On the Incoherencies in Web Browser Access Control Policies.ppt

OntheIncoherenciesinWebBrowserAccessControlPolicies Presentedby张超 About S P2010AuthorsKapilSinghAlexanderMoshchukHelenJ WangWenkeLee 2010 6 2 2 Contents BrowserAccessControlpolicyAnalysisofBACincoherenciesWebAnalyzerMeasurementFrameworkExperimentalResultsConclusions 2010 6 2 3 Contents BrowserAccessControlpolicySharedResourcesNon sharedResourcesAnalysisofBACincoherenciesWebAnalyzerMeasurementFrameworkExperimentalResultsConclusions 2010 6 2 4 Browseraccesscontrolpolicy SharedResources DOMCookieslocalStoragesessionStoragedisplay position dimensions pixels URLNon sharedResources XMLHttpRequestPostMessageclipboardgeolocationbrowserhistorycamara microphonecurrenttab 2010 6 2 5 WhatisaPrincipal IntheWebenvironment principal domain Principalanddomainareinterchangeable H Wang et al SOSP 07 Differentlabelingforresources fortheDOM memory resource aprincipalislabeledby forthecookieresource aprincipalislabeledby 2010 6 2 6 SharedResources DOM SameOriginPolicy SOP DocumentObjectModeltheplatform andlanguage neutralinterfacethatallowsscriptstodynamicallyaccessandupdatethecontent structureandstyleofadocumentDOMobjectsmemoryresourcessharedbetweenprincipalsAccessControlPolicyeachprincipalislabeledwithanorigin twodocumentsfromdifferentoriginscannotaccesseachother sHTMLdocumentusingDOMframeA 中的js 不能通过DOM访问frameB 的document等示例 2010 6 2 7 SharedResources Cookie HttpServerisstatelesstreatseachrequestasanindependenttransactionthatisunrelatedtoanypreviousrequestHttpCookieatextstringstoredbyauser swebbrowser consistsofoneormorename valuepairs maybeencryptedissentasanHTTPheaderbyawebservertoawebbrowserandthensentbackunchanged bythebrowsereachtimeitaccessesthatservercanbeusedforauthentication sessiontracking statemaintenance storingsitepreferences shoppingcartcontents theidentifierforaserver basedsessionAccessControlasitecanonlysetitsowncookie cookiecanonlybesentbacktoitsoriginalservercookieislabeledwith withoutprotocolandport itcanbeaccessedbypagesinthesubdirectoriesorsubdomain 2010 6 2 8 SharedResources Cookie 2 ServersendscookietoclientSet Cookie expires domain path secure HttpOnly ClientsetsandreadsCookieusingjssetcookie 每次一个cookie name value及属性document cookie name1 value1 expires TIME domain path sub path secure HttpOnly document cookie name2 value2 expires TIME domain path path secure HttpOnly readcookie 一次读出所有可见的cookie 没有属性document cookie name1 value1 name2 value2 属性 secure 只能被https使用 实际上 http页面仍可设置其内容 HttpOnly 不允许js访问cookie IE提出 目的是阻止xss 实际效果 2010 6 2 9 SharedResources Storage 参考window localStorage persistentclient sidestoragewindow localStorage name valueSOPIE8允许subdomain与parentdomain互相访问对方的localStoragewindow sessionStoragestorageforatab itslifetimeissameasthatofthetabwindow localStorage name valuesametabandSOPHere HTTPandHTTPSareconsideredthesameprotocol IE8 2010 6 2 10 SharedResources Display SOPanddualownership现有浏览器没有很好的定义其访问控制建议tenant不能干扰landlord的displaylandlord能访问tenant的部分display属性 但是tenant的pixels DOM对象 导航历史都是私有的 2010 6 2 11 Non sharedResources XMLHttpRequest 允许客户端通过js访问文档origin网站上的数据 同步或者异步的http请求 XMLHttpRequest setRequestHeader 设置HTTP报文头来设置cookie值XMLHttpRequest getResponseHeader 读取服务器返回的set cookie报文头XMLHttpRequest2及XDomainRequest新提出的 允许与cross domain远程服务器通信 不发送authentication和cookie数据给服务器 2010 6 2 12 Non sharedResources PostMessage 客户端页面之间cross domain通信SOP 2010 6 2 13 Non sharedResources UserPrivateData Clipboardwindow clipboardData getData Text geolocationnavigator geolocationbrowserhistoryback forward 2010 6 2 14 SummaryonResources 2010 6 2 15 Contents BrowserAccessControlpolicyAnalysisofBACincoherenciestheinterplayoftheresourcesruntimeEffectivePrincipalIDtheUserPrincipalWebAnalyzerMeasurementFrameworkExperimentalResultsConclusions 2010 6 2 16 Contents BrowserAccessControlpolicyAnalysisofBACincoherenciestheinterplayoftheresourcesruntimeEffectivePrincipalIDtheUserPrincipalWebAnalyzerMeasurementFrameworkExperimentalResultsConclusions 2010 6 2 17 InterplayofResources 1 DOM cookiedocument cookie name value expires TIME domain 脆弱服务器被攻破 或者托管在iGoogle第三方内容 2010 6 2 18 InterplayofResources 2 如果cookie带有HttpOnly标志js不能直接访问cookie 但是Cookies XMLHttpRequestXMLHttpRequest setRequestHeader XMLHttpRequest getResponseHeader 防范IE8preventsbothreadandwritetocookiesvia Set cookie header butstillallowsaccessvia Set cookie2 headerFF3preventsXMLHttpRequestfromaccessingcookieheadersofanyresponse whetherornottheHttpOnlyflagwassetforthosecookies冒险 很多网站还在用XMLHttpRequest来读取cookie 2010 6 2 19 InterplayofResources 3 DOM Display URLNavigationlandlord可以无条件导航tenant 即使它们不同源攻击场景 攻击页面A内嵌交易网站B B内嵌咨询网站C B与C交互并提交交易到服务器 A可以导航CPixels如果tenant页面透明地层叠在landlord上 landlord可以在该区域画pixelsclickjackingattacks 2010 6 2 20 Contents BrowserAccessControlpolicyAnalysisofBACincoherenciestheinterplayoftheresourcesruntimeEffectivePrincipalIDtheUserPrincipalWebAnalyzerMeasurementFrameworkExperimentalResultsConclusions 2010 6 2 21 runtimeEffectivePrincipalID 背景 SOP限制两个子域名之间无法通信如和新提出的PostMessage可以解决这个问题之前的解决方案是修改document domain只能改为suffixesofitsorigindomainEffectivePrincipalID只限制了DOM访问改为之后 该页面不能再访问的DOM但是 其它所有资源的PrincipalID都没有把这个EffectivePrincipalID考虑进去 双重身份 2010 6 2 22 Cookie 2010 6 2 23 XMLHttpRequest 2010 6 2 24 PostMessage 2010 6 2 25 Contents BrowserAccessControlpolicyAnalysisofBACincoherenciestheinterplayoftheresourcesruntimeEffectivePrincipalIDtheUserPrincipalWebAnalyzerMeasurementFrameworkExperimentalResultsConclusions 2010 6 2 26 UserPrincipal Useractions window focus和window blur在其打开的窗口间获取 设置焦点 不考虑origin后果 用户动作发送到不期望的窗口window history数组中的URL记录不能被直接访问 但是back forward 可以在用户访问历史中前后导航更有甚者 tenant可以导航landlord 不考虑origin后果 欺骗用户进行多次网络交易 2010 6 2 27 UserPrincipal BrowserUI 任何窗口的任何站点可以通过top level窗口的属性moveTo moveBy resizeTo resizeBy来调整top level窗口的位置和大小 从而改变整个浏览器显示的大小用open 和close 方法打开和关闭窗口打开窗口有内建的blocker阻止IE8支持关闭顶层窗口 2010 6 2 28 UserPrincipal Userprivatedata 链接的颜色剪贴板window clipboardData getData Text 适当的浏览器设置下 会弹窗提示 但是不显示站点origin信息后果 内嵌的恶意站点访问时 用户以为是顶层站点在访问 从而放行HTML5地理位置navigator geolocationFF3 5会征询用户意见 显示origin信息 但是不会根据runtimeeffectiveID变化 可以用phish方式伪装origin从而让用户放行地理信息对话框一次只对一个origin激活 同一个页面上如果有多个origin想访问的话会冲突 DOS攻击 2010 6 2 29 Contents BrowserAccessControlpolicyAnalysisofBACincoherenciesWebAnalyzerMeasurementFrameworkExperimentalResultsConclusions 2010 6 2 30 WebAnalyzerMeasurementFramework 为了实现AccessControl的一致 必须修改 移除浏览器的一些特征 disallowdomain settingforcookieseliminatdocument domain andremovesupportforaccessinguserprincipalresources但是 可能带来兼容问题 兼容问题在现在浏览器竞争激烈的大环境下很容易失去用户设计一个框架来统计移除这些特征的costtheprevalenceofunsafebrowserfeatures 2010 6 2 31 WebAnalyzerMeasurementFramework 2010 6 2 32 heuristics drivenautomatedcrawling It shardtofullystudyallpossiblewebsitefeatures Simpleheuristicstosimulateuserinteraction findandclickatmost5randomlinks produce5randomnavigationevents checksearchform fillitandsubmitit 2010 6 2 33 Contents BrowserAccessControlpolicyAnalysisofBACincoherenciesWebAnalyzerMeasurementFrameworkExperimentalResultsConclusions 2010 6 2 34 ExperimentalResults ExperimentalGoal studytheprevalenceofunsafebrowserfeaturesonalargesetofpopularwebsite Overview100 000mostpopularwebsitesrankedbyAlexa 89 222websitesareavailable 404notfoundover2minutesnojscodeCostofremovingafeaturetobethenumberofAlexa ranked top100 000sitesthatusetheunsafefeature 2010 6 2 35 Interplayofbrowserresources summaryofdisplay 2010 6 2 36 ChangingeffectivePrincipalID Su