A Systematic Approach to Uncover Security Flaws in GUI Logic

Shuo Chen†, José Meseguer‡, Ralf Sasse† ‡, Helen J. Wang†, Yi-Min Wang†

† Systems and Networking Group

Microsoft Research

‡ Dept. of Computer Science

University of Illinois at Urbana-Champaign


Visual Spoofing: A Serious Security Problem

  • A simple equation

    1000 miles × trusted

    + 20 inches × untrusted

    = untrusted

  • Examples: status bar spoofing and address bar spoofing

  • IE, Firefox and Netscape all have security flaws in GUI.

(Figure: the web server, 1000 miles away, is the trusted end of the path; the last 20 inches, between the screen and the user, are the untrusted end.)


Research motivation and goal

  • GUI behaviors are driven by complex logic

    • E.g., how to handle mouse messages and update the status bar, how to update the address bar during navigations

    • Need a systematic approach to examine its correctness

  • Goal: to apply formal methods to reason about GUI logic in order to proactively uncover browser spoofing bugs.


Overview of Our Approach

(Figure: overview diagram, with steps labelled (a) to (f). Real world: real spoofing scenarios, the source code of the browser GUI, the user's action sequence, the execution context, and the potential spoofing scenarios produced at the end. Formal world: a visual invariant, taken from the real spoofing scenarios and restated as a program invariant; the program logic, as pseudo code derived from the source; the system state, user action sequence and execution context that together form the modeled system; and the violation found by the reasoning engine, which maps back to potential spoofing scenarios. Reasoning engine: the Maude system, a rewriting logic engine.)


Case study: status bar spoofing: basic concepts

Document Object Tree (DOM Tree)

    <html>
      <head><title>Page</title></head>
      <body>
        <a href="http://paypal.com">
          <img src="a.jpg">
        </a>
        <button> My button </button>
      </body>
    </html>

(Figure: the DOM tree of this page: <html> has children <head> and <body>; <head> contains <title>; <body> contains <a>, which contains <img>, and <button>.)

Page layout and element stacks (listed toward the user, i.e. innermost element first): over the image the stack is <img>, <a>, <body>; over the button it is <button>, <body>. The status bar runs along the bottom of the page layout.


Case Study: status bar spoofing: mouse handling logic

  • In status bar spoofing, only three raw mouse messages are relevant

    • MouseMove, LeftButtonDown, LeftButtonUp

  • Each HTML element has three virtual methods

    • HandleMessage, DoClick, ClickAction

    • Pseudo code in the paper

  • Elements differ in how they update the status bar (SetStatusText) and navigate to the target URL (FollowHyperlink).

  • Message bubbling (passing the mouse message to the parent element)

    • Each element can decide whether to continue or cancel the bubbling

  • We used Maude to model the source code of the mouse handling logic


Case Study: status bar spoofing: finding attacks

  • System state:

    status bar URL, user memorized URL

  • User action sequence:

    MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp

    (canonicalized: because the status bar is memoryless, a run of consecutive MouseMoves collapses into a single MouseMove, so two MouseMoves suffice)

  • Execution context:

    DOM tree structures (canonicalized)

    (at most two branches, corresponding to two MouseMoves)

  • Program invariant:

    at the time of the function call FollowHyperlink(targetURL),

    targetURL = user memorized URL

  • Use Maude to search for spoofing scenarios
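The search on this slide, as an added JavaScript toy model that is not code from the paper, its Maude model or any browser: the element behaviours in BEHAVIOUR are assumed for illustration (the paper's pseudo code is not reproduced here), the DOM tree PAGE is constructed, and the canonicalized action sequence MouseMove, MouseMove, Inspection, LeftButtonDown/LeftButtonUp is replayed over every pair of element stacks. A scenario is reported when the target passed to FollowHyperlink differs from the URL the user memorized at Inspection.

```javascript
"use strict";

// Added toy model of the status-bar search (not the paper's Maude model or any
// browser's code). Element behaviours are ASSUMED for illustration; each
// handler returns true to keep bubbling the message to the parent element,
// false to cancel bubbling. "Click" stands for LeftButtonDown then LeftButtonUp.
const BEHAVIOUR = {
  body: { MouseMove: () => true, Click: () => true },
  img:  { MouseMove: () => true, Click: () => true },        // defers to its parent
  anchor: {
    MouseMove: (el, st) => { st.statusBar = el.target; return false; }, // SetStatusText
    Click:     (el, st) => { st.followed = el.target; return false; },  // FollowHyperlink
  },
  form: {
    MouseMove: () => true,                                   // shows nothing in the status bar
    Click:     (el, st) => { st.followed = el.target; return false; },  // submits to its target
  },
};

// DOM tree node: tag, navigation target (null if none) and children.
function el(tag, target, ...children) {
  return { tag, target, children };
}

// Every element stack the mouse can be over, innermost element first
// ("toward the user", as on the basic-concepts slide).
function stacks(node, ancestors = []) {
  const here = [node, ...ancestors];
  return [here, ...node.children.flatMap(child => stacks(child, here))];
}

// Message bubbling: deliver msg to the innermost element, then to each parent
// until some element cancels the bubbling.
function bubble(stack, msg, st) {
  for (const node of stack) {
    if (!BEHAVIOUR[node.tag][msg](node, st)) break;
  }
}

// Replay the canonicalized user action sequence for one pair of mouse positions.
function runScenario(stack1, stack2) {
  const st = { statusBar: "", memorized: "", followed: null };
  bubble(stack1, "MouseMove", st);
  bubble(stack2, "MouseMove", st);
  st.memorized = st.statusBar;     // Inspection: the user reads the status bar
  bubble(stack2, "Click", st);     // LeftButtonDown, LeftButtonUp at position 2
  return st;
}

// Program invariant: at FollowHyperlink(targetURL), targetURL equals the memorized
// URL. Scenarios in which the user memorized an empty status bar are not counted
// (an assumption of this toy: an empty status bar gives no expectation to violate).
function findSpoofs(tree) {
  const all = stacks(tree);
  const spoofs = [];
  for (const s1 of all) {
    for (const s2 of all) {
      const st = runScenario(s1, s2);
      if (st.followed !== null && st.memorized !== "" && st.followed !== st.memorized) {
        spoofs.push({
          path1: s1.map(n => n.tag).join(" > "),
          path2: s2.map(n => n.tag).join(" > "),
          memorized: st.memorized,
          followed: st.followed,
        });
      }
    }
  }
  return spoofs;
}

// Constructed page: an image link to paypal.com next to an image inside a form
// whose target is foo.com.
const PAGE = el("body", null,
  el("anchor", "http://paypal.com", el("img", null)),
  el("form", "http://foo.com", el("img", null)));

for (const s of findSpoofs(PAGE)) {
  console.log(`status bar ${s.memorized} after ${s.path1} then ${s.path2}; click follows ${s.followed}`);
}
```

Each printed line is a counterexample to the invariant under the assumed behaviours: the first MouseMove leaves paypal.com in the memoryless status bar, the second position shows nothing of its own, and the click is handled by the form. Swapping the assumed behaviour table for the real pseudo code is what turns this toy into the paper's Maude search.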


Examples of Status Bar Spoofs

  • All because of unexpected combinations of element behaviors

(Figure: four element stacks with their layouts, each a status bar spoof in which the status bar reads paypal.com while an element whose target is foo.com is also in the stack:
    image (target paypal.com) over a form (target foo.com), laid out as an input field;
    button over an anchor (target paypal.com) over a form (target foo.com);
    image (target paypal.com) over a label (target foo.com);
    anchor (target paypal.com) over a label (target foo.com).)


Case Study: address bar spoofing: basic concepts (browser, renderer, frame, markup)

(Figure: a browser window whose address bar reads http://MySite.com. Its renderer holds the PrimaryFrame from MySite.com, which has a current markup and a pending markup, plus Frame1 from PayPal and Frame2 from MSN.)


Case Study: Address Bar Spoofing

  • Program invariant:

    The address bar should display the URL of the current markup of the primary frame.

  • User action sequence:

    Page loading, history traveling and window opening

  • Execution context:

    A set of Boolean conditions affecting the execution path

  • System state:

    PrimaryFrame, other frames, current markups, pending markups, address bar URL ...


Pseudo code model: loading a new page

(Figure: flowchart for loading a new page. Legend: posting an event, calling a function, invoking a handler. Functions: FollowHyperlink, Frame::SwitchMarkup, NavigationComplete, SetAddressBar, Markup::SetInteractive, View::EnsureView, View::RenderView, PostParser. Events on the event queue: start, navigation, ready, ensure, onPaint.)


Pseudo code model: history travel

(Figure: flowchart for history travel, same legend. Functions: History_Back, Travel, LoadHistory, Frame::SwitchMarkup, NavigationComplete, SetAddressBar, Markup::SetInteractive, View::EnsureView, View::RenderView, PostParser. Events on the event queue: start, navigation, ready, ensure, onPaint.)


Pseudo code model: opening a page in a new window

(Figure: flowchart for opening a page in a new window, same legend. Functions: FollowHyperlink, CreatePendingDocObject, InitDocHost, SetClientSite, LoadDocument, LoadFromInfo (called twice), InitNew, Load, CreateMarkup, SwitchMarkup, SetAddressBar, PostParser, View::RenderView. Events on the event queue: start-loading, download-content, onPaint.)
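
The page-load and history-travel flows above, reduced to an added JavaScript toy model that is not the paper's Maude model or IE's code: each user action posts a short sequence of handlers whose names come from the slide labels (FollowHyperlink, Travel, SwitchMarkup, NavigationComplete, onPaint); their order and their effect on the shared current markup, pending markup and address bar are assumptions, and the initial state (an evil.com page reached from paypal.com) is constructed. The model enumerates every interleaving of a page load with a history back on one event queue and checks the invariant from the address bar case study slide at each onPaint.

```javascript
"use strict";

// Added toy model of the address-bar invariant (not IE's code and not the
// paper's Maude model). Handler names follow the slide labels; their order and
// their effect on the shared state are ASSUMPTIONS made for illustration.
// System state: current markup, pending markup, address bar, history list.

function step(name, apply) {
  return { name, apply };
}

// Shared by both flows: install the pending markup as the current one.
function switchMarkup(s) {
  if (s.pending !== null) { s.current = s.pending; s.pending = null; }
}

// Loading a new page: the markup switch, the address-bar update and the paint
// are separate events, so handlers of another flow may run between them.
function loadPage(url, tag = "Load") {
  return [
    step(`${tag}:FollowHyperlink`,    s => { s.pending = url; }),
    step(`${tag}:SwitchMarkup`,       switchMarkup),
    step(`${tag}:NavigationComplete`, s => { s.addressBar = s.current; }), // SetAddressBar
    step(`${tag}:onPaint`,            () => {}),                           // observation point
  ];
}

// History travel: like a load, but the pending markup comes from the history list.
function historyBack(tag = "Back") {
  return [
    step(`${tag}:Travel`, s => {
      s.pending = s.history.length > 0 ? s.history[s.history.length - 1] : null;
      s.history = s.history.slice(0, -1);
    }),
    step(`${tag}:SwitchMarkup`,       switchMarkup),
    step(`${tag}:NavigationComplete`, s => { s.addressBar = s.current; }),
    step(`${tag}:onPaint`,            () => {}),
  ];
}

// Constructed initial state: the user came from paypal.com and is now on evil.com.
const INITIAL = {
  current: "https://evil.com",
  pending: null,
  addressBar: "https://evil.com",
  history: ["https://paypal.com"],
};

// Every merge of two event sequences that keeps each sequence's own order.
function interleavings(a, b) {
  if (a.length === 0) return [b];
  if (b.length === 0) return [a];
  return [
    ...interleavings(a.slice(1), b).map(rest => [a[0], ...rest]),
    ...interleavings(a, b.slice(1)).map(rest => [b[0], ...rest]),
  ];
}

// Run one trace from a copy of the initial state. Program invariant (from the
// case-study slide): at every paint the address bar shows the URL of the primary
// frame's current markup. Returns the first paint at which it fails, if any.
function checkTrace(trace, initial) {
  const s = { ...initial, history: [...initial.history] };
  for (const ev of trace) {
    ev.apply(s);
    if (ev.name.endsWith(":onPaint") && s.addressBar !== s.current) {
      return { ok: false, at: ev.name, state: s };
    }
  }
  return { ok: true, at: null, state: s };
}

// Search all interleavings of two flows for invariant violations.
function findRaces(flowA, flowB, initial) {
  const bad = [];
  for (const trace of interleavings(flowA, flowB)) {
    const r = checkTrace(trace, initial);
    if (!r.ok) {
      bad.push({ trace: trace.map(ev => ev.name), at: r.at,
                 addressBar: r.state.addressBar, content: r.state.current });
    }
  }
  return bad;
}

const races = findRaces(loadPage("https://evil.com/next"), historyBack(), INITIAL);
console.log(`${races.length} interleavings violate the invariant`);
if (races.length > 0) console.log(races[0]);
```

Either flow run on its own keeps the invariant; the violations come only from interleavings in which one flow's SwitchMarkup lands between the other flow's NavigationComplete and onPaint, so the address bar and the content area belong to different pages at the moment the user sees them. That is the shape of the non-atomic update bugs listed later in the deck, found here by brute-force enumeration instead of Maude's search.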


Discovered Address Bar Spoof (An Atomicity Bug)

(Figure: screenshots of the bug: a page from Evil.com loaded through a URL of the form https://evil.com#xxxxx...xxxxxxx, with the address bar reading https://paypal.com.)


Discovered address bar spoof (a race condition)

(Figure: screenshots of the race between loading a new page and history back, showing https://evil.com, https://paypal.com, https://evil.com, and a local resource URL beginning c:\windows\system32\shdoclc.dll?http.)


Summary of bug reporting for IE 7

  • Found many new scenarios for the status bar spoofing, filed them as 9 bugs against IE.

    • All fixed before IE7 RC 1 (release candidate 1).

  • 4 new scenarios of the address bar spoofing

    • Non-atomic update of the address bar (2 bugs)

    • Non-atomic update of the content area

    • Race condition: multiple frames compete to be the primary

    • The IE team has fixed two of them; fixes for the other two were proposed for the next version.


Conclusions

  • Formulated GUI logic correctness as a new research problem

  • Proposed a systematic approach to proactively uncover security flaws in browser GUI

  • Demonstrated the benefit of the systematic approach to the GUI implementation.

  • The approach is not IE specific.

    • Other browsers (e.g., Firefox, Opera, Netscape, etc)

    • Non-browser applications (e.g., Outlook, Outlook Express)


Discussions

  • Are there spoofing bugs that are not logic flaws?

    • Picture-in-picture, pop-up covering, chromeless window, symbol similarities (“vv” vs.“w”, “l” vs. “|”, etc)

  • Should we rely on users’ security awareness for anti-phishing?

    • Ideally, no. An ideal security infrastructure should be transparent!

      • Many users ignore security warnings. [Dhamija-CHI-06][Wu-CHI-06][Schechter-S&P-07]

    • In reality, people have not found a satisfactory way for transparent security

      • White-listing? Sacrifice the openness of the web. Does not scale.

      • Black-listing or intrusion detection? Limited by signature precision and timeliness

    • Anti-phishing will remain a joint effort between browser vendors and users for many years

      • IE 7 has made many efforts to make the GUI authentic.

      • “Seat belts” are effective only when you “buckle up”! (Not ideal, but … )