Yaoqi Jia, Zheng Leong Chua, Hong Hu,

Slides:



Advertisements
Similar presentations
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Advertisements

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.
Address Space Layout Permutation
Computer & Network Security
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to "sandbox" a problem. –Not full proof by any means. Many simple mistakes.
KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
COMPUTER SECURITY MIDTERM REVIEW CS161 University of California BerkeleyApril 4, 2012.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
Title of Selected Paper: IMPRES: Integrated Monitoring for Processor Reliability and Security Authors: Roshan G. Ragel and Sri Parameswaran Presented by:
M. Alexander Helen J. Wang Yunxin Liu Microsoft Research 1 Presented by Zhaoliang Duan.
Operating Systems Security
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
Wireless and Mobile Security
Identifying Arbitrary Memory Access Vulnerabilities in Privilege-Separated Software 1 Hong Hu, Zheng Leong Chua, Zhenkai Liang, Prateek Saxena National.
1 Isolating Web Programs in Modern Browser Architectures CS6204: Cloud Environment Spring 2011.
Dilip Dwarakanath.  The topic I’m about to present was taken from a paper titled “Apple iOS 4 Security Evaluation” written by Dino A Dai Zovi.  Dino.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
Web Security Firewalls, Buffer overflows and proxy servers.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
By: Chuqing He. Android Overview - Purchased by Google in First Android Phone was sold in Oct Linux-based - Holds 75% of the worldwide.
Exploiting & Defense Day 1 Recap
Remix: On-demand Live Randomization
4.01 How Web Pages Work.
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Protecting Memory What is there to protect in memory?
Adaptive Android Kernel Live Patching
The Hardware/Software Interface CSE351 Winter 2013
World Wide Web policy.
Protecting Memory What is there to protect in memory?
Protection and OS Structure
Protecting Memory What is there to protect in memory?
Lesson 4: Web Browsing.
AUDACIOUS: USER DRIVEN ACCESS CONTROL WITH UNMODIFIED OPERATING SYSTEM
Suman Jana *Original slides from Vitaly Shmatikov
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Java security (in a nutshell)
CSC 495/583 Topics of Software Security Stack Overflows (2)
Exam Review.
CSC 495/583 Topics of Software Security Web Browser Security (2)
Whether you decide to use hidden frames or XMLHttp, there are several things you'll need to consider when building an Ajax application. Expanding the role.
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
GuardION: Practical Mitigation of DMA-based Rowhammer Attacks on ARM
Distrustful Decomposition
Software Security Lesson Introduction
Firewalls Jiang Long Spring 2002.
Lesson 4: Web Browsing.
CS5123 Software Validation and Quality Assurance
CS703 - Advanced Operating Systems
Lecture 34: Testing II April 24, 2017 Selenium testing script 7/7/2019
Meltdown & Spectre Attacks
Presentation transcript:

The Web/Local Boundary Is Fuzzy A Security Study of Chrome’s Process-based Sandboxing Yaoqi Jia, Zheng Leong Chua, Hong Hu, Shuo Chen, Prateek Saxena, Zhenkai Liang National University of Singapore Microsoft Research

Monolithic Browser Design Web Page EXE Local System Files Apps Sensors

2nd Generation Browser: Process-based Isolation Process-based sandboxing – process boundary Web Page Web/Local Boundary Browser kernel Local System

Is the Web/Local Boundary Sufficient? Used by most modern browsers Web Page A Web Page B Web/Local Boundary Browser kernel Local System Stress testing, bug bounty, fuzzing …

Contributions The Web/Local Boundary is Fuzzy ! Access local files, system control Use 1 bug in renderer process Concrete Attacks Bypass in-memory protections using data-oriented attacks Attack Details Imperfect existing solutions Our light-weight mitigation Solutions

The Web/Local Boundary is Fuzzy Landscape changes --- Rise of the cloud services Before 2016 Web Page Fuzzy Cloud Web/Local Boundary A new path to access local system Browser Kernel Local System Client

Attacks due to Fuzzy Web/Local Boundary

Attack Example 1: Drop a Malware www.evil.com Dropbox Cloud Browser Kernel Local System Dropbox Client

Example 2: Steal a Local File www.evil.com Dropbox Cloud Browser Kernel Local System Dropbox Client

Example 3: Install Malware www.evil.com Google Play Server Browser Kernel Local System (Android) Google Play

Example 4: Remote System Control www.evil.com OpenStack Server rm -rf / Browser Kernel Local System (VM) OpenStack

But … Chrome’s Protections Same-Origin Policy (SOP) Control-Flow Integrity (CFI) on the way In-Memory Partitioning Internal Randomization

SOP Enforcement in Chrome www.evil.com bool SecurityOrigin::canAccess() { if (m_universalAccess) return true; if (this == other) ...... return canAccess;} SOP Checks www.dropbox.com Various SOP checks for cross-origin read/write: contentDocument, frames, etc.

Control-Flow Integrity CFI: control flows cannot be modified (on the way) <func1> … lea func2, %eax jmp *%eax <func2> push %ebx Check1 Check2 Check3

When m_universalAccess is true, the check always passes Bypass SOP & CFI Corrupt critical data Not modify control flow Bypass SOP checks bool SecurityOrigin::canAccess() { if (m_universalAccess) return true; if (this == other) ...... return canAccess; } Check1 True True Check2 When m_universalAccess is true, the check always passes Check3 True

In-Memory Partitioning Separate different types of objects in 4 partitions Surrounded by inaccessible guard pages Different Objects Guard Page Node Layout Buffer General

Cross-Partition References to Bypass Partitioning Link objects in one partition to another Pervasive & often under the control of scripts Dereference pointers to cross partition boundaries General Buffer Layout Node

Partition-based Randomization Randomize the base address of each partition Guard pages cannot be read/written Node Layout Buffer General

Fingerprinting Technique to Bypass ASLR & Find Critical Data Special pattern for security monitor objects Linearly scan memory class PLATFORM_EXPORT SecurityOrigin { ...... String m_protocol; String m_host; String m_domain; String m_suboriginName; unsigned short m_port; bool m_isUnique; bool m_universalAccess; bool m_domainWasSetInDOM; bool m_canLoadLocalResources; bool m_blockLocalAccessFromLocalOrigin; bool m_needsDatabaseIdentifierQuirkForFiles; }; …… B9 BB 88 20 B9 CC 91 10 00 00 00 00 protocol Match the pattern host domain suborigin 01 m_universalAccess

Find the Address of Vulnerable Array Create a predictable “fingerprinting” object Linearly scan memory to find the object’s location Count the offset when finding the pattern …… B9 DD 11 10 41 41 41 41 B9 DD 22 30 Vulnerable Array Offset Fingerprinting Object Most frequent data is the address of fingerprinting object Object Pointer … … Object Pointer Addrbase = Addrobj- Offset

Bypass SOP & In-Memory Protections Data-oriented attacks Seems difficult to bypass CFI Data-oriented attacks In-memory partitioning Cross-partition references Internal ASLR Fingerprinting technique

Attack Implementation Work on proper memory error vulnerabilities POC: CVE 2014-1705 heap overflow in V8 (Chrome 33) Over 10 SOP-related flags (Chrome 45) End-to-end attacks Access files on the local system Dropbox, Google Drive Interact with local system OpenStack, Google Play Misuse system sensors Fitbit, Runkeeper

Protections against Web/Local Attacks

Web Browser-Side Protection Memory safety Huge code base, e.g., +5 million LOC for Chrome Software-based fault isolation (SFI) Cross-partition references Node Buffer Layout General

Light-Weight Mitigation Identify critical data ASLR to hide the address of critical data Address of the critical data is not saved in user space Average 3.8% overhead Raise the bar of Web/Local attacks General Buffer Layout Node

Disclosure to Google Fine-grained process-based isolation Chrome’s Out-of-Process iframes Performance overhead and massive refactoring www.evil.com www.evil.com www.dropbox.com www.dropbox.com

Cloud Service-Side Protection Distinguish requests of its site from client Restrict the privileges for the web interface Require the user’s consent Web Page Cloud Web/Local Boundary Browser Kernel Local System Client

Conclusion Concrete Attacks on Web/Local Boundary Attack Details Access local files, system control Using 1 bug in renderer process Attack Details Bypass in-memory protections Solutions Imperfect existing solutions Open to researchers Video at https://youtu.be/fIHaiQ4btok POC at https://github.com/jiayaoqijia/Web-Local-Attacks

Thanks Yaoqi Jia (Graduating in 2017) jiayaoqi@comp.nus.edu.sg http://www.comp.nus.edu.sg/~jiayaoqi/

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.