WebSpec, a formal framework for browser security analysis, reveals new cookie attack

Folks at Technische Universität Wien in Austria have devised a formal security framework called WebSpec to analyze browser security.

And they’ve used it to identify multiple logical flaws affecting web browsers, revealing a new cookie-based attack and an unresolved Content Security Policy contradiction.

These logical flaws are not necessarily security vulnerabilities, but they can be. They’re inconsistencies between Web platform specifications and the way these specs actually get implemented within web browsers.

WebSpec was developed by Lorenzo Veronese, Benjamin Farinier, Mauro Tempesta, Marco Squarcina, and Matteo Maffei in an effort to bring rigor to web security through automated, verifiable rule checking rather than manual evaluation.

Browsers, as they explain in an academic paper, “WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms,” have become tremendously complex and continue to become more so as additional components get added to the web platform.

New web platform components undergo compliance testing, the researchers say, but their specifications get reviewed manually by technical experts to understand how new technologies interact with legacy APIs and individual browser implementations.

“Unfortunately, manual reviews tend to overlook logical flaws, eventually leading to critical security vulnerabilities,” the computer scientists explain, pointing to how eight years after the introduction of the HttpOnly flag in Internet Explorer 6 – as a way to keep cookies confidential from client-side scripts – researchers discovered the flag could be bypassed by scripts accessing the response headers of an AJAX request using the getResponseHeader function.

WebSpec uses the Coq theorem proving language to subject the interplay of browsers and their specified behavior to formal testing. It makes browser security a matter of machine-checkable Satisfiability Modulo Theories (SMT) proofs.

To test for inconsistencies between web specs and browsers, the researchers defined ten “invariants,” each of which describes “a property of the Web platform that is expected to hold across its updates and independently on how its components can possibly interact with each other.”

These invariants or rules represent testable conditions that should hold true, such as “Cookies with the Secure attribute can only be set (using the Set-Cookie header) over secure channels,” as defined in RFC 6265, Section 4.1.2.5.

Of the ten invariants evaluated, three failed.

“In particular, we show how WebSpec is able to discover a new attack on the __Host- prefix for cookies as well as a new inconsistency between the inheritance rules for the Content Security Policy and a planned change in the HTML standard,” the paper explains.

HTTP cookies prefixed with “__Host-” are supposed to only be set by the host domain or scripts included on pages on that domain. WebSpec, however, found an attack to break the related invariant test.

“A script running on a page can modify at runtime the effective domain used for SOP [Same-Origin Policy] checks through the document.domain API,” the paper explains, noting that the mismatch between access control policies in the Document Object Model and the cookie jar lets a script running in an iframe access the document.cookie property on a parent page if both pages set document.domain to the same value.

The researchers note that while the current web platform remains vulnerable to this attack, eventually it won’t be: the document.domain property has been deprecated, meaning browsers will eventually drop support for it.
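The Secure-cookie invariant quoted above and the __Host- mismatch described in the last few paragraphs can both be illustrated with a small executable model of the two access-control layers involved. The code below is an added example written for this article; it is not WebSpec, not the paper's Coq model, and not browser code. It keeps a cookie jar keyed by host (the layer that enforces the RFC 6265 Secure rule and the __Host- prefix rules) and a DOM layer whose same-origin check compares the effective domain that document.domain can relax. The hosts app.example.com and other.example.com and the cookie names are constructed for the example. `run_scenario` returns whether the __Host- invariant holds, once with document.domain available and once with it removed, as the deprecation will eventually make it.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    domain: Optional[str] = None   # None: host-only cookie (no Domain attribute)
    path: str = "/"


@dataclass
class CookieJar:
    """Simplified cookie jar keyed by (host, name); no expiry, no path matching."""
    store: dict = field(default_factory=dict)

    def set_cookie(self, scheme: str, host: str, cookie: Cookie) -> bool:
        """Model of Set-Cookie processing. Returns False when the cookie is rejected."""
        # RFC 6265 section 4.1.2.5: a Secure cookie may only be set over a secure channel
        if cookie.secure and scheme != "https":
            return False
        # __Host- prefix rules: Secure attribute, no Domain attribute, Path=/
        if cookie.name.startswith("__Host-"):
            if not cookie.secure or cookie.domain is not None or cookie.path != "/":
                return False
        # A Domain attribute must domain-match the host that sets the cookie
        if cookie.domain is not None and not (
            host == cookie.domain or host.endswith("." + cookie.domain)
        ):
            return False
        self.store[(cookie.domain or host, cookie.name)] = cookie
        return True

    def cookies_for(self, host: str) -> list:
        """Cookies the jar exposes for this host (request headers or document.cookie)."""
        return [c for (d, _), c in self.store.items()
                if d == host or (c.domain is not None and host.endswith("." + d))]


@dataclass
class Document:
    """A document's origin host plus the effective domain used for DOM same-origin checks."""
    host: str
    jar: CookieJar
    effective_domain: str = ""

    def __post_init__(self):
        self.effective_domain = self.host

    def set_document_domain(self, value: str) -> None:
        # document.domain may only be relaxed to a suffix of the origin host
        if not (value == self.host or self.host.endswith("." + value)):
            raise ValueError("not a parent domain of " + self.host)
        self.effective_domain = value


def read_cookie_property(script_doc: Document, target_doc: Document) -> list:
    """Model of a script in script_doc reading target_doc's document.cookie.
    The DOM check compares effective domains; the jar answers for the target's host."""
    if script_doc.effective_domain != target_doc.effective_domain:
        raise PermissionError("cross-origin access blocked")
    return target_doc.jar.cookies_for(target_doc.host)


def host_prefix_invariant(script_doc: Document, target_doc: Document) -> bool:
    """Invariant: a __Host- cookie is visible only to scripts whose document has that host."""
    try:
        visible = read_cookie_property(script_doc, target_doc)
    except PermissionError:
        return True
    return all(not c.name.startswith("__Host-") or script_doc.host == target_doc.host
               for c in visible)


def run_scenario(document_domain_available: bool) -> bool:
    """Parent page on app.example.com holding a __Host- cookie, with a frame on
    other.example.com (hypothetical hosts). Returns whether the invariant holds."""
    jar = CookieJar()
    parent = Document("app.example.com", jar)
    frame = Document("other.example.com", jar)
    assert jar.set_cookie("https", parent.host, Cookie("__Host-session", "s3cr3t", secure=True))
    if document_domain_available:
        # Both documents relax their effective domain to the shared parent domain
        parent.set_document_domain("example.com")
        frame.set_document_domain("example.com")
    return host_prefix_invariant(frame, parent)


if __name__ == "__main__":
    print("invariant holds with document.domain:", run_scenario(True))      # False
    print("invariant holds without document.domain:", run_scenario(False))  # True
```

The jar rejects the cases the Secure and __Host- rules forbid (a Secure cookie set over http, a __Host- cookie carrying a Domain attribute), so the cookie layer is consistent on its own. The invariant only fails because the DOM layer keys its decision on a different value than the jar does; removing document.domain from the model, as the deprecation will do in browsers, restores it.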

The authors also used WebSpec to discover an inconsistency with the way Blob objects – objects containing data that can be read as text, binary, or streams using built-in object methods – inherit their Content Security Policy.

Lorenzo Veronese, a doctoral student at TU Wien, raised the issue last July to the working group of the HTML standard, but the different behaviors described in the CSP spec and the policy container explainer have yet to be reconciled.

Antonio Sartori, a Google software engineer, has developed a fix but it has yet to be integrated into the HTML standard.

In any event, the availability of WebSpec as a tool to formally evaluate browser behavior should make life a bit easier for those struggling to maintain sprawling browser codebases. ®
