250 likes | 321 Views
Securing Frame Communication in Browsers. 17 th USENIX Security Symposium (2008). Adam Barth, Collin Jackson, John C. Mitchell. 2008.11.27. Agenda. Background Problem Definition Goal & Contribution Frame Isolation Frame Communication Related Work Conclusion. Background : Mashup.
E N D
Securing Frame Communication in Browsers 17th USENIX Security Symposium (2008) Adam Barth, Collin Jackson, John C. Mitchell 2008.11.27
Agenda Background Problem Definition Goal & Contribution Frame Isolation Frame Communication Related Work Conclusion
Background : Mashup From Daum From Google From NASA • A Web site combining content from multiple sources • Integrator • Combining the contents • Gadget • Integrated contents
Background : Mashup • Mashup use two method for implementation • Insert JavaScript • The integrator embeds a <script> tags • The script runs with all of the integrator’sprivileges • Iframe element • Can represent different principal • Frame can draw only on its own rectangle
Problem Definition • The frames can contain untrusted content • Try to access the other frames for malicious action • Web attacker • Owns an attacker.com • User visits attacker.com • Optional assumption • Gets to embeds a malicious gadget on integrator site
Goal & Contribution • Enhance the security on Mashup included untrusted gadget • Isolation between each frames • Propose the security policy. • Secure frame communication • Make up for the weak points in existing approaches
Frame Isolation : Navigation Policy • Permissive Policy • A frame can navigate any other frame • Cross-Window Attacks
Frame Isolation : Navigation Policy Gadget Hijacking • Window Policy • A frame can navigate only frames in its window
Frame Isolation : Navigation Policy • Child Policy • A frame can navigate only its direct children • Reduce the policy’s compatibility with existing sites • Descendant Policy • A frame can navigate only its descendants • Provide the most attractive trade-off between security and compatibility
Frame Isolation : Navigation Policy Policy Behavior
Frame Isolation : Deployment • Safari • Apple accepted author’s patch about descendant policy • Firefox • Mozilla accepted author’s patch in Firefox 3 • Flash • Adobe agreed about descendant policy • Opera • They plan to fix these vulnerabilities
Frame Communication • Security Properties • Confidentiality • A message can be read only by its intended recipient • Authentication • The Ability of the recipient to unambiguously determine the sender of a message • Some Mashup need to communication method for providing rich content • The fragment Identifier channel • postMessage Channel
Frame Communication : The Fragment Identifier Channel Frame 2 SetInterval(checkForMessge,200); Frame 1 Parent.location=http://aaa.com/#Message_1230483 • The fragment identifier • http://aaa.com/#hello • Send short information to other frame using the fragment identifier • Doesn’t reload content in the frame • No network traffic, but frame can read its fragment
Frame Communication : The Fragment Identifier Channel • Security properties • Confidentiality : Yes • Authentication : No • Not a secure channel • Windows Live channel • Attempts to build a secure channel over the fragment identifier channel • Smesh and Open Ajax 1.1
Frame Communication : The Fragment Identifier Channel • Windows Live channel • The Lowe anomaly can be exploited to impersonate the integrator • Smesh and Open Ajax 1.1
Frame Communication : The Fragment Identifier Channel • Secure Fragment Messaging • The fragment identifier channel can be secured using a variant of the Needham-Schroeder-Lowe Protocol • The responder must include his identity in the second message of the protocol
Frame Communication : The Fragment Identifier Channel • Adoption • Microsoft : Windows Live Channels library • IBM : OpenAjax Hub 1.1
Frame Communication : The postMessage Channel • New API for inter-frame communication in the HTML 5 • Supported in latest betas of many browsers • IE 8, Firefox 3,Safari, Opera • To send a message to another frame, the sender calls the postMessage method • frame[0].postMessage(“Hello world.”); • The browser generates a message event in the recipient’s frame • Contain message, the origin of the sender, a JavaScript pointer to sender’s frame
Frame Communication : The postMessage Channel • Security properties • Confidentiality : No • Authentication : Yes • Not a secure channel • Two type attack method • Recursive Mashup Attack • Replay Attack
Frame Communication : The postMessage Channel Attacker • Recursive Mashup attack • The attacker load the integrator inside a frame • Can carry out an attack without violating the descendant frame policy • Attacker hijacks content of postMessage
Frame Communication : The postMessage Channel • Replay attack • Embedding the honest gadget in attacker’s frame • Can intercept postMessage, even under the child frame policy
Frame Communication : The postMessage Channel • Securing postMessage • Let the sending specify the recipient • frame[0].postMessage(“hello”,http://gadget.com) • Can omit argument if confidentiality not required • Adoption • HTML 5.0 • Firefox 3 • Safari • IE 8
Related work • Safe subsets of HTML and Javascript • This approach require gedgets to be written in a “safe subset” of HTML and JavaScript • Writing programs in one of these safe subsets is often awkward • Subspace • This approach used a multi level hierarchy based on document.domain property • The descendant frame navigation policy is required to prevent gadget hijacking. • MashupOS
Conclusion • All proposals deployed to real users • Frame isolation • Improved frame navigation policy • Frame communication • Secured fragment identifier messaging • Secured new postMessage API