An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism
Source
Conference on Computer and Communications Security
Proceedings of the 14th ACM conference on Computer and communications security
Alexandria, Virginia, USA
SESSION: Web applications security
Pages: 2-11
Year of Publication: 2007
ISBN: 978-1-59593-703-2
Authors
Shuo Chen  Microsoft, Redmond, WA
David Ross  Microsoft, Redmond, WA
Yi-Min Wang  Microsoft, Redmond, WA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 40,   Downloads (12 Months): 424,   Citation Count: 0
DOI: http://doi.acm.org/10.1145/1315245.1315248

ABSTRACT

Browsers' isolation mechanisms are critical to users' safety and privacy on the web. Achieving proper isolations, however, is very difficult. Historical data show that even for seemingly simple isolation policies, the current browser implementations are surprisingly error-prone. Isolation bugs have been exploited on most major browser products. This paper presents a focused study of browser isolation bugs and attacks. We found that because of the intrinsic complexity of browser components, it is impractical to exhaustively examine the browser implementation to eliminate these bugs. In this paper, we propose the script accenting mechanism as a light-weight transparent defense to enhance the current domain isolation mechanism. The basic idea is to introduce domain-specific "accents" to scripts and HTML object names so that two frames cannot communicate/interfere if they have different accents. The mechanism has been prototyped on Internet Explorer. Our evaluations showed that all known attacks were defeated, and the proposed mechanism is fully transparent to existing web applications. The measurement about end-to-end browsing time did not show any noticeable slowdown. We also argue that accenting could be a primitive that is general enough for implementing other domain-isolation policies.

