ABSTRACT
A complex software system typically has a large number of objects in memory, holding references to each other to implement an object model. Deciding when the objects should be alive/active is non-trivial, but the decisions can be security-critical. This is especially true for web browsers: if certain browser objects do not disappear when a new page is switched in, basic security properties can be compromised, such as visual integrity, document integrity and memory safety. We refer to these browser objects as residue objects. Serious security vulnerabilities due to residue objects have been sporadically discovered in leading browser products in the past, such as IE, Firefox and Safari. However, this class of vulnerabilities has not been studied in the research literature. Our work is motivated by two questions: (1) what are the challenges imposed by residue objects on the browser's logic correctness; (2) how prevalent can these vulnerabilities be in today's commodity browsers. As an example, we analyze the mechanisms for guarding residue objects in Internet Explorer (IE), and use an enumerative approach to expose and understand new vulnerabilities. Although only the native HTML engine has been studied so far, we have already discovered five new vulnerabilities and reported them to IE developers (one of the vulnerabilities has been patched in a Microsoft security update). These vulnerabilities demonstrate a diversity of logic errors in the browser code. Moreover, our study empirically suggests that the actual prevalence of this type of vulnerability can be higher than what is perceived today. We also discuss how the browser industry should respond to this class of security problems.
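To make the hazard in the abstract concrete, the following is an added illustration written for this page, not code from the paper or from any browser: a deliberately small model of a tab that switches pages, with an unguarded handle that keeps acting after navigation (the residue-object pattern) next to a guarded handle that tags itself with the generation of the page it was created on and refuses to act once that page is gone. The class and method names (Tab, UnguardedHandle, GuardedHandle, runScenario) and the per-navigation generation counter are assumptions of this model, not IE's actual guarding mechanism, which the paper analyzes but does not describe here.

```javascript
// Added example (not from the paper): a minimal model of the residue-object
// hazard and one guarding strategy, a per-navigation generation tag that a
// handle must match before it is allowed to act on the tab's current page.

// A tab owns the currently displayed document and a generation counter that
// advances on every navigation. All names here are constructed for the model.
class Tab {
  constructor() {
    this.generation = 0;
    this.document = null;
    this.navigate('about:blank');
  }

  // Switching in a new page replaces the document and bumps the generation.
  navigate(url) {
    this.generation += 1;
    this.document = { url, title: url, generation: this.generation };
    return this.document;
  }
}

// Unguarded handle: holds only the tab and resolves tab.document lazily, so
// it silently follows the tab across navigations. A script object from the
// old page that keeps such a handle outlives its page and acts on whatever
// page is current: a document-integrity violation of the kind the paper calls
// a residue-object bug.
class UnguardedHandle {
  constructor(tab) { this.tab = tab; }
  setTitle(title) { this.tab.document.title = title; return true; }
}

// Guarded handle: records the generation of the page that created it and
// rejects any use once the tab has moved on to a later generation.
class GuardedHandle {
  constructor(tab) { this.tab = tab; this.generation = tab.generation; }
  isStale() { return this.tab.generation !== this.generation; }
  setTitle(title) {
    if (this.isStale()) {
      throw new Error('stale handle: page generation ' + this.generation +
                      ' is no longer displayed');
    }
    this.tab.document.title = title;
    return true;
  }
}

// Scenario: a script on page A obtains a handle, the tab navigates to page B,
// and A's leftover script fires afterwards (for example a timer that survived
// the navigation). Returns what happened and what B's title ended up being.
function runScenario(HandleClass) {
  const tab = new Tab();
  tab.navigate('https://a.example/');
  const handle = new HandleClass(tab);        // obtained while A is displayed
  tab.navigate('https://b.example/');         // B is switched in
  let outcome;
  try {
    handle.setTitle('changed by page A');     // A's leftover script runs
    outcome = 'acted';
  } catch (e) {
    outcome = 'rejected';
  }
  return { outcome, titleOfB: tab.document.title };
}

console.log(runScenario(UnguardedHandle)); // { outcome: 'acted', titleOfB: 'changed by page A' }
console.log(runScenario(GuardedHandle));   // { outcome: 'rejected', titleOfB: 'https://b.example/' }
```

The generation check is the simplest form of the "is this object still supposed to be alive" decision the abstract describes as non-trivial; in a real engine the equivalent check has to be applied consistently at every entry point through which a lingering object can reach the new page, which is exactly where the enumerated logic errors tend to hide.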
Residue objects: a challenge to web browser security