with OP and Chrome

scacchicgardenΛογισμικό & κατασκευή λογ/κού

13 Δεκ 2013 (πριν από 3 χρόνια και 5 μήνες)

101 εμφανίσεις

Secure Web Browsing

with OP and Chrome

by

Mohan Dhawan

More Troubles


Current browsers are plagued by


Script based Attacks


XSS, drive by downloads, pharming attacks, DNS Rebinding


Compromised / malicious plugins and extensions


Statistics for 2007


Internet Explorer had 93 security vulnerabilities, Mozilla
browsers had 74, Safari had 29, and Opera had 9


301 reported vulnerabilities in browser plugins

[OP Browser]

Outline


The problem


Related Work


OP Web Browser


Evaluation


Discussion


Way Forward ?


Conclusion

The problem


Malicious script execution


XSS, XSRF, etc.


Sand
-
boxing


Browsers are a multi
-
principal platform


data and code (lots of scripts) from mutually distrusting sites interact


iGoogle, Microsoft Live


single
-
application model provides little isolation or security


limited built
-
in security by enforcing same origin policy


too restrictive


Handling compromised / malicious plugins and extensions


have full browser privileges


plugin writers implement ad
-
hoc policies

Related Work


Language Abstractions


MashupOS


<Sandbox>


<ServiceInstance>


Helen Wang et al

SOSP 07


BEEP


<div class = “noexecute” >


Trevor Jim et al

IWWW 07

Related Work (contd.)


Architecture


Tahoma


web applications should not be trusted


browsers should not be trusted


Separate browser instances with VMs


Richard Cox et al

CCS 07

Related Work (contd.)


Modify the browser


Script Accent


Domain specific “accents” for scripts and HTML object names


“An Analysis of Browser Domain
-
Isolation Bugs and A Light
-
Weight
Transparent Defence Mechanism”
-

Shuo Chen et al.
-

CCS 07


Dynamic Tainting


Track flow of sensitive information inside the web browser


“Cross Site Scripting Prevention with Dynamic Tainting and Static
Analysis”
-

Phillip Vogt et al.


NDSS 07


Different isolation policy


Enforces access using server’s X.509 certificates and keys


“Dynamic Pharming Attacks and Locked Same
-
origin Policies for
Web Browsers”
-

Chris Karlof et al.
-

CCS 07

New Solutions


Build browser from scratch


Keeping in mind


web 2.0 applications


secure script execution


Latest efforts


OP


Chris Grier, Shuo Tang, Samuel King

Oakland 08


Chrome


Google

OP Web Browser


Primary Goal is to ensure Secure Web
Browsing


prevent browser based attacks from happening


limit the damage in case of a successful
compromise


provide ability to recover from successful attacks

Threat Model & Assumptions


Designed to operate under malicious influence


Attacks originated from a web page could potentially
target any part of the browser


Attacker can have complete control over the content


Circle of Trust


OS and JVM to enforce isolation


DNS names for labelling security contexts

OP Guiding Principles


Simple and explicit communication between components


Clean separation of functionality and security


Explicit interfaces reduce number of control flow paths



Strong isolation between browser components


Prevents unanticipated and unaudited interactions



Monitor components to ensure faithful execution


Delegate some security logic



Compatible with existing technologies


Goal is to secure web browsing

OP Architecture


Main subsystems


the web page subsystem,


a network component,


a storage component,


a UI component, and


a browser kernel


Each subsystem runs within separate OS level
processes


SELinux sand
boxing to limit subsystem interaction
with OS

OP Architecture (contd.)

Subsystem Privileges

Browser Kernel


Manage subsystems


Creates and deletes all processes and subsystems


Creates web
-
page instances on demand


Multiplexes between existing web
-
pages on user navigation


Manages communication between subsystems


interposes on all message communication


Use of OS level pipes


Mapping of subsystems and pipes prevents spoofing


Single threaded, event driven component


All messages have unique ID

Browser Kernel (contd.)


Manages access control


Browser processes tagged with a security context


Tag depends on initial messages intercepted


Maintains detailed security audit log


Records all messages between subsystem


Helps in forensic analysis in event of system compromise

Web Page Subsystem



HTML parsing and rendering Engine


KHTML



JavaScript Interpreter


Rhino (Java based)




provides strong isolation



Plugins are separate OS level processes


provide better isolation



Xvnc server which renders the visual content

Web Page Subsystem (contd.)

UI, Network & Storage Subsystems


UI is built in Java


do not render content directly


Each web page instance renders its own content


File System is accessed only through UI system


Storage component uses sqlite
-
db to store persistent
data like cookies


Network subsystem implements HTTP

Browser Plugins


Allow browsers to view additional mime types


loaded as a DLLs or shared objects


Communicate with the browser through a well defined API


Run in the same address space as the browser


Complicates security as they are given unchecked access to
browser internals


Successful attack on a plugin can lead to a full system
compromise


Plugins writers may implement their own ad
hoc security

Plugins and OP


Each instance is treated as a separate process


assigned a label (security context) by the kernel


By inspecting the messages


Plugin Access Control done by browser kernel


Uses the same security mechanisms and policies as for
the rest of the browser subsystems

OP and Plugin Security


Plugin Security Policies


Provider domain policy


allows a plugin in a page to use the permissions of the plugin
content source


Plugin freedom policy


allows additional outgoing network accesses for plugins to
support peer
-
to
-
peer applications


can only talk to network and storage subsystems

Formal Verification


OP browser modeled using Maude (reasoning engine)


both interpreter and language



Formally specify browser components in terms of invariants over
finite space


Program invariants include access control policies


Visual invariants include UI tampering


Address bar spoofing



Maude checks for states that violate invariants

Attack Analysis


Build a dependency graph between browser level
objects


Objects connected by causal events






Backtracker graph generation algorithm is used


Backward algorithm is used to find origin of an attack


Forward algorithm is used to track effects of an attack


Great analyzing tool once an attack has occurred

Performance Evaluation

Discussion


Apply OS principles for security


Process abstraction to provide protection and isolation


Process management


How long to cache the web page instance ?


Messages to subsystems analogous to syscalls


Access to protected resources via the kernel


Browser kernel intercepts all messages


Plugins are like device drivers


Hard to secure


OP provides protection against buggy plugins


Not against malicious ones

Discussion (contd.)


Performance


No micro
-
benchmark performance figures


Comparative analysis of how OP stands out with other
browsers


combating the known web exploits (e.g. XSS, XSRF etc.)



Future works


Enhance OP browser to prevent common attacks


DNS rebinding


Automated detection of crashed and malfunctioning
subsystems to trigger recovery actions

Way Forward ?


Chrome


Developed by Google


Apple’s WebKit


Open source rendering engine for chrome


Mozilla


Developed for web 2.0 applications


Browsers are multi
-
principal

Design Goals


New Age browsers must be


More stable


Faster


More secure


Simpler user interface

Legacy Browsers

Chrome Design


Different processes for
different tabs


separate address space


No fragmentation of
memory unlike legacy
browsers


isolation offers
protection



Separate thread for
JavaScript

Speed : WebKit and V8


Webkit


Efficient memory usage


Easily adapted to embedded devices


Easy interface for developers


V8


Virtual machine for JavaScript


Provides safety and platfrom independence


Hidden class transition

Hidden Class Transition

function Point(x,y){


this.x = x;


this.y = y;

}

Machine Code Generation

Speed (contd.)


V
8


Machine code generation


Dynamic code generation


Cache code for future reference


Garbage collection


Heap segmented as new space and old space


GC entails


Stop program execution


Process only part of the heap in most GC cycles


Always know precise location of all pointers and objects


Updates all pointers to object if it moves to old space

Chrome features


Separation of the browser and tabs processes


Tabs no longer bound to a window


Privacy mode


Read
-
only mode


No logging


No history saved


Session cookies deleted on closing the window


Web apps have their own chrome

Security and Safe Browsing


Malware and Phishing


Huge monetary incentive


Chrome continuously downloads lists of phishing and malware sites


Sandboxing


Security from malware


All processes stripped of their rights to read / write to sensitive areas


Cannot interact among themselves


Security Levels

Sandboxing

Plugins


Plugins run as a separate process


Unlike legacy browsers where plugins,
HTML and JavaScript run as a single process

Overall Picture

Google Gears


Adds a set of API to the browser for developers


Plugin that extends browser capabilities


Create web apps that can run offline


Key features


A local server, to cache and serve application


A database, to store and access data from within the browser


A worker thread pool, to make web apps more responsive


Open standard

Discussion


Similarities with OP


Browser split into components


Each within its own protection domain


Both have a main process


Browser Kernel, Chrome Process


Plugins are executed as separate processes


No details about extension handling


Differences with OP


Separate thread for JavaScript VM


Separation of browser and tabs

Discussion (contd.)


New Features


Dynamic code generation


Phishing and Malware protection


Gears



Open Issues


Secure script execution


Handling malicious plugins and extensions


Framework for web 2.0 applications

Conclusion


OP uses OS features to secure web browsers


Chrome extends OP, adds security and speed

Thank You