
Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers






  1. Dynamic Pharming Attacks and Locked Same-Origin Policies For Web Browsers Chris Karlof, J.D. Tygar, David Wagner, Umesh Shankar

  2. Overview • Motivation • Background Information • Attacks and Vulnerabilities • Details • Accomplishments • Conclusion/Summary

  3. Phishing

  4. Pharming

  5. Domain Name System • Predecessor: the HOSTS.TXT file distributed by SRI

  6. Domain Name System

  7. Vulnerabilities • DNS Cache poisoning • DNS Response forgery

  8. Brief Aside • Secure Sockets Layer (SSL) • Uses X.509 certificates

  9. Meh, idgaf

  10. Same Origin Policy • SOP – access control over web objects; an object from origin A can’t access one from origin B • Determining the origin of A and B: • Originating host • Port • Protocol • Examples: • http://www.foo.com/index.html • http://www.foo.com/other.html • https://www.foo.com/secure.html • http://www.xyz.com/index.html

  11. Static vs. Dynamic • Static – consistently bogus query results • Dynamic – only sometimes bogus!

  12. Dynamic Pharming • Suppose A (the attacker) controls DNS queries for www.vanguard.com • Suppose users authenticate to www.vanguard.com using client-side SSL • Suppose the user’s machine is initialized with client certificates and Vanguard knows the corresponding public keys • 1) A initializes the DNS entry to A’s IP address 6.6.6.6 and sets TTL = 0 • 2) V (the victim) visits https://www.vanguard.com/index.html to authenticate • 3) The browser attempts an SSL connection, which requires A to present an X.509 certificate

  13. Meh, idgaf

  14. Dynamic Pharming • 4) If the user blindly goes ahead past the certificate warning… this Trojan document is returned

  15. Dynamic Pharming

  16. Dynamic Pharming • 5) A then updates the DNS entry for www.vanguard.com to point to the legitimate server 1.2.3.4 • 6) The browser then loads the legitimate https://www.vanguard.com/index.html document into the iframe • 7) Since the connection is over SSL, the legitimate server requests client authentication, which the browser performs • 8) JavaScript can freely access the authenticated iframe (bad)

  17. Dynamic Pharming • Does not depend on the authentication system in use • Exploits the browser’s enforcement of the SOP • Since even the URL matches, meticulous users may still fall prey

  18. Solutions? • DNS pinning – the browser caches the result of a DNS query for a fixed period • Rejecting connections from the victim forces a DNS entry refresh (defeats pinning) • Round-robin DNS • Anti-framing
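The DNS pinning idea on this slide, as an added example that is not part of the slides or the paper: a toy resolver cache that either honours the record's TTL or pins the first address for a fixed window regardless of TTL. The `lookup` callback standing in for the operating system resolver, the `refreshOnFailure` option and the sample answers are all assumptions of this model; the addresses are the placeholder values from slides 12 and 16.

```javascript
// Added example: two browser resolver behaviours for the DNS-pinning idea.
//   honour TTL: re-query DNS whenever the cached answer's TTL has expired
//               (TTL = 0 means every lookup goes back to DNS).
//   pin:        remember the first address for a fixed pinning window and
//               ignore the record's TTL during that window.

// Constructed sample answers in the order the resolver receives them. The
// first carries TTL = 0 so that it can be changed between two loads.
const sampleAnswers = [
  { address: "6.6.6.6", ttl: 0 },
  { address: "1.2.3.4", ttl: 300 },
];

// Stand-in for the OS resolver: hands out the answers in sequence and then
// keeps returning the last one.
function sequentialLookup(answers) {
  let i = 0;
  return () => answers[Math.min(i++, answers.length - 1)];
}

class Resolver {
  constructor(lookup, { pinMs = 0, refreshOnFailure = false } = {}) {
    this.lookup = lookup;
    this.pinMs = pinMs;                       // 0 means "honour TTL"
    this.refreshOnFailure = refreshOnFailure; // drop the pin on connect failure
    this.cache = new Map();                   // host -> { address, expires }
  }

  // Returns the address to connect to at time `now` (milliseconds).
  resolve(host, now) {
    const entry = this.cache.get(host);
    if (entry && now < entry.expires) return entry.address;
    const answer = this.lookup(host);
    // Pinning: the cache lifetime is the pin window, not the record's TTL.
    const lifetime = this.pinMs > 0 ? this.pinMs : answer.ttl * 1000;
    this.cache.set(host, { address: answer.address, expires: now + lifetime });
    return answer.address;
  }

  // Some browsers discard a pin when the pinned address refuses connections;
  // slide 18 notes that this is what allows an early refresh of the entry.
  reportConnectionFailure(host) {
    if (this.refreshOnFailure) this.cache.delete(host);
  }
}

// Helper for the three behaviours: addresses seen at successive times.
function addressesSeen(resolver, host, times) {
  return times.map((t) => resolver.resolve(host, t));
}

function honourTtlRun() {
  const r = new Resolver(sequentialLookup(sampleAnswers));
  return addressesSeen(r, "www.vanguard.com", [0, 1000]);
}

function pinnedRun() {
  const r = new Resolver(sequentialLookup(sampleAnswers), { pinMs: 60000 });
  return addressesSeen(r, "www.vanguard.com", [0, 1000, 61000]);
}

function pinnedWithFailureRefreshRun() {
  const r = new Resolver(sequentialLookup(sampleAnswers),
                         { pinMs: 60000, refreshOnFailure: true });
  const first = r.resolve("www.vanguard.com", 0);
  r.reportConnectionFailure("www.vanguard.com");
  return [first, r.resolve("www.vanguard.com", 1000)];
}

console.log("honour TTL:", honourTtlRun());
console.log("pinned:", pinnedRun());
console.log("pinned, refresh on failure:", pinnedWithFailureRefreshRun());
```

With the TTL honoured, the second load already sees the new address; with a 60-second pin the address stays fixed across the two loads and only changes once the window has elapsed. The third run shows why the pin only helps if the browser does not re-resolve on connection failure.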

  19. Root of the problem • Human stupidity – too difficult to address • Browser SOP • If based on the domain name alone -> fails under pharming • Try a locked same-origin policy

  20. Locked Same-Origin Policy • Locked web objects may only access other web objects originating from the same domain • The legacy SOP doesn’t distinguish between spoofed domain names and real ones (e.g. after the user ignores certificate warnings) • Simply augment the SOP by tagging each web object with a validity bit • Allow access iff the legacy SOP allows it and the validity bits match

  21. Problems? • Server A for xyz.com has a valid cert • Server B for xyz.com does not • Why might this occur in practice? • Very low chance: 0.05% in their study
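The legacy SOP of slide 10, its locked variant of slide 20 and the "break the web" case of slide 21, as one added example that is not code from the slides or the paper. The validity bit is modelled as a boolean field on each web object (true when the document arrived over SSL with a certificate the browser accepted without a user override); the object names, the `decide` helper and the constructed scenarios are my own assumptions, with the URLs taken from the slides.

```javascript
// Added example: legacy vs locked same-origin policy decisions.

// Origin = (protocol, host, port), as on slide 10. Default ports are filled
// in so that "https://a" and "https://a:443" compare equal.
function originOf(url) {
  const u = new URL(url);
  const defaultPorts = { "http:": "80", "https:": "443" };
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || defaultPorts[u.protocol] || "",
  };
}

// Legacy SOP: protocol, host and port must all match.
function legacySopAllows(a, b) {
  const oa = originOf(a.url);
  const ob = originOf(b.url);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Locked SOP (slide 20): legacy SOP must allow it AND validity bits must match.
function lockedSopAllows(a, b) {
  return legacySopAllows(a, b) && a.valid === b.valid;
}

function decide(a, b) {
  return { legacy: legacySopAllows(a, b), locked: lockedSopAllows(a, b) };
}

// Slide 10's four URLs, all with valid certificates where applicable.
const slide10 = {
  fooIndex:  { url: "http://www.foo.com/index.html",   valid: true },
  fooOther:  { url: "http://www.foo.com/other.html",   valid: true },
  fooSecure: { url: "https://www.foo.com/secure.html", valid: true },
  xyzIndex:  { url: "http://www.xyz.com/index.html",   valid: true },
};

// Constructed dynamic-pharming scenario (slides 12-16): the outer Trojan
// document was served after the user clicked through a certificate warning,
// so its validity bit is false; the iframe content came from the legitimate
// server over a clean, client-authenticated SSL session.
const trojanDocument = { url: "https://www.vanguard.com/index.html", valid: false };
const legitimateFrame = { url: "https://www.vanguard.com/index.html", valid: true };

// Constructed "break the web" case (slide 21): two servers for one domain,
// only one of which presents a valid certificate, legitimately sharing data.
const xyzValidServer   = { url: "https://www.xyz.com/app.html",    valid: true };
const xyzInvalidServer = { url: "https://www.xyz.com/static.html", valid: false };

function pharmingDecision() {
  return decide(trojanDocument, legitimateFrame);
}

function breakTheWebDecision() {
  return decide(xyzValidServer, xyzInvalidServer);
}

console.log("slide 10, http index vs other:", decide(slide10.fooIndex, slide10.fooOther));
console.log("slide 10, http vs https:", decide(slide10.fooIndex, slide10.fooSecure));
console.log("pharming:", pharmingDecision());
console.log("break the web:", breakTheWebDecision());
```

The pharming scenario is exactly what the legacy SOP gets wrong: both documents share protocol, host and port, so legacy access is allowed, while the mismatched validity bits make the locked SOP deny it. The same check denies the slide 21 case, which is the legitimate sharing the locked policy breaks in the rare mixed-certificate deployment.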

  22. Conclusions • Due to DNS vulnerabilities, pharming is a real concern • The legacy SOP is not currently equipped to adequately protect against pharming • A locked same-origin policy can “break the web”, but rarely, and using the validity bit offers protection • Still susceptible, however – how?
