Securing Frame Communication in Browsers by Adam Barth, Collin Jackson, and John C

Securing Frame Communication in Browsers by Adam Barth, Collin Jackson, and John C

DOI:10.1145/1516046.1516066 Securing Frame Communication in Browsers By Adam Barth, Collin Jackson, and John C. Mitchell Abstract map, or a photo album, the site runs the risk of incorporat- Many Web sites embed third-party content in frames, ing malicious content. Without isolation, malicious content relying on the browser’s security policy to protect against can compromise the confidentiality and integrity of the malicious content. However, frames provide insufficient user’s session with the integrator. Although the browser’s isolation in browsers that let framed content navigate well-known “same-origin policy”19 restricts script running other frames. We evaluate existing frame navigation poli- in one frame from manipulating content in another frame, cies and advocate a stricter policy, which we deploy in the browsers use a different policy to determine whether one open-source browsers. In addition to preventing undesir- frame is allowed to navigate (change the location of) another. able interactions, the browser’s strict isolation policy also Although browsers must restrict navigation to provide isola- affects communication between cooperating frames. We tion, navigation is the basis of one form of interframe com- therefore analyze two techniques for interframe communi- munication used by leading companies and navigation cation between isolated frames. The first method, fragment can be used to attack a second interframe communication identifier messaging, initially provides confidentiality with- mechanism. out authentication, which we repair using concepts from a Many recent browsers have overly permissive frame well-known network protocol. The second method, post- navigation policies that lead to a variety of attacks. To pre- Message, initially provides authentication, but we dis- vent attacks, we demonstrate against the Google AdSense cover an attack that breaches confidentiality. We propose login page and the iGoogle gadget aggregator, we propose improvements in the post Message API to provide confi- tightening the browser’s frame navigation policy. Based on dentiality; our proposal has been standardized and adopted a comparison of four policies, we advocate a specific policy in browser implementations. that restricts navigation while maintaining compatibility with existing Web content. We have collaborated with the HTML 5 working group to standardize this policy and with 1. INTRODUCTION browser vendors to deploy this policy in Firefox 3, Safari Web sites contain content from sources of varying trust- 3.1, and Google Chrome. Because the policy is already worthiness. For example, many Web sites contain third- implemented in Internet Explorer 7, our preferred policy party advertising supplied by advertisement networks is now standardized and deployed in the four most-used or their sub-syndicates.3 Other common aggregations browsers. of third-party content include Flickr albums, Facebook With strong isolation, frames are limited in their interac- badges, and personalized home pages offered by the three tions, raising the issue of how isolated frames can cooperate major Web portals (iGoogle, My Yahoo! and Windows Live). as part of a mashup. We analyze two techniques for inter- More advanced uses of third-party components include frame communication: fragment identifier messaging and Yelp’s use of Google Maps to display restaurant locations, postMessage. Table 1 summarizes our results. and the Windows Live Contacts gadget. A Web site combin- ing content from multiple sources is called a mashup, with • Fragment identifier messaging uses frame navigation the party combining the content called the integrator, and to send messages between frames. This channel lacks integrated content called a gadget. In simple mashups, an important security property: messages are confiden- the integrator does not intend to communicate with the tial but senders are not authenticated. These proper- gadgets and requires only that the browser provide isola- ties are analogous to a network channel in which tion. In more sophisticated mashups, the integrator does senders encrypt their messages with the recipi- wish to communicate and requires secure interframe com- ent’s public key. The Microsoft.Live.Channels munication. When a site wishes to provide isolation and library uses fragment identifier messaging to let the communication between content on its pages, the site Windows Live Contacts gadget communicate with its inevitably relies on the browser rendering process and iso- integrator, following an authentication protocol analo- lation policy, because Web content is rendered and viewed gous to the Needham–Schroeder public-key protocol.17 under browser control. In this paper, we study a contemporary Web version of a recurring problem in computer systems: isolating The original version of this paper was published in the untrusted, or partially trusted, components while providing Proceedings of the 17th USENIX Security Symposium, July secure intercomponent communication. Whenever a site 2008. integrates third-party content, such as an advertisement, a JUNE 2009 | VOL. 52 | NO. 6 | COMMUNICATIONS OF THE ACM 83 research highlights Table 1: Security properties of frame communication channels. Confidentiality Authentication Network Analogue Fragment identifier messaging ✓ Public Key Encryption Original postMessage ✓ Public Key Signatures Improved postMessage ✓ ✓ SSL/TLS We discover an attack on this protocol, related to Lowe’s under his or her control, possibly acting as a client or anomaly in the Needham–Schroeder protocol,15 in server in network protocols of the attacker’s choice. which a malicious gadget can impersonate the integra- Typically, the Web attacker uses at least one machine tor to the Contacts gadget. We suggested a solution as an HTTP server, which we refer to as attacker. based on Lowe’s improvement to the Needham– com. The Web attacker has HTTPS certificates for Schroeder protocol15 that Microsoft implemented and domains he or she owns; certificate authorities provide deployed. such certificates for free. The Web attacker’s network • postMessage is a browser API designed for interframe abilities are decidedly weaker than the usual network communication10 that is implemented in Internet attacker considered in network security because the Explorer 8, Firefox 3, Safari 4, Google Chrome, and Web attacker can neither eavesdrop on messages to nor Opera. Although postMessage has been deployed in forge messages from other network locations. For Opera since 2005, we demonstrate an attack on the example, a Web attacker cannot be a network “man-in- channel’s confidentiality using frame navigation. In the-middle.” light of this attack, the postMessage channel pro- • Client Abilities: We assume that the user views vides authentication but lacks confidentiality, analo- attacker.com in a popular browser, rendering the gous to a channel in which senders cryptographically attacker’s content. We make this assumption because sign their messages. To secure the channel, we propose an honest user’s interaction with an honest site should modifying the API. Our proposal has been adopted be secure even if the user visits a malicious site in by the HTML 5 working group and all the major another browser window. The Web attacker’s content is browsers. subject to the browser’s security policy, making the Web attacker decidedly weaker than an attacker who The remainder of the paper is organized as follows. can execute an arbitrary code with the user’s privileges. Section 2 details our threat models. Section 3 surveys exist- For example, a Web attacker cannot install a system- ing frame navigation policies and standardizes a secure wide key logger or botnet client. policy. Section 4 analyzes two frame communication mech- anisms, demonstrates attacks, and proposes defenses. We do not assume that the user treats attacker.com as Section 5 describes related work. Section 6 concludes. a site other than attacker.com. For example, the user never gives a bank.com password to attacker.com. We 2. THREAT MODEL also assume that honest sites are free of cross-site scripting In this section, we define precise threat models so that we vulnerabilities.20 In fact, none of the attacks described in can determine how effectively browser mechanisms defend this paper rely on running malicious JavaScript as an honest against specific classes of attacks. We consider two kinds principal. Instead, we focus on privileges the browser itself of attackers, a “Web attacker” and a slightly more powerful affords the attacker to interact with honest sites. “gadget attacker.” Although phishing 4, 6 can be described In addition to our interest in protecting users that informally as a Web attack, we do not assume that either the visit malicious sites, our assumption that the user visits Web attacker or the gadget attacker can fool the user by using attacker.com is further supported by several techniques a confusing domain name (such as bankofthevvest. for attracting users. For example, an attacker can place Web com) or by other social engineering. Instead, we assume the advertisements, host popular content with organic appeal, user uses every browser security feature, including the loca- or send bulk e-mail encouraging visitors. Typically, simply tion bar and lock icon, accurately and correctly. viewing an attacker’s advertisement (such as on a search page) lets the attacker mount a Web attack. In a previous 2.1. Web attacker study,12 we purchased over 50,000 impressions for $30. A Web attacker

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    9 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us