Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses

2017 IEEE European Symposium on Security and Privacy (EuroS&P) Pub Date : 2017-04-26 DOI:10.1109/EuroSP.2017.39

Roman Rogowski, Micah Morton, Forrest Li, F. Monrose, K. Snow, M. Polychronakis

{"title":"Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses","authors":"Roman Rogowski, Micah Morton, Forrest Li, F. Monrose, K. Snow, M. Polychronakis","doi":"10.1109/EuroSP.2017.39","DOIUrl":null,"url":null,"abstract":"The continuous discovery of exploitable vulnerabilitiesin popular applications (e.g., web browsers and documentviewers), along with their heightening protections againstcontrol flow hijacking, has opened the door to an oftenneglected attack strategy—namely, data-only attacks. In thispaper, we demonstrate the practicality of the threat posedby data-only attacks that harness the power of memorydisclosure vulnerabilities. To do so, we introduce memorycartography, a technique that simplifies the construction ofdata-only attacks in a reliable manner. Specifically, we showhow an adversary can use a provided memory mapping primitive to navigate through process memory at runtime, andsafely reach security-critical data that can then be modifiedat will. We demonstrate this capability by using our cross-platform memory cartography framework implementation toconstruct data-only exploits against Internet Explorer andChrome. The outcome of these exploits ranges from simpleHTTP cookie leakage, to the alteration of the same originpolicy for targeted domains, which enables the cross-originexecution of arbitrary script code. The ease with which we can undermine the security ofmodern browsers stems from the fact that although isolationpolicies (such as the same origin policy) are enforced atthe script level, these policies are not well reflected in theunderlying sandbox process models used for compartmentalization. This gap exists because the complex demands oftoday's web functionality make the goal of enforcing thesame origin policy through process isolation a difficult oneto realize in practice, especially when backward compatibility is a priority (e.g., for support of cross-origin IFRAMEs). While fixing the underlying problems likely requires a majorrefactoring of the security architecture of modern browsers(in the long term), we explore several defenses, includingglobal variable randomization, that can limit the power ofthe attacks presented herein.","PeriodicalId":233564,"journal":{"name":"2017 IEEE European Symposium on Security and Privacy (EuroS&P)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-04-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"37","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE European Symposium on Security and Privacy (EuroS&P)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/EuroSP.2017.39","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 37

Abstract

The continuous discovery of exploitable vulnerabilitiesin popular applications (e.g., web browsers and documentviewers), along with their heightening protections againstcontrol flow hijacking, has opened the door to an oftenneglected attack strategy—namely, data-only attacks. In thispaper, we demonstrate the practicality of the threat posedby data-only attacks that harness the power of memorydisclosure vulnerabilities. To do so, we introduce memorycartography, a technique that simplifies the construction ofdata-only attacks in a reliable manner. Specifically, we showhow an adversary can use a provided memory mapping primitive to navigate through process memory at runtime, andsafely reach security-critical data that can then be modifiedat will. We demonstrate this capability by using our cross-platform memory cartography framework implementation toconstruct data-only exploits against Internet Explorer andChrome. The outcome of these exploits ranges from simpleHTTP cookie leakage, to the alteration of the same originpolicy for targeted domains, which enables the cross-originexecution of arbitrary script code. The ease with which we can undermine the security ofmodern browsers stems from the fact that although isolationpolicies (such as the same origin policy) are enforced atthe script level, these policies are not well reflected in theunderlying sandbox process models used for compartmentalization. This gap exists because the complex demands oftoday's web functionality make the goal of enforcing thesame origin policy through process isolation a difficult oneto realize in practice, especially when backward compatibility is a priority (e.g., for support of cross-origin IFRAMEs). While fixing the underlying problems likely requires a majorrefactoring of the security architecture of modern browsers(in the long term), we explore several defenses, includingglobal variable randomization, that can limit the power ofthe attacks presented herein.

查看原文本刊更多论文

重新审视现代浏览器的安全性:新的纯数据攻击和防御

在流行的应用程序(例如，web浏览器和文档查看器)中不断发现可利用的漏洞，以及它们对控制流劫持的加强保护，已经打开了一种经常被忽视的攻击策略的大门-即仅数据攻击。在本文中，我们展示了利用内存泄露漏洞的力量的纯数据攻击所构成的威胁的实用性。为了做到这一点，我们引入了内存制图，这是一种以可靠的方式简化仅数据攻击构造的技术。具体来说，我们展示了攻击者如何使用提供的内存映射原语在运行时浏览进程内存，并安全地到达可以随意修改的安全关键数据。我们通过使用我们的跨平台内存制图框架实现来构造针对Internet Explorer和chrome的仅限数据的漏洞来演示此功能。这些漏洞利用的结果从简单的http cookie泄漏到更改目标域的相同源策略，从而允许任意脚本代码的跨源执行。我们可以轻易地破坏现代浏览器的安全性，这源于这样一个事实:尽管隔离策略(如同源策略)在脚本级别强制执行，但这些策略并没有很好地反映在用于划分的底层沙盒进程模型中。这种差距的存在是因为当今web功能的复杂需求使得通过进程隔离来实施同源策略的目标在实践中很难实现，特别是当向后兼容性是优先考虑的时候(例如，支持跨域iframe)。虽然修复潜在的问题可能需要对现代浏览器的安全架构进行重大重构(从长远来看)，但我们探索了几种防御措施，包括全局变量随机化，这可以限制本文所述攻击的力量。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE European Symposium on Security and Privacy (EuroS&P)

自引率

0.00%

发文量