
Securing Browser Frame Navigation and Communication






Presentation Transcript


  1. Securing Browser Frame Navigation and Communication Adam Barth Collin Jackson John C. Mitchell Stanford University

  2. Outline • Frame Isolation • Improving the frame navigation policy • Frame Communication • Fragment identifier messaging + authentication • postMessage + confidentiality

  3. Part I: FRAME ISOLATION

  4. Cross-Window Attack window.open("https://attacker.com/", "awglogin"); • If a window named awglogin already exists (for example a site's login popup), window.open does not create a new window: it navigates the existing one to the attacker's URL

  5. Experiment to Determine Policy • Frame navigation policy not documented • Some comments in Firefox source code, but misleading • No source code available for IE or Opera • “Uber” frame navigation test case • Assumes policy invariants (e.g., left/right symmetric) • Attempts 176 navigations, records results • Extracted policy for Internet Explorer, Firefox, and Safari

  6. Policy Behavior

  7. Browser Frame Navigation Policies

  8. Window Policy Anomaly • Under the window policy any frame may navigate any other frame in the same window, so one untrusted frame can redirect its siblings: top.frames[1].location = "http://www.attacker.com/..."; top.frames[2].location = "http://www.attacker.com/..."; ...

  9. Principle: Pixel Delegation • Frames delegate screen pixels • Child cannot draw outside its frame • Parent can draw over the child’s pixels • Navigation similar to drawing • Navigation replaces frame contents • “Simulate” by drawing over frame • Policy ought to match pixel delegation • Navigate a frame if can draw over the frame

  10. Solution: Descendant Policy • Best security / compatibility trade-off • Security: Respects pixel delegation • Compatibility: Least restrictive such policy • Implementation • Wrote patches for Firefox and Safari • Wrote over 1000 lines of regression tests • Deployment • Apple released the patch as a security update • Mozilla will ship the policy in Firefox 3

  11. Adoption of Descendant Policy

  12. Subtlety: Scripting Policy Interaction • Frame tree: a.com (top) with child frames a.com and b.com; the a.com child wants to navigate its b.com sibling • Is this permissible? • Target is not a descendant of the navigating frame • But the navigating frame can reach the target's pixels indirectly: inject script into the parent (same origin), and the parent draws the pixels • Allow the navigation: canScript ∘ canDraw • Large compatibility win • No security loss
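The three policies compared on slides 8 to 12 can be written down as predicates over a frame tree. The block below is an added example for this page, not code from the paper or from any browser; the frame tree, origins and names in it are constructed for illustration, and "can script" is modelled as same origin within the same window (document.domain relaxation is ignored).

```javascript
// Added example (not the paper's or any browser's code): the navigation
// policies from slides 8-12 evaluated over a small constructed frame tree.

// A frame knows its origin, its parent and its children.
function makeFrame(name, origin, parent = null) {
  const f = { name, origin, parent, children: [] };
  if (parent) parent.children.push(f);
  return f;
}

function topOf(f) { while (f.parent) f = f.parent; return f; }

function isDescendant(target, ancestor) {
  for (let f = target.parent; f; f = f.parent) if (f === ancestor) return true;
  return false;
}

function allFrames(top) {
  const out = [], stack = [top];
  while (stack.length) { const f = stack.pop(); out.push(f); stack.push(...f.children); }
  return out;
}

// Window policy (slide 8): any frame may navigate any frame in the same
// window, so an untrusted frame can redirect its siblings.
function canNavigateWindow(src, target) { return topOf(src) === topOf(target); }

// Pixel delegation (slide 9): src can draw over target's pixels iff target is
// src itself or lies inside src's rectangle, i.e. is a descendant of src.
function canDraw(src, target) { return src === target || isDescendant(target, src); }

// Descendant policy (slide 10): navigate exactly what you could draw over.
function canNavigateDescendant(src, target) { return canDraw(src, target); }

// Scripting interaction (slide 12): src can script any same-origin frame in
// its window (assumption: same-origin policy without document.domain), and
// whatever a scriptable frame can draw over, src can navigate through it.
// Allow = canScript composed with canDraw.
function canScript(src, f) { return topOf(src) === topOf(f) && src.origin === f.origin; }
function canNavigateDescendantWithScripting(src, target) {
  return allFrames(topOf(src)).some((f) => canScript(src, f) && canDraw(f, target));
}

// Constructed tree: an a.com top page embedding an a.com frame and a b.com
// gadget, with an attacker.com gadget nested inside the b.com frame.
function sampleTree() {
  const top = makeFrame('top', 'a.com');
  const inner = makeFrame('inner', 'a.com', top);
  const gadget = makeFrame('gadget', 'b.com', top);
  const evil = makeFrame('evil', 'attacker.com', gadget);
  return { top, inner, gadget, evil };
}
```

With this tree the window policy lets the nested attacker.com frame navigate the unrelated a.com frame (the slide 8 anomaly), the descendant policy refuses it while still letting the b.com gadget and the top page navigate the attacker frame, and the scripting refinement lets the a.com child reach its b.com sibling through the a.com parent without giving the attacker anything new.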

  13. Part II: FRAME COMMUNICATION

  14. Fragment Identifier Messaging • Send information by navigating a frame • http://gadget.com/#hello • Navigating to a fragment doesn't reload the frame • No network traffic, but the frame can read its own fragment • Not a secure channel: of confidentiality, integrity and authentication, it lacks authentication (the receiving frame cannot tell which frame navigated it)

  15. Fix: Improve the protocol • Proposed a Needham-Schroeder-Lowe style handshake to authenticate the channel • Adoption • Microsoft: Windows Live Channels library • IBM: OpenAjax Hub 1.1

  16. postMessage • New API for inter-frame communication • Supported in latest betas of many browsers • Not a secure channel: of confidentiality, integrity and authentication, it lacks confidentiality (the target frame may have been navigated to another origin before the message is delivered)

  17. Reply Attack

  18. Fix: Improve the API • Let the sender specify the recipient origin: frames[0].postMessage("Hello", "http://gadget.com") • The browser delivers the message only if the frame's current document has that origin • Can use "*" if confidentiality is not required • Adoption • Firefox 3 • Internet Explorer 8 • Safari 3.1
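Slides 16 to 18 describe a race: the sender holds a reference to a frame, the attacker navigates that frame to its own origin first, and the message lands in the attacker's document. The block below is an added example, not code from the paper or from any browser: it simulates a browsing context in plain JavaScript (no DOM) with the browser-side targetOrigin check, and shows the same message leaking under "*" and being dropped when the gadget's origin is named. The origins are constructed, and the receiver's check of event.origin is the standard API, included as the practitioner's other half of the fix.

```javascript
// Added example (not the paper's or any browser's code): the postMessage
// confidentiality problem from slides 16-18 and the targetOrigin fix.

// A browsing context: anyone holding a reference may navigate it to a new
// origin, which replaces the document and discards its message listeners.
class SimWindow {
  constructor(origin) { this.origin = origin; this.listeners = []; }
  navigate(newOrigin) { this.origin = newOrigin; this.listeners = []; }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  // Browser side of targetWindow.postMessage(message, targetOrigin): deliver
  // only if the window's *current* document has the named origin, or if the
  // sender opted out of the check with "*". Returns whether it was delivered.
  postMessage(message, targetOrigin, senderOrigin) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    for (const fn of this.listeners) fn({ data: message, origin: senderOrigin });
    return true;
  }
}

// Constructed origins.
const INTEGRATOR = 'https://integrator.example';
const GADGET = 'https://gadget.example';
const ATTACKER = 'https://attacker.example';

// One scenario: the integrator page sends a secret to its gadget frame with
// the given targetOrigin. If `hijack` is set, the attacker first navigates
// the gadget frame to its own origin (possible under a weak frame navigation
// policy, Part I) and installs its own listener.
function scenario(targetOrigin, hijack) {
  const gadgetFrame = new SimWindow(GADGET);
  const received = { gadget: [], attacker: [] };

  // Gadget document: authenticate the sender via event.origin before trusting it.
  gadgetFrame.addEventListener('message', (e) => {
    if (e.origin !== INTEGRATOR) return;
    received.gadget.push(e.data);
  });

  if (hijack) {
    gadgetFrame.navigate(ATTACKER);                 // gadget's listener is gone
    gadgetFrame.addEventListener('message', (e) => received.attacker.push(e.data));
  }

  const delivered = gadgetFrame.postMessage('account secret', targetOrigin, INTEGRATOR);
  return { delivered, gadget: received.gadget, attacker: received.attacker };
}
```

Running scenario('*', true) hands the secret to the attacker's document; scenario(GADGET, true) makes the browser drop it because the frame no longer holds a gadget.example document; scenario(GADGET, false) is the normal case and still delivers.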

  19. Summary • All proposals deployed to real users • Frame isolation • Improved frame navigation policy • Fixed the Guninski cross-window attack and gadget hijacking • Drive-by downloads still a concern... • Frame communication • Secured fragment identifier messaging • Secured the new postMessage API
