securing browser frame navigation and communication n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Securing Browser Frame Navigation and Communication PowerPoint Presentation
Download Presentation
Securing Browser Frame Navigation and Communication

Loading in 2 Seconds...

  share
play fullscreen
1 / 19
anoki

Securing Browser Frame Navigation and Communication - PowerPoint PPT Presentation

157 Views
Download Presentation
Securing Browser Frame Navigation and Communication
An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Securing Browser Frame Navigation and Communication Adam Barth Collin Jackson John C. Mitchell Stanford University

  2. Outline • Frame Isolation • Improving the frame navigation policy • Frame Communication • Fragment identifier messaging + authentication • postMessage + confidentiality

  3. Part I: FRAME ISOLATION

  4. Cross-Window Attack window.open(“https://attacker.com/”, “awglogin”);

  5. Experiment to Determine Policy • Frame navigation policy not documented • Some comments in Firefox source code, but misleading • No source code available for IE or Opera • “Uber” frame navigation test case • Assumes policy invariants (e.g., left/right symmetric) • Attempts 176 navigations, records results • Extracted policy for Internet Explorer, Firefox, and Safari

  6. Policy Behavior

  7. Browser Frame Navigation Policies

  8. Window Policy Anomaly top.frames[1].location = “http://www.attacker.com/...”; top.frames[2].location = “http://www.attacker.com/...”; ...

  9. Principle: Pixel Delegation • Frames delegate screen pixels • Child cannot draw outside its frame • Parent can draw over the child’s pixels • Navigation similar to drawing • Navigation replaces frame contents • “Simulate” by drawing over frame • Policy ought to match pixel delegation • Navigate a frame if can draw over the frame

  10. Solution: Descendant Policy • Best security / compatiblity trade-off • Security: Respects pixel delegation • Compatibility: Least restrictive such policy • Implementation • Wrote patches for Firefox and Safari • Wrote over 1000 lines of regression tests • Deployment • Apple released patch as security update • Mozilla will ship policy in Firefox 3

  11. Adoption of Descendant Policy

  12. Subtlety: Scripting Policy Interaction a.com a.com b.com • Is this permissible? • Target is not descendant • Can draw over pixels • Inject script into parent • Parent draws the pixels • Allow navigation • canScript o canDraw • Large compatibility win • No security loss

  13. FRAME COMMUNICATION Part II:

  14. Fragment Identifier Messaging • Send information by navigating a frame • http://gadget.com/#hello • Navigating to fragment doesn’t reload frame • No network traffic, but frame can read its fragment • Not a secure channel • Confidentiality • Integrity • Authentication   

  15. Fix: Improve the protocol • Proposed Needham-Schroeder-Lowe • Adoption • Microsoft: Windows Live Channels library • IBM: OpenAjax Hub 1.1

  16. postMessage    • New API for inter-frame communication • Supported in latest betas of many browsers • Not a secure channel • Confidentiality • Integrity • Authentication

  17. Reply Attack

  18. Fix: Improve the API • Let the sending specify the recipient frame[0].postMessage("Hello", "http://gadget.com") • Can use "*" if confidentiality not required • Adoption • Firefox 3 • Internet Explorer 8 • Safari 3.1

  19. Summary • All proposals deployed to real users • Frame isolation • Improved frame navigation policy • Fixed Guninski and Gadget Hijacking • Drive-by-downloads still a concern… • Frame communication • Secured fragment identifier messaging • Secured new postMessage API