DOI: 10.1145/2976749.2978414

"The Web/Local" Boundary Is Fuzzy: A Security Study of Chrome's Process-based Sandboxing

Published: 24 October 2016

Abstract

Process-based isolation, suggested by several research prototypes, is a cornerstone of modern browser security architectures. Google Chrome is the first commercial browser to adopt this architecture. Unlike several research prototypes, Chrome's process-based design does not isolate different web origins from one another; it primarily promises to protect "the local system" from "the web". However, as billions of users now use web-based cloud services (e.g., Dropbox and Google Drive) that are integrated into the local system, the premise that browsers can effectively isolate the web from the local system has become questionable. In this paper, we argue that if process-based isolation does not count the same-origin policy among its goals, then its promise of maintaining the web/local separation is doubtful. Specifically, we show that existing memory vulnerabilities in Chrome's renderer can be used as a stepping-stone to drop executables/scripts in the local file system, install unwanted applications and misuse system sensors. These attacks are purely data-oriented: they do not alter any control flow or import foreign code, and therefore bypass binary-level protection mechanisms, including ASLR and in-memory partitioning. Finally, we discuss various full defenses and present a possible way to mitigate the attacks presented.
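The abstract's central point is that a renderer memory bug can cross the web/local boundary without ever hijacking control flow, because the privileged browser process acts on data the renderer supplies. The following is an added example, not code from the paper or from Chromium: a constructed two-process model in which a sandboxed renderer fills in a download request and a privileged broker resolves where the file is written. The struct layout, field names (`origin_is_web`, `save_dir`), the unbounded copy, the autostart path and the hardened variant are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not Chromium code: a sandboxed "renderer" fills in a
 * download request and a privileged "browser" process (the broker) acts on
 * it.  Field names, layout and paths are assumptions for the illustration. */

#define NAME_LEN 32
#define DIR_LEN  64

typedef struct {
    char     filename[NAME_LEN];  /* renderer-controlled; copied without a bound below */
    uint32_t origin_is_web;       /* 1 = web content, 0 = trusted local content */
    char     save_dir[DIR_LEN];   /* destination used when origin_is_web == 0 */
} DownloadRequest;

/* The attack relies on the three fields being adjacent; make that explicit. */
_Static_assert(offsetof(DownloadRequest, origin_is_web) == NAME_LEN, "layout");

/* Renderer side: a request for web content, destined for the Downloads folder. */
static void renderer_init_request(DownloadRequest *req) {
    memset(req, 0, sizeof *req);
    req->origin_is_web = 1;
    snprintf(req->save_dir, DIR_LEN, "/home/user/Downloads");
}

/* The memory bug: an attacker-supplied name is copied with no length check,
 * so bytes past filename[] land in the two fields behind it.  Only data is
 * written; no function pointer, vtable or return address is touched. */
static void renderer_set_filename_buggy(DownloadRequest *req, const uint8_t *name, size_t len) {
    memcpy(req->filename, name, len);
}

/* Vulnerable broker: trusts the renderer-supplied origin flag and directory.
 * The control flow is exactly the one the code was written for, so CFI, ASLR
 * and heap partitioning have nothing to detect. */
static const char *broker_resolve_path(const DownloadRequest *req, char *out, size_t n) {
    if (req->origin_is_web)
        snprintf(out, n, "/home/user/Downloads/%.*s", NAME_LEN, req->filename);
    else
        snprintf(out, n, "%.*s/%.*s", DIR_LEN, req->save_dir, NAME_LEN, req->filename);
    return out;
}

/* Hardened broker: "does this renderer show web content?" is state the browser
 * process keeps about the renderer, never a field read back from renderer
 * memory, and the name is validated before it reaches the file system. */
static const char *broker_resolve_path_hardened(const DownloadRequest *req,
                                                int renderer_is_web,
                                                char *out, size_t n) {
    size_t i;
    for (i = 0; i < NAME_LEN && req->filename[i] != '\0'; i++)
        if (req->filename[i] == '/')
            return NULL;                    /* no path components in a file name */
    if (i == 0 || i == NAME_LEN)
        return NULL;                        /* empty or unterminated name */
    if (renderer_is_web)
        snprintf(out, n, "/home/user/Downloads/%s", req->filename);
    else
        snprintf(out, n, "%s/%s", req->save_dir, req->filename);
    return out;
}

/* Constructed attack input: "evil.desktop" NUL-padded to 32 bytes, four zero
 * bytes that clear origin_is_web, then a replacement save_dir. */
static size_t build_payload(uint8_t *buf, size_t cap) {
    const char *name = "evil.desktop";
    const char *dir  = "/home/user/.config/autostart";
    size_t n = NAME_LEN + sizeof(uint32_t) + strlen(dir) + 1;
    if (n > cap) return 0;
    memset(buf, 0, cap);
    memcpy(buf, name, strlen(name));
    memcpy(buf + NAME_LEN + sizeof(uint32_t), dir, strlen(dir) + 1);
    return n;
}

/* Build one corrupted request the way the buggy renderer would. */
static void corrupt_request(DownloadRequest *req) {
    uint8_t payload[128];
    size_t len = build_payload(payload, sizeof payload);
    renderer_init_request(req);
    renderer_set_filename_buggy(req, payload, len);
}

/* Same corrupted request, two brokers: the first writes into an autostart
 * directory, the second still confines the file to Downloads. */
static const char *run_attack_vulnerable(void) {
    static char out[160];
    DownloadRequest req;
    corrupt_request(&req);
    return broker_resolve_path(&req, out, sizeof out);
}

static const char *run_attack_hardened(void) {
    static char out[160];
    DownloadRequest req;
    corrupt_request(&req);
    return broker_resolve_path_hardened(&req, 1 /* browser-side knowledge */, out, sizeof out);
}

int main(void) {
    printf("vulnerable broker writes to: %s\n", run_attack_vulnerable());
    printf("hardened broker writes to:   %s\n", run_attack_hardened());
    return 0;
}
```

The point to take from the model is where the policy-relevant fact lives. In the vulnerable broker, "this content came from the web" is a field in the untrusted process, so a single out-of-bounds write turns a Downloads-folder save into a write under an autostart directory while every branch taken is one the program legitimately has. In the hardened broker the same corrupted request is harmless, because the origin is an attribute the browser process tracks per renderer and the file name is checked before use; in real browsers this corresponds to keeping security-relevant state (which site a process hosts, what it may request) on the privileged side of the IPC boundary rather than trusting what the renderer echoes back.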




      Published In

      CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
      October 2016, 1924 pages
      ISBN: 9781450341394
      DOI: 10.1145/2976749

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. browser design
      2. browser security
      3. data-oriented attacks

      Qualifiers

      • Research-article

      Funding Sources

      • National Research Foundation Prime Minister's Office Singapore

      Conference

      CCS '16

      Acceptance Rates

      CCS '16 Paper Acceptance Rate 137 of 831 submissions, 16%;
      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Cited By

      • (2024) Understanding the Security Landscape of Control-Data and Non-Control-Data Attacks Against IoT Systems. 2024 9th International Conference on Smart and Sustainable Technologies (SpliTech), pp. 1-6. DOI: 10.23919/SpliTech61897.2024.10612517. Published 25 June 2024.
      • (2024) Optimized Data-Flow Integrity for Modern Compilers. IEEE Access, vol. 12, pp. 124171-124182. DOI: 10.1109/ACCESS.2024.3454551.
      • (2023) Not all data are created equal. Proceedings of the 32nd USENIX Security Symposium, pp. 1433-1450. DOI: 10.5555/3620237.3620318. Published 9 August 2023.
      • (2022) Timing-Based Browsing Privacy Vulnerabilities Via Site Isolation. 2022 IEEE Symposium on Security and Privacy (SP), pp. 1525-1539. DOI: 10.1109/SP46214.2022.9833710. Published May 2022.
      • (2021) Exploitation Techniques for Data-oriented Attacks with Existing and Potential Defense Approaches. ACM Transactions on Privacy and Security, vol. 24, no. 4, pp. 1-36. DOI: 10.1145/3462699. Published 2 September 2021.
      • (2021) The Master and Parasite Attack. 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 141-148. DOI: 10.1109/DSN48987.2021.00029. Published June 2021.
      • (2020) Retrofitting fine grain isolation in the firefox renderer. Proceedings of the 29th USENIX Security Symposium, pp. 699-716. DOI: 10.5555/3489212.3489252. Published 12 August 2020.
      • (2019) RAZOR. Proceedings of the 28th USENIX Security Symposium, pp. 1733-1750. DOI: 10.5555/3361338.3361459. Published 14 August 2019.
      • (2019) Site isolation. Proceedings of the 28th USENIX Security Symposium, pp. 1661-1678. DOI: 10.5555/3361338.3361454. Published 14 August 2019.
      • (2019) Leaky images. Proceedings of the 28th USENIX Security Symposium, pp. 923-939. DOI: 10.5555/3361338.3361403. Published 14 August 2019.
