DOCSLIB.ORG

Cure53 Browser Security White Paper

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cure53 Browser Security White Paper Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected] Cure53 Browser Security White Paper Dr.-Ing. Mario Heiderich Alex Inführ, MSc. Fabian Fäßler, BSc. Nikolai Krein, MSc. Masato Kinugawa Tsang-Chi "Filedescriptor" Hong, BSc. Dario Weißer, BSc. Dr. Paula Pustułka Cure53, Berlin · 29.11.17 1/330 Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected] List of Tables .............................................................................................................................. 3 List of Figures ............................................................................................................................ 5 Chapter 1. Introducing Cure53 BS White Paper ......................................................................... 7 Browser Security Landscape: An Overview ............................................................................ 9 The Authors .......................................................................................................................13 The Sponsor ......................................................................................................................15 Earlier Projects & Related Work .........................................................................................15 Research Scope ................................................................................................................16 Version Details ...................................................................................................................19 Research Methodology, Project Schedule & Teams ...........................................................19 Security Features ...............................................................................................................24 Chapter 2. Memory Safety Features .........................................................................................28 Process Level Sandboxing .................................................................................................45 Chapter 3. CSP, XFO, SRI & Other Security Features ..............................................................53 Chapter 4. DOM Security Features ......................................................................................... 115 Chapter 5. Security Features of Browser Extensions & Plugins ............................................. 168 Chapter 6. UI Security Features .............................................................................................. 216 Other Features, Security Response & Observations ........................................................ 268 Chapter 7. Conclusions & Final Verdict ................................................................................... 281 Microsoft MSIE11 ............................................................................................................. 281 Microsoft Edge ................................................................................................................. 284 Google Chrome................................................................................................................ 287 Scoring Tables ..................................................................................................................... 290 Memory Safety Features Meta-Table ................................................................................... 291 CSP, XFO, SRI & other Security Features Meta-Table ......................................................... 292 DOM Security Features Meta-Table ..................................................................................... 294 Browser Extension & Plugin Security Meta-Table ................................................................ 297 UI Security Features & Other Aspects Meta-Table ............................................................... 298 Appendix ................................................................................................................................. 300 Cure53, Berlin · 29.11.17 2/330 Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected] List of Tables Table 1. Chrome Process List ...................................................................................................33 Table 2. MSIE Process List .......................................................................................................34 Table 3. Edge Process List ........................................................................................................36 Table 4. ASLR Policies ..............................................................................................................39 Table 5. CFG Policies ................................................................................................................40 Table 6. Font Loading Policies ..................................................................................................41 Table 7. Dynamic Code Policies ................................................................................................42 Table 8. Image Load Policies ....................................................................................................43 Table 9. Binary Signature Policies .............................................................................................44 Table 10 System Call Disable Policies ......................................................................................48 Table 11. Directory Access Test Results ....................................................................................49 Table 12. File Access Test Results ............................................................................................50 Table 13. Registry Access Test Results .....................................................................................51 Table 14.Network Access Test Results ......................................................................................52 Table 15. XFO Browser Support ................................................................................................64 Table 16. X-UA-Compatible Browser Support ...........................................................................69 Table 17. Content Sniffing Behavior across Browsers ...............................................................73 Table 18. Content-Type forcing across browsers .......................................................................74 Table 19. Number of supported non-standard Charsets ............................................................80 Table 20. BOM support in the tested browsers ..........................................................................81 Table 21. Priority of BOM over Content-Type ............................................................................81 Table 22. XSS Filter enables Charset XSS ................................................................................82 Table 23. X-XSS-Protection Filter Browser Support ..................................................................84 Table 24. Chances and outcomes of bypassing XSS Filters ......................................................89 Table 25. XXN can introduce XSS .............................................................................................92 Table 26. XSS Filters can introduce Infoleaks ...........................................................................94 Table 27.Overview of CSP Directives by CSP Version ..............................................................96 Table 28. CSP Directive Support ...............................................................................................97 Table 29. Subresource Integrity Browser Support ................................................................... 100 Table 30. Service Worker Browser Support ............................................................................. 102 Table 31. Security Zones Support ........................................................................................... 110 Table 32. Plans for future Security Features ............................................................................ 111 Table 33. Number of DOM Properties exposed in window ....................................................... 120 Table 34. SOP implementation flaws ....................................................................................... 122 Table 35. Proper handling of document.domain ...................................................................... 123 Table 36. Browser Support of PSL .......................................................................................... 124 Table 37. Browser Support of Secure Cookies ........................................................................ 128 Table 38. Browser Support of HttpOnly Cookies ...................................................................... 129 Cure53, Berlin · 29.11.17 3/330 Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected] Table 39. Requests being considered top-level ....................................................................... 131 Table 40. Browser Support of SameSite Cookies .................................................................... 131 Table 41. Browser Support of Cookie Prefixes ........................................................................ 133 Table 42. Cookie ordering across browsers ............................................................................
Load more

Recommended publications
  • Browser Security Information
    Browser Security Information Customer security is important to us. Our top priority is to protect the privacy of your personal account information and your financial transactions FirstLine Mortgages is leading the way in Internet banking services and uses several layers of robust security technology to help ensure the confidentiality of transactions across the Internet. The first security level begins with your Web browser. When you access FirstLine Mortgages Internet Site , your browser is checked to ensure that it meets our minimum requirements. Additionally, we only allow customers with browsers that use 128-bit encryption (one of the highest levels of browser security available today) to bank on our web site. But, even with this validation, there are other precautions you should follow to maximize your protection. You have a responsibility to ensure your own security. The browser validation will verify the browser type you are using, your browser encryption level, the version of Netscape or Microsoft browser, as well as Javascript and cookies being enabled. To access -FirstLine Mortgages Internet site , you need to use: • a Netscape browser version 4.06 or better with a minimum 128-bit encryption technology • a Microsoft browser version 4.01 SP2 or better with a minimum 128-bit encryption technology • Javascript (please see below for more information about how to check and enable Javascript support) • Cookies (see below) If your browser does not meet all of these requirements, you will need to upgrade your browser to access the FirstLine Internet Site . To upgrade your browser, select the Netscape or Microsoft button below and download the latest browser version.
    [Show full text]
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications
    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
    [Show full text]
  • But Were Afraid to Ask!)
    05_576593 ch01.qxd 10/12/04 9:55 PM Page 9 Chapter 1 All You Ever Wanted to Know about JavaScript (But Were Afraid to Ask!) In This Chapter ᮣ Understanding a working definition of JavaScript ᮣ Dispelling common JavaScript misconceptions ᮣ Getting started with JavaScript tools ᮣ Finding information online aybe you’ve surfed to a Web site that incorporates really cool features, Msuch as ߜ Images that change when you move your mouse over them ߜ Slideshow animations ߜ Input forms with pop-up messages that help you fill in fields correctly ߜ Customized messages that welcome repeat visitors By using JavaScript and the book you’re reading right now you can create all these effects and many more! The Web page in Figure 1-1 shows you an example COPYRIGHTEDof the kinds of things that you canMATERIAL look forward to creating for your own site. A lot has changed since the previous edition of JavaScript For Dummies came out. Perhaps the biggest change is the evolution of DHTML, or dynamic HTML. DHTML refers to JavaScript combined with HTML and cascading style sheets, and it’s a powerful combination you can use to create even more breathtak- ingly cool Web sites than ever before. 05_576593 ch01.qxd 10/12/04 9:55 PM Page 10 10 Part I: Building Killer Web Pages for Fun and Profit Figure 1-1: JavaScript lets you add interactive features to your Web site quickly and easily. Along with this increased power comes increased complexity, unfortunately — but that’s where this new, improved, better-tasting edition of JavaScript For Dummies comes in! Even if you’re not a crackerjack programmer, you can use the techniques and sample scripts in this book to create interactive Web pages bursting with animated effects.
    [Show full text]
  • Towards a Verified Range Analysis for Javascript Jits
    Towards a Verified Range Analysis for JavaScript JITs Fraser Brown John Renner Andres Nötzli Stanford, USA UC San Diego, USA Stanford, USA Sorin Lerner Hovav Shacham Deian Stefan UC San Diego, USA UT Austin, USA UC San Diego, USA Abstract Earlier this year, Google’s Threat Analysis Group identi- We present VeRA, a system for verifying the range analysis fied websites, apparently aimed at people “born in a certain pass in browser just-in-time (JIT) compilers. Browser devel- geographic region” and “part of a certain ethnic group,” that opers write range analysis routines in a subset of C++, and would install a malicious spyware implant on any iPhone verification developers write infrastructure to verify custom used to visit them. Two bugs exploited in this campaign, analysis properties. Then, VeRA automatically verifies the according to analysis by Google’s Project Zero [41, 68], were range analysis routines, which browser developers can in- in the JIT component of Safari’s JavaScript engine [5, 34]. tegrate directly into the JIT. We use VeRA to translate and The JavaScript JITs shipped in modern browsers are ma- verify Firefox range analysis routines, and it detects a new, ture, sophisticated systems developed by compilers experts. confirmed bug that has existed in the browser for six years. Yet bugs in JIT compilers have emerged in recent months as the single largest threat to Web platform security, and the CCS Concepts: • Security and privacy ! Browser se- most dangerous attack surface of Web-connected devices. curity; • Software and its engineering ! Just-in-time Unlike other compilers, browser JITs are exposed to adver- compilers; Software verification and validation; Domain sarial program input.
    [Show full text]
  • Understanding the Attack Surface and Attack Resilience of Project Spartan’S (Edge) New Edgehtml Rendering Engine
    Understanding the Attack Surface and Attack Resilience of Project Spartan’s (Edge) New EdgeHTML Rendering Engine Mark Vincent Yason IBM X-Force Advanced Research yasonm[at]ph[dot]ibm[dot]com @MarkYason [v2] © 2015 IBM Corporation Agenda . Overview . Attack Surface . Exploit Mitigations . Conclusion © 2015 IBM Corporation 2 Notes . Detailed whitepaper is available . All information is based on Microsoft Edge running on 64-bit Windows 10 build 10240 (edgehtml.dll version 11.0.10240.16384) © 2015 IBM Corporation 3 Overview © 2015 IBM Corporation Overview > EdgeHTML Rendering Engine © 2015 IBM Corporation 5 Overview > EdgeHTML Attack Surface Map & Exploit Mitigations © 2015 IBM Corporation 6 Overview > Initial Recon: MSHTML and EdgeHTML . EdgeHTML is forked from Trident (MSHTML) . Problem: Quickly identify major code changes (features/functionalities) from MSHTML to EdgeHTML . One option: Diff class names and namespaces © 2015 IBM Corporation 7 Overview > Initial Recon: Diffing MSHTML and EdgeHTML (Method) © 2015 IBM Corporation 8 Overview > Initial Recon: Diffing MSHTML and EdgeHTML (Examples) . Suggests change in image support: . Suggests new DOM object types: © 2015 IBM Corporation 9 Overview > Initial Recon: Diffing MSHTML and EdgeHTML (Examples) . Suggests ported code from another rendering engine (Blink) for Web Audio support: © 2015 IBM Corporation 10 Overview > Initial Recon: Diffing MSHTML and EdgeHTML (Notes) . Further analysis needed –Renamed class/namespace results into a new namespace plus a deleted namespace . Requires availability
    [Show full text]
  • Bibliography of Erik Wilde
    dretbiblio dretbiblio Erik Wilde's Bibliography References [1] AFIPS Fall Joint Computer Conference, San Francisco, California, December 1968. [2] Seventeenth IEEE Conference on Computer Communication Networks, Washington, D.C., 1978. [3] ACM SIGACT-SIGMOD Symposium on Principles of Database Systems, Los Angeles, Cal- ifornia, March 1982. ACM Press. [4] First Conference on Computer-Supported Cooperative Work, 1986. [5] 1987 ACM Conference on Hypertext, Chapel Hill, North Carolina, November 1987. ACM Press. [6] 18th IEEE International Symposium on Fault-Tolerant Computing, Tokyo, Japan, 1988. IEEE Computer Society Press. [7] Conference on Computer-Supported Cooperative Work, Portland, Oregon, 1988. ACM Press. [8] Conference on Office Information Systems, Palo Alto, California, March 1988. [9] 1989 ACM Conference on Hypertext, Pittsburgh, Pennsylvania, November 1989. ACM Press. [10] UNIX | The Legend Evolves. Summer 1990 UKUUG Conference, Buntingford, UK, 1990. UKUUG. [11] Fourth ACM Symposium on User Interface Software and Technology, Hilton Head, South Carolina, November 1991. [12] GLOBECOM'91 Conference, Phoenix, Arizona, 1991. IEEE Computer Society Press. [13] IEEE INFOCOM '91 Conference on Computer Communications, Bal Harbour, Florida, 1991. IEEE Computer Society Press. [14] IEEE International Conference on Communications, Denver, Colorado, June 1991. [15] International Workshop on CSCW, Berlin, Germany, April 1991. [16] Third ACM Conference on Hypertext, San Antonio, Texas, December 1991. ACM Press. [17] 11th Symposium on Reliable Distributed Systems, Houston, Texas, 1992. IEEE Computer Society Press. [18] 3rd Joint European Networking Conference, Innsbruck, Austria, May 1992. [19] Fourth ACM Conference on Hypertext, Milano, Italy, November 1992. ACM Press. [20] GLOBECOM'92 Conference, Orlando, Florida, December 1992. IEEE Computer Society Press. http://github.com/dret/biblio (August 29, 2018) 1 dretbiblio [21] IEEE INFOCOM '92 Conference on Computer Communications, Florence, Italy, 1992.
    [Show full text]
  • Reforming Vulnerability Disclosure Programs in the Private Sector
    Debugging the System: Reforming Vulnerability Disclosure Programs in the Private Sector Jasmine Arooni* TABLE OF CONTENTS I. INTRODUCTION ..................................................................................... 445 II. VULNERABILITY DISCLOSURE PROGRAMS IN PRACTICE: HOW DO THEY WORK? .............................................................................................. 448 III. THE CURRENT LEGAL LANDSCAPE: LEGAL RISKS FACED BY VDP SECURITY RESEARCHERS .................................................................. 450 A. The Computer Fraud and Abuse Act and Its Impact on Security Research ..................................................................................... 451 B. The DMCA and Its Impact on Security Research ....................... 453 C. Safe Harbor Language: A Superficial Fix, Not a Complete Solution ....................................................................................... 454 IV. THE DOJ’S DISCRETIONARY GUIDANCE FOR PRIVATE VDPS ............. 455 V. THE U.S. GOVERNMENT’S INFLUENTIAL ROLE IN VDP GOVERNANCE .................................................................................................... 456 A. The U.S. Government as a “Crowdsourcer”: Validating the Importance of Public Engagement to Cybersecurity ................. 457 B. The U.S. Government as a “Rule Maker”: The DHS’ Compulsory Authority over Government VDPs .............................................. 458 C. The Government as an “Example”: The Impact of Government VDPs on the Private Sector, as Evidenced Through
    [Show full text]
  • Platform Support Matrix for SAP Business
    Platform Support Matrix PUBLIC SAP Business One Document Version: 1.28 – 2021-05-07 SAP Business One Platform Support Matrix Release 9.0 and higher Typographic Conventions Type Style Description Example Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Textual cross-references to other documents. Example Emphasized words or expressions. EXAMPLE Technical names of system objects. These include report names, program names, transaction codes, table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE. Example Output on the screen. This includes file and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools. Example Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation. <Example> Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system. EXAMPLE Keys on the keyboard, for example, F2 or ENTER. PUBLIC © 2021 SAP SE or an SAP affiliate company. All SAP Business One Platform Support Matrix 2 rights reserved. Typographic Conventions Document History Version Date Change 1.0 2014-02-12 Release Version 1.01 2014-05-08 SAP Note 1787431 link added on XL Reporter platform support restrictions 1.02 2014-07-08 SAP Business One 9.1 added to the overview
    [Show full text]
  • A Novel Approach of MIME Sniffing Using
    ISSN: 2277-3754 ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 4, Issue 11, May 2015 A Novel Approach of MIME Sniffing using AES Ankita Singh, Amit Saxena, Dr.Manish Manoria TRUBA Institute of Engineering and Information Technology (TIEIT), Bhopal (M.P) We discuss some web application attacks which can be Abstract— In today’s scenario communication is rely on possible over browser also discuss security concern can be web, users can access these information from web with the use applied in future for security on web application of browsers, as the usage of web increases the security of data is required. If browser renders malicious html contents or environment. JavaScript code block, the content sniffing attack may occur. The contents are divided in different sections. In section In this paper we provide a framework with AES algorithm to 2 we mention different types of attacks. Related work is secure the content sniffing for the web browsers with text, discussed in section 3. Proposed work is discussed in image and PDF files. In this work the data files having section 4. Result analysis in section 5. Conclusion and encryption then partition in multiple parts for reducing the future direction in Section 6, and then references are duration of file transmission and transferring with parity bit checking to identify the attack. mention. II. ATTACKS Index Terms— Cross-Site Scripting, Web Application We discuss about some attacks, associated with this Security, Content Sniffing, MIME, AES. work. ClickJacking[11] - The purpose of this attack is to open I.
    [Show full text]
  • A Dropbox Whitepaper Dropbox for Business Security
    Dropbox for Business security A Dropbox whitepaper Dropbox for Business security Contents Introduction 3 Product features (security, control, and visibility) 3 Under the hood 7 Application security 10 Apps for Dropbox 12 Network security 13 Vulnerability management 14 Dropbox information security 16 Physical security 17 Compliance 17 Privacy 19 Dropbox Trust Program 20 Summary 21 Dropbox for Business security Millions of users trust Dropbox to easily and reliably store, sync, and share photos, videos, docs, and other files across devices. Dropbox for Business brings that same simplicity to the workplace, with advanced features that help teams share instantly across their organizations and give admins the visibility and control they need. But more than just an easy-to-use tool for storage and sharing, Dropbox for Business is designed to keep important work files secure. To do this, we’ve created a sophisticated infrastructure onto which account administrators can layer and customize policies of their own. In this paper, we’ll detail the back-end policies, as well as options available to admins, that make Dropbox the secure tool for getting work done. Product features (security, control, and visibility) Dropbox provides the administrative control and visibility features that empower both IT and end users to effectively manage their businesses and data. Below is a sampling of features available to team admins and users, as well as third-party integrations for managing core IT processes. Admin management features No two organizations are exactly alike, so we’ve developed a number of tools that empower admins to customize Dropbox for Business to their teams’ particular needs.
    [Show full text]
  • Browser Security Features
    Browser Security features Michael Sonntag Institute of Networks and Security Cookies: Securing them Attention: These are “requests” by the server setting the cookie Browsers will follow them, but applications not necessarily Secure/HTTPS-only: Do not send unencrypted This is an element of the Cookie header itself “Set-Cookie: “ …content, domain, expiration… “;Secure” Often the application contains an option to set this automatically HTTP-only: No access by JavaScript This is an element of the Cookie header itself “Set-Cookie: “ …content, domain, expiration… “;HttpOnly” Host-only: Do not set the “Domain” attribute Not set: Send to exactly this host only Domain set: Send to every host at or under this domain Priority: When too many cookies from a single domain, delete those of low priority first Not really a security feature! 2 Cookies: Securing them SameSite: Cookie should not be sent with cross-site requests (some CSRF-prevention; prevent cross-origin information leakage) “Strict” : Never cross origin; not even when clicking on a link on site A leading to B the Cookie set from B is actually sent to B “Lax” (default): Sent when clicking on most links, but not with POST requests: “Same-Site” and “cross-site top-level navigation” Not as good as strict: E.g. “<link rel='prerender’>” is a same-site request fetched automatically (and kept in the background!) Sent: GET requests leading to a top-level target (=URL in address bar changes; but may contain e.g. path) I.e.: Will not be sent for iframes, images, XMLHttpRequests
    [Show full text]
  • Javascript Security
    Color profile: Generic CMYK printer profile Composite Default screen Complete Reference / JavaScript: TCR / Powell & Schneider / 225357-6 / Chapter 22 Blind Folio 679 22 JavaScript Security ownloading and running programs written by unknown parties is a dangerous proposition. A program available on the Web could work as advertised, but then Dagain it could also install spyware, a backdoor into your system, or a virus, or exhibit even worse behavior such as stealing or deleting your data. The decision to take the risk of running executable programs is typically explicit; you have to download the program and assert your desire to run it by confirming a dialog box or double-clicking the program’s icon. But most people don’t think about the fact that nearly every time they load a Web page, they’re doing something very similar: inviting code—in this case, JavaScript—written by an unknown party to execute on their computer. Since it would be phenomenally annoying to have to confirm your wish to run JavaScript each time you loaded a new Web page, the browser implements a security policy designed to reduce the risk such code poses to you. A security policy is simply a set of rules governing what scripts can do, and under what circumstances. For example, it seems reasonable to expect browsers’ security policies to prohibit JavaScript included on Web pages downloaded from the Internet from having access to the files on your computer. If they didn’t, any Web page you visited could steal or destroy all of your files! In this chapter we examine the security policies browsers enforce on JavaScript embedded in Web pages.
    [Show full text]