Shuo Chen
ISRC, MSR
March 2008
1
Browser security is still very broad.
I usually differentiate three types of issues – their causes
and potential solutions are different.
Browser security issues:
(1) Logic bugs
(2) Usability and understandability issues
(3) Over-permissive high-level policies
2
Logic bugs exist at every layer in the browser
architecture. (Everything you depend on is buggy)
GUI layer
E.g., logic bugs may result in visual spoofing
HTML and Jscript layer
E.g., cross-domain access due to logic bugs in the domain
isolation mechanism
Communication layer
E.g., logic bugs that allow any device that can sniff browser
traffic to break the protection of HTTPS
(our recent work, “pretty-bad-proxy”)
3
The violated security policies are fairly basic and look simple,
e.g.,
The address bar URL should be the URL of the top level document;
When the mouse is over a static hyperlink, the status bar should display the
target URL;
A script in a.com context cannot access a document in b.com context
However, an important lesson I learned in browser security
research is:
Implementing correct logic to achieve even the most basic security
requirements in browsers is challenging
The challenges are likely to be understated if we haven’t carefully studied
these bugs.
4
Why is logic correctness challenging in browsers?
A commodity browser is so complex that no human
brain power can verify its correctness with high
confidence.
Most are tricky bugs. Very few “stupid” ones.
5
Even seemingly simple policies are difficult to securely
enforce, due to logic complexity.
6
7
Navigation is not transactional. Can be aborted in
unsafe states. (Fixed in February 2008)
[Diagram: a window at https://evil.com; “Navigate to https://evil.com/”; a frame showing https://paypal.com; “The frame is ready for https://evil.com/”; “Arbitrary contents written to the frame”]
Script run from https://evil.com:
  w1 = open("https://paypal.com/");
  s1 = /* a string containing unprintable characters */;
  w1.location = "https://evil.com/" + s1;
  w1.document.write("arbitrary contents!");
8
History back
[Diagram: https://evil.com; “Load a new page”; c:\windows\system32\shdoclc.dll?http; https://paypal.com]
Two frames competing: 50:50 chance to go out-of-sync with the address bar.
Fixed before IE 7 was shipped.
9
Our recent work
10
Cryptographic protocols: designed to provide secure
communications over insecure networks.
E.g., HTTPS
Our curiosity: is the same adversary model rigorously
considered when people deploy the protocols in
browser/web systems?
We assume the Pretty-Bad-Proxy adversary model
It is an HTTP proxy that completely controls unencrypted
traffic, but cannot break the cryptography between the
browser and the server.
11
[Diagram: three columns, browser / PBP (the bad guy) / server. Browser stack: HTML Engine (browser security model), SSL, TCP/IP. Server stack: SSL, TCP/IP. The PBP sits in the middle at the TCP/IP layer, injecting faked TCP/IP data. Encrypted traffic flows between the two SSL layers; the TCP/IP traffic underneath is unencrypted and accessible by the PBP.]
12
We found that a PBP can compromise HTTPS-deployed applications in many ways
Proxy’s malicious error responses
Proxy redirecting javascript requests
Proxy loading HTTP javascript into HTTPS context
Proxy making the browser display a cached certificate
with bogus page contents.
Proxy stealing HTTPS session cookies using HTTP
requests.
13
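The last item in the list above depends on the browser attaching a session cookie to a plain HTTP request to the same host, where a proxy that controls unencrypted traffic can read it. The standard defense is the Secure attribute on Set-Cookie. The following is an added example, not code from the talk: a small audit that parses Set-Cookie headers received over HTTPS and reports cookies that lack Secure. The header values are constructed.

```javascript
// Added example, not the talk's code: audit Set-Cookie headers received over
// HTTPS for the Secure attribute. A cookie set without Secure is attached to
// plain http:// requests to the same host as well, so any party that controls
// the unencrypted traffic receives it. Sample headers below are constructed.

// Parse one Set-Cookie header into name, value and a map of attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map(p => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const name = eq < 0 ? parts[0] : parts[0].slice(0, eq);
  const value = eq < 0 ? "" : parts[0].slice(eq + 1);
  const attrs = new Map();
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const k = (i < 0 ? p : p.slice(0, i)).toLowerCase(); // attributes are case-insensitive
    attrs.set(k, i < 0 ? true : p.slice(i + 1));
  }
  return { name, value, attrs };
}

// responseScheme is "https:" or "http:"; only cookies set over HTTPS are
// expected to carry Secure, so plain-HTTP responses produce no findings.
function auditSetCookies(responseScheme, setCookieHeaders) {
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (responseScheme === "https:" && !c.attrs.has("secure")) {
      findings.push({
        cookie: c.name,
        issue: "missing Secure: the browser also sends it on http:// requests",
      });
    }
  }
  return findings;
}

// Constructed sample: one cookie done right, two that would leak.
const CONSTRUCTED_HEADERS = [
  "SESSIONID=abc123; Path=/; Secure; HttpOnly",
  "prefs=dark; Path=/",
  "SSOID=xyz; Path=/; HttpOnly",
];

function demo() {
  return auditSetCookies("https:", CONSTRUCTED_HEADERS);
}
```

The audit is intentionally narrow: it says nothing about cookies set over HTTP, because those were never protected by HTTPS in the first place.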
Proxy’s error pages are rendered in the context of the
target server.
[Diagram: browser / PBP / server. The page contains <iframe src="https://paystub">; the browser requests https://paystub; the PBP answers with a “Server not found” error page, which the browser renders in the context of https://paystub.]
14
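The bug above is that bytes produced by the proxy were given the origin of the server the browser had asked for. The following added example (not the talk's code, and not any browser's actual implementation) models the rule a browser needs here: a response to an https:// request may inherit the URL's origin only once a TLS session with that server exists; anything the proxy itself returns, such as a non-2xx answer to CONNECT, gets an opaque origin. The hostname and the proxy replies are constructed.

```javascript
// Added example, not the talk's code: which security context may a response
// body be rendered in when the browser fetched an https:// URL through a
// proxy? Bytes that came from the proxy itself (a non-2xx answer to CONNECT,
// or anything received before a TLS session with the server exists) must not
// inherit the origin of the URL the browser asked for. Hostnames and the
// proxy replies below are constructed.

function parseStatusLine(line) {
  const m = /^HTTP\/\d\.\d (\d{3}) ?(.*)$/.exec(line.trim());
  if (!m) throw new Error("malformed status line: " + line);
  return { status: Number(m[1]), reason: m[2] };
}

// requestedUrl: the URL the page asked for, e.g. an iframe src.
// proxyReply: the status line the proxy sent back for the request.
// tlsAuthenticated: true only if a TLS handshake with the origin server
//   completed on the tunnel and the certificate was accepted.
function renderingContextFor(requestedUrl, proxyReply, tlsAuthenticated) {
  const target = new URL(requestedUrl);
  if (target.protocol !== "https:") {
    // Plain HTTP: the proxy legitimately answers on the server's behalf,
    // and the page never promised authenticity in the first place.
    return { origin: target.origin, authenticated: false, reason: "http" };
  }
  const { status } = parseStatusLine(proxyReply);
  if (status < 200 || status >= 300 || !tlsAuthenticated) {
    // The body was produced by the proxy, not by the server named in the
    // URL: give it an opaque origin, so it shares no cookies, DOM or
    // storage with the https:// site and earns no padlock.
    return { origin: "null", authenticated: false, reason: "proxy-error" };
  }
  return { origin: target.origin, authenticated: true, reason: "tls" };
}

// Constructed sample replies: the error page from the slide, and a normal
// CONNECT success followed by a completed TLS handshake.
const CONSTRUCTED_PROXY_ERROR = "HTTP/1.1 502 Server not found";
const CONSTRUCTED_CONNECT_OK = "HTTP/1.1 200 Connection established";

function demo() {
  return {
    proxyError: renderingContextFor("https://paystub", CONSTRUCTED_PROXY_ERROR, false),
    normal: renderingContextFor("https://paystub", CONSTRUCTED_CONNECT_OK, true),
  };
}
```

The third argument matters as much as the status code: a proxy can return 200 to CONNECT and then inject data on the tunnel before any handshake, so the decision must be tied to the TLS state, not to the proxy's own words.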
When you stay in a hotel or in an Internet café
When you connect to a free wireless access point on
a bus.
When you use a third-party free anonymizer (an
HTTP proxy)
When the proxy of the corpnet is hacked by an
insider or accidentally infected by a virus.
Don’t trust HTTPS in these scenarios, although
HTTPS is supposed to protect you against untrusted
proxies.
15
It is turned on by default.
You don’t have to connect to an untrusted proxy
intentionally. Attackers can do that for you easily.
Wireless access point (unencrypted or WEP)
Sniffing on Ethernet.
A device that can sniff the traffic can break HTTPS
communications. No security at all.
16
Microsoft has notified other affected browser vendors
(Firefox, Opera). They acknowledged the issues.
Microsoft has fixed IE bugs in IE 8 Beta 1, waiting to
evaluate compatibility impact before shipping patches for
down-level IEs.
Opera has fixed their bugs in December 2007.
Firefox acknowledged these issues and planned to fix.
We are waiting for the resolution of these issues in order to
submit the paper.
17
18
It is almost impossible for developers to
anticipate the possibilities of security attacks,
because:
Tight interactions with other components, e.g., file
system, XML, Flash, etc.
Non-transactional: no guarantee of fail-safe.
Concurrency: possibility of race conditions.
Inter-page scripting is conditionally permitted.
A platform rendering rich contents, e.g., HTML and
Jscript (compared to Telnet, FTP or SSH).
19
(1) Formal reasoning
If the code logic can be modeled and the high-level security
specification can be formally defined, we can use formal methods to
explore the logic combinations to prove or disprove the
specification.
We proposed this approach to reason about IE’s GUI logic
(2) Runtime enforcement of interface invariants
If the internal logic of a module is too complex to model, we enforce
invariants of its interfaces.
We proposed this approach to defeat cross-domain attacks.
20
Goal: to apply formal methods to reason about
GUI logic in order to proactively uncover visual
spoofing bugs.
Examined the status bar logic and the address
bar logic.
Found 13 spoofing bugs, 11 of them were fixed
before IE 7 was shipped.
21
In human languages, accent is essentially an
identifier of a person’s origin that is carried in
communications
Script accenting
Each domain is associated with an “accent key”.
Scripts and HTML object names are encoded in their
accented forms at the interface between the script engine
and the HTML engine.
Scripts won’t be compiled and executed in a different
domain because of accent mismatch.
22
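The following added example (not the talk's code, and not the real implementation) is a toy model of the script accenting idea on the slide above: each domain has an accent key, names and script text are accented with the caller's key when they cross from the script engine to the HTML engine, and the HTML engine de-accents them with the key of the document they land in. Same-domain accesses round-trip cleanly; cross-domain ones arrive garbled and fail. The XOR-with-hex encoding, the domains and the keys are constructed stand-ins.

```javascript
// Added example, not the talk's code: a toy model of script accenting.
// Every domain gets an accent key (constructed values below). Identifiers and
// script text crossing the boundary between the script engine and the HTML
// engine are accented with the key of the domain they come from and
// de-accented with the key of the domain they are used in. A cross-domain
// access therefore arrives as a garbled name and fails, independently of the
// domain-isolation check inside the HTML engine. XOR is a toy stand-in for
// whatever encoding a real implementation would use.

const ACCENT_KEYS = { "a.com": 0x5a, "b.com": 0xc3 }; // constructed keys

// Encode text as hex of each character XOR-ed with the key.
function accent(text, key) {
  return Array.from(text, ch =>
    (ch.charCodeAt(0) ^ key).toString(16).padStart(2, "0")).join("");
}

// Inverse of accent(); yields the original only with the same key.
function deaccent(accented, key) {
  let out = "";
  for (let i = 0; i < accented.length; i += 2) {
    out += String.fromCharCode(parseInt(accented.slice(i, i + 2), 16) ^ key);
  }
  return out;
}

// HTML-engine side: a document stores its named objects in plain form and
// de-accents every incoming name with its own domain's key.
class AccentedDocument {
  constructor(domain) {
    this.domain = domain;
    this.objects = new Map();
  }
  define(name, value) {
    this.objects.set(name, value);
  }
  lookup(accentedName) {
    const plain = deaccent(accentedName, ACCENT_KEYS[this.domain]);
    return this.objects.get(plain); // undefined on accent mismatch
  }
  // Script text handed to this document is de-accented with the document's
  // key; if the result is not plain printable source, it is not compiled.
  compileScript(accentedSource) {
    const src = deaccent(accentedSource, ACCENT_KEYS[this.domain]);
    return /^[\t\n\r\x20-\x7e]*$/.test(src) ? src : null;
  }
}

// Script-engine side: a script running in scriptDomain accents every name
// and every script block with its own key before handing it over.
function scriptAccess(scriptDomain, doc, name) {
  return doc.lookup(accent(name, ACCENT_KEYS[scriptDomain]));
}

function scriptInject(scriptDomain, doc, source) {
  return doc.compileScript(accent(source, ACCENT_KEYS[scriptDomain]));
}

// Demo: b.com's document, accessed from b.com (same domain) and from a.com.
function demo() {
  const docB = new AccentedDocument("b.com");
  docB.define("cookie", "session=constructed-secret");
  return {
    sameDomain: scriptAccess("b.com", docB, "cookie"),
    crossDomain: scriptAccess("a.com", docB, "cookie"),
    sameDomainScript: scriptInject("b.com", docB, "alert(1)"),
    crossDomainScript: scriptInject("a.com", docB, "alert(1)"),
  };
}
```

The point of the model is that the interface between the two engines, not the domain check inside either of them, is what fails closed: with mismatched keys there is no plain name or source for the HTML engine to act on, so a bug in the isolation logic has nothing to expose.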
23
Browser logic correctness is a critical component in
web security
Because of the complexity, to ensure logic
correctness is challenging.
Combinations of low-level behaviors violate high-level
security policies.
Do not understate the challenges
Security policies often look fairly simple
Difficult to see the challenges without in-depth
investigations on real-world bugs.
24
New research opportunities
More effort should be spent simply to understand
logic bugs better
Propose solutions based on the understanding.
It’s fun
To probe the logic and piece together your
knowledge; try to do something that most people
thought impossible …
25
Collaborators
Ziqing Mao (Purdue, Security, Intern)
Jose Meseguer (UIUC, formal methods)
David Ross (MS, Security Tech Unit)
Ralf Sasse (UIUC, formal methods, Intern)
Helen J. Wang (MSR, Security)
Yi-Min Wang (MSR, Internet Services)
Ming Zhang (MSR, Networking)
26