request
Browser Web
reply site
Lecture 5: Browser Security
OS Network
ECE1776 Hardware
David Lie • Web Browser is extremely important!
– The prime method for users to access
remote hosts on the internet
– A great deal of attacks and
vulnerabilities involve web browsers
1 2
1
This Lecture: Browser Security Browser Session Example: Purchasing Online
• Cookies
www.e_buy.com/
– Cookie mechanism, JunkBuster/Privoxy
shopping.cfm?
www.e_buy.com
pID=269&
• Privacy
item1=102030405
– Anonymizer, Crowds
7
http is stateless: 8
Accumulate state information about session in URL
11 12
2
Example: Mortgage Center Cookie issues
• Problems
– Cookies maintain record of your browsing habits
• May include any information a web site knows about you
– 3rd party cookies can be used to track your habits across
different web sites
– Browser attacks could invade your “privacy”
08 Nov 2001
Users of Microsoft's browser and e-mail programs could be
vulnerable to having their browser cookies stolen or modified
due to a new security bug in Internet Explorer (IE), the
company warned today.
• Not just a privacy issue!
<html><title> • Stealing someone’s cookies may allow attacker to impersonate the
victim:
Mortgage Center
– Cross-site Scripting attacks and session high jacking
</title><body>
… http://www.loanweb.com/ad.asp?RLID=0b70at1ep0k9
13 14
• There are many privacy enhancing tools out there such as Norton,
ZoneLabs, Google and even Yahoo themselves.
3
Browsing Anonymizers Related approach to anonymity
www.anonymizer.com/
cgi-bin/redirect.cgi?url=…
Browser
Anonymizer Server
19 20
C3
C C1 C • Probable innocence
pf
C2 C – Probability <50% that the observed source of the message is
C0 1-pf
the actual sender
• Find out what sites know about you • Data is harmless (?)
– Anonymizer.com, other sites will tell you want they can find – Remember that on van Neumann architectures, data and
about your IP address code are the same
– Many other sites offer this too … • Risks come from code received from web
– Scripts in web pages
• Interpreted by the browser
– Applets
• Mobile code that is temporary
www.anonymizer.com
• Interpreted by some other application (JVM)
Try Private Surfing FREE! – Plug-ins (realplayer, flash, etc….)
Make your online activities invisible • Usually installed as applications and are called by browser
and untrackable to online snoops.
• Run with full permissions of user
Just type a URL & click “GO.”
GO
23 24
4
JavaScript ActiveX
• Language executed by browser • ActiveX controls reside on client's machine, activated by HTML
• Used in many attacks (to exploit other vulnerabilities) object tag on the page
– Cookie attack (08 Nov 2001): – ActiveX controls are not interpreted by browser
With the assistance of some JavaScript code, an – Compiled binaries executed by client OS
attacker could construct a Web page or HTML-based e-
– Can be downloaded and installed
mail that could access any cookie in the browser's
memory or those stored on disk ... • Security model relies on three components
• JavaScript runs – Digital signatures to verify source of binary
– Before the HTML is loaded, before the document is viewed – IE policy can reject controls from network zones
– While the document is viewed, or as the browser is leaving – Controls marked by author as safe for initialization, safe for
scripting which affects the way control used
Once accepted, installed and started, no control over execution !
25 26
• MSDN Warning
– An ActiveX control can be an extremely insecure way to
provide a feature.
• Why?
– A COM object, control can do any user action
• read and write Windows registry
• access the local file system
– Other web pages can attack a control
• Once installed, control can be accessed by any page
• Page only needs to know class identifier (CLSID)
• Recommendation: use other means if possible
If you install and run, no further control over the code. http://msdn.microsoft.com/library/default.asp?url=/workshop/c
In principle, browser/OS could apply sandboxing, other omponents/activex/security.asp?frame=true
techniques for containing risks in native code. 27 28
29 30
5
Java Applet Mobile code security mechanisms
• If there is an error in the verifier, an attacker could exploit that to • In addition to verifying byte code:
run unsafe code
• Sandboxing
– Many early attacks based on verifier errors
– Run program in restricted environment
– Adversary can coerce VM to do something unsafe • Analogy: child’s sandbox with only safe toys
– This term refers to
• Formal verification studies prove correctness • Features of loader, verifier, interpreter that restrict program
– Abadi and Stata • Java Security Manager, a special object that acts as access control
– Freund and Mitchell “gatekeeper”
• Found error in initialize-before-use analysis
• Code signing
– Use cryptography to determine who wrote class file
• Info used by security manager
33 34
35 36
6
Beyond JVM security Summary: Browser security
• JVM does not prevent • Because Browser is often the primary point of contact with the
– Denial of service attacks Internet, it poses several security risks:
• Applet creates large windows and ignores mouse – May damage user’s privacy through cookies or web bugs
– Certain network behavior – Mobile Code in the form of plug-ins, controls or scripts may
• Applet can send unauthorized e-mail or forge email (on some allow unauthorized access to system resources
implementations)
– URL spoofing • Solutions usually involve using a sandbox or a proxy that filters
• Applet can write false URL on browser status line content
– Annoying behavior – The difficulty usually involves configuring a policy that is
• Applet can play loud sound, or display images safe, but not too restrictive
• Applet can reload pages in new windows We’ll see many of these issues in other forms when we
discuss OS security, network security
37 38