Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CORB, CORP and Partitioned Caches Defense Articles to the Wiki #6

Merged
merged 40 commits into from
Sep 17, 2020
Merged
Show file tree
Hide file tree
Changes from 22 commits
Commits
Show all changes
40 commits
Select commit Hold shift + click to select a range
0b5bcf3
Add Double Keyd Cache references and article strucure.
manuelvsousa Aug 4, 2020
9560b17
Add Draft for Partitioned caches.
manuelvsousa Aug 5, 2020
3f5fb99
Fix Partitioned Key Cache Draft.
manuelvsousa Aug 5, 2020
534a24d
Add improved draft for partitioned cache draft.
manuelvsousa Aug 5, 2020
8427bf2
Rename Double Key to Partitioned Cache.
manuelvsousa Aug 6, 2020
f0865ae
Add ITP partitioned cache keys.
manuelvsousa Aug 6, 2020
1c7367a
Add initial drafs for CORB and CORP.
manuelvsousa Aug 6, 2020
0c8a9b2
Add more contents to CORB draft.
manuelvsousa Aug 7, 2020
0ca50f9
Add pre-final drafts for corb and corp.
manuelvsousa Aug 7, 2020
8937d32
Add final drafts for corb and corp.
manuelvsousa Aug 7, 2020
5fef16f
Remove title in CORP.
manuelvsousa Aug 10, 2020
30db5e3
Update content/docs/defenses/browser-intrinsic/corb.md
manuelvsousa Aug 17, 2020
4928c73
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
2497d80
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
cce14c9
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
00c6170
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
4ac4e27
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
b9069ad
Update content/docs/defenses/opt-in/corp.md
manuelvsousa Aug 17, 2020
07eaadc
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 17, 2020
ddbe7ed
Apply Rob suggestion to CORB.
manuelvsousa Aug 18, 2020
a7de532
Add Rob suggestion to Partitioned Cached: Vary Header with Fetch-Meta…
manuelvsousa Aug 18, 2020
b740814
Apply Rob's suggestion to ITP warning.
manuelvsousa Aug 18, 2020
f3d2b3b
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Aug 25, 2020
22cf2cc
Change CORB article with new wording and insights.
manuelvsousa Sep 3, 2020
82d8aa6
Remove old TODO.
manuelvsousa Sep 3, 2020
e59ac50
Add new visual to Partitioned cache article.
manuelvsousa Sep 3, 2020
b20540d
Fix impossible wording in corp/corp
manuelvsousa Sep 3, 2020
2f5e09e
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Sep 3, 2020
3b4c9af
Fix Word in partitioned caches article.
manuelvsousa Sep 3, 2020
7b47c7e
Add warning about impact regarding CORB protection
manuelvsousa Sep 3, 2020
87d18be
Change CORB wording.
manuelvsousa Sep 3, 2020
d4f42cd
Remove firefox is the only with corp deployed message.
manuelvsousa Sep 7, 2020
63ed7bf
Drop mention to CORP in CORB article.
manuelvsousa Sep 7, 2020
fb2eab2
Add CORP hint in CORB article.
manuelvsousa Sep 7, 2020
bcdce5b
Remaster sentence in CORP article.
manuelvsousa Sep 7, 2020
5c18cc7
Change CORB reference from presentation page to explainer
manuelvsousa Sep 7, 2020
306d36e
Fix Plural in a CORB sentence.
manuelvsousa Sep 7, 2020
b7dbc34
Update corb.md
terjanq Sep 8, 2020
733615e
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Sep 9, 2020
aeb7a10
Update content/docs/defenses/browser-intrinsic/partitioned-cache.md
manuelvsousa Sep 9, 2020
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 21 additions & 1 deletion content/docs/defenses/browser-intrinsic/corb.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,24 @@ category = "defenses"
menu = "main"
+++

TODO

## Explanation

Cross-Origin Read Blocking (CORB) is a browser defense mechanism that prevents attackers from loading certain cross-origin resources in impossible scenarios [^1]. This protection was created to prevent speculative side-channel attacks such as Spectre which allow attackers to read the memory of their own process. CORB aims to prevent attackers from loading cross-origin contents which might contain sensitive information into an attacker controlled process. For instance, if an attacker tries to load an HTML, XML, or JSON as an `img` or `script` tag, CORB will prevent this from happening. To classify resource types CORB uses the `Content-Type` header but when it detects a page does not serve a `nosniff` header it detects if the resource is worth protecting by looking at the beginning of the response body.
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved

{{< hint info >}}
Chrome is the only browser with CORB deployed.
{{< /hint >}}

{{< hint info >}}
An important complement of CORB is the [Cross-Origin Resource Policy (CORP)]({{< ref "../opt-in/corp.md" >}}).
{{< /hint >}}


## Considerations

{{< hint danger >}}
CORB introduced a [new set of XS-Leaks](https://TODO) since attackers are able to observe when a request is blocked or allowed by CORB. This leads to information leaks when CORB blocks certain requests depending on user information the attacker is after.
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved
{{< /hint >}}

[^1]: Cross-Origin Read Blocking for Web Developers, [link](https://www.chromium.org/Home/chromium-security/corb-for-developers)
9 changes: 0 additions & 9 deletions content/docs/defenses/browser-intrinsic/double-keyd-cache.md

This file was deleted.

60 changes: 60 additions & 0 deletions content/docs/defenses/browser-intrinsic/partitioned-cache.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
+++
title = "Partitioned HTTP Cache"
description = ""
date = "2020-07-21"
category = "defenses"
menu = "main"
+++

## Explanation

[Cache probing attacks](https://TODO) have been present on the web for a long time mainly because browsers HTTP cache is shared across all the websites visited by a user, allowing attackers to interact with it and infer private information from other origins.

<!--TODO(manuelvsousa): Add reference to cache probing attacks-->

Considering Opt-in solutions, applications can use the [`Vary` Header combined with `Fetch-Metadata`](https://TODO) to restrict the cache usage to a certain group of origins or use [some workarounds]({{< ref "../design-protections/subresource-protections.md" >}}) to protect resources, which come with tradeoffs. Browsers, however, have been planning a defense mechanism to segregate the cached resources per origin/site, making it impossible for attackers pages to interact with cached contents of different origins[^1] [^2] [^3]. Specifically, browsers tested caching with double keys such as `top-frame origin` and URL, however, other keys and strategies (triple keys) have also been considered.
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved

[Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=910708) and [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1590107) are still discussing an implementation for a Multi-Keyed Cache while [Safari](https://bugs.webkit.org/show_bug.cgi?id=110269) already runs a version of it since 2013.
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved


<!--TODO(manuelvsousa): Add socket exhaustion ?-->
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved

## Relevant Projects

### Intelligent Tracking Prevention

[Intelligent Tracking Prevention](https://webkit.org/tracking-prevention/) (ITP) is a privacy feature part of WebKit. It's a conjunction of several tracking prevention features containing a partitioned HTTP Cache which originated from the initial [WebKit Keyed cache from 2013](https://bugs.webkit.org/show_bug.cgi?id=110269). The used keys for the cache are the top frame's eTLD+1 and the origin of each fetched subresource.

{{< hint warning >}}
Researchers found out attackers [could abuse some ITP features](https://TODO) to infer to private user data.
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved
{{< /hint >}}

<!--TODO(manuelvsousa): ADD ITP XS-Leak here -->

### First Party Isolation

First Party Isolation is a [Browser Extension](https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/) for Firefox which restricts access to cookies and persistent data (e.g cache) per domain.

## Considerations

Partitioned HTTP caches are a promising security feature that will eventually land in browsers. These partitioning strategies will mitigate all the XS-Leaks leveraging browsers caches and might be extended to other browser resources which help mitigate resilient attack vectors like the [Socket Exhaustion XS-Leak](https://TODO).

<!--TODO(manuelvsousa): Add socket exhaustion ?-->
empijei marked this conversation as resolved.
Show resolved Hide resolved

## XS-Leaks Mitigation Overview
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved

| XS-Leak | Partitioned Cache Mitigation | Full Mitigation |
|:-----------------------------------------------------------------:|:----------------------------:|:-------------------:
| [Frame Counting]({{< ref "../../attacks/frame-counting.md" >}}) | ❌ | ❌
| [Navigations]({{< ref "../../attacks/navigations.md" >}}) | ❌ | ❌
| [ID Leaks]({{< ref "../../attacks/id-attribute.md" >}}) | ❌ | ❌

### Table Legend

- **Partitioned Cache Protection** - At least one attack alternative of the XS-Leak can be mitigated if the defense mechanism would exist
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved
- **Full Mitigation** - Fully mitigates an XS-Leak if the defense mechanism would exist
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved


[^1]: Double-keyed HTTP cache, [link](https://github.com/whatwg/fetch/issues/904)
[^2]: Explainer - Partition the HTTP Cache, [link](https://github.com/shivanigithub/http-cache-partitioning)
[^3]: Client-Side Storage Partitioning, [link](https://privacycg.github.io/storage-partitioning/)
16 changes: 16 additions & 0 deletions content/docs/defenses/opt-in/corp.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
+++
title = "Cross-Origin-Resource-Policy"
description = ""
date = "2020-07-21"
category = "defenses"
menu = "main"
+++


## Explanation

Cross-Origin-Resource-Policy (CORP) response header is a complement of [Cross-Origin Read Blocking]({{< ref "../browser-intrinsic/corb.md" >}}) (CORB). CORP allows applications to **opt into the protection** for resources that might not be covered automatically by CORB[^1]. Applications can define which origins are allowed to read their resources.
manuelvsousa marked this conversation as resolved.
Show resolved Hide resolved

If an application sets a certain resource CORP Header as `same-site`, an attacker is incapable of reading that resource because it's in a different origin.

[^1]: Cross-Origin Resource Policy (CORP), [link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP))