BrowserShield: vulnerability-driven filtering of dynamic HTML

Proceedings of the -- USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX Symposium on Operating Systems Design and Implementation Pub Date : 2006-11-06 DOI:10.1145/1281480.1281481

C. Reis, John Dunagan, Helen J. Wang, O. Dubrovsky, Saher Esmeir

{"title":"BrowserShield: vulnerability-driven filtering of dynamic HTML","authors":"C. Reis, John Dunagan, Helen J. Wang, O. Dubrovsky, Saher Esmeir","doi":"10.1145/1281480.1281481","DOIUrl":null,"url":null,"abstract":"Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield [43]. In this paper, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions like vulnerability-driven filtering.","PeriodicalId":90294,"journal":{"name":"Proceedings of the -- USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX Symposium on Operating Systems Design and Implementation","volume":"16 1","pages":"61-74"},"PeriodicalIF":0.0000,"publicationDate":"2006-11-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"252","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the -- USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX Symposium on Operating Systems Design and Implementation","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1281480.1281481","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 252

Abstract

Vulnerability-driven filtering of network data can offer a fast and easy-to-deploy alternative or intermediary to software patching, as exemplified in Shield [43]. In this paper, we take Shield's vision to a new domain, inspecting and cleansing not just static content, but also dynamic content. The dynamic content we target is the dynamic HTML in web pages, which have become a popular vector for attacks. The key challenge in filtering dynamic HTML is that it is undecidable to statically determine whether an embedded script will exploit the browser at run-time. We avoid this undecidability problem by rewriting web pages and any embedded scripts into safe equivalents, inserting checks so that the filtering is done at run-time. The rewritten pages contain logic for recursively applying run-time checks to dynamically generated or modified web content, based on known vulnerabilities. We have built and evaluated BrowserShield, a system that performs this dynamic instrumentation of embedded scripts, and that admits policies for customized run-time actions like vulnerability-driven filtering.

查看原文本刊更多论文

BrowserShield:漏洞驱动的动态HTML过滤

漏洞驱动的网络数据过滤可以为软件补丁提供一种快速且易于部署的替代方案或中介，Shield[43]就是一个例子。在本文中，我们将Shield的视野扩展到一个新的领域，不仅对静态内容进行检查和清理，而且对动态内容进行检查和清理。我们针对的动态内容是网页中的动态HTML，它已经成为攻击的热门载体。过滤动态HTML的关键挑战是，在运行时静态地确定嵌入式脚本是否会利用浏览器是无法确定的。我们通过将网页和任何嵌入脚本重写为安全的对等物来避免这种不可判定性问题，并插入检查，以便在运行时完成过滤。重写的页面包含基于已知漏洞递归地将运行时检查应用于动态生成或修改的web内容的逻辑。我们已经构建并评估了BrowserShield，这是一个执行嵌入式脚本动态检测的系统，它允许自定义运行时操作的策略，如漏洞驱动的过滤。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the -- USENIX Symposium on Operating Systems Design and Implementation (OSDI). USENIX Symposium on Operating Systems Design and Implementation

自引率

0.00%

发文量