Securing Frame Communication in Browsers
![Page 1: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/1.jpg)
Securing Frame Communication in Browsers
Collin Jackson
Joint work with Adam Barth and John C. Mitchell
![Page 2: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/2.jpg)
Why use frames?
• Modularity
  – Brings together content from multiple sources
  – Client-side aggregation
• Isolation
  – Different frames can represent different principals
  – Can’t script each other
  – Frame can draw only on its own rectangle
  – Easier than sanitization
src = 7.gmodules.com/..., name = remote_iframe_7
src = google.com/…, name = awglogin
![Page 3: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/3.jpg)
Threat Model
• Web attacker
  – Controls attacker.com ($5)
  – Can obtain SSL/TLS certificate for attacker.com ($0)
  – User visits attacker.com
  – Optional additional assumption: Gets to embed a malicious gadget (ad) on integrator site
• Stronger threat models
  – Network attacker: Can inspect or corrupt traffic
  – Malware attacker: Already escaped from the browser
![Page 4: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/4.jpg)
Frame Navigation
• Who decides a frame’s content?
Permissive Policy: A frame can navigate any frame.
![Page 5: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/5.jpg)
Guninski Attack
window.open("https://www.google.com/...")
window.open("https://www.attacker.com/...", "awglogin")
awglogin
![Page 6: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/6.jpg)
Window Policy: A frame can navigate frames in its own window.
![Page 7: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/7.jpg)
Gadget Hijacking
top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...
![Page 8: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/8.jpg)
Gadget Hijacking
![Page 9: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/9.jpg)
Policy Testing
![Page 10: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/10.jpg)
Parent Policy: A frame can navigate its children.
Ancestor Policy: A frame can navigate its descendants.
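
The four policies named on the slides can be compared by modelling frames as a tree and asking which policies permit a given navigation. This is an added example, not code from the talk; the frame model, the helper names and the `.example` origins are assumptions, and only the `awglogin` frame name comes from the slides.

```javascript
// Added example: a model of the four navigation policies, not browser code.
// A frame is { name, origin, parent, children }; a window's top frame has parent === null.
function makeFrame(name, origin, parent = null) {
  const frame = { name, origin, parent, children: [] };
  if (parent) parent.children.push(frame);
  return frame;
}

// Walk up to the top-level frame of the window that contains `frame`.
function topOf(frame) {
  while (frame.parent) frame = frame.parent;
  return frame;
}

// True if `source` appears anywhere on the parent chain of `target`.
function isDescendant(target, source) {
  for (let f = target.parent; f; f = f.parent) {
    if (f === source) return true;
  }
  return false;
}

// Policy names follow the slides.
const POLICIES = {
  permissive: () => true,
  window: (source, target) => topOf(source) === topOf(target),
  parent: (source, target) => target.parent === source,
  ancestor: (source, target) => isDescendant(target, source),
};

function canNavigate(policy, source, target) {
  return POLICIES[policy](source, target);
}

// Constructed scenario: an integrator page holding a login frame and an ad
// gadget, plus a separate window controlled by the web attacker.
const integrator = makeFrame("integrator", "https://integrator.example");
const login = makeFrame("awglogin", "https://login.example", integrator);
const gadget = makeFrame("ad", "https://attacker.example", integrator);
const attackerWindow = makeFrame("attacker", "https://attacker.example");

// List the policies under which `source` may navigate `target`.
function decisions(source, target) {
  return Object.keys(POLICIES).filter((p) => canNavigate(p, source, target));
}
```

Only the permissive policy lets the separate window navigate `awglogin` (the Guninski case), while the window policy still lets the sibling gadget do so (the Gadget Hijacking case); the parent and ancestor policies refuse both.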
![Page 11: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/11.jpg)
Frame Navigation Policies
| Browser | Policy | Propagation |
|---|---|---|
| IE 6 (default) | Permissive | N/A |
| IE 6 (option) | Parent | No |
| IE7 (no Flash) | Ancestor | Yes |
| IE7 (with Flash) | Permissive | N/A |
| Firefox 2 | Window | Sometimes |
| Safari 2 | Permissive | N/A |
![Page 12: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/12.jpg)
Frame Navigation Policies
| Browser | Policy | Propagation |
|---|---|---|
| IE7 (no Flash) | Ancestor | Yes |
| IE7 (with Flash) | Ancestor | Yes |
| Firefox 3 | Ancestor | Yes |
| Safari 3 | Ancestor | Yes |
![Page 13: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/13.jpg)
Frame Communication
![Page 14: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/14.jpg)
Fragment Identifier Messaging
• Send information by navigating a frame
  – http://gadget.com/#hello
• Navigating to fragment doesn’t reload frame
  – No network traffic, but frame can read its fragment
• Not a secure channel
  – Confidentiality
  – Integrity
  – Authentication
![Page 15: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/15.jpg)
Fix: Improve the protocol
• Proposed Needham-Schroeder-Lowe
• Adoption
  – Microsoft: Windows Live Channels library
  – IBM: OpenAjax Hub 1.1
![Page 16: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/16.jpg)
postMessage
• New API for inter-frame communication
• Supported in latest betas of many browsers
• Not a secure channel
  – Confidentiality
  – Integrity
  – Authentication
![Page 17: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/17.jpg)
Reply Attack
![Page 18: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/18.jpg)
Fix: Improve the API
• Let the sender specify the recipient
  – frame[0].postMessage("Hello", "http://gadget.com")
  – Can omit argument if confidentiality not required
• Adoption
  – Firefox 3
  – Internet Explorer 8
  – Safari 3.1
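
Why the recipient argument matters can be seen in a small model of message delivery, where the frame is navigated to another origin before the message is sent. This is an added example, not code from the talk and not the browser API itself: the `Frame` class, the explicit `senderOrigin` parameter (which a real browser fills in for the receiver) and the `.example` origins are assumptions. It also shows the receiver-side origin check.

```javascript
// Added example: a model of postMessage delivery, not the browser API itself.
// A frame holds whichever document it currently displays; navigation swaps it.
class Frame {
  constructor(origin) { this.navigate(origin); }
  navigate(origin) {
    this.origin = origin; // origin of the document now shown in the frame
    this.inbox = [];      // messages seen by that document
  }
  // targetOrigin "*" models omitting the recipient (no confidentiality).
  // senderOrigin stands in for the origin the browser attaches to the message.
  postMessage(data, targetOrigin, senderOrigin) {
    if (targetOrigin !== "*" && targetOrigin !== this.origin) return false;
    this.inbox.push({ data, origin: senderOrigin });
    return true;
  }
}

// Receiver side: keep only messages whose reported origin is trusted.
function acceptTrusted(frame, trustedOrigin) {
  return frame.inbox
    .filter((m) => m.origin === trustedOrigin)
    .map((m) => m.data);
}

const INTEGRATOR = "https://integrator.example"; // constructed origin
const GADGET = "http://gadget.com";              // origin used on the slide
const ATTACKER = "https://attacker.example";     // constructed origin

// The frame is navigated away before the integrator sends its message.
function sendAfterNavigation(targetOrigin) {
  const frame = new Frame(GADGET);
  frame.navigate(ATTACKER);
  const delivered = frame.postMessage("Hello", targetOrigin, INTEGRATOR);
  return { delivered, reader: delivered ? frame.origin : null };
}

// A message from an untrusted origin reaches the gadget but is filtered out.
function receiveWithForgery() {
  const frame = new Frame(GADGET);
  frame.postMessage("forged", GADGET, ATTACKER);
  frame.postMessage("Hello", GADGET, INTEGRATOR);
  return acceptTrusted(frame, INTEGRATOR);
}
```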
![Page 19: Securing Frame Communication in Browsers](https://reader035.vdocument.in/reader035/viewer/2022062810/56815b74550346895dc96eeb/html5/thumbnails/19.jpg)
Conclusion
• All proposals deployed to real users
• Frame isolation
  – Improved frame navigation policy
    • Fixed Guninski and Gadget Hijacking
  – Drive-by-downloads still a concern…
• Frame communication
  – Secured fragment identifier messaging
  – Secured new postMessage API