A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP

This document describes a web security model to analyse cross-origin requests and block them using CORP, a browser security policy proposed for mitigating Cross Origin Request Attacks (CORA) such as CSRF, clickjacking, web application timing attacks, etc. CORP is configured by website administrators and sent to the browser as an HTTP response header. A CORP-enabled browser interprets the policy and enforces it on all cross-origin HTTP requests originating from other tabs of the browser, thus preventing malicious cross-origin requests. In this document we use Alloy, a finite state model finder, to formalize a web security model, analyse malicious cross-origin attacks, and verify that CORP can be used to mitigate such attacks.
