Securing Browser Frame Navigation and Communication - PowerPoint PPT Presentation

About This Presentation
Title:

Securing Browser Frame Navigation and Communication

Description:

Assumes policy invariants (e.g., left/right symmetric) ... Supported in latest betas of many browsers. Not a secure channel. Confidentiality. Integrity ... – PowerPoint PPT presentation

Slides: 20
Provided by: AdamB93

Transcript and Presenter's Notes

Title: Securing Browser Frame Navigation and Communication


1
Securing Browser Frame Navigation and
Communication
  • Adam Barth
  • Collin Jackson
  • John C. Mitchell
  • Stanford University

2
Outline
  • Frame Isolation
      • Improving the frame navigation policy
  • Frame Communication
      • Fragment identifier messaging authentication
      • postMessage confidentiality

3
FRAME ISOLATION
  • Part I

4
Cross-Window Attack
window.open("https://attacker.com/", "awglogin")
5
Experiment to Determine Policy
  • Frame navigation policy not documented
      • Some comments in Firefox source code, but
        misleading
      • No source code available for IE or Opera
  • Uber frame navigation test case
      • Assumes policy invariants (e.g., left/right
        symmetric)
      • Attempts 176 navigations, records results
  • Extracted policy for Internet Explorer, Firefox,
    and Safari

6
Policy Behavior
7
Browser Frame Navigation Policies
8
Window Policy Anomaly
top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...
9
Principle: Pixel Delegation
  • Frames delegate screen pixels
      • Child cannot draw outside its frame
      • Parent can draw over the child's pixels
  • Navigation similar to drawing
      • Navigation replaces frame contents
      • Simulate by drawing over frame
  • Policy ought to match pixel delegation
      • Navigate a frame if can draw over the frame

10
Solution: Descendant Policy
  • Best security / compatibility trade-off
      • Security: Respects pixel delegation
      • Compatibility: Least restrictive such policy
  • Implementation
      • Wrote patches for Firefox and Safari
      • Wrote over 1000 lines of regression tests
  • Deployment
      • Apple released patch as security update
      • Mozilla will ship policy in Firefox 3

11
Adoption of Descendant Policy
12
Subtlety: Scripting Policy Interaction
  • Is this permissible?
  • Target is not descendant
  • Can draw over pixels
  • Inject script into parent
  • Parent draws the pixels
  • Allow navigation
  • canScript o canDraw
  • Large compatibility win
  • No security loss

[Diagram: frames labeled a.com, a.com and b.com]
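The policies from slides 8 to 12 as a small model, added here as an example; it is not code from the presentation or from the browser patches. The `Frame` class, the helper names and the sample frame tree are assumptions, and the window policy is modelled as "any frame may navigate any frame in the same window".

```javascript
// Simplified model of the frames inside one browser window (constructed example).
class Frame {
  constructor(origin, parent = null) {
    this.origin = origin;
    this.parent = parent;
    this.children = [];
    if (parent) parent.children.push(this);
  }
}

// Walk up to the top-level frame of the window.
function topOf(frame) {
  while (frame.parent) frame = frame.parent;
  return frame;
}

// Every frame in the tree rooted at `root`.
function allFrames(root) {
  return [root, ...root.children.flatMap(allFrames)];
}

// True when `target` sits strictly below `ancestor` in the frame tree.
function isDescendant(target, ancestor) {
  for (let f = target.parent; f; f = f.parent) {
    if (f === ancestor) return true;
  }
  return false;
}

// Window policy: a frame may navigate any frame in its own window.
const windowPolicy = (active, target) => topOf(active) === topOf(target);

// Descendant policy: a frame may navigate itself and the frames it could
// draw over, i.e. its descendants (pixel delegation).
const descendantPolicy = (active, target) =>
  active === target || isDescendant(target, active);

// Slide 12: if `active` can script a same-origin frame that may navigate the
// target, it could inject script there anyway, so allow the navigation directly.
const composedPolicy = (active, target) =>
  allFrames(topOf(active)).some(
    (f) => f.origin === active.origin && descendantPolicy(f, target));

// Constructed sample page: a.com embeds an a.com frame, a b.com frame and an
// attacker.com frame as siblings.
const page = new Frame("https://a.com");
const helper = new Frame("https://a.com", page);
const gadget = new Frame("https://b.com", page);
const evil = new Frame("https://attacker.com", page);
```

Under the window policy `evil` may navigate `gadget`; under the descendant policy it may not, while `helper` regains that right only through the same-origin composition.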
13
FRAME COMMUNICATION
  • Part II

14
Fragment Identifier Messaging
  • Send information by navigating a frame
      • http://gadget.com/#hello
  • Navigating to fragment doesn't reload frame
      • No network traffic, but frame can read its
        fragment
  • Not a secure channel
      • Confidentiality
      • Integrity
      • Authentication

15
Fix: Improve the protocol
  • Proposed Needham-Schroeder-Lowe
  • Adoption
      • Microsoft Windows Live Channels library
      • IBM OpenAjax Hub 1.1

16
postMessage
  • New API for inter-frame communication
  • Supported in latest betas of many browsers
  • Not a secure channel
      • Confidentiality
      • Integrity
      • Authentication

17
Reply Attack
18
Fix: Improve the API
  • Let the sender specify the recipient
      • frame[0].postMessage("Hello", "http://gadget.com")
      • Can use "*" if confidentiality not required
  • Adoption
      • Firefox 3
      • Internet Explorer 8
      • Safari 3.1

19
Summary
  • All proposals deployed to real users
  • Frame isolation
      • Improved frame navigation policy
      • Fixed Guninski and Gadget Hijacking
      • Drive-by-downloads still a concern
  • Frame communication
      • Secured fragment identifier messaging
      • Secured new postMessage API