WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M - - PowerPoint PPT Presentation

wpse f ortifying w eb p rotocols via b rowser s ide s
SMART_READER_LITE
LIVE PREVIEW

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M - - PowerPoint PPT Presentation

Jun 28, 2023 310 likes •658 views

WPSE: F ORTIFYING W EB P ROTOCOLS VIA B ROWSER -S IDE S ECURITY M ONITORING Stefano Calzavara Mauro Tempesta Matteo Ma ff ei Riccardo Focardi Marco Squarcina Clara Schneidewind August 17, 2018 - 27 th Usenix Security Symposium O VERVIEW OF A W

slide-1
SLIDE 1

WPSE: FORTIFYING WEB PROTOCOLS

VIA BROWSER-SIDE SECURITY

MONITORING

Stefano Calzavara Riccardo Focardi Matteo Maffei Clara Schneidewind Marco Squarcina Mauro Tempesta

August 17, 2018 - 27th Usenix Security Symposium

slide-2
SLIDE 2

OVERVIEW OF A WEB PROTOCOL

2

RP IdP

slide-3
SLIDE 3

OVERVIEW OF A WEB PROTOCOL

2

RP IdP

slide-4
SLIDE 4

OVERVIEW OF A WEB PROTOCOL

2

RP IdP

slide-5
SLIDE 5

OVERVIEW OF A WEB PROTOCOL

2

user = MrStorm, pwd = ●●●●●●● RP IdP

slide-6
SLIDE 6

MOTIVATIONS

Designing and implementing web protocols is HARD!

  • Bansal et al. - Discovering Concrete Attacks on Website Authorization by Formal Analysis (S&P ’12)
  • Wang et al. - Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided

Security Study of Commercially Deployed Single-Sign-On Web Services (S&P ’12)

  • Sun and Beznosov - The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth

SSO Systems (CCS ’12)

  • Fett et al. - A Comprehensive Formal Security Analysis of OAuth 2.0 (CCS ’16)

3

slide-7
SLIDE 7

MOTIVATIONS

Designing and implementing web protocols is HARD!

  • Bansal et al. - Discovering Concrete Attacks on Website Authorization by Formal Analysis (S&P ’12)
  • Wang et al. - Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided

Security Study of Commercially Deployed Single-Sign-On Web Services (S&P ’12)

  • Sun and Beznosov - The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth

SSO Systems (CCS ’12)

  • Fett et al. - A Comprehensive Formal Security Analysis of OAuth 2.0 (CCS ’16)

3

WHY?

slide-8
SLIDE 8

MOTIVATIONS

Designing and implementing web protocols is HARD!

  • Bansal et al. - Discovering Concrete Attacks on Website Authorization by Formal Analysis (S&P ’12)
  • Wang et al. - Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided

Security Study of Commercially Deployed Single-Sign-On Web Services (S&P ’12)

  • Sun and Beznosov - The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth

SSO Systems (CCS ’12)

  • Fett et al. - A Comprehensive Formal Security Analysis of OAuth 2.0 (CCS ’16)

3

WHY?

The browser is not aware of the existence of web protocols and of their semantics!

slide-9
SLIDE 9

OUR PROPOSAL - WPSE

4

Extend the browser with a lightweight security monitor that enforces the compliance of the browser behaviors with respect to the web protocol specifications

slide-10
SLIDE 10

OUR PROPOSAL - WPSE

4

Extend the browser with a lightweight security monitor that enforces the compliance of the browser behaviors with respect to the web protocol specifications

Implemented as a Google Chrome extension

slide-11
SLIDE 11

OUR PROPOSAL - WPSE

4

Extend the browser with a lightweight security monitor that enforces the compliance of the browser behaviors with respect to the web protocol specifications Advantages:

  • 1. users of vulnerable websites are automatically protected against a large

class of attacks

  • 2. specifications can be written once and enforced on several sites

Implemented as a Google Chrome extension

slide-12
SLIDE 12

SECURITY CHALLENGES IN WEB PROTOCOLS

5

1 2 3

Compliance with the protocol flow

  • Preserve the intended sequence of messages

exchanged by honest participants

  • Perform integrity checks on the contents of protocol

messages Secrecy of message components

  • Enforce the confidentiality of protocol secrets like

tokens and credentials

slide-13
SLIDE 13

TACKLING THE CHALLENGES IN WPSE

WPSE protocol specification:

  • Structure and order of messages
  • Desired security policies (confidentiality and integrity)
slide-14
SLIDE 14

TACKLING THE CHALLENGES IN WPSE

  • Protocol messages are blocked if
  • not in the correct order
  • integrity constraints on messages are not satisfied
  • Always allow protocol unrelated messages
  • Secrets in incoming messages are substituted with random

placeholders before they enter the DOM

  • Placeholders in outgoing requests are replaced with secrets
  • nly if sent to origins entitled to learn them

1 2 3

slide-15
SLIDE 15

FORTIFYING OAUTH 2.0

user = MrStorm, pwd = ●●●●●●●

7

RP_id, rdr_uri, state

RP IdP U

Login form

1 2 3

auth_code, state rdr_uri

4 5 auth_code, RP_id, rdr_uri 6

access_token

7

access_token

8

resource

slide-16
SLIDE 16

FORTIFYING OAUTH 2.0

user = MrStorm, pwd = ●●●●●●●

7

RP IdP U

Login form

1 2 3 4 5 auth_code, RP_id, rdr_uri 6

access_token

7

access_token

8

resource

WPSE

Protocol Flow 2 → 3 → 4 with same rdr_uri and state in steps 2, 4

RP_id, rdr_uri, state auth_code, state rdr_uri

slide-17
SLIDE 17

FORTIFYING OAUTH 2.0

user = MrStorm, pwd = ●●●●●●●

7

RP IdP U

Login form

1 2 3 4 5 auth_code, RP_id, rdr_uri 6

access_token

7

access_token

8

resource

WPSE

Protocol Flow 2 → 3 → 4 with same rdr_uri and state in steps 2, 4 Secrecy RP < auth_code, state > IdP

RP_id, rdr_uri, state auth_code, state rdr_uri

slide-18
SLIDE 18

SESSION SWAPPING [SB12]

8

user = h4ckerb0y, pwd = ●●●●●●● RP_id, rdr_uri

RP IdP

Login form

1 2 3

A auth_code

8

U A

slide-19
SLIDE 19

SESSION SWAPPING [SB12]

8

user = h4ckerb0y, pwd = ●●●●●●● RP_id, rdr_uri

RP IdP

Login form

1 2 3

A auth_code

8

U A

Gimme torrents plz!

slide-20
SLIDE 20

SESSION SWAPPING [SB12]

8

user = h4ckerb0y, pwd = ●●●●●●● RP_id, rdr_uri

RP IdP

Login form

1 2 3

A auth_code rdr_uri

4 5

A auth_code, RP_id, rdr_uri

6

A access_token

7

A access_token

8

A resource

8

U A

Gimme torrents plz!

A auth_code

slide-21
SLIDE 21

SESSION SWAPPING [SB12]

8

user = h4ckerb0y, pwd = ●●●●●●● RP_id, rdr_uri

RP IdP

Login form

1 2 3

A auth_code rdr_uri

4 5

A auth_code, RP_id, rdr_uri

6

A access_token

7

A access_token

8

A resource

8

U A

Gimme torrents plz!

A auth_code

P r

  • t
  • c
  • l

fl

  • w

v i

  • l

a t i

  • n

! R e q u e s t b l

  • c

k e d b y W P S E

slide-22
SLIDE 22

STATE LEAK ATTACK [FKS16]

9

user = MrStorm, pwd = ●●●●●●● RP_id, rdr_uri, state

RP IdP

Login form

1 2 3

rdr_uri

4 5

auth_code, RP_id, rdr_uri

6

access_token

7

access_token

8

resource

9

U

auth_code, state

slide-23
SLIDE 23

STATE LEAK ATTACK [FKS16]

9

user = MrStorm, pwd = ●●●●●●● RP_id, rdr_uri, state

RP IdP

Login form

1 2 3

rdr_uri

4 5

auth_code, RP_id, rdr_uri

6

access_token

7

access_token

8

resource

9

U Attacker’s website

auth_code, state

Referer header auth_code, state

slide-24
SLIDE 24

STATE LEAK ATTACK [FKS16]

9

user = MrStorm, pwd = ●●●●●●● RP_id, rdr_uri, state

RP IdP

Login form

1 2 3

rdr_uri

4 5

auth_code, RP_id, rdr_uri

6

access_token

7

access_token

8

resource

9

U Attacker’s website

auth_code, state

Referer header auth_code, state

W P S E r e p l a c e s s e c r e t d a t a w i t h r a n d

  • m

p l a c e h

  • l

d e r s

?

? ?

slide-25
SLIDE 25

FORMAL RESULTS

(H1) The protocol fulfills safety property P with a benign webpage (H2) WPSE allows only a subset of the I/O sequences performed by the browser in a honest protocol run (H3) Secrets are not leaked and securely stored by the browser

10

slide-26
SLIDE 26

FORMAL RESULTS

(H1) The protocol fulfills safety property P with a benign webpage (H2) WPSE allows only a subset of the I/O sequences performed by the browser in a honest protocol run (H3) Secrets are not leaked and securely stored by the browser

10

The protocol fulfills P with a compromised browser monitored by WPSE

slide-27
SLIDE 27

EXPERIMENTAL EVALUATION

  • Manual investigation of 30 RPs for each IdP from Alexa top 100K
  • Analyzed both authorization code mode and implicit mode of OAuth 2.0

11

Security

  • Leakage of sensitive data due to

advertisement libraries (4 RPs)

  • Lack or misuse of the state

parameter (55 RPs)

Compatibility

Problems due to security critical deviations in the protocol flow (7 RPs), e.g. auth code is sent twice, second time over HTTP

slide-28
SLIDE 28

A NEW ATTACK AGAINST GOOGLE IMPLEMENTATION OF SAML 2.0

12

  • Similar to the session swapping attack presented before
  • Login CSRF against Google Suite applications (Google Drive, GMail, …)
slide-29
SLIDE 29

A NEW ATTACK AGAINST GOOGLE IMPLEMENTATION OF SAML 2.0

12

Feb 4

Report to Google

  • Similar to the session swapping attack presented before
  • Login CSRF against Google Suite applications (Google Drive, GMail, …)
slide-30
SLIDE 30

A NEW ATTACK AGAINST GOOGLE IMPLEMENTATION OF SAML 2.0

12

Feb 4 Feb 27

Report to Google

  • Similar to the session swapping attack presented before
  • Login CSRF against Google Suite applications (Google Drive, GMail, …)
slide-31
SLIDE 31

A NEW ATTACK AGAINST GOOGLE IMPLEMENTATION OF SAML 2.0

12

Feb 4 Feb 27 Apr 25

Report to Google

  • Similar to the session swapping attack presented before
  • Login CSRF against Google Suite applications (Google Drive, GMail, …)
slide-32
SLIDE 32

SUMMING UP

13

Lightweight policies on the client-side suffice to enforce provable security guarantees in web protocols

slide-33
SLIDE 33

SUMMING UP

  • Support for additional protocols e.g., e-payments
  • Automatic techniques to synthesize WPSE policies

from protocol specifications / browser traffic

  • Embed WPSE into real browsers

13

Lightweight policies on the client-side suffice to enforce provable security guarantees in web protocols

slide-34
SLIDE 34

THANK YOU!

QUESTIONS?

tempesta@unive.it https://sites.google.com/site/wpseproject/