
Securing Frame Communication in Browsers

Securing Frame Communication in Browsers. 17th USENIX Security Symposium (2008). Adam Barth, Collin Jackson, John C. Mitchell. 2008.11.27.


Presentation Transcript


  1. Securing Frame Communication in Browsers
     17th USENIX Security Symposium (2008)
     Adam Barth, Collin Jackson, John C. Mitchell
     2008.11.27

  2. Agenda
     • Background
     • Problem Definition
     • Goal & Contribution
     • Frame Isolation
     • Frame Communication
     • Related Work
     • Conclusion

  3. Background: Mashup
     (Figure labels: From Daum, From Google, From NASA)
     • A Web site combining content from multiple sources
     • Integrator
       • Combining the contents
     • Gadget
       • Integrated contents

  4. Background: Mashup
     • Mashups use two methods for implementation
       • Insert JavaScript
         • The integrator embeds a <script> tag
         • The script runs with all of the integrator’s privileges
       • Iframe element
         • Can represent a different principal
         • A frame can draw only on its own rectangle

  5. Problem Definition
     • The frames can contain untrusted content
       • It tries to access the other frames for malicious actions
     • Web attacker
       • Owns attacker.com
       • The user visits attacker.com
     • Optional assumption
       • The attacker gets to embed a malicious gadget on the integrator site

  6. Goal & Contribution
     • Enhance the security of mashups that include untrusted gadgets
     • Isolation between frames
       • Propose a security policy
     • Secure frame communication
       • Make up for the weak points in existing approaches

  7. Frame Isolation: Navigation Policy
     • Permissive Policy
       • A frame can navigate any other frame
       • Cross-Window Attacks

  8. Frame Isolation: Navigation Policy
     (Figure label: Gadget Hijacking)
     • Window Policy
       • A frame can navigate only frames in its window

  9. Frame Isolation: Navigation Policy
     • Child Policy
       • A frame can navigate only its direct children
       • Reduces compatibility with existing sites
     • Descendant Policy
       • A frame can navigate only its descendants
       • Provides the most attractive trade-off between security and compatibility

  10. Frame Isolation: Navigation Policy
      Policy Behavior
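The four navigation policies from slides 7 to 9, written out as a decision function over a frame tree. This is an added example, not code from the presentation or from any browser; the frame names and the tree are constructed, and it models only the tree relation stated on the slides.

```javascript
// Added example: a model of the navigation policies on the slides.
function makeFrame(name, parent = null) {
  const frame = { name, parent, children: [] };
  if (parent) parent.children.push(frame);
  return frame;
}

// Top-level frame (the window) that contains the given frame.
function topOf(frame) {
  while (frame.parent) frame = frame.parent;
  return frame;
}

// True when target sits anywhere below actor in the frame tree.
function isDescendant(actor, target) {
  for (let f = target.parent; f; f = f.parent) {
    if (f === actor) return true;
  }
  return false;
}

function canNavigate(policy, actor, target) {
  switch (policy) {
    case "permissive": return true;
    case "window":     return topOf(actor) === topOf(target);
    case "child":      return target.parent === actor;
    case "descendant": return isDescendant(actor, target);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Constructed scenario: an integrator window with two gadgets, one of which
// has its own sub-frame, plus a separate window owned by another site.
const integrator = makeFrame("integrator");
const gadgetA = makeFrame("gadgetA", integrator);
const gadgetB = makeFrame("gadgetB", integrator);
const widget = makeFrame("widget", gadgetA);
const otherWindow = makeFrame("otherWindow");

function decisions(actor, target) {
  return ["permissive", "window", "child", "descendant"]
    .map((p) => `${p}=${canNavigate(p, actor, target)}`).join(" ");
}

console.log("otherWindow -> gadgetA:", decisions(otherWindow, gadgetA));
console.log("gadgetB -> gadgetA:    ", decisions(gadgetB, gadgetA));
console.log("integrator -> widget:  ", decisions(integrator, widget));
```

The second line of output is the gadget hijacking case: a sibling gadget may navigate another gadget under the window policy but not under the child or descendant policy.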

  11. Frame Isolation: Deployment
      • Safari
        • Apple accepted the authors’ patch for the descendant policy
      • Firefox
        • Mozilla accepted the authors’ patch in Firefox 3
      • Flash
        • Adobe agreed to the descendant policy
      • Opera
        • They plan to fix these vulnerabilities

  12. Frame Communication
      • Security Properties
        • Confidentiality
          • A message can be read only by its intended recipient
        • Authentication
          • The ability of the recipient to unambiguously determine the sender of a message
      • Some mashups need a communication method to provide rich content
        • The fragment identifier channel
        • The postMessage channel

  13. Frame Communication: The Fragment Identifier Channel
      Frame 1: parent.location = "http://aaa.com/#Message_1230483";
      Frame 2: setInterval(checkForMessage, 200);
      • The fragment identifier
        • http://aaa.com/#hello
      • Send short information to another frame using the fragment identifier
        • Doesn’t reload content in the frame
        • No network traffic, but the frame can read its fragment

  14. Frame Communication: The Fragment Identifier Channel
      • Security properties
        • Confidentiality: Yes
        • Authentication: No
        • Not a secure channel
      • Windows Live channel
        • Attempts to build a secure channel over the fragment identifier channel
      • SMash and OpenAjax 1.1

  15. Frame Communication: The Fragment Identifier Channel
      • Windows Live channel
        • The Lowe anomaly can be exploited to impersonate the integrator
      • SMash and OpenAjax 1.1

  16. Frame Communication: The Fragment Identifier Channel
      • Secure Fragment Messaging
        • The fragment identifier channel can be secured using a variant of the Needham-Schroeder-Lowe Protocol
        • The responder must include his identity in the second message of the protocol
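Why the responder's identity in the second message matters, shown as a symbolic run of the protocol with and without that field. This is an added example, not code from the presentation or from the libraries it names; the principals A, B and M, the message layout and the "encryption" (a tagged object only the named recipient may open) are assumptions for illustration.

```javascript
// Added example: symbolic model, no real cryptography.
const enc = (to, body) => ({ to, body });          // stands for {body}pk(to)
function dec(who, box) {
  if (box.to !== who) throw new Error(who + " cannot decrypt");
  return box.body;
}

// A opens a session with M; M relays A's messages to B.
// withResponderId = false: Needham-Schroeder; true: Needham-Schroeder-Lowe.
function relayRun(withResponderId) {
  const Na = "nonce-A", Nb = "nonce-B";

  // 1. A -> M: {Na, A}pk(M); M re-encrypts the contents for B.
  const m1 = enc("M", { nonce: Na, from: "A" });
  const relayed1 = enc("B", dec("M", m1));

  // 2. B -> A: {Na, Nb}pk(A), plus B's identity in the NSL variant.
  //    M cannot open this message and can only pass it on to A.
  const req = dec("B", relayed1);
  const body2 = { na: req.nonce, nb: Nb };
  if (withResponderId) body2.responder = "B";
  const m2 = enc(req.from, body2);

  // A's check: its own nonce must come back and, in NSL, the responder
  // named in message 2 must be the party A started the session with.
  const got = dec("A", m2);
  const peer = "M";
  if (got.na !== Na || (withResponderId && got.responder !== peer)) {
    return { initiatorAborted: true, relayLearnedNb: false, bAcceptsAsA: false };
  }

  // 3. A -> M: {Nb}pk(M); M now knows Nb and can complete B's run.
  const learned = dec("M", enc(peer, { nb: got.nb })).nb;
  const bAcceptsAsA = dec("B", enc("B", { nb: learned })).nb === Nb;
  return { initiatorAborted: false, relayLearnedNb: learned === Nb, bAcceptsAsA };
}

console.log("NS :", relayRun(false));
console.log("NSL:", relayRun(true));
```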

  17. Frame Communication: The Fragment Identifier Channel
      • Adoption
        • Microsoft: Windows Live Channels library
        • IBM: OpenAjax Hub 1.1

  18. Frame Communication: The postMessage Channel
      • New API for inter-frame communication in HTML 5
        • Supported in the latest betas of many browsers
          • IE 8, Firefox 3, Safari, Opera
      • To send a message to another frame, the sender calls the postMessage method
        • frames[0].postMessage("Hello world.");
      • The browser generates a message event in the recipient’s frame
        • Contains the message, the origin of the sender, and a JavaScript pointer to the sender’s frame

  19. Frame Communication: The postMessage Channel
      • Security properties
        • Confidentiality: No
        • Authentication: Yes
        • Not a secure channel
      • Two types of attack
        • Recursive Mashup Attack
        • Replay Attack

  20. Frame Communication: The postMessage Channel
      (Figure label: Attacker)
      • Recursive Mashup attack
        • The attacker loads the integrator inside a frame
        • Can carry out an attack without violating the descendant frame policy
        • The attacker hijacks the content of the postMessage

  21. Frame Communication: The postMessage Channel
      • Replay attack
        • Embedding the honest gadget in the attacker’s frame
        • Can intercept the postMessage, even under the child frame policy

  22. Frame Communication: The postMessage Channel
      • Securing postMessage
        • Let the sender specify the recipient
          • frames[0].postMessage("hello", "http://gadget.com");
        • The argument can be omitted if confidentiality is not required
      • Adoption
        • HTML 5.0
        • Firefox 3
        • Safari
        • IE 8
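The confidentiality gap described on slides 19 to 21 and the target-origin fix on slide 22, as a small model of how the browser delivers a message. This is an added example, not code from the presentation or from any browser; the origins, the `makeSlot` and `deliver` helpers and the use of "*" to stand for the original one-argument call are assumptions.

```javascript
// Added example: a model of postMessage delivery. All origins are constructed.
const INTEGRATOR = "https://integrator.example";
const GADGET = "https://gadget.example";
const ATTACKER = "https://attacker.example";

// A frame slot: the document loaded in it can change when the frame is
// navigated, while the sender still holds the same frame reference.
function makeSlot(url, onMessage) {
  return { url, onMessage, received: [] };
}

// Browser-side rule: drop the message unless the slot's current origin
// matches targetOrigin. "*" models the original one-argument call.
function deliver(slot, data, targetOrigin, senderOrigin) {
  const current = new URL(slot.url).origin;
  if (targetOrigin !== "*" && new URL(targetOrigin).origin !== current) {
    return false;
  }
  slot.onMessage.call(slot, { data, origin: senderOrigin });
  return true;
}

// Receiver-side authentication: act only on messages from the expected origin.
function acceptOnlyFrom(expectedOrigin) {
  return function (event) {
    if (event.origin === expectedOrigin) this.received.push(event.data);
  };
}

// The integrator sends a secret to a slot it believes holds the gadget, but
// the slot has since been navigated to another origin.
function sendToNavigatedSlot(targetOrigin) {
  const slot = makeSlot(GADGET + "/widget", acceptOnlyFrom(INTEGRATOR));
  slot.url = ATTACKER + "/page";
  slot.onMessage = function (event) { this.received.push(event.data); };
  const delivered = deliver(slot, "secret", targetOrigin, INTEGRATOR);
  return { delivered, leaked: slot.received.includes("secret") };
}

// The honest gadget ignores a message whose origin is not the integrator.
function gadgetAuthenticates() {
  const slot = makeSlot(GADGET + "/widget", acceptOnlyFrom(INTEGRATOR));
  deliver(slot, "forged", GADGET, ATTACKER);
  deliver(slot, "genuine", GADGET, INTEGRATOR);
  return slot.received;
}

console.log("no target origin:  ", sendToNavigatedSlot("*"));
console.log("with target origin:", sendToNavigatedSlot(GADGET));
console.log("gadget accepted:   ", gadgetAuthenticates());
```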

  23. Related work
      • Safe subsets of HTML and JavaScript
        • This approach requires gadgets to be written in a “safe subset” of HTML and JavaScript
        • Writing programs in one of these safe subsets is often awkward
      • Subspace
        • This approach uses a multi-level hierarchy based on the document.domain property
        • The descendant frame navigation policy is required to prevent gadget hijacking
      • MashupOS

  24. Conclusion
      • All proposals deployed to real users
      • Frame isolation
        • Improved frame navigation policy
      • Frame communication
        • Secured fragment identifier messaging
        • Secured new postMessage API

  25. Q&A
