Sunday, October 9, 2011

Integrity for sessionStorage

There are many different ways to think about security.  I prefer the following approach:
  1. Define a set of threat models that describe the attacker's capabilities.  For example, the "man-in-the-middle" is a classic threat model in network security that represents an attacker who has complete control over the network but who has no control over network endpoints.
  2. Identify a set of security properties that we wish our system to achieve.  Defining good security properties is a tricky business, and we're mostly going to wave our hands in this blog.  If you'd like an example, you should imagine something like "the attacker doesn't learn the contents of the user's email."
  3. Determine whether an attacker with the capabilities described in the threat model could possibly defeat any of the security properties of our system.  We usually assume that the attacker knows exactly how our system works (e.g., because attackers can read W3C specifications).
This approach tends to be conservative in the sense that it errs toward judging our system insecure: if the analysis says the system is safe, it is safe against everything in the threat model, not just against the attacks we happened to think of.  That's helpful when thinking defensively because being conservative pushes us to design systems that are secure robustly rather than systems that are secure by some happy accident.

So far, this post has been very abstract, but let's get concrete.  Recently, I've been corresponding with a number of Firefox developers about Firefox Bug 495337.  There are a number of technical details, but the issue boils down to the three factors above:
  1. Threat model.  We're concerned with an active network attacker.  (I need to write a "foundations" post introducing the important threat models in web security, but I didn't want to write too many foundations posts in a row.)  Essentially, an active network attacker has full control over the network (e.g., they can intercept and spoof HTTP requests and responses) but has very little power over secure network connections (e.g., they can't mess with TLS connections).
  2. Security property.  Here's where things get interesting.  What are appropriate security properties for sessionStorage (an API for semi-persistently storing data in the browser)?  I claim that the data an origin stores in sessionStorage should have confidentiality and integrity (i.e., other origins should not be able to learn or to alter data stored in sessionStorage).
  3. Could possibly defeat.  That leaves us with the question of whether an active network attacker could possibly defeat the confidentiality or integrity of data in sessionStorage.  I claim that such a thing is possible in Firefox (via a somewhat elaborate sequence of steps) because Firefox's behavior deviates slightly from the specification.  Specifically, in some circumstances that an attacker can provoke, Firefox considers only the host portion of the origin, ignoring the scheme and the port.  By ignoring the scheme, Firefox lets a network attacker leverage his or her ability to control HTTP to disrupt the integrity of HTTPS data in sessionStorage.
Does this represent a "real" security problem?  Well, that's a hard question to answer.  Certainly this issue makes it harder to understand the security of systems that use sessionStorage.  Instead of being able to use clean abstractions like confidentiality, integrity, and origin, we need to understand more details of how exactly an attacker can subtly manipulate sessionStorage.

Ultimately, complexity is the enemy of security.  Applied judiciously, threat models and security properties can help you understand the security of your system in simpler terms.

124 comments:

  1. We talked about how a network attacker could inject XSS in our W2SP paper earlier. http://www.cs.berkeley.edu/~devdatta/papers/w2sp10-primitives.pdf

    Maybe you can use this as a concrete example? Maybe adding the word "XSS" in the bug report will result in more impetus for a fix? :D

  26. Is there anyone but me concerned about the fact that the auth tokens (i.e., JWT tokens) are stored in JavaScript-accessible storage (localStorage/sessionStorage), making them susceptible to XSS (Cross-Site Scripting) attacks?

    More info:
    1. stormpath.com/blog
    2. owasp
    3. recommended solution on stackoverflow.com

    Is there a way to prevent satellizer from storing the returned JWT in localStorage (because I would be setting it in a cookie from my backend)?