This paper presents a systematic approach to identify and uncover security flaws in GUI logic, focusing on visual and address bar spoofing. The authors use a formal methodology and reasoning engine to proactively detect browser spoofing bugs.
A Systematic Approach to Uncover Security Flaws in GUI Logic
2008. 03. 31
Distributed Multimedia Computing Lab.
Minjae Cho, popeye@ece.hanyang.ac.kr
Paper Information
Title: A Systematic Approach to Uncover Security Flaws in GUI Logic
Authors: Shuo Chen†, José Meseguer‡, Ralf Sasse†‡, Helen J. Wang†, Yi-Min Wang†
†Systems and Networking Group, Microsoft Research
‡Dept. of Computer Science, University of Illinois at Urbana-Champaign
Published: IEEE Symposium on Security and Privacy 2007 (SP ’07)
The Conference Information
Claremont Resort, Berkeley, Oakland, CA
2007/05/20 ~ 2007/05/23
http://www.ieee-security.org/TC/SP2007/oakland07.html
Contents
• Introduction: visual spoofing; motivation and goal
• Overview of methodology
• Status bar spoofing
• Address bar spoofing
• Conclusions: contributions; bug reporting for IE7
Visual Spoofing: A Serious Security Problem
• A simple equation: 1000 miles × trusted + 20 inches × untrusted = untrusted
• Examples: status bar spoofing and address bar spoofing
• IE, Firefox and Netscape all have security flaws in their GUI.
[Figure: the web server, 1000 miles away, is trusted; the last 20 inches between the screen and the user are untrusted.]
Research motivation and goal
• GUI behaviors are driven by complex logic
  • E.g., how to handle mouse messages and update the status bar, how to update the address bar during navigations
• Need a systematic approach to examine its correctness
• Goal: to apply formal methods to reason about GUI logic in order to proactively uncover browser spoofing bugs.
Overview of Our Approach
[Figure: the methodology. Real world: the source code of the browser GUI, real spoofing scenarios, and a visual invariant. Formal world (the modeled system): the program logic as pseudo code, the execution context and system state, the program invariant, and the user’s action sequence. The reasoning engine (the Maude system, a rewriting logic engine) searches the modeled system for invariant violations; each violation is a potential spoofing scenario.]
Case study: status bar spoofing: basic concepts
Document Object Model Tree (DOM Tree):
    <html>
      <head><title>Page</title></head>
      <body>
        <a href="http://paypal.com">
          <img src="a.jpg">
        </a>
        <button> My button </button>
      </body>
    </html>
[Figure: the DOM tree (html → head → title; html → body → a → img; body → button), the page layout, and the element stacks ordered toward the user: img over a over body, and button over body, with the status bar at the bottom.]
Case Study: status bar spoofing: mouse handling logic
• In status bar spoofing, only three raw mouse messages are relevant: MouseMove, LeftButtonDown, LeftButtonUp
• Each HTML element has three virtual methods: HandleMessage, DoClick, ClickAction (pseudo code in the paper)
• Each element behaves differently when updating the status bar (SetStatusText) and when navigating to the target URL (FollowHyperlink).
• Message bubbling: the mouse message is passed to the parent element
  • Every element can decide whether to continue the bubbling or cancel it
• We used Maude to model the source code of the mouse handling logic
Case Study: status bar spoofing: finding attacks
• System state: status bar URL, user-memorized URL
• User action sequence (canonicalized): MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp
  • Only two MouseMoves are needed: the status bar is memoryless, so a sequence of MouseMoves is equivalent to one MouseMove
• Execution context (canonicalized): DOM tree structures with at most two branches, corresponding to the two MouseMoves
• Program invariant: at the time of the function call FollowHyperlink(targetURL), targetURL = user-memorized URL
• Use Maude to search for spoofing scenarios
Examples of Status Bar Spoofs
[Figure: element stacks and element layouts for two spoofs. Left: input field, image, button, anchor and form, with form target = foo.com and image/anchor target = paypal.com. Right: image, label and anchor, with the img’s and anchor’s target = paypal.com and the label’s target = foo.com.]
• All because of unexpected combinations of element behaviors
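The search described on the two preceding slides, written out as an added toy model (this is not the paper’s pseudo code, Maude model or IE’s real mouse handling logic; the element behaviours, the URLs and the element alphabet are constructed for illustration). Each element stack lists the elements under the cursor from the topmost toward the root; a message bubbles outward until some element cancels it. The invariant checked is the slide’s: the URL passed to FollowHyperlink must equal the URL the user memorized from the status bar. The search enumerates all pairs of stacks up to a given depth (one stack per MouseMove, as in the canonicalized execution context) and returns those that violate it.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

@dataclass(frozen=True)
class Element:
    kind: str                      # "anchor", "img", "button" or "form" (toy alphabet)
    target: Optional[str] = None   # URL the element would navigate to, if any

BUBBLE, STOP = "bubble", "stop"   # an element's decision after handling a message

def on_mouse_move(elem, state):
    """Toy HandleMessage(MouseMove): may call SetStatusText; returns the bubbling decision."""
    if elem.kind == "anchor":
        state["status"] = elem.target          # SetStatusText(target)
        return STOP
    if elem.kind == "button":
        state["status"] = ""                   # assumed: a button clears the status bar
        return STOP
    return BUBBLE                              # assumed: img and form leave the status bar alone

def on_click(elem, state):
    """Toy DoClick/ClickAction: may call FollowHyperlink; returns the bubbling decision."""
    if elem.kind in ("anchor", "form") and elem.target is not None:
        state["followed"] = elem.target        # FollowHyperlink(target)
        return STOP
    return BUBBLE                              # assumed: img and button bubble the click

def dispatch(stack, handler, state):
    """Message bubbling: walk the stack outward until an element cancels the message."""
    for elem in stack:
        if handler(elem, state) == STOP:
            return

def run_scenario(stack1, stack2):
    """Canonical action sequence: MouseMove, MouseMove, Inspection, LeftButtonDown, LeftButtonUp.
    LeftButtonDown does nothing in this toy model. Returns (memorized URL, followed URL)."""
    state = {"status": "", "followed": None}
    dispatch(stack1, on_mouse_move, state)
    dispatch(stack2, on_mouse_move, state)
    memorized = state["status"]                # Inspection: the user memorizes the status bar
    dispatch(stack2, on_click, state)          # click lands on the stack last hovered
    return memorized, state["followed"]

def invariant_holds(memorized, followed):
    """Program invariant: at FollowHyperlink(targetURL), targetURL == user-memorized URL.
    When no navigation happens there is nothing to spoof."""
    return followed is None or followed == memorized

# Constructed element alphabet; the URLs are placeholders from the slides.
ALPHABET = (
    Element("anchor", "https://paypal.com"),
    Element("anchor", "https://foo.com"),
    Element("form", "https://foo.com"),
    Element("img"),
    Element("button"),
)

def search(max_depth=2):
    """Exhaustively enumerate pairs of element stacks (the execution contexts) and
    collect every pair that violates the invariant, as the Maude search does."""
    stacks = [s for depth in range(1, max_depth + 1)
              for s in product(ALPHABET, repeat=depth)]
    violations = []
    for s1, s2 in product(stacks, repeat=2):
        memorized, followed = run_scenario(s1, s2)
        if not invariant_holds(memorized, followed):
            violations.append((s1, s2, memorized, followed))
    return violations

if __name__ == "__main__":
    for s1, s2, memorized, followed in search():
        print(f"hover {[e.kind for e in s1]} then {[e.kind for e in s2]}: "
              f"status bar showed {memorized!r}, navigated to {followed!r}")
```

The point of the exercise is that no single rule is wrong: an anchor setting the status bar, an image bubbling, and a form navigating on click are each reasonable in isolation, and the violations the search returns (for instance hovering a paypal.com anchor and then an image inside a foo.com form) come only from their combination, which is exactly what the slides mean by "unexpected combinations of element behaviors". Growing the alphabet or the depth enlarges the state space the same way adding element types to the Maude model does.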
Case Study: address bar spoofing: basic concepts (browser, renderer, frame, markup)
[Figure: a Browser whose address bar shows http://MySite.com, containing a Renderer. The PrimaryFrame (from MySite.com) holds a current markup and a pending markup, and contains Frame1 (from PayPal) and Frame2 (from MSN).]
Pseudo code model: loading a new page
[Figure: event flow of the model (legend: posting an event, calling a function, invoking a handler). FollowHyperlink starts the navigation; PostMan’s event queue carries the events start navigation, ready, ensure and onPaint (posted by the OS) to the handlers SwitchMarkup, SetAddressBar, NavigationComplete, EnsureView, RenderView and SetInteractive.]
Pseudo code model: history travel
[Figure: event flow of the model (same legend). History_Back invokes Travel and LoadHistory; PostMan’s event queue carries the events start navigation, ready, ensure and onPaint (posted by the OS) to the handlers SwitchMarkup, SetAddressBar, NavigationComplete, EnsureView, RenderView and SetInteractive.]
Pseudo code model: opening a page in a new window
[Figure: event flow of the model (same legend). WindowOpen leads through InitDocHost, CreateMarkup, SetClientSite, LoadFromInfo, CreateRenderer, CreatePendingDocObject, Load and LoadDocument to SwitchMarkup and SetAddressBar; PostMan’s event queue carries the events start-loading and download-content.]
Case Study: Address Bar Spoofing
• System state: PrimaryFrame, other frames, current markups, pending markups, address bar URL ...
• User action sequence: page loading, history traveling and window opening
• Execution context: a set of Boolean conditions affecting the execution path
• Program invariant: the address bar should display the URL of the current markup of the primary frame.
Discovered Address Bar Spoof (An Atomicity Bug)
1. Load a real paypal page, then load a page from evil.com whose URL is longer than 4000 characters (= the buffer size): https://evil.com#xxxxx...xxxxxxx
2. When the browser switches in the new page, it cannot update the address bar because the URL is longer than the buffer size.
[Figure: the content area shows the page from Evil.com while the address bar still reads https://paypal.com.]
Discovered address bar spoof (a race condition)
[Figure: two flows, "Load a new page" and "History back", over the URLs https://evil.com, https://paypal.com, https://evil.com and c:\windows\system32\shdoclc.dll?http.]
3. Exploiting the race condition: history back and a new page load at the same time
  • Load the evil page
  • Then load the error page
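The address bar case study above, as an added toy model of the "loading a new page" flow (not the paper’s model, not IE code; the handler names follow the slides, their bodies and the 4000-character capacity check are assumptions made here for illustration). The invariant from the case study slide is checked after every event drained from the event queue, which is how the model exposes both the window between SwitchMarkup and SetAddressBar when the update is not atomic, and the persistent mismatch of the discovered bug, where SetAddressBar gives up on a URL longer than its buffer.

```python
from collections import deque

ADDRESS_BAR_CAPACITY = 4000   # buffer size named on the slide; the check itself is an assumption

class BrowserModel:
    """Toy model of the primary frame, its address bar and PostMan's event queue."""

    HANDLERS = {"SwitchMarkup": "switch_markup", "SetAddressBar": "set_address_bar"}

    def __init__(self, atomic_update=False):
        self.primary_current = "about:blank"   # current markup of the primary frame
        self.primary_pending = None            # pending markup of the primary frame
        self.address_bar = "about:blank"
        self.queue = deque()                   # PostMan's event queue
        self.atomic_update = atomic_update     # assumed alternative: update in the same step

    def follow_hyperlink(self, url):
        """FollowHyperlink: create the pending markup and post 'start navigation'."""
        self.primary_pending = url
        self.queue.append("SwitchMarkup")      # posted, not called: other events may run first

    def switch_markup(self):
        """SwitchMarkup: the pending markup becomes the current markup."""
        self.primary_current, self.primary_pending = self.primary_pending, None
        if self.atomic_update:
            self.set_address_bar()             # same step, so no event can observe a gap
        else:
            self.queue.append("SetAddressBar") # posted separately: non-atomic update

    def set_address_bar(self):
        """SetAddressBar with the slide's failure mode: a URL longer than the buffer is dropped."""
        url = self.primary_current
        if len(url) > ADDRESS_BAR_CAPACITY:
            return                             # toy reproduction of the bug: old URL stays
        self.address_bar = url

    def invariant_holds(self):
        """Program invariant: the address bar displays the primary frame's current markup."""
        return self.address_bar == self.primary_current

    def run(self):
        """Drain the event queue, checking the invariant after every event.
        Returns the (event, address bar, current markup) triples that violate it."""
        violations = []
        while self.queue:
            event = self.queue.popleft()
            getattr(self, self.HANDLERS[event])()
            if not self.invariant_holds():
                violations.append((event, self.address_bar, self.primary_current))
        return violations

def check_navigation(url, atomic_update=False):
    """Navigate a fresh model to url and return the invariant violations observed."""
    model = BrowserModel(atomic_update)
    model.follow_hyperlink(url)
    return model.run()

if __name__ == "__main__":
    # Constructed sequence from the slide: a real paypal page, then an over-long evil.com URL.
    long_url = "https://evil.com#" + "x" * 4000
    model = BrowserModel(atomic_update=True)
    model.follow_hyperlink("https://paypal.com")
    print("paypal load:", model.run())          # [] : invariant holds
    model.follow_hyperlink(long_url)
    print("evil load:", model.run())            # address bar still https://paypal.com
```

Two different findings fall out of the same invariant check. With the default non-atomic flow, even a short URL produces one transient violation (the state between SwitchMarkup and SetAddressBar), which is the model’s view of the "non-atomic update of the address bar" bugs listed in the summary; with the over-long URL the violation never clears, because the update is dropped, which matches the discovered spoof where the content comes from evil.com while the address bar still reads paypal.com. Making the update atomic removes only the first kind, so a fix has to address both.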
Conclusions
• Contributions
  • Formulated GUI logic correctness as a new research problem
  • Proposed a systematic approach to proactively uncover security flaws in browser GUI
  • Demonstrated the benefit of the systematic approach to the GUI implementation
• The approach is not IE specific
  • Other browsers (e.g., Firefox, Opera, Netscape, etc.)
  • Non-browser applications (e.g., Outlook, Outlook Express)
Summary of bug reporting for IE 7
• Found many new scenarios for the status bar spoofing; filed them as 9 bugs against IE
  • All fixed before IE7 RC 1 (release candidate 1)
• 4 new scenarios of the address bar spoofing
  • Non-atomic update of the address bar (2 bugs)
  • Non-atomic update of the content area
  • Race condition: multiple frames compete to be the primary
  • The IE team has fixed two, and proposed the fixes for the other 2 to go into the next version