web security: securing untrusted web content in browsers
DESCRIPTION
A joint Chicago Chapter ACM / Loyola University Computer Science Department meeting Wednesday, September 10, 2014 Loyola University Water Tower Campus (Chicago/Michigan Area) 111 E. Pearson Street, Chicago IL 60611 Beane Ballroom (13th Floor, Lewis Towers)TRANSCRIPT
![Page 1: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/1.jpg)
Web security: Securing untrusted web content at
browsers
Phu H. PhungUniversity of Illinois at Chicago
ACM Chicago Chapter seminarSeptember 10, 2014
Loyola University ChicagoComputer Science Department
![Page 2: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/2.jpg)
2
Web page is rendered at browsers
• Web pages contain JavaScript code, a scripting language run at browsers
• JavaScript can provide a lot of functionalities rich interactions
![Page 3: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/3.jpg)
92% of all websites use JavaScript [w3techs.com]
3
“88.45% of the Alexa top 10,000 web sites included at least one remote JavaScript
library”CCS’12
![Page 4: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/4.jpg)
Web-based mobile applications
• HTML5 + JavaScript is a new trend for mobile developerso Cross-platform development,
“Write one run everywhere”
4
![Page 5: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/5.jpg)
Third-party JavaScript is everywhere
• Advertisementso Adhese ad network
• Social webo Facebook Connecto Google+o Twittero Feedsburner
• Trackingo Scorecardresearch
• Web Analyticso Yahoo! Web
Analyticso Google Analytics
• …
5
![Page 6: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/6.jpg)
Two basic composition techniques
• Iframe integration
6
<html><body>…<iframe src=“http://3rdparty.com/frame.html”></iframe>…</body></html>
3rd party
![Page 7: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/7.jpg)
7
Two basic composition techniques
<html><body>…<script src=“http://3rdparty.com/script.js”></script>…</body></html>
3rd party
Script inclusion
![Page 8: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/8.jpg)
Third-party JavaScript issues
• Third-party script inclusion run with the same privilege of the hosting page.
• Security issues:oMalicious third-party codeo Trusted third-party is compromised oConfidentiality, integrity, and other
security risks
8
![Page 9: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/9.jpg)
9
Difficult issues with JavaScript
• JavaScript is a powerful language, but the language design is bad for security, e.g.:o Dynamic scripts: document.write, eval, ...o Encapsulation leakageo ...
<script> document.write(‘<scr’);document.write(‘ipt> malic’);var i= 1;document.write(‘ious code; </sc’);document.write(‘ript>’);</script>
<script> malicious code; </script>
A lot of attacks were
launched in practice
![Page 10: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/10.jpg)
10
Samy attack on Myspace
• MySpace tries to filter out JavaScript code in user data
• BUT: The malicious code was injected in a “strange” way that escapes the filter
<div id=mycode style="BACKGROUND: url('java script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);………">
</div>
![Page 11: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/11.jpg)
Another real world attack
• Million Browser Botnet (July 2013)
o Leverage Advertising Networks using JavaScript to launch Application-Level DDoS
o Paid on 2 ad networks for displaying treacherous advertisements on pages visited by hundreds of thousands of people
(Malicious code run automatically without user knowledge)
11
Jeremiah Grossman & Matt JohansenWhiteHat SECURITY
![Page 12: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/12.jpg)
A recent attack on Reuter homepage (June 2014)
12
• Reuters website was compromised by the Syrian Electronic Armyo By code injection via a compromised third
party ad network.
![Page 13: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/13.jpg)
13
State-of-the-art
• Limit third-party code to safe subset of JavaScripto Facebook JS, ADSafe, ADSafety, ...
• Browser-based sandboxing solutionso ConScript, WebJail, Contego, ...
• Server-side transformations of scripts to be includedo Google Caja, BrowserShield, ...
No compatibility with existing scripts
Browser modifications imply short-term deployment issues
No direct script delivery to browserGreat runtime overhead
![Page 14: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/14.jpg)
Our approachLightweight Self-Protecting
JavaScript
• A behavioral sandbox model for JavaScriptoUsing only JS libraries and wrappersoNo browser modification is required o The JS code is keep in originalo Easily dealing with dynamic features of
JavaScript
14
![Page 15: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/15.jpg)
15
API call interception
alert implementation
JavaScript execution environment(e.g. browsers)
Native implementations
code pointers User functions
alert(‘Hi!’) window.alert
alert wrapper(+policy code)
Attacker codealert = function(){...};
alert wrapper
unique
(enforced by SPJS)
![Page 16: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/16.jpg)
16
Deployment illustration
<html> <head> <script src=“selfprotectingJS.js"></script> <title>Self-protecting JavaScript </title> <meta content=…> <style>…</style> <script>…</script> <!-- more heading setting --> </head> <body> <script type="text/javascript"> (function() {..})(); </script> <!-- the content of page --> </body></html>
Policy code and
enforcement code defined in a text file
The enforcement code can be
deployed anywhere: server side, proxy or browser plug-in, i.e.
no need for a modified browser
The orgininal
code is not syntactically modified
6.33
66.03
0
10
20
30
40
50
60
70
Self-Protecting BrowserShield
Slo
wd
ow
n (t
imes
)
Runtime overhead
![Page 17: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/17.jpg)
17
Effectiveness• Defend almost all of the known XSS attacker
vectorso 34 attack vectors over 38 successful attack
vectors
• Provide Security Policy Patterns to build realistic policies e.g. prevent the attack of Firesheep on Facebook
• Defend real-world exploitso phpBB 2.0.18 vulnerabilities – a stored XSS
attacko WebCal vulnerabilities –a reflected XSS attack
![Page 18: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/18.jpg)
Lightweight Self-Protecting JavaScript
Lightweight Self-Protecting JavaScript
ASIACCS’09
Safe Wrappers and Sane Policies for Self-Protecting
JavaScriptAppSec Research ’10
![Page 19: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/19.jpg)
19
SPJS with Untrusted JavaScript
• No privilege distinguish between hosting code and external code
Self-Protecting JavaScript Code TRUSTED
UNTRUSTEDHosting
codeHosting
codeHosting
code
external code
external code
![Page 20: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/20.jpg)
20
Goals• Deploy SPJS in the context of untrusted JS
o Load and execute untrusted code without pre-processing the code
o No browser modification is required
• Enforce modular and fined-grained, stateful security policies for a piece of untrusted codeo Protect the hosting page from untrusted code
• Robust to potential flaws in security policieso Bad written policies might not break security
![Page 21: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/21.jpg)
Two-tier Sandbox Architecture
21
Sandbox running
untrusted code, defined in a separate
file e.g. `untrusted.js’
Sandbox running policy code, defined in a separate JS e.g. `policy.js’
Base-line API implementation,in e.g. `api.js’ file
JavaScript environme
nt, e.g. the DOM
The policy code can only access the base-line API and provided wrapper
functions (ensuring no leaks to global)
The untrusted code can only access objects returned by the outer sandbox
![Page 22: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/22.jpg)
22
Two-tier sandbox architecture
var api = loadAPI(…);
var outerSandbox = cajaVM.compileModule(policyCode);
var enforcedAPI = outerSandbox(api);
var innerSandbox = cajaVM.compileModule(untrustedCode);
innerSandbox(enforcedAPI);
![Page 23: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/23.jpg)
23
The architecture in multiple-principal untrusted code
Policy 2Policy 1
untrusted
Policy 3
untrusted
untrusted
Base-line API implementationin e.g. `api.js’ file
![Page 24: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/24.jpg)
24
Sandboxing untrusted code
• Use Secure ECMAScript (SES) library developed by Google Caja teamo Load a piece of code to execute within an
isolated environment• The code can only interact with the outside world via
provided APIs
var api = {...}; //constructingvar makeSandbox = cajaVM.compileModule(untrustedCodeSrc);var sandboxed = makeSandbox(api);
![Page 25: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/25.jpg)
Isolation technique: The SES library
Object-capability environment• Scripts can accesso Objects they create themselveso Objects explicitly handed to them
25
APIGlobal context
untrustedCode
sandbox
![Page 26: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/26.jpg)
Isolation technique: The SES library
26
![Page 27: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/27.jpg)
27
Policy definition
• Base-line APIs implementationo Can enforce coarse-grained, generic policies, e.g.:
• Sanitize HTML• Ensure complete mediation
• Fine-grained policies for multiple untrusted JavaScript codeo Modular, principal-specific, e.g.: script1 is allowed to
read/write reg_A, script2 is allowed to read reg_A o Stafeful, e.g.: limit the number of popups to 3 o Cross-principal stateful policies, e.g: after script1
write to reg_A, disallow access from script2 to reg_A
![Page 28: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/28.jpg)
Base-line APIs implementation
• Create a Virtual DOMo Intercepting wrapper around real DOMo Consult security policy on each operationo Use Harmony Proxies to generically intercept
property accesses on objects
• Virtual DOM implementation uses the Membrane Patterno Wrap any object passed from DOM to sandbox
(return values)o Unwrap any object passed from sandbox to DOM
(arguments)28
![Page 29: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/29.jpg)
Deployment model
• Untrusted code is loaded into a string variableo Using server-side proxy + XMLHttpRequest (to
overcome same origin policy)o CORS/UMP headers set by the script provider
29
<script src=“http://3rdparty.com/script.js”></script>
<script src=“ses.js”></script><script src=“api.js”></script><script src=“policy0.js”></script><script>var script = get(“http://3rdparty.com/script.js”);ses.execute(script,policy0);</script>
before
after
![Page 30: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/30.jpg)
30
Secure dynamic script evaluation
• Special handlers to intercept all methods that allow script tags to be addedo node.appendChild, node.insertBefore,
node.replaceChild, node.insertAftero document.write, …o Event handlers in HTML, e.g. <…onclick=“javascript:xyz(…)”>
1. Parse partial DOM tree/HTML2. Execute scripts in the sandbox
environment
![Page 31: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/31.jpg)
Case studies• Single principal code
• Multiple-principal codeo Context-aware ads
31
![Page 32: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/32.jpg)
Two-tier Sandbox Architecture
A Two-tier Sandbox Architecture for
Untrusted JavaScript
JSTools’12 JSand: complete client-side sandboxing of
third-party JavaScript without browser
modificationsACSAC’12
![Page 33: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/33.jpg)
A recent published workPhu H. Phung, Maliheh Monshizadeh, Meera Sridhar, Kevin W. Hamlen, and V.N. Venkatakrishnan. Between Worlds: Securing Mixed JavaScript/ActionScript Multi-party Web Content. IEEE Transactions on Dependable and Secure Computing (TDSC), forthcoming.
33
![Page 35: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/35.jpg)
Extra slides
35
![Page 36: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/36.jpg)
Wrapper example
36
![Page 37: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/37.jpg)
Different parsing techniques
• Via a sandboxed iframe1. Create sandbox iframe2. Set content via srcdoc attributeo More performanceo Parsed exactly as will be interpreted by
browsero Executed asynchronously
• (Alternative) Via a HTML parsing library in JavaScript
37
![Page 38: Web security: Securing Untrusted Web Content in Browsers](https://reader033.vdocuments.site/reader033/viewer/2022051610/5491cc5cac79591b288b4605/html5/thumbnails/38.jpg)
38
Loading additional code in the sandbox
• Several use cases require external code to be executed in a previously set up sandboxo Loading API + glue codeoDynamic script loading
• Two new operations:o innerEval(code)o innerLoadScript(url)