Securing Script-Based Extensibility in Web Browsers

نویسندگان

  • Vladan Djeric
  • Ashvin Goel
چکیده

Web browsers are increasingly designed to be extensible to keep up with the Web’s rapid pace of change. This extensibility is typically implemented using script-based extensions. Script extensions have access to sensitive browser APIs and content from untrusted web pages. Unfortunately, this powerful combination creates the threat of privilege escalation attacks that grant web page scripts the full privileges of extensions and control over the entire browser process. This paper makes two contributions. First, it describes the pitfalls of script-based extensibility based on our study of the Firefox web browser. We find that script-based extensions can lead to arbitrary code injection and execution control, the same types of vulnerabilities found in unsafe code. Second, we propose a taint-based system to track the spread of untrusted data in the browser and to detect the characteristic signatures of privilege escalation attacks. We evaluate this approach by using exploits from the Firefox bug database and show that our system detects the vast majority of attacks with almost no false alarms.

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

WebSOS: an overlay-based system for protecting web servers from denial of service attacks

We present WebSOS, a novel overlay-based architecture that provides guaranteed access to a web server that is targeted by a denial of service (DoS) attack. Our approach exploits two key characteristics of the web environment: its design around a human-centric interface, and the extensibility inherent in many browsers through downloadable “applets.” We guarantee access to a web server for a larg...

متن کامل

C3: An Experimental, Extensible, Reconfigurable Platform for HTML-based Applications

The common conception of a (client-side) web application is some collection of HTML, CSS and JavaScript (JS) that is hosted within a web browser and that interacts with the user in some non-trivial ways. The common conception of a web browser is a monolithic program that can render HTML, execute JS, and gives the user a portal to navigate the web. Both of these are misconceptions: nothing inher...

متن کامل

Rethinking Web Platform Extensibility

OF THE DISSERTATION RETHINKING WEB PLATFORM EXTENSIBILITY by MOHAN DHAWAN Dissertation Director: Vinod Ganapathy The modern Web platform provides an extensible architecture that lets third party extensions, often untrusted, enhance and customize the Web browser and the Web applications. While the prevalence of extensions for both browsers and applications has been instrumental in making the Web...

متن کامل

Foundations of Web Script Security

FOUNDATIONS OF WEB SCRIPT SECURITY Aaron Bohannon Benjamin C. Pierce A web browser works with data and scripts from different sources, and these sources are not all trusted equally by the user of the browser. This fact requires web browser designers to take special care in order to keep information secure within the browser: data from one source should not be stolen or corrupted by a script fro...

متن کامل

Improving the Security and Robustness of Modern Web Browsers

Despite their popularity, modern web browsers do not offer a secure or robust environment for interacting with untrusted content. Today’s web users face a variety of threats, including exploits of browser vulnerabilities, interference between web sites, script injection attacks, and abuse of authentication credentials. To address these threats, I leverage an analogy between operating systems an...

متن کامل

ذخیره در منابع من


  با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

برای دانلود متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

عنوان ژورنال:

دوره   شماره 

صفحات  -

تاریخ انتشار 2010