and c:\windows\system32\shdoclc.dll?http; the two competing actions are "History back" and "Load a new page".]


Summary of bug reporting for IE 7

Found many new scenarios for the status bar spoofing, filed them as 9 bugs against IE.

All fixed before IE7 RC 1 (release candidate 1).

4 new scenarios of the address bar spoofing: non-atomic update of the address bar (2 bugs), non-atomic update of the content area, and a race condition in which multiple frames compete to be the primary. The IE team has fixed two, and proposed the fixes for the other 2 to go into the next version.


Conclusions

Formulated GUI logic correctness as a new research problem

Proposed a systematic approach to proactively uncover security flaws in browser GUI

Demonstrated the benefit of the systematic approach to the GUI implementation.

The approach is not IE specific: it applies to other browsers (e.g., Firefox, Opera, Netscape) and to non-browser applications (e.g., Outlook, Outlook Express).


Discussions

Are there spoofing bugs that are not logic flaws? Picture-in-picture, pop-up covering, chromeless windows, symbol similarities (“vv” vs. “w”, “l” vs. “|”, etc.).

Should we rely on users’ security awareness for anti-phishing? Ideally, no: an ideal security infrastructure should be transparent!

Many users ignore security warnings. [Dhamija-CHI-06][Wu-CHI-06][Schechter-S&P-07]

In reality, people have not found a satisfactory way for transparent security

White-listing? It sacrifices the openness of the web and does not scale. Black-listing or intrusion detection? Signature precision and timeliness are the problems.

Anti-phishing will remain a joint effort between browser vendors and users for many years

IE 7 has made many efforts to make the GUI authentic. “Seat belts” are effective only when you “buckle up”! (Not ideal, but …)