Beware of Finer-Grained Origins


Posted on 05-Jan-2016


DESCRIPTION

Beware of Finer-Grained Origins. Collin Jackson and Adam Barth, Stanford University. PowerPoint presentation covering: the security context determined by the URL ("origin" = scheme, host, port, e.g. https://login.yahoo.com/config/login); sub-origin privileges; origin contamination; trust specified by URL (import and export).

TRANSCRIPT

  • Beware of Finer-Grained Origins

    Collin Jackson, Adam Barth
    Stanford University

  • Security Context Determined By URL

    "Origin" = scheme + host + (port)

    https://login.yahoo.com/config/login
      scheme: https
      host:   login.yahoo.com
      port:   443 (the default for https, so it is implicit in the URL)

  • Sub-Origin Privileges

    Origin Contamination

  • Trust Specified By URL

    Import

    Export

    // Data export: the page's data goes wherever the relative URL resolves to
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "ajax.php");
    xhr.send();

  • Threat Models

    Web Attacker: https://www.attacker.com; free user visit
    Upgrade: Network Attacker: eavesdrop; corrupt network traffic
    Upgrade: Cert-Mismatch Attacker: user clicks through certificate errors; attacker still does not have the trusted site's certificate
    Cross-Path Attacker: same origin as the good site, different path

  • Browser Features (Defenses)

    Feature                     Sub-Origin Privilege   Attacker   Library Import   Data Export
    Cookie Paths                Read Cookie
    WSKE                        Read Cookie
    Certificate Errors (IE7)    Show Lock
    EV                          Show Organization
    Locked Same-Origin Policy   Read Cookie
    Petname Toolbar             Show Petname
    Passpet                     Obtain Password
    Mixed Content               Show Lock                                          N/A
    enablePrivilege             Install Software
    IP-based Origins            Network Requests

    (The Attacker, Library Import and Data Export cells were marks on the slide that did not survive the transcript; only the Mixed Content "N/A" remains.)

  • Mixed Content

  • WSKE: Web Server Key-Enabled Cookies

    Secure cookies only sent for the same TLS key

  • Locked SOP

    Finer-grained origin (scheme, host, port, broken)
    A broken-HTTPS page can't script a valid-HTTPS page

    Banks often import libraries

    User clicks through a cert error for paypalobjects.com
    Real PayPal imports a script from paypalobjects.com
    Attacker runs script as unbroken PayPal

    Sites cannot safely use <script>, CSS, SWF, etc.

  • More Anti-Phishing Using Certificates

    Ignore the address bar, use the cert instead

    Extended Validation

    Passpet
    Petname

    What about ?

  • TLS Forwarding

    Certificate belongs to the bank
    Domain name belongs to the attacker
    Attacker can hijack the session at any time

    Certificate UI is confused

  • TLS Forwarding Example

  • TLS Forwarding - Consequences

    Might not be PayPal

    This is really PayPal, right?

  • TLS Forwarding Network Attack

    Origin contamination: polluted cache

  • Firefox enablePrivilege API

  • Abusing enablePrivilege

    Relies on the certificate, ignores the host name
    Signed HTML can import libraries and be scripted by its origin

    Is this code really from Yahoo!?

  • Cookie Paths

    http://www.stanford.edu/~alice   Set-Cookie: skrt=04f4; path=/~alice
    http://www.stanford.edu/~eve     Set-Cookie: skrt=52f9; path=/~eve

    alert(frames[0].document.cookie);
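The cookie-path slide above, as an added example that is not part of the original slides: a JavaScript model of the two checks involved. The cookie jar's path-match (RFC 6265 section 5.1.4) keeps Alice's cookie off requests for /~eve, but the same-origin policy that governs `frames[0].document.cookie` compares only scheme, host and port, so Eve's page reads it anyway. The hosts and cookie values come from the slide; the jar, the documents and all function names are constructed for this example.

```javascript
// Added example, not from the slides: why the cookie `path` attribute is not
// a security boundary. Function names and the jar below are constructed.

// RFC 6265 section 5.1.4 path-match: the request path equals the cookie path,
// or the cookie path is a prefix that ends in "/" or is followed by "/" in
// the request path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Minimal cookie jar: the Cookie header the browser would attach to a request
// for `requestPath` on `host`. This is where `path` actually takes effect.
function cookiesForRequest(jar, host, requestPath) {
  return jar
    .filter(c => c.host === host && pathMatches(requestPath, c.path))
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// document.cookie as seen from a document: same path-match, so Alice's own
// page only ever sees her own cookie.
function documentCookie(jar, doc) {
  return cookiesForRequest(jar, doc.host, doc.path);
}

// The same-origin policy applied to scripting another frame compares only
// (scheme, host, port); the path is not part of the origin.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Models `frames[0].document.cookie` evaluated in `parentDoc` against a frame
// showing `frameDoc`: the SOP check passes for any path on the same host, and
// the cookie string is then computed for the *frame's* path.
function readFrameCookie(jar, parentDoc, frameDoc) {
  if (!sameOrigin(parentDoc, frameDoc)) {
    throw new Error('SecurityError: cross-origin frame access');
  }
  return documentCookie(jar, frameDoc);
}

// Constructed sample state: the two Set-Cookie responses from the slide.
const jar = [
  { host: 'www.stanford.edu', name: 'skrt', value: '04f4', path: '/~alice' },
  { host: 'www.stanford.edu', name: 'skrt', value: '52f9', path: '/~eve' },
];
const alice = { scheme: 'http', host: 'www.stanford.edu', port: 80, path: '/~alice' };
const eve   = { scheme: 'http', host: 'www.stanford.edu', port: 80, path: '/~eve' };

// Eve's page framing Alice's page: the path scoping at the HTTP layer holds,
// the scripting check does not.
function eveReadsAlice() {
  return {
    sentToEve:    cookiesForRequest(jar, 'www.stanford.edu', '/~eve/index.html'),
    sentToAlice:  cookiesForRequest(jar, 'www.stanford.edu', '/~alice'),
    viaFrame:     readFrameCookie(jar, eve, alice),
  };
}
```

The path check matters only for which cookies ride on an HTTP request; once Eve's document can script Alice's frame, Alice's cookie is readable, because the privilege was granted on the path (a finer-grained origin) while the browser's isolation stops at (scheme, host, port).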

  • DNS Rebinding Attack

    [Figure: www.evil.com web server (171.64.7.115) and ns.evil.com DNS server outside the firewall; corporate web server (192.168.0.100) inside. "Read permitted: it's the same origin."]

    [DWF96, R01]
    DNSSEC cannot stop this attack

  • IP-based Origins

    Finer-grained origin (scheme, host, port, IP)

    www.evil.com = 192.168.0.100 imports a script
    www.evil.com = 171.64.7.115 serves the evil script
    Read contents of the document
    POST it back to www.evil.com
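The Locked SOP and IP-based Origins slides above describe the same failure: the feature computes a finer-grained origin from the document's own URL, but an imported script runs with the importing document's authority. The following is an added JavaScript model of both policies, with a contamination-aware grant check next to the naive one; it is not code from the slides or from any browser. The function names, the `certOk` and `ip` components, the `importOk` predicates and the two constructed scenarios are assumptions made for illustration.

```javascript
// Added example, not from the slides: a model of finer-grained origins and of
// origin contamination via library import and data export. All names here
// (origin, policies, contaminated, naiveGrant, safeGrant, exportLeaks) are
// hypothetical; the scenarios are constructed from the slides' descriptions.

// A conventional origin is (scheme, host, port). A finer-grained origin adds
// one component: certOk for the Locked Same-Origin Policy (fetched over HTTPS
// with no certificate error?) or ip for IP-based origins.
function origin(scheme, host, port, extra) {
  return Object.assign({ scheme, host, port }, extra);
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// importOk(doc, src): may a script fetched from `src` run inside a document at
// `doc` without weakening the extra component? A valid-HTTPS page must not run
// a script fetched past a certificate error; a page must not run a script
// obtained from the same host name at a different IP address.
const policies = {
  lockedSOP: { key: 'certOk', importOk: (doc, src) => !doc.certOk || src.certOk === true },
  ipOrigins: { key: 'ip',     importOk: (doc, src) => doc.host !== src.host || doc.ip === src.ip },
};

function sameFineOrigin(a, b, policy) {
  return sameOrigin(a, b) && a[policy.key] === b[policy.key];
}

// What the feature does: decide from the document's own origin alone.
function naiveGrant(doc, resource, policy) {
  return sameFineOrigin(doc.origin, resource, policy);
}

// Scripts run with the authority of the document that imports them, so the
// document's effective trust is the weakest of its own origin and every
// imported script's origin.
function contaminated(doc, policy) {
  return doc.imports.some(src => !policy.importOk(doc.origin, src));
}

function safeGrant(doc, resource, policy) {
  return naiveGrant(doc, resource, policy) && !contaminated(doc, policy);
}

// Data export: posting the document's data to an origin the policy would not
// accept a script from is the same trust violation in the other direction.
function exportLeaks(doc, target, policy) {
  return !policy.importOk(doc.origin, target);
}

// Locked SOP scenario (constructed): real PayPal imports from paypalobjects.com,
// once with a valid certificate and once after the user clicked through an error.
const paypalValid         = origin('https', 'www.paypal.com', 443, { certOk: true });
const lockedCookie        = paypalValid; // resource locked to the valid-cert origin
const paypalObjectsValid  = origin('https', 'www.paypalobjects.com', 443, { certOk: true });
const paypalObjectsBroken = origin('https', 'www.paypalobjects.com', 443, { certOk: false });
const paypalPageClean  = { origin: paypalValid, imports: [paypalObjectsValid] };
const paypalPageBroken = { origin: paypalValid, imports: [paypalObjectsBroken] };

// IP-based origins scenario (constructed): www.evil.com first resolves to the
// attacker, is rebound to the corporate server, and is rebound back when the
// corporate page fetches its own script by a relative URL.
const corpOrigin     = origin('http', 'www.evil.com', 80, { ip: '192.168.0.100' });
const attackerOrigin = origin('http', 'www.evil.com', 80, { ip: '171.64.7.115' });
const attackerDoc = { origin: attackerOrigin, imports: [] };
const corpDoc     = { origin: corpOrigin, imports: [attackerOrigin] };

function demo() {
  return {
    lockedCleanSafe:   safeGrant(paypalPageClean, lockedCookie, policies.lockedSOP),
    lockedBrokenNaive: naiveGrant(paypalPageBroken, lockedCookie, policies.lockedSOP),
    lockedBrokenSafe:  safeGrant(paypalPageBroken, lockedCookie, policies.lockedSOP),
    rebindBlocked:     naiveGrant(attackerDoc, corpOrigin, policies.ipOrigins),
    corpNaive:         naiveGrant(corpDoc, corpOrigin, policies.ipOrigins),
    corpSafe:          safeGrant(corpDoc, corpOrigin, policies.ipOrigins),
    corpExportLeaks:   exportLeaks(corpDoc, attackerOrigin, policies.ipOrigins),
  };
}
```

The naive check is exactly what the slides show failing: the IP-based origin does stop the plain rebinding read (`rebindBlocked` is false), but the document that imported the attacker's script still passes it, and the locked cookie is still readable by a PayPal page whose imported library came through a certificate error. A contamination-aware check has to look at every import, which is why the talk concludes that privileges are better tied to the plain origin than to a finer-grained one.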

  • SOLUTIONS

  • Embrace

    Grant privileges to origins:
      Frame Navigation
      Phishing Filter
      Password Database
      Local Storage
      postMessage
      Cross-site XHR
      XDomainRequest

  • Extend

    Include the fine-grained origin in the URL

    YURL:https://y-cl7h3f7jwyj3fvmw7jpnjfvf2xlcmayi.yurl.net/

    HTTPEV:httpev://www.paypal.com/

  • Destroy

    Problem: documents that lack the sub-origin privilege

    Eliminate the privilege: SafeLock

    Eliminate the document: ForceHTTPS, ForceCertificate, Strict Petname


  • Solutions

    Feature                     Sub-Origin Privilege   Attacker   Library Import   Data Export   Solution
    Cookie Paths                Read Cookie                                                      Extend
    WSKE                        Read Cookie
    Certificate Errors (IE7)    Show Lock                                                        Destroy
    EV                          Show Organization                                                Destroy
    Locked Same-Origin Policy   Read Cookie                                                      Extend
    Petname Toolbar             Show Petname                                                     Destroy
    Passpet                     Obtain Password                                                  Destroy
    Mixed Content               Show Lock                                          N/A           Destroy
    enablePrivilege             Install Software                                                 Destroy
    IP-based Origins            Network Requests

    (The Attacker, Library Import and Data Export marks did not survive the transcript. The transcript also carries one additional "Destroy" label, placed between the Mixed Content row and its N/A cell, whose row could not be determined.)

  • Summary

    Sub-origin privileges don't work: origin contamination; privilege escalation via script injection
    Beware of finer-grained origins
    Trust specified by URL: import/export
    Three approaches for new features: embrace, extend, destroy