1 / 26

Using Replicated Execution for a More Secure and Reliable Browser

Using Replicated Execution for a More Secure and Reliable Browser. Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana Champaign Source: NDSS '12 Reporter: MinHao WU. https://netfiles.uiuc.edu/huixue2/www/cocktail.pptx. Outline. Example

alina
Télécharger la présentation

Using Replicated Execution for a More Secure and Reliable Browser

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana Champaign Source: NDSS '12 Reporter: MinHao WU https://netfiles.uiuc.edu/huixue2/www/cocktail.pptx

  2. Outline • Example • Introduction • Design • Implementation • Evaluation • Conclusion

  3. Browsers Are Not Safe • Browsers are plagued with vulnerabilities • Internet Explorer: 59 new vulnerabilities in 2010 • Firefox: 100 new vulnerabilities in 2010 • Safari: 119 new vulnerabilities in 2010 • Chrome: 191 new vulnerabilities in 2010

  4. Firefox Browser Exploit Example • Firefox 3.0.x malicious popup by CVE-2009-3076

  5. Opera: Exploit Fails • Opera shows no popup

  6. Reason: Browser Specific Vulnerabilities • Different browsers different code bases • The same bug often only in one browser

  7. Cocktail: Mixing Browsers For Better Security

  8. How Cocktail Works: Example Proxy HTTP GET a.com/img.png ✓ click “a.com” server request img.png HTTP GET a.com/img.png click click

  9. How Cocktail Works: Example Proxy HTTP GET a.com/img.png ✓ responseimg.png responseimg.png responseimg.png click “a.com” server request img.png Qt DISPLAY HTTP GET a.com/img.png click responseimg.png click HTTP GET

  10. Withstanding False Positive/Attack Proxy HTTP GET a.com/img.png ✓ responseimg.png responseimg.png click “a.com” server request img.png Qt DISPLAY HTTP GET HTTP GET a.com/img.png click responseimg.png click a.com/question.png

  11. Observation:Opportunistic N-Version Programming Different code base + DOM Same specification “roughly” followed

  12. How to Compare Different Browsers? • States to compare: display + network • Display: vision based page layout abstraction • Interaction with server • Client side non-determinism

  13. Challenge: Interaction with Server • Pages from server can be different A “a.com” server B C

  14. Solution • Avoid major changes to browser • Browsers self-update is easy • Open source is not required • Solution: proxy replication • Replicate incoming network data with proxy • HTTPS handling: Man-in-the-middle

  15. Solution: Proxy Replication • One browser as seen by server Page A a.com server Page A Proxy Page A Page A

  16. Challenge: Client Side Non-determinism • Same page content, different execution result <html> … <script> randomId = Math.random(); url = “doubleclick.com?ad=” + randomId; </script> … </html>

  17. Client Non-determinism Summary • Script related randomness • Browser specific behaviors • E.g., Opera community

  18. Solution • Extension modifies script execution • Overwrites Math, Date, window.opera • Browser configuration change • Disable Opera community • Adjust browser locale Cocktail Extension Firefox Cocktail Extension Chrome Cocktail Extension Opera

  19. False Positive • Browsers treat malformed URL differently <iframesrc=" http://www.adfusion.com/Adfusion.PartnerSite/ca tegoryhtml.aspx?userfeedguid=948fbed8-69ae-4659 -b3c1-b9863e5ab24e&clicktag=http://ads.bluelith ium.com/clk?2,13%...%2Flrec%2F,&CB={REQUES TID} width="300" height="250" scrolling="no" frameborder="0" marginheight="0" marginwidth="0” ></iframe> Missing "

  20. Why Cocktail Is More Secure • Voting == Security • Withstand some F.P. • Only need 2 to proceed • Ext. to eliminatenon-determinism • Looks like a good oneActs like a good one It is one uncompromisedbrowser Voting Proxy Ckt Ext Ckt Ext Ckt Ext DISPLAY

  21. Implementation

  22. The UI component is responsible for providing the interface between the user and Cocktail, routing user input to each replica, and voting on the display states of each replica. • The replica component maintains each browser replica, which all run in sandboxed environments. • The network component is responsible for handling network requests from the replicas and voting on network requests.

  23. UI replication • Recorder and re-player: Extension • Passing UI events across browsers: Proxy • UI Display capturing and voting • ImageMagick and OpenCV • Proxy • OpenSSL for MITM

  24. Evaluation

  25. Evaluation • Security analysis • User interaction: CVE-2009-3076 • Heap overflow: CVE-2009-2477 • DOS attack: Firefox 3.0.4 DOS, April 2009 • Same origin policy bypassing: CVE-2007-0981 • Performance • 30% slower comparing to Firefox

  26. Conclusion • Mixing different browsers for better security • Practical N-Version programming for browsers • Cocktail mirrors all inputs across the different browser replicas and votes on all outputs to withstand attacks • Our results showed that added little overhead to the page load latency times for the web sites we tested.

More Related