Web Browser Security
John Mitchell
CS 155 Spring 2006



Page 2: Course Schedule
Projects
  Proj 1: Assigned April 11, Due April 27
  Proj 2: Assigned May 2, Due May 18
  Proj 3: Assigned May 18, Due June 8
  No Late Days
Homework
  HW 1: Assigned April 20, Due May 4
  HW 2: Assigned May 11, Due May 25
  HW 3: no HW3 this year

Page 5: Outline
Browser review
  Bugs happen
  HTTP, scripts, events, DOM
  Session state and cookies
Protecting the browser environment
  Execution sandbox
  Access policies, signed scripts
Privacy and confidentiality for sensitive information
  Protecting the file system, OS, platform
  Protecting information associated with other browser processes (e.g., other windows)
  Protecting the user against deception
  Protecting against traffic analysis

Page 6: Browser and Network
(Figure: the browser runs on the OS and hardware and exchanges request/reply messages with a web site over the network)
Browser sends requests
  May reveal private information (in forms, cookies)
Browser receives information, code
  May corrupt state by running unsafe code
Interaction susceptible to network attacks
  Consider network security later in the course

Page 7: Microsoft Issues New IE Browser Security Patch
By Richard Karpinski, Tuesday, February 12, 2002
Microsoft has released a security patch that closes some major holes in its Internet Explorer browser. The so-called "cumulative patch" fixes six different IE problems ... Affected browsers include Internet Explorer 5.01, 5.5 and 6.0. Microsoft rated the potential security breaches as "critical."

Page 8: Feb 2002 patch addresses
  A buffer overrun associated with an HTML directive ... Hackers could use this breach to run malicious code on a user's system.
  A scripting vulnerability that would let an attacker read files on a user's system.
  A vulnerability related to the display of file names ... Hackers could … misrepresent the name of a file ... and trick a user into downloading an unsafe file.
  A vulnerability that would allow a Web page to improperly invoke an application installed on a user's system to open a file on a Web site.
  … more …
MS announced 20 vulnerabilities on April 13, 2004 !!!

Page 9: And then again last year, …
Windows Security Updates Summary for April 2005. Published: April 12, 2005
A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

Page 10: Microsoft Security Bulletin MS06-013, April 2006

Page 11: Browser security topics
Review HTTP, scripting
Controlling outgoing information
  Cookies: cookie mechanism, JunkBuster
  Routing privacy: Anonymizer, Crowds
  Privacy policy: P3P
Risks from incoming executable code
  JavaScript, ActiveX, plug-ins, Java

Page 12: HyperText Transfer Protocol (HTTP)
Used to request and return data
  Methods: GET, POST, HEAD, …
Stateless request/response protocol
  Each request is independent of previous requests
  Statelessness has a significant impact on design and implementation of applications
Evolution
  HTTP 1.0: simple
  HTTP 1.1: more complex

Page 13: HTTP Request

    GET /default.asp HTTP/1.0
    Accept: image/gif, image/x-bitmap, image/jpeg, */*
    Accept-Language: en
    User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
    Connection: Keep-Alive
    If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT

Request line: method, file, HTTP version. Then headers, a blank line, and data (none for GET).

Page 14: HTTP Response

    HTTP/1.0 200 OK
    Date: Sun, 21 Apr 1996 02:20:42 GMT
    Server: Microsoft-Internet-Information-Server/5.0
    Connection: keep-alive
    Content-Type: text/html
    Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
    Content-Length: 2543

    <HTML> Some data... blah, blah, blah </HTML>

Status line: HTTP version, status code, reason phrase. Then headers, a blank line, and data.
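A strict parser for the two HTTP/1.0 messages on the request and response slides, added here as an example (it is not from the lecture and not any browser's or server's code). The two sample messages are constructed inline; the response body and Content-Length are made consistent, and ASCII bodies are assumed so that string length equals byte length. The Content-Length handling shows the check a practitioner wants: a duplicated Content-Length is refused rather than guessed, and a body shorter than the declared length is an error.

```javascript
// Added example, not part of the lecture slides: a strict parser for the
// HTTP/1.0 request and response shown on the preceding two slides.
// Sample messages are constructed here; ASCII bodies are assumed.

const CRLF = "\r\n";

const SAMPLE_REQUEST = [
  "GET /default.asp HTTP/1.0",
  "Accept: image/gif, image/x-bitmap, image/jpeg, */*",
  "Accept-Language: en",
  "User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
  "Connection: Keep-Alive",
  "If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT",
  "", "",                       // blank line ends the headers; GET carries no body
].join(CRLF);

const SAMPLE_BODY = "<HTML> Some data... blah, blah, blah </HTML>";
const SAMPLE_RESPONSE = [
  "HTTP/1.0 200 OK",
  "Date: Sun, 21 Apr 1996 02:20:42 GMT",
  "Server: Microsoft-Internet-Information-Server/5.0",
  "Connection: keep-alive",
  "Content-Type: text/html",
  "Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT",
  "Content-Length: " + SAMPLE_BODY.length,   // consistent with the constructed body
  "", SAMPLE_BODY,
].join(CRLF);

function parseHttpMessage(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  if (sep < 0) throw new Error("no blank line terminating the headers");
  const lines = raw.slice(0, sep).split(CRLF);
  const body = raw.slice(sep + 4);

  const headers = Object.create(null);       // no prototype: a "constructor" header cannot collide
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon <= 0) throw new Error("malformed header line: " + JSON.stringify(line));
    const name = line.slice(0, colon).trim().toLowerCase();   // header names are case-insensitive
    const value = line.slice(colon + 1).trim();
    if (name in headers) {
      // Two Content-Length values is the classic request-smuggling ambiguity: refuse it.
      if (name === "content-length") throw new Error("duplicate Content-Length");
      headers[name] += ", " + value;         // other repeated headers combine as a list
    } else {
      headers[name] = value;
    }
  }

  const resp = /^HTTP\/(\d\.\d) (\d{3}) ?(.*)$/.exec(lines[0]);
  const req = /^([A-Z]+) (\S+) HTTP\/(\d\.\d)$/.exec(lines[0]);
  let msg;
  if (resp) msg = { kind: "response", version: resp[1], status: Number(resp[2]), reason: resp[3], headers };
  else if (req) msg = { kind: "request", method: req[1], target: req[2], version: req[3], headers };
  else throw new Error("unrecognised start line: " + lines[0]);

  if ("content-length" in headers) {
    if (!/^\d+$/.test(headers["content-length"])) throw new Error("bad Content-Length");
    const n = Number(headers["content-length"]);
    if (body.length < n) throw new Error("body shorter than Content-Length");
    msg.body = body.slice(0, n);             // anything past the declared length is not this message
  } else {
    msg.body = body;
  }
  return msg;
}

// HTTP/1.0 closes the connection unless Keep-Alive was negotiated; HTTP/1.1
// keeps it open unless "Connection: close" is sent. This is one of the
// "more complex" 1.1 differences the HTTP slide alludes to.
function keepsConnectionOpen(msg) {
  const conn = (msg.headers.connection || "").toLowerCase();
  return msg.version === "1.0" ? conn === "keep-alive" : conn !== "close";
}
```

Run `parseHttpMessage(SAMPLE_REQUEST)` and `parseHttpMessage(SAMPLE_RESPONSE)` to see the parsed structures; the parser accepts only what the start line and header grammar allow, which is the behaviour a proxy or server front end needs before it interprets anything else in the message.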

Page 15: HTTP Server Status Codes

    Code  Description
    200   OK
    201   Created
    301   Moved Permanently
    302   Moved Temporarily
    400   Bad Request (not understood)
    401   Unauthorized
    403   Forbidden (not authorized)
    404   Not Found
    500   Internal Server Error

Return code 401 is used to indicate HTTP authorization. HTTP authorization has serious problems!!!

Page 16: HTML and Scripting

    <html>
    …
    <P>
    <script>
      var num1, num2, sum
      num1 = prompt("Enter first number")
      num2 = prompt("Enter second number")
      sum = parseInt(num1, 10) + parseInt(num2, 10)   // explicit radix: older engines parsed a leading zero as octal
      alert("Sum = " + sum)
    </script>
    …
    </html>

Browser receives content, displays HTML and executes scripts

Page 17: Events

    <script type="text/javascript">
      function whichButton(event) {
        // IE's event model numbers the left button 1; in the W3C DOM model the left button is 0
        if (event.button == 1) {
          alert("You clicked the left mouse button!")
        } else {
          alert("You clicked the right mouse button!")
        }
      }
    </script>
    …
    <body onmousedown="whichButton(event)">
    …
    </body>

Mouse event causes page-defined function to be called
Other events: onLoad, onMouseMove, onKeyPress, onUnLoad

Page 18: Document object model (DOM)
Object-oriented interface used to read and write documents
  A web page in HTML is structured data; the DOM provides a representation of this hierarchy
Examples
  Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
  Methods: document.write(document.referrer)
Also Browser Object Model (BOM)
  Window, Document, Frames[ ], History, Location, Navigator (type and version of browser)

Page 19: Need for session state
(Figure: three steps of a shopping session)
  www.e_buy.com  -->  View Catalog  -->  www.e_buy.com/shopping.cfm?pID=269
  Select Item    -->  www.e_buy.com/shopping.cfm?pID=269&item1=102030405
  Check out      -->  www.e_buy.com/checkout.cfm?pID=269&item1=102030405
Store session information in URL; easily read on network

Page 20: Store info across sessions?
Cookies: a cookie is a file created by an Internet site to store information on your computer
(Figure: the browser enters form data and the server stores a cookie; later the server requests the cookie and the browser returns the data)
HTTP is a stateless protocol; cookies add state

Page 21: Cookie
A named string stored by the browser
Accessible as property of the Document object
Can be read and written entirely on client side using JavaScript
Accessibility
  persists for the duration of the browser session (but an expiration date may be given)
  is associated with the subtree of the document that created it (but a cookie path may be specified)
  is accessible to pages on the server that created it (but a cookie domain may be declared)
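The three scoping rules above, worked through as a toy cookie jar. This is an added example, not code from the lecture or from any browser: it models session versus expiring cookies, the default path, Path and Domain widening (and the rejection of a Domain the setting host is not inside), and adds the Secure and HttpOnly attributes, which the 2006 slides do not cover but which every current browser enforces. Host names, cookie names and times in demo() are constructed; the public-suffix check real browsers apply (refusing Domain=com) is left out.

```javascript
// Added example, not from the slides: a toy cookie jar applying the scoping
// rules listed above plus Secure and HttpOnly. Hosts, names and times in
// demo() are constructed for the walk-through.

function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function defaultPath(requestPath) {
  // Default scope is the request path up to (not including) its last "/".
  const i = requestPath.lastIndexOf("/");
  return i <= 0 ? "/" : requestPath.slice(0, i);
}

function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Parse one Set-Cookie header received from host `fromHost` at `fromPath`.
// Returns null when the cookie must be rejected.
function parseSetCookie(header, fromHost, fromPath, now) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) return null;
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: fromHost, hostOnly: true, path: defaultPath(fromPath),
              expires: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain": {
        const d = v.replace(/^\./, "").toLowerCase();
        if (!domainMatches(fromHost, d)) return null;   // may only widen to a parent of the setter
        c.domain = d; c.hostOnly = false; break;
      }
      case "path":     if (v.startsWith("/")) c.path = v; break;
      case "expires":  c.expires = Date.parse(v); break;
      case "max-age":  c.expires = now + Number(v) * 1000; break;
      case "secure":   c.secure = true; break;
      case "httponly": c.httpOnly = true; break;
    }
  }
  return c;
}

class CookieJar {
  constructor() { this.cookies = []; }

  setCookie(header, url, now = Date.now()) {
    const u = new URL(url);
    const c = parseSetCookie(header, u.hostname.toLowerCase(), u.pathname, now);
    if (!c) return false;
    // Same (name, domain, path) replaces the stored cookie.
    this.cookies = this.cookies.filter(o => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c);
    return true;
  }

  matching(url, now) {
    const u = new URL(url), host = u.hostname.toLowerCase();
    return this.cookies.filter(c =>
      (c.expires === null || c.expires > now) &&
      (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)) &&
      pathMatches(u.pathname, c.path) &&
      (!c.secure || u.protocol === "https:"));
  }

  // Contents of the Cookie: request header the browser would send.
  cookieHeaderFor(url, now = Date.now()) {
    return this.matching(url, now).map(c => `${c.name}=${c.value}`).join("; ");
  }

  // What a script reads from document.cookie: HttpOnly cookies are hidden.
  documentCookie(url, now = Date.now()) {
    return this.matching(url, now).filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join("; ");
  }

  // Quitting the browser drops temporary (session) cookies.
  endSession(now = Date.now()) {
    this.cookies = this.cookies.filter(c => c.expires !== null && c.expires > now);
  }
}

// Constructed walk-through on a shop like the e-buy.com example.
function demo() {
  const jar = new CookieJar();
  const t0 = Date.parse("2006-04-01T00:00:00Z");
  jar.setCookie("sid=abc123; Path=/; HttpOnly", "http://www.e-buy.com/shopping.cfm", t0);
  jar.setCookie("track=xyz; Domain=e-buy.com; Max-Age=86400", "http://www.e-buy.com/", t0);
  const rejected = !jar.setCookie("evil=1; Domain=other.com", "http://www.e-buy.com/", t0);
  const result = {
    rejected,
    header: jar.cookieHeaderFor("http://www.e-buy.com/checkout.cfm", t0),
    script: jar.documentCookie("http://www.e-buy.com/checkout.cfm", t0),
    sub:    jar.cookieHeaderFor("http://ads.e-buy.com/x", t0),
    later:  jar.cookieHeaderFor("http://www.e-buy.com/", t0 + 2 * 86400 * 1000),
  };
  jar.endSession(t0);
  result.afterQuit = jar.cookieHeaderFor("http://www.e-buy.com/", t0);
  return result;
}
```

demo() shows the session cookie reaching the server but not document.cookie (HttpOnly), the Domain cookie reaching a sibling host, the Max-Age cookie expiring, and the Domain=other.com cookie being refused outright.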

Page 22: Browser security risks
Compromise host
  Write to file system
  Interfere with other processes in browser environment
Steal information
  Read file system
  Read information associated with other browser processes (e.g., other windows)
Fool the user
Reveal information through traffic analysis

Page 23: Browser sandbox
Idea
  Code executed in browser has only restricted access to OS, network, and browser data structures
Isolation
  Similar to OS process isolation, conceptually
  Browser is a "weak" OS
  Same-origin principle
    Browser "process" consists of related pages and the site they come from

Page 24: Same-Origin Principle
Basic idea
  Only the site that stores some information in the browser may later read or modify that information (or depend on it in any way).
Details
  What is a "site"? URL, domain, pages from same site … ?
  What is "information"? Cookies, document object, cache, … ?
  Default only: users can set other policies
  No way to keep sites from sharing information

Page 25: Java
General programming language
Web pages may contain Java code
Java executed by Java Virtual Machine
Special security measures associated with Java code from remote URLs
JavaScript and other security models are based on the Java security model

Page 26: Java Applet
(Figure: an airline seat-selection applet. Download: seat map, airline data. Local window and local data: user profile, credit card. Transmission: selected seat, encrypted message)

Page 27: Mobile code security mechanisms
Examine code before executing
  Java bytecode verifier performs critical tests
Interpret code and trap risky operations
  Java bytecode interpreter does run-time tests
  Security manager applies local access policy
Security manager policy based on
  Site that supplied the code
  Code signing: who signed it?

Page 28: Web Browser Security

A.classA.java JavaCompiler

B.class

Loader

Verifier

Linker

Bytecode Interpreter

Java Virtual Machine

Compile source code

Network

Java Virtual Machine Architecture

Page 29: Class loader
Runtime system loads classes as needed
  When class is referenced, loader searches for file of compiled bytecode instructions
Default loading mechanism can be replaced
  Define alternate ClassLoader object
  Extend the abstract ClassLoader class and implementation
  Can obtain bytecode from network
VM restricts applet communication to site that supplied applet

Page 30: Verifier
Bytecode may not come from standard compiler
  Evil hacker may write dangerous bytecode
Verifier checks correctness of bytecode
  Every instruction must have a valid operation code
  Every branch instruction must branch to the start of some other instruction, not the middle of an instruction
  Every method must have a structurally correct signature
  Every instruction obeys the Java type discipline
Last condition is fairly complicated.

Page 31: Type Safety of JVM
Load-time type checking
Run-time type checking
  All casts are checked to make sure type safe
  All array references are checked to be within bounds
  References are tested to be not null before dereference
Additional features
  Automatic garbage collection
  NO pointer arithmetic
If program accesses memory, the memory is allocated to the program and declared with correct type

Page 32: How do we know verifier is correct?
Many early attacks based on verifier errors
Formal studies prove correctness
  Abadi and Stata
  Freund and Mitchell
    Found error in initialize-before-use analysis

Page 33: JVM uses stack machine
Java

    class A extends Object {
      int i;
      void f(int val) { i = val + 1; }
    }

Bytecode

    Method void f(int)
      aload_0        ; object ref this
      iload_1        ; int val
      iconst_1
      iadd           ; add val + 1
      putfield #4    <Field int i>
      return

(Figure: JVM activation record with local variables, operand stack and a data area holding the return address, exception info and constant pool resolution; putfield #4 refers to the constant pool)
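The verifier's four conditions from the Verifier slide, applied to the bytecode of f(int) above, as an added example: this is a toy written for the lecture notes, not the JVM's verifier. It uses a handful of real JVM opcodes, computes instruction boundaries, rejects branches that land inside an instruction, and runs an abstract interpretation over operand-stack types that must agree at every join point. The type lattice is just "int" and "ref", putfield is assumed to store an int (the slide's field i), and the "evil" sequences that no compiler would emit are constructed for the demonstration.

```javascript
// Added example, not the JVM's verifier: a toy bytecode verifier for a few
// real JVM opcodes, applying the checks listed on the verifier slide.
// Types are just "int" and "ref"; putfield is assumed to store an int.

class VerifyError extends Error {}

function need(actual, wanted) {
  if (actual !== wanted) throw new VerifyError(`local holds ${actual}, not ${wanted}`);
  return wanted;
}

// opcode -> { len,  pop: types popped (top first),  push: types pushed,  flags }
const OPS = {
  0x04: { name: "iconst_1", len: 1, pop: [],             push: () => ["int"] },
  0x10: { name: "bipush",   len: 2, pop: [],             push: () => ["int"] },
  0x1a: { name: "iload_0",  len: 1, pop: [],             push: l => [need(l[0], "int")] },
  0x1b: { name: "iload_1",  len: 1, pop: [],             push: l => [need(l[1], "int")] },
  0x2a: { name: "aload_0",  len: 1, pop: [],             push: l => [need(l[0], "ref")] },
  0x57: { name: "pop",      len: 1, pop: ["any"],        push: () => [] },
  0x60: { name: "iadd",     len: 1, pop: ["int", "int"], push: () => ["int"] },
  0x99: { name: "ifeq",     len: 3, pop: ["int"],        push: () => [], branch: true },
  0xa7: { name: "goto",     len: 3, pop: [],             push: () => [], branch: true, jump: true },
  0xac: { name: "ireturn",  len: 1, pop: ["int"],        push: () => [], end: true },
  0xb1: { name: "return",   len: 1, pop: [],             push: () => [], end: true },
  0xb5: { name: "putfield", len: 3, pop: ["int", "ref"], push: () => [] },
};

function verify(code, locals, maxStack) {
  if (!code.length) throw new VerifyError("empty code");
  // Pass 1: every opcode is known, and instruction boundaries are recorded.
  const starts = new Set();
  for (let pc = 0; pc < code.length; ) {
    const op = OPS[code[pc]];
    if (!op) throw new VerifyError(`invalid opcode 0x${code[pc].toString(16)} at ${pc}`);
    if (pc + op.len > code.length) throw new VerifyError(`truncated instruction at ${pc}`);
    starts.add(pc);
    pc += op.len;
  }
  // Pass 2: abstract interpretation over stack *types*, one state per pc.
  const seen = new Map();
  const work = [[0, []]];
  while (work.length) {
    const [pc, stackIn] = work.pop();
    const key = stackIn.join(",");
    if (seen.has(pc)) {
      if (seen.get(pc) !== key) throw new VerifyError(`inconsistent stack at ${pc}: [${seen.get(pc)}] vs [${key}]`);
      continue;
    }
    seen.set(pc, key);
    const op = OPS[code[pc]];
    const stack = stackIn.slice();
    for (const want of op.pop) {
      if (!stack.length) throw new VerifyError(`stack underflow at ${pc} (${op.name})`);
      const got = stack.pop();
      if (want !== "any" && got !== want) throw new VerifyError(`${op.name} at ${pc} expects ${want}, stack has ${got}`);
    }
    stack.push(...op.push(locals));
    if (stack.length > maxStack) throw new VerifyError(`operand stack overflow at ${pc}`);
    if (op.end) continue;
    const next = [];
    if (op.branch) {
      const target = pc + (((code[pc + 1] << 8) | code[pc + 2]) << 16 >> 16);   // signed 16-bit offset
      if (!starts.has(target)) throw new VerifyError(`branch at ${pc} targets ${target}, the middle of an instruction or outside the code`);
      next.push(target);
    }
    if (!op.jump) next.push(pc + op.len);
    for (const s of next) {
      if (s >= code.length) throw new VerifyError(`execution falls off the end after ${pc}`);
      work.push([s, stack]);
    }
  }
  return true;
}

// Returns "ok" or the verifier's complaint. Default locals: this (ref), val (int).
function check(code, locals = ["ref", "int"], maxStack = 3) {
  try { verify(code, locals, maxStack); return "ok"; }
  catch (e) { if (e instanceof VerifyError) return e.message; throw e; }
}

// The slide's method, void f(int val) { i = val + 1; }:
//   aload_0 iload_1 iconst_1 iadd putfield #4 return
const F_CODE = [0x2a, 0x1b, 0x04, 0x60, 0xb5, 0x00, 0x04, 0xb1];
// Constructed bytecode no compiler would emit:
const TYPE_CONFUSED   = [0x2a, 0x2a, 0x60, 0xb1];                     // iadd on two refs
const MID_INSTRUCTION = [0x04, 0x99, 0x00, 0x04, 0x10, 0x07, 0xb1];   // ifeq jumps into bipush's operand
const JOIN_MISMATCH   = [0x04, 0x99, 0x00, 0x04, 0x04, 0xb1];         // return reached with 0 or 1 ints
const BAD_OPCODE      = [0x2a, 0xff, 0xb1];
```

check(F_CODE) returns "ok"; each of the constructed sequences returns the message naming the violated condition. The join-point check is the part that makes "every instruction obeys the type discipline" expensive in the real verifier: the state must be merged, not just compared, once the lattice has more than two types.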

Page 34: Java Object Initialization
No easy pattern to match.
Multiple refs to same uninitialized object.

Page 35: Bug in Sun's JDK 1.1.4
Example: variables 1 and 2 contain references to two different objects; verifier thinks they are aliases

Page 36: Security Manager
Java library functions call security manager
Security manager object answers at run time
  Decide if calling code is allowed to do operation
  Examine protection domain of calling class
    Signer: organization that signed code before loading
    Location: URL where the Java classes came from
  Uses the system policy to decide access permission

Page 37: Stack Inspection
Permission depends on
  Permission of calling method
  Permission of all methods above it on stack
  Up to method that is trusted and asserts this trust
Many details omitted
(Figure: call stack with java.io.FileInputStream on top of method f, method g, method h)
Stories: Netscape font / passwd bug; Shockwave plug-in
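The stack-inspection rule above as a runnable model, added here as an example; it is not from the lecture and not the java.security API. The domain names, permission strings and the "privileged" flag stand in for ProtectionDomain, Permission and AccessController.doPrivileged. The scenarios follow the figure: an applet method h calls a signed-library method g, which calls into java.io.FileInputStream.

```javascript
// Added example, not from the lecture: a toy model of stack inspection.
// Frames are listed oldest first; the most recent call is the last entry.
// Domains, permission names and the privileged flag are this example's own.

const DOMAINS = {
  system:   new Set(["file.read", "file.write", "net.connect"]),  // trusted local classes
  signedCo: new Set(["file.read"]),                                // signed code, granted read only
  applet:   new Set([]),                                           // unsigned code from the network
};

// A permission request made by the most recent frame. Walk toward the
// oldest frame; every frame must hold the permission until a frame that
// asserted privilege is reached, which takes responsibility for the request.
function checkPermission(stack, perm) {
  for (let i = stack.length - 1; i >= 0; i--) {
    const frame = stack[i];
    const perms = DOMAINS[frame.domain];
    if (!perms) throw new Error(`unknown protection domain ${frame.domain}`);
    if (!perms.has(perm)) return { granted: false, deniedBy: frame.method };
    if (frame.privileged) return { granted: true, stoppedAt: frame.method };
  }
  return { granted: true, stoppedAt: null };   // reached the bottom: every caller was trusted
}

// Constructed scenario following the figure on the slide.
function scenarios() {
  const h = { method: "h", domain: "applet" };
  const g = { method: "g", domain: "signedCo" };
  const f = { method: "java.io.FileInputStream.<init>", domain: "system" };
  return {
    // The untrusted applet is still on the stack, so the read is refused...
    plain: checkPermission([h, g, f], "file.read"),
    // ...unless g takes responsibility by asserting its own privilege.
    asserted: checkPermission([h, { ...g, privileged: true }, f], "file.read"),
    // Asserting privilege cannot grant what g does not itself hold.
    overreach: checkPermission([h, { ...g, privileged: true }, f], "file.write"),
    // System code called only by system code needs no assertion at all.
    trusted: checkPermission([{ method: "main", domain: "system" }, f], "file.write"),
  };
}
```

The "overreach" case is the one worth remembering: asserting privilege stops the walk, but the asserting frame must hold the permission itself, which is what keeps a signed library from becoming a confused deputy for the applet that called it.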

Page 38: ActiveX
ActiveX controls reside on client's machine, activated by HTML object tag on the page
ActiveX controls are not interpreted by browser
  Compiled binaries executed by client OS
  Controls can be downloaded and installed
Security model relies on three components
  Digital signatures to verify source of binary
  IE policy can reject controls from network zones
  Controls marked by author as safe for initialization, safe for scripting, which affects the way the control is used
Once accepted, installed and started, no control over execution

Page 39: Installing Controls
If you install and run, no further control over the code. In principle, browser/OS could apply sandboxing, other techniques for containing risks in native code. But don't count on it.

Page 40: Risks associated with controls
MSDN Warning: An ActiveX control can be an extremely insecure way to provide a feature
Why?
  A COM object, control can do any user action
    read and write Windows registry
    access the local file system
  Other web pages can attack a control
    Once installed, control can be accessed by any page
    Page only needs to know class identifier (CLSID)
Recommendation: use other means if possible
http://msdn.microsoft.com/library/default.asp?url=/code/list/ie.asp

Page 41: IE Browser Helper Objects (Extensions)
COM components loaded when IE starts up
Run in same memory context as the browser
Perform any action on IE windows and modules
  Detect browser events: GoBack, GoForward, and DocumentComplete
  Access browser menu, toolbar and make changes
  Create windows to display additional information
  Install hooks to monitor messages and actions
Summary: No protection from extensions
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp

Page 42: JavaScript
Executed by browser
Used in many attacks (to exploit other vulnerabilities)
  Cookie attack from earlier slide (08 Nov 2001): "With the assistance of some JavaScript code, an attacker could construct a Web page or HTML-based e-mail that could access any cookie in the browser's memory or those stored on disk ..."
JavaScript runs
  Before the HTML is loaded, before the document is viewed
  While the document is viewed, or as the browser is leaving

Page 43: JavaScript Security Model
"Sandbox" design (at least conceptually)
  No direct file access or network access
Same-origin policy
  Can only read properties of documents and windows from same place: server, protocol, port
Access control with signed scripts
  User can grant privileges to signed scripts
  UniversalBrowserRead/Write, UniversalFileRead, UniversalSendMail
Reference: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/

Page 44: Examples, assuming www.example.com

    URL of target window                             Same-origin check with www.example.com   Reason
    http://www.example.com/index.html                Passes                                   Same domain and protocol
    http://www.example.com/other1/other2/index.html  Passes                                   Same domain and protocol
    http://www.example.com:8080/dir/page.html        Does not pass                            Different port
    http://www2.example.com/dir/page.html            Does not pass                            Different server
    http://otherdomain.com/                          Does not pass                            Different domain
    ftp://www.example.com/                           Does not pass                            Different protocol

Same-origin check applies to access to window object of other frames, etc.

Page 45: Same-origin check
Example JavaScript

    var w = window.open("http://www.google.com");
    // After 10 seconds, see what URL they're looking at
    var snoopedURL;
    setTimeout(function () { snoopedURL = w.location.href; }, 10 * 1000);

What should this do?
  Succeed if loaded from www.google.com, or origin of whatever page is being viewed
  Fail otherwise? Some browsers don't fail
Script on page can reset domain
  To more general domain than actual source of page
  Allows other scripts to access that document's properties without violating the same-origin policy
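The same-origin check from the last three slides as working code, added here as an example (not from the lecture, and not any browser's implementation): an origin is the (scheme, host, port) triple, the six rows of the table are checked against http://www.example.com/, the window.open snoop above is refused, and a small Doc class models the document.domain relaxation. Doc, readLocation and the URLs in scenarios() are this example's own constructions. One rule the 2006 slide leaves implicit and browsers enforce: relaxation only takes effect when both documents set document.domain, so a document that set it no longer matches one that did not.

```javascript
// Added example, not from the lecture: origin comparison, the table rows,
// the window.open snoop, and a toy model of document.domain relaxation.

function origin(url) {
  const u = new URL(url);
  const defaults = { "http:": "80", "https:": "443", "ftp:": "21" };
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port: u.port || defaults[u.protocol] || "" };
}

function sameOrigin(a, b) {
  const x = origin(a), y = origin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// A loaded document with an optional document.domain relaxation.
class Doc {
  constructor(url) { this.url = url; this.domain = null; }
  setDomain(d) {
    const host = origin(this.url).host;
    // Only a suffix of the real host is allowed (real browsers also refuse
    // public suffixes such as "com"; this toy does not check that).
    if (host !== d && !host.endsWith("." + d)) throw new Error("document.domain must be a suffix of " + host);
    this.domain = d;
  }
}

// Script in `src` wants to touch the DOM of `dst`. Relaxation only counts
// when both sides opted in; once either side sets document.domain, the
// plain origin comparison no longer applies.
function canAccess(src, dst) {
  if (src.domain !== null || dst.domain !== null) {
    return src.domain !== null && src.domain === dst.domain && origin(src.url).scheme === origin(dst.url).scheme;
  }
  return sameOrigin(src.url, dst.url);
}

function readLocation(src, dst) {
  if (!canAccess(src, dst)) throw new Error("SecurityError: cross-origin read of location.href");
  return dst.url;
}

// The six rows of the table, checked against http://www.example.com/.
function tableResults() {
  const base = "http://www.example.com/";
  return [
    "http://www.example.com/index.html",
    "http://www.example.com/other1/other2/index.html",
    "http://www.example.com:8080/dir/page.html",
    "http://www2.example.com/dir/page.html",
    "http://otherdomain.com/",
    "ftp://www.example.com/",
  ].map(u => sameOrigin(base, u));
}

function scenarios() {
  const opener = new Doc("http://www.example.com/page.html");
  const google = new Doc("http://www.google.com/");            // the window.open target above
  let snooped;
  try { snooped = readLocation(opener, google); } catch (e) { snooped = e.message; }

  // Two hosts under example.com agree to relax to the common parent.
  const a = new Doc("http://www.example.com/account/");
  const b = new Doc("http://www2.example.com/dir/page.html");
  const before = canAccess(a, b);
  a.setDomain("example.com"); b.setDomain("example.com");
  const after = canAccess(a, b);
  let hijack;
  try { a.setDomain("otherdomain.com"); hijack = "allowed"; } catch (e) { hijack = "refused"; }
  return { snooped, before, after, hijack };
}
```

tableResults() reproduces the Passes / Does not pass column; scenarios() shows the snoop being refused, www and www2 gaining mutual access only after both relax to example.com, and an attempt to relax to an unrelated domain being rejected.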

Page 46: Problems with S-O Principle
Poorly enforced on some browsers
  Particularly older browsers
Limitations if site hosts unrelated pages
  Example: Web server often hosts sites for unrelated parties
    http://www.example.com/account/
    http://www.example.com/otheraccount/
  Same-origin policy allows script on one page to access properties of document from another
Finer grained control using signed scripts
  See article for more info

Page 47: LiveConnect
Netscape-supported interaction between Java applets, plugins, and JavaScript
  JavaObject is a JavaScript wrapper on a Java object
  JSObject is a Java wrapper on a JavaScript object
Question: What kind of same-origin policy do we get here?

Page 48: Browser Cookie Management
Cookie same-origin ownership
  Once a cookie is saved on your computer, only the Web site that created the cookie can read it.
Variations
  Temporary cookies: stored until you quit your browser
  Persistent cookies: remain until deleted or expire
  Third-party cookies: originate on or are sent to a web site other than the one that provided the current page

Page 49: Third-party cookies
Get a page from merchant.com
  Contains <img src="http://doubleclick.com/advt.gif">
  Image fetched from DoubleClick.com
  DoubleClick knows IP address and page you were looking at
  DoubleClick sends back a suitable advertisement
  Stores a cookie that identifies "you" at DoubleClick
Next time you get page with a doubleclick.com image
  Your DoubleClick cookie is sent back to DoubleClick
  DoubleClick could maintain the set of sites you viewed
  Send back targeted advertising (and a new cookie)
Cooperating sites
  Can pass information to DoubleClick in URL, …

Page 50: Example: Mortgage Center

    <html><title>Mortgage Center</title><body>…
    http://www.loanweb.com/ad.asp?RLID=0b70at1ep0k9

What's this?

Page 51: Cookie issues
Cookies maintain record of your browsing habits
  Cookie stores information as set of name/value pairs
  May include any information a web site knows about you
  Sites track your activity from multiple visits to site
Sites can share this information (e.g., DoubleClick)
Browser attacks could invade your "privacy"
  08 Nov 2001: "Users of Microsoft's browser and e-mail programs could be vulnerable to having their browser cookies stolen or modified due to a new security bug in Internet Explorer (IE), the company warned today."

Page 52: Managing cookie policy via proxy
(Figure: Browser <-> Proxy, holding its own cookie jar <-> Network)
Proxy intercepts request and response
  May modify cookies before sending to browser
  Can do other checks: filter ads, block sites, etc.

Page 53: Sample Proxy
Cookie management by policy in cookiefile
  Default: all cookies are silently crunched
  Options
    Allow cookies only to/from certain sites
    Block cookies to browser (but allow to server)
    Send vanilla wafers instead
Block URLs matching any pattern in blockfile
  Example: pattern /*.*/ad matches http://nomatterwhere.com/images/advert/g3487.gif
Easy to write your own HTTP proxy; you can try this at home
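The policy engine such a proxy needs, as an added example (it is not the sample proxy's code, nor any real proxy's). The rule syntax is this example's own approximation of the two files the slide describes: a blockfile line is "[host]/path-regex", where an empty host part matches every host and the path part is a regular expression tested against the URL path, so the slide's /*.*/ad line works as written; a cookiefile line pairs a host suffix with "allow", "toserver" (Cookie: still goes to the server, Set-Cookie: is dropped from replies) or "wafer". The hosts and the wafer text are constructed; the default, as on the slide, is to crunch cookies.

```javascript
// Added example, not from the slides or any real proxy: a toy policy engine
// for a cookie/ad-blocking proxy. Rule syntax and sample rules are this
// example's own.

const BLOCKFILE = ["/*.*/ad", "doubleclick.com/.*", "/banners?/"];
const COOKIEFILE = [["e-buy.com", "allow"], ["news.example", "toserver"], ["tracker.example", "wafer"]];
const WAFER = "NOTICE=Do_not_track_me";   // stand-in for a "vanilla wafer" notice cookie
const DEFAULT_COOKIE_POLICY = "crunch";   // default: cookies are silently crunched

function hostMatches(host, rule) {
  return rule === "" || host === rule || host.endsWith("." + rule);
}

// A URL is blocked when any blockfile line matches both its host and path.
function isBlocked(url) {
  const u = new URL(url);
  return BLOCKFILE.some(line => {
    const slash = line.indexOf("/");
    const hostPart = line.slice(0, slash);
    const pathRe = new RegExp(line.slice(slash));
    return hostMatches(u.hostname, hostPart) && pathRe.test(u.pathname);
  });
}

function cookiePolicyFor(host) {
  const hit = COOKIEFILE.find(([rule]) => hostMatches(host, rule));
  return hit ? hit[1] : DEFAULT_COOKIE_POLICY;
}

// Rewrite the request the browser sent; null means "blocked, do not fetch".
function filterRequest(req) {
  if (isBlocked(req.url)) return null;
  const headers = { ...req.headers };
  const policy = cookiePolicyFor(new URL(req.url).hostname);
  if (policy === "crunch") delete headers.cookie;      // site never sees its cookie
  if (policy === "wafer") headers.cookie = WAFER;      // site gets the notice instead
  return { ...req, headers };
}

// Rewrite the server's reply before the browser stores anything from it.
function filterResponse(url, res) {
  const headers = { ...res.headers };
  const policy = cookiePolicyFor(new URL(url).hostname);
  if (policy !== "allow") delete headers["set-cookie"];   // browser never stores the cookie
  return { ...res, headers };
}
```

Cookies therefore reach the browser only from "allow" hosts; a "toserver" host keeps working with cookies the browser already holds but cannot set new ones through the proxy; everything else is crunched or replaced by the wafer, and ad URLs matching the blockfile are never fetched.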

Page 54: Fooling the user
Bad guy sends email: "There is a problem with your eBuy account"
User clicks on email link to www.ebuj.com.
User thinks it is ebuy.com, enters eBuy username and password.
Password sent to bad guy

Page 55: Some Stanford projects
Problems: password phishing; common password problem; keylogger spyware; transaction generator spyware
Projects: SpoofGuard, PwdHash, SpyBlock (no server changes), SpyBlock (with server changes), SafeHistory, SafeCache

Page 56: Password Phishing Problem
User cannot reliably identify fake sites
Captured password can be used at target site
(Figure: the user sends pwdA to a fake site, which replays pwdA to Bank A)

Page 57: Common Password Problem
Phishing attack or break-in at site B reveals pwd at A
  Server-side solutions will not keep pwd safe
  Solution: strengthen with client-side support
(Figure: the user sends pwdA to Bank A, a high security site, and pwdB to Site B, a low security site, where pwdB = pwdA)

Page 58: Password Hashing
Generate a unique password per site
  HMAC_{fido:123}(banka.com) = Q7a+0ekEXb
  HMAC_{fido:123}(siteb.com) = OzX2+ICiqc
Hashed password is not usable at any other site
  Protects against password phishing
  Protects against common password problem
(Figure: the browser sends hash(pwdA, BankA) to Bank A and hash(pwdB, SiteB) to Site B, even when pwdA = pwdB)

Page 59: Password Hashing: a popular idea
Recent password hashing projects: Site Password, Password Maker, Genpass, Passwdlet, Password Composer, Magic Password Generator, PwdHash, Password Generator Extension
Similar hashing algorithms
Only PwdHash defends against spoofing and is invisible to the user

Page 60: The Spoofing Problem
JavaScript can display password fields or dialogs:
  Unhashed password sent to attacker in clear

Page 61: Password Prefix
Original pwd should never be visible to web page
(Figure: the user types @@fido:123 into a password field and @@abcdefgh into another field; Site B receives OzX2+ICiqc)

Page 62: Password Prefix: How it works
Normal operation: prefix in password field
  @@fido:123 -> ********** -> HMAC_{fido:123}(siteb.com) = Q7a+0ekEXb
Abnormal operation: prefix in non-password field
  @@abcdefgh -> abcdefgh
  Can just ignore the prefix and not hash
  Remind user not to enter password

Page 63: PwdHash protection problem
Problem
  JavaScript on malicious web page can try to intercept user password from PwdHash
JavaScript attacks
  Script activated when user changes focus
  Script can read input, may run before PwdHash
  Keyboard monitoring and logging
  Spoof parts of web browser UI
  Communicate across network
Solution
  Implement keystroke logger in PwdHash

Page 64: The Perfect Phishing Email
Bank of America customers see: "Click here to see your Bank of America statement"
Wells Fargo customers see: "Click here to see your Wells Fargo statement"
Works in Outlook; behavior is by design
Fooling the user using browser state

Page 65: Reading browser history
CSS properties of hyperlinks
Can also use cache-based techniques
Violation of the same-origin principle: "One site cannot use information belonging to another site."

Page 66: Visited link tracking
Visited links displayed in different color (74% of sites)
Information easily accessible by JavaScript
Attacks also without JavaScript
  Bank logo images are stacked on top of each other
  CSS rules cause the un-visited links to vanish
  Page displays bank logo of site that user has visited

    <html><head><style>
      a { position:absolute; border:0; }
      a:link { display:none }
    </style></head>
    <body>
      <a href='http://www.bankofamerica.com/'><img src='bankofamerica.gif'></a>
      <a href='https://www.wellsfargo.com/'><img src='wellsfargo.gif'></a>
      <a href='http://www.usbank.com/'><img src='usbank.gif'></a>
      ...
    </body></html>

(Browsers have since closed this channel: :visited may now change only colors, and getComputedStyle reports the unvisited style, so the display:none trick above no longer works in a current browser.)
http://www.safehistory.com/

Page 67: Preserving web privacy
Your IP address may be visible to web sites
  This may reveal your employer, ISP, etc.
  Can link activities on different sites, different times
Can you prevent sites from learning about you?
  Anonymizer: single site that hides origin of web request
  Crowds: distributed solution

Page 68: Browsing Anonymizers
Web Anonymizer hides your IP address
(Figure: Browser -> Anonymizer -> Server, via www.anonymizer.com/cgi-bin/redirect.cgi?url=…)
What does anonymizer.com know about you?

Page 69: Related approach to anonymity
Hide source of messages by routing them randomly
  Routers don't know for sure if the apparent source of the message is the actual sender or simply another router
Only secure against local attackers!
Existing systems: Freenet, Crowds, etc.

Page 70: Crowds [Reiter, Rubin '98]
(Figure: sender C0 routes through crowd members C1 … C4 to the recipient; each honest member forwards with probability pf and delivers with probability 1-pf)
Sender randomly chooses a path through the crowd
Some routers are honest, some corrupt
After receiving a message, honest router flips a coin
  With probability pf routes to the next member on the path
  With probability 1-pf sends directly to the recipient

Page 71: What Does Anonymity Mean?
Beyond suspicion
  The observed source of the message is no more likely to be the actual sender than anybody else
Probable innocence
  Probability <50% that the observed source of the message is the actual sender
  Guaranteed by Crowds if there are sufficiently few corrupt routers
Possible innocence
  Non-trivial probability that the observed source of the message is not the actual sender
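The Crowds forwarding rule and the probable-innocence claim, checked by simulation; this is an added example written for these notes, not code from the Reiter and Rubin paper. Members 0..c-1 collaborate with the attacker, the sender is the last member, and a collaborator that receives the message guesses that its predecessor is the sender. The closed-form probability and the crowd-size condition are Reiter and Rubin's results, with n, c and pf as on the slide; the seeded generator, trial counts and the specific n, c values are constructed inputs.

```javascript
// Added example, not the Crowds authors' code: a Monte Carlo model of Crowds
// routing against c collaborators, plus Reiter and Rubin's closed forms.

function seededRandom(seed) {
  let s = seed >>> 0;
  return () => {                       // 32-bit LCG, reproducible runs for the demo
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 4294967296;
  };
}

// Fraction of paths seen by a collaborator whose predecessor is the real sender.
function simulateCrowd({ n, c, pf, trials, seed = 1 }) {
  const rand = seededRandom(seed);
  const pick = () => Math.floor(rand() * n);   // next hop: uniform over the whole crowd
  const corrupt = m => m < c;
  const sender = n - 1;
  let observed = 0, exposed = 0;
  for (let t = 0; t < trials; t++) {
    let prev = sender, cur = pick();           // the sender always forwards once
    for (;;) {
      if (corrupt(cur)) {                      // first collaborator on the path
        observed++;
        if (prev === sender) exposed++;        // its predecessor really is the sender
        break;
      }
      if (rand() >= pf) break;                 // honest member delivers to the recipient
      prev = cur; cur = pick();                // with probability pf, forward again
    }
  }
  return { observed, exposed, fraction: observed ? exposed / observed : 0 };
}

// Closed form for the same quantity: P(predecessor is the sender | a
// collaborator is on the path) = 1 - ((n - c - 1) / n) * pf.
function exposureProbability(n, c, pf) {
  return 1 - ((n - c - 1) / n) * pf;
}

// Probable innocence (exposure probability <= 1/2) holds when the crowd has
// at least pf / (pf - 1/2) * (c + 1) members; pf must exceed 1/2.
function probableInnocenceThreshold(pf, c) {
  return (pf / (pf - 0.5)) * (c + 1);
}
```

With pf = 3/4 and one collaborator the threshold is a crowd of six: at n = 10 the simulated exposure sits near 0.4, while a crowd of three leaves the sender exposed about three quarters of the time the collaborator sees the message.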

Page 72: How web sites use your information
You may enter information to buy product
  Name, address, credit card number, …
How will web site use this information
  Charge your card and mail your purchase
  Give sales information to other businesses?
Platform for privacy preferences (P3P)
  Framework for reaching agreement on use of personal information
  Enforcement at server side is another matter…

Page 73: Basic P3P Concepts
(Figure: the user's preferences and data repository sit behind a user agent; the service sends a proposal describing its data practices, and agent and service reach an agreement)
Credit: Lorrie Cranor

Page 74: A Simple P3P Conversation
User agent: Get index.html
Service: Here is my P3P proposal - I collect click-stream data and computer information for web site and system administration and customization of site
User agent: OK, I accept your proposal
Service: Here is index.html
