noncespaces using randomization to enforce information
play

Noncespaces: Using Randomization to Enforce Information Flow - PowerPoint PPT Presentation

Oct 13, 2022 •270 likes •1.08k views

Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks Matthew Van Gundy and Hao Chen University of California, Davis 16th Annual Network & Distributed System Security Symposium

  1. Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks Matthew Van Gundy and Hao Chen University of California, Davis 16th Annual Network & Distributed System Security Symposium Noncespaces NDSS ’09

  2. Cross-Site Scripting (XSS) Vulnerabilities Noncespaces NDSS ’09

  3. Cross-Site Scripting (XSS) Vulnerabilities <p class=’comment’> { $comment } </p> Noncespaces NDSS ’09

  4. Cross-Site Scripting (XSS) Vulnerabilities <p class=’comment’> Great Article! </p> Noncespaces NDSS ’09

  5. Cross-Site Scripting (XSS) Vulnerabilities <p class=’comment’> <script>p0wn()</script> </p> Noncespaces NDSS ’09

  6. Cross-Site Scripting (XSS) Vulnerabilities <p class=’comment’> </p> <script>p0wn()</script> <p> </p> Noncespaces NDSS ’09

  7. Threat Model ◮ An attacker can submit arbitrary content to XSS-vulnerable applications ◮ An attacker cannot compromise web server or browser directly ◮ Malicious content must contain XHTML tags and attributes Noncespaces NDSS ’09

  8. Limitations of Existing Solutions Server-side ◮ Server sanitizes untrusted data before sending it to the client ◮ Client may interpret data in an unexpected way ◮ E.g. Server replaces "<script>" with "" But attacker injects <script/xss> Client-side ◮ Client enforces a server-specified policy Challenges ◮ The client must know whether to trust content ◮ Attacker must not be able to forge trust metadata Noncespaces NDSS ’09

  9. Noncespaces Architecture ◮ Server partitions content into trust classes ◮ Server randomizes document to prevent forging of trust classification ◮ Server specifies policy of content permitted for each trust class ◮ Client displays the document only if it conforms to the policy Noncespaces NDSS ’09

  10. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor Noncespaces NDSS ’09

  11. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer Noncespaces NDSS ’09

  12. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) Noncespaces NDSS ’09

  13. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) Noncespaces NDSS ’09

  14. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x ���� xmlns : x = ” http : // www . w3 . org / 1999 / xhtml � ” > ���� : q � �� Noncespaces NDSS ’09

  15. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x ���� xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > ���� : q � �� � NamespaceURI Noncespaces NDSS ’09

  16. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x ���� xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > : q ���� � �� � prefix NamespaceURI Noncespaces NDSS ’09

  17. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > : q ���� ���� � �� � prefix name NamespaceURI Noncespaces NDSS ’09

  18. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > : q ���� ���� � �� � prefix name NamespaceURI ◮ <f:q xmlns:f="urn:FAQML"> Noncespaces NDSS ’09

  19. Namespaces in XML ◮ In (X)HTML: <q> = quote, <a> = anchor ◮ In FAQML: <q> = question, <a> = answer ◮ XHTML quote = ( "http://www.w3.org/1999/xhtml" , "q" ) ◮ FAQML question = ( "urn:FAQML" , "q" ) ◮ < x xmlns : x = ” http : // www . w3 . org / 1999 / xhtml ” > : q ���� ���� � �� � prefix name NamespaceURI ◮ <f:q xmlns:f="urn:FAQML"> ◮ <faq:q xmlns:faq="urn:FAQML"> Noncespaces NDSS ’09

  20. Defeating Node Splitting ◮ <x:a>...</x:a> Noncespaces NDSS ’09

  21. Defeating Node Splitting ◮ <x:a>...</x:a> ◮ <x:a>... </a> Noncespaces NDSS ’09

  22. Defeating Node Splitting ◮ <x:a>...</x:a> ◮ <x:a>... </a> ◮ <x:a>... </y:a> Noncespaces NDSS ’09

  23. Encoding Trust Classifications ◮ Trusted <a> Noncespaces NDSS ’09

  24. Encoding Trust Classifications ◮ Trusted <a> ⇒ <t:a> Noncespaces NDSS ’09

  25. Encoding Trust Classifications ◮ Trusted <a> ⇒ <t:a> ◮ Untrusted <a> Noncespaces NDSS ’09

  26. Encoding Trust Classifications ◮ Trusted <a> ⇒ <t:a> ◮ Untrusted <a> ◮ Randomly choose trusted prefixes to prevent forgery Noncespaces NDSS ’09

  27. Web Page Before Noncespaces <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>nile.com : ++Shopping</title> </head> <body> <h1 id="title"> { $item->name } </h1> <h2>Reviews</h2> <p class=’review’> { $review } </p> </body> </html> Noncespaces NDSS ’09

  28. Node Splitting Attack After Noncespaces <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <r617:html xmlns="http://www.w3.org/1999/xhtml" xmlns:r617="http://www.w3.org/1999/xhtml"> <r617:head> <r617:title>nile.com : ++Shopping</r617:title> </r617:head> <r617:body> <r617:h1 r617:id="title">Useless Do-dad</r617:h1> <r617:h2>Reviews</r617:h2> <r617:p r617:class=’review’> </p> <script>p0wn()</script> <p> </r617:p> </r617:body> </r617:html> Noncespaces NDSS ’09

  29. XSS Attack After Noncespaces <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <r617:html xmlns="http://www.w3.org/1999/xhtml" xmlns:r617="http://www.w3.org/1999/xhtml"> <r617:head> <r617:title>nile.com : ++Shopping</r617:title> </r617:head> <r617:body> <r617:h1 r617:id="title">Useless Do-dad</r617:h1> <r617:h2>Reviews</r617:h2> <r617:p r617:class=’review’> <script src=’http://badguy.com/p0wn.js’ /> </r617:p> </r617:body> </r617:html> Noncespaces NDSS ’09

  30. Need for a client-side policy Innocuous Input <b>WARNING:</b> Noncespaces NDSS ’09

  31. Need for a client-side policy Innocuous Input <b>WARNING:</b> <em>very</em> important Noncespaces NDSS ’09

  32. Need for a client-side policy Innocuous Input <b>WARNING:</b> <em>very</em> important <a href=’http://useful.com/’>[1]</a> Noncespaces NDSS ’09

  33. Need for a client-side policy Innocuous Input <b>WARNING:</b> <em>very</em> important <a href=’http://useful.com/’>[1]</a> Malicious Input <b onmouseover=’...’ >WARNING:</b> Noncespaces NDSS ’09

  34. Need for a client-side policy Innocuous Input <b>WARNING:</b> <em>very</em> important <a href=’http://useful.com/’>[1]</a> Malicious Input <b onmouseover=’...’ >WARNING:</b> <em onclick=’...’ >very</em> important Noncespaces NDSS ’09

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An

Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn Randomization Randomized Algorithm: An algorithm that uses (or can use) random coin flips in order to make decisions We will see: randomization can be a powerful tool to Make

497 views • 21 slides
Using Encryption to Enforce an Information Flow Policy Research Directions Jason Crampton

Using Encryption to Enforce an Information Flow Policy Research Directions Jason Crampton

Using Encryption to Enforce an Information Flow Policy Research Directions Jason Crampton Using Encryption to Enforce an Information Flow Policy Research Directions Jason Crampton Information Security Group Royal Holloway, University

472 views • 35 slides
HOMEOWNER INFORMATION MEETING PROPERTY MANAGEMENT Manage common elements Enforce

HOMEOWNER INFORMATION MEETING PROPERTY MANAGEMENT Manage common elements Enforce

HOMEOWNER INFORMATION MEETING PROPERTY MANAGEMENT Manage common elements Enforce Declaration, By-Laws and Rules as directed by Board of Directors Provide financial, administration, customer service and 24-hour emergency service

808 views • 36 slides
Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert

Address Space Randomization A n E f f e c t i v e I m p l e m e n t a t i o n Michael Cloppert May, 2006 Address Space Randomization Theory Randomize location of memory objects Libraries Heap User, kernel-space stack Foils attacks like

560 views • 15 slides
1 2 In stat. people may call these multistage trials (the randomization at each stage is

1 2 In stat. people may call these multistage trials (the randomization at each stage is

1 2 In stat. people may call these multistage trials (the randomization at each stage is assumed) 3 4 Hypothetical trial: Outcome is not shown but is on far right. The randomizations can take place up front. Equal randomization Usual

587 views • 36 slides
Test statistics and randomization distributions Applied Statistics and Experimental Design

Test statistics and randomization distributions Applied Statistics and Experimental Design

Summaries of sample populations Hypothesis testing via randomization Sensitivity to the alternative Basic decision theory Test statistics and randomization distributions Applied Statistics and Experimental Design Chapter 2 Peter Hoff

1.49k views • 126 slides
Gov 2002: 3. Randomization Inference Matthew Blackwell September 10, 2015 Where are we? Where

Gov 2002: 3. Randomization Inference Matthew Blackwell September 10, 2015 Where are we? Where

Gov 2002: 3. Randomization Inference Matthew Blackwell September 10, 2015 Where are we? Where are we going? Last week: What can we identify using randomization? Estimators were justifjed via unbiasedness and consistency. Standard

728 views • 54 slides
Stage III of Social Subprojects Selection, Youth Corps Project Randomization (computer-based

Stage III of Social Subprojects Selection, Youth Corps Project Randomization (computer-based

Stage III of Social Subprojects Selection, Youth Corps Project Randomization (computer-based random selection). 2018 What is randomization? Computer-based randomization is a process of random resources allocation that Excludes any human

376 views • 8 slides
What About Randomization Tests? Strengths Gail et al. (1996) reported nominal Type I and II

What About Randomization Tests? Strengths Gail et al. (1996) reported nominal Type I and II

What About Randomization Tests? Strengths Gail et al. (1996) reported nominal Type I and II error rates across a variety of conditions common to GRTs. Programs for randomization tests are available. Weaknesses The unadjusted

281 views • 6 slides
Beyond Domain Randomization Josh Tobin 6/23/19 Goals for this talk Understand domain

Beyond Domain Randomization Josh Tobin 6/23/19 Goals for this talk Understand domain

Beyond Domain Randomization Josh Tobin 6/23/19 Goals for this talk Understand domain randomization &amp; how it is being used today Discuss its limitations and what solutions could look like Josh Tobin Beyond Domain Randomization

651 views • 47 slides
The CCPC and Waste Markets in Ireland Fergal O Leary - Member The CCPC Protect &amp; Inform

The CCPC and Waste Markets in Ireland Fergal O Leary - Member The CCPC Protect &amp; Inform

The CCPC and Waste Markets in Ireland Fergal O Leary - Member The CCPC Protect &amp; Inform Enforce Regulate Enforce competition Monitor compliance Inform consumers about law with Grocery sector their rights regulations Enforce

580 views • 13 slides
Topic III.1: Swap Randomization Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III.1: Swap Randomization Discrete Topics in Data Mining Universitt des Saarlandes,

Topic III.1: Swap Randomization Discrete Topics in Data Mining Universitt des Saarlandes, Saarbrcken Winter Semester 2012/13 T III.1- 1 Topic III.1: Swap Randomization 1. Motivation &amp; Basic Idea 2. Markov Chains and Sampling 2.1.

555 views • 34 slides
Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th

Br Breaking Kern rnel Ad Address ss Space La Layout Randomization (KASLR LR) wi with th Intel TSX Yeongjin Jang , Sangho Lee, and Taesoo Kim Georgia Institute of Technology Kernel Address Space Layout Randomization (KASLR) A

1.2k views • 102 slides
Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com

Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com

Experience with MAC Address Randomization in Windows 10 Christian Huitema Huitema@microsoft.com IETF 93, Prague, July 2015 MAC Randomization in WIndows 10 - 7/20/2015 1 IETF 93 MAC Address Randomization controlled from Windows 10 Wi-Fi UI

311 views • 6 slides
LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile

LR 2 : LR : Le Leakage-Re Resilient La Layout t Ra Randomization fo for Mo Mobile Devices Kjell Braden , Stephen Crane, Lucas Davi , Michael Franz , Per Larsen , Christopher Liebchen , Ahmad- Reza Sadeghi

578 views • 38 slides
Randomization and Restarts Remember the PLS? It has two very intriguing properties 1. A phase

Randomization and Restarts Remember the PLS? It has two very intriguing properties 1. A phase

Randomization and Restarts Remember the PLS? It has two very intriguing properties 1. A phase transition 2. A heavy-tailed distribution in performance profiles Let's start from property #1... HP: we generate PLS instances by randomly filling

771 views • 75 slides
8. Average-Case Analysis of Algorithms + Randomized Algorithms 1 insertion sort Array A[1]

8. Average-Case Analysis of Algorithms + Randomized Algorithms 1 insertion sort Array A[1]

CSE 312, Autumn 2012, W.L.Ruzzo 8. Average-Case Analysis of Algorithms + Randomized Algorithms 1 insertion sort Array A[1] A[n] Sorted for i = 2 n-1 { T = A[i] j j = i-1 compare i Unsorted while j &gt;= 0 &amp;&amp; T

638 views • 17 slides
Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR

Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR

Verifiable Elections That Scale for Free Melissa Chase (MSR Redmond) Markulf Kohlweiss (MSR Cambridge) Anna Lysyanskaya (Brown University) Sarah Meiklejohn (UC San Diego) 1 10,000-foot view of cryptographic voting 2 10,000-foot view of

2.01k views • 146 slides
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key

Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security notion: chosen-ciphertext security

1.16k views • 83 slides
Preventing Shoulder Surfing using Randomized Augmented Reality Keyboards Anindya Maiti, Murtuza

Preventing Shoulder Surfing using Randomized Augmented Reality Keyboards Anindya Maiti, Murtuza

Preventing Shoulder Surfing using Randomized Augmented Reality Keyboards Anindya Maiti, Murtuza Jadliwala, and Chase Weber March 13, 2017 Table of Contents 1. Introduction 2. Related Work 3. Adversary Model 4. Proposed Defense Model 5.

920 views • 26 slides
How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger,

How to Make ASLR Win the Clone Wars: Runtime Re-Randomization Kangjie Lu , Stefan Nrnberger, Michael Backes, and Wenke Lee Georgia Tech, CISPA, Saarland University, MPI-SWS, DFKI RuntimeASLR 1 What did we do? We re-randomize the memory

833 views • 44 slides
under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev

under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev

Optimality of Linear Sketching under Modular Updates Shachar Lovett (UCSD) Kaave Hosseini (UCSD CMU), Grigory Yaroslavtsev (Indiana) Streaming and sketching Streaming with binary updates Counters 1 , , 2

610 views • 28 slides
To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as

To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as

Fully Personalized PageRank Similarity Search To Randomize or Not To Randomize: Space Optimal Summaries for Hyperlink Analysis Tam as Sarl os, E otv os University and Computer and Automation Institute, Hungarian Academy of

571 views • 22 slides
Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016

Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016

Randomized methods for machine learning David Lopez-Paz, FAIR May 17, 2016 http://tinyurl.com/randomized-practical Some random examples Building atomic bombs Truncated SVD Dimensionality reduction Kernel methods for big data Nonlinear

970 views • 81 slides

More recommend