Visible to the public Biblio

Filters: Keyword is Chromium  [Clear All Filters]
2023-04-14
Salcedo, Mathew David, Abid, Mehdi, Kim, Yoohwan, Jo, Ju-Yeon.  2022.  Evil-Twin Browsers: Using Open-Source Code to Clone Browsers for Malicious Purposes. 2022 IEEE 12th Annual Computing and Communication Workshop and Conference (CCWC). :0776—0784.
Browsers are one of the most widely used types of software around the world. This prevalence makes browsers a prime target for cyberattacks. To mitigate these threats, users can practice safe browsing habits and take advantage of the security features available to browsers. These protections, however, could be severely crippled if the browser itself were malicious. Presented in this paper is the concept of the evil-twin browser (ETB), a clone of a legitimate browser that looks and behaves identically to the original browser, but discreetly performs other tasks that harm a user's security. To better understand the concept of the evil-twin browser, a prototype ETB named ChroNe was developed. The creation and installation process of ChroN e is discussed in this paper. This paper also explores the motivation behind creating such a browser, examines existing relevant work, inspects the open-source codebase Chromium that assisted in ChroNe's development, and discusses relevant topics like ways to deliver an ETB, the capabilities of an ETB, and possible ways to defend against ETBs.
Mingsheng, Xu, Chunxia, Li, Wenhui, Du.  2022.  Research and Development of Dual-Core Browser-Based Compatibility and Security. 2022 IEEE 8th International Conference on Computer and Communications (ICCC). :1697—1701.
Aiming at the current troubles encountered by enterprise employees in their daily work when operating business systems due to web compatibility issues, a dual-core secure browser is designed and developed in the paper based on summarizing the current development status of multi-core browsers, key difficulties and challenges in the field. Based on the Chromium open-source project, the design of a dual-core browser auto-adaptation method is carried out. Firstly, dual-core encapsulation technology is implemented, followed by a study of the core auto-adaptation algorithm, and then a core cookie sharing function is developed based on Hook technology. In addition, the security of the browser is reinforced by designing a cookie manager, adding behavior monitoring functions, and unified platform control to enhance confidentiality and security, providing a safe and secure interface for employees' work and ubiquitous IoT access. While taking security into account, the browser realizes the need for a single browser compatible with all business system web pages of the enterprise, enhancing the operating experience of the client. Finally, the possible future research directions in this field are summarized and prospected.
2022-04-18
Paul, Rajshakhar, Turzo, Asif Kamal, Bosu, Amiangshu.  2021.  Why Security Defects Go Unnoticed During Code Reviews? A Case-Control Study of the Chromium OS Project 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE). :1373–1385.
Peer code review has been found to be effective in identifying security vulnerabilities. However, despite practicing mandatory code reviews, many Open Source Software (OSS) projects still encounter a large number of post-release security vulnerabilities, as some security defects escape those. Therefore, a project manager may wonder if there was any weakness or inconsistency during a code review that missed a security vulnerability. Answers to this question may help a manager pinpointing areas of concern and taking measures to improve the effectiveness of his/her project's code reviews in identifying security defects. Therefore, this study aims to identify the factors that differentiate code reviews that successfully identified security defects from those that missed such defects. With this goal, we conduct a case-control study of Chromium OS project. Using multi-stage semi-automated approaches, we build a dataset of 516 code reviews that successfully identified security defects and 374 code reviews where security defects escaped. The results of our empirical study suggest that the are significant differences between the categories of security defects that are identified and that are missed during code reviews. A logistic regression model fitted on our dataset achieved an AUC score of 0.91 and has identified nine code review attributes that influence identifications of security defects. While time to complete a review, the number of mutual reviews between two developers, and if the review is for a bug fix have positive impacts on vulnerability identification, opposite effects are observed from the number of directories under review, the number of total reviews by a developer, and the total number of prior commits for the file under review.
2022-03-14
Bauer, Markus, Rossow, Christian.  2021.  NoVT: Eliminating C++ Virtual Calls to Mitigate Vtable Hijacking. 2021 IEEE European Symposium on Security and Privacy (EuroS P). :650—666.
The vast majority of nowadays remote code execution attacks target virtual function tables (vtables). Attackers hijack vtable pointers to change the control flow of a vulnerable program to their will, resulting in full control over the underlying system. In this paper, we present NoVT, a compiler-based defense against vtable hijacking. Instead of protecting vtables for virtual dispatch, our solution replaces them with switch-case constructs that are inherently control-flow safe, thus preserving control flow integrity of C++ virtual dispatch. NoVT extends Clang to perform a class hierarchy analysis on C++ source code. Instead of a vtable, each class gets unique identifier numbers which are used to dispatch the correct method implementation. Thereby, NoVT inherently protects all usages of a vtable, not just virtual dispatch. We evaluate NoVT on common benchmark applications and real-world programs including Chromium. Despite its strong security guarantees, NoVT improves runtime performance of most programs (mean overhead −0.5%, −3.7% min, 2% max). In addition, protected binaries are slightly smaller than unprotected ones. NoVT works on different CPU architectures and protects complex C++ programs against strong attacks like COOP and ShrinkWrap.
2022-01-31
Mabe, Abigail, Nelson, Michael L., Weigle, Michele C..  2021.  Extending Chromium: Memento-Aware Browser. 2021 ACM/IEEE Joint Conference on Digital Libraries (JCDL). :310—311.
Users rely on their web browser to provide information about the websites they are visiting, such as the security state of the web page their viewing. Current browsers do not differentiate between the live Web and the past Web. If a user loads an archived web page, known as a memento, they have to rely on user interface (UI) elements within the page itself to inform them that the page they are viewing is not the live Web. Memento-awareness extends beyond recognizing a page that has already been archived. The browser should give users the ability to easily archive live web pages as they are browsing. This report presents a proof-of-concept browser that is memento-aware and is created by extending Google's open-source web browser Chromium.
2020-09-04
Carpentier, Eleonore, Thomasset, Corentin, Briffaut, Jeremy.  2019.  Bridging The Gap: Data Exfiltration In Highly Secured Environments Using Bluetooth IoTs. 2019 IEEE 37th International Conference on Computer Design (ICCD). :297—300.
IoT devices introduce unprecedented threats into home and professional networks. As they fail to adhere to security best practices, they are broadly exploited by malicious actors to build botnets or steal sensitive information. Their adoption challenges established security standard as classic security measures are often inappropriate to secure them. This is even more problematic in sensitive environments where the presence of insecure IoTs can be exploited to bypass strict security policies. In this paper, we demonstrate an attack against a highly secured network using a Bluetooth smart bulb. This attack allows a malicious actor to take advantage of a smart bulb to exfiltrate data from an air gapped network.
2019-12-17
Huang, Jeff.  2018.  UFO: Predictive Concurrency Use-After-Free Detection. 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE). :609-619.

Use-After-Free (UAF) vulnerabilities are caused by the program operating on a dangling pointer and can be exploited to compromise critical software systems. While there have been many tools to mitigate UAF vulnerabilities, UAF remains one of the most common attack vectors. UAF is particularly di cult to detect in concurrent programs, in which a UAF may only occur with rare thread schedules. In this paper, we present a novel technique, UFO, that can precisely predict UAFs based on a single observed execution trace with a provably higher detection capability than existing techniques with no false positives. The key technical advancement of UFO is an extended maximal thread causality model that captures the largest possible set of feasible traces that can be inferred from a given multithreaded execution trace. By formulating UAF detection as a constraint solving problem atop this model, we can explore a much larger thread scheduling space than classical happens-before based techniques. We have evaluated UFO on several real-world large complex C/C++ programs including Chromium and FireFox. UFO scales to real-world systems with hundreds of millions of events in their execution and has detected a large number of real concurrency UAFs.