residue objects a challenge to web browser security
play

Residue Objects: A Challenge to Web Browser Security Robert - PowerPoint PPT Presentation

Aug 05, 2023 •872 likes •1.38k views

Residue Objects: A Challenge to Web Browser Security Robert Rosolek University of Warsaw Agenda Introduction Background for object management in Internet Explorer Testing and studying residue objects Conclusions and Future Work Part 1

  1. Residue Objects: A Challenge to Web Browser Security Robert Rosolek University of Warsaw

  2. Agenda Introduction Background for object management in Internet Explorer Testing and studying residue objects Conclusions and Future Work

  3. Part 1 Part 2 Part 3 Part 4 Introduction

  4. Introduction Managing the lifetimes of objects in memory nontrivial task in complex systems especially tricky for browsers page may navigate away

  5. Introduction Correct navigation semantics for page being navigated away: the page is 'gone' all it's objects disappear objects no longer usable Crucial for security.

  6. Introduction So can we just destroy all objects of the page that is navigated away?

  7. Introduction

  8. Introduction Dilemma → Object garbage collected dangling references, memory corruption → Object not collected invalid object residing in memory

  9. Residue objects Residue object - the object in the old page that still resides in the memory after the navigation

  10. Visual Spoofing

  11. Involuntary navigation

  12. Cross-domain access same-origin policy difficulties with secure implementation hack opportunities

  13. Memory corruption dangling references possibility of changing the control flow

  14. Protection object invalidation seemingly simple mechanism Object is_valid : bool . . .

  15. Bugs

  16. Exploit example

  17. Bugs Various logic errors: residue object object not marke d dead visible 'dead' objects premature release of reference

  18. Main questions Reasons for implementation problems small public attention

  19. Part 1 Part 2 Part 3 Part 4 Background for object management in Internet Explorer

  20. ActiveX objects COM framework AddRef, Release – refcounting properties sub-objects

  21. ActiveX objects HTML elements Javascript variables HTML and Javascript engines Hosting ActiveX objects: <object> tag in HTML new ActiveXObject(id) in Javascript nesting of HTML and JavaScript engines

  22. Window and Document Document – HTML Document corresponding to HTML file Window – tab, frame, iframe, dialog box CWindow and CDocument COM classes Window 1 Window 1 navigation Document 2 Document 1

  23. CWinProxy Document – same-domain accessibility Window - can be referenced from a different domain Proxy object necessary to comply with same-origin policy CWinProxy CWindow external ref

  24. Part 1 Part 2 Part 3 Part 4 Testing and studying Residue Objects

  25. Tactic for generating Residue Objects

  26. Enumerative Approach Various: inner objects documents, windows, methods etc.

  27. Enumerative Approach Various: inner objects ways of object hosting

  28. Enumerative Approach Various: Navigate window NavWin to page.html: inner objects ways of object hosting open(“page.html”,”NavWin”) NavWin.location = “page.html” ways of navigation NavWin.Navigate(“page.html”)

  29. Analysis Augmentation of browser code by logging important events about CWindow / CWinProxy / CDocument: construction destruction AddRef Release validation invalidation

  30. Analysis call stack for every event to identify caller filtering out matching AddRef and Release events

  31. Analysis tool Object chart objects in the memory after navigation reference owners

  32. Pitfall 1 Invalidated Invisible CWindow object of inner window is invalidated inner window visible when created by createPopup() ref = innerWindow

  33. Pitfall 1 Invalidated Invisible

  34. Pitfall 1 Invalidated Invisible

  35. Pitfall 1 Invalidated Invisible IE 8.0.6001 fixed in IE 9

  36. Pitfall 2 Confusion due to polymorphism CWindow object of inner window is invalidated CFuncPointer object of innerWindow.setTimeout points to not invalidated CWinProxy delayed script can be run after navigation ref = innerWindow.setTimeout Method of the window

  37. Pitfall 2 Confusion due to polymorphism CWindow object of inner window is invalidated CFuncPointer object of innerWindow.setTimeout points to not invalidated CWinProxy delayed script can be run after navigation fixed in IE 8.0.6001 ref = innerWindow.setTimeout Method of the acess denied error window

  38. Pitfall 3 Cross-engine invalidation inner window hosted in different HTML engine CWindow object of inner window not invalidated ref = innerWindow different HTML engine

  39. Pitfall 3 Cross-engine invalidation inner window hosted in different HTML engine CWindow object of inner window not invalidated ref = innerWindow different HTML engine still an issue in IE9

  40. Pitfall 4 Erroneous refcounting one refcount is lost navigation of persistent window removes nav window dangling reference corruption of EIP register heap spray attack possible ref = NavWin.setTimeout Method of the window

  41. Pitfall 4 Erroneous refcounting one refcount is lost navigation of persistent window removes nav window dangling reference corruption of EIP register heap spray attack possible ref = NavWin.setTimeout Method of the window Fixed by Microsoft in February 2009 security hot fix

  42. Pitfall 5 Partially destroyed data structures inside valid objects same scenario as in pitfall 3 a script in child window of inner window CWindow object is valid broken internal data structures memory violations

  43. Pitfall 5 Partially destroyed data structures inside valid objects same scenario as in pitfall 3 a script in child window of inner window CWindow object is valid broken internal data structures memory violations still an issue in IE 8

  44. Part 1 Part 2 Part 3 Part 4 Conclusions and Future Work

  45. Possible responses to the residue object problem automatic garbage collectors different processes - IE8 multi-proccess achitecture to render different windows - seperation of different web contents - prevents from direct overwriting of memory - objects can still be acessed through references in DCOM revision of DOM access policies and their implementation

  46. New generation of browsers OP from University of Illinois Gazelle from Microsoft Research focus on security multi-process architecture acess control policies formal methods (OP) OS principles in browser (Gazelle)

  47. Conclusions all browsers have to deal with residue objects problems need to be recognised as residue object problems and not individual bugs a lot of undiscovered bugs left

  48. Future work Other document types: - XML - Flash - Microsoft Silverlight Other browsers: - Firefox - Safari

  49. Thank you!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques

FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques

FPRandom: Randomizing core browser objects to break advanced device fingerprinting techniques Pierre Laperdrix, Benoit Baudry, Vikas Mishra Outline 1) What is fingerprint-based tracking? 2) Randomizing core browser objects a. Generating

245 views • 22 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp; Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

738 views • 50 slides
CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim Kobeissi Defining 4.1a Browser Security Goals Also before we start: Practical Assignment 2 is now online . 2 CSCI-UA.9480: Introduction to

520 views • 28 slides
Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

810 views • 24 slides
Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner

Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

570 views • 43 slides
CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Web Environment Table of Contents Web

434 views • 16 slides
Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE

Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE

Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style sheets (CSS) - Images - Sounds - Movies -

1.74k views • 129 slides
Thermanator: Thermanator: Ercan Ozturk Gene Tsudik Thermal Residue Attacks Thermal Residue

Thermanator: Thermanator: Ercan Ozturk Gene Tsudik Thermal Residue Attacks Thermal Residue

5/25/2019 Tyler Kaczmarek Thermanator: Thermanator: Ercan Ozturk Gene Tsudik Thermal Residue Attacks Thermal Residue Attacks University of California, Irvine A Common Scenario: 1. You arrive at work (shared workspace) 2. Go to your desk

431 views • 15 slides
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style

1.67k views • 129 slides
Web Security! Big Picture: Browser and Network request website Browser reply OS Network

Web Security! Big Picture: Browser and Network request website Browser reply OS Network

CSE 484 / CSE M 584: Computer Security and Privacy CSRF and XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

1.29k views • 59 slides
CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits Drive-by malware 3 4 Go Google le patch ches Chrome zero-da day under under active e at attacks 6 Con

920 views • 62 slides
Simple Groups Generated by Involutions Interchanging Residue Classes of the Integers Stefan Kohl

Simple Groups Generated by Involutions Interchanging Residue Classes of the Integers Stefan Kohl

Simple Groups Generated by Involutions Interchanging Residue Classes of the Integers Stefan Kohl Talk. Groups St Andrews 2009 The Group CT( Z ) By r ( m ) we denote the residue class r + m Z . Let r 1 ( m 1 ) and r 2 ( m 2 ) be disjoint residue

352 views • 21 slides
User Defined Objects (UDOs) An Overview Presented by Darrell Kieswetter User Defined Objects

User Defined Objects (UDOs) An Overview Presented by Darrell Kieswetter User Defined Objects

User Defined Objects (UDOs) An Overview Presented by Darrell Kieswetter User Defined Objects (UDOs) New Standardized framework to store &amp; manage several New JDE customisation objects No programming skills required Browser based

717 views • 32 slides
Taylor expansion and the Cauchy Residue Theorem for finite-density QCD Benjamin Jger In

Taylor expansion and the Cauchy Residue Theorem for finite-density QCD Benjamin Jger In

Taylor expansion and the Cauchy Residue Theorem for finite-density QCD Benjamin Jger In collaboration with Philippe de Forcrand (ETH Zrich) Introduction Chebyshev Polynomials Cauchy Residue Theorem I Cauchy Residue Theorem II Phase

580 views • 34 slides
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits:

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits:

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits: Prof. Vitaly Shmatikov, UT-Austin. Browser and Network request website Browser reply Network OS Hardware February 12, 2002 Microsoft Issues

834 views • 62 slides
COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus

COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus

COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus Worm Trojan Spyware Adware Messenger Service 2 VIRUS VIRUS A virus must meet two A computer virus is a small criteria:

525 views • 23 slides
Change Management Board Meeting Bridgeline # 850-414-1711 December 1, 2006 SunGuide Change

Change Management Board Meeting Bridgeline # 850-414-1711 December 1, 2006 SunGuide Change

Change Management Board Meeting Bridgeline # 850-414-1711 December 1, 2006 SunGuide Change Management Board Meeting 1 Welcome and Introductions Steve Corbin, CMB Chairman December 1, 2006 SunGuide Change Management Board Meeting 2 Change

734 views • 57 slides
Microsoft Powerpoint Presentation 2010 For Windows 7 microsoft powerpoint windows 7 free download

Microsoft Powerpoint Presentation 2010 For Windows 7 microsoft powerpoint windows 7 free download

Microsoft Powerpoint Presentation 2010 For Windows 7 microsoft powerpoint windows 7 free download - Microsoft PowerPoint 2013 Microsoft PowerPoint 2013 15.0.4420.1017 PowerPoint Viewer 2010 1.0 received a PowerPoint presentation (in PPT format)

282 views • 4 slides
Embedded PC The modular Industrial PC for mid-range control Stefan Hoppe 14.09.2007 1 Embedded

Embedded PC The modular Industrial PC for mid-range control Stefan Hoppe 14.09.2007 1 Embedded

Embedded PC The modular Industrial PC for mid-range control Stefan Hoppe 14.09.2007 1 Embedded Software - TwinCAT on embedded Systems - HMI solutions on embedded systems Software TwinCAT TwinCAT System TwinCAT in embedded Systemen

290 views • 26 slides
GUI for Operator Control camila lima, 2009 november december january paper mill visit

GUI for Operator Control camila lima, 2009 november december january paper mill visit

Mid-Presentation | Project 1: Professional Product Project GUI for Operator Control camila lima, 2009 november december january paper mill visit introduction research - existing products user analysis brainstorm tutoring group research

444 views • 20 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
SOFTWARE SERIES OF LECTURES EFIMOV S.V. ACS CONCEPT Automatic Control System (ACS) is a set

SOFTWARE SERIES OF LECTURES EFIMOV S.V. ACS CONCEPT Automatic Control System (ACS) is a set

COMPUTER-AIDED SYSTEM SOFTWARE SERIES OF LECTURES EFIMOV S.V. ACS CONCEPT Automatic Control System (ACS) is a set of hardware and software tools that provide an automated collection, processing, transmission and storage of data necessary

1.47k views • 117 slides
SeeTest Quality Assurance Platform On-premise Digital Assurance Lab On-premise Digital Assurance

SeeTest Quality Assurance Platform On-premise Digital Assurance Lab On-premise Digital Assurance

SeeTest Quality Assurance Platform On-premise Digital Assurance Lab On-premise Digital Assurance Lab Centrally manage browsers &amp; mobile devices (physical/emulated), and allow your team to remotely access them from anywhere at anytime Run

534 views • 17 slides

More recommend