Towards a Formal Foundation of Web Security
devdatta akhawe / adam barth / peifung eric lam / john mitchell / dawn song

motivation
• the web is interesting
• web security is hard
• formalization will help

informed abstract models of the web platform will be amenable to automation, reveal practical attacks and support useful evaluation of alternate designs.

web security 101 / abstract model / alloy implementation / case studies

The security of the whole system is a global property based on invariants at all three components

browsers handle code + documents from multiple sources and need to ensure integrity and confidentiality

Same Origin Policy – code from different websites or “origins” shouldn’t interfere

The complete isolation that SOP provides is too coarse for modern applications.

(diagram: pages from robber.com and bank.com inside the Web Browser, connected to the User and to the Network; arrows labelled “Same Origin Event” and “Cross Origin Event”)

The security of the whole system is a global property based on invariants at all three components

Simple model of user – not confused and follows security indicators

(diagram: User, Web Browser and Network, with robber.com and bank.com as the two servers)

network / browser / threats / goals

Script Context
• The sandbox in which code runs
• what are the semantics of the isolation? Origin, path, http(s)?

User Interface
• Location bar, http(s), lock icon
• who decides what is shown?

State Storage
• Stored passwords/cookies
• when to send them?

servers
• Connected to network
• May break specification (esp. attacker)
• Many to many relationship with DNS

http
• HTTP Methods, status codes, headers
• Integrity – some headers/methods determined by attacker

network requests
• Different APIs with specific constraints
• For example, XHR works only same-origin, Forms only allow GET/POST

threat model hierarchy

web attacker (key threat model)
• robber.com
• browser APIs only
• Malicious person with his own site
• No special network privileges

gadget attacker
• can inject limited form of content
• comments on a blog

network attacker
• can modify network traffic
• except encrypted content

Note that any protocol not over HTTPS can be easily subverted by the network attacker

security goals
• Session integrity
  – Any action that an honest server takes should not be directly/indirectly caused by a dishonest/untrusted principal
  – A request caused by robber.com shouldn’t reduce money in my bank account
• Don’t break web invariants
  – Do not increase attack surface of benign applications
  – For example, currently cross-origin DELETE/PUT requests with ambient authorization (cookies) aren’t allowed

Alloy
• An object modeling language
• Executable model eased development
• Bounded model checker
• Translates predicates to SAT instances
• Easy visualization of counterexamples

metamodel

session integrity

// a function that for a given transaction
// tells the list of servers involved in causing it
fun involvedServers[t: HTTPTransaction]: set NetworkEndpoint {
    // the ScriptContext origin
    getTransactionOwner[t].servers
    // get list of servers involved in redirect chain
    + (t.*cause & HTTPTransaction).resp.from
}

pred webAttackerInCausalChain[t: HTTPTransaction] {
    // see if a WebAttacker-controlled server is in the set of involved servers
    some (WEBATTACKER.servers & involvedServers[t])
}

case studies

Name                           Type of vulnerability   Previously
Origin Header                  integrity violation     known
Cross Origin Resource Sharing  breaks invariant        known
HTML 5 Form                    breaks invariant        unknown
Referer Validation             integrity violation     unknown
WebAuth                        session fixation        unknown

case studies
• HTML 5 Form vulnerability
  – Extremely simple vulnerability
  – Missed completely by many experts until our study
• Referer Validation Vulnerability
  – Past verification not detailed enough
• WebAuth Vulnerability
  – More complicated
  – Hard to find without such analysis

HTML 5 Form

(diagram, HTML 4 vs HTML 5) Page at robber.com → bank.com. HTML 4 forms: GET/POST. HTML 5 forms: GET/POST, DELETE, PUT.

the attack

HTML 5: the page at robber.com submits a PUT form to robber.com; robber.com answers with a cross-origin redirect to bank.com; the browser follows it and bank.com receives the PUT. ??? “Don’t break web invariants” violated.

Fix is to disable cross-origin redirects for special methods; model doesn’t find any error after fix
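The following is an added example, not code from the slides or from the authors' Alloy model: a small Python rendering of the involvedServers / webAttackerInCausalChain predicate from the session-integrity slide, plus a bounded exploration of the HTML 5 form invariant that reproduces the redirect attack above and confirms that the fix (refusing cross-origin redirects for PUT/DELETE) closes it. The servers, the "PUT/DELETE forms only same-origin" rule for the HTML 5 draft, and the two-host bound are assumptions chosen to match the slides.

```python
# Added example, not code from the slides or the authors' Alloy model: a Python
# counterpart of involvedServers / webAttackerInCausalChain and a bounded check
# of the HTML 5 form invariant before and after the fix.
from dataclasses import dataclass
from itertools import product
from typing import Optional

WEB_ATTACKER_SERVERS = {"robber.com"}       # constructed: servers the web attacker controls
HONEST_SERVERS = {"bank.com"}               # constructed: the honest application server
SIMPLE_METHODS = {"GET", "POST"}            # what HTML 4 forms could already send cross-origin
METHODS = ["GET", "POST", "PUT", "DELETE"]  # what an HTML 5 form may use


@dataclass
class HTTPTransaction:
    method: str
    host: str                     # server the request goes to (resp.from in the Alloy model)
    owner: str                    # origin of the ScriptContext that issued the first request
    with_cookies: bool            # ambient authorization attached by the browser
    cause: Optional["HTTPTransaction"] = None   # transaction whose response caused this one


def involved_servers(t: HTTPTransaction) -> set:
    """Counterpart of involvedServers[t]: the owner origin plus every server
    in the reflexive-transitive redirect chain t.*cause."""
    servers = {t.owner}
    cur = t
    while cur is not None:
        servers.add(cur.host)
        cur = cur.cause
    return servers


def web_attacker_in_causal_chain(t: HTTPTransaction) -> bool:
    """Counterpart of webAttackerInCausalChain[t]."""
    return bool(WEB_ATTACKER_SERVERS & involved_servers(t))


def submit_form(method: str, target: str, owner: str = "robber.com") -> Optional[HTTPTransaction]:
    """Form submission as the attack slide implies the HTML 5 draft worked
    (assumption): PUT/DELETE forms only to a same-origin target, GET/POST anywhere."""
    if method not in SIMPLE_METHODS and target != owner:
        return None
    return HTTPTransaction(method, target, owner, with_cookies=True)


def follow_redirect(t: HTTPTransaction, location: str, fixed: bool) -> Optional[HTTPTransaction]:
    """Browser redirect policy. With fixed=True, cross-origin redirects of the
    special methods are refused, which is the fix the slide describes."""
    cross_origin = location != t.host
    if fixed and cross_origin and t.method not in SIMPLE_METHODS:
        return None
    # The redirected request keeps its method and picks up cookies for the new host.
    return HTTPTransaction(t.method, location, t.owner, with_cookies=True, cause=t)


def breaks_invariant(t: HTTPTransaction) -> bool:
    """'Don't break web invariants': an honest server must never receive a
    cross-origin DELETE/PUT carrying ambient authorization."""
    return (t.host in HONEST_SERVERS and t.owner != t.host
            and t.with_cookies and t.method not in SIMPLE_METHODS)


def find_counterexample(fixed: bool) -> Optional[HTTPTransaction]:
    """Bounded exploration in the spirit of the Alloy check: every method,
    first-hop host and one redirect target; return the first violating
    transaction, or None when the invariant holds within the bound."""
    hosts = ["robber.com", "bank.com"]
    for method, target, location in product(METHODS, hosts, hosts):
        first = submit_form(method, target)
        if first is None:
            continue
        if breaks_invariant(first):
            return first
        second = follow_redirect(first, location, fixed)
        if second is not None and breaks_invariant(second):
            return second
    return None


if __name__ == "__main__":
    cex = find_counterexample(fixed=False)
    print("before fix:", cex.method, "reaches", cex.host, "via", cex.cause.host,
          "| attacker in causal chain:", web_attacker_in_causal_chain(cex))
    print("after fix:", find_counterexample(fixed=True))
```

Before the fix the search returns the slide's counterexample (a PUT that reaches bank.com through a redirect issued by robber.com, with robber.com in the causal chain); after the fix it finds nothing within the bound, which is the same shape of evidence the bounded model checker gives: a concrete trace when the property fails, and silence up to the bound when it holds.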

alloy counterexample (actual snapshot)

Referer Validation

WebAuth

WebAuth
• Single sign on solution at Stanford
  – called CalNet at Berkeley
  – also common in other academic institutions
• Single sign on: one password to rule them all
  – Provides a service similar to Kerberos, but on web
• At least two parties other than user
  – The single sign on provider (WebAuth Server)
  – The application, e.g. library services

(sequence diagram: User, WebAuth Server, Application)
1. User → Application: GET Secret
2. Application → User: Access Denied! Login at WebAuth (redirect)
3. User → WebAuth Server: login
4. WebAuth Server → User: Username/Password form
5. User → WebAuth Server: Username, Password
6. WebAuth Server → User: ok! Redirect to App with identifier key
7. User → Application: Identifier key
8. Application: Run Crypto Checks on Identifier sent. This completes the login procedure.
9. Application → User: Send Secret and Set Cookie identifying user for future

the attack

(sequence diagram of the attack: Attacker, WebAuth Server, Application, benign user)
1. Attacker → Application: GET attacker secret
2. Application → Attacker: Access Denied! Login at WebAuth (redirect)
3. Attacker → WebAuth Server: login
4. WebAuth Server → Attacker: Username/Password form
5. Attacker → WebAuth Server: Attacker’s credentials (Username, Password)
6. WebAuth Server → Attacker: ok! Redirect to App with identifier key
7. Attacker: BLOCK and save link that identifies attacker
8. Attacker → benign user: Send the link
9. Benign user → Application: Follow link
10. Application: Run Crypto Checks on Identifier sent
11. Application → benign user: Set cookie identifying user as ATTACKER

Is this really that bad?

why this is bad
• At UC Berkeley, I pay my bills via a service that uses CalNet
• Could be fooled into paying someone else’s bill
• Fix is to add a nonce to ensure that the application remembers context
  – model fails to find attack after fix
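The following is an added example, not code from the slides or from the real WebAuth/CalNet software: a toy model of the login flow, of the session-fixation attack on it, and of the nonce fix the slide describes. An HMAC over a key shared by the WebAuth server and the application stands in for WebAuth's actual crypto checks, the cookie names and user accounts are constructed, and the user is modelled only as "follows whatever link is presented".

```python
# Added example, not code from the slides or from WebAuth/CalNet: a toy model of
# the WebAuth login flow, the session-fixation attack and the nonce fix.
# HMAC over a shared key stands in for WebAuth's real crypto checks (assumption).
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-key-shared-by-webauth-and-app"   # constructed stand-in


class Browser:
    """Cookie jar of one user agent; the user only follows links."""
    def __init__(self):
        self.cookies = {}


class WebAuthServer:
    def __init__(self, users):
        self.users = users   # username -> password (constructed sample data)

    def login(self, username, password, nonce=""):
        """Steps 3-6 of the flow: check the credentials and produce the
        identifier the browser is redirected back to the application with."""
        if self.users.get(username) != password:
            return None
        payload = f"{username}|{nonce}"
        mac = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{mac}"


class Application:
    def __init__(self, fixed):
        self.fixed = fixed   # fixed=True: the app remembers context via a nonce

    def start_login(self, browser):
        """'Access Denied! Login at WebAuth': with the fix, a fresh nonce is
        stored in this browser and must come back inside the identifier."""
        if not self.fixed:
            return ""
        browser.cookies["login_nonce"] = secrets.token_hex(8)
        return browser.cookies["login_nonce"]

    def finish_login(self, browser, identifier):
        """'Run Crypto Checks on Identifier sent', then set the session cookie."""
        username, nonce, mac = identifier.split("|")
        expected = hmac.new(SHARED_KEY, f"{username}|{nonce}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        # The fix: the identifier must belong to a login this browser started.
        if self.fixed and nonce != browser.cookies.get("login_nonce"):
            return False
        browser.cookies.pop("login_nonce", None)
        browser.cookies["session_user"] = username
        return True


USERS = {"attacker": "attacker-pw", "victim": "victim-pw"}   # constructed accounts


def honest_login(fixed):
    """The normal flow: one browser starts the login and finishes it."""
    webauth, app, browser = WebAuthServer(USERS), Application(fixed), Browser()
    nonce = app.start_login(browser)
    identifier = webauth.login("victim", "victim-pw", nonce)
    ok = app.finish_login(browser, identifier)
    return ok, browser.cookies.get("session_user")


def session_fixation(fixed):
    """The attack slide: the attacker logs in, blocks the redirect, saves the
    link and hands it to the benign user, whose browser then follows it."""
    webauth, app = WebAuthServer(USERS), Application(fixed)
    attacker_browser, victim_browser = Browser(), Browser()
    nonce = app.start_login(attacker_browser)
    saved_link = webauth.login("attacker", "attacker-pw", nonce)   # BLOCK and save link
    accepted = app.finish_login(victim_browser, saved_link)        # benign user follows link
    return accepted, victim_browser.cookies.get("session_user")


if __name__ == "__main__":
    print("without nonce:", session_fixation(fixed=False))   # victim's session becomes the attacker's
    print("with nonce:   ", session_fixation(fixed=True))    # identifier rejected
```

The crypto checks pass in both runs, because the identifier is genuine; what the unfixed application lacks is any binding between the identifier and the browser that started the login. The nonce supplies that binding: the victim's browser never stored the nonce embedded in the saved link, so the application rejects it, while the honest flow is unaffected.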

conclusion

informed abstract models of the web platform will be amenable to automation, reveal practical attacks and support useful evaluation of alternate designs.

thank you
http://bit.ly/csf10-websec
images from sxc.hu