Securing Browser Frame Navigation and Communication - Collin Jackson - PowerPoint PPT Presentation



slide-1
SLIDE 1

Securing Browser Frame Navigation and Communication

Collin Jackson

Joint work with Adam Barth and John C. Mitchell

slide-2
SLIDE 2

Why use frames?

  • Modularity

– Brings together content from multiple sources
– Client-side aggregation

  • Isolation

– Different frames can represent different principals
– Can’t script each other
– Frame can draw only on its own rectangle
– Easier than sanitization

[Figure labels: src = 7.gmodules.com/... name = remote_iframe_7; src = google.com/… name = awglogin]

slide-3
SLIDE 3

Threat Model

  • Web attacker

– Controls attacker.com ($5)
– Can obtain SSL/TLS certificate for attacker.com ($0)
– User visits attacker.com
– Optional additional assumption: Gets to embed a malicious gadget (ad) on integrator site

  • Stronger threat models

– Network attacker: Can inspect or corrupt traffic
– Malware attacker: Already escaped from the browser

slide-4
SLIDE 4

Frame Navigation

  • Who decides a frame’s content?

Permissive Policy

A frame can navigate any frame.

slide-5
SLIDE 5

Guninski Attack

window.open("https://www.google.com/...")
window.open("https://www.attacker.com/...", "awglogin")

[Figure label: awglogin]

slide-6
SLIDE 6

Window Policy

A frame can navigate frames in its own window.

slide-7
SLIDE 7

Gadget Hijacking

top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...

slide-8
SLIDE 8

Gadget Hijacking

slide-9
SLIDE 9

Policy Testing

slide-10
SLIDE 10

Parent Policy

A frame can navigate its children.

Ancestor Policy

A frame can navigate its descendants.

slide-11
SLIDE 11

Frame Navigation Policies

Browser | Policy | Propagation
IE 6 (default) | Permissive | N/A
IE 6 (option) | Parent | No
IE7 (no Flash) | Ancestor | Yes
IE7 (with Flash) | Permissive | N/A
Firefox 2 | Window | Sometimes
Safari 2 | Permissive | N/A

slide-12
SLIDE 12

Frame Navigation Policies

Browser | Policy | Propagation
IE7 (no Flash) | Ancestor | Yes
IE7 (with Flash) | Ancestor | Yes
Firefox 3 | Ancestor | Yes
Safari 3 | Ancestor | Yes
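
An added example, not part of the original slides: a small model of the permissive, window, parent and ancestor policies as the slides state them, evaluated on a constructed frame layout to show which policies refuse a cross-window navigation (the Guninski case) and a sibling-gadget navigation (gadget hijacking). All function names and every frame name except awglogin are assumptions; the Propagation column is not modelled.

```javascript
// Added example: toy model of the four navigation policies named on the slides.
// Frame names and the two-window layout below are constructed for illustration.
function makeFrame(name, parent = null) {
  const frame = { name, parent, children: [] };
  if (parent) parent.children.push(frame);
  return frame;
}

// Walk up to the top-level frame, i.e. the window that contains this frame.
function topOf(frame) {
  return frame.parent ? topOf(frame.parent) : frame;
}

function isDescendant(frame, ancestor) {
  for (let p = frame.parent; p; p = p.parent) if (p === ancestor) return true;
  return false;
}

// Each policy answers: may `src` navigate `dst`?
const POLICIES = {
  permissive: () => true,                            // any frame
  window: (src, dst) => topOf(src) === topOf(dst),   // frames in its own window
  parent: (src, dst) => dst.parent === src,          // its children
  ancestor: (src, dst) => isDescendant(dst, src),    // its descendants
};

function decisions(src, dst) {
  const out = {};
  for (const [name, allows] of Object.entries(POLICIES)) out[name] = allows(src, dst);
  return out;
}

// Constructed layout: an integrator page with a login frame, a gadget that has
// its own sub-frame, and an untrusted gadget; plus a separate untrusted window.
const integrator = makeFrame("integrator");
const login = makeFrame("awglogin", integrator);
const gadget = makeFrame("gadget", integrator);
const gadgetInner = makeFrame("gadget_inner", gadget);
const untrustedGadget = makeFrame("untrusted_gadget", integrator);
const untrustedWindow = makeFrame("untrusted_window");

console.log("cross-window -> login:", decisions(untrustedWindow, login));
console.log("sibling gadget -> gadget:", decisions(untrustedGadget, gadget));
console.log("integrator -> nested frame:", decisions(integrator, gadgetInner));
```

Only the parent and ancestor policies refuse both untrusted navigations, and only the ancestor policy still lets the integrator manage a nested frame.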

slide-13
SLIDE 13

Frame Communication

slide-14
SLIDE 14

Fragment Identifier Messaging

  • Send information by navigating a frame

– http://gadget.com/#hello

  • Navigating to fragment doesn’t reload frame

– No network traffic, but frame can read its fragment

  • Not a secure channel

– Confidentiality
– Integrity
– Authentication

slide-15
SLIDE 15

Fix: Improve the protocol

  • Proposed Needham-Schroeder-Lowe
  • Adoption

– Microsoft: Windows Live Channels library
– IBM: OpenAjax Hub 1.1

slide-16
SLIDE 16

postMessage

  • New API for inter-frame communication
  • Supported in latest betas of many browsers
  • Not a secure channel

– Confidentiality
– Integrity
– Authentication

slide-17
SLIDE 17

Reply Attack

slide-18
SLIDE 18

Fix: Improve the API

  • Let the sender specify the recipient

– frame[0].postMessage("Hello", "http://gadget.com")
– Can omit argument if confidentiality not required

  • Adoption

– Firefox 3
– Internet Explorer 8
– Safari 3.1

slide-19
SLIDE 19

Conclusion

  • All proposals deployed to real users
  • Frame isolation

– Improved frame navigation policy
    • Fixed Guninski and Gadget Hijacking
– Drive-by-downloads still a concern…

  • Frame communication

– Secured fragment identifier messaging
– Secured new postMessage API