wpse f ortifying w eb p rotocols
play

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M - PowerPoint PPT Presentation

Jun 16, 2023 •231 likes •585 views

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M ONITORING Marco Squarcina Joint work w. Stefano Calzavara, Riccardo Focardi, Matteo Ma ff ei, Clara Schneidewind, Mauro Tempesta 4th OAuth Security Workshop 2019 March 21,

  1. WPSE: F ORTIFYING W EB P ROTOCOLS 
 VIA B ROWSER -S IDE S ECURITY M ONITORING Marco Squarcina Joint work w. Stefano Calzavara, Riccardo Focardi, Matteo Ma ff ei, 
 Clara Schneidewind, Mauro Tempesta 4th OAuth Security Workshop 2019 March 21, 2019 - Stuttgart/Germany

  2. O VERVIEW OF A W EB P ROTOCOL RP IdP

  3. O VERVIEW OF A W EB P ROTOCOL RP IdP

  4. O VERVIEW OF A W EB P ROTOCOL RP IdP

  5. O VERVIEW OF A W EB P ROTOCOL user = lavish, pwd = ●●●●●●● RP IdP

  6. M OTIVATIONS Designing and implementing web protocols is HARD! • Bansal et al ., Discovering Concrete Attacks on Website Authorization by Formal Analysis ( S&P ’12 ) • Wang et al., Signing Me onto Your Accounts through Facebook and Google: A Tra ffi c- Guided Security Study of Commercially Deployed Single-Sign-On Web Services ( S&P’12 ) • Sun and Beznosov, The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems ( CCS’12 ) • Fett et al., A Comprehensive Formal Security Analysis of OAuth 2.0 ( CCS’16 ) • …

  7. M OTIVATIONS Designing and implementing web protocols is HARD! • Bansal et al ., Discovering Concrete Attacks on Website Authorization by Formal Analysis ( S&P ’12 ) • Wang et al., Signing Me onto Your Accounts through Facebook and Google: A Tra ffi c- Guided Security Study of Commercially Deployed Single-Sign-On Web Services ( S&P’12 ) • Sun and Beznosov, The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems ( CCS’12 ) • Fett et al., A Comprehensive Formal Security Analysis of OAuth 2.0 ( CCS’16 ) • … WHY?

  8. M OTIVATIONS Designing and implementing web protocols is HARD! • Bansal et al ., Discovering Concrete Attacks on Website Authorization by Formal Analysis ( S&P ’12 ) • Wang et al., Signing Me onto Your Accounts through Facebook and Google: A Tra ffi c- Guided Security Study of Commercially Deployed Single-Sign-On Web Services ( S&P’12 ) • Sun and Beznosov, The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems ( CCS’12 ) • Fett et al., A Comprehensive Formal Security Analysis of OAuth 2.0 ( CCS’16 ) • … The browser is not aware of the existence of WHY? web protocols and of their semantics!

  9. O UR P ROPOSAL - WPSE Extend the browser with a lightweight security monitor that enforces the compliance of the browser behaviors with 
 respect to the web protocol specifications

  10. O UR P ROPOSAL - WPSE Implemented as a Google Chrome extension Extend the browser with a lightweight security monitor that enforces the compliance of the browser behaviors with 
 respect to the web protocol specifications

  11. O UR P ROPOSAL - WPSE Implemented as a Google Chrome extension Extend the browser with a lightweight security monitor that enforces the compliance of the browser behaviors with 
 respect to the web protocol specifications Advantages 1. users of vulnerable websites are automatically protected against a large class of attacks 2. specifications can be written once and enforced on several sites

  12. C HALLENGES IN W EB P ROTOCOLS Compliance with the protocol flow 1 • Preserve the intended sequence of messages 2 exchanged by honest participants • Perform integrity checks on the contents of protocol 3 messages Secrecy of message components • Enforce the confidentiality of protocol secrets like tokens and credentials to avoid leaks to 3rd parties

  13. T ACKLING THE C HALLENGES IN WPSE WPSE protocol specification : • Structure and order of messages • Desired security policies (confidentiality and integrity)

  14. T ACKLING THE C HALLENGES IN WPSE 1 Protocol messages are blocked if • not in the correct order 2 • integrity constraints on messages are not satisfied 3 Always allow protocol unrelated messages Secrets in incoming messages are substituted with random placeholders before they enter the DOM Placeholders in outgoing requests are replaced with secrets only if sent to origins entitled to learn them

  15. F ORTIFYING OA UTH 2.0 1 2 RP_id, rdr_uri, state Login form 3 user = lavish, pwd = ●●●●●●● auth_code, state 4 rdr_uri auth_code, RP_id, rdr_uri 5 access_token 6 access_token 7 U resource 8 RP IdP

  16. F ORTIFYING OA UTH 2.0 1 WPSE 2 RP_id, rdr_uri, state Protocol Flow Login form 2 → 3 → 4 3 user = lavish, pwd = ●●●●●●● with same rdr_uri and state auth_code, state in steps 2, 4 4 rdr_uri auth_code, RP_id, rdr_uri 5 access_token 6 access_token 7 U resource 8 RP IdP

  17. F ORTIFYING OA UTH 2.0 1 WPSE 2 RP_id, rdr_uri, state Protocol Flow Login form 2 → 3 → 4 3 user = lavish, pwd = ●●●●●●● with same rdr_uri and state auth_code, state in steps 2, 4 4 Secrecy rdr_uri RP < auth_code, state > IdP auth_code, RP_id, rdr_uri 5 access_token 6 access_token 7 U resource 8 RP IdP

  18. S ESSION S WAPPING [SB12] 1 A 2 RP_id, rdr_uri Login form 3 user = h4ckerb0y, pwd = ●●●●●●● A auth_code U RP IdP � 8

  19. S ESSION S WAPPING [SB12] 1 A 2 RP_id, rdr_uri Login form 3 user = h4ckerb0y, pwd = ●●●●●●● Gimme A auth_code torrents plz! U RP IdP � 8

  20. S ESSION S WAPPING [SB12] 1 A 2 RP_id, rdr_uri Login form 3 user = h4ckerb0y, pwd = ●●●●●●● Gimme A auth_code torrents plz! 4 A auth_code rdr_uri A auth_code, RP_id, rdr_uri 5 A access_token 6 U A access_token 7 A resource 8 RP IdP � 8

  21. S ESSION S WAPPING [SB12] 1 A 2 RP_id, rdr_uri Login form 3 user = h4ckerb0y, pwd = ●●●●●●● Gimme A auth_code torrents plz! 4 A auth_code rdr_uri A auth_code, RP_id, rdr_uri ! 5 n o i t a l o i v E S w P A access_token o W fl 6 l o y U c b o d t o e k r P c o l A access_token b t 7 s e u q e R A resource 8 RP IdP � 8

  22. S TATE L EAK A TTACK [FKS16] 1 2 RP_id, rdr_uri, state U Login form 3 user = lavish, pwd = ●●●●●●● auth_code, state 4 rdr_uri auth_code, RP_id, rdr_uri 5 access_token 6 access_token 7 resource 8 RP IdP � 9

  23. S TATE L EAK A TTACK [FKS16] 1 2 RP_id, rdr_uri, state U Login form 3 user = lavish, pwd = ●●●●●●● auth_code, state 4 rdr_uri auth_code, RP_id, rdr_uri 5 access_token Referer header 6 auth_code, state access_token 7 resource 8 Attacker’s website RP IdP � 9

  24. S TATE L EAK A TTACK [FKS16] 1 2 RP_id, rdr_uri, state U Login form 3 user = lavish, pwd = ●●●●●●● auth_code, state W 4 P S rdr_uri ? w E i t r h e ? p r a l a auth_code, RP_id, rdr_uri n c ? d 5 e o s m s e p access_token c l Referer header 6 r a e c t e d h auth_code, state a access_token o t a 7 l d e r s resource 8 Attacker’s website RP IdP � 9

  25. E XPERIMENTAL E VALUATION • Manual investigation of 30 RPs for each IdP from Alexa top 100K • Analyzed both authorization code mode and implicit mode of OAuth 2.0 Security Compatibility • Leakage of sensitive data due to Problems due to security critical tracking/ads libraries (4 RPs) deviations in the protocol flow 
 • Lack or misuse of the state (7 RPs), e.g. auth code is sent twice, parameter (55 RPs) second time over HTTP

  26. A TTACKING G OOGLE I MPLEMENTATION OF SAML 2.0 URI 1 A 2 SAMLRequest, RelayState = URI Login form 3 User credentials SAMLResponse, RelayState = URI 4 SAMLResponse, RelayState = URI Lack of contextual binding between steps 2 and 4. 5 SAMLResponse and URI RelayState are su ffi cient to U A resource 6 allow U to access the resource at URI. SP IdP � 11

  27. N EW A TTACK A GAINST G OOGLE SAML 2.0 • Similar to the session swapping attack presented before • Login CSRF against Google Suite applications (Drive, Gmail, Keep, …)

  28. N EW A TTACK A GAINST G OOGLE SAML 2.0 • Similar to the session swapping attack presented before • Login CSRF against Google Suite applications (Drive, Gmail, Keep, …) Feb 4, 2018 Report to Google

  29. N EW A TTACK A GAINST G OOGLE SAML 2.0 • Similar to the session swapping attack presented before • Login CSRF against Google Suite applications (Drive, Gmail, Keep, …) Feb 27, 2018 Feb 4, 2018 Report to Google

  30. N EW A TTACK A GAINST G OOGLE SAML 2.0 • Similar to the session swapping attack presented before • Login CSRF against Google Suite applications (Drive, Gmail, Keep, …) Feb 27, 2018 May 7, 2018 Feb 4, 2018 Report to Google

  31. N EW A TTACK A GAINST G OOGLE SAML 2.0 • Similar to the session swapping attack presented before • Login CSRF against Google Suite applications (Drive, Gmail, Keep, …) Feb 27, 2018 May 7, 2018 Feb 4, 2018 And now? Report to Google

  32. S UMMING U P Lightweight policies on the client-side suffice to enforce provable security guarantees in web protocols

  33. S UMMING U P Lightweight policies on the client-side suffice to enforce provable security guarantees in web protocols • Support for additional protocols e.g., e-payments • Automatic techniques to synthesize WPSE policies from protocol specifications / browser tra ffi c • Embed WPSE into real browsers

  34. T HANK Y OU ! Q&A @blueminimal marco.squarcina@tuwien.ac.at https://sites.google.com/site/wpseproject/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M ONITORING Stefano Calzavara

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M ONITORING Stefano Calzavara

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M ONITORING Stefano Calzavara Mauro Tempesta Matteo Ma ff ei Riccardo Focardi Marco Squarcina Clara Schneidewind August 17, 2018 - 27 th Usenix Security Symposium O VERVIEW OF A W

657 views • 34 slides
A VAILABILITY OF ATRA, B LOOD B ANK S UPPORT , T REATMENT P ROTOCOLS AND H EMATOLOGISTS /O

A VAILABILITY OF ATRA, B LOOD B ANK S UPPORT , T REATMENT P ROTOCOLS AND H EMATOLOGISTS /O

A VAILABILITY OF ATRA, B LOOD B ANK S UPPORT , T REATMENT P ROTOCOLS AND H EMATOLOGISTS /O NCOLOGISTS FOR M ANAGEMENT OF APL IN T WO S TATES (M ICHIGAN AND L OUSIANA ) IN THE USA. Sheldon L. Bolds, II, M.R.C. Clinical Data Analyst, Hematology and

371 views • 8 slides
P rudent From ractices &amp; recedents P roper rotocols To rocedures rograms &amp;

P rudent From ractices &amp; recedents P roper rotocols To rocedures rograms &amp;

P rudent From ractices &amp; recedents P roper rotocols To rocedures rograms &amp; olicies Krishnan G Nair CEO, KGN, India TERMS OF REFERENCE 2 WI VES &amp; FI VE ONE HUSBAND 3 What When Where Why Who &amp; How 4

756 views • 21 slides
(S TANDARD O PERATING P ROTOCOLS ) IN H OSPITALS W ORLDWIDE The High 5s Project was launched in

(S TANDARD O PERATING P ROTOCOLS ) IN H OSPITALS W ORLDWIDE The High 5s Project was launched in

S IGNIFICANT I MPROVEMENTS IN P ATIENT S AFETY U SING H IGH 5 S SOP S (S TANDARD O PERATING P ROTOCOLS ) IN H OSPITALS W ORLDWIDE The High 5s Project was launched in 2006 by WHO and the WHO Collaborating Center on Patient Safety TJC to

766 views • 34 slides
Lawrence Berkeley National Laboratory WPSE 2009 Unified Parallel C SPMD

Lawrence Berkeley National Laboratory WPSE 2009 Unified Parallel C SPMD

Costin Iancu Lawrence Berkeley National Laboratory WPSE 2009 Unified Parallel C SPMD programming model, shared memory space abstraction Communication is either implicit or explicit one-sided Memory model:

811 views • 16 slides
Using Lo Using Lock Ser k Server ers t s to Sc Scale ale Re

Using Lo Using Lock Ser k Server ers t s to Sc Scale ale Re

Using Lo Using Lock Ser k Server ers t s to Sc Scale ale Re Real- -Time Locking Pro rotocols: Chasing Ever-Increasing Core Counts C ATHERINE E. N EMITZ , T ANYA A MERT ,

1.05k views • 81 slides
CAF 2.0: A Next-generation Coarray Fortran Laksono Adhianto, John Mellor-Crummey, and Bill

CAF 2.0: A Next-generation Coarray Fortran Laksono Adhianto, John Mellor-Crummey, and Bill

CAF 2.0: A Next-generation Coarray Fortran Laksono Adhianto, John Mellor-Crummey, and Bill Scherer Department of Computer Science, Rice University WPSE Workshop, Tsukuba, Japan 25 March 2009 QuickTime and a decompressor are needed to see

1.75k views • 14 slides
EHSO EXCELLENCE THROUGH INTEGRITY, COOPERATION AND LEADERSHIP S UBMI SSI ON OF B I OSAFETY P

EHSO EXCELLENCE THROUGH INTEGRITY, COOPERATION AND LEADERSHIP S UBMI SSI ON OF B I OSAFETY P

EHSO EHSO EXCELLENCE THROUGH INTEGRITY, COOPERATION AND LEADERSHIP S UBMI SSI ON OF B I OSAFETY P ROTOCOLS USI NG B I O RAFT S EPTEMBER 1 5 , 2 0 1 6 EHSO THE ENVIRONMENTAL HEALTH &amp; SAFETY OFFICE http://www.ehso.emory.edu EHSO RESEARCH

367 views • 17 slides
Spectral Flow Cytometry Definition No Nola lan an and d Condello llo (20 2013) Cur urrent

Spectral Flow Cytometry Definition No Nola lan an and d Condello llo (20 2013) Cur urrent

Spectral Flow Cytometry Definition No Nola lan an and d Condello llo (20 2013) Cur urrent t Pro rotocols ls in n Cytometry ry Spectra of dyes excited by blue (488 nm) laser Cytek Auroras Optical Design Unique Optical Design

336 views • 31 slides
Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update:

Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update:

August 19th, 2020, REANNZ Lunchtime session Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update: eduGAIN and service status, August 19th, 2020 Outline Tuakiri: brief introduction Update:

641 views • 23 slides
Mathematical Logic - 2015 Propositional Logic: exercises Fausto Giunchiglia and Mattia Fumagalli

Mathematical Logic - 2015 Propositional Logic: exercises Fausto Giunchiglia and Mattia Fumagalli

Mathematical Logic - 2015 Propositional Logic: exercises Fausto Giunchiglia and Mattia Fumagalli (ref. Chiara Ghidini slides PL Formalization and Enzo Maltese sleides PL Exercises) Index q From NL to PL q Truth tables q

633 views • 17 slides
OpenRegistry Revisiting the Management of Electronic Identity Benjamin Oshrin Rutgers

OpenRegistry Revisiting the Management of Electronic Identity Benjamin Oshrin Rutgers

OpenRegistry OpenRegistry Revisiting the Management of Electronic Identity Benjamin Oshrin Rutgers University July 2009 LSM 10/7/09 1 OpenRegistry About Rutgers University State University of New Jersey Three Main Campuses

796 views • 26 slides
The Catalan Government Prequalification Strategy for Software Development Suppliers Josep M.

The Catalan Government Prequalification Strategy for Software Development Suppliers Josep M.

The Catalan Government Prequalification Strategy for Software Development Suppliers Josep M. Marco-Sim Joan A. Pastor Collado Rafael Macau Nadal Universitat Oberta de Catalunya / Open University of Catalonia SEAFOOD 2010 Contents 1.

446 views • 15 slides
Analyzing manuscript traditions using constraint-based data mining A case study in declarative

Analyzing manuscript traditions using constraint-based data mining A case study in declarative

Analyzing manuscript traditions using constraint-based data mining A case study in declarative data mining Tara Andrews, Hendrik Blockeel, Bart Bogaerts, Maurice Bruynooghe, Marc Denecker, Stef De Pooter, Caroline Mac, Jan Ramon KU Leuven,

1.08k views • 38 slides
Development of a hardware-abstraction layer for the Baltikum test framework IDP final talk

Development of a hardware-abstraction layer for the Baltikum test framework IDP final talk

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Development of a hardware-abstraction layer for the Baltikum test framework IDP final talk Tobias Betz December 12, 2016 Chair of Network

385 views • 24 slides
Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp;

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp;

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp; Project Development Officer, TERENA schofield@terena.org 15 October 2012 Building Federated Identity Policy, GN3 Symposium, Vienna, Austria Innovation

157 views • 12 slides
SPaCIoS Secure Provision and Consumption in the Internet of Services STREP Project number: 257876

SPaCIoS Secure Provision and Consumption in the Internet of Services STREP Project number: 257876

SPaCIoS Secure Provision and Consumption in the Internet of Services STREP Project number: 257876 Objective ICT-2009.1.4 c: Technology and Tools for Trustworthy ICT 01 Oct 2010 30 Sep 2013 www.spacios.eu Alexander Pretschner, POFI 2011,

780 views • 24 slides
ENGR 5770G : Service Computing / Winter 2013 Anwar Abdalbari Outline Introduction.

ENGR 5770G : Service Computing / Winter 2013 Anwar Abdalbari Outline Introduction.

ENGR 5770G : Service Computing / Winter 2013 Anwar Abdalbari Outline Introduction. Identity Systems. Analysis of Identity Systems. Open Trust Frameworks. Shibboleth Approach What are we talking about? Authentication

829 views • 39 slides
Institutional Effectiveness Committee Presentation to College Council Atiya Rashada Mark C.

Institutional Effectiveness Committee Presentation to College Council Atiya Rashada Mark C.

Institutional Effectiveness Committee Presentation to College Council Atiya Rashada Mark C. Fields Updates Program review Timeline Meta ready to go PD day training Training Videos Coaches

56 views • 5 slides
Instruction , ,

Instruction , ,

1 Instruction , , Timetable 2 Open Day: 9:00-16:30, 16 May 2017 @ Seminar Room 9:00-9:05 Welcome Speech (Yoshiaki Ohsumi, Panasonic)

730 views • 6 slides
Input/Output Organization Chapter 19 S. Dandamudi Outline Introduction External

Input/Output Organization Chapter 19 S. Dandamudi Outline Introduction External

Input/Output Organization Chapter 19 S. Dandamudi Outline Introduction External interface Accessing I/O devices Serial transmission An example I/O device Parallel interface Keyboard USB I/O data

1.29k views • 96 slides
An application Protocol for Fast Long Distance Network Katsushi Kobayashi ikob@ni.aist.go.jp

An application Protocol for Fast Long Distance Network Katsushi Kobayashi ikob@ni.aist.go.jp

An application Protocol for Fast Long Distance Network Katsushi Kobayashi ikob@ni.aist.go.jp National Institute of Advanced Industrial Science and Technology Off topic In 1st day panel, Injong Rhee presented high-speed TCP variant issue

504 views • 9 slides
Internet of Things Laurent Toutain June 11, 2013 Caen () IPv6 op erateur June 11, 2013 1 /

Internet of Things Laurent Toutain June 11, 2013 Caen () IPv6 op erateur June 11, 2013 1 /

Internet of Things Laurent Toutain June 11, 2013 Caen () IPv6 op erateur June 11, 2013 1 / 14 Internet of Things ? Internet of Things Caen () IPv6 op erateur June 11, 2013 2 / 14 Internet of Things ? Internet of Things

693 views • 32 slides
Collaborators @ AALborg @UPPsala Real Tim e Kim G Larsen Wang Yi

Collaborators @ AALborg @UPPsala Real Tim e Kim G Larsen Wang Yi

Collaborators @ AALborg @UPPsala Real Tim e Kim G Larsen Wang Yi Informationsteknologi Gerd Behrman Paul Pettersson Arne Skou Model Checking John Hkansson Brian Nielsen Anders Hessel

467 views • 13 slides

More recommend