Isolation: The next web application security frontier

Nov 6, 2020

Application security engineers frequently grapple with the fact that web origins are only incidentally separated from one another; web security rules permit a surprising number of interactions which can be used to modify or infer the state of unrelated applications. The resulting attack surface is, sadly, one of the defining characteristics of the web security model, enabling multiple classes of hard-to-fix information leaks. In recent years, the lack of true web isolation has led to problems on three main fronts. First, vulnerabilities exploitable via malicious cross-site interactions, such as cross-site request forgery (CSRF) and cross-site script inclusion (XSSI), have continued to plague major applications. Second, cross-site leaks (XS-Leaks) research has identified practical new attacks that exploit both legacy and new web platform behaviors, and resulted in new avenues to leak cross-origin data. Finally, transient execution vulnerabilities such as Spectre and Meltdown broke the illusion that the web is immune to CPU-level bugs, demonstrating tractable cross-site attacks based on leaking data in the address space of the attacking origin's web renderer process.

In response, web browsers have proposed and implemented major security mechanisms that give application developers the ability to lock down their applications from unwanted cross-origin interactions. In this talk, we'll delve into the details of these features, focusing on Fetch Metadata Request Headers and Cross-Origin Opener Policy as means to isolate an application from the rest of the web. We'll use examples from production rollouts of these features at Google to review deployment strategies and potential pitfalls. Finally, we'll brainstorm the types of attacks that may be possible even in light of these restrictions, and discuss application patterns that developers will need to change to more comprehensively defend their sites.
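As an added illustration of the two mechanisms the abstract names (this is example code written for this page, not material from the talk or from Google's rollouts), the block below implements a Fetch Metadata resource isolation policy for a Node.js request handler and sets the Cross-Origin-Opener-Policy header on every response. It assumes the request object has Node's `http` shape (`method` plus lower-cased `headers`); the `handle` function, the sample requests and the reason strings are constructed for the example.

```javascript
// Added example: Fetch Metadata resource isolation policy + COOP header.
// Assumes `req` looks like Node's http.IncomingMessage: { method, headers }
// with lower-cased header names. Framework-agnostic so it can sit in front
// of any handler or middleware chain.

const ALLOWED_SITES = new Set(["same-origin", "same-site", "none"]);
const BLOCKED_NAV_DESTS = new Set(["object", "embed"]);

// Decide whether a request may reach application logic.
// Returns { allowed, reason } so the decision can be logged during a
// report-only rollout before enforcement is switched on.
function evaluateResourceIsolation(req) {
  const site = req.headers["sec-fetch-site"];
  const mode = req.headers["sec-fetch-mode"];
  const dest = req.headers["sec-fetch-dest"];

  // Older browsers send no Fetch Metadata at all; fail open so they keep
  // working (the application's existing CSRF defenses still cover them).
  if (site === undefined) {
    return { allowed: true, reason: "no-fetch-metadata" };
  }
  // Same-origin / same-site requests and browser-initiated ones
  // (typed URL, bookmark) are the application's own traffic.
  if (ALLOWED_SITES.has(site)) {
    return { allowed: true, reason: `sec-fetch-site=${site}` };
  }
  // Cross-site top-level GET navigations are how users arrive from links.
  // Keep those, but not when the "navigation" is really an <object> or
  // <embed> pulling the page into another site's document.
  if (mode === "navigate" && req.method === "GET" && !BLOCKED_NAV_DESTS.has(dest)) {
    return { allowed: true, reason: "cross-site-navigation" };
  }
  // Everything else is a cross-site subresource load, form POST or fetch():
  // exactly the CSRF / XSSI / XS-Leaks surface the policy exists to close.
  return { allowed: false, reason: `cross-site ${mode || "?"} to ${dest || "?"}` };
}

// Response headers that isolate the document from cross-origin windows
// (COOP) and from being loaded as a cross-origin subresource (CORP).
function isolationHeaders() {
  return {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
  };
}

// Hypothetical front-door handler: returns the status and headers that a
// real server would write, so the policy is easy to exercise offline.
function handle(req) {
  const decision = evaluateResourceIsolation(req);
  return {
    status: decision.allowed ? 200 : 403,
    reason: decision.reason,
    headers: isolationHeaders(),
  };
}

// Constructed sample requests (not captured traffic), one per policy branch.
const SAMPLE_REQUESTS = {
  sameOriginXhr:     { method: "GET",  headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors",     "sec-fetch-dest": "empty" } },
  crossSiteNav:      { method: "GET",  headers: { "sec-fetch-site": "cross-site",  "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  crossSiteFormPost: { method: "POST", headers: { "sec-fetch-site": "cross-site",  "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  crossSiteScript:   { method: "GET",  headers: { "sec-fetch-site": "cross-site",  "sec-fetch-mode": "no-cors",  "sec-fetch-dest": "script" } },
  crossSiteEmbed:    { method: "GET",  headers: { "sec-fetch-site": "cross-site",  "sec-fetch-mode": "navigate", "sec-fetch-dest": "embed" } },
  legacyBrowser:     { method: "GET",  headers: {} },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const res = handle(req);
  console.log(`${name.padEnd(18)} -> ${res.status} (${res.reason})`);
}
```

The fail-open branch for requests without `Sec-Fetch-Site` is what makes the policy deployable without breaking older clients; during rollout, log the `reason` field with `allowed: false` decisions in report-only mode and look for legitimate cross-site flows (OAuth callbacks, payment redirects, embedded widgets) before returning 403.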