Abstract
Once a web application authenticates a user, it loosely associates all resources owned by the user to the web session established. Consequently, any scripts injected into the victim web session attain unfettered access to user-owned resources, including scripts that commit malicious activities inside a web application. In this paper, we establish the first explicit notion of user sub-origins to defeat such attempts. Based on this notion, we propose a new solution called UserPath to establish an end-to-end trusted path between web application users and web servers. To evaluate our solution, we implement a prototype in Chromium, and retrofit it to 20 popular web applications. UserPath reduces the size of client-side TCB that has access to user-owned resources by 8x to 264x, with small developer effort.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Budianto, E., Jia, Y., Dong, X., Saxena, P., Liang, Z. (2014). You Can’t Be Me: Enabling Trusted Paths and User Sub-origins in Web Browsers. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_8
DOI: https://doi.org/10.1007/978-3-319-11379-1_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11378-4
Online ISBN: 978-3-319-11379-1
eBook Packages: Computer Science (R0)