Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CORB, CORP and Partitioned Caches Defense Articles to the Wiki #6

Merged
merged 40 commits into from
Sep 17, 2020
Merged
Show file tree
Hide file tree
Changes from 31 commits
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
0b5bcf3
Add Double Keyd Cache references and article strucure.
manuelvsousa Aug 4, 2020
9560b17
Add Draft for Partitioned caches.
manuelvsousa Aug 5, 2020
3f5fb99
Fix Partitioned Key Cache Draft.
manuelvsousa Aug 5, 2020
534a24d
Add improved draft for partitioned cache draft.
manuelvsousa Aug 5, 2020
8427bf2
Rename Double Key to Partitioned Cache.
manuelvsousa Aug 6, 2020
f0865ae
Add ITP partitioned cache keys.
manuelvsousa Aug 6, 2020
1c7367a
Add initial drafs for CORB and CORP.
manuelvsousa Aug 6, 2020
0c8a9b2
Add more contents to CORB draft.
manuelvsousa Aug 7, 2020
0ca50f9
Add pre-final drafts for corb and corp.
manuelvsousa Aug 7, 2020
8937d32
Add final drafts for corb and corp.
manuelvsousa Aug 7, 2020
5fef16f
Remove title in CORP.
manuelvsousa Aug 10, 2020
30db5e3
Update content/docs/defenses/browser-intrinsic/corb.md
manuelvsousa Aug 17, 2020
4928c73
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
2497d80
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
cce14c9
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
00c6170
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
4ac4e27
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
b9069ad
Update content/docs/defenses/opt-in/corp.md
manuelvsousa Aug 17, 2020
07eaadc
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
ddbe7ed
Apply Rob suggestion to CORB.
manuelvsousa Aug 18, 2020
a7de532
Add Rob suggestion to Partitioned Cached: Vary Header with Fetch-Meta…
manuelvsousa Aug 18, 2020
b740814
Apply Rob's suggestion to ITP warning.
manuelvsousa Aug 18, 2020
f3d2b3b
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 25, 2020
22cf2cc
Change CORB article with new wording and insights.
manuelvsousa Sep 3, 2020
82d8aa6
Remove old TODO.
manuelvsousa Sep 3, 2020
e59ac50
Add new visual to Partitioned cache article.
manuelvsousa Sep 3, 2020
b20540d
Fix impossible wording in corp/corp
manuelvsousa Sep 3, 2020
2f5e09e
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Sep 3, 2020
3b4c9af
Fix Word in partitioned caches article.
manuelvsousa Sep 3, 2020
7b47c7e
Add warning about impact regarding CORB protection
manuelvsousa Sep 3, 2020
87d18be
Change CORB wording.
manuelvsousa Sep 3, 2020
d4f42cd
Remove firefox is the only with corp deployed message.
manuelvsousa Sep 7, 2020
63ed7bf
Drop mention to CORP in CORB article.
manuelvsousa Sep 7, 2020
fb2eab2
Add CORP hint in CORB article.
manuelvsousa Sep 7, 2020
bcdce5b
Remaster sentence in CORP article.
manuelvsousa Sep 7, 2020
5c18cc7
Change CORB reference from presentation page to explainer
manuelvsousa Sep 7, 2020
306d36e
Fix Plural in a CORB sentence.
manuelvsousa Sep 7, 2020
b7dbc34
Update corb.md
terjanq Sep 8, 2020
733615e
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Sep 9, 2020
aeb7a10
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Sep 9, 2020
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 27 additions & 1 deletion content/docs/defenses/browser-intrinsic/corb.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,30 @@ category = "defenses"
menu = "main"
+++

TODO

## Explanation

Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in unlikely scenarios [^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of their own process. CORB aims to prevent attackers from loading cross-origin contents which might contain sensitive information into an attacker-controlled process. For instance, if an attacker tries to load an HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening.

To classify resource types CORB uses the `Content-Type` header if `nosniff` is set. In case the page does not serve a `nosniff` header CORB will, based on heuristics, check if the resource is worth protecting by looking at the beginning of the response body.

{{< hint info >}}
Chrome is the only browser with CORB deployed.
{{< /hint >}}

{{< hint info >}}
[Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}) is a protection with enforces and extends CORB automatically offers.
terjanq marked this conversation as resolved.
Show resolved Hide resolved
{{< /hint >}}

{{< hint warning >}}
Firefox is the only browser with CORP deployed.
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved
{{< /hint >}}


## Considerations

{{< hint warning >}}
CORB introduced a [new set of XS-Leaks](https://TODO) since attackers are able to observe whether a request was blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after. However, the introduced XS-Leak have a lower impact than a Spectre exploitation of the CORB-protected resources.
terjanq marked this conversation as resolved.
Show resolved Hide resolved
{{< /hint >}}

[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
9 changes: 0 additions & 9 deletions content/docs/defenses/browser-intrinsic/double-keyd-cache.md

This file was deleted.

64 changes: 64 additions & 0 deletions content/docs/defenses/browser-intrinsic/partitioned-cache.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
+++
title = "Partitioned HTTP Cache"
description = ""
date = "2020-07-21"
category = "defenses"
menu = "main"
+++

## Explanation

[Cache probing attacks](https://TODO) have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites visited by a user, allowing attackers to interact with it and infer private information from other origins.

<!--TODO(manuelvsousa): Add reference to cache probing attacks-->

Considering Opt-in solutions, applications can use the [`Vary` Header combined with `Fetch-Metadata`](https://TODO) to prevent cross-origin fetches to be affected by the site cache or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with downsides. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with finer-grained keys such as the tuple <`top-frame origin`, URL> or even triples of values.

{{< hint info >}}
Chrome [^1] and Firefox [^2] are still discussing an implementation for a Multi-Keyed Cache while Safari [^3] already runs a version of it since 2013.
terjanq marked this conversation as resolved.
Show resolved Hide resolved

[^1]: Split Disk Cache Meta Bug (Blink), [link](https://bugs.chromium.org/p/chromium/issues/detail?id=910708)
[^2]: Top-level site partitioning (Gecko), [link](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107)
[^3]: Optionally partition cache to prevent using cache for tracking (Webkit), [link](https://bugs.webkit.org/show_bug.cgi?id=110269)
{{< /hint >}}


## Relevant Projects

### Intelligent Tracking Prevention

[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269). The used keys for the cache are the top frame's eTLD+1 and the origin of each fetched subresource.

{{< hint warning >}}
Researchers found out attackers [could abuse some ITP features](https://TODO) to infer private user data.
{{< /hint >}}

<!--TODO(manuelvsousa): ADD ITP XS-Leak here -->

### First Party Isolation

First Party Isolation is a [Browser Extension](https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/) for Firefox which restricts access to cookies and persistent data (e.g cache) per domain.

## Considerations

Partitioned HTTP caches are a promising security feature that will eventually land in browsers. These partitioning strategies will mitigate all the XS-Leaks leveraging browsers caches and might be extended to other browser resources which help mitigate resilient attack vectors like the [Socket Exhaustion XS-Leak](https://TODO).

<!--TODO(manuelvsousa): Add socket exhaustion ?-->
empijei marked this conversation as resolved.
Show resolved Hide resolved

## XS-Leaks Mitigation Overview
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved

| XS-Leak | Partitioned Cache Mitigation | Full Mitigation |
|:-----------------------------------------------------------------:|:----------------------------:|:-------------------:
| [Frame Counting]({{< ref "../../attacks/frame-counting.md" >}}) | ❌ | ❌
| [Navigations]({{< ref "../../attacks/navigations.md" >}}) | ❌ | ❌
| [ID Leaks]({{< ref "../../attacks/id-attribute.md" >}}) | ❌ | ❌

### Table Legend

- **Partitioned Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated if the defense mechanism would exist
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved
- **Full Mitigation** - Fully mitigates an XS-Leak if the defense mechanism would exist
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved


[^1]: Double-keyed HTTP cache, [link](https://github.com/whatwg/fetch/issues/904)
[^2]: Explainer - Partition the HTTP Cache, [link](https://github.com/shivanigithub/http-cache-partitioning)
[^3]: Client-Side Storage Partitioning, [link](https://privacycg.github.io/storage-partitioning/)
25 changes: 25 additions & 0 deletions content/docs/defenses/opt-in/corp.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
+++
title = "Cross-Origin-Resource-Policy"
description = ""
date = "2020-07-21"
category = "defenses"
menu = "main"
+++

Cross-Origin-Resource-Policy (CORP) response header enforces [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB) as it provides more protection by covering more resources [^1]. Both protect against speculative side-channel attacks (Spectre) by preventing attackers from loading certain cross-origin resources in elements like `script`, `img`, `video`, etc. Unlike CORB, this protection is enforced in the browser if an application **opts into the protection**. Applications can define which groups of origins (same-site, same-origin, cross-site) are allowed to read their resources.
terjanq marked this conversation as resolved.
Show resolved Hide resolved

If an application sets a certain resource CORP Header as `same-site` or `same-origin`, an attacker origin is incapable of reading that resource because is not part of the CORP group of origins.

{{< hint info >}}
Firefox is the only browser with CORP deployed.
{{< /hint >}}

{{< hint info >}}
[Cross-Origin Read Blocking (CORB)]({{< ref "../browser-intrinsic/corb.md" >}}), a similar protection, is an no-opt protection based on heuristics to prevent attackers from loading certain cross-origin resources in unlikely scenarios.
terjanq marked this conversation as resolved.
Show resolved Hide resolved
terjanq marked this conversation as resolved.
Show resolved Hide resolved
{{< /hint >}}

{{< hint warning >}}
This mechanism introduced [a new XS-Leak](https://TODO), which allows attackers detect wether CORP was enforced in a certain request.
{{< /hint >}}

[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))