Science of Web Security and Third-party tracking
description
Transcript of Science of Web Security and Third-party tracking
![Page 1: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/1.jpg)
Science of Web Security and Third-party tracking
John Mitchell
Dagstuhl October 2012
![Page 2: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/2.jpg)
This talk will cover a few topics
Science of securityWeb modelingExperimental web security studyPrivacy and third-party tracking
![Page 3: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/3.jpg)
Security modeling and analysis
System of interestProperties desired of the system Can include intended purpose or function Or just that failure should not be
catastrophicAttacker actions and interface to system aka Threat model
Security: the attacker cannot cause the desired properties to fail
![Page 4: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/4.jpg)
System
AttackerAlice
General picture
Users interact with the systemSystem is intended to serve them in some way
If users enter expected input, system will deliver desired output
Attacker may have a different interface and capabilities. Disrupt honest user’s use of the system Learns information intended for others only
![Page 5: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/5.jpg)
Network Attacker
May intercept and alter network traffic; cannot break cryptoAlice
System
Network security
![Page 6: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/6.jpg)
Web Attacker
Sets up malicious site visited by
victim; no control of network
Alice
System
Web security
![Page 7: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/7.jpg)
Measurement?Threat models can be compared Every mechanism that is secure against a
stronger threat model is secure against a weaker one
Properties can be compared Every mechanism that guarantees a
stronger property also guarantees a weaker one
![Page 8: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/8.jpg)
Experiments?Some properties amenable to experiment Do users find system convenient? Do known attacks cause harm? Which design process appear to produce
more secure systems?Some properties inherently analytical Does system resist all attacks against a
certain property, within a given threat model?
![Page 9: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/9.jpg)
OutlineScience of securityWeb modelingExperimental web security studyPrivacy and third-party tracking
![Page 10: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/10.jpg)
Goals of web securitySafely browse the web Users should be able to visit a variety of
web sites, without incurring harm: No stolen information (without user’s permission) Site A cannot compromise session at Site B
Secure web applications Applications delivered over the web should
have the same security properties we require for stand-alone applications
Other ideas?
![Page 11: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/11.jpg)
A formal model of the web
Includes browser, servers, and networkThreat models include: web attacker with no special network
privilege network attacker that can eavesdrop
and/or modify unencrypted traffic at will
Security goals include: Security invariants
Assumptions about how today’s Web works
Example: no DELETE in cross-origin HTTP requests
Session integrity Attacker does not participate in the HTTP
transaction
![Page 12: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/12.jpg)
Alloy [Jackson]
Concepts expressed by relations General logical language
User inputs “scope” to determine precision Tool converts logical expressions to finitary
form by allocating specific number of bits to each possible value
SAT-based analysis Satisfiability checker used to see if formula
is satisfiable Leverage large community working on
efficient SAT checkers
![Page 13: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/13.jpg)
Web modeling examplesabstract sig NetworkEvent extends Event {
from: NetworkEndpoint, to: NetworkEndpoint }abstract sig HTTPEvent extends NetworkEvent {
host: Origin }sig HTTPRequest extends HTTPEvent {
method: Method,path: Path,headers: set HTTPRequestHeader }
sig HTTPResponse extends HTTPEvent {statusCode: Status,headers: set HTTPResponseHeader
}
![Page 14: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/14.jpg)
PrincipalsA Principal is an entity that controls a set of NetworkEndpoints and owns a set of DNSLabels, which represent fully qualified host names:
abstract sig Principal {servers: set NetworkEndpoint,dnslabels: set DNS
}abstract sig PassivePrincipal
extends Principal{} {servers in HTTPConformist
}
![Page 15: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/15.jpg)
BrowsersA Browser is an HTTPClient together with a set of trusted CertificateAuthorites and a set of ScriptContexts. (For technical convenience, we store the Browser as a property of a ScriptContext.)
abstract sig Browserextends HTTPClient {trustedCA: set CertificateAuthority
}sig ScriptContext {
owner: Origin,location: Browser,transactions: set HTTPTransaction
}
![Page 16: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/16.jpg)
Cookies (modeled as a fact)Idea: HTTPRequests from Browsers contain only appropriate cookies from previous SetCookieHeaders
fact { all areq:HTTPRequest | {
areq.from in BrowserhasCookie[areq]
} implies all acookie: reqCookies[areq] |some aresp: getBrowserTrans[areq].resp | {aresp.host.dnslabel = areq.host.dnslabelacookie in respCookies[aresp]happensBeforeOrdering[aresp,areq]}
}
![Page 17: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/17.jpg)
Property: session integrityfun involvedServers[t:HTTPTransaction] :
set NetworkEndpoint { (t.*cause &
HTTPTransaction).resp.from + getTransactionOwner[t].servers
}
pred webAttackerInCausalChain[t:HTTPTransaction] { some (WEBATTACKER.servers & involvedServers[t]) }
![Page 18: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/18.jpg)
Alloy metamodel
![Page 19: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/19.jpg)
Sample case studies
HTML5 FormsReferer validationWebAuth protocol
![Page 20: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/20.jpg)
Referer Validation
A proposed defense against Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) [F. Kerschbaum, 2007]
Websites reject a request unless the referer header is from the same
site, or the request is directed at an “entry”
page vetted for CSRF and XSS vulnerabilities
![Page 21: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/21.jpg)
ModelingReferer header already part of modelAdd check: RefererProtected principals allow HTTP requests with external Referers only on the “LOGIN” page:fact {
all aReq:HTTPRequest | {(getTransaction[aReq].resp.fromin RefererProtected.servers )and isCrossOrigin[aReq]
} implies aReq.path = LOGIN}
![Page 22: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/22.jpg)
Referer header and redirectsreferer: http://www.site.com
referer: http://www.site.com
![Page 23: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/23.jpg)
![Page 24: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/24.jpg)
Referer Validation - Countermeasure
Exploitation CSRF and XSS can be carried out on
websites protected with Referer Validation
Countermeasure This vulnerability is difficult to correct
as Referer header has been widely deployed
Websites can try to suppress all outgoing Referer headers using, for example, the noreferrer relation attribute on hyperlinks.
Web extension Origin header records path of
redirects
![Page 25: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/25.jpg)
WebAuth
Web-based Single Sign-On protocolWebAuth and a similar protocol, Central Authentication Service (CAS), are deployed at over 80 universities worldwideAlthough we analyze WebAuth specifically, we have verified the same vulnerability exists in CAS
![Page 26: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/26.jpg)
WebAuth Analysis
Attack An insider can share privileged web
resources with unprivileged users without sharing login credentials
Attacker can steal sensitive user information by logging users into attacker’s account
Countermeasure Store a nonce in a host cookie to
bind messages 3 and 9, and splice in messages in between by including the nonce in the request and id tokens.
Verified the fix up to a finite size in our model
![Page 27: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/27.jpg)
ChallengeDoes CSP prevent XSS?
![Page 28: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/28.jpg)
Statistics for the case studiesCase Study
Lines of new code
No. of CNF
clausesCNF gen. time (sec)
CNF solve time (sec)
HTML5 Form 20 976,174 27.67 73.54
Referer Validation 35 974,924 30.75 9.06
WebAuth 214 355,093 602.4 35.44
• The base model contains some 2,000 lines of code
• Tests were performed on an Intel Core 2 Duo 3.16GHz CPU with 3.2 GB memory
![Page 29: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/29.jpg)
Conclusion of case studies
Identified previously unknown attacks in HTML5 Forms, Referer validation, and WebAuth Proposed countermeasures to the attacks These attacks are identified based on a formal model the Web that is implemented in Alloy Modeling approach can discover practical new attacks and verify the security of alternate designs, up to a certain size of the model
![Page 30: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/30.jpg)
OutlineScience of securityWeb modelingExperimental web security studyPrivacy and third-party tracking
![Page 31: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/31.jpg)
Experimental StudyWhat factors most strongly influence the likely security of a new web site? Developer training? Developer team and commitment?
freelancer vs stock options in startup? Programming language? Library, development framework?
How do we tell? Can we use automated tools to reliably measure
security in order to answer the question above?
![Page 32: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/32.jpg)
ApproachDevelop a web application vulnerability metric Combine reports of 4 leading commercial black box
vulnerability scanners and Evaluate vulnerability metric Using historical benchmarks and our new sample of
applicationsUse vulnerability metric to examine the impact of three factors on web application security: developed by startup company or freelancers developer security knowledge Programming language framework
![Page 33: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/33.jpg)
Data Collection and AnalysisEvaluate 27 web applications from 19 Silicon Valley startups and 8
outsourcing freelancers using 5 programming languages.
Correlate vulnerability rate with developed by startup company or freelancers developer security knowledge (assessed by a
simple quiz programming language used
![Page 34: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/34.jpg)
Comparison of scanner vulnerability detection
![Page 35: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/35.jpg)
Developer security self-assessment
![Page 36: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/36.jpg)
Language usage in sampleNu
mbe
r of a
pplic
atio
ns
![Page 37: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/37.jpg)
Summary of ResultsSecurity scanners are useful but not perfect
Tuned to current trends in web application development Tool comparisons performed on single testbeds are not predictive in a
statistically meaningful way Combined output of several scanners is a reasonable comparative measure
of code security, compared to other quantitative measuresBased on scanner-based evaluation
Freelancers are more prone to introducing injection vulnerabilities than startup developers, in a statistically meaningful way
PHP applications have statistically significant higher rates of injection vulnerabilities than non-PHP applications; PHP applications tend not to use frameworks
Startup developers are more knowledgeable about cryptographic storage and same-origin policy compared to freelancers, again with statistical significance.
Low correlation between developer security knowledge and the vulnerability rates of their applications
Warning: don’t hire freelancers to build secure web site in PHP.
![Page 38: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/38.jpg)
OutlineScience of securityWeb modelingExperimental web security studyPrivacy and third-party tracking
![Page 39: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/39.jpg)
![Page 40: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/40.jpg)
Current Page
![Page 41: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/41.jpg)
Browsing History
Financial InformationHealth Information
Shopping History. . .
![Page 42: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/42.jpg)
80+%third-party tracking
should be illegal
Source: Turow et al. 2009
90+%opt outs should be
legally binding
Public opinion on Web tracking
![Page 43: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/43.jpg)
stateful tracking
stateless tracking
tagging
fingerprinting
Tracking technology
![Page 44: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/44.jpg)
HTTP cookiesFlash Local Shared Objects
Silverlight Isolated Storage
content cache
HTTP ETags
window.nameIE userData
HTML5 session/local/global/database storage
TLS session ID & resume
HTTP authentication
browsing history
HTML5 protocol & content handlersHTTP STS
DNS cacheSource:
[Aggrawal10]
![Page 45: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/45.jpg)
link
this is blue
![Page 46: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/46.jpg)
link
this is purple
![Page 47: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/47.jpg)
User Agent
HTTP ACCEPT Headerscookies enabled?
screen resolution
browser plug-ins
MIME support
installed fonts
browser add-ons
clock skewSources: [Eckersley10],
[Mayer09]
![Page 48: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/48.jpg)
Anti-tracking efforts
Black lists are difficult to produce and maintain
![Page 49: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/49.jpg)
≈70 companies
![Page 50: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/50.jpg)
opt out
= Do Not Target Ads
![Page 51: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/51.jpg)
Do Not TrackHTTP header DNT: 1
Advantages universal no updating one click
Adopted by major browsers
![Page 52: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/52.jpg)
10+ million users(≈100x opt-out cookie
users)
![Page 53: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/53.jpg)
Consensus about Do Not Track
![Page 54: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/54.jpg)
Tracking third-party tracking
Stanford DoNotTrack and FourthParty www.donottrack.us cyberlaw.stanford.edu
observe suspicious behaviormonitor ad distributions✓
![Page 55: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/55.jpg)
![Page 56: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/56.jpg)
13emailfirst name
![Page 57: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/57.jpg)
7email
![Page 58: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/58.jpg)
25+username
(> 100 million users)
![Page 59: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/59.jpg)
![Page 60: Science of Web Security and Third-party tracking](https://reader036.fdocuments.in/reader036/viewer/2022081520/56816935550346895de08e8f/html5/thumbnails/60.jpg)
SummaryScience of securityWeb modelingExperimental web security studyPrivacy and third-party tracking