Clickjacking: Attacks & Defences


Clickjacking: Attacks & Defences. Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson. Carnegie Mellon, Microsoft Research. USENIX Security 2012. SIL765 paper presentation by: Rahul Goyal: 2008CS50222, Ravee Malla: 2008CS50224. Course Instructor:


Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson
Carnegie Mellon, Microsoft Research
USENIX Security 2012

Clickjacking: Attacks & Defences
SIL765 paper presentation by:
Rahul Goyal: 2008CS50222
Ravee Malla: 2008CS50224
Course Instructor: Prof. Huzur Saran, CSE, IIT Delhi

Likejacking
  • The user can be tricked into clicking a button on an attacker's website
  • User visits attacker.com
  • Like button hidden behind another button

Clickjacking: Definition
  • Prerequisite: multiple mutually distrusting applications sharing the same display, and having permission to manipulate each other's visual appearance
  • Attacker compromises context integrity of another app's UI components
    • Temporal Integrity
    • Visual Integrity

Types of Context Integrity
  • Visual Integrity
    • What the user sees is actually what is present
    • No transparent, overlaid objects
    • Eg should be visible should be visible
  • Temporal Integrity
    • State of the UI between the time of user checking and the time of initiating the click remains the same

Compromising Visual Integrity
  • Hide the target
  • Partial Overlays

Compromising Visual Integrity
  • Multiple cursor feedback, known as cursorjacking
  • Figure labels: Fake Cursor, Real Cursor

Compromising Temporal Integrity
  • Bait and switch: as the mouse comes near the "Claim you.." button, Like moves to take its location before the user realizes it

Existing Defences
  • User confirmation
    • Degrades user experience
  • UI randomization
    • Unreliable & not user-friendly (multi-click attacks)
  • Framebusting (X-Frame-Options)
    • Incompatible with embedding 3rd-party widgets
  • Opaque overlay policy
    • Breaks legitimate sites
  • Visibility detection on click
    • Allow clicks only on elements that are visible
  • Protecting temporal integrity
    • Imposing a delay after displaying a UI
    • Annoying to users

New Attacks Demonstrated
  • Authors conducted new exploits using clickjacking, with and without their own patches, using Amazon Mechanical Turk
  • Reported the effectiveness of the attacks
  • Attacks:
    • Accessing user's webcam: attack success 43%
    • Stealing user's email: attack success 47%
    • Revealing user's identity: attack success 98%

Accessing user's webcam
  • Figure labels: Fake Cursor, Real Cursor

Stealing user's email

InContext Defence
Design Goals:
  • Should support 3rd-party object embedding
  • Should not have to prompt users for actions
  • Should not break existing sites
  • Should be resilient to new attacks

Basic Idea
  • Techniques to ensure the user is always InContext of the sensitive UI in interaction
  • Websites can indicate their sensitive UI
  • Browsers can enforce context integrity rules on these sensitive UIs

Ensuring visual integrity of target
  • OS can compare the screenshot of the sensitive UI with the reference bitmap provided
  • 30ms overhead on click processing

Ensuring visual integrity of pointer
  • Remove cursor customization
  • Freeze screen

Ensuring visual integrity of pointer
  • Lightbox effect around target on pointer entry

Ensuring temporal integrity
  • UI Delay: on a visual change, all buttons are inactive for a certain time
  • Pointer Re-entry: on a visual change, invalidate clicks till the pointer re-enters the UI
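
The two temporal-integrity rules above, modelled as a small state machine and replayed against a constructed bait-and-switch trace. This is an added example, not code from the presentation or the paper; the class and method names, the coordinates and the 500 ms delay are assumptions.

```javascript
// Added illustration (not from the slides or the paper): the UI-delay and
// pointer re-entry rules as a state machine. All names and the 500 ms
// delay are assumptions chosen for the example.
class TemporalGuard {
  constructor(delayMs = 500) {
    this.delayMs = delayMs;
    this.rect = null;            // current position of the sensitive element
    this.pointer = null;         // last known pointer position
    this.lastChange = -Infinity; // time of the last visual change
    this.needsReentry = false;   // true until the pointer leaves and comes back
  }
  inside() {
    const r = this.rect, p = this.pointer;
    return !!r && !!p && p.x >= r.x && p.x < r.x + r.w &&
           p.y >= r.y && p.y < r.y + r.h;
  }
  // The sensitive element appeared, moved or was redrawn.
  visualChange(rect, now) {
    this.rect = rect;
    this.lastChange = now;
    if (this.inside()) this.needsReentry = true; // it landed under the pointer
  }
  // User-driven pointer movement.
  pointerMove(x, y) {
    this.pointer = { x, y };
    if (!this.inside()) this.needsReentry = false; // pointer left the element
  }
  // Decide whether a click at time `now` may reach the element.
  click(now) {
    if (!this.inside()) return 'miss';
    if (now - this.lastChange < this.delayMs) return 'blocked: ui-delay';
    if (this.needsReentry) return 'blocked: pointer-reentry';
    return 'delivered';
  }
}

// Constructed bait-and-switch trace: the button jumps under a resting pointer.
function replayBaitAndSwitch() {
  const g = new TemporalGuard(500);
  const out = [];
  g.pointerMove(100, 100);
  g.visualChange({ x: 400, y: 400, w: 80, h: 30 }, 0);  // button drawn far away
  g.visualChange({ x: 90, y: 90, w: 80, h: 30 }, 1000); // the switch
  out.push(g.click(1050));  // click already in flight when the button moved
  out.push(g.click(1600));  // delay elapsed, but the pointer never re-entered
  g.pointerMove(300, 300);  // pointer leaves the element
  g.pointerMove(100, 100);  // deliberate re-entry
  out.push(g.click(1700));
  return out;
}
```

The UI delay alone stops the in-flight click but not a later one on a button the user never deliberately moved onto; the re-entry rule covers that second case.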

Conclusions & Extensions
  • Demonstrate clickjacking variants and dangers
  • Show effective defences (success 43-98%)
  • Our Extensions:
    • Replicate the studies and test the effectiveness of defences
    • Explore other methods/cases where clickjacking can be used as an exploit

Questions & Comments.
Thanks