
Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies (PowerPoint presentation, slide transcript)



  1. Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies
     Sebastian Roth, Timothy Barron, Stefano Calzavara, Nick Nikiforakis & Ben Stock
     Network and Distributed System Security Symposium (NDSS '20)

  2. Cross-Site Scripting (XSS)
     [Diagram of a reflected XSS attack]
     1. XSS payload: https://vuln.com?pl=<script src=evil.com>
     2. HTTP GET request to vuln.com
     3. HTTP response
     4. HTTP GET request to evil.com
     5. HTTP response of evil.js
     NDSS 2020 – Sebastian Roth – Complex Security Policy?

  3. Content Security Policy (CSP)
     [Same diagram as slide 2, now with a CSP header in the response]
     1. XSS payload: https://vuln.com?pl=<script src=evil.com>
     2. HTTP GET request to vuln.com
     3. HTTP response with CSP header
     4. HTTP GET request to evil.com
     5. HTTP response of evil.js

  4. Content Security Policy (CSP)
     How the script-src policy for one page evolved over the years '12, '14 and '16:

     '12 (host whitelist plus 'unsafe-inline'):
         <html>
         <body>
         <!-- ad.com includes company.com -->
         <script src="https://ad.com/someads.js"></script>
         <script>
           // ... meaningful inline script
         </script>
         </body>
         </html>
         script-src https://ad.com https://company.com 'unsafe-inline'

     '14 (nonces; the nonced inline script inserts the ad script dynamically):
         <html>
         <body>
         <script nonce="d90e0153c074f6c3fcf53">
           let script = document.createElement("script");
           script.src = "http://ad.com/ad.js";
           document.body.appendChild(script);
         </script>
         </body>
         </html>
         script-src https://company.com 'nonce-d90e0153c074f6c3fcf53'

     '16 (nonces plus 'strict-dynamic'; the nonce replaces the host whitelist):
         <html>
         <body>
         <!-- ad.com includes company.com -->
         <script nonce="d90e0153c074f6c3fcf53" src="https://ad.com/someads.js"></script>
         <script nonce="d90e0153c074f6c3fcf53">
           // ... meaningful inline script
         </script>
         </body>
         </html>
         script-src 'nonce-d90e0153c074f6c3fcf53' 'strict-dynamic'

  5. Research Questions
     We know from other studies that:
       – CSP adoption is far behind expectations
       – Many deployed policies are insecure
     → Why is CSP adoption so low?
     → For what purpose is CSP used in the wild?
     → What are the problems of deploying a CSP?

  6. Methodology
     Dataset Construction:
       • Create a list of the Top 10k sites over time
       • Intersection of the Alexa Top sites of each month, 2012 – 2018
     Data Collection:
       • Use the Wayback Machine
       • Collected 20,179 CSPs
       • Checked Archive data against Common Crawl
     Analytics:
       • Classify CSP use-cases
       • Analyze the directives and their use-cases
       • Detailed case-studies & developer opinions

  7. Use-Case 1: Script Content Control
     [Chart: CSP Adoption, 2014 – 2018; series: Script Content Control; y-axis 0 – 1000]

  8. Use-Case 1: Script Content Control
     [Chart: Script Content Control, 2014 – 2018; series: 'unsafe-inline' and http: || https: || *; y-axis 0 – 450]
     Used 'unsafe-inline' in CSP: 378 sites; of these, 180 (48%) have inline event handlers
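The use-case classification from slide 6 and the two script-src weaknesses counted on slide 8 ('unsafe-inline', and http:/https:/* as script sources) can be reproduced on a single policy string. The following is an added example, not code from the paper or its authors; it assumes that a duplicated directive is ignored after its first occurrence (as browsers do) and does not handle the https:-only whitelist form of TLS enforcement from slide 11.

```javascript
// Added example (not from the paper or its authors): a minimal CSP analyzer that
// parses a policy string, assigns it to the three use-cases the talk discusses
// (script content control, TLS enforcement, framing control) and flags the two
// script-src patterns from slide 8 that leave script restrictions bypassable.
// Assumption: a directive's first occurrence wins, as browsers ignore duplicates.

function parseCsp(policy) {
  // Directives are separated by ';', a directive's source list by whitespace.
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function classifyUseCases(policy) {
  const d = parseCsp(policy);
  const cases = [];
  if (d.has("script-src") || d.has("default-src")) cases.push("script-content-control");
  if (d.has("upgrade-insecure-requests") || d.has("block-all-mixed-content")) {
    cases.push("tls-enforcement");
  }
  if (d.has("frame-ancestors")) cases.push("framing-control");
  return cases;
}

// Reasons the effective script source list does not actually restrict script content.
function scriptSrcWeaknesses(policy) {
  const d = parseCsp(policy);
  const sources = (d.get("script-src") ?? d.get("default-src") ?? []).map(s => s.toLowerCase());
  const hasNonceOrHash = sources.some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  const strictDynamic = sources.includes("'strict-dynamic'");
  const reasons = [];
  // CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) reasons.push("unsafe-inline");
  // http:, https: or * admit every host; with 'strict-dynamic' host sources are ignored anyway.
  if (!strictDynamic && sources.some(s => s === "http:" || s === "https:" || s === "*")) {
    reasons.push("scheme-or-wildcard");
  }
  return reasons;
}
```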

  9. Script Content Control – Example
     Airbnb's journey to secure their CSP: they needed 3 ½ years to deploy a non-trivially bypassable CSP
       11-2014: CSP report-only; script-src: 17 entries
       03-2015: Tried to harden the CSP; script-src: 28 entries
       05-2015: Enforcement mode; script-src: 33 entries
       12-2017: 222 changes later; script-src: 32 entries (incl. https:)
       01-2018: Added https:; script-src: 22 entries
       03-2018: Finally secure CSP; script-src: 5 entries (incl. https:)

  10. Use-Case 2: TLS Enforcement
      [Chart: CSP Adoption, 2014 – 2018; series: Script Content Control, TLS Enforcement; y-axis 0 – 1000]

  11. Use-Case 2: TLS Enforcement
      [Chart: TLS Enforcement, 2016 – 2018; series: Upgrade Insecure Requests, Block All Mixed Content, Whitelist HTTPS schema; y-axis 0 – 500]

  12. Use-Case 2: TLS Enforcement
      • We collected all main pages of Upgrade-Insecure-Requests sites from the Archive and extracted the 3rd-party URLs
      • How hard is HTTPS migration in the wild?
        – Mixed content on 4,785 sites from the Alexa Top 10k
        – For 89% of them, all HTTP resources are upgradeable

  13. Framing-based attacks
      [Illustration: a page at https://kittenpics.org/ asking "Wanna see more Kittens?" with a "Yes!" button]

  14. Framing Control – X-Frame-Options
      X-Headers are not standardized! This leads to security problems:
        • Partial support
        • Double framing
      ... as well as functionality problems:
        • X-Frame-Options can only have a single whitelist entry

  15. Use-Case 3: Framing Control
      [Chart: CSP Adoption, 2014 – 2018; series: Script Content Control, TLS Enforcement, Framing Control; y-axis 0 – 1000]

  16. Use-Case 3: Framing Control
      How CSP frame-ancestors fixes these problems:
        - Partial support / inconsistent implementation: CSP frame-ancestors has been a well-defined standard in CSP since 2014, so all "modern" browsers support it.
        - Double framing: applies to all of a frame's ancestors, not only the top-most frame.
        - Explicit whitelist: frame-ancestors supports wildcards and multiple source expressions, e.g.
          frame-ancestors www.foo.com 'self' *.partner.com
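An added example (not code from the paper or its authors) of the ancestor-chain check this slide describes: every ancestor must match the frame-ancestors list, so a trusted top-level frame cannot be combined with an untrusted intermediate frame. It assumes origins are supplied as scheme://host[:port] strings and simplifies CSP host-source matching to scheme, host (with a leading *. wildcard) and port.

```javascript
// Added example (not from the paper or its authors): evaluates a frame-ancestors
// source list against the complete chain of embedding origins, which is what fixes
// the "double framing" weakness of X-Frame-Options: every ancestor, not only the
// top-level page, must match. Assumes origins are given as "scheme://host[:port]".

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : "80";
}

// Does one source expression match one ancestor origin? (CSP host-source rules, simplified)
function ancestorMatches(expr, ancestorOrigin, pageOrigin) {
  const a = new URL(ancestorOrigin);
  const p = new URL(pageOrigin);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return a.origin === p.origin;
  if (e === "*") return true;
  // host-source: optional scheme, host (optionally with a leading "*."), optional port
  const m = e.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (scheme + ":" !== a.protocol) return false;
  } else if (a.protocol !== p.protocol && !(p.protocol === "http:" && a.protocol === "https:")) {
    return false; // without an explicit scheme, only the page's scheme (or an https upgrade) matches
  }
  // "*.partner.com" matches subdomains of partner.com but not partner.com itself
  if (wildcard ? !a.hostname.endsWith("." + host) : a.hostname !== host) return false;
  const ancestorPort = a.port || defaultPort(a.protocol);
  if (port && port !== "*" && port !== ancestorPort) return false;
  return true;
}

// Allowed only if every ancestor in the chain (top-level first) matches some expression;
// an empty chain means the page is not framed at all.
function framingAllowed(frameAncestors, ancestorChain, pageOrigin) {
  const exprs = frameAncestors.trim().split(/\s+/);
  return ancestorChain.every(origin => exprs.some(e => ancestorMatches(e, origin, pageOrigin)));
}
```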

  17. Use-Case 3: Framing Control
      [Chart: 2012 – 2018; series: X-Frame-Options, CSP frame-ancestors, Both; y-axis 0 – 3500; annotation: "XFO Deprecated"]

  18. Framing Control – Developer Study
      • We notified the 2,699 Web sites about their problem (using XFO but not CSP frame-ancestors) via email.
      • Received 117 responses that went beyond automatic answers.
      • Many developers have the misconception that different CSP features cannot be used in isolation!

  19. Developer Study – CSP destroys Web applications
      „[...] adding CSP [...] already placed on the roadmap in August of last year. We ran into some trouble with properly enabling the policies, as they ended up effectively killing the website.“

  20. Developer Study – Misconceptions about CSP
      „CSP is a complex beast [...]. Some of our partners are iframing our site. We already had issues implementing the X-Frame header, so we did not want to deal with CSP.“

  21. Framing Control – Developer Study
      [Two survey charts, counts 0 – 40]
      Q: Do you believe CSP is a viable option to improve your site's resilience against XSS attacks? (Yes / No / I don't know / No answer)
      Q: Would your site work out of the box if you deployed a script-content restricting CSP today (disallow eval, inline scripts, and event handlers)? (Yes / No / I don't know / No answer)

  22. Complex Security Policy?

  23. How to go back in time?
      The Wayback Machine also stores the original HTTP headers, prefixed with X-Archive-Orig-

  24. Appendix – Developer Study – Building a CSP requires massive effort
      „We have a small team. Do we want to update our version of python or do we want to add CSP? Do we want to move to the new LTS version of Ubuntu or CSP? […] CSP always loses.“

  25. Appendix – Developer Study – CSP is too complex to deploy
      „[…] many first and third party integrations […] having a generic CSP policy that adds value and which is suitable for our entire estate is something that is very difficult to achieve.“

  26. Developer Study
      [Two survey charts, counts 0 – 30 and 0 – 15]
      Q: Did you know about the frame-ancestors directive and its improved protection capabilities compared to X-Frame-Options before our notification? (Yes / No / No answer)
      Q: Did you know that frame-ancestors can be deployed independently of any other part of CSP before our notification? (Yes / No / No answer)

  27. Appendix – Developer Study
      [Survey chart, counts 0 – 25]
      Q: Why have you implemented the X-Frame-Options header? (Pentest / Consultant, Tools we use, Own decision, Other)
