C.R.E.A.M. Cache Rules Evidently Ambiguous, Misunderstood

Presented at DEF CON 21 (2013), Aug. 4, 2013, 4 p.m. (20 minutes)

Common wisdom dictates that web applications serving sensitive data must use an encrypted connection (i.e., HTTPS) to protect data in transit. Once served, that same sensitive data must be protected at rest, either through encryption, or more appropriately by not storing the sensitive data on disk at all. In the past, web browser disk caching policies maintained a distinction between HTTP and HTTPS requests, typically refusing to cache HTTPS requests. With today's bandwidth- and performance-hungry AJAX and HTML5 applications, most modern browsers treat all content (including HTTPS) as safe to cache to disk unless explicitly restricted by the server. This silent "shift" of responsibility from browser to web-application server has eluded both secure web-application and safe-browsing paradigms, leaving consumers exposed. Even OWASP recommended guidelines for creating secure web applications are wrong regarding this topic [1]. We tested over thirty sites that provide personal financial, health, and insurance-related information to determine what, if any, sensitive information was cached to disk and the results were surprising. Over 70% of tested sites cached sensitive information, ranging from account balances to bank-check images, bank statements, and full credit reports. We will discuss not only the technical details of these caching vulnerabilities, but also the history behind the "shift" in cache policy responsibility, the breakdown in conventional wisdom concerning web application and web-browser security policies, the ramifications of caching PII to disk, and the potential widespread violation of most compliance standards, including PCI, HIPAA, SOX, and government standards such as FIPS or Common Criteria.

Presenters:

• Jacob Thompson
  Jacob Thompson is a security analyst at Independent Security Evaluators, a Baltimore, Maryland, company specializing in high-end, custom security assessments of computer hardware and software products. Jacob holds an M.S. in Computer Science from the University of Maryland, Baltimore County. His primary security interests include analyzing commercial software products for design flaws and other vulnerabilities, reverse engineering, and cryptography. Prior to joining ISE, Jacob served as a Computer Science teaching assistant and briefly worked as an intern software engineer developing desktop and embedded applications for process control systems.

Links:

• https://defcon.org/html/defcon-21/dc-21-speakers.html#Thompson
• https://infocon.org/cons/DEF CON/DEF CON 21/DEF CON 21 video and slides/DEF CON 21 - Jacob Thompson - C.R.E.A.M. Cache Rules Evidently Ambiguous Misunderstood - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=S9vvG8z7bCk

Similar Presentations:

• Black Hat USA 2018 / Practical Web Cache Poisoning: Redefining 'Unexploitable'
• ToorCon San Diego 13 (2011) / Building a Robust Application Security Plan
• Black Hat USA 2017 / Web Cache Deception Attack