SoK: Exploring Current and Future Research Directions on XS-Leaks through an Extended Formal Model

Session 6B: System and Network Security #2

Tom Van Goethem*, Gertjan Franken*, Iskander Sanchez-Rola†, David Dworken§, Wouter Joosen*
* imec-DistriNet, KU Leuven; † Norton Research Group; § Google

A web visit typically consists of the browser rendering a dynamically generated response that is specifically tailored to the user. This generation of responses based on the currently authenticated user, whose authentication credentials are automatically included via cookies in all (including cross-site) requests, has led to a multitude of issues. Through cross-site leaks (XS-Leaks), an adversary can try to circumvent the same-origin policy and extract information about responses, which in turn can reveal potentially sensitive information about the user. As research on this class of vulnerabilities only recently gained traction, and the attacks affect many different components of the web platform, the intrinsic characteristics and underlying causes remain largely unexplored. In this paper we present an abstraction of XS-Leak attacks and introduce an extended formal model that we use to reason about the cause of different leaks and about which strategies the various defense mechanisms employ to defend against them. Furthermore, we provide a classification method for current attacks and, guided by our model, propose a methodology to comprehensively detect new XS-Leak issues, or indicate their absence. In addition, we analyze the current defenses and identify gaps that still require further research to provide extensive solutions for sites that rely on cross-site interactions. Finally, we explore how XS-Leak defenses are currently deployed and which challenges website owners are still facing. As a first step towards facilitating the deployment of XS-Leak defenses, we introduce Leakbuster, a dynamic web interface that provides web developers with suggestions based on the insights provided throughout this paper.

For many, the web plays an important part in their daily lives, from sharing personal information with friends on social networks to looking up health-related details. It is well known that people share a lot of sensitive information with trusted websites, and that if this data were disclosed to adversarial parties, this could have significant consequences. Depending on the attack, there are a myriad of ways in which the information could be abused. For instance, information leaked from social networks could be leveraged to identify a user [47, 53], determine what their interests are [25], or infer who they were messaging with [26]. Through similar attacks, the search functionality of web applications has been shown to leak information about undisclosed vulnerabilities [11, 54] or credit card details [10]. This class of vulnerabilities is typically referred to as cross-site leaks, or XS-Leaks, and has received a lot of interest from the security community in recent years. XS-Leak techniques exploit a large variety of browser mechanisms to leak sensitive information about opaque cross-site responses that are based on the state the unwitting visitor has with the targeted website. In essence, every mechanism that deals with handling responses may be susceptible to being abused to leak information about these responses. As the causes of XS-Leaks are very diverse, a wide variety of defenses are needed to thwart them, which makes it very difficult for web developers to protect their users. In this paper we aim to improve the understanding of XS-Leaks by studying the root cause of the leaks based on their intrinsic features, and we highlight opportunities for future research to capture the entire threat surface that XS-Leaks pose and to determine which protections are needed to practically defend against them.
To this end, we introduce an extended model of XS-Leaks and show how the state that a victim has with a web application can be transferred to the state of a component that is involved in handling the request and associated response. By later retrieving this state from the component in the second stage of an XS-Leak attack, the adversary will be able to infer private information that the victim shared with the targeted website. For example, when rendering a page of the targeted website, a specific resource may only be added to the cache when the victim is in application state $$s_{0}$$, and not in state $$s_{1}$$ (the state is based on a secret property unknown to the adversary – this
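The two-stage abstraction above (application state transferred into a component's state, then read back by the adversary), as an added toy simulation that is not the paper's own code. It takes the browser cache as the component and assumes two defenses for illustration: a cache partitioned by top-level site, and marking the state-dependent resource as not cacheable; the site names and resource URL are constructed.

```python
"""Toy simulation of the two-stage XS-Leak abstraction (added example, not
the paper's code). Component = browser cache; secret state = s0 / s1."""
from dataclasses import dataclass, field

TARGET, ATTACKER = "target.example", "attacker.example"   # constructed
RESOURCE = f"https://{TARGET}/only-in-s0.js"              # constructed URL


@dataclass
class Cache:
    """Browser cache. With partitioned=True the key includes the top-level
    site (cache partitioning, assumed here as one possible defense)."""
    partitioned: bool = False
    entries: set = field(default_factory=set)

    def _key(self, top_level_site, url):
        return (top_level_site if self.partitioned else None, url)

    def store(self, top_level_site, url):
        self.entries.add(self._key(top_level_site, url))

    def is_cached(self, top_level_site, url):
        return self._key(top_level_site, url) in self.entries


def render_target(cache, top_level_site, app_state, cacheable=True):
    """Stage 1: rendering the target page transfers application state into
    component state: RESOURCE is fetched, and hence cached, only in s0."""
    if app_state == "s0" and cacheable:
        cache.store(top_level_site, RESOURCE)


def probe(cache):
    """Stage 2: from the attacker's site, read the component state back."""
    return cache.is_cached(ATTACKER, RESOURCE)


def leaks(partitioned=False, cacheable=True, render_from=TARGET):
    """True if the adversary's observation differs between s0 and s1.
    render_from is the top-level site during stage 1: the victim visits
    the target directly, or the attacker page embeds it."""
    seen = set()
    for state in ("s0", "s1"):
        cache = Cache(partitioned=partitioned)
        render_target(cache, render_from, state, cacheable)
        seen.add(probe(cache))
    return len(seen) == 2
```

The simulation shows why the model matters for defenses: partitioning removes the leak only when stage 1 ran in another partition, so if the attacker page itself triggers the render, the state-dependent resource must also not enter the cache.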