Presentation is loading. Please wait.

Presentation is loading. Please wait.

Yaoqi Jia, Zheng Leong Chua, Hong Hu,

Published byBeverly O’Neal’ Modified over 6 years ago

Similar presentations

Presentation on theme: "Yaoqi Jia, Zheng Leong Chua, Hong Hu,"— Presentation transcript:

1 The Web/Local Boundary Is Fuzzy A Security Study of Chrome’s Process-based Sandboxing
Yaoqi Jia, Zheng Leong Chua, Hong Hu, Shuo Chen, Prateek Saxena, Zhenkai Liang National University of Singapore Microsoft Research

2 Monolithic Browser Design
Web Page EXE Local System Files Apps Sensors

3 2nd Generation Browser: Process-based Isolation
Process-based sandboxing – process boundary Web Page Web/Local Boundary Browser kernel Local System

4 Is the Web/Local Boundary Sufficient?
Used by most modern browsers Web Page A Web Page B Web/Local Boundary Browser kernel Local System Stress testing, bug bounty, fuzzing …

5 Contributions The Web/Local Boundary is Fuzzy !
Access local files, system control Use 1 bug in renderer process Concrete Attacks Bypass in-memory protections using data-oriented attacks Attack Details Imperfect existing solutions Our light-weight mitigation Solutions

6 The Web/Local Boundary is Fuzzy
Landscape changes --- Rise of the cloud services Before 2016 Web Page Fuzzy Cloud Web/Local Boundary A new path to access local system Browser Kernel Local System Client

7 Attacks due to Fuzzy Web/Local Boundary

8 Attack Example 1: Drop a Malware
Dropbox Cloud Browser Kernel Local System Dropbox Client

9 Example 2: Steal a Local File
Dropbox Cloud Browser Kernel Local System Dropbox Client

10 Example 3: Install Malware
Google Play Server Browser Kernel Local System (Android) Google Play

11 Example 4: Remote System Control
OpenStack Server rm -rf / Browser Kernel Local System (VM) OpenStack

12 But … Chrome’s Protections
Same-Origin Policy (SOP) Control-Flow Integrity (CFI) on the way In-Memory Partitioning Internal Randomization

13 SOP Enforcement in Chrome
bool SecurityOrigin::canAccess() { if (m_universalAccess) return true; if (this == other) ...... return canAccess;} SOP Checks Various SOP checks for cross-origin read/write: contentDocument, frames, etc.

14 Control-Flow Integrity
CFI: control flows cannot be modified (on the way) <func1> lea func2, %eax jmp *%eax <func2> push %ebx Check1 Check2 Check3

15 When m_universalAccess is true, the check always passes
Bypass SOP & CFI Corrupt critical data Not modify control flow Bypass SOP checks bool SecurityOrigin::canAccess() { if (m_universalAccess) return true; if (this == other) ...... return canAccess; } Check1 True True Check2 When m_universalAccess is true, the check always passes Check3 True

16 In-Memory Partitioning
Separate different types of objects in 4 partitions Surrounded by inaccessible guard pages Different Objects Guard Page Node Layout Buffer General

17 Cross-Partition References to Bypass Partitioning
Link objects in one partition to another Pervasive & often under the control of scripts Dereference pointers to cross partition boundaries General Buffer Layout Node

18 Partition-based Randomization
Randomize the base address of each partition Guard pages cannot be read/written Node Layout Buffer General

19 Fingerprinting Technique to Bypass ASLR & Find Critical Data
Special pattern for security monitor objects Linearly scan memory class PLATFORM_EXPORT SecurityOrigin { String m_protocol; String m_host; String m_domain; String m_suboriginName; unsigned short m_port; bool m_isUnique; bool m_universalAccess; bool m_domainWasSetInDOM; bool m_canLoadLocalResources; bool m_blockLocalAccessFromLocalOrigin; bool m_needsDatabaseIdentifierQuirkForFiles; }; …… B9 BB 88 20 B9 CC 91 10 protocol Match the pattern host domain suborigin 01 m_universalAccess

20 Find the Address of Vulnerable Array
Create a predictable “fingerprinting” object Linearly scan memory to find the object’s location Count the offset when finding the pattern …… B9 DD 11 10 B9 DD 22 30 Vulnerable Array Offset Fingerprinting Object Most frequent data is the address of fingerprinting object Object Pointer … … Object Pointer Addrbase = Addrobj- Offset

21 Bypass SOP & In-Memory Protections
Data-oriented attacks Seems difficult to bypass CFI Data-oriented attacks In-memory partitioning Cross-partition references Internal ASLR Fingerprinting technique

22 Attack Implementation
Work on proper memory error vulnerabilities POC: CVE heap overflow in V8 (Chrome 33) Over 10 SOP-related flags (Chrome 45) End-to-end attacks Access files on the local system Dropbox, Google Drive Interact with local system OpenStack, Google Play Misuse system sensors Fitbit, Runkeeper

23 Protections against Web/Local Attacks

24 Web Browser-Side Protection
Memory safety Huge code base, e.g., +5 million LOC for Chrome Software-based fault isolation (SFI) Cross-partition references Node Buffer Layout General

25 Light-Weight Mitigation
Identify critical data ASLR to hide the address of critical data Address of the critical data is not saved in user space Average 3.8% overhead Raise the bar of Web/Local attacks General Buffer Layout Node

26 Disclosure to Google Fine-grained process-based isolation
Chrome’s Out-of-Process iframes Performance overhead and massive refactoring

27 Cloud Service-Side Protection
Distinguish requests of its site from client Restrict the privileges for the web interface Require the user’s consent Web Page Cloud Web/Local Boundary Browser Kernel Local System Client

28 Conclusion Concrete Attacks on Web/Local Boundary Attack Details
Access local files, system control Using 1 bug in renderer process Attack Details Bypass in-memory protections Solutions Imperfect existing solutions Open to researchers Video at POC at

29 Thanks Yaoqi Jia (Graduating in 2017) jiayaoqi@comp.nus.edu.sg

Download ppt "Yaoqi Jia, Zheng Leong Chua, Hong Hu,"

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 4 Elias Athanasopoulos
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,

EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.

1 Extensible Security Architectures for Java Authors: Dan S.Wallch, Dirk Balfanz Presented by Moonjoo Kim.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.

Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.
Address Space Layout Permutation

Address Space Layout Permutation
Computer & Network Security

Computer & Network Security
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.

CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.

3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to sandbox a problem. –Not full proof by any means. Many simple mistakes.

Cosc 4010 Sandboxing. Last lecture Last time, we covered chroot, which is a method to "sandbox" a problem. –Not full proof by any means. Many simple mistakes.
KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:

KGuard: Lightweight Kernel Protection against Return-to-User Attacks Authors: Vasileios P. Kemerlis Georgios Portokalidis Angelos D. Keromytis Presenter:
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim 09.11.2004.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

Similar presentations

Ads by Google