CORDIS - EU research results

Foundations and Tools for Client-Side Web Security

Periodic Reporting for period 5 - Browsec (Foundations and Tools for Client-Side Web Security)

Reporting period: 2024-06-01 to 2024-11-30

Web applications play a fundamental role in our everyday life: think of e-commerce, e-banking, social networks, and so on. As such, their security is of paramount importance and the average user would expect that modern web applications are bulletproof. Unfortunately, this is far from reality.

The reason is that the Web was originally designed to share documents within a restricted scientific community, where everyone trusted each other. Hence browsers and web protocols have been largely developed without placing security at the core of their design. As a result, they are extremely fragile and offer users little protection against common daily threats, such as the prying eyes of trackers willing to collect any type of personal information in order to serve better ads or, more generally, tailored content, or hackers willing to steal credit card numbers, passwords, and other sensitive data.

The primary goal of Browsec is to design security solutions that provide rigorous security guarantees and can be smoothly deployed by users in their daily life. Specifically, the overall objectives include the design of formal methods to model and rigorously reason about the security of web applications, protocols, and services, as well as the design of security enforcement techniques that can be integrated into modern browsers. On the technical level, this encompasses semantic models of the browser and its security mechanisms, ideally formalized in proof assistants; dynamic security enforcement techniques implemented as browser extensions or server-side code; and static analysis techniques for low-level code and web protocols. Browsec aims at a comprehensive treatment of the subject, covering well-established Web standards as well as emerging ones (e.g. mobile browsers and Web3).

These goals have been largely accomplished. By developing a novel analysis methodology based on the combination of formal methods and large-scale measurements and testing, Browsec discovered a number of security vulnerabilities in Web protocols, applications, services, and standards, working in collaboration with the relevant stakeholders to rectify them.
Browsec focuses on enforcing rigorous security guarantees based on semantic models that capture program and adversary behavior, enabling formal security proofs. This innovative approach contrasts with typical Web security research, which often relies solely on experimental evidence without formal assurances.
We demonstrated our approach with WPSE, a browser extension that secures protocol-based web interactions by enforcing security properties on the sequences of network requests, without requiring deep code analysis. This ensures efficiency while providing formal security guarantees. During development, we identified and responsibly disclosed vulnerabilities in protocols like SAML2 (used by Google Single Sign-On) and OAuth2 implementations, which were later fixed. This work led to a collaboration with SAP, integrating similar techniques into server-side code.
The increasing complexity of browsers due to new Web APIs and security mechanisms makes manual security reviews prone to errors. To address this, we developed WebSpec, the first formal security framework for analyzing browser security mechanisms. It uses a comprehensive semantic model in the Coq proof assistant, formalizes Web security invariants, and converts them into SMT-LIB formulas for model checking with the Z3 theorem prover. When violations are found, WebSpec generates executable tests to validate the issues across major browsers. This framework successfully discovered new logical flaws and identified previously known issues in Web security standards, highlighting the importance of automated monitoring to ensure browser security.
A key issue left open by the previous work is how to formalize browser models: this process is long and error-prone, and hardly feasible manually since browsers evolve at a rapid pace. For this reason, we introduced a complementary approach based on testing the browser code directly. In particular, we introduced a practical framework for formally and automatically detecting security flaws in browser-side security mechanisms using the Web Platform Tests developed by the browser vendors. By matching browser execution traces against security invariants, the study identified 104 violations across Firefox, Chromium, and Safari, resulting in multiple disclosures to browser vendors.
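The two ideas above, enforcing a protocol as a property of the sequence of network requests (WPSE) and matching an execution trace against security invariants, share one mechanism: a monitor that consumes requests one at a time and accepts or blocks each one. The block below is an added illustration written for this page; it is not code from WPSE, WebSpec or the Browsec project. It assumes a hypothetical OAuth 2.0-style authorization code flow between an identity provider at https://idp.example and a client at https://client.example, with constructed origins, paths, parameter names and sample traces. The monitor enforces three invariants: protocol messages arrive only in the order the specification allows, a parameter bound earlier in the flow (the state value) must match when it comes back, and a value marked secret (the authorization code) may only be sent to origins the specification entitles to receive it.

```javascript
// Added example: a browser-side protocol monitor in the spirit of WPSE.
// Everything in FLOW_SPEC is a constructed assumption for illustration.
const FLOW_SPEC = {
  start: 'idle',
  // from/to: monitor states; origin/path: how to recognise the message;
  // bind: parameters remembered here; check: parameters that must equal the
  // value bound earlier; secret: bound parameters whose confidentiality is enforced.
  transitions: [
    { from: 'idle', to: 'authz_sent', origin: 'https://idp.example', path: '/authorize',
      bind: ['state'] },
    { from: 'authz_sent', to: 'redirected', origin: 'https://client.example', path: '/callback',
      check: ['state'], bind: ['code'], secret: ['code'] },
    { from: 'redirected', to: 'done', origin: 'https://client.example', path: '/token',
      check: ['code'] },
  ],
};

function parseRequest(urlString) {
  const url = new URL(urlString);
  const params = {};
  for (const [k, v] of url.searchParams) params[k] = v;
  return { origin: url.origin, path: url.pathname, params };
}

class ProtocolMonitor {
  constructor(spec) {
    this.spec = spec;
    this.state = spec.start;
    this.bindings = {}; // parameter name -> value observed in this run of the flow
    this.secrets = [];  // { name, value, allowedOrigins }
  }

  // Inspect one outgoing request; returns { verdict: 'allow' | 'block', reason }.
  observe(urlString) {
    const req = parseRequest(urlString);

    // Confidentiality: a bound secret may only travel to entitled origins,
    // whether or not the request is itself part of the protocol.
    for (const s of this.secrets) {
      const carriesSecret = Object.values(req.params).includes(s.value);
      if (carriesSecret && !s.allowedOrigins.includes(req.origin)) {
        return { verdict: 'block', reason: `secret '${s.name}' leaked to ${req.origin}` };
      }
    }

    // Integrity: protocol messages must follow the order the flow prescribes.
    const isProtocolMessage = (t) => t.origin === req.origin && t.path === req.path;
    const next = this.spec.transitions.find((t) => t.from === this.state && isProtocolMessage(t));
    if (!next) {
      if (this.spec.transitions.some(isProtocolMessage)) {
        return { verdict: 'block', reason: `unexpected ${req.path} in state '${this.state}'` };
      }
      return { verdict: 'allow', reason: 'not a protocol message' };
    }
    for (const p of next.check || []) {
      if (req.params[p] !== this.bindings[p]) {
        return { verdict: 'block', reason: `parameter '${p}' does not match the bound value` };
      }
    }
    for (const p of next.bind || []) {
      if (!(p in req.params)) return { verdict: 'block', reason: `missing parameter '${p}'` };
      this.bindings[p] = req.params[p];
      if ((next.secret || []).includes(p)) {
        // The secret may only be sent to origins that later check it.
        const allowedOrigins = this.spec.transitions
          .filter((t) => (t.check || []).includes(p))
          .map((t) => t.origin);
        this.secrets.push({ name: p, value: req.params[p], allowedOrigins });
      }
    }
    this.state = next.to;
    return { verdict: 'allow', reason: `transition to '${next.to}'` };
  }
}

// Run a whole trace through a fresh monitor; returns one verdict per request.
function runTrace(spec, urls) {
  const monitor = new ProtocolMonitor(spec);
  return urls.map((u) => monitor.observe(u).verdict);
}

// Constructed sample traces (not real captures).
const HONEST_TRACE = [
  'https://idp.example/authorize?response_type=code&client_id=app&state=s1',
  'https://cdn.example/logo.png',
  'https://client.example/callback?code=c1&state=s1',
  'https://client.example/token?code=c1',
];
const FORGED_REDIRECT_TRACE = [
  'https://idp.example/authorize?response_type=code&client_id=app&state=s1',
  'https://client.example/callback?code=c1&state=other', // state does not match
];
const LEAK_TRACE = [
  'https://idp.example/authorize?response_type=code&client_id=app&state=s1',
  'https://client.example/callback?code=c1&state=s1',
  'https://tracker.example/collect?ref=c1', // code sent to a third party
];
```

The monitor never inspects application code: as with WPSE, the specification only talks about which requests may occur, in what order, and which values they may carry, which is what keeps enforcement cheap while still giving a property one can state and prove about the flow. Requests that are not protocol messages (the logo load above) pass through, unless they carry a secret.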
We explored this new methodological approach encompassing formal methods and large-scale measurements and experiments to analyze core Web components, such as cookies, same-site security boundaries, the content security policy (CSP), mixed-content policy, trusted types, and service workers, to name a few. These works resulted in the discovery of severe vulnerabilities in widely deployed Web protocols, services, and applications and led to changes in Web standards. Some of the most impactful highlights include:
· Automated discovery of subdomain takeover vulnerabilities in 887 prominent websites and complete assessment of the ramifications of same-site attacks.
· Identification of critical flaws in the cookie standard that led to violating integrity guarantees of cookie prefixes. This vulnerability is part of a larger class of serialization issues that we reported to the IETF Working Group responsible for the cookie standard and browser vendors.
· Detection of session integrity vulnerabilities in 9 major Web development frameworks (e.g. Express, Flask, CodeIgniter) used by hundreds of thousands of websites.
· Security evaluation of the Custom Tab component on Android. We exploited Custom Tabs for fine-grained information leakage, violation of session integrity, and phishing.
All the identified vulnerabilities have been responsibly disclosed, and we have collaborated with the affected parties to identify possible solutions.
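Cookie prefixes are a case where the security guarantee lives entirely in how the cookie name and attributes are parsed: a __Secure- cookie is only accepted by the browser when set with the Secure attribute, and a __Host- cookie additionally requires Path=/ and no Domain attribute, so that it is host-only and cannot be overwritten from a sibling subdomain. The block below is an added example written for this page, not Browsec code; it is a server-side linter a developer could run over their own Set-Cookie headers to confirm they satisfy those requirements before relying on the prefix. The sample headers are constructed.

```javascript
// Added example: check that Set-Cookie headers meet the attribute requirements
// of the __Host- and __Secure- cookie prefixes (RFC 6265bis).

// Split a Set-Cookie header into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq).trim();
  const value = eq === -1 ? pair : pair.slice(eq + 1).trim();
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    attributes[k] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// Returns a list of violated prefix requirements (empty when the header is fine).
function checkCookiePrefix(header) {
  const { name, attributes } = parseSetCookie(header);
  const problems = [];
  if (name === '') {
    // The prefix rules are defined on the name; a nameless pair carries none.
    problems.push('empty cookie name: no prefix guarantee can apply');
    return problems;
  }
  const isHost = name.startsWith('__Host-');
  const isSecure = name.startsWith('__Secure-');
  if (!isHost && !isSecure) return problems;
  if (!('secure' in attributes)) {
    problems.push(`${isHost ? '__Host-' : '__Secure-'} cookie must have the Secure attribute`);
  }
  if (isHost) {
    if ('domain' in attributes) problems.push('__Host- cookie must not carry a Domain attribute');
    if (attributes.path !== '/') problems.push('__Host- cookie must have Path=/');
  }
  return problems;
}

// Constructed sample headers.
const SAMPLE_HEADERS = [
  '__Host-session=abc; Secure; Path=/; HttpOnly',
  '__Host-session=abc; Secure; Path=/; Domain=example.com',
  '__Secure-id=1; Path=/',
  'plain=1',
];
```

A browser would silently drop the second and third headers above, so the application would keep working with whatever cookie the attacker or an older deployment managed to set; running the check in a test suite surfaces that before deployment.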
Another fundamental contribution is the line of work on blockchain protocols and smart contracts, to which we contributed novel formal analysis and design techniques. This line of work has been picked up by industry (e.g. some of our protocols have been integrated in Layer-2 protocols for Bitcoin) and will further contribute to bridging blockchains and web applications, the so-called Web3.
The aforementioned achievements constitute breakthroughs that fundamentally go beyond the state of the art and have a high impact on society. The fundamental reason is that the vulnerabilities we identified in our work affect well-established, carefully analysed, and widely deployed Web protocols, applications, and services. All of them had undergone a number of manual analyses from academia and industry. Browsec managed to discover new vulnerabilities thanks to its novel research methodology, which, by combining formal methods with large-scale testing and measurements, enabled the analysis at scale of attack vectors and threat models not considered before (e.g. the interaction between browser security mechanisms). Not only did we discover a number of vulnerabilities in Web protocols, applications, and services, but we also accordingly rectified the corresponding Web standards, thereby contributing to making the Internet a safer place.