Noncespaces: Using Randomization to Enforce

Noncespaces: Using Randomization to Enforce
Information Flow Tracking and Thwart Cross-Site
Scripting Attacks
Matthew Van Gundy and Hao Chen
University of California, Davis
16th Annual Network & Distributed System Security Symposium
Noncespaces
NDSS ’09
Cross-Site Scripting (XSS) Vulnerabilities
Noncespaces
NDSS ’09
Cross-Site Scripting (XSS) Vulnerabilities
<p class=’comment’>
{$comment}
</p>
Noncespaces
NDSS ’09
Cross-Site Scripting (XSS) Vulnerabilities
<p class=’comment’>
Great Article!
</p>
Noncespaces
NDSS ’09
Cross-Site Scripting (XSS) Vulnerabilities
<p class=’comment’>
<script>p0wn()</script>
</p>
Noncespaces
NDSS ’09
Cross-Site Scripting (XSS) Vulnerabilities
<p class=’comment’>
</p> <script>p0wn()</script>
</p>
Noncespaces
<p>
NDSS ’09
Threat Model
I
An attacker can submit arbitrary content to XSS-vulnerable
applications
I
An attacker cannot compromise web server or browser directly
I
Malicious content must contain XHTML tags and attributes
Noncespaces
NDSS ’09
Limitations of Existing Solutions
Server-side
I
Server sanitizes untrusted data before sending it to the client
I
Client may interpret data in an unexpected way
I
E.g. Server replaces "<script>" with ""
But attacker injects <script/xss>
Client-side
I
Client enforces a server-specified policy
Challenges
I
The client must know whether to trust content
I
Attacker must not be able to forge trust metadata
Noncespaces
NDSS ’09
Noncespaces Architecture
I
Server partitions content into trust classes
I
Server randomizes document to prevent forging of trust
classification
I
Server specifies policy of content permitted for each trust class
I
Client displays the document only if it conforms to the policy
Noncespaces
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
Noncespaces
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
Noncespaces
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
I
XHTML quote = ("http://www.w3.org/1999/xhtml", "q")
Noncespaces
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
I
XHTML quote = ("http://www.w3.org/1999/xhtml", "q")
I
FAQML question = ("urn:FAQML", "q")
Noncespaces
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
I
XHTML quote = ("http://www.w3.org/1999/xhtml", "q")
I
FAQML question = ("urn:FAQML", "q")
I
< |{z}
x : q xmlns : x = ” http : //www.w3.org/1999/xhtml ” >
|{z}
|
{z
}
Noncespaces
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
I
XHTML quote = ("http://www.w3.org/1999/xhtml", "q")
I
FAQML question = ("urn:FAQML", "q")
I
< |{z}
x : q xmlns : x = ” http : //www.w3.org/1999/xhtml ” >
|{z}
|
{z
}
NamespaceURI
Noncespaces
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
I
XHTML quote = ("http://www.w3.org/1999/xhtml", "q")
I
FAQML question = ("urn:FAQML", "q")
I
< |{z}
x : q xmlns : x = ” http : //www.w3.org/1999/xhtml ” >
|{z}
|
{z
}
prefix
Noncespaces
NamespaceURI
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
I
XHTML quote = ("http://www.w3.org/1999/xhtml", "q")
I
FAQML question = ("urn:FAQML", "q")
I
< |{z}
x : q xmlns : x = ” http : //www.w3.org/1999/xhtml ” >
|{z}
|
{z
}
prefix
Noncespaces
name
NamespaceURI
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
I
XHTML quote = ("http://www.w3.org/1999/xhtml", "q")
I
FAQML question = ("urn:FAQML", "q")
I
< |{z}
x : q xmlns : x = ” http : //www.w3.org/1999/xhtml ” >
|{z}
|
{z
}
prefix
I
name
NamespaceURI
<f:q xmlns:f="urn:FAQML">
Noncespaces
NDSS ’09
Namespaces in XML
I
In (X)HTML: <q> = quote, <a> = anchor
I
In FAQML: <q> = question, <a> = answer
I
XHTML quote = ("http://www.w3.org/1999/xhtml", "q")
I
FAQML question = ("urn:FAQML", "q")
I
< |{z}
x : q xmlns : x = ” http : //www.w3.org/1999/xhtml ” >
|{z}
|
{z
}
prefix
name
NamespaceURI
I
<f:q xmlns:f="urn:FAQML">
I
<faq:q xmlns:faq="urn:FAQML">
Noncespaces
NDSS ’09
Defeating Node Splitting
I
<x:a>...</x:a>
Noncespaces
NDSS ’09
Defeating Node Splitting
I
<x:a>...</x:a>
I
<x:a>...</a>
Noncespaces
NDSS ’09
Defeating Node Splitting
I
<x:a>...</x:a>
I
<x:a>...</a>
I
<x:a>...</y:a>
Noncespaces
NDSS ’09
Encoding Trust Classifications
I
Trusted <a>
Noncespaces
NDSS ’09
Encoding Trust Classifications
I
Trusted <a> ⇒ <t:a>
Noncespaces
NDSS ’09
Encoding Trust Classifications
I
Trusted <a> ⇒ <t:a>
I
Untrusted <a>
Noncespaces
NDSS ’09
Encoding Trust Classifications
I
Trusted <a> ⇒ <t:a>
I
Untrusted <a>
I
Randomly choose trusted prefixes to prevent forgery
Noncespaces
NDSS ’09
Web Page Before Noncespaces
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>nile.com : ++Shopping</title>
</head>
<body>
<h1 id="title">{$item->name}</h1>
<h2>Reviews</h2>
<p class=’review’>
{$review}
</p>
</body>
</html>
Noncespaces
NDSS ’09
Node Splitting Attack After Noncespaces
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<r617:html xmlns="http://www.w3.org/1999/xhtml"
xmlns:r617="http://www.w3.org/1999/xhtml">
<r617:head>
<r617:title>nile.com : ++Shopping</r617:title>
</r617:head>
<r617:body>
<r617:h1 r617:id="title">Useless Do-dad</r617:h1>
<r617:h2>Reviews</r617:h2>
<r617:p r617:class=’review’>
</p> <script>p0wn()</script>
</r617:p>
</r617:body>
</r617:html>
Noncespaces
<p>
NDSS ’09
XSS Attack After Noncespaces
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<r617:html xmlns="http://www.w3.org/1999/xhtml"
xmlns:r617="http://www.w3.org/1999/xhtml">
<r617:head>
<r617:title>nile.com : ++Shopping</r617:title>
</r617:head>
<r617:body>
<r617:h1 r617:id="title">Useless Do-dad</r617:h1>
<r617:h2>Reviews</r617:h2>
<r617:p r617:class=’review’>
<script src=’http://badguy.com/p0wn.js’ />
</r617:p>
</r617:body>
</r617:html>
Noncespaces
NDSS ’09
Need for a client-side policy
Innocuous Input
<b>WARNING:</b>
Noncespaces
NDSS ’09
Need for a client-side policy
Innocuous Input
<b>WARNING:</b>
<em>very</em> important
Noncespaces
NDSS ’09
Need for a client-side policy
Innocuous Input
<b>WARNING:</b>
<em>very</em> important
<a href=’http://useful.com/’>[1]</a>
Noncespaces
NDSS ’09
Need for a client-side policy
Innocuous Input
<b>WARNING:</b>
<em>very</em> important
<a href=’http://useful.com/’>[1]</a>
Malicious Input
<b onmouseover=’...’>WARNING:</b>
Noncespaces
NDSS ’09
Need for a client-side policy
Innocuous Input
<b>WARNING:</b>
<em>very</em> important
<a href=’http://useful.com/’>[1]</a>
Malicious Input
<b onmouseover=’...’>WARNING:</b>
<em onclick=’...’>very</em> important
Noncespaces
NDSS ’09
Need for a client-side policy
Innocuous Input
<b>WARNING:</b>
<em>very</em> important
<a href=’http://useful.com/’>[1]</a>
Malicious Input
<b onmouseover=’...’>WARNING:</b>
<em onclick=’...’>very</em> important
<a href=’javascript:...’>[1]</a>
Noncespaces
NDSS ’09
Need for a client-side policy
XHTML
Policy
<b>
<em>
<a href=’http:...’>
Noncespaces
NDSS ’09
Need for a client-side policy
XHTML
Policy
<b>
allow //untrusted:b
<em>
<a href=’http:...’>
Noncespaces
NDSS ’09
Need for a client-side policy
XHTML
Policy
<b>
allow //untrusted:b
<em>
allow //untrusted:em
<a href=’http:...’>
Noncespaces
NDSS ’09
Need for a client-side policy
XHTML
Policy
<b>
allow //untrusted:b
<em>
allow //untrusted:em
<a href=’http:...’>
allow //untrusted:a/@untrusted:href[
starts-with(normalize-space(.),
"http:")]
Noncespaces
NDSS ’09
Need for a client-side policy
XHTML
Policy
<b>
allow //untrusted:b
<em>
allow //untrusted:em
<a href=’http:...’>
allow //untrusted:a/@untrusted:href[
starts-with(normalize-space(.),
"http:")]
<b onmouseover=’’>
<em onclick=’’>
<a href=’java...’>
Noncespaces
NDSS ’09
Need for a client-side policy
XHTML
Policy
<b>
allow //untrusted:b
<em>
allow //untrusted:em
<a href=’http:...’>
allow //untrusted:a/@untrusted:href[
starts-with(normalize-space(.),
"http:")]
<b onmouseover=’’>
deny //@untrusted:onmouseover
<em onclick=’’>
<a href=’java...’>
Noncespaces
NDSS ’09
Need for a client-side policy
XHTML
Policy
<b>
allow //untrusted:b
<em>
allow //untrusted:em
<a href=’http:...’>
allow //untrusted:a/@untrusted:href[
starts-with(normalize-space(.),
"http:")]
<b onmouseover=’’>
deny //@untrusted:onmouseover
<em onclick=’’>
deny //@untrusted:*
<a href=’java...’>
Noncespaces
NDSS ’09
Need for a client-side policy
XHTML
Policy
<b>
allow //untrusted:b
<em>
allow //untrusted:em
<a href=’http:...’>
allow //untrusted:a/@untrusted:href[
starts-with(normalize-space(.),
"http:")]
<b onmouseover=’’>
deny //@untrusted:onmouseover
<em onclick=’’>
deny //@untrusted:*
<a href=’java...’>
deny //@untrusted:href[
starts-with(normalize-space(.),
"javascript:")]
Noncespaces
NDSS ’09
Determining Trusted Content
I
Design patterns separate presentation and business logic
Templates contain static HTML (presentation)
I
Program creates dynamic content from user input
I
Noncespaces
NDSS ’09
Determining Trusted Content
I
I
Design patterns separate presentation and business logic
Templates contain static HTML (presentation)
I
I
Classify as trusted
Program creates dynamic content from user input
Noncespaces
NDSS ’09
Determining Trusted Content
I
I
Design patterns separate presentation and business logic
Templates contain static HTML (presentation)
I
I
Classify as trusted
Program creates dynamic content from user input
I
Noncespaces
Classify as untrusted
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Modifications to Smarty
Noncespaces
NDSS ’09
Client-side Modifications
Noncespaces
NDSS ’09
Client-side Modifications
Noncespaces
NDSS ’09
Client-side Modifications
Noncespaces
NDSS ’09
Client-side Modifications
Noncespaces
NDSS ’09
Client-side Modifications
Noncespaces
NDSS ’09
Client-side Modifications
Noncespaces
NDSS ’09
Client-side Modifications
Noncespaces
NDSS ’09
Client-side Modifications
Noncespaces
NDSS ’09
Evaluation
I
Tested effectiveness of Noncespaces on 2 applications
I
Developed policy for each application
I
Ensured that Noncespaces stopped a number of XSS attacks
I
Measured performance overhead of both server-side
randomization and client-side policy checking
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Evaluation
Baseline
Server randomization w/o proxy
Server randomization w/ proxy
0.8
0.7
Avg. Requests/sec
0.6
0.5
0.4
0.3
0.2
30
10
0
1
0.1
# of concurrent requests
Noncespaces
NDSS ’09
Related Work
I
Instruction Set Randomization (Kc et al., CCS ’03) and
(Barrantes et al., CCS ’03)
I
BEEP (Jim et al., WWW ’07)
I
Mutation Event Transforms (Erlingsson et al., HotOS ’07)
I
Noxes (Kirda et al., ACM SAC ’06)
I
Cross-Site Scripting Prevention with Dynamic Data Tainting and
Static Analysis (Vogt et al., NDSS ’07)
Noncespaces
NDSS ’09
Conclusion
I
We can achieve security without data sanitization on the server
I
I
I
Servers classify how trustworthy content is
Servers convey trust classifications in a tamper resistant way
Clients interpreting the content enforce the policy
I
Leverage randomization and XML features to thwart XSS attacks
I
Leverage design paradigms to determine trust information
without dynamic information flow tracking
Noncespaces
NDSS ’09
Questions?
Noncespaces
NDSS ’09
Example Noncespaces Policy
1
2
namespace trusted
namespace untrusted
3
4
5
allow //trusted:*
allow //trusted:@*
6
7
8
9
10
11
12
13
14
15
allow //untrusted:b
allow //untrusted:i
allow //untrusted:u
allow //untrusted:a
allow //untrusted:a/@untrusted:href[
starts-with(normalize-space(.), "http:")]
allow //untrusted:img
allow //untrusted:img/@untrusted:src[
starts-with(normalize-space(.), "http:")]
16
17
18
deny //*
deny //@*
Noncespaces
NDSS ’09