Protecting browsers from DNS rebinding attacks
Source
Conference on Computer and Communications Security
Proceedings of the 14th ACM Conference on Computer and Communications Security
Alexandria, Virginia, USA
SESSION: Policies
Pages: 421 - 431  
Year of Publication: 2007
ISBN: 978-1-59593-703-2
Authors
Collin Jackson  Stanford University, Stanford, CA
Adam Barth  Stanford University, Stanford, CA
Andrew Bortz  Stanford University, Stanford, CA
Weidong Shao  Stanford University, Stanford, CA
Dan Boneh  Stanford University, Stanford, CA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1315245.1315298

ABSTRACT

DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies. We survey new DNS rebinding attacks that exploit the interaction between browsers and their plug-ins, such as Flash and Java. These attacks can be used to circumvent firewalls and are highly cost-effective for sending spam e-mail and defrauding pay-per-click advertisers, requiring less than $100 to temporarily hijack 100,000 IP addresses. We show that the classic defense against these attacks, called "DNS pinning," is ineffective in modern browsers. The primary focus of this work, however, is the design of strong defenses against DNS rebinding attacks that protect modern browsers: we suggest easy-to-deploy patches for plug-ins that prevent large-scale exploitation, provide a defense tool, dnswall, that prevents firewall circumvention, and detail two defense options, policy-based pinning and host name authorization.


