Towards a Formal Foundation of Web Security
TRANSCRIPT
Page 1
Towards a Formal Foundation of Web Security
devdatta akhawe / adam barth / peifung eric lam / john mitchell / dawn song
Page 2
motivation
the web is interesting
web security is hard
formalization will help
Page 3
informed abstract models
of the web platform
will be amenable to automation,
reveal practical attacks
and support useful evaluation of
alternate designs.
Page 4
web security 101
abstract model
alloy implementation
case studies
Page 5
The complete isolation that SOP provides is too coarse for modern applications.
Browsers handle code + documents from multiple sources and need to ensure integrity and confidentiality.
The security of the whole system is a global property based on invariants at all three components.
[Diagram: User, Web Browser (robber.com, bank.com) and Network (robber.com, bank.com), with a same origin event and a cross origin event]
Same Origin Policy – code from different websites or “origins” shouldn’t interfere
Page 6
web security 101
abstract model
alloy implementation
case studies
Page 7
The security of the whole system is a global property based on invariants at all three components
[Diagram: User, Web Browser (robber.com, bank.com) and Network (robber.com, bank.com)]
User – Simple model of user: not confused and follows security indicators
Web Browser
Network
Page 8
network / browser
threats / goals
Page 9
Script Context
• The sandbox in which code runs
• What are the semantics of the isolation? Origin, path, http(s)?
User Interface
• Location bar, http(s), lock icon
• Who decides what is shown?
State Storage
• Stored passwords/cookies
• When to send them?
Page 10
network / browser
threats / goals
Page 11
network requests
• Connected to network
• May break specification (esp. attacker)
• Many to many relationship with DNS servers
http
• HTTP methods, status codes, headers
• Integrity – some headers/methods determined by attacker
• Different APIs with specific constraints
• For example, XHR works only same-origin, forms only allow GET/POST
Page 12
network / browser
threats / goals
Page 13
threat model hierarchy
web attacker
• robber.com
• browser APIs only
• Malicious person with his own site
• No special network privileges
• Key threat model
gadget attacker
• can inject limited form of content
• comments on a blog
network attacker
• can modify network traffic
• except encrypted content
Note that any protocol not over HTTPS can be easily subverted by the network attacker
Page 14
network / browser
threats / goals
Page 15
security goals
• Session integrity
– Any action that an honest server takes should not be directly/indirectly caused by a dishonest/untrusted principal
– A request caused by robber.com shouldn’t reduce money in my bank account
• Don’t break web invariants
– Do not increase attack surface of benign applications
– For example, currently cross-origin DELETE/PUT requests with ambient authorization (cookies) aren’t allowed
Page 16
web security 101
abstract model
alloy implementation
case studies
Page 17
Alloy
• An object modeling language
• Executable model eased development
• Bounded model checker
• Translates predicates to SAT instances
• Easy visualization of counterexamples
Page 18
metamodel
Page 19
session integrity

```alloy
// a function that for a given transaction
// tells the list of servers involved in causing it
fun involvedServers[t:HTTPTransaction]:set NetworkEndpoint{
  // the ScriptContext origin
  getTransactionOwner[t].servers
  // get list of servers involved in redirect chain
  + (t.*cause & HTTPTransaction).resp.from
}

pred webAttackerInCausalChain[t:HTTPTransaction]{
  // see if WebAttacker controlled server in set of involved
  some (WEBATTACKER.servers & involvedServers[t])
}
```
Page 20
web security 101
abstract model
alloy implementation
case studies
Page 21
case studies

| Name | Type of vulnerability | Previously |
| --- | --- | --- |
| Origin Header | integrity violation | known |
| Cross Origin Resource Sharing | breaks invariant | known |
| HTML5 Form | breaks invariant | unknown |
| Referer Validation | integrity violation | unknown |
| WebAuth | session fixation | unknown |
Page 22
case studies
• HTML5 Form vulnerability
– Extremely simple vulnerability
– Missed completely by many experts until our study
• Referer Validation vulnerability
– Past verification not detailed enough
• WebAuth vulnerability
– More complicated
– Hard to find without such analysis
Page 23
HTML5 Form
Page 24
[Diagram: a page at robber.com submitting forms to robber.com and to bank.com. HTML4 labels: GET/POST. HTML5 labels: GET/POST, DELETE, PUT]
Page 25
the attack
Page 26
[Diagram (HTML5): a page at robber.com sends a PUT to robber.com; robber.com answers with a cross origin redirect to bank.com; the PUT (???) arrives at bank.com]
“Don’t break web invariants” violated
Fix is to disable cross-origin redirects for special methods; model doesn’t find any error after fix
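The redirect problem and its fix, as an added executable model written for this transcript (it is not the authors' Alloy model). robber.com answering every request with a redirect to bank.com, and the rule that a form may submit PUT/DELETE only to its own origin, are assumptions; `may_redirect` encodes the browser policy before and after the fix on the slide.

```python
# Constructed model (not the authors' Alloy model) of the HTML5 form finding on
# these slides: a form at robber.com submits a PUT to robber.com, and robber.com
# answers with a cross-origin redirect to bank.com.  The server behaviour and the
# rule that a form may only submit PUT/DELETE same-origin are assumptions.
SPECIAL_METHODS = {"PUT", "DELETE"}
REDIRECTS = {"robber.com": "bank.com"}  # constructed: robber.com redirects everything


def may_redirect(method, current, target, fixed):
    """Browser policy for following a redirect of a `method` request from
    `current` to `target`.  The original policy always follows; the fix on the
    slide refuses cross-origin redirects for the special methods."""
    if not fixed:
        return True
    return current == target or method not in SPECIAL_METHODS


def submit_form(page_origin, method, target, fixed):
    """Return the (method, destination) hops the browser actually sends, or []
    if the submission is refused outright (assumed: PUT/DELETE only same-origin)."""
    if method in SPECIAL_METHODS and target != page_origin:
        return []
    hops = [(method, target)]
    current = target
    while current in REDIRECTS:
        nxt = REDIRECTS[current]
        if not may_redirect(method, current, nxt, fixed):
            break
        hops.append((method, nxt))
        current = nxt
    return hops


def breaks_web_invariant(page_origin, hops):
    """'Don't break web invariants': no cross-origin DELETE/PUT with ambient
    authorization.  Every hop here carries cookies, so any cross-origin
    special-method hop counts as a violation."""
    return any(m in SPECIAL_METHODS and dest != page_origin for m, dest in hops)
```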
Page 27
alloy counterexample (actual snapshot)
Page 28
Referer Validation
Page 29
WebAuth
Page 30
WebAuth
• Single sign on solution at Stanford
– called CalNet at Berkeley
– also common in other academic institutions
• Single sign on: one password to rule them all
– Provides a service similar to Kerberos, but on the web
• At least two parties other than the user
– The single sign on provider (WebAuth Server)
– The application, e.g. library services
Page 31
[Diagram: WebAuth login flow between the user’s browser, the Application and the WebAuth Server]
1. GET Secret (to Application)
2. Access Denied! Login at WebAuth (redirect)
3. login form (from WebAuth Server)
4. Username / Password
5. Username/Password ok! Redirect to App with identifier key
6. Identifier Key (to Application): Run Crypto Checks on Identifier sent
7. Send Secret and Set Cookie identifying user for future
This completes the login procedure
Page 32
the attack
Page 33
[Diagram: the attack, with an attacker and a benign user both interacting with the Application and the WebAuth Server]
attacker: GET secret → Access Denied! Login at WebAuth (redirect) → login form → Attacker’s credentials (Username / Password) → Username/Password ok! Redirect to App with identifier key → BLOCK and save link
attacker → benign user: Send the link
benign user: Follow link → Application: Run Crypto Checks on Identifier sent → Set cookie identifying user as ATTACKER (cookie that identifies attacker)
Is this really that bad?
Page 34
why this is bad
• At UC Berkeley, I pay my bills via a service that uses CalNet
• Could be fooled into paying someone else’s bill
• Fix is to add a nonce to ensure that the application remembers context – model fails to find attack after fix
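The session fixation from the previous slides and the nonce fix, as an added simulation written for this transcript (it is not the real WebAuth or CalNet code). The shared key between application and WebAuth server, the `user|nonce|tag` identifier key layout, and the credential table are assumptions; with `use_nonce=True` the application stores a fresh nonce in the browser that started the login and accepts an identifier key only if it carries that nonce.

```python
import hashlib
import hmac
import secrets

# Constructed simulation of the WebAuth single sign-on flow on the slides, not the
# real WebAuth/CalNet code.  Shared key, key layout and credentials are assumptions.
SHARED_KEY = b"assumed-app-webauth-key"
CREDENTIALS = {"attacker": "attacker-pw", "alice": "alice-pw"}  # constructed

def sign(user, nonce):
    return hmac.new(SHARED_KEY, f"{user}|{nonce}".encode(), hashlib.sha256).hexdigest()

def webauth_login(username, password, nonce):
    """WebAuth server: 'Username/Password ok! Redirect to App with identifier key'."""
    if CREDENTIALS.get(username) != password:
        return None
    return f"{username}|{nonce}|{sign(username, nonce)}"

def app_start_login(cookies, use_nonce):
    """Application: 'Access Denied! Login at WebAuth (redirect)'.  The fixed variant
    stores a fresh nonce in this browser's cookie jar and sends it along."""
    nonce = secrets.token_hex(8) if use_nonce else ""
    if use_nonce:
        cookies["login_nonce"] = nonce
    return nonce

def app_finish_login(cookies, identifier_key, use_nonce):
    """Application: 'Run Crypto Checks on Identifier sent', then set the cookie."""
    user, nonce, tag = identifier_key.split("|")
    if not hmac.compare_digest(tag, sign(user, nonce)):
        return False
    if use_nonce and nonce != cookies.get("login_nonce"):
        return False  # key was minted for a login started in another browser
    cookies["session"] = user
    return True

def session_fixation(use_nonce):
    """The slide's attack: attacker logs in, blocks the final redirect, saves the link
    and sends it to a benign user.  Returns whom that user's browser is logged in as."""
    attacker_jar, victim_jar = {}, {}
    link = webauth_login("attacker", "attacker-pw", app_start_login(attacker_jar, use_nonce))
    app_finish_login(victim_jar, link, use_nonce)
    return victim_jar.get("session")

def honest_login(use_nonce):
    """alice logs in from her own browser; the fix must not break this."""
    jar = {}
    link = webauth_login("alice", "alice-pw", app_start_login(jar, use_nonce))
    app_finish_login(jar, link, use_nonce)
    return jar.get("session")
```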
Page 35
conclusion
Page 36
informed abstract models
of the web platform
will be amenable to automation,
reveal practical attacks
and support useful evaluation of
alternate designs.
Page 37
images from sxc.hu
http://bit.ly/csf10-websec
thank you