modern client side defenses
play

Modern client-side defenses Deian Stefan Today How can we build - PowerPoint PPT Presentation

Jan 09, 2023 •231 likes •867 views

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

  1. CSE 127: Computer Security Modern client-side defenses Deian Stefan

  2. Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components)

  3. Modern web sites are complicated

  4. Many acting parties on a site • Page developer • Library developers • Service providers • Data provides • Ad providers • CDNs • Network provider

  5. • How do we protect page from ads/services? • How to share data with a cross-origin page? • How to protect one user from another’s content? • How do we protect the page from a library? • How do we protect the page from the CDN? • How do we protect the page from network provider?

  6. 
 
 
 
 
 Recall: Same origin policy Idea: isolate content from different origins ➤ E.g., can’t access document of cross-origin page ➤ E.g., can’t inspect responses from cross-origin 
 ✓ DOM access postMessage ✓ a.com b.com c.com JSON

  7. Why is the SOP not good enough?

  8. The SOP is not strict enough • Third-party libs run with privilege of the page • Code within page can arbitrarily leak/corrupt data ➤ How? So, how should we isolate untrusted code? • iframes isolation is limited ➤ Can’t isolate user-provided content from page (why?) ➤ Can’t isolate third-party ad placed in iframe (why?)

  9. The SOP is not strict enough • Third-party libs run with privilege of the page • Code within page can arbitrarily leak/corrupt data ➤ How? So, how should we isolate untrusted code? • iframes isolation is limited ➤ Can’t isolate user-provided content from page (why?) ➤ Can’t isolate third-party ad placed in iframe (why?)

  11. The SOP is not flexible enough • Can’t read cross-origin responses ➤ What if we want to fetch data from provider.com? ➤ JSON with padding (JSONP) To fetch data, insert new script tag: 
 - <script src=“https://provider.com/getData?cb=f”></script> To share data, reply back with script wrapping data 
 - f({ ...data...})

  12. http://example.com provider.com

  13. Why is JSONP is a terrible thing? • Provider data can easily be leaked (CSRF) • Page is not protected from provider (XSS)

  14. Why is JSONP is a terrible thing? • Provider data can easily be leaked (CSRF) • Page is not protected from provider (XSS)

  15. The SOP is also not enough security-wise

  16. Outline: modern mechanisms • iframe sandbox • Content security policy (CSP) • HTTP strict transport security (HSTS) • Subresource integrity (SRI) • Cross-origin resource sharing (CORS)

  17. iframe sandbox Idea: restrict actions iframe can perform Approach: set sandbox attribute, by default: ➤ disallows JavaScript and triggers (autofocus, autoplay videos etc.) ➤ disallows form submission ➤ disallows popups ➤ disallows navigating embedding page ➤ runs page in unique origin: no storage/cookies

  18. Grant privileges explicitly Can enable dangerous features with: ➤ allow-scripts: allows JS + triggers (e.g., autofocus) ➤ allow-forms: allow form submission ➤ allow-popups: allow iframe to create popups ➤ allow-top-navigation: allow breaking out of frame ➤ allow-same-origin: retain original origin

  19. Grant privileges explicitly

  20. What can you do with iframe sandbox? • Run content in iframe with least privilege ➤ Only grant content privileges it needs • Privilege separate page into multiple iframes ➤ Split different parts of page into sandboxed iframes

  21. Least privilege: twitter button

  22. 
 
 
 
 
 
 Least privilege: twitter button • Let’s embed button on our site ➤ How do they suggest doing it? 
 <a href="https://twitter.com/share?ref_src=twsrc%5Etfw" class="twitter-share-button" data-show-count="false">Tweet</ a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> ➤ What’s the problem with this embedding approach? 


  23. 
 
 
 
 
 
 Least privilege: twitter button • Let’s embed button on our site ➤ How do they suggest doing it? 
 <a href="https://twitter.com/share?ref_src=twsrc%5Etfw" class="twitter-share-button" data-show-count="false">Tweet</ a><script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> ➤ What’s the problem with this embedding approach? 


  24. 
 Least privilege: twitter button • Better approach: put it in an iframe iframe 
 <iframe src="https://platform.twitter.com/widgets/tweet_button.html" style="border: 0; width:130px; height:20px;"></iframe> ➤ Is this good enough? ➤ What can a malicious/compromised twitter still do?

  25. 
 
 Least privilege: twitter button • Use iframe sandbox: remove all permissions and then enable JavaScript, popups, etc. 
 <iframe src=“https://platform.twitter.com/widgets/tweet_button.html" sandbox=“allow-same-origin allow-scripts allow-popups allow-forms” style="border: 0; width:130px; height:20px;"></iframe> ➤ Is the allow-same-origin unsafe? ➤ Why do you think we need all the other bits?

  26. 
 
 Privilege separation: blog feed • Typically include user content inline: 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div> ➤ Problem with this? • With iframe sandbox: 
 <iframe sandbox srcdoc=“... 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div>...”></iframe> ➤ May need allow-scripts - why? ➤ Is allow-same-origin safe too?

  27. 
 
 Privilege separation: blog feed • Typically include user content inline: 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div> ➤ Problem with this? • With iframe sandbox: 
 <iframe sandbox srcdoc=“... 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div>...”></iframe> ➤ May need allow-scripts - why? ➤ Is allow-same-origin safe too?

  28. What are some limitations of iframe sandbox?

  29. 
 
 Too strict vs. not strict enough • Consider running library in sandboxed iframes ➤ E.g., password strength checker 
 b.ru/chk.html a.com ➤ Desired guarantee: checker cannot leak password • Problem: sandbox does not restrict exfiltration ➤ Can use XHR to write password to b.ru

  30. Too strict vs. not strict enough • Can we limit the origins that the page (iframe or otherwise) can talk talk to? ➤ Can only leak to a trusted set of origins ➤ Gives us a more fine-grained notion of least privilege • This can also prevent or limit damages due to XSS

  31. Outline: modern mechanisms • iframe sandbox (quick refresher) • Content security policy (CSP) • HTTP strict transport security (HSTS) • Subresource integrity (SRI) • Cross-origin resource sharing (CORS)

  32. Content Security Policy (CSP) • Idea: restrict resource loading to a whitelist ➤ By restricting to whom page can talk to: restrict where data is leaked! • Approach: send page with CSP header that contains fine-grained directives ➤ E.g., allow loads from CDN, no frames, no plugins Content-Security-Policy: default-src https://cdn.example.net; 
 child-src 'none'; object-src 'none'

  33. script-src: where you can load scripts from connect-src: limits the origins you can XHR to font-src: where to fetch web fonts form form-action: where forms can be submitted child-src: where to load frames/workers from img-src: where to load images from … default-src: default fallback

  34. Special keywords • ‘none’ - match nothing • ‘self’ - match this origin • ‘unsafe-inline’ - allow unsafe JS & CSS • ‘unsafe-eval’ - allow unsafe eval (and the like) • http: - match anything with http scheme • https: - match anything with https scheme • * - match anything

  35. How can CSP help with XSS? • If you list all places you can load scripts from: ➤ Only execute code from trusted origins ➤ Remaining vector for attack: inline scripts • CSP by default disallows inline scripts ➤ If scripts are enabled at least it disallows eval

  36. Adoption challenge • Problem: inline scripts are widely-used ➤ Page authors use the ‘unsafe-inline' directive ➤ Is this a problem? • Solution: script nonce and script hash ➤ Allow scripts that have a particular hash ➤ Allow scripts that have a specific nonce

  37. Adoption challenge • Problem: inline scripts are widely-used ➤ Page authors use the ‘unsafe-inline' directive ➤ Is this a problem? • Solution: script nonce and script hash ➤ Allow scripts that have a particular hash ➤ Allow scripts that have a specific nonce

  38. Other adoption challenges • Goal: set most restricting CSP that is permissive enough to not break existing app • How can you figure this out for a large app? ➤ CSP has a report-only header and report-uri directive ➤ Report violations to server; don’t enforce • In practice: devs hardly ever get the policy right

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation

Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation

Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation and interaction between components to develop flexible, interesting web applications, while protecting confidentiality and integrity Today

1.46k views • 110 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides
ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner Nicholas Carlini Return Oriented Programming Basic ROP Mo(va(ons DEP Data

712 views • 11 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Open Source Enclave Workshop 2019 Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer Science &amp; Engineering The Ohio State University Userland TEEs on Commodity Processors Application VM VM

154 views • 14 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

562 views • 38 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

1.03k views • 66 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering Web Programming Paradigms So far we have seen server-side programming Next Enrich user experience, interactivity with client- side

759 views • 24 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Challenge: Database Access for Client-side Apps Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App Presented by Marek Zawirski App App Inria / UPMC-LIP6, Paris (now at Google, Zrich) Marek

469 views • 13 slides
&lt;/audio&gt; Options: controls autoplay &lt;video controls&gt; &lt;source

&lt;/audio&gt; Options: controls autoplay &lt;video controls&gt; &lt;source

&lt;audio controls&gt; &lt;source src=&quot;h.wav&quot; type=&quot;audio/wav&quot;&gt; &lt;/audio&gt; Options: controls autoplay &lt;video controls&gt; &lt;source src=&quot;m.mp4&quot; type=&quot;video/mp4&quot; /&gt; &lt;/video&gt; Need to

269 views • 5 slides
on Syntax-Guided Synthesis Rajeev Alur, Dana Fisman, Rishabh Singh and Armando Solar-Lezama Talk

on Syntax-Guided Synthesis Rajeev Alur, Dana Fisman, Rishabh Singh and Armando Solar-Lezama Talk

The Second Competition on Syntax-Guided Synthesis Rajeev Alur, Dana Fisman, Rishabh Singh and Armando Solar-Lezama Talk Outline Introduction Motivation: recent trends in program synthesis The big picture Formalization of

803 views • 59 slides
safety-critical cyber-physical systems Federico Aromolo, Cosimo Antonio Prete, Pierfrancesco

safety-critical cyber-physical systems Federico Aromolo, Cosimo Antonio Prete, Pierfrancesco

A model-based monitoring approach for safety-critical cyber-physical systems Federico Aromolo, Cosimo Antonio Prete, Pierfrancesco Foglia, Gabriele Antonio De Vitis Department of Information Engineering University of Pisa, Italy IWES 2017

393 views • 18 slides
Recovering structures from their semigroups of partial automorphisms Jennifer Chubb George

Recovering structures from their semigroups of partial automorphisms Jennifer Chubb George

Recovering structures from their semigroups of partial automorphisms Jennifer Chubb George Washington University jchubb@gwu.edu March 16, 2006 From joint work with Valentina Harizanov, Andrei Morozov, Sarah Pingrey, and Eric Ufferman

467 views • 29 slides
DECLARATIVE AR AND IMAGE PROCESSING ON THE WEB WITH XFLOW Felix Klein, Dmitri Rubinstein,

DECLARATIVE AR AND IMAGE PROCESSING ON THE WEB WITH XFLOW Felix Klein, Dmitri Rubinstein,

DECLARATIVE AR AND IMAGE PROCESSING ON THE WEB WITH XFLOW Felix Klein, Dmitri Rubinstein, Kristian Sons, Farshad Einabadi, Stephan Herhut, Philipp Slusallek 1 MOTIVATION THE WEB IS READY FOR AR Fast JavaScript WebGL, WebCL upcoming

820 views • 44 slides
DESKTOP INTEGRATION MANAGEMENT FOR PORTABLE, ZERO-INSTALL AND VIRTUALIZED APPLICATIONS BACHELOR

DESKTOP INTEGRATION MANAGEMENT FOR PORTABLE, ZERO-INSTALL AND VIRTUALIZED APPLICATIONS BACHELOR

DESKTOP INTEGRATION MANAGEMENT FOR PORTABLE, ZERO-INSTALL AND VIRTUALIZED APPLICATIONS BACHELOR THESIS PRESENTATION BASTIAN EICHER KIT, 2011 Overview What is wrong with current Problem definition installers Improve an existing

575 views • 22 slides
Experience of enriching Tizen HTML5 application Jingfu.Y e@intel.com Outline Background

Experience of enriching Tizen HTML5 application Jingfu.Y e@intel.com Outline Background

Experience of enriching Tizen HTML5 application Jingfu.Y e@intel.com Outline Background introduction Graphics capability Collaboration Real-time communication Concurrent Note Customization for Tizen Summary 2

506 views • 38 slides
Scripting for Multimedia LECTURE 17: PLAYING AUDIO Audio formats The most common formats

Scripting for Multimedia LECTURE 17: PLAYING AUDIO Audio formats The most common formats

Scripting for Multimedia LECTURE 17: PLAYING AUDIO Audio formats The most common formats Ogg/Vorbis (.oga, .ogg extension) MP3 (.mp3 extension) MP4 (.mp4, .mp4a, .aac extension) WAV (.wav extension) The &lt;audio&gt; elements

85 views • 5 slides

More recommend