web security: browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.browsers.pdf · from...
TRANSCRIPT
![Page 1: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/1.jpg)
Web Security: Browsers
CS 161: Computer Security Prof. David Wagner
February 19, 2013
![Page 2: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/2.jpg)
Announcements
• Midterm 1: in class, next Monday, here • Midterm review session:
Saturday 2/22, 2-4pm, 100 GPB • Project 1 is now out; due Monday 3/3 • HW1 solutions are posted • No discussion sections next week
![Page 3: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/3.jpg)
Goals For Today
• Web security challenges that are specific to web browsers – Quick reminder: web “driveby” attacks – Social engineering users: Clickjacking
• Server-side solutions cannot fix these problems
![Page 4: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/4.jpg)
<title>Javascript demo page</title> <font size=30> Hello, <b> <script> var a = 1; var b = 2; document.write("world: ", a+b, "</b>"); </script>
Or what else?
Dynamic Web Pages • Rather than static HTML, web pages can be
expressed as a program, say written in Javascript:
Threats?
Or what else? Java, Flash, Active-X, PDF …
![Page 5: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/5.jpg)
Drive-By Downloads
Drive-By download = attack that infects your system just by you visiting a (malicious) web page. Your are now 0wnd!
![Page 6: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/6.jpg)
![Page 7: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/7.jpg)
![Page 8: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/8.jpg)
![Page 9: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/9.jpg)
![Page 10: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/10.jpg)
![Page 11: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/11.jpg)
![Page 12: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/12.jpg)
![Page 13: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/13.jpg)
Defenses Against Driveby Attacks
• Sandboxing: rich content (PDF, Flash, …) runs in a constrained environment – Implements Least Privilege
• Disable unneeded functionality – Excessive featurism kills! – But not always practical
• Patching / autoupdate – Still a race, and can be disruptive
• Control exposure to untrusted sites – E.g., Google Safe Browsing: dynamically updated list
of malware & phishing sites – Browser warns on any access …
![Page 14: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/14.jpg)
Misleading Users
• Browser assumes clicks & keystrokes = clear indication of what the user wants to do – Constitutes part of the user’s trusted path
• Attacker can meddle with integrity of this relationship in all sorts of ways …
![Page 15: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/15.jpg)
![Page 16: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/16.jpg)
Stealing Keystrokes (demo)
![Page 17: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/17.jpg)
Misleading Users
• Browser assumes clicks & keystrokes = clear indication of what the user wants to do – Constitutes part of the user’s trusted path
• Attacker can meddle with integrity of this relationship in all sorts of ways …
• Especially, recall the power of Javascript! – Alter page contents (dynamically) – Track events (mouse clicks, motion, keystrokes) – Read/set cookies – Issue web requests, read replies
![Page 18: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/18.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
Using JS to Steal Facebook Likes
• Bait-and-switch • Note: many of these attacks are similar to
TOCTTOU (Time of Check to Time of Use) vulnerabilities
Claim your FREE iPad
![Page 19: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/19.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
UI Subversion: Clickjacking • An attack application (script) compromises the context
integrity of another application’s User Interface when the user acts on the UI
1. Target checked 2. Initiate click
3. Target clicked
Temporal integrity Targetclicked = Targetchecked
Pointerclicked = Pointerchecked
Visual integrity Target is visible Pointer is visible
Context integrity consists of visual integrity + temporal integrity
![Page 20: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/20.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
Compromise visual integrity – target • Hiding the target • Partial overlays
Click
$0.15 $0.15
![Page 21: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/21.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
Claim your FREE iPad
Compromise visual integrity – pointer
• Manipulating cursor feedback
![Page 22: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/22.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
Clickjacking to Access the User’s Webcam
Fake cursor
Real cursor
![Page 23: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/23.jpg)
Some Clickjacking Defenses • Require confirmation for actions (annoys users) • Frame-busting: Web site ensures that its “vulnerable” pages can’t be included as a frame inside another browser frame – So user can’t be looking at it with something invisible
overlaid on top … – … nor have the site invisible above something else
![Page 24: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/24.jpg)
Attacker implements this attack by placing Twitter’s page in a “Frame” inside their own page. Otherwise the two pages wouldn’t overlap.
![Page 25: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/25.jpg)
Some Clickjacking Defenses • Require confirmation for actions (annoys users) • Frame-busting: Web site ensures that its “vulnerable” pages can’t be included as a frame inside another browser frame – So user can’t be looking at it with something invisible
overlaid on top … – … nor have the site invisible above something else
• Conceptually implemented with Javascript like: if (top.location != self.location) top.location = self.location;
(Note: actually quite tricky to get this right!)"• Current research considers more general approach …"
![Page 26: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/26.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
InContext Defense (Research) • A set of techniques to ensure context integrity
for user actions • Server opt-in approach
– Let websites indicate their sensitive UIs – Let browsers enforce context integrity when users
act on the sensitive UIs
attacker.com
![Page 27: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/27.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
Ensuring visual integrity of pointer • Remove cursor customization
– Attack success: 43% -> 16%
![Page 28: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/28.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
Ensuring visual integrity of pointer • Freeze screen around target on pointer entry
– Attack success: 43% -> 15% – Attack success (margin=10px): 12% – Attack success (margin=20px): 4% (baseline:5%)
Margin=10px Margin=20px
![Page 29: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/29.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
Ensuring visual integrity of pointer • Lightbox effect around target on pointer entry
– Attack success (Freezing + lightbox): 2%
![Page 30: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/30.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
• UI delay: after visual changes on target or pointer, invalidate clicks for X ms – Attack success (delay=250ms): 47% -> 2% (2/91) – Attack success (delay=500ms): 1% (1/89)
Enforcing temporal integrity
![Page 31: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/31.jpg)
From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research
Enforcing temporal integrity • Pointer re-entry: after visual changes on
target, invalidate clicks until pointer re-enters target – Attack success: 0% (0/88)
31
![Page 32: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/32.jpg)
Other Forms of UI Sneakiness • Along with stealing events, attackers can
use power of Javascript customization / dynamic changes to mess with the user’s mind …"
• For example, the user may not be paying sufficient attention ... "– Tabnabbing"
• Or they might find themselves living in The Matrix …"
![Page 33: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/33.jpg)
“Browser in Browser”
Apparent browser is just a fully interactive image generated by Javascript running in real browser!
![Page 34: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/34.jpg)
Lessons
• Clickjacking is an injection attack on the human brain
• Trusted path is critical to security • The web security model was not designed
with trusted path in mind • Changing the web security model is
challenging, because of legacy constraints
![Page 35: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/35.jpg)
Discussion
• So, how do these lessons apply to desktop applications?
• Compare the security model for desktop apps: – Are desktop apps safer against these attacks? – Are desktop apps riskier against these attacks?
![Page 36: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/36.jpg)
![Page 37: Web Security: Browsersinst.eecs.berkeley.edu/~cs161/sp14/slides/2.19.Browsers.pdf · From Clickjacking: Attacks and Defenses, by Lin-Shung Huang et al, Carnegie Mellon University](https://reader035.vdocuments.mx/reader035/viewer/2022062603/5f0fb97f7e708231d4459312/html5/thumbnails/37.jpg)
Discussion
• So, how do these lessons apply to mobile (smartphone/tablet) apps?
• Compare the security model for mobile apps: – Are mobile apps safer against these attacks? – Are mobile apps riskier against these attacks?