Securing Frame Communication in Browsers, 17th USENIX Security Symposium (2008), 2008.11.27, Adam Barth, Collin Jackson, John C. Mitchell


Securing Frame Communication in Browsers

17th USENIX Security Symposium (2008)

2008.11.27

Adam Barth, Collin Jackson, John C. Mitchell


Network & Security Lab, KAIST

Agenda

• Background
• Problem Definition
• Goal & Contribution
• Frame Isolation
• Frame Communication
• Related Work
• Conclusion


Background : Mashup

A Web site combining content from multiple sources
• Integrator
    • Combining the contents
• Gadget
    • Integrated contents

[Figure: example mashup with content from Google, NASA and Daum]


Background : Mashup

Mashups use two methods for implementation
• Inserting JavaScript
    • The integrator embeds a <script> tag
    • The script runs with all of the integrator's privileges
• Iframe element
    • Can represent a different principal
    • A frame can draw only on its own rectangle


Problem Definition

Frames can contain untrusted content
• It may try to access the other frames for malicious actions
Web attacker
• Owns attacker.com
• User visits attacker.com
• Optional assumption
    • Gets to embed a malicious gadget on the integrator's site


Goal & Contribution

Enhance the security of mashups that include untrusted gadgets
• Isolation between frames
    • Propose a security policy
• Secure frame communication
    • Make up for the weak points in existing approaches


Frame Isolation : Navigation Policy

Permissive Policy
• A frame can navigate any other frame
• Cross-Window Attacks


Frame Isolation : Navigation Policy

Window Policy
• A frame can navigate only frames in its window
• Gadget Hijacking


Frame Isolation : Navigation Policy

Child Policy
• A frame can navigate only its direct children
• Reduces the policy's compatibility with existing sites
Descendant Policy
• A frame can navigate only its descendants
• Provides the most attractive trade-off between security and compatibility


Frame Isolation : Navigation Policy

Table: Policy | Behavior (rows: Permissive, Window, Descendant, Child)
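The four navigation policies from these slides, applied to a small frame tree. This is an added example, not code from the paper or from any browser; the frame names and tree are constructed, and only the slides' one-line rules are modelled (same-origin handling is left out).

```javascript
// Toy frame tree; names and shape are constructed for illustration.
class Frame {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent; // null for the top-level frame of a window
  }
  // Top-level frame of the window this frame belongs to.
  get top() {
    let f = this;
    while (f.parent) f = f.parent;
    return f;
  }
  isDescendantOf(other) {
    for (let f = this.parent; f; f = f.parent) {
      if (f === other) return true;
    }
    return false;
  }
}

// Each policy answers: may `actor` navigate `target`? (slide definitions only)
const POLICIES = {
  permissive: () => true,
  window: (actor, target) => actor.top === target.top,
  descendant: (actor, target) => target.isDescendantOf(actor),
  child: (actor, target) => target.parent === actor,
};

// Verdict of every policy for one navigation attempt.
function verdicts(actor, target) {
  const out = {};
  for (const [name, allows] of Object.entries(POLICIES)) out[name] = allows(actor, target);
  return out;
}

// Constructed scenario: an integrator with two gadgets, one holding a nested
// frame, and a separate window opened on another site.
const integrator = new Frame("integrator");
const gadgetA = new Frame("gadgetA", integrator);
const gadgetB = new Frame("gadgetB", integrator);
const nested = new Frame("nested", gadgetA);
const otherWindow = new Frame("otherWindow");

const attempts = [
  ["otherWindow -> gadgetA", otherWindow, gadgetA], // cross-window
  ["gadgetB -> gadgetA", gadgetB, gadgetA],         // sibling gadget
  ["integrator -> nested", integrator, nested],     // grandchild
  ["integrator -> gadgetA", integrator, gadgetA],   // direct child
];
for (const [label, actor, target] of attempts) {
  console.log(label.padEnd(24), JSON.stringify(verdicts(actor, target)));
}
```

The sibling row is the gadget hijacking case: the window policy allows it, while the descendant and child policies refuse it.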


Frame Isolation : Deployment

• Safari
    • Apple accepted the authors' patch for the descendant policy
• Firefox
    • Mozilla accepted the authors' patch in Firefox 3
• Flash
    • Adobe agreed to the descendant policy
• Opera
    • They plan to fix these vulnerabilities


Frame Communication

Some mashups need a communication method to provide rich content
• The fragment identifier channel
• The postMessage channel

Security Properties
• Confidentiality
    • A message can be read only by its intended recipient
• Authentication
    • The ability of the recipient to unambiguously determine the sender of a message


Frame Communication : The Fragment Identifier Channel

The fragment identifier
• http://aaa.com/#hello
Send short information to another frame using the fragment identifier
• Doesn't reload the content in the frame
    • No network traffic, but the frame can read its fragment

Frame 1
    parent.location = "http://aaa.com/#Message_1230483";
Frame 2
    setInterval(checkForMessage, 200);


Frame Communication : The Fragment Identifier Channel

Security properties
• Confidentiality : Yes
• Authentication : No
• Not a secure channel
Windows Live channel
• Attempts to build a secure channel over the fragment identifier channel
SMash and Open Ajax 1.1


Frame Communication : The Fragment Identifier Channel

Windows Live channel
• The Lowe anomaly can be exploited to impersonate the integrator
SMash and Open Ajax 1.1


Frame Communication : The Fragment Identifier Channel

Secure Fragment Messaging
• The fragment identifier channel can be secured using a variant of the Needham-Schroeder-Lowe Protocol
• The responder must include his identity in the second message of the protocol
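Why the responder's identity in the second message matters, shown as the initiator's check with and without it. This is an added example in the textbook Needham-Schroeder / Lowe shape, not code from Windows Live, OpenAjax or the paper; the origins and nonce values are constructed, and the fragment channel is assumed to be confidential but unauthenticated, as the slides state.

```javascript
// Message 2 as built by a responder. `includeIdentity` selects the Lowe fix
// (responder names itself) versus the original shape (nonces only).
function buildMessage2(responderOrigin, nonceA, nonceB, includeIdentity) {
  const msg = { nonceA, nonceB };
  if (includeIdentity) msg.responder = responderOrigin;
  return msg;
}

// Initiator side. `session.peer` is the origin the initiator meant to talk to.
// Returns message 3 (echo of N_B, sent to that peer) or null if it aborts.
function initiatorOnMessage2(session, msg, requireIdentity) {
  if (msg.nonceA !== session.nonceA) return null; // not an answer to our message 1
  if (requireIdentity && msg.responder !== session.peer) return null; // Lowe check
  return { to: session.peer, nonceB: msg.nonceB };
}

// Constructed case 1: message 1 was passed on to a different origin, which
// answered it honestly with its own nonce. The channel carries no sender
// information, so only the identity field can reveal the mismatch.
function relayedHandshake(fixed) {
  const session = { peer: "http://other.example", nonceA: "nA-1111" };
  const msg2 = buildMessage2("http://integrator.example", session.nonceA, "nB-2222", fixed);
  return initiatorOnMessage2(session, msg2, fixed);
}

// Constructed case 2: an ordinary handshake with the intended responder.
function directHandshake(fixed) {
  const session = { peer: "http://integrator.example", nonceA: "nA-3333" };
  const msg2 = buildMessage2("http://integrator.example", session.nonceA, "nB-4444", fixed);
  return initiatorOnMessage2(session, msg2, fixed);
}

// Fixed nonces keep the output reproducible; real nonces must be fresh and
// unpredictable for every handshake.
console.log("relayed, no identity  :", relayedHandshake(false)); // N_B goes to the wrong origin
console.log("relayed, with identity:", relayedHandshake(true));  // aborted
console.log("direct, with identity :", directHandshake(true));   // completes
```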


Frame Communication : The Fragment Identifier Channel

Adoption
• Microsoft : Windows Live Channels library
• IBM : OpenAjax Hub 1.1


Frame Communication : The postMessage Channel

New API for inter-frame communication in HTML 5
• Supported in the latest betas of many browsers
    • IE 8, Firefox 3, Safari, Opera
To send a message to another frame, the sender calls the postMessage method
• frames[0].postMessage("Hello world.");
• The browser generates a message event in the recipient's frame
    • Contains the message, the origin of the sender, and a JavaScript pointer to the sender's frame


Frame Communication : The postMessage Channel

Security properties
• Confidentiality : No
• Authentication : Yes
• Not a secure channel
Two types of attack
• Recursive Mashup Attack
• Replay Attack


Frame Communication : The postMessage Channel

Recursive Mashup attack
• The attacker loads the integrator inside a frame
    • Can carry out an attack without violating the descendant frame policy
• The attacker hijacks the content of postMessage


Frame Communication : The postMessage Channel

Replay attack
• Embedding the honest gadget in the attacker's frame
• Can intercept postMessage, even under the child frame policy


Frame Communication : The postMessage Channel

Securing postMessage
• Let the sender specify the recipient
    • frames[0].postMessage("hello", "http://gadget.com");
    • Can omit the argument if confidentiality is not required
Adoption
• HTML 5.0
• Firefox 3
• Safari
• IE 8
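How the recipient argument restores confidentiality while the event's origin provides authentication, as a small model of the delivery rule. This is an added example, not browser or paper code: `ModelFrame` and the helper names are hypothetical, `http://integrator.example` is a constructed origin, and an omitted target is treated as the wildcard `"*"`, following the slide.

```javascript
// One frame slot: the origin of the document it currently shows, and the
// message events delivered to that document.
class ModelFrame {
  constructor(origin) {
    this.origin = origin;
    this.inbox = [];
  }
  navigate(origin) { // a new document replaces the old one and its state
    this.origin = origin;
    this.inbox = [];
  }
}

// Delivery rule: with a targetOrigin, drop the message unless the recipient
// slot currently holds a document from that origin. The boolean return is for
// inspection only; the real method returns nothing.
function postMessage(sender, recipient, data, targetOrigin = "*") {
  if (targetOrigin !== "*" && recipient.origin !== targetOrigin) return false;
  recipient.inbox.push({ data, origin: sender.origin, source: sender });
  return true;
}

// Recipient-side check: the browser fills in event.origin, so filtering on it
// is what gives authentication.
function acceptedMessages(frame, expectedOrigin) {
  return frame.inbox.filter((e) => e.origin === expectedOrigin).map((e) => e.data);
}

// The slot the integrator believes holds the gadget has been navigated
// elsewhere before the send. Does the message still arrive?
function sendAfterNavigation(targetOrigin) {
  const integrator = new ModelFrame("http://integrator.example");
  const slot = new ModelFrame("http://gadget.com");
  slot.navigate("http://attacker.com");
  const delivered = postMessage(integrator, slot, "secret", targetOrigin);
  return { delivered, received: slot.inbox.length };
}

// A gadget receives messages from two origins and keeps only the expected one.
function originFilterDemo() {
  const gadget = new ModelFrame("http://gadget.com");
  postMessage(new ModelFrame("http://integrator.example"), gadget, "config", "http://gadget.com");
  postMessage(new ModelFrame("http://attacker.com"), gadget, "forged", "http://gadget.com");
  return acceptedMessages(gadget, "http://integrator.example");
}

console.log(sendAfterNavigation());                    // no target: delivered
console.log(sendAfterNavigation("http://gadget.com")); // target given: dropped
console.log(originFilterDemo());
```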


Related work

Safe subsets of HTML and JavaScript
• This approach requires gadgets to be written in a "safe subset" of HTML and JavaScript
• Writing programs in one of these safe subsets is often awkward
Subspace
• This approach used a multi-level hierarchy based on the document.domain property
• The descendant frame navigation policy is required to prevent gadget hijacking
MashupOS


Conclusion

All proposals deployed to real users
• Frame isolation
    • Improved frame navigation policy
• Frame communication
    • Secured fragment identifier messaging
    • Secured new postMessage API


Q&A