Designing Trustworthy User-Agents for a Hostile Web (Usenix Security 2009) - PowerPoint PPT Presentation



slide-1
SLIDE 1

Designing Trustworthy User-Agents for a Hostile Web

Usenix Security 2009

slide-2
SLIDE 2

IE8 Program Manager - Security IE7 PM – Networking & Trust Developer of Fiddler, TamperIE, IEToys

slide-3
SLIDE 3

IE 7 significantly reduced attack surface against the browser and local machine…

slide-4
SLIDE 4
but…

  • WebApp attacks (CSRF, XSS, ClickJacking, HTTP response splitting) could become the next big vector of exploit.
  • More high-value information is moving to the web.
  • Social Engineering and exploitation of add-ons continues to grow.
  • The Web platform itself is getting richer.
  • …and the next generation of attackers is coming out of grade school.

slide-5
SLIDE 5

Worst of all, it turns out that crime does pay (quite well) after all.

slide-6
SLIDE 6

Why is browser security so elusive?

slide-7
SLIDE 7

Complexity.

slide-8
SLIDE 8

The security architecture of the current web platform was largely an afterthought.

slide-9
SLIDE 9

Maybe there’s a shortcut?

slide-10
SLIDE 10

We could block nearly 100% of exploits by removing just one component from the system…

slide-11
SLIDE 11

The Network cable

slide-12
SLIDE 12

Or, we could block a majority of exploits by removing a different component from the system…

slide-13
SLIDE 13

The user

slide-14
SLIDE 14

So, if we re-architect everything, or get rid of the users, or get rid of the network, then security might be easy.

FAIL

slide-15
SLIDE 15

Tradeoffs are complicated.

Security is straightforward.

slide-16
SLIDE 16

Yes, Microsoft is a big, influential company...

slide-17
SLIDE 17

…but the Internet is bigger.

slide-18
SLIDE 18
  • Many hundreds of millions of users…
  • From all over the world…
  • Visiting billions of web pages…
  • And most don’t really even know what a “browser” is!

slide-19
SLIDE 19

The Web is surprisingly fragile.

slide-20
SLIDE 20

For most web users, it’s all about value.

slide-21
SLIDE 21

The browser that most users will ask for…

Race car

slide-22
SLIDE 22

The browser that meets users security expectations…

Amphibious assault tank

slide-23
SLIDE 23

Bad guys only need to find one way in…

slide-24
SLIDE 24

Security Team’s Investments

Security Feature Improvements

Create security features that address the top vulnerabilities today and in the future

Secure Features

Reduce attack surface of existing code by closing legacy holes Apply security-focused rigors against new code

Provide Security and Compatibility

Users understand that improved security is a reason to upgrade

slide-25
SLIDE 25

Social Engineering Web App Vulnerabilities Browser & Add-on Vulnerabilities

Address the evolving threat landscape

Threat Focus Areas

slide-26
SLIDE 26

ActiveX

Browser/Add-on Vulnerabilities

slide-27
SLIDE 27

ActiveX Gauntlet

Browser/Add-on Vulnerabilities

A control must pass every check before it runs:

  • ActiveX Opt-in: Is the control permitted to run in the browser without a prompt?
  • Per-Site ActiveX: Is the control permitted to run on this site?
  • ActiveX Killbits: Has the control been flagged as unsafe?
  • IObjectSafety: Is the control marked safe for scripting / initialization?

slide-28
SLIDE 28

Per-site ActiveX

Helps prevent repurposing of ActiveX controls

Browser/Add-on Vulnerabilities

slide-29
SLIDE 29

Data Execution Prevention

Mitigates many memory-corruption vulnerabilities by blocking execution of code from data pages (stack, heap). Complemented by other protections like ASLR, SAFESEH, /GS, etc.

Browser/Add-on Vulnerabilities

slide-30
SLIDE 30

Protected Mode

Browser/Add-on Vulnerabilities

slide-31
SLIDE 31

Protected Mode

  • Loosely-coupled IE enables one frame to host both Low and Medium integrity tabs
  • Intranet Zone moved to Medium Integrity by default
  • Silent Elevation List split
  • Minor API improvements:
      DWebBrowserEvents2::NewProcess
      IE[Get|Set]ProtectedModeCookie
      IERefreshElevationPolicy (IE7 GDR)
      Other registry/filesystem helpers

Browser/Add-on Vulnerabilities

slide-32
SLIDE 32

What’s the best way to develop secure, performant, and reliable C/C++ code?

slide-33
SLIDE 33

Don’t.

slide-34
SLIDE 34

Non-Binary Extensibility

slide-35
SLIDE 35

Accelerators

slide-36
SLIDE 36

WebSlices

slide-37
SLIDE 37

Visual Search Suggestions

slide-39
SLIDE 39

Sometimes, threats are obvious…

slide-40
SLIDE 40

…but bad guys are getting smarter…

slide-41
SLIDE 41

Fake codecs and add-ons

slide-42
SLIDE 42

Fake antivirus scanners & utilities

slide-43
SLIDE 43

Try as we might… …we haven’t figured out how to patch the user.

slide-44
SLIDE 44

Group Policy Controls

Social Engineering

“Don’t ask my users to make security decisions.”

Policies include:

  • Treat certificate errors as fatal
  • Block insecure content
  • Prevent bypass of SmartScreen Filter warnings
  • Regulate ActiveX control install & availability

IE8 includes over 1400 group policy controls.

slide-45
SLIDE 45

What if we can’t get rid of the user?

slide-49
SLIDE 49

A more effective warning?

slide-50
SLIDE 50

SmartScreen Download Block

slide-51
SLIDE 51

SmartScreen Block Page

slide-52
SLIDE 52

Domain Highlighting

slide-53
SLIDE 53

HTTPS - Extended Validation

  • Supported by all modern browsers.
  • Over 10,000 sites with extended validation certificates.
slide-54
SLIDE 54

International Domain Names

Protects against homograph-style phishing attacks.

Unicode display restricted to the user’s configured languages.

Social Engineering

slide-55
SLIDE 55

HTTPS Mistakes

slide-56
SLIDE 56

Insecure Login Form

slide-57
SLIDE 57

Certificate Mismatch

slide-58
SLIDE 58

Mixed Content - Prompt

slide-59
SLIDE 59

Mixed Content Blocked

slide-60
SLIDE 60

Mixed Content shown – No lock

slide-61
SLIDE 61

Mitigating XSS

slide-62
SLIDE 62

XSS Statistics

XSS: 70%
Info Leakage: 4%
Content Spoofing: 6%
SQL Leakage: 5%
Predictable Resource Location: 5%
HTTP Response Splitting: 5%
Other: 6%

Source: WhiteHat Security, August 2008

slide-63
SLIDE 63

XSS Threats

Researcher Bryan Sullivan: “XSS is the new buffer overflow.”

slide-64
SLIDE 64

IE8 XSS Filter

slide-65
SLIDE 65

Comprehensive XSS Protection

slide-66
SLIDE 66

Securing Mashups

slide-67
SLIDE 67

How are mashups built today?

  • Cross-domain script inclusion
  • IFRAMEs
slide-68
SLIDE 68

XDomainRequest

  • Enables web developers to more securely communicate between domains
  • Provides a mechanism to establish trust between domains through an explicit acknowledgement of cross domain access
  • Access-Control-Allow-Origin syntax standardized

slide-69
SLIDE 69

HTML5 postMessage()

  • Enables two domains to establish a trust relationship to exchange object messages
  • Provides a web developer a more secure mechanism to build cross-domain communication
  • Part of the HTML5 specification; supported by all latest-version browsers.

slide-70
SLIDE 70

postMessage – Sending

// Find target frame
var oFrame = document.getElementsByTagName('iframe')[0];

// postMessage will only deliver the 'Hello' message if the frame is
// currently at the expected target site (the second argument is the
// target origin, not a wildcard).
oFrame.contentWindow.postMessage('Hello', 'http://recipient.example.com');

slide-71
SLIDE 71

postMessage – Listening

// Listen for the event. IE8 exposes only attachEvent; other browsers
// use addEventListener.
function onMessage(e) {
  // Compare the full origin (scheme://host[:port]) reported by the
  // browser, never a bare host name or a substring of it.
  if (e.origin == 'http://expected.com') {
    // e.data contains the string.
    // We can use it here. But how?
  }
}

if (window.addEventListener) {
  window.addEventListener('message', onMessage, false);
} else {
  window.attachEvent('onmessage', onMessage);
}

slide-72
SLIDE 72

JavaScript Object Notation

{"Weather": {
    "City": "Seattle",
    "Zip": 98052,
    "Forecast": {
        "Today": "Sunny",
        "Tonight": "Dark",
        "Tomorrow": "Sunny"
    }
}}

slide-73
SLIDE 73

Native JSON Support

  • JSON.stringify()
  • JSON.parse()

Based on ECMAScript 3.1; natively supported by modern browsers.

slide-74
SLIDE 74

window.toStaticHTML()

Client-side string sanitization, based on the Microsoft Anti-XSS Library.

window.toStaticHTML("This is some <b>HTML</b> with embedded script following... <script> alert('bang!'); </script>!");

returns:

This is some <b>HTML</b> with embedded script following... !

slide-75
SLIDE 75

Putting it all together…

if (window.XDomainRequest) {
  var xdr = new XDomainRequest();
  xdr.onload = function () {
    // The response is data, not code: parse it rather than eval it.
    var objWeather = JSON.parse(xdr.responseText);
    var oSpan = window.document.getElementById("spnWeather");
    // Strip any script the remote site may have smuggled into the strings.
    oSpan.innerHTML = window.toStaticHTML(
      "Tonight it will be <b>" + objWeather.Weather.Forecast.Tonight +
      "</b> in <u>" + objWeather.Weather.City + "</u>.");
  };
  // The server must acknowledge the request with Access-Control-Allow-Origin,
  // otherwise the browser discards the response.
  xdr.open("POST", "http://evil.example.com/getweather.aspx");
  xdr.send("98052");
}
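The receiving side of the mashup described on slides 68 to 75, as an added example that is not the presentation’s code, written as pure functions so the trust decisions can be exercised outside a browser. It assumes the embedding page trusts exactly the two origins listed in TRUSTED_ORIGINS, that the message carries the JSON shape from slide 72, and it HTML-encodes untrusted fields (a substitute for toStaticHTML, which strips script but still treats the data as markup). The function names, the origins and the sample messages are constructed for the example.

```javascript
// Added example (not the slides' code): the receiving side of the mashup on
// slides 68-75.  Assumptions: the page trusts exactly TRUSTED_ORIGINS, and the
// weather message has the JSON shape shown on slide 72.

// Origins are compared as whole strings (scheme://host[:port]).  A substring or
// suffix test such as origin.indexOf('example.com') would also accept
// https://recipient.example.com.attacker.net.
const TRUSTED_ORIGINS = new Set([
  "https://recipient.example.com",
  "https://weather.example.net",
]);

function isTrustedOrigin(origin) {
  return typeof origin === "string" && TRUSTED_ORIGINS.has(origin);
}

// Server side of XDomainRequest/CORS (slide 68): acknowledge only listed
// origins; never reflect an arbitrary Origin header back.
function corsHeadersFor(requestOrigin) {
  return isTrustedOrigin(requestOrigin)
    ? { "Access-Control-Allow-Origin": requestOrigin, Vary: "Origin" }
    : {};
}

// HTML-encode so the value can only ever be text, never markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse with JSON.parse (slide 73) and validate the shape; reject anything else.
function parseWeather(text) {
  let obj;
  try { obj = JSON.parse(text); } catch (e) { return null; }
  const w = obj && obj.Weather;
  if (!w || typeof w.City !== "string" || !w.Forecast ||
      typeof w.Forecast.Tonight !== "string") return null;
  return { city: w.City, tonight: w.Forecast.Tonight };
}

// The markup from slide 75, with every untrusted field encoded.
function renderWeather(w) {
  return `Tonight it will be <b>${escapeHtml(w.tonight)}</b> in <u>${escapeHtml(w.city)}</u>.`;
}

// postMessage handler (slides 70-71): origin first, then parse, then render.
// Returns the HTML to insert, or null when the message must be ignored.
function handleWeatherMessage(event) {
  if (!isTrustedOrigin(event.origin)) return null;
  const w = parseWeather(event.data);
  return w ? renderWeather(w) : null;
}

// Browser wiring (not executed here):
//   window.addEventListener("message", (e) => {
//     const html = handleWeatherMessage(e);
//     if (html !== null) document.getElementById("spnWeather").innerHTML = html;
//   });
```

Checking the origin before touching e.data matters because JSON.parse on attacker-controlled text is harmless, but the rendered result is not; encoding rather than sanitizing means a forecast of "<script>alert(1)</script>" is displayed literally instead of being silently deleted.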

slide-76
SLIDE 76

MIME-Sniffing

  • No upsniff from image/* content types to HTML
  • X-Content-Type-Options: nosniff disables content sniffing for the response
  • Option to force file save instead of rendering:

Content-Disposition: attachment; filename="file.htm"

X-Download-Options: NoOpen

slide-77
SLIDE 77

Best Practices

  • Filter content using the Microsoft Anti-Cross Site Scripting Library.
  • Use JSON and toStaticHTML for local content sanitization.
  • Specify the encoding in the Content-Type header:

Content-Type: text/html; charset=UTF-8

  • Use XDomainRequest and postMessage() for cross-domain data rather than <SCRIPT SRC=>.
  • Use HttpOnly cookies:

Set-Cookie: secret=value; HttpOnly
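The headers recommended on slides 76 and 77, as an added example that is not from the presentation: a small Node/JavaScript module that builds them while treating the values placed inside them as untrusted, since a filename or cookie value that carries CR/LF is exactly the HTTP response splitting vector listed on slide 4. The function names, the cookie name and the sample inputs are assumptions made for the example.

```javascript
// Added example (not from the slides): the response headers of slides 76 and
// 77, with the values that go into them treated as untrusted.  Assumption: the
// filename comes from a user upload and the cookie value from application
// state, so neither may carry CR/LF or break out of a quoted string.

// Drop control characters: a CR or LF inside a header value ends the header
// and lets the sender append headers, or a body, of their own.
function headerSafe(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, "");
}

// HTTP quoted-string: backslash-escape '\' and '"', then wrap in quotes.
function quoted(value) {
  return '"' + headerSafe(value).replace(/[\\"]/g, (c) => "\\" + c) + '"';
}

// Headers for serving an uploaded file back to the browser.  The type is never
// text/html for user content, and nosniff stops the browser promoting it.
function downloadHeaders(filename, contentType = "application/octet-stream") {
  // Keep only the leaf name; a client path (slide 80) is never trusted anyway.
  const name = headerSafe(filename).replace(/^.*[\\\/]/, "") || "download";
  return {
    "Content-Type": headerSafe(contentType),
    "X-Content-Type-Options": "nosniff",
    "Content-Disposition": "attachment; filename=" + quoted(name),
    "X-Download-Options": "noopen",
  };
}

// Headers for an HTML page: explicit charset and an HttpOnly cookie whose value
// is percent-encoded so ';' or whitespace cannot add cookie attributes.
function pageHeaders(cookieValue) {
  return {
    "Content-Type": "text/html; charset=UTF-8",
    "Set-Cookie": "secret=" + encodeURIComponent(headerSafe(cookieValue)) + "; HttpOnly",
  };
}

// Wire form: exactly one line per header, whatever the inputs contained.
function headerBlock(headers) {
  return Object.entries(headers).map(([k, v]) => `${k}: ${v}`).join("\r\n") + "\r\n";
}
```

Note that X-Download-Options and the image/* rule on slide 76 only help the browsers that honour them; nosniff plus a correct Content-Type is the part every browser acts on.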

slide-78
SLIDE 78

Design Flaws in the Web Platform

slide-79
SLIDE 79

Privacy

slide-80
SLIDE 80

File Upload Control

Text input control now read-only.

Server no longer gets the full local path, only the file name:

Content-Disposition: form-data; name="file1"; filename="File.zip"

Local JavaScript sees a fixed path for compatibility:

file1.value == "C:\fakepath\File.zip"

slide-81
SLIDE 81

Enhanced Cleanup

slide-82
SLIDE 82

InPrivate™ Browsing: shared PC privacy. Browsing leaves no tracks locally (cookies, DOMStorage, cache, history, etc).

InPrivate™ Filtering: awareness and control of web profile aggregation. Assesses, on an ongoing basis, user exposure to third-party content. Helps to prevent information disclosure by automatically blocking high-frequency third-party content from sites users visit.

InPrivate™

slide-83
SLIDE 83

InPrivate™ Browsing

Bonus: Helps mitigate CSS “Visited Links” History theft vector

slide-84
SLIDE 84

Background on 3rd Party Aggregation

Over time, users’ history and profiles can be surreptitiously aggregated.

Any third-party content can be used like a tracking cookie: syndicated photos, weather, stocks, news articles, local analytics, etc.

There is little end-user notification or control today.

Unclear accountability with third party security & privacy policies.

[Diagram: a user visits unique sites (Contoso.com, Tailspin.com, Woodgrovebank.com, Example.com, Farbrican.com, Southridge1-1.com, Litware-final.com, adventureworks.com, Prosware-sol.com); each embeds content from the same 3rd-party syndicator web server, which therefore observes every visit.]
slide-86
SLIDE 86

ericlaw@microsoft.com

Questions?

http://blogs.msdn.com/ie/archive/tags/Security/default.aspx

slide-87
SLIDE 87

XSS Filter

Flowchart (a NO at any decision provides the HTTP response to the web browser unchanged):

  1. Is the response an HTML MIME type? YES:
  2. Different Referer (cross-site request)? YES:
  3. Heuristic match on GET/POST data? YES:
  4. Build a signature for each heuristic match.
  5. Signature match on the HTTP response body? YES:
  6. Neuter appropriate characters for each signature match.
  7. Log results and inform the user that a XSS attack has been blocked.
  8. Provide HTTP response to web browser.
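The flowchart on slide 87, as an added example that is not Microsoft’s code: a toy reflected-XSS filter in JavaScript that walks the same steps (HTML response, cross-site request, heuristic match on request data, signature built from the match, signature match on the body, neutering). The heuristics, the neutering characters, the request/response shapes and the sample inputs are all assumptions constructed for the example; the real IE8 heuristics and signatures were far more extensive.

```javascript
// Added example (not Microsoft's code): a toy reflected-XSS filter following the
// flowchart on slide 87.  Request and response objects are constructed for the
// example; the real IE8 heuristics and signatures were far more extensive.

// Step 3: heuristics applied to GET/POST data.  Each matches a fragment that is
// harmless in a query string but dangerous if echoed into an HTML response.
const HEURISTICS = [
  /<script[^>]*>/i,                 // script tag
  /<[a-z]+[^>]*\son[a-z]+\s*=/i,    // any tag carrying an event-handler attribute
  /javascript:/i,                   // script URL
];

// Step 4: turn a matched fragment into a signature.  Literal text, but tolerant
// of case and whitespace so trivial server-side reformatting does not evade it.
function buildSignature(fragment) {
  const literal = fragment.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp(literal.replace(/\s+/g, "\\s*"), "ig");
}

// Step 6: neuter the reflected fragment.  IE8 overwrote selected characters
// with '#'; here every '<', '=' and ':' in the match is replaced, which breaks
// the tag, the attribute assignment or the URL scheme respectively.
function neuter(match) {
  return match.replace(/[<=:]/g, "#");
}

// Step 2 helper: a Referer on the response's own host is a same-site request.
function sameSite(referer, host) {
  try { return new URL(referer).host === host; } catch (e) { return false; }
}

// req: { host, referer, params }   res: { headers, body }
// Returns the (possibly rewritten) body and whether anything was blocked.
function xssFilter(req, res) {
  const unchanged = { body: res.body, blocked: false };
  // Step 1: only HTML responses are examined.
  const ct = res.headers["content-type"] || "";
  if (!/^text\/html\b/i.test(ct)) return unchanged;
  // Step 2: only cross-site requests are filtered.
  if (req.referer && sameSite(req.referer, req.host)) return unchanged;
  // Steps 3-4: every heuristic hit in the request data becomes a signature.
  const signatures = [];
  for (const value of Object.values(req.params || {})) {
    for (const h of HEURISTICS) {
      const m = String(value).match(h);
      if (m) signatures.push(buildSignature(m[0]));
    }
  }
  // Steps 5-6: a signature that also matches the response body is neutered.
  let body = res.body;
  let blocked = false;
  for (const sig of signatures) {
    body = body.replace(sig, (m) => { blocked = true; return neuter(m); });
  }
  // Step 7 (log and inform the user) is left to the caller; either way the
  // response is handed to the browser (step 8).
  return { body, blocked };
}
```

Two caveats a practitioner should keep in mind about this design: the filter never sees stored or DOM-based XSS, because it only compares request data with the response, and the rewriting step itself became an attack surface (the neutering could be aimed at a page’s own legitimate script, as Nava and Lindsay showed at Black Hat Europe 2010); sites could opt out with X-XSS-Protection: 0, and the filter was eventually retired. Output encoding on the server, as slide 77 recommends, remains the primary defence.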