[cap-talk] Clickjacking as Confused Deputy? (was: Re: Confused Deputies in Capability Systems - not)

Jed Donnelley capability at webstart.com
Tue Feb 24 02:55:14 EST 2009 

At 09:51 AM 2/23/2009, Tyler Close wrote:
>On Mon, Feb 23, 2009 at 3:36 AM, Jed Donnelley 
><capability at webstart.com> wrote:
> > On a related topic, in doing some research for this message
> > I looked a bit at the description of "clickjacking":
> >
> > http://en.wikipedia.org/wiki/Clickjacking
> >
> > which is also referred to on:
> >
> > http://en.wikipedia.org/wiki/Confused_deputy_problem
> >
> > where it says the clickjacking category "can be analysed as confused
> > deputy attacks".  I don't agree with this statement.  I believe
> > something else is going on with "clickjacking" where the user
> > is being fooled into executing code supplied by a malicious
> > user due to the nature of an interface.
>
>In "ACLs don't" <http://waterken.sf.net/aclsdont/>, I wrote:
>
>"""
>An HTML link is a request for the browser to place
>named content at a specified on-screen location. When
>the browser includes cookies in the GET request to
>fetch the content, it is acting as a Confused Deputy.

So far I understand.  This much is like the CSRF attack.
Note that in the CSRF attack the sender (mallory, supplying
the html as below) can't inject a capability into
the html because it doesn't possess the capability
to begin with.  It can only insert names because
names are universal and depend on context to designate
authority.  The interpretation of such names to
indicate an authority is the special character of
the Confused Deputy vulnerability.

>Like in the compilation scenario, the requestor does
>not have permission to access the named resource, but
>can provide the resource's name to the deputy, who
>will access the resource on the requestor's behalf.

We're still on target so far.

>In clickjacking, the requestor is the creator of the HTML
>link and the deputy is again the Web browser.

If in the clickjacking case it is 'just' HTML that is
being interpreted in the context of the browser, then
I agree we're talking about the same thing.

Perhaps this is where there is some ambiguity.  In the
Wikipedia description of clickjacking it says that when
the user clicks, "embedded code or script (that) can execute".
If this is general code that could, for example, send
off a capability, then I believe we're talking about a
Trojan Horse and not "simply" a Confused Deputy.  If
we're only talking about interpreted HTML then I can
see that the case is essentially the same.

>A full
>listing of the corresponding elements in the attacks is
>shown in Table 3. This formulation of a Confused
>Deputy attack is quite similar to the previously discussed
>CSRF attack. In that attack, the attacker causes
>a POST request to a victim site, accompanied by the
>victim site's cookies.

(aside) Is it necessarily a POST request or can it also be
a GET request?  In the CSRF attack I understand that
names can designate authorities (e.g. as in the account
names from the Wikipedia example:

<img 
src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">

If that example is invalid it seems we should correct it.)

The above to me fits with the classical Confused Deputy problem
as discussed on:

http://en.wikipedia.org/wiki/Confused_deputy_problem

(crux) However, with regard to:

>Clickjacking can similarly be
>thought of as an attack in which the attacker causes
>a GET request to a victim site, accompanied by the
>victim site's cookies. In a CSRF attack, the payoff to
>the attacker comes from the side-effects of the POST
>request. In a clickjacking attack, the payoff comes
>from the on-screen positioning of private controls.
>Gratification is slightly delayed in the clickjacking
>attack, since it doesn't come until the user clicks, but
>the subterfuge comes before the final click, in the set
>up of the click target.
>"""

In the clickjacking case it appears that when the user
clicks on a control element, essentially arbitrary code can
be executed.  To me this means that even if authority was
communicated by capabilities, the code could make use of
the capabilities available in the context of the executing
browser and still violate security.  This seems to me more
like a classical Trojan Horse attack:

http://en.wikipedia.org/wiki/Trojan_horse_(computing)

- which is not substantively helped by using capabilities
to communicate authority.

>There's still more explanation in the surrounding text in the paper.
>Does this clarify the Confused Deputy nature of clickjacking for you?

(disclaimer - I haven't yet had time to look back at the
surrounding text - sorry)

I believe I'm understanding how the "deputy" is confused in the
clickjacking case, but I believe it is exactly this more general
sort of Trojan Horse confusion that was the source of the
ambiguity that was bothering Marcus and Toby (gentlemen?).
If general sorts of code injection flaws are considered "Confused
Deputies", then I believe the Confused Deputy problem losses it's
special character, specifically:

"Not every program that misuses authority is a confused deputy...
The confused deputy problem occurs when the designation of an
object is passed from one program to another, and the associated
permission changes unintentionally, without any explicit
action by either party. It is insidious because neither
party did anything explicit to change the authority."

Without this special character the more general sorts of
"confused deputies" (lower case) as with Trojan Horses
aren't corrected by using capabilities for communicating
authority.

It still doesn't seem to me that the clickjacking example
meets this strict criteria - unless it is restricted to only
interpreting HTML or other code in a restricted context
(e.g. Java or Javascript in a sandbox).

If you believe that clickjacking, even with general code
injection, still fits the Confused Deputy definition (upper case)
then perhaps you can point to a description of a designation
that is being communicated and having its associated
permission (should this be "authority"?) changed
unintentionally.  If you agree that general code injection
constitutes a Trojan Horse and is a different sort of
problem, then perhaps we just need to get a bit more
specific in the definition of the clickjacking problem - or
divide it into a Trojan Horse category and a Confused
Deputy category.

--Jed  http://www.webstart.com/jed-signature.html

More information about the cap-talk mailing list