![Page 1: On the Incoherencies in Web Browser Access Control Policies](https://reader035.vdocuments.site/reader035/viewer/2022081604/56815ff8550346895dcef786/html5/thumbnails/1.jpg)
On the Incoherencies in Web Browser Access Control Policies
Authors: Kapil Singh, Alexander Moshchuk, Helen J. Wang and Wenke Lee (IEEE Symposium on Security and Privacy, 2010)
Presented by Yi Yang
Outline
Introduction
Analysis of browser access control incoherencies
WebAnalyzer measurement framework
Experimental results
Related work, discussion and limitations
Conclusions
Major Access Control Flaws
Inconsistent principal labeling
Inappropriate handling of principal label changes
Disregard of the user principal
What is a Principal
In the Web environment, is a principal simply a domain?
Earlier work treated principal and domain as interchangeable (H. Wang et al., SOSP '07).
In today's browsers, different resources label principals differently: for the DOM (memory) resource, a principal is labeled by <protocol, domain, port>; for the cookie resource, a principal is labeled by <domain, path>. Neither label is a refinement of the other, which is the root of the inconsistent-labeling flaw.
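The two labels side by side, as an added example that is not code from the paper or the slides: a model of the DOM's <protocol, domain, port> check and of RFC 6265 cookie matching, applied to constructed hosts, paths and cookies. It shows what the mismatch lets a page read: the cookie label ignores the port the DOM separates, and the DOM ignores the path the cookie label restricts, so a path-scoped cookie can be read by framing a same-origin document at the cookie's own path.

```javascript
// Added example (not from the paper or these slides): a model of the two
// principal labels, the DOM's <protocol, domain, port> and the cookie
// store's <domain, path>, and of what the mismatch lets a page read.
// Runs under Node; all hosts, paths and cookies are constructed.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// DOM principal label: <protocol, domain, port>.
function domPrincipal(urlString) {
  const u = new URL(urlString);
  // URL.port is "" for the scheme's default port, so normalise it.
  return { protocol: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] || '' };
}

function sameOriginDom(urlA, urlB) {
  const a = domPrincipal(urlA), b = domPrincipal(urlB);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Cookie principal label: <domain, path>. Port is not part of the label and
// the Secure flag is the only scheme-related restriction (RFC 6265 matching).
function cookieVisible(cookie, urlString) {
  const u = new URL(urlString);
  const host = u.hostname;
  const domainOk = cookie.hostOnly
    ? host === cookie.domain
    : host === cookie.domain || host.endsWith('.' + cookie.domain);
  const p = u.pathname;
  const pathOk = p === cookie.path ||
    (p.startsWith(cookie.path) &&
      (cookie.path.endsWith('/') || p[cookie.path.length] === '/'));
  const secureOk = !cookie.secure || u.protocol === 'https:';
  return domainOk && pathOk && secureOk;
}

// Can script running at readerUrl obtain the cookie through the DOM?
// Directly via document.cookie when the cookie is visible to readerUrl;
// otherwise by framing a same-origin document at the cookie's own path and
// reading frame.contentDocument.cookie, since the DOM check ignores path.
function cookieReadableViaDom(cookie, readerUrl) {
  if (cookieVisible(cookie, readerUrl)) return { readable: true, how: 'document.cookie' };
  const r = new URL(readerUrl);
  const framed = `${r.protocol}//${r.host}${cookie.path}`;
  if (cookieVisible(cookie, framed) && sameOriginDom(readerUrl, framed)) {
    return { readable: true, how: 'iframe ' + framed };
  }
  return { readable: false, how: null };
}

// Constructed sample cookies.
const SESSION = { name: 'sid', domain: 'a.com', hostOnly: true, path: '/admin', secure: false };
const SECURE_TOKEN = { name: 'tok', domain: 'a.com', hostOnly: true, path: '/', secure: true };

function demo() {
  return {
    // The DOM label separates ports; the cookie label does not.
    portsShareCookie: !sameOriginDom('http://a.com/admin', 'http://a.com:8080/admin') &&
      cookieVisible(SESSION, 'http://a.com:8080/admin'),
    // The path restriction is bypassed through a same-origin frame.
    pathBypass: cookieReadableViaDom(SESSION, 'http://a.com/public/index.html'),
    // Secure is the one cookie attribute that lines up with the DOM's scheme.
    secureFromHttp: cookieReadableViaDom(SECURE_TOKEN, 'http://a.com/'),
    secureFromHttps: cookieReadableViaDom(SECURE_TOKEN, 'https://a.com/'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The practical reading: a cookie's Path attribute is not a security boundary against same-host script, and anything listening on another port of the same host shares the cookie jar; only Secure (and, in practice, running the sensitive service on its own host) aligns the cookie label with the DOM label.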
document.domain
Gets or sets the domain of the current document.
Example: a script in the document at x.a.com/index.html executes document.domain = "a.com". After that statement executes, the page passes the DOM origin check against a.com/index.html (in practice the a.com page must also execute document.domain = "a.com" to opt in, and the port is dropped from the relaxed label).
However, a.com cannot set document.domain to b.com: the new value must be the current domain or a parent of it.
Review of Access Control Flaws
Inconsistent principal labeling
Inappropriate handling of principal label changes: disregarding the "effective" principal IDs set by document.domain
Disregard of the user principal, e.g. clipboard, geolocation, user actions, etc.
Contributions
Principal-driven analysis of access control incoherencies in today's browsers.
The user principal concept for the browser setting.
A compatibility measurement framework: WebAnalyzer.
Measurements of the compatibility cost of coherent access control policies.
II. Analysis of Browser Access Control Incoherencies
Methodology
Browser Resources
The Interplay of the Resources
Effective Principal ID
The User Principal
Methodology
Each shared browser resource should have a principal definition and have an access control policy.
For each non-shared browser resource, the resource should have an owner principal with a specific label or be globally accessible.
When two resources interplay, both resources should have the same principal definition.
All access control policies must consider the runtime label of the principals, namely, the “effective” principal ID.
The user principal’s resources should not be accessible by web applications.
Manual Analysis Process
Browser Resources
Browser Resources (cont.)
Interplay of the Resources
DOM and cookies
Cookies and XMLHttpRequest
DOM and display
Example: DOM and cookies
Effective Principal ID
Browsers allow cross-principal sharing for "related" sites by letting a site change its principal ID via the document.domain property.
Only DOM access honours the changed (effective) ID; cookies, XMLHttpRequest, postMessage, etc. still use the original label.
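The scenario from the document.domain slide and the incoherency on this one, as an added example that is not code from the paper or the slides: a model of the document.domain setter's rules and of two origin checks, one that compares effective principal IDs (DOM access) and one that compares the original label (XMLHttpRequest and postMessage's targetOrigin). The hosts are constructed and the public-suffix list is a three-entry stand-in for the real one.

```javascript
// Added example (not from the paper or these slides): a model of the
// document.domain relaxation and of the two origin checks that result, one
// that honours the effective principal ID (DOM access) and one that ignores
// it (XMLHttpRequest, postMessage). Runs under Node; hosts are constructed
// and PUBLIC_SUFFIXES is a tiny stand-in for the real public suffix list.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };
const PUBLIC_SUFFIXES = ['com', 'org', 'co.uk'];

function makeDocument(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORT[u.protocol] || '',
    domain: null, // effective domain; null until document.domain is set
  };
}

// The document.domain setter: the value must be the host itself or a parent
// domain at a dot boundary, and not a public suffix; anything else throws.
function setDocumentDomain(doc, value) {
  const v = value.toLowerCase();
  const isParent = v === doc.host || doc.host.endsWith('.' + v);
  if (!isParent || PUBLIC_SUFFIXES.includes(v)) {
    throw new Error(`SecurityError: ${doc.host} cannot set document.domain to "${value}"`);
  }
  doc.domain = v;
  return doc;
}

// DOM access check, which uses the effective principal ID: once both sides
// have set document.domain, only scheme and effective domain are compared
// and the port is dropped. If only one side set it, the two no longer match.
function sameOriginDomEffective(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.protocol === b.protocol && a.domain === b.domain;
  }
  return a.domain === null && b.domain === null &&
    a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Check used by XMLHttpRequest and postMessage's targetOrigin: the original
// <protocol, host, port> label, which disregards document.domain entirely.
function sameOriginOriginal(a, b) {
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// The slide's scenario: x.a.com relaxes to a.com.
function scenario() {
  const sub = makeDocument('http://x.a.com/index.html');
  const parent = makeDocument('http://a.com/index.html');
  const before = sameOriginDomEffective(sub, parent);
  setDocumentDomain(sub, 'a.com');
  const subOnly = sameOriginDomEffective(sub, parent); // a.com has not opted in yet
  setDocumentDomain(parent, 'a.com');
  return {
    before,                                            // false
    subOnly,                                           // false
    domAfterBoth: sameOriginDomEffective(sub, parent), // true
    xhrAfterBoth: sameOriginOriginal(sub, parent),     // false: XHR ignores the effective ID
  };
}

// Whether a page on `host` may set document.domain to `value`.
function canSetDomain(host, value) {
  try {
    setDocumentDomain(makeDocument('http://' + host + '/'), value);
    return true;
  } catch (e) {
    return false;
  }
}

console.log(scenario());
```

The incoherency is the last two fields: after both pages opt in, x.a.com can reach into a.com's DOM and run script there, yet a direct XMLHttpRequest from x.a.com to a.com is still refused as cross-origin, so the XHR restriction buys nothing while the document.domain relaxation is in effect.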
Cookie
XMLHttpRequest
postMessage
The User Principal
User actions: back(), forward(), history
Browser UI: moveTo(), resizeTo(), etc.
User-private state: geolocation is one of the latest browser features. The geolocation dialog is active for only one origin at a time, which opens a denial-of-service attack against other origins' prompts.
WebAnalyzer Measurement Framework
Crawl the web to look for the prevalence of unsafe browser features on existing web pages.
IEWA, a specially instrumented version of IE, provides dynamic mediation for all browser resources and detects when a resource invocation matches one of the preset policy rules.
Measurement Framework
Heuristics-driven automated crawling
It is hard to fully exercise all possible website features.
Simple heuristics simulate user interaction:
find and click at most 5 random links;
produce 5 random navigation events;
find the search form, fill it in and submit it.
IV. Experimental Results
Experimental goal: study the prevalence of unsafe browser features on a large set of popular websites.
Overview: of the 100,000 most popular websites ranked by Alexa, 89,222 were available.
The cost of removing a feature is defined as the number of Alexa top-100,000 sites that use the feature.
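The mediation-and-policy-rule idea from the WebAnalyzer slide together with the cost metric defined here, as an added example that is not code from the paper or its IEWA instrumentation: IEWA hooks resources inside IE itself, whereas this model wraps the JavaScript surface of a constructed fake window, logs which preset rules each page triggers, and computes the removal cost of single features and of feature sets over the log. The site names and page scripts are constructed, not crawl data.

```javascript
// Added example (not from the paper or these slides): a page-side stand-in
// for the measurement framework. IEWA mediates resources inside IE itself;
// here we instead wrap the JavaScript surface of a constructed fake window,
// record which preset policy rules each page triggers, and compute the
// removal-cost metric (number of sites using a feature) over the log.
// Runs under Node; site names and page scripts are constructed, not crawl data.

// Preset policy rules: which resource invocations count as unsafe-feature use.
const POLICY_RULES = [
  { name: 'document.domain', kind: 'set', path: ['document', 'domain'] },
  { name: 'window.moveTo', kind: 'call', path: ['moveTo'] },
  { name: 'window.resizeTo', kind: 'call', path: ['resizeTo'] },
  { name: 'history.back', kind: 'call', path: ['history', 'back'] },
];

function resolve(root, path) {
  let owner = root;
  for (const key of path.slice(0, -1)) owner = owner[key];
  return [owner, path[path.length - 1]];
}

// Dynamic mediation: wrap each rule's method or property so that every
// invocation is logged against the site before the original behaviour runs.
function instrument(win, rules, site, log) {
  for (const rule of rules) {
    const [owner, key] = resolve(win, rule.path);
    if (rule.kind === 'call') {
      const original = owner[key];
      owner[key] = function (...args) {
        log.push({ site, feature: rule.name });
        return original.apply(this, args);
      };
    } else {
      let value = owner[key];
      Object.defineProperty(owner, key, {
        configurable: true,
        enumerable: true,
        get() { return value; },
        set(v) { log.push({ site, feature: rule.name }); value = v; },
      });
    }
  }
}

// Minimal fake window; a real crawler would instrument the live page instead.
function makeFakeWindow(host) {
  return {
    document: { domain: host },
    history: { back() {} },
    moveTo() {},
    resizeTo() {},
  };
}

// Constructed page scripts standing in for crawled sites.
const PAGES = {
  'site1.test': (w) => { w.document.domain = 'site1.test'; w.moveTo(0, 0); },
  'site2.test': (w) => { w.resizeTo(800, 600); w.moveTo(10, 10); },
  'site3.test': (w) => { w.document.title = 'touches no mediated resource'; },
};

function runCrawl(pages = PAGES) {
  const log = [];
  for (const [site, script] of Object.entries(pages)) {
    const win = makeFakeWindow(site);
    instrument(win, POLICY_RULES, site, log);
    script(win);
  }
  return log;
}

// Cost of removing a set of features: the number of unique sites that use
// any of them, so the cost of a set is not the sum of the per-feature costs.
function removalCost(log, features) {
  const sites = new Set();
  for (const entry of log) if (features.includes(entry.feature)) sites.add(entry.site);
  return sites.size;
}

function report(log, totalSites) {
  const perFeature = {};
  for (const rule of POLICY_RULES) perFeature[rule.name] = removalCost(log, [rule.name]);
  const uiFeatures = ['window.moveTo', 'window.resizeTo'];
  const uiSites = removalCost(log, uiFeatures);
  return { perFeature, uiSites, uiPercent: (100 * uiSites) / totalSites };
}

console.log(JSON.stringify(report(runCrawl(), Object.keys(PAGES).length), null, 2));
```

The set-valued cost is the one the slides later report for the user-principal APIs ("12 of the 16 ... collectively affecting only 0.80% of unique sites"): counting unique sites avoids double-counting a site that uses several of the features being removed.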
Interplay of browser resources
summary of display
Changing effective Principal ID
Summary: while disallowing document.domain completely carries a substantial cost (1.9% of sites), browsers can eliminate its impact on XMLHttpRequest, local storage, and postMessage at a much lower cost.
Resources belonging to the user principal
Overall, we found that 12 of the 16 user-principal APIs we examined can be removed while collectively affecting only 0.80% of unique sites.
Unsafe features & site popularity
Comparison with user-driven analysis
V. Discussion & Limitations
Benefits of heuristics-driven automated crawling.
Limits of automated crawler-based measurements.
Picking the right browser.
Studying other web segments.
VI. Related Work
Previous work has looked at weaknesses in cross-frame communication mechanisms, client-side browser state, cookie path protection, display protection, and other issues.
DOM access checker is a tool designed to automatically validate numerous aspects of domain security policy enforcement to detect common security attacks or information disclosure vectors.
Browserscope is a community-driven project for tracking browser functionality. Its security test suite checks whether new browser security features are implemented by a browser.
VII. Conclusions
Incoherencies in access control policies
The user principal
Measured the cost of removing unsafe policies
Thanks