Securing Frame Communication in Browsers
Collin Jackson
Joint work with Adam Barth and John C. Mitchell

Why use frames?
• Modularity
  – Brings together content from multiple sources
  – Client-side aggregation
• Isolation
  – Different frames can represent different principals
  – Can’t script each other
  – Frame can draw only on its own rectangle
  – Easier than sanitization
Frames shown in the figure:
  – src = 7.gmodules.com/..., name = remote_iframe_7
  – src = google.com/…, name = awglogin

Threat Model
• Web attacker
  – Controls attacker.com ($5)
  – Can obtain SSL/TLS certificate for attacker.com ($0)
  – User visits attacker.com
  – Optional additional assumption: gets to embed a malicious gadget (ad) on integrator site
• Stronger threat models
  – Network attacker: can inspect or corrupt traffic
  – Malware attacker: already escaped from the browser

Frame Navigation
• Who decides a frame’s content?
Permissive Policy: A frame can navigate any frame.

Guninski Attack
    window.open("https://www.google.com/...")
    window.open("https://www.attacker.com/...", "awglogin")
Frame name shown in the figure: awglogin

Window Policy: A frame can navigate frames in its own window.

Gadget Hijacking
    top.frames[1].location = "http://www.attacker.com/...";
    top.frames[2].location = "http://www.attacker.com/...";
    ...
Policy Testing

Parent Policy: A frame can navigate its children.
Ancestor Policy: A frame can navigate its descendants.
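
An added example (not from the talk) that models the four navigation policies as the slides word them and lists which ones permit a given navigation. The frame tree, names and origins are constructed; real browser policies involve further rules that this model does not cover.

```javascript
// Added example: a model of the four policies as the slides define them.
// Frame names and origins are constructed; origin is informational only,
// because the slide definitions depend on position in the frame tree.
function makeFrame(name, origin, parent = null) {
  return { name, origin, parent };
}

// Top-level window that contains a frame.
function topOf(frame) {
  while (frame.parent) frame = frame.parent;
  return frame;
}

// True when `actor` is a strict ancestor of `target`.
function isAncestor(actor, target) {
  for (let f = target.parent; f; f = f.parent) {
    if (f === actor) return true;
  }
  return false;
}

const POLICIES = {
  permissive: () => true,                                    // any frame
  window: (actor, target) => topOf(actor) === topOf(target), // same window
  parent: (actor, target) => target.parent === actor,        // children only
  ancestor: (actor, target) => isAncestor(actor, target),    // descendants
};

// Names of the policies under which `actor` may navigate `target`.
function allowedUnder(actor, target) {
  return Object.keys(POLICIES).filter((p) => POLICIES[p](actor, target));
}

// Constructed page: an integrator hosting a login frame and two gadgets,
// one of which contains a nested frame; plus a separate attacker window.
const integrator = makeFrame("top", "https://integrator.example");
const login = makeFrame("awglogin", "https://integrator.example", integrator);
const badGadget = makeFrame("gadget_a", "https://attacker.example", integrator);
const goodGadget = makeFrame("gadget_b", "https://gadget.example", integrator);
const nested = makeFrame("inner", "https://gadget.example", goodGadget);
const attackerWindow = makeFrame("other_window", "https://attacker.example");

console.log("other window -> login frame:", allowedUnder(attackerWindow, login));
console.log("gadget -> sibling gadget:", allowedUnder(badGadget, goodGadget));
console.log("integrator -> nested frame:", allowedUnder(integrator, nested));
console.log("integrator -> own gadget:", allowedUnder(integrator, goodGadget));
```

Only the permissive policy lets a separate window retarget the login frame, and only the permissive and window policies let one gadget navigate its sibling.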

Frame Navigation Policies

| Browser | Policy | Propagation |
|---|---|---|
| IE 6 (default) | Permissive | N/A |
| IE 6 (option) | Parent | No |
| IE7 (no Flash) | Ancestor | Yes |
| IE7 (with Flash) | Permissive | N/A |
| Firefox 2 | Window | Sometimes |
| Safari 2 | Permissive | N/A |

Frame Navigation Policies

| Browser | Policy | Propagation |
|---|---|---|
| IE7 (no Flash) | Ancestor | Yes |
| IE7 (with Flash) | Ancestor | Yes |
| Firefox 3 | Ancestor | Yes |
| Safari 3 | Ancestor | Yes |

Frame Communication

Fragment Identifier Messaging
• Send information by navigating a frame
  – http://gadget.com/#hello
• Navigating to fragment doesn’t reload frame
  – No network traffic, but frame can read its fragment
• Not a secure channel
  – Confidentiality
  – Integrity
  – Authentication

Fix: Improve the protocol
• Proposed Needham-Schroeder-Lowe
• Adoption
  – Microsoft: Windows Live Channels library
  – IBM: OpenAjax Hub 1.1

postMessage
• New API for inter-frame communication
• Supported in latest betas of many browsers
• Not a secure channel
  – Confidentiality
  – Integrity
  – Authentication

Reply Attack

Fix: Improve the API
• Let the sender specify the recipient
  – frames[0].postMessage("Hello", "http://gadget.com")
  – Can omit argument if confidentiality not required
• Adoption
  – Firefox 3
  – Internet Explorer 8
  – Safari 3.1
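
An added example (not from the talk) that models the delivery rule this fix introduces: a message carrying a target origin is dropped when the frame no longer shows that origin. It is a model, not browser code; `FrameModel`, `postMessageModel`, `acceptFrom`, the integrator origin and the payload are all constructed for illustration.

```javascript
// Added example: a model of postMessage delivery, not a browser implementation.
// All origins and payloads are constructed.
class FrameModel {
  constructor(url) {
    this.navigate(url);
  }
  // Navigation replaces the document: new origin, fresh message queue.
  navigate(url) {
    this.origin = new URL(url).origin;
    this.received = [];
  }
}

// Delivery rule the fix adds: when the sender names a targetOrigin, the
// message is delivered only if the frame currently holds that origin.
// "*" models the original API (or an omitted argument): deliver to anyone.
function postMessageModel(senderOrigin, frame, data, targetOrigin = "*") {
  if (targetOrigin !== "*" && new URL(targetOrigin).origin !== frame.origin) {
    return false; // dropped: the frame no longer shows the intended recipient
  }
  frame.received.push({ data, origin: senderOrigin });
  return true;
}

// Receiver side: accept a message only from an expected sender origin.
function acceptFrom(event, trustedOrigins) {
  return trustedOrigins.includes(event.origin) ? event.data : null;
}

// Scenario: the integrator believes frames[0] shows gadget.com, but the frame
// has been navigated elsewhere before the message is sent.
function runScenario(targetOrigin) {
  const frame = new FrameModel("http://gadget.com/widget");
  frame.navigate("http://attacker.com/page");
  const delivered = postMessageModel(
    "http://integrator.com", frame, "secret-token", targetOrigin);
  return { delivered, leaked: frame.received.map((m) => m.data) };
}

console.log(runScenario("*"));                 // delivered to whoever is there
console.log(runScenario("http://gadget.com")); // dropped by the origin check
```

The sender-side target origin protects confidentiality; the receiver-side check in `acceptFrom` covers authentication of the sender.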

Conclusion
• All proposals deployed to real users
• Frame isolation
  – Improved frame navigation policy
• Fixed Guninski and Gadget Hijacking
  – Drive-by-downloads still a concern…
• Frame communication
  – Secured fragment identifier messaging
  – Secured new postMessage API