Residue Objects: A Challenge to Web Browser Security Robert - - PowerPoint PPT Presentation



SLIDE 1

Residue Objects: A Challenge to Web Browser Security

Robert Rosolek, University of Warsaw

SLIDE 2

Agenda

  • Introduction
  • Background for object management in Internet Explorer
  • Testing and studying residue objects
  • Conclusions and Future Work

SLIDE 3

Introduction

Part 1 Part 2 Part 3 Part 4

SLIDE 4

Managing the lifetimes of objects in memory

  • nontrivial task in complex systems
  • especially tricky for browsers: a page may navigate away

Introduction

SLIDE 5

Correct navigation semantics for the page being navigated away: the page is 'gone'

  • all its objects disappear
  • objects are no longer usable

Crucial for security.

Introduction

SLIDE 6

So can we just destroy all objects of the page that is navigated away?

Introduction

SLIDE 7

Introduction

SLIDE 8

Introduction

Dilemma:

  • Object garbage collected → dangling references, memory corruption
  • Object not collected → invalid object residing in memory

SLIDE 9

Residue object: an object of the old page that still resides in memory after the navigation

Residue objects

SLIDE 10

Visual Spoofing

SLIDE 11

Involuntary navigation

SLIDE 12

Cross-domain access

  • same-origin policy
  • difficulties with a secure implementation
  • hack opportunities

SLIDE 13

Memory corruption

  • dangling references
  • possibility of changing the control flow

SLIDE 14

Protection

  • Object invalidation

seemingly simple mechanism

(diagram) Object: is_valid : bool, ...

SLIDE 15

Bugs

SLIDE 16

Exploit example

SLIDE 17

Bugs

Various logic errors resulting in a residue object:

  • object not marked dead
  • visible 'dead' objects
  • premature release of a reference

SLIDE 18

Main questions

  • reasons for implementation problems
  • small public attention

SLIDE 19

Background for object management in Internet Explorer

Part 1 Part 2 Part 3 Part 4

SLIDE 20

ActiveX objects

  • COM framework
  • AddRef, Release – refcounting
  • properties
  • sub-objects

SLIDE 21

ActiveX objects

  • HTML elements
  • JavaScript variables
  • HTML and JavaScript engines
  • Hosting ActiveX objects:
    • <object> tag in HTML
    • new ActiveXObject(id) in JavaScript
  • nesting of HTML and JavaScript engines

SLIDE 22

Window and Document

  • Document – HTML document corresponding to an HTML file
  • Window – tab, frame, iframe, dialog box
  • CWindow and CDocument COM classes

(diagram) Window 1 with Document 1 → navigation → Window 1 with Document 2

SLIDE 23

CWinProxy

  • Document – same-domain accessibility
  • Window – can be referenced from a different domain
  • Proxy object necessary to comply with the same-origin policy

(diagram) external ref → CWinProxy → CWindow

SLIDE 24

Testing and studying Residue Objects

Part 1 Part 2 Part 3 Part 4

SLIDE 25

Tactic for generating Residue Objects

SLIDE 26

Enumerative Approach

Various:

  • inner objects: documents, windows, methods etc.

SLIDE 27

Enumerative Approach

Various:

  • inner objects
  • ways of object hosting

SLIDE 28

Enumerative Approach

Various:

  • inner objects
  • ways of object hosting
  • ways of navigation

Navigate window NavWin to page.html:

  • open("page.html", "NavWin")
  • NavWin.location = "page.html"
  • NavWin.Navigate("page.html")

SLIDE 29

Analysis

Augmentation of the browser code by logging important events about CWindow / CWinProxy / CDocument:

  • construction / destruction
  • AddRef / Release
  • validation / invalidation

SLIDE 30

Analysis

  • call stack for every event to identify the caller
  • filtering out matching AddRef and Release events

SLIDE 31

Analysis tool

Object chart:

  • objects in memory after navigation
  • reference owners
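As an added illustration of the analysis described on slides 29 to 31 (this is not the deck's own tool), a small analyzer over a constructed event log: AddRef/Release pairs from the same caller are filtered out, and the resulting object chart lists every object still in memory after navigation with its remaining reference owners, whether it was invalidated, and any Release that had no matching AddRef. The log format, object names and caller names are assumptions made up for the example.

```python
# Added example, not the deck's own tool; the log format, object names and callers
# below are constructed for illustration and do not reflect real IE internals.
from collections import defaultdict

CONSTRUCTED_LOG = """\
construct CWindow#1
AddRef CWindow#1 CDocument::Init
AddRef CWindow#1 CWinProxy::Attach
AddRef CWindow#1 CScriptHost::Bind
construct CWinProxy#2
AddRef CWinProxy#2 CFuncPointer::Ctor
Release CWindow#1 CDocument::Init
navigation
invalidate CWindow#1
Release CWindow#1 CWinProxy::Attach
Release CWindow#1 CNavigate::Teardown
construct CWindow#4
AddRef CWindow#4 CDocument::Init
""".splitlines()

def analyze(lines):
    owners = defaultdict(list)      # object -> callers whose AddRef has no matching Release
    unbalanced = defaultdict(list)  # object -> callers that Released without an AddRef
    alive, invalidated, old_page, after_nav = set(), set(), set(), False
    for line in lines:
        event, *rest = line.split()
        obj = rest[0] if rest else None
        if event == "navigation":
            after_nav = True
        elif event == "construct":
            alive.add(obj)
            if not after_nav:
                old_page.add(obj)   # created by the page that is navigated away
        elif event == "destroy":
            alive.discard(obj)
        elif event == "invalidate":
            invalidated.add(obj)
        elif event == "AddRef":
            owners[obj].append(rest[1])
        elif event == "Release":
            if rest[1] in owners[obj]:   # paired with an earlier AddRef: filtered out
                owners[obj].remove(rest[1])
            else:                        # no partner: a refcount was lost somewhere
                unbalanced[obj].append(rest[1])
    return {obj: {"residue": obj in old_page, "invalidated": obj in invalidated,
                  "owners": owners[obj], "unbalanced": unbalanced[obj]} for obj in alive}

def unprotected_residue(report):   # residue objects still referenced but never marked dead
    return sorted(o for o, i in report.items()
                  if i["residue"] and i["owners"] and not i["invalidated"])
```

On the constructed log this flags CWinProxy#2: it survives navigation, is still held by CFuncPointer::Ctor, and was never invalidated, which is exactly the shape of pitfall 2 later in the deck.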

SLIDE 32

Pitfall 1: Invalidated Invisible

  • CWindow object of the inner window is invalidated
  • inner window stays visible when created by createPopup()

ref = innerWindow

SLIDE 33

Pitfall 1: Invalidated Invisible

SLIDE 34

Pitfall 1: Invalidated Invisible

SLIDE 35

Pitfall 1: Invalidated Invisible

IE 8.0.6001; fixed in IE 9

SLIDE 36

Pitfall 2: Confusion due to polymorphism

Method of the window

ref = innerWindow.setTimeout

  • CWindow object of the inner window is invalidated
  • CFuncPointer object of innerWindow.setTimeout points to a CWinProxy that is not invalidated
  • delayed script can be run after navigation

SLIDE 37

Pitfall 2: Confusion due to polymorphism

Method of the window

ref = innerWindow.setTimeout

fixed in IE 8.0.6001: access denied error
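To make pitfall 2 concrete, here is an added toy model (not IE code; the class names CWindow, CWinProxy and CFuncPointer echo the deck, their behaviour is assumed) of the invalidation flag from the "Protection" slide. A saved method such as innerWindow.setTimeout is bound to the proxy, so when navigation only clears the window's flag the delayed script still gets queued; the corrected check also consults the object behind the proxy and refuses with an access-denied error.

```python
# Added example, not IE code: a toy model of object invalidation and of pitfall 2.
# Class names echo the deck (CWindow, CWinProxy, CFuncPointer); behaviour is assumed.

class AccessDenied(Exception):
    """Script touched an object belonging to a page that was navigated away."""

class CWindow:
    def __init__(self, name):
        self.name, self.is_valid, self.timers = name, True, []
    def setTimeout(self, callback):          # internal implementation, no validity check
        self.timers.append(callback)

class CWinProxy:
    """Cross-domain handle to a CWindow, carrying its own validity flag."""
    def __init__(self, window):
        self.window, self.is_valid = window, True

class CFuncPointer:
    """What `ref = innerWindow.setTimeout` keeps: a method bound to the proxy."""
    def __init__(self, proxy, method, check_target):
        self.proxy, self.method, self.check_target = proxy, method, check_target
    def __call__(self, *args):
        if not self.proxy.is_valid:           # the only check in the buggy model
            raise AccessDenied(self.proxy.window.name)
        # the fix: validity must also be checked on the object behind the proxy
        if self.check_target and not self.proxy.window.is_valid:
            raise AccessDenied(self.proxy.window.name)
        return getattr(self.proxy.window, self.method)(*args)

def navigate_away(window):
    """Navigation marks the CWindow dead; its CWinProxy is left untouched, as in the pitfall."""
    window.is_valid = False
    window.timers.clear()

def scenario(proxy_checks_target):
    """Returns (outcome, number of delayed scripts queued on the dead window)."""
    inner = CWindow("innerWindow")
    proxy = CWinProxy(inner)
    ref = CFuncPointer(proxy, "setTimeout", proxy_checks_target)
    navigate_away(inner)
    try:
        ref(lambda: None)                    # delayed script through the saved method
        return "delayed script queued on dead window", len(inner.timers)
    except AccessDenied:
        return "access denied", len(inner.timers)
```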

SLIDE 38

Pitfall 3: Cross-engine invalidation

  • inner window hosted in a different HTML engine
  • CWindow object of the inner window is not invalidated

(diagram) different HTML engine

ref = innerWindow

SLIDE 39

Pitfall 3: Cross-engine invalidation

still an issue in IE 9

SLIDE 40

Pitfall 4: Erroneous refcounting

  • one refcount is lost
  • navigation of the persistent window removes the nav window
  • dangling reference
  • corruption of the EIP register
  • heap spray attack possible

Method of the window

ref = NavWin.setTimeout

SLIDE 41

Pitfall 4: Erroneous refcounting

Fixed by Microsoft in the February 2009 security hot fix

SLIDE 42

Pitfall 5: Partially destroyed data structures inside valid objects

  • same scenario as in pitfall 3
  • a script in a child window of the inner window
  • CWindow object is valid
  • broken internal data structures
  • memory violations

SLIDE 43

Pitfall 5: Partially destroyed data structures inside valid objects

still an issue in IE 8

SLIDE 44

Conclusions and Future Work

Part 1 Part 2 Part 3 Part 4

SLIDE 45

Possible responses to the residue object problem

  • automatic garbage collectors
  • different processes
    • IE8 multi-process architecture to render different windows
    • separation of different web contents
    • prevents direct overwriting of memory
    • objects can still be accessed through references in DCOM
  • revision of DOM access policies and their implementation

SLIDE 46

New generation of browsers

  • OP from the University of Illinois
  • Gazelle from Microsoft Research
  • focus on security
  • multi-process architecture
  • access control policies
  • formal methods (OP)
  • OS principles in the browser (Gazelle)

SLIDE 47

Conclusions

  • all browsers have to deal with residue objects
  • problems need to be recognised as residue object problems and not as individual bugs
  • a lot of undiscovered bugs left

SLIDE 48

Future work

Other document types:

  • XML
  • Flash
  • Microsoft Silverlight

Other browsers:

  • Firefox
  • Safari

SLIDE 49

Thank you!