ABSTRACT
Browsers' isolation mechanisms are critical to users' safety and privacy on the web. Achieving proper isolation, however, is very difficult. Historical data show that even for seemingly simple isolation policies, current browser implementations are surprisingly error-prone. Isolation bugs have been exploited on most major browser products. This paper presents a focused study of browser isolation bugs and attacks. We found that because of the intrinsic complexity of browser components, it is impractical to exhaustively examine the browser implementation to eliminate these bugs. In this paper, we propose the script accenting mechanism as a light-weight, transparent defense to enhance the current domain isolation mechanism. The basic idea is to introduce domain-specific "accents" to scripts and HTML object names so that two frames cannot communicate or interfere if they have different accents. The mechanism has been prototyped on Internet Explorer. Our evaluations showed that all known attacks were defeated, and the proposed mechanism is fully transparent to existing web applications. Measurements of end-to-end browsing time did not show any noticeable slowdown. We also argue that accenting could be a primitive general enough for implementing other domain-isolation policies.
Index Terms
- An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism