Post on 25-Dec-2015
Towards a Formal Foundation of Web Security
devdatta akhawe / adam barth / peifung eric lamjohn mitchell / dawn song
motivation
the web is interestingweb security is hardformalization will help
informed abstract models
of the web platform
will be amenable to automation,
reveal practical attacks
and support useful evaluation of
alternate designs.
web security 101abstract model
alloy implementationcase studies
The complete isolation that SOP provides is too coarse for modern applications.
browsers handle code + documents from multiple sources and need to ensure integrity and confidentialityThe security of the whole system is a global property based on invariants at all three components
Network
robber.com
bank.com
Web Browser
robber.com bank.com
Same Origin Policy – code from different websites or “origins” shouldn’t interfere
User
Same Origin Event Cross Origin Event
web security 101
abstract modelalloy implementation
case studies
User
The security of the whole system is a global property based on invariants at all three components
Network
robber.com
bank.com
Web Browser
robber.com bank.com
User
Simple model of user – not confused and follows security indicators
Web Browser Network
Web Browser
Network
network browser
threats goals
network browser
threats goals
•The sandbox in which code runs•what are the semantics of the isolation? Origin, path, http(s)?
Script Context
•Location bar, http(s), lock icon•who decides what is shown ?
User Interface
•Stored passwords/cookies•when to send them?
State Storage
network browser
threats goals
network browser
threats goals
•Connected to network•May break specification (esp. attacker)•Many to many relationship with DNSservers•HTTP Methods, status codes, headers•Integrity – some headers/methods determined by attackerhttp•Different APIs with specific constraints•For example, XHR works only same-origin, Forms only allow GET/POST
network requests
network browser
threats goals
network browser
threats goals
web attacker• robber.com• browser APIs only
gadget attacker• can inject limited form of
content• comments on a blog
network attacker• can modify network
traffic• except encrypted content
• Malicious person with his own site• No special network privileges• Key threat model
threat model hierarchy
Note that any protocol not over HTTPS can be easily subverted by the network attacker
network browser
threats goals
network browser
threats goals
• Session integrity– Any action that an honest server takes should not be
directly/indirectly caused by a dishonest/untrusted principal
– A request caused by robber.com shouldn’t reduce money in my bank account
• Don’t break web invariants– Do not increase attack surface of benign applications– For example, currently cross-origin DELETE/PUT
requests with ambient authorization (cookies) aren’t allowed
security goals• Session integrity– Any action that an honest server takes should not be
directly/indirectly caused by a dishonest/untrusted principal
– A request caused by robber.com shouldn’t reduce money in my bank account
web security 101abstract model
alloy implementationcase studies
Alloy
• An object modeling language• Executable model eased development• Bounded model checker• Translates predicates to SAT instances• Easy visualization of counterexamples
metamodel
session integrity
// a function that for a given transaction// tells the list of servers involved in causing it
fun involvedServers[t:HTTPTransaction]:set NetworkEndpoint{// the ScriptContext origingetTransactionOwner[t].servers // get list of servers involved in redirect chain+ (t.*cause & HTTPTransaction).resp.from
}
pred webAttackerInCausalChain[t:HTTPTransaction]{// see if WebAttacker controlled server in set of involvedsome (WEBATTACKER.servers & involvedServers[t])
}
web security 101abstract model
alloy implementation
case studies
Name Type of vulnerability Previously
Origin Header integrity violation known
Cross Origin Resource Sharing breaks invariant known
HTML5 Form breaks invariant unknown
Referer Validation integrity violation unknown
WebAuth session fixation unknown
Name Type of vulnerability Previously
Origin Header integrity violation known
Cross Origin Resource Sharing breaks invariant known
HTML5 Form breaks invariant unknown
Referer Validation integrity violation unknown
WebAuth session fixation unknown
case studies
case studies
• HTML5 Form vulnerability– Extremely simple vulnerability – Missed completely by many experts until our
study• Referer Validation Vulnerability– Past verification not detailed enough
• WebAuth Vulnerability– More complicated– Hard to find without such analysis
HTML5 Form
HTML5
GET/POSTDELETEPUT
GET/POSTDELETEPUT
robber.com
bank.com
GET/POST
GET/POST
HTML4
Page at robber.com
the attack
HTML5
PUT
PUT ???
cross origin redirect to bank.com
“Don’t break web invariants” violated
robber.com
bank.com
Page at robber.com
Fix is to disable cross-origin redirects for special methods; model doesn’t find any error after fix
alloy counterexample(actual snapshot)
Referer Validation
WebAuth
WebAuth
• Single sign on solution at Stanford– called CalNet at Berkeley– also common in other academic institutions
• Single sign on: one password to rule them all– Provides a service similar to Kerberos, but on web
• At least two parties other than user– The single sign on provider (WebAuth Server)– The application, e.g. library services
Application
WebAuth Server
GET Secret
Access Denied! Login at WebAuth (redirect)
login form
UsernamePassword
Send Secret and Set Cookie identifying user for future
Username/Password ok! Redirect to App with identifier key
Run Crypto Checks on Identifier sentIdentifier Key
This completes the login procedure
the attack
Application
WebAuth Server
GET secret
Access Denied! Login at WebAuth (redirect)
UsernamePassword Username /Password ok!
Redirect to App with identifier key
Run Crypto Checks on Identifier sent
BLOCK and save link
Set cookie identifying user as ATTACKER
Send the link Follow link
attacker
benign user
login form
Attacker’s credentials
that identifies attackerIs this really that bad ?
why this is bad
• At UC Berkeley, I pay my bills via a service that uses CalNet
• Could be fooled into paying someone else’s bill
• Fix is to add a nonce to ensure that the application remembers context – model fails to find attack after fix
conclusion
informed abstract models
of the web platform
will be amenable to automation,
reveal practical attacks
and support useful evaluation of
alternate designs.
informed abstract models
of the web platform
will be amenable to automation,
reveal practical attacks
and support useful evaluation of
alternate designs.
images from sxc.hu
http://bit.ly/csf10-websec
thank you