
Securing Frame Communication in Browsers

17th USENIX Security Symposium (2008)

2008.11.27

Adam Barth, Collin Jackson, John C. Mitchell

Network & Security Lab, KAIST

Agenda

• Background
• Problem Definition
• Goal & Contribution
• Frame Isolation
• Frame Communication
• Related Work
• Conclusion

Background : Mashup

A Web site combining content from multiple sources
Integrator
• Combines the contents
Gadget
• Integrated content
(Figure: example mashup with gadgets from Google, from NASA and from Daum)

Background : Mashup

Mashups use two methods for implementation
Inserted JavaScript
• The integrator embeds a <script> tag
• The script runs with all of the integrator’s privileges
Iframe element
• Can represent a different principal
• A frame can draw only on its own rectangle

Problem Definition

The frames can contain untrusted content
• Untrusted frames try to access the other frames for malicious actions
Web attacker
• Owns attacker.com
• The user visits attacker.com
Optional assumption
• The attacker gets to embed a malicious gadget on the integrator site

Goal & Contribution

Enhance the security of mashups that include untrusted gadgets
Isolation between frames
• Propose a security policy
Secure frame communication
• Make up for the weak points in existing approaches

Frame Isolation : Navigation Policy

Permissive Policy A frame can navigate any other frame

Cross-Window Attacks

7

Network & Security Lab, KAIST

Frame Isolation : Navigation Policy

Window Policy
• A frame can navigate only frames in its window
• Permits gadget hijacking

Frame Isolation : Navigation Policy

Child Policy
• A frame can navigate only its direct children
• Reduces the policy’s compatibility with existing sites
Descendant Policy
• A frame can navigate only its descendants
• Provides the most attractive trade-off between security and compatibility

Frame Isolation : Navigation Policy

Policy Behavior

Policy       Behavior
Permissive   A frame can navigate any other frame
Window       A frame can navigate only frames in its window
Descendant   A frame can navigate only its descendants
Child        A frame can navigate only its direct children

Frame Isolation : Deployment

Safari
• Apple accepted the authors’ patch implementing the descendant policy
Firefox
• Mozilla accepted the authors’ patch in Firefox 3
Flash
• Adobe agreed to the descendant policy
Opera
• They plan to fix these vulnerabilities

Frame Communication

Some mashups need a communication method for providing rich content
• The fragment identifier channel
• The postMessage channel
Security Properties
• Confidentiality : A message can be read only by its intended recipient
• Authentication : The ability of the recipient to unambiguously determine the sender of a message

Frame Communication : The Fragment Identifier Channel

The fragment identifier: http://aaa.com/#hello
Send short information to another frame using the fragment identifier
• Setting the fragment doesn’t reload the content in the frame
• No network traffic, but the frame can read its own fragment
Figure (Frame 1, Frame 2):
  Sender:   parent.location = "http://aaa.com/#Message_1230483";
  Receiver: setInterval(checkForMessage, 200);

Frame Communication : The Fragment Identifier Channel

Security properties
• Confidentiality : Yes
• Authentication : No
• Not a secure channel
Attempts to build a secure channel over the fragment identifier channel
• Windows Live channel
• Smesh and OpenAjax 1.1

Frame Communication : The Fragment Identifier Channel

Windows Live channel
• The Lowe anomaly can be exploited to impersonate the integrator
Smesh and OpenAjax 1.1

Frame Communication : The Fragment Identifier Channel

Secure Fragment Messaging
• The fragment identifier channel can be secured using a variant of the Needham-Schroeder-Lowe protocol
• The responder must include his identity in the second message of the protocol

Frame Communication : The Fragment Identifier Channel

Adoption
• Microsoft : Windows Live Channels library
• IBM : OpenAjax Hub 1.1

Frame Communication : The postMessage Channel

New API for inter-frame communication in HTML 5
Supported in the latest betas of many browsers
• IE 8, Firefox 3, Safari, Opera
To send a message to another frame, the sender calls the postMessage method
• frames[0].postMessage("Hello world.");
The browser generates a message event in the recipient’s frame
• Contains the message, the origin of the sender, and a JavaScript pointer to the sender’s frame

Frame Communication : The postMessage Channel

Security properties
• Confidentiality : No
• Authentication : Yes
• Not a secure channel
Two types of attack
• Recursive Mashup Attack
• Replay Attack

Frame Communication : The postMessage Channel

Recursive Mashup attack
• The attacker loads the integrator inside a frame
• Can carry out the attack without violating the descendant frame policy
• The attacker hijacks the content of the postMessage
(Figure: Attacker)

Frame Communication : The postMessage Channel

Replay attack
• The attacker embeds the honest gadget in the attacker’s frame
• Can intercept postMessage, even under the child frame policy

Frame Communication : The postMessage Channel

Securing postMessage
• Let the sender specify the recipient
• frames[0].postMessage("hello", "http://gadget.com");
• The argument can be omitted if confidentiality is not required
Adoption
• HTML 5.0, Firefox 3, Safari, IE 8
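Both halves of securing postMessage, as an added Node.js model of the API (not code from the paper or from these slides): the sender names the recipient origin so the browser drops the message if the frame has been navigated elsewhere, and the recipient checks event.origin before trusting the data. The Win class stands in for a browser window, and the origins are assumptions.

```javascript
// Stand-in for a browser window; real code would use window.postMessage and
// window.addEventListener("message", ...). Origins below are assumptions.
class Win {
  constructor(origin) { this.origin = origin; this.listeners = []; this.log = []; }
  addEventListener(type, fn) { if (type === "message") this.listeners.push(fn); }
  // Browser semantics of the second argument: the event is delivered only if
  // the recipient's *current* origin matches targetOrigin ("*" skips the check).
  // If an attacker has navigated the frame elsewhere, the data is dropped.
  postMessage(data, targetOrigin, source) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return false;
    const event = { data, origin: source.origin, source };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// Sender side (confidentiality): name the intended recipient instead of "*".
function sendToGadget(integrator, gadgetFrame, text, gadgetOrigin) {
  return gadgetFrame.postMessage(text, gadgetOrigin, integrator);
}

// Receiver side (authentication): trust event.data only after checking
// event.origin, which the browser fills in and the sender cannot forge.
function installGadgetListener(gadget, integratorOrigin) {
  gadget.addEventListener("message", (event) => {
    if (event.origin !== integratorOrigin) {
      gadget.log.push("rejected from " + event.origin);
      return;
    }
    gadget.log.push("accepted: " + event.data);
  });
}

// Scenario: honest delivery, then the gadget frame navigated away (a real
// navigation would also replace the document and its listeners; the model only
// shows the drop), then an attacker window posting to the gadget.
function scenario() {
  const integrator = new Win("http://integrator.com");
  const gadget = new Win("http://gadget.com");
  const attacker = new Win("http://attacker.com");
  installGadgetListener(gadget, "http://integrator.com");
  const first = sendToGadget(integrator, gadget, "hello", "http://gadget.com");
  gadget.origin = "http://attacker.com";        // frame navigated by attacker
  const second = sendToGadget(integrator, gadget, "secret", "http://gadget.com");
  gadget.origin = "http://gadget.com";
  const third = gadget.postMessage("evil", "*", attacker);
  return { delivered: [first, second, third], log: gadget.log };
}
```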

Related work

Safe subsets of HTML and JavaScript
• This approach requires gadgets to be written in a “safe subset” of HTML and JavaScript
• Writing programs in one of these safe subsets is often awkward
Subspace
• This approach uses a multi-level hierarchy based on the document.domain property
• The descendant frame navigation policy is required to prevent gadget hijacking
MashupOS

Conclusion

All proposals deployed to real users
Frame isolation
• Improved frame navigation policy
Frame communication
• Secured fragment identifier messaging
• Secured the new postMessage API

Q&A