Browser Security: A New Research Territory
Shuo Chen, Cybersecurity and Systems Management Group, Microsoft Research, Redmond, WA
4/11/2007 and 4/12/2007, Purdue University and University of Illinois at Urbana-Champaign

Slide 2: Outline
- Preamble: a little marketing about our research group
- Two browser security projects that I am working on
  - Browser visual spoofing (with Jose Meseguer, Ralf Sasse, Helen J. Wang and Yi-Min Wang)
  - Cross-domain security violation (a brief introduction)
- Conclusion: browser/web security research is exciting

Slide 3: A little marketing about our research group
Cybersecurity and Systems Management Group, http://research.microsoft.com/csm/
Current security projects:
- HoneyMonkey: client-side honeypots to find malicious websites
- SearchRanger: finding spam websites that try to promote junk pages into top positions in search engines
- Browser security (this talk)
Current systems management projects:
- FDR (Flight Data Recorder): always-on tracing of all interactions between Windows apps and configurations; deployed on MSN production servers
- WARDEN: machine-learning analysis of HTTP logs to troubleshoot Internet connectivity problems
- AjaxScope: remote monitoring and runtime analysis of web apps on end-user desktops

Slide 4: A little marketing about our research group (cont.)
Manager/primary contact: Yi-Min Wang
Recruiting:
- Researchers: actively looking for candidates; Ph.D. or graduating Ph.D. with a good research record
- Research developers: actively looking for candidates interested in research prototyping, with strong development skills
- Regular Ph.D. student interns: strong passion is required! We look for students who have a good chance of being hired by MSR when they graduate.
Slide 5: Outline (cont.)
- Browser visual spoofing (with Jose Meseguer, Ralf Sasse, Helen J. Wang and Yi-Min Wang); to appear in IEEE Symposium on Security and Privacy 2007

Slide 6: Visual Spoofing: A Serious Security Problem
Figure: the trusted web server is 1000 miles away; the untrusted content is 20 inches away, on the user's screen.
A simple equation: 1000 miles × trusted + 20 inches × untrusted = untrusted
Examples: status bar spoofing and address bar spoofing
IE, Firefox and Netscape all have security flaws in their GUI.

Slide 7: Research motivation
- GUI behaviors are driven by complex logic, e.g., how to handle mouse messages and update the status bar, or how to update the address bar during navigations
- Which GUI states are "spoofing states"? This needs formal definitions.
- Goal: develop a systematic approach to
  - check the GUI logic against the definitions of spoofing states, using the Maude rewriting engine as the reasoning tool
  - uncover GUI logic flaws that can cause spoofing
Slide 8: Overview of Our Approach
Figure: the real world (source code of the browser GUI, real spoofing scenarios, the user's action sequence, the visual invariant) is mapped into the formal world (program logic in pseudo code, execution context, system state, program invariant). The reasoning engine searches the modeled system for invariant violations, and each violation is mapped back to a potential spoofing scenario.

Slide 9: Case study: status bar spoofing: basic concepts
Document Object Tree (DOM tree) of a sample page:
  <html>
  <head><title>Page</title></head>
  <body>
  <a href="http://paypal.com"> <img src="a.jpg"> </a>
  <button> My button </button>
  </body>
  </html>
DOM tree: html has children head (with title) and body; body has children a (with img) and button.
Page layout and element stacks (listed toward the user): over the image the stack is img, a, body; over the button it is button, body. The status bar sits at the bottom of the window.

Slide 10: Case study: status bar spoofing: mouse handling logic
- In status bar spoofing, only three raw mouse messages are relevant: MouseMove, LeftButtonDown, LeftButtonUp
- Each HTML element has three virtual methods: HandleMessage, DoClick, ClickAction (pseudo code in the paper)
- Every element behaves differently with respect to updating the status bar (SetStatusText) and navigating to the target URL (FollowHyperlink)
- Message bubbling (passing the mouse message to the parent element): every element can decide whether to continue or cancel the bubbling
- We used Maude to model the source code of the mouse handling logic

Slide 11: Case study: status bar spoofing: finding attacks
- System state: status bar URL, user-memorized URL
- User action sequence (canonicalized): MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp (only two MouseMoves are needed: because the status bar is memoryless, a sequence of MouseMoves is equivalent to one MouseMove)
- Execution context (canonicalized): DOM tree structures with at most two branches, corresponding to the two MouseMoves
- Program invariant: at the time of the function call FollowHyperlink(targetURL), targetURL = user-memorized URL
- Use Maude to search for spoofing scenarios

Slide 12: Examples of Status Bar Spoofs
Figure: element stacks and element layouts for five spoofing scenarios:
- input field / anchor
- image / form (form target = foo.com; anchor target = paypal.com)
- button / form (form target = foo.com; image target = paypal.com)
- img / label / anchor (label's target = foo.com; anchor's target = paypal.com)
- label / img (img's target = paypal.com; label's target = foo.com; the status bar shows paypal.com)
All are caused by unexpected combinations of element behaviors.

Slide 13: Case study: address bar spoofing: basic concepts (browser, renderer, frame, markup)
Figure: the browser's address bar shows http://MySite.com; the PrimaryFrame (from MySite.com) holds a current markup, drawn by a renderer, and a pending markup; the page also contains Frame1 (from PayPal) and Frame2 (from MSN).

Slide 14: Case study: address bar spoofing
- Program invariant: the address bar should display the URL of the current markup of the primary frame.
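The search described for the status bar case study (slides 10 to 12) can be illustrated with a tiny model checker. The JavaScript below is an added example written for this page; it is not the paper's Maude model and not IE code. The element behaviour table, the two sample target URLs and the function names (deliver, runScenario, allStacks, findSpoofs) are assumptions made for illustration, chosen so that "unexpected combinations of element behaviors" show up as violations of the invariant targetURL = user-memorized URL.

```javascript
'use strict';
// Added example, not code from the talk or from IE: an exhaustive search in the
// spirit of the Maude model. Element behaviours below are ASSUMED for illustration;
// the real ones are in the paper's pseudo code.

// For each element kind: what it does when a raw mouse message bubbles through it.
// move.setStatus -> calls SetStatusText(own target) on MouseMove
// click.follow   -> calls FollowHyperlink(own target) on LeftButtonDown/LeftButtonUp
// bubble         -> whether the message continues to the parent element afterwards
const BEHAVIOUR = {
  anchor: { move: { setStatus: true,  bubble: false }, click: { follow: true,  bubble: false } },
  img:    { move: { setStatus: false, bubble: true  }, click: { follow: false, bubble: true  } },
  label:  { move: { setStatus: false, bubble: true  }, click: { follow: true,  bubble: false } },
  form:   { move: { setStatus: false, bubble: true  }, click: { follow: true,  bubble: false } },
  button: { move: { setStatus: false, bubble: false }, click: { follow: false, bubble: true  } },
};

// Constructed sample targets (not taken from the slides' screenshots).
const URLS = ['https://paypal.com', 'https://foo.com'];

// Deliver one message to an element stack (innermost element first; <body> is
// implicit at the end). Returns the URL passed to SetStatusText (for 'move') or to
// FollowHyperlink (for 'click'), or null if no element acted before bubbling stopped.
function deliver(stack, msg) {
  for (const el of stack) {
    const b = BEHAVIOUR[el.kind][msg];
    if (msg === 'move' && b.setStatus) return el.target;
    if (msg === 'click' && b.follow) return el.target;
    if (!b.bubble) return null;           // this element cancels the bubbling
  }
  return null;                            // reached <body>, nothing happened
}

// The canonical action sequence: MouseMove over branch1, MouseMove over branch2,
// Inspection (the user memorises the status bar text), then LeftButtonDown and
// LeftButtonUp on branch2 (collapsed into one 'click' delivery here). The status
// bar text only changes when some element calls SetStatusText.
// Returns the invariant violation, or null when FollowHyperlink's URL equals the
// memorised one (or when nothing was shown / nothing was navigated).
function runScenario(branch1, branch2) {
  let statusBar = null;                              // system state: status bar URL
  const s1 = deliver(branch1, 'move'); if (s1 !== null) statusBar = s1;
  const s2 = deliver(branch2, 'move'); if (s2 !== null) statusBar = s2;
  const memorised = statusBar;                       // system state: user-memorised URL
  const followed = deliver(branch2, 'click');        // FollowHyperlink(targetURL)
  if (followed !== null && memorised !== null && followed !== memorised) {
    return { memorised, followed };
  }
  return null;
}

// Canonicalised execution contexts: element stacks of depth one or two.
function allStacks() {
  const out = [];
  for (const kind of Object.keys(BEHAVIOUR)) for (const target of URLS) {
    out.push([{ kind, target }]);
    for (const pk of Object.keys(BEHAVIOUR)) for (const pt of URLS) {
      out.push([{ kind, target }, { kind: pk, target: pt }]);
    }
  }
  return out;
}

function describe(stack) { return stack.map(e => `${e.kind}(${e.target})`).join(' < '); }

// Exhaustive search over pairs of branches: the analogue of "use Maude to search".
function findSpoofs() {
  const stacks = allStacks();
  const found = [];
  for (const b1 of stacks) for (const b2 of stacks) {
    const v = runScenario(b1, b2);
    if (v) found.push({ branch1: describe(b1), branch2: describe(b2), ...v });
  }
  return found;
}

console.log(findSpoofs().slice(0, 5));
```

With these assumed behaviours the search reports, among others, the label-inside-anchor stack (the status bar shows the anchor's target while the click follows the label's target) and the move-from-anchor-to-image-in-form pair (the second MouseMove updates nothing, so the stale anchor text is what the user memorises). The real paper does the same search over the browser's actual element logic.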
- User action sequence: page loading, history traveling and window opening
- Execution context: a set of Boolean conditions affecting the execution path
- System state: PrimaryFrame, other frames, current markups, pending markups, address bar URL, ...

Slide 15: Pseudo code model: loading a new page
Figure (flow chart; legend: posting an event, calling a function, invoking a handler). Functions: FollowHyperlink (start navigation), PostParser, Frame::SwitchMarkup, Markup::SetInteractive, View::EnsureView, View::RenderView, NavigationComplete, SetAddressBar. Events in the event queue: ready, ensure, onPaint.

Slide 16: Pseudo code model: history travel
Figure (same legend). Functions: History_Back, Travel, LoadHistory (start navigation), PostParser, Frame::SwitchMarkup, Markup::SetInteractive, View::EnsureView, View::RenderView, NavigationComplete, SetAddressBar. Events in the event queue: ready, ensure, onPaint.

Slide 17: Pseudo code model: opening a page in a new window
Figure (same legend). Functions: FollowHyperlink (start loading, download content), LoadFromInfo, InitDocHost, CreateMarkup, SetClientSite, SwitchMarkup, InitNew, SetAddressBar, CreatePendingDocObject, Load, LoadDocument, PostParser, View::RenderView. Event in the event queue: onPaint.

Slide 18: Discovered address bar spoof (an atomicity bug)
Screenshot: the address bar and the loaded page disagree, https://paypal.com vs. https://evil.com#xxxxx...xxxxxxx.

Slide 19: Discovered address bar spoof (a race condition)
Screenshot: two navigations race, "load a new page" against "history back"; the URLs involved are https://evil..., c:\windows\system32\shdoclc.dll?http... and https://paypal.com.

Slide 20: Summary of the GUI logic project
- Found many new scenarios for status bar spoofing and filed them as 9 bugs against IE. All were fixed before IE7 RC 1 (release candidate 1).
- 4 new scenarios of address bar spoofing:
  - non-atomic update of the address bar (2 bugs)
  - non-atomic update of the content area
  - race condition: multiple frames compete to be the primary
  The IE team has fixed two and proposed fixes for the other 2 to go into the next version.

Slide 21: Outline (repeated)

Slide 22: Browser cross-domain attacks
- Browsers need to implement an isolation mechanism to make sure that scripts from http://a.com cannot access the DOM tree from http://b.com
- Seemingly simple policy, surprisingly hard to enforce in current browser implementations: many bugs have been found in IE, Firefox, Opera, Netscape
- Serious consequences: as long as you visit a malicious site, its script can steal your personal information from your Hotmail, payroll or bank pages, and/or actively transfer your money (see some demos on Windows XP)
- Causes: async navigation, aliasing, user event semantics, interactions with non-browser components, ... It is very difficult for developers to anticipate all these scenarios.
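Returning to the address bar models of slides 14 to 19: the "non-atomic update" bug class can be checked mechanically by enumerating interleavings of two navigations and testing the slide 14 invariant after every step. The JavaScript below is an added example written for this page, not the paper's model and not IE code. It keeps only the two step names that the slides mention (SwitchMarkup, SetAddressBar); the split of a navigation into those two steps, the function names (initialBrowser, navigationNonAtomic, navigationAtomic, explore, checkDesign) and the URLs are assumptions made to show the pattern.

```javascript
'use strict';
// Added example, not the talk's model or IE code: an abstract version of the
// "loading a new page" / "history travel" flows, checked exhaustively against
// the invariant "address bar shows the URL of the primary frame's current markup".

// Browser model: the primary frame's current markup and the address bar text.
function initialBrowser(url) {
  return { addressBar: url, primary: { currentMarkup: url } };
}
function clone(b) {
  return { addressBar: b.addressBar, primary: { currentMarkup: b.primary.currentMarkup } };
}

// Program invariant from slide 14.
function invariantHolds(b) { return b.addressBar === b.primary.currentMarkup; }

// Non-atomic navigation (ASSUMED shape of the flawed logic): SwitchMarkup runs,
// then SetAddressBar is posted to the event queue and runs as a separate event,
// so steps of another navigation can run in between.
function navigationNonAtomic(url) {
  return [
    { name: `SwitchMarkup(${url})`,  run: b => { b.primary.currentMarkup = url; } },
    { name: `SetAddressBar(${url})`, run: b => { b.addressBar = url; } },
  ];
}

// Atomic navigation: the address bar is updated inside the same step as the
// markup switch, so no other event can observe or interleave the half-done state.
function navigationAtomic(url) {
  return [{
    name: `SwitchMarkup+SetAddressBar(${url})`,
    run: b => { b.primary.currentMarkup = url; b.addressBar = url; },
  }];
}

// Explore every interleaving of two concurrent navigations (each keeps its own
// step order, like two producers sharing one event queue). Returns the
// interleavings that END with the invariant violated (the address bar lies while
// the browser is idle) and a count of transient states where it is violated mid-way.
function explore(navA, navB, start) {
  const atRest = [];
  let transient = 0;
  function step(b, ia, ib, trace) {
    if (ia === navA.length && ib === navB.length) {
      if (!invariantHolds(b)) {
        atRest.push({ trace: trace.join(' ; '), addressBar: b.addressBar, content: b.primary.currentMarkup });
      }
      return;
    }
    if (!invariantHolds(b)) transient++;
    if (ia < navA.length) {
      const c = clone(b); navA[ia].run(c);
      trace.push(navA[ia].name); step(c, ia + 1, ib, trace); trace.pop();
    }
    if (ib < navB.length) {
      const c = clone(b); navB[ib].run(c);
      trace.push(navB[ib].name); step(c, ia, ib + 1, trace); trace.pop();
    }
  }
  step(clone(start), 0, 0, []);
  return { atRest, transient };
}

// Constructed scenario (URLs are placeholders): the user is on https://paypal.com,
// and a new page load races against a history-back navigation, as on slide 19.
function checkDesign(makeNavigation) {
  const start = initialBrowser('https://paypal.com');
  return explore(makeNavigation('https://evil.example/new'), makeNavigation('https://paypal.com'), start);
}

console.log('non-atomic:', checkDesign(navigationNonAtomic));
console.log('atomic:', checkDesign(navigationAtomic));
```

For the non-atomic design, two of the six interleavings end with the address bar showing one navigation's URL over the other navigation's content, and several intermediate states violate the invariant as well (the window the atomicity bug on slide 18 lives in). For the atomic design no interleaving, final or intermediate, violates it.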
Slide 23: The proposed idea: script accenting
- The basic idea is analogous to the accent in human languages: the accent is essentially an identifier of a person's origin that is carried in communications.
- We slightly modified a few functions at the interface of the script engine and the HTML engine so that each domain is associated with a random "accent key"; scripts and DOM object names are in their accented forms at the interface.
- A nice security property: without needing an explicit check for the domains, the accenting mechanism naturally implies that two frames cannot communicate or interfere if they have different accent keys.

Slide 24: Evaluation of the script accenting mechanism
- Prototyped on IE
- Protection effectiveness: all cross-domain attacks that we reproduced are defeated
- Transparency: tested on many complex web applications (Virtual Earth, Google Maps, Hotmail, Citibank, CNN.com, Slashdot, YouOS.com, etc.); completely transparent to existing IE functionality
- Performance: near-zero performance overhead in real browsing experiences

Slide 25: Outline (repeated)

Slide 26: Conclusion: browser/web security research is exciting
- The territory is new, real and big.
- Script, AJAX, blogs, search engines, web OS, ...
- Attacks: phishing, spamming, click fraud, cross-site scripting, cross-domain attacks, ...
- The threats are not well understood: an opportunity to do great analysis work
- The browser security models are not strictly specified: an opportunity to propose clearer security models and to examine existing ones
- Browser implementations are still ad hoc: an opportunity to apply program analysis techniques and to invent implementation-level primitives and constructs
- Many other emerging security problems for us to catch ...