Securing Frame Communication in Browsers
17th USENIX Security Symposium (2008)
2008.11.27
Adam Barth, Collin Jackson, John C. Mitchell
Network & Security Lab, KAIST
Agenda
Background
Problem Definition
Goal & Contribution
Frame Isolation
Frame Communication
Related Work
Conclusion
Background : Mashup
A Web site combining content from multiple sources
Integrator
• Combines the contents
Gadget
• Integrated content (in the example figure: gadgets from Google, from NASA and from Daum)
Background : Mashup
Mashups use two methods for implementation
Insert JavaScript
• The integrator embeds a <script> tag
• The script runs with all of the integrator's privileges
Iframe element
• Can represent a different principal
• A frame can draw only on its own rectangle
Problem Definition
The frames can contain untrusted content
• Untrusted content may try to access the other frames for malicious action
Web attacker
• Owns attacker.com
• The user visits attacker.com
Optional assumption
• Gets to embed a malicious gadget on the integrator site
Goal & Contribution
Enhance the security of mashups that include untrusted gadgets
Isolation between frames
• Propose the security policy
Secure frame communication
• Make up for the weak points in existing approaches
Frame Isolation : Navigation Policy
Permissive Policy
• A frame can navigate any other frame
• Vulnerable to cross-window attacks
Frame Isolation : Navigation Policy
Window Policy
• A frame can navigate only frames in its window
• Vulnerable to gadget hijacking
Frame Isolation : Navigation Policy
Child Policy
• A frame can navigate only its direct children
• Reduces the policy's compatibility with existing sites
Descendant Policy
• A frame can navigate only its descendants
• Provides the most attractive trade-off between security and compatibility
Frame Isolation : Navigation Policy
Policy Behavior (table on the slide comparing the behavior of the four policies)
• Permissive
• Window
• Descendant
• Child
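The four policies above, as an added reference model (this is not code from the paper, the slides or any browser): each policy is a predicate over a frame tree, and a constructed scenario with an integrator page, an honest gadget, an attacker-supplied gadget and a separate attacker window shows which navigations each policy allows. The Frame class, the policy names as strings and the scenario are assumptions made for the model.

```javascript
// Added example (not from the paper or the slides): a reference model of the
// four navigation policies as a predicate over a frame tree. The Frame class,
// the policy names used as strings and the scenario below are assumptions
// made for this model, not browser APIs.

class Frame {
  constructor(name, parent = null) {
    this.name = name;
    this.parent = parent;
    this.children = [];
    if (parent) parent.children.push(this);
  }

  // Top-level frame of the window this frame is displayed in.
  get top() {
    let f = this;
    while (f.parent) f = f.parent;
    return f;
  }

  // True if `other` is an ancestor of this frame.
  isDescendantOf(other) {
    for (let f = this.parent; f; f = f.parent) {
      if (f === other) return true;
    }
    return false;
  }
}

// May `source` navigate `target` under `policy`? A frame may always
// navigate itself under every policy.
function mayNavigate(source, target, policy) {
  if (source === target) return true;
  switch (policy) {
    case "permissive": // any frame may navigate any other frame
      return true;
    case "window":     // only frames in the same window
      return source.top === target.top;
    case "descendant": // only frames below the source in the tree
      return target.isDescendantOf(source);
    case "child":      // only the source's direct children
      return target.parent === source;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Constructed scenario: an integrator page that embeds an honest gadget and an
// attacker-supplied gadget, the honest gadget embedding a nested frame of its
// own, and a separate window belonging to the attacker.
function buildScenario() {
  const integrator = new Frame("integrator");
  const honestGadget = new Frame("honest-gadget", integrator);
  const nested = new Frame("nested-in-honest-gadget", honestGadget);
  const evilGadget = new Frame("evil-gadget", integrator);
  const attackerWindow = new Frame("attacker-window");
  return { integrator, honestGadget, nested, evilGadget, attackerWindow };
}

// For every policy, report whether each navigation in the scenario is allowed.
// The first two rows are the attacks named on the slides; the last two are
// legitimate navigations an integrator performs, which show the compatibility
// cost of the stricter policies.
function evaluatePolicies() {
  const s = buildScenario();
  const report = {};
  for (const policy of ["permissive", "window", "descendant", "child"]) {
    report[policy] = {
      crossWindow: mayNavigate(s.attackerWindow, s.honestGadget, policy),
      gadgetHijacking: mayNavigate(s.evilGadget, s.honestGadget, policy),
      integratorToGadget: mayNavigate(s.integrator, s.honestGadget, policy),
      integratorToNested: mayNavigate(s.integrator, s.nested, policy),
    };
  }
  return report;
}

console.log(JSON.stringify(evaluatePolicies(), null, 2));
```

Reading the report row by row reproduces the slides' ranking: permissive allows both attacks, window stops only the cross-window attack, and descendant and child stop both, with child also refusing the integrator's own navigation of a grandchild frame, which is the compatibility cost the slides attribute to it.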
Frame Isolation : Deployment
Safari: Apple accepted the authors' patch implementing the descendant policy
Firefox: Mozilla accepted the authors' patch in Firefox 3
Flash: Adobe agreed on the descendant policy
Opera: They plan to fix these vulnerabilities
Frame Communication
Some mashups need a communication method for providing rich content
The fragment identifier channel
The postMessage channel
Security Properties
Confidentiality
• A message can be read only by its intended recipient
Authentication
• The ability of the recipient to unambiguously determine the sender of a message
Frame Communication : The Fragment Identifier Channel
The fragment identifier: http://aaa.com/#hello
Send short information to another frame using the fragment identifier
• Doesn't reload the content in the frame
• No network traffic, but the frame can read its own fragment
Frame 1 (sender, writing a message into the parent's fragment):
parent.location = "http://aaa.com/#Message_1230483";
Frame 2 (receiver, polling its own fragment every 200 ms):
setInterval(checkForMessage, 200);
Frame Communication : The Fragment Identifier Channel
Security properties: Confidentiality: Yes, Authentication: No
Not a secure channel
Windows Live channel, Smesh, and OpenAjax 1.1
• Attempt to build a secure channel over the fragment identifier channel
Frame Communication : The Fragment Identifier Channel
Windows Live channel
• The Lowe anomaly can be exploited to impersonate the integrator
Smesh and OpenAjax 1.1
Frame Communication : The Fragment Identifier Channel
Secure Fragment Messaging
• The fragment identifier channel can be secured using a variant of the Needham-Schroeder-Lowe protocol
• The responder must include his identity in the second message of the protocol
Frame Communication : The Fragment Identifier Channel
Adoption
• Microsoft: Windows Live Channels library
• IBM: OpenAjax Hub 1.1
Frame Communication : The postMessage Channel
New API for inter-frame communication in HTML 5
Supported in the latest betas of many browsers
• IE 8, Firefox 3, Safari, Opera
To send a message to another frame, the sender calls the postMessage method
frames[0].postMessage("Hello world.");
The browser generates a message event in the recipient's frame
• Contains the message, the origin of the sender, and a JavaScript pointer to the sender's frame
Frame Communication : The postMessage Channel
Security properties: Confidentiality: No, Authentication: Yes
Not a secure channel
Two types of attack
• Recursive Mashup Attack
• Replay Attack
Frame Communication : The postMessage Channel
Recursive Mashup attack
• The attacker loads the integrator inside a frame
• Can carry out an attack without violating the descendant frame policy
• The attacker hijacks the content of postMessage
Frame Communication : The postMessage Channel
Replay attack
• Embedding the honest gadget in the attacker's frame
• Can intercept postMessage, even under the child frame policy
Frame Communication : The postMessage Channel
Securing postMessage
Let the sender specify the recipient
• frames[0].postMessage("hello", "http://gadget.com");
• Can omit the argument if confidentiality is not required
Adoption: HTML 5.0, Firefox 3, Safari, IE 8
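The postMessage channel of the last few slides, both the recipient-side origin check that gives it authentication and the sender-side recipient argument that gives it confidentiality, as an added example that is not code from the paper, the slides or any browser. It models the browser's delivery rule with a small stand-in for windows so the scenario can be run outside a browser; the ModelWindow class, browserPostMessage (what the browser does when a page calls `target.postMessage(data, targetOrigin)`) and the example origins are assumptions, while `event.data`, `event.origin` and `event.source` are the real fields of the "message" event.

```javascript
// Added example, not code from the paper, the slides or any browser. It models
// the postMessage channel with a stand-in for browser windows. ModelWindow,
// browserPostMessage and the example origins are assumptions; the real
// receiver API is a "message" event with event.data, event.origin, event.source.

class ModelWindow {
  constructor(origin) {
    this.origin = origin;   // origin of the document currently loaded
    this.listeners = [];    // "message" handlers registered by that document
  }
  addEventListener(type, handler) {
    if (type === "message") this.listeners.push(handler);
  }
  // Navigating the window to another site replaces the document, so its origin
  // changes and the previous document's listeners are gone.
  navigate(newOrigin) {
    this.origin = newOrigin;
    this.listeners = [];
  }
}

// Model of the browser's delivery rule: deliver only when targetOrigin is "*"
// or equals the origin of the document now in the target window. Returns
// whether the message was delivered.
function browserPostMessage(sender, target, data, targetOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== target.origin) return false;
  const event = { data, origin: sender.origin, source: sender };
  for (const handler of target.listeners) handler(event);
  return true;
}

// Receiver-side authentication check, kept as a pure function: accept the
// message only if event.origin is the sender we expect. Returns the message
// data or null. In a real page: window.addEventListener("message", e => ...).
function acceptFrom(event, expectedOrigin) {
  if (typeof event.origin !== "string" || event.origin !== expectedOrigin) return null;
  return event.data;
}

// Scenario from the slides: before the integrator sends, its gadget frame has
// been navigated to the attacker's site (the recursive mashup attack allows
// this even under the descendant policy). `nameRecipient` selects between
// sending with "*" and sending with the gadget's origin.
function runScenario(nameRecipient) {
  const INTEGRATOR = "https://integrator.example";
  const GADGET = "https://gadget.example";
  const ATTACKER = "https://attacker.example";

  const integrator = new ModelWindow(INTEGRATOR);
  const gadgetFrame = new ModelWindow(GADGET);
  const received = [];

  // Honest gadget's handler, with the authentication check.
  gadgetFrame.addEventListener("message", (e) => {
    const data = acceptFrom(e, INTEGRATOR);
    if (data !== null) received.push({ by: "gadget", data });
  });

  // The frame is navigated away; the document now in it belongs to the attacker.
  gadgetFrame.navigate(ATTACKER);
  gadgetFrame.addEventListener("message", (e) => received.push({ by: "attacker", data: e.data }));

  const delivered = browserPostMessage(
    integrator, gadgetFrame, "session-token-for-gadget", nameRecipient ? GADGET : "*");
  return { delivered, received };
}

console.log("targetOrigin omitted:", JSON.stringify(runScenario(false)));
console.log("targetOrigin named:  ", JSON.stringify(runScenario(true)));
```

One caveat for readers applying this today: in the current HTML standard the second argument is no longer something a sender leaves out to get the permissive behaviour the slide describes; omitting it means "same origin as the caller", and a sender that really wants any recipient has to pass "*" explicitly.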
Related work
Safe subsets of HTML and JavaScript
• This approach requires gadgets to be written in a "safe subset" of HTML and JavaScript
• Writing programs in one of these safe subsets is often awkward
Subspace
• This approach uses a multi-level hierarchy based on the document.domain property
• The descendant frame navigation policy is required to prevent gadget hijacking
MashupOS
Conclusion
All proposals deployed to real users
Frame isolation
• Improved frame navigation policy
Frame communication
• Secured fragment identifier messaging
• Secured new postMessage API
Q&A