A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP
Krishna Chaitanya Telikicherla, Akash Agrawall, Venkatesh Choppella
2017
Abstract
This document describes a web security model to analyse cross-origin requests and block them using CORP, a browser security policy proposed for mitigating Cross Origin Request Attacks (CORA) such as CSRF, Click-jacking, Web application timing, etc. CORP is configured by website administrators and sent to the browser as an HTTP response header. A CORP-enabled browser interprets the policy and enforces it on all cross-origin HTTP requests originating from other tabs of the browser, thus preventing malicious cross-origin requests. In this document we use Alloy, a finite state model finder, to formalize a web security model, analyse malicious cross-origin attacks, and verify that CORP can be used to mitigate such attacks.
Paper Citation
in Harvard Style
Telikicherla K., Agrawall A. and Choppella V. (2017). A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 516-523. DOI: 10.5220/0006261105160523
in Bibtex Style
@conference{icissp17,
author={Krishna Chaitanya Telikicherla and Akash Agrawall and Venkatesh Choppella},
title={A Formal Model of Web Security Showing Malicious Cross Origin Requests and Its Mitigation using CORP},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={516-523},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006261105160523},
isbn={978-989-758-209-7},
}