Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses

Title: Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Rogowski, R., Morton, M., Li, F., Monrose, F., Snow, K. Z., Polychronakis, M.
Conference Name: 2017 IEEE European Symposium on Security and Privacy (EuroS&P)
Keywords: arbitrary script code cross-origin execution, backward compatibility, browser security, Browsers, Chrome, Computer architecture, control flow hijacking, cross-platform memory cartography framework, data-only attacks, HTTP cookie leakage, Human Behavior, Internet, Internet Explorer, isolation policies, memory disclosure vulnerabilities, memory mapping primitive, Metrics, online front-ends, process isolation, process memory, pubcrawl, reliability, rendering (computer graphics), Resiliency, script level, security, security of data, security-critical data, Semantics, Web Browser Security, Web functionality
Abstract: The continuous discovery of exploitable vulnerabilities in popular applications (e.g., web browsers and document viewers), along with their heightening protections against control flow hijacking, has opened the door to an often neglected attack strategy, namely, data-only attacks. In this paper, we demonstrate the practicality of the threat posed by data-only attacks that harness the power of memory disclosure vulnerabilities. To do so, we introduce memory cartography, a technique that simplifies the construction of data-only attacks in a reliable manner. Specifically, we show how an adversary can use a provided memory mapping primitive to navigate through process memory at runtime, and safely reach security-critical data that can then be modified at will. We demonstrate this capability by using our cross-platform memory cartography framework implementation to construct data-only exploits against Internet Explorer and Chrome. The outcome of these exploits ranges from simple HTTP cookie leakage, to the alteration of the same origin policy for targeted domains, which enables the cross-origin execution of arbitrary script code. The ease with which we can undermine the security of modern browsers stems from the fact that although isolation policies (such as the same origin policy) are enforced at the script level, these policies are not well reflected in the underlying sandbox process models used for compartmentalization. This gap exists because the complex demands of today's web functionality make the goal of enforcing the same origin policy through process isolation a difficult one to realize in practice, especially when backward compatibility is a priority (e.g., for support of cross-origin IFRAMEs). While fixing the underlying problems likely requires a major refactoring of the security architecture of modern browsers (in the long term), we explore several defenses, including global variable randomization, that can limit the power of the attacks presented herein.
DOI: 10.1109/EuroSP.2017.39
Citation Key: rogowski_revisiting_2017