Games and the Impossibility of Realizable Ideal Functionality


CS 142, Winter 2009
Frame isolation and the same origin policy
Collin Jackson
Outline
  • Security User Interface
      • Goals of a browser
      • When is it safe to type my password?
  • Same-Origin Policy
      • How sites are isolated
      • Opting out of isolation
  • Navigation
      • Frame hijacking
      • Navigation policy
Running Remote Code is Risky
  • Integrity
      • Compromise your machine
      • Install malware rootkit
      • Transact on your accounts
  • Confidentiality
      • Read your information
      • Steal passwords
      • Read your email
Browser Sandbox
  • Goal
      • Run remote web applications safely
      • Limited access to OS, network, and browser data
  • Approach
      • Isolate sites in different security contexts
      • Browser manages resources, like an OS
Security User Interface: When is it safe to type my password?
Safe to type your password?
  [five screenshot slides; the images are not in the transcript; one screenshot is marked "??? ???"]
Frames
  • Modularity
      • Brings together content from multiple sources
      • Client-side aggregation
  • Delegation
      • Frame can draw only on its own rectangle
  [figure: nested frames labelled src = google.com/…, name = awglogin and src = 7.gmodules.com/..., name = remote_iframe_7]
Popup windows
  • With hyperlinks
      <a href="http://www.b.com" target="foo">click here</a>
  • With JavaScript
      mywin = window.open("http://www.b.com", "foo", "width=10,height=10")
  • Navigating a named window re-uses the existing one
  • Can access properties of the remote window:
      mywin.document.body
      mywin.location = "http://www.c.com";
Windows Interact [figure]
Are all interactions good? [figure]
Same-Origin Policy: How does the browser isolate different sites?
Policy Goals
  • Safe to visit an evil web site
  • Safe to visit two pages at the same time
      • Address bar distinguishes them
  • Allow safe delegation
Same Origin Policy
  • Origin = protocol://host:port
  • Full access to same origin
      • Full network access
      • Read/write DOM
      • Storage (more on Weds.)
  • Assumptions?
  [figure: Site A, with two documents both in the Site A context]
Library import
  <script src="https://seal.verisign.com/getseal?host_name=a.com"></script>
  [figure: script loaded from the VeriSign server into a page at a.com]
  • Script has the privileges of the importing page, NOT of the source server.
  • Can script other pages in this origin, load more scripts
  • Other forms of importing
Data export
  • Many ways to send information to other origins
      <form action="http://www.bank.com/">
        <input name="data" type="hidden" value="hello">
      </form>
      <img src="http://www.b.com/?data=hello"/>
  • No user involvement required
  • Cannot read back response
Domain Relaxation
  [figure: frames at www.facebook.com and chat.facebook.com relaxing document.domain to facebook.com; Site A and Site B contexts]
  • Origin: scheme, host, (port), hasSetDomain
  • Try document.domain = document.domain
Recent Developments
  • Cross-origin network requests [figure: Site A context, Site B context]
      Access-Control-Allow-Origin: <list of domains>
      Access-Control-Allow-Origin: *
  • Cross-origin client side communication
      • Client-side messaging via navigation (older browsers)
      • postMessage (newer browsers)
window.postMessage
  • New API for inter-frame communication
  • Supported in latest betas of many browsers
  • A network-like channel between frames
  [figure: "Add a contact" / "Share contacts" demo]
postMessage syntax
  frames[0].postMessage("Attack at dawn!", "http://b.com/");

  window.addEventListener("message", function (e) {
    if (e.origin == "http://a.com") {
      ... e.data ...
    }
  }, false);
  [figure: "Attack at dawn!" delivered to the Facebook frame]
Anecdote
Navigation: Who decides what content goes in a frame?
A Guninski Attack
  window.open("https://attacker.com/", "awglogin");
  [figure: the frame named awglogin]
What should the policy be?
  [figure: frame relationships labelled Child, Sibling, Frame Bust, Descendant]
Legacy Browser Behavior
  Browser            Policy
  IE 6 (default)     Permissive
  IE 6 (option)      Child
  IE7 (no Flash)     Descendant
  IE7 (with Flash)   Permissive
  Firefox 2          Window
  Safari 3           Permissive
  Opera 9            Window
  HTML 5             Child
Window Policy Anomaly
  top.frames[1].location = "http://www.attacker.com/...";
  top.frames[2].location = "http://www.attacker.com/...";
  ...
Adoption of Descendant Policy
  Browser            Policy
  IE7 (no Flash)     Descendant
  IE7 (with Flash)   Descendant
  Firefox 3          Descendant
  Safari 3           Descendant
  Opera 9            (many policies)
  HTML 5             Descendant
Why include "targetOrigin"?
  • What goes wrong?
      frames[0].postMessage("Attack at dawn!");
  • Messages sent to frames, not principals
  • When would this happen?
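As an added example (not code from the slides), the following Node model ties together three rules from this lecture: the origin tuple, the hasSetDomain rule of domain relaxation, and the sender-side targetOrigin check together with the receiver-side e.origin check. The document and frame objects, the short public-suffix list and the facebook.com / a.com / b.com hostnames are constructed for the example and are not browser APIs.

```javascript
// Added example, not code from the slides: a Node model of the origin tuple,
// document.domain relaxation (hasSetDomain) and both halves of a postMessage
// check. Documents and frames are constructed plain objects, not browser APIs.
// Origin = protocol://host:port, as the "Same Origin Policy" slide defines it.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || { "http:": "80", "https:": "443" }[u.protocol] || "";
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}
// Serialise the way e.origin is reported: a default port is omitted.
function originString(o) {
  const dflt = { http: "80", https: "443" }[o.scheme];
  return `${o.scheme}://${o.host}` + (o.port === dflt ? "" : ":" + o.port);
}
// A document is its origin plus the value it assigned to document.domain
// (null until it sets one, i.e. hasSetDomain is false).
function makeDoc(url) { return { origin: originOf(url), domain: null }; }
// document.domain may only be set to the host itself or a parent domain at a
// label boundary; registrable suffixes are refused (constructed short list).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);
function setDomain(doc, value) {
  const host = doc.origin.host;
  const ok = !PUBLIC_SUFFIXES.has(value) && (host === value || host.endsWith("." + value));
  if (!ok) throw new Error("SecurityError: cannot set document.domain to " + value);
  return { origin: doc.origin, domain: value };
}
// Access check from the "Domain Relaxation" slide: once either side has set
// document.domain, both must have set it to the same value (which is why
// facebook.com itself must run document.domain = document.domain); otherwise
// the full (scheme, host, port) tuple must match. Scheme must match either way.
function canAccess(a, b) {
  if (a.origin.scheme !== b.origin.scheme) return false;
  if (a.domain !== null || b.domain !== null) return a.domain !== null && a.domain === b.domain;
  return a.origin.host === b.origin.host && a.origin.port === b.origin.port;
}
// Sender side: targetOrigin is checked against the frame's *current* document,
// so a frame that was navigated elsewhere receives nothing (null). Skipping the
// check ("*" here, a missing targetOrigin on the slide) is the "What goes wrong?" case.
function postMessageTo(frame, data, targetOrigin, senderDoc) {
  const cur = originString(frame.doc.origin);
  if (targetOrigin !== "*" && originString(originOf(targetOrigin)) !== cur) return null;
  return { origin: originString(senderDoc.origin), data }; // the MessageEvent the frame sees
}
// Receiver side: check e.origin before using e.data, as the listener on the
// "postMessage syntax" slide does.
function onMessage(e, allowedOrigins) {
  return allowedOrigins.includes(e.origin) ? e.data : null;
}
```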
Conclusion
  • Same origin policy is flexible
      • Address bar reflects the principal that's in control
      • Content may be affected by other principals
  • Delegation
      • Library import
      • Domain relaxation
      • Pixel delegation via frames
  • Communication
      • Data export
      • Opt-in messaging
Reading
  • Securing Browser Frame Communication. Adam Barth, Collin Jackson, and John C. Mitchell
  • http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy