modern client side defenses
play

Modern client-side defenses Deian Stefan Today How can we build - PowerPoint PPT Presentation

Sep 12, 2023 •132 likes •709 views

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

  1. CSE 127: Computer Security Modern client-side defenses Deian Stefan

  2. Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components)

  3. Modern web sites are complicated

  4. Modern web sites are complicated Ad code Page code 3rd-party libs 3rd-party frame

  5. Many acting parties on a site • Page developer • Library developers • Service providers • Data provides • Ad providers • CDNs • Network provider

  6. • How do we protect page from ads/services? • How to share data with a cross-origin page? • How to protect one user from another’s content? • How do we protect the page from a library? • How do we protect the page from the CDN? • How do we protect the page from network provider?

  7. 
 
 
 
 
 Recall: Same origin policy Idea: isolate content from different origins ➤ E.g., can’t access document of cross-origin page ➤ E.g., can’t inspect responses from cross-origin 
 ✓ DOM access postMessage ✓ a.com b.com c.com JSON

  8. Why is the SOP not good enough?

  9. The SOP is not strict enough • Third-party libs run with privilege of the page • Code within page can arbitrarily leak data ➤ How? • iframes isolation is limited ➤ Can’t isolate user-provided content from page (why?) ➤ Can’t isolate third-party ad placed in iframe (why?)

  10. The SOP is not strict enough • Third-party libs run with privilege of the page • Code within page can arbitrarily leak data ➤ How? • iframes isolation is limited ➤ Can’t isolate user-provided content from page (why?) ➤ Can’t isolate third-party ad placed in iframe (why?)

  11. The SOP is not strict enough • Third-party libs run with privilege of the page • Code within page can arbitrarily leak data ➤ How? • iframes isolation is limited ➤ Can’t isolate user-provided content from page (why?) ➤ Can’t isolate third-party ad placed in iframe (why?)

  12. The SOP is not flexible enough • Can’t read cross-origin responses ➤ What if we want to fetch data from provider.com? ➤ JSONP To fetch data, insert new script tag: 
 - <script src=“https://provider.com/getData?cb=f”></script> To share data, reply back with script wrapping data 
 - f({ ...data...}) ➤ Why is this a terrible idea? Provider data can easily be leaked (CSRF) - Page is not protected from provider (XSS) -

  13. The SOP is not flexible enough • Can’t read cross-origin responses ➤ What if we want to fetch data from provider.com? ➤ JSONP To fetch data, insert new script tag: 
 - <script src=“https://provider.com/getData?cb=f”></script> To share data, reply back with script wrapping data 
 - f({ ...data...}) ➤ Why is this a terrible idea? Provider data can easily be leaked (CSRF) - Page is not protected from provider (XSS) -

  14. The SOP doesn’t make for some things…

  15. Outline: modern mechanisms • iframe sandbox • Content security policy (CSP) • HTTP strict transport security (HSTS) • Subresource integrity (SRI) • Cross-origin resource sharing (CORS)

  16. iframe sandbox Idea: restrict actions iframe can perform Approach: set sandbox attribute, by default: ➤ disallows JavaScript and triggers (autofocus, autoplay videos etc.) ➤ disallows form submission ➤ disallows popups ➤ disallows navigating embedding page ➤ runs page in unique origin: no storage/cookies

  17. Whitelisting privileges Can enable dangerous features by whitelisting: ➤ allow-scripts: allows JS + triggers (autofocus, autoplay, etc.) ➤ allow-forms: allow form submission ➤ allow-pointer-lock: allow fine-grained mouse moves ➤ allow-popups: allow iframe to create popups ➤ allow-top-navigation: allow breaking out of frame ➤ allow-same-origin: retain original origin

  18. What can you do with iframe sandbox? • Run content in iframe with least privilege ➤ Only grant content privileges it needs • Privilege separate page into multiple iframes ➤ Split different parts of page into sandboxed iframes

  19. 
 Least privilege: twitter button <a class=“twitter-share-button" href="https://twitter.com/share">Tweet</a> <script> window.twttr=(function(d,s,id){var js,fjs=d.getElementsByTagName(s) [0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/ widgets.js";fjs.parentNode.insertBefore(js,fjs);t._e=[];t.ready=function(f) {t._e.push(f);};return t;}(document,"script","twitter-wjs")); </script> ➤ What’s the problem with this embedding approach? • Using iframes 
 <iframe src="https://platform.twitter.com/widgets/tweet_button.html" style="border: 0; width:130px; height:20px;"></iframe> ➤ What’s the problem without sandbox flag?

  20. 
 Least privilege: twitter button <a class=“twitter-share-button" href="https://twitter.com/share">Tweet</a> <script> window.twttr=(function(d,s,id){var js,fjs=d.getElementsByTagName(s) [0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src="https://platform.twitter.com/ widgets.js";fjs.parentNode.insertBefore(js,fjs);t._e=[];t.ready=function(f) {t._e.push(f);};return t;}(document,"script","twitter-wjs")); </script> ➤ What’s the problem with this embedding approach? • Using iframes 
 <iframe src="https://platform.twitter.com/widgets/tweet_button.html" style="border: 0; width:130px; height:20px;"></iframe> ➤ What’s the problem without sandbox flag?

  21. 
 
 
 Least privilege: twitter button • With sandbox: remove all permissions and then enable JS, popups, form submission, etc. 
 <iframe src=“https://platform.twitter.com/widgets/tweet_button.html" sandbox=“allow-same-origin allow-scripts allow-popups allow-forms” style="border: 0; width:130px; height:20px;"></iframe>

  22. 
 
 Privilege separation: blog feed • Typically include user content inline: 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div> ➤ Problem with this? • With iframe sandbox: 
 <iframe sandbox srcdoc=“... 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div>...”></iframe> ➤ May need allow-scripts - why? ➤ Is allow-same-origin safe to whitelist?

  23. 
 
 Privilege separation: blog feed • Typically include user content inline: 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div> ➤ Problem with this? • With iframe sandbox: 
 <iframe sandbox srcdoc=“... 
 <div class=“post”> 
 <div class=“author”>{{post.author}}</div> 
 <div class=“body”>{{post.body}}</div> 
 </div>...”></iframe> ➤ May need allow-scripts - why? ➤ Is allow-same-origin safe to whitelist?

  24. What are some limitations of iframe sandbox?

  25. 
 
 Too strict vs. not strict enough • Consider running library in sandboxed iframes ➤ E.g., password strength checker 
 b.ru/chk.html a.com ➤ Desired guarantee: checker cannot leak password • Problem: sandbox does not restrict exfiltration ➤ Can use XHR to write password to b.ru

  26. Too strict vs. not strict enough • Can we limit the origins that the page (iframe or otherwise) can talk talk to? ➤ Can only leak to a trusted set of origins ➤ Gives us a more fine-grained notion of least privilege • This can also prevent or limit damages due to XSS

  27. Outline: modern mechanisms • iframe sandbox (quick refresher) • Content security policy (CSP) • HTTP strict transport security (HSTS) • Subresource integrity (SRI) • Cross-origin resource sharing (CORS)

  28. Content Security Policy (CSP) • Idea: restrict resource loading to a whitelist ➤ By restricting to whom page can talk to: restrict where data is leaked! • Approach: send page with CSP header that contains fine-grained directives ➤ E.g., allow loads from CDN, no frames, no plugins Content-Security-Policy: default-src https://cdn.example.net; 
 child-src 'none'; object-src 'none'

  29. script-src: where you can load scripts from connect-src: limits the origins you can XHR to font-src: where to fetch web fonts form form-action: where forms can be submitted child-src: where to load frames/workers from img-src: where to load images from … default-src: default fallback

  30. Special keywords • ‘none’ - match nothing • ‘self’ - match this origin • ‘unsafe-inline’ - allow unsafe JS & CSS • ‘unsafe-eval’ - allow unsafe eval (and the like) • http: - match anything with http scheme • https: - match anything with https scheme

  31. How can CSP help with XSS? • If you whitelist all places you can load scripts from: ➤ Only execute code from trusted origins ➤ Remaining vector for attack: inline scripts • CSP by default disallows inline scripts ➤ If scripts are enabled at least it disallows eval

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation

Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation

Modern client-side defenses Deian Stefan Today How can we use sophisticated isolation and interaction between components to develop flexible, interesting web applications, while protecting confidentiality and integrity Today

1.46k views • 110 slides
Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why

Storing Data Thierry Sans Modern Web Platform Client Side Server Side Web API Database Why using a database Persistency Concurrency (avoid race conditions) Query Scalability SQL vs NoSQL databases Relational database (SQL

475 views • 10 slides
ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner Nicholas Carlini Return Oriented Programming Basic ROP Mo(va(ons DEP Data

712 views • 11 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser

CSE 154 LECTURE 6: JAVASCRIPT Client-side scripting client-side script : code runs in browser after page is sent back from server often this code manipulates the page or responds to user actions What is JavaScript? a lightweight

643 views • 29 slides
Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer

Open Source Enclave Workshop 2019 Side-Channel Attacks and Defenses for SGX and SEV Yinqian Zhang Associate Professor Computer Science &amp; Engineering The Ohio State University Userland TEEs on Commodity Processors Application VM VM

154 views • 14 slides
DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side

DEFCON DC3158 Summary Summary Client Side Exploitation Attack Chaining. Client Side Exploitation Script Based Attack Powershell,Jscript,Vbscript Vbscript:still people use IE, you can call wmic and powershell script to execute.

428 views • 15 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

562 views • 38 slides
Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from

Covert and Side Channel Attacks and Defenses Mengjia Yan Fall 2020 Based on slides from Christopher W. Fletcher Reminder Lab assignment will be released 09/21 Monday Recommend to read Cache missing for fun and profit. (2005).

1.03k views • 66 slides
Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side

Client-Side Direct I/O for NFS Mike Kupfer kupfer@Eng.Sun.COM 28 February 1997 1 Client-Side Direct I/O for NFS Connectathon 1997 Disclaimer This is not a product announcement. 2 Client-Side Direct I/O for NFS Connectathon 1997

311 views • 16 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering

CSE 510 Web Data Engineering Client-Side Programming JavaScript UB CSE 510 Web Data Engineering Web Programming Paradigms So far we have seen server-side programming Next Enrich user experience, interactivity with client- side

759 views • 24 slides
Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

948 views • 59 slides
Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App

Challenge: Database Access for Client-side Apps Write Fast, Read in the Past: Causal Consistency for Client-side Apps with SwiftCloud App App Presented by Marek Zawirski App App Inria / UPMC-LIP6, Paris (now at Google, Zrich) Marek

469 views • 13 slides
CMSC427 fall 2017 Texture Mapping Majority of slides credit to Dr. Zwicker Today Basic

CMSC427 fall 2017 Texture Mapping Majority of slides credit to Dr. Zwicker Today Basic

CMSC427 fall 2017 Texture Mapping Majority of slides credit to Dr. Zwicker Today Basic shader for texture mapping Texture coordinate assignment Antialiasing Fancy textures Warning: side notes will include history of

543 views • 53 slides
Preference Elicitation for Interface Optimization Krzysztof Gajos and Daniel S. Weld University

Preference Elicitation for Interface Optimization Krzysztof Gajos and Daniel S. Weld University

Preference Elicitation for Interface Optimization Krzysztof Gajos and Daniel S. Weld University of Washington, Seattle Krzysztof Gajos Motivation: Supple Model-Based Interface Renderer Func. Custom Device User + + Interface Interface

809 views • 52 slides
Baumgartner, POLI 203 Spring 2016 The Brief Death of the Death Penalty in 1972 (Furman), its

Baumgartner, POLI 203 Spring 2016 The Brief Death of the Death Penalty in 1972 (Furman), its

Baumgartner, POLI 203 Spring 2016 The Brief Death of the Death Penalty in 1972 (Furman), its Rapid Resurgence, then Confirmation in 1976 (Gregg) Reading: Furman, Gregg, Garland, ch 9 January 13, 2016 Constitutional issues The constitution

620 views • 25 slides
1 Ne w F unds May I . . . Que stio n: Do I ne e d AOS a ppro va l? Answe r: I f it is no t

1 Ne w F unds May I . . . Que stio n: Do I ne e d AOS a ppro va l? Answe r: I f it is no t

How do I re c ord Pre se nte d b y: L o c a l Go ve rnme nt Se rvic e s Disc ussion will inc lude Ne w F unds F E MA mo nie s OPWC/ OWDA pa yme nts De b t I ssua nc e s T ra nsfe rs a nd Adva nc e s F und Ba

633 views • 18 slides
Next Gen Effects ? CryEngine 2: Shading Overview Support shader model 2.0, up to 4.0

Next Gen Effects ? CryEngine 2: Shading Overview Support shader model 2.0, up to 4.0

Next Gen Effects ? CryEngine 2: Shading Overview Support shader model 2.0, up to 4.0 Completely dynamic lighting and shadows Up to 4 point light sources per-pass Wide range of known and DIY shading models Some other

1.02k views • 80 slides
Output: Software Output System Layers Application 1 Application 2 Application 3 ... Swing

Output: Software Output System Layers Application 1 Application 2 Application 3 ... Swing

Output: Software Output System Layers Application 1 Application 2 Application 3 ... Swing SWT UIKit Window System Operating System Hardware (e.g., graphics card) 2 The Window System 3 Window System Basics l Developed to support

905 views • 53 slides
Mobile TEX: Porting TEX to the iPad edit the source file, TEX-8 couldn't access it because of

Mobile TEX: Porting TEX to the iPad edit the source file, TEX-8 couldn't access it because of

Mobile TEX: Porting TEX to the iPad edit the source file, TEX-8 couldn't access it because of Apple's very restrictive policy. There are a number of issues arising from this task, that indeed could be qualified as Herculean. The way programs work

273 views • 6 slides
Output in Window Systems and Toolkits Window Systems v. GUI Toolkits GUI Toolkit: what goes on

Output in Window Systems and Toolkits Window Systems v. GUI Toolkits GUI Toolkit: what goes on

Output in Window Systems and Toolkits Window Systems v. GUI Toolkits GUI Toolkit: what goes on inside a window Components, object models for constructing applications Dispatching events among all of the various listeners in an

657 views • 33 slides

More recommend