Publication


Featured research published by Bastian Braun.


International Conference on Engineering Secure Software and Systems | 2013

Control-Flow integrity in web applications

Bastian Braun; Patrick Gemein; Hans P. Reiser; Joachim Posegga

Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harmful requests. We analyze recent attacks on web applications with respect to user-defined requests and identify their root cause in the missing explicit control-flow definition and enforcement. Based on this result, we provide our approach, a control-flow monitor that is applicable to legacy as well as newly developed web applications. It expects a control-flow definition as input and provides guarantees to the web application concerning the sequence of incoming requests and carried parameters. It protects the web application against race condition exploits, a special case of control-flow integrity violation. Moreover, the control-flow monitor supports modern browser features like multi-tabbing and back button usage. We evaluate our approach and show that it induces a negligible overhead.


Trust and Privacy in Digital Business | 2012

A User-Level Authentication Scheme to Mitigate Web Session-Based Vulnerabilities

Bastian Braun; Stefan Kucher; Martin Johns; Joachim Posegga

After the initial login, web browsers authenticate to web applications by sending the session credentials with every request. Several attacks exist which exploit conceptual deficiencies of this scheme, e.g. Cross-Site Request Forgery, Session Hijacking, Session Fixation, and Clickjacking. We analyze these attacks and identify their common root causes in the browser authentication scheme and the missing user context. These root causes allow the attacker to mislead the browser and misuse the user's session context. Based on this result, we present a user authentication scheme that prohibits the exploitation of the analyzed vulnerabilities. Our mechanism works by binding image data to individual sessions and requiring submission of this data along with security-critical HTTP requests. This way, an attacker's exploitation chances are limited to a theoretically arbitrarily low probability of guessing the correct session image.


Information Security Conference | 2014

A Trusted UI for the Mobile Web

Bastian Braun; Johannes Koestler; Joachim Posegga; Martin Johns

Modern mobile devices come with first-class web browsers that rival their desktop counterparts in power and popularity. However, recent publications point out that mobile browsers are particularly susceptible to attacks on web authentication, such as phishing or clickjacking. We analyze those attacks and find that existing countermeasures from desktop computers cannot be easily transferred to the mobile world. The attacks' root cause is a missing trusted UI for security-critical requests. Based on this result, we provide our approach, the MobileAuthenticator, that establishes a trusted path to the web application and reliably prohibits the described attacks. With this approach, the user only needs one tool to protect any number of mobile web application accounts. Based on the implementation as an app for iOS and Android respectively, we evaluate the approach and show that the underlying interaction scheme easily integrates into legacy web applications.


Nordic Conference on Secure IT Systems | 2013

A Survey on Control-Flow Integrity Means in Web Application Frameworks

Bastian Braun; Christian v. Pollak; Joachim Posegga

Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harmful requests. We analyze recent attacks on web applications with respect to user-defined requests and identify their root cause in the missing explicit control-flow definition and enforcement. Then, we evaluate the most prevalent web application frameworks in order to assess how far real-world web applications can use existing means to explicitly define and enforce intended control flows. While we find that all tested frameworks allow individual retrofit solutions, only one out of ten provides a dedicated control-flow integrity protection feature. Finally, we describe ways to equip web applications with control-flow integrity properties.


ACM Symposium on Applied Computing | 2015

LogSec: adaptive protection for the wild wild web

Bastian Braun; Korbinian Pauli; Joachim Posegga; Martin Johns

Today, a Web browser is a user's gateway to a multitude of Web applications, each with its own balance between confidentiality and integrity versus cross-application content sharing. Modern Web browsers apply the same permissive security policy to all content regardless of its demand for security, a behavior that enables attacks such as cross-site request forgery (CSRF) or sidejacking. To defend against such attacks, existing countermeasures enforce overly strict policies, which expose incompatibilities with real-world Web applications. As a consequence, users get annoyed by malfunctions. In this paper, we show how browser behavior can be adapted based on the user's authentication status. The browser can enforce enhanced security policies, if necessary, and permit modern communication features, if possible. Our approach mitigates CSRF, session hijacking, sidejacking, and session fixation attacks. We present the implementation as a browser extension, named LogSec, that passively detects the user's authentication status without server-side support and is transparent for the user.


Information Security Conference | 2014

Ghostrail: Ad Hoc Control-Flow Integrity for Web Applications

Bastian Braun; Caspar Gries; Joachim Posegga

Modern web applications frequently implement complex control flows, which require the users to perform actions in a given order. Users interact with a web application by sending HTTP requests with parameters and in response receive web pages with hyperlinks that indicate the expected next actions. If a web application takes for granted that the user sends only those expected requests and parameters, malicious users can exploit this assumption by crafting harmful requests. We analyze recent attacks on web applications with respect to user-defined requests and identify their root cause in the missing enforcement of allowed next user requests. Based on this result, we provide our approach, named Ghostrail, a control-flow monitor that is applicable to legacy as well as newly developed web applications. It observes incoming requests and lets only those pass that were provided as next steps in the last web page. Ghostrail protects the web application against race condition exploits, the manipulation of HTTP parameters, unsolicited request sequences, and forceful browsing. We evaluate the approach and show that it neither needs a training phase nor a manual policy definition, while it is suitable for a broad range of web technologies.


Datenschutz und Datensicherheit - DuD | 2012

Attacks on OpenID and Their Assessment under Criminal Law (original title: Angriffe auf OpenID und ihre strafrechtliche Bewertung)

Bastian Braun; Patrick Gemein; Benedikt Höfling; Michael Marc Maisch; Alexander Seidl

Abstract: With OpenID, the vision of being able to use all of one's user accounts on the Internet after a single authentication, without repeated logins, comes a step closer. OpenID is the first single sign-on system to have achieved noteworthy adoption on the World Wide Web. However, the new distribution of roles, in which many users can log in at one provider for numerous applications, has not been sufficiently examined. This article analyzes the technical attack potential and provides an assessment under criminal law of selected attacks on OpenID procedures.


Availability, Reliability and Security | 2007

FCPre: Extending the Arora-Kulkarni Method of Automatic Addition of Fault-Tolerance

Bastian Braun

Synthesizing fault-tolerant systems from fault-intolerant systems simplifies the design of fault tolerance. Arora and Kulkarni developed a method and a tool to synthesize fault tolerance under the assumption that specifications are not history-dependent (fusion-closed). Later, Gartner and Jhumka removed this assumption by presenting a modular extension of the Arora-Kulkarni method. This paper presents an implementation of the Gartner-Jhumka method which is evaluated on several examples. As an additional safety net, we have added automatic verification of the results using the model checker Spin. In the context of this work, a fault in the Gartner-Jhumka method has been found. Though this fault is rare and does not cause incorrect results, there might be no result at all.


ACM Symposium on Applied Computing | 2011

Reliable protection against session fixation attacks

Martin Johns; Bastian Braun; Michael Schrank; Joachim Posegga


Annual Computer Security Applications Conference | 2012

BetterAuth: web authentication revisited

Martin Johns; Sebastian Lekies; Bastian Braun; Benjamin Flesch
