Provably Sound Browser-Based Enforcement of Web Session Integrity

Enforcing protection at the browser side has recently become a popular approach for securing web authentication. Though interesting, existing attempts in the literature only address specific classes of attacks, and thus fall short of providing robust foundations for reasoning about web authentication security. In this paper we provide such foundations by introducing a novel notion of web session integrity, which allows us to capture many existing attacks and to spot some new ones. We then propose FF+, a security-enhanced model of a web browser that provides a full-fledged and provably sound enforcement of web session integrity. We leverage our theory to develop SessInt, a prototype extension for Google Chrome implementing the security mechanisms formalized in FF+. SessInt provides a level of security very close to that of FF+, while keeping an eye on usability and user experience.
