DOI: 10.1145/2381913.2381921

Exploiting split browsers for efficiently protecting user data

Published: 19 October 2012

Abstract

Offloading complex tasks to a resource-abundant environment like the cloud can extend the capabilities of resource-constrained mobile devices, extend battery life, and improve user experience. Split browsing is a new paradigm that adopts this strategy to improve web browsing on devices like smartphones and tablets. Split browsers offload computation to the cloud by design; they are composed of two parts, one running on the thin client and one in the cloud. Rendering takes place primarily in the latter, while a bitmap or a simplified web page is communicated to the client. Despite its differences from traditional web browsing, split browsing still suffers from the same types of threats, such as cross-site scripting. In this paper, we propose exploiting the design of split browsers to also utilize cloud resources for protecting against various threats efficiently. We begin by systematically studying split browsing architectures, and then proceed to propose two solutions, in parallel and inline cloning, that exploit the inherent features of this new browsing paradigm to accurately and efficiently protect user data against common web exploits. Our preliminary results suggest that our framework can be efficiently applied to Amazon's Silk, the most widely deployed split browser at the time of writing.

      Published In

      CCSW '12: Proceedings of the 2012 ACM Workshop on Cloud computing security workshop
      October 2012
      134 pages
      ISBN:9781450316651
      DOI:10.1145/2381913

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. cloud
      2. cross-site scripting
      3. data protection
      4. information flow tracking
      5. split browser architectures

      Qualifiers

      • Research-article

      Conference

      CCS'12
      CCS'12: the ACM Conference on Computer and Communications Security
      October 19, 2012
      North Carolina, Raleigh, USA

      Acceptance Rates

      Overall Acceptance Rate 37 of 108 submissions, 34%
