Page 1:

EuroSys 2010, Paris, France

Shuo Chen†, Hong Chen†‡, Manuel Caballero†

†Microsoft Corporation, Redmond, WA, USA
‡Purdue University, West Lafayette, IN, USA

April 15th, 2010

Page 2:

Managing the lifetimes of objects in memory

A difficult task for complex systems, and especially so for browsers.

Expected semantics of browser navigation: after a page is navigated away, no object in the page is accessible by future pages.

Otherwise, basic security properties can be compromised: visual integrity, document integrity and memory safety. Demos …

Page 3:

Due to the dilemma between the scripting capability, the navigation mechanism and the garbage collection:

1. Scripts are allowed to hold references to objects in other pages.

2. A page is allowed to be navigated away regardless of whether its internal objects are referenced by other pages.

3. Objects with non-zero reference counts cannot be garbage collected.

[Figure: Page A, Page B, Page C]

If objects in page B are garbage collected: dangling references, memory corruption. If they are not garbage collected, they become residue objects.

Page 4:

Every browser has logic that tries to ensure that residue objects cannot be accessed.

Unfortunately, the logic is non-trivial, and historically error-prone.

Our paper cites several known bugs that are clearly due to incorrect guarding of residue objects.

4 for IE, 3 for Firefox and 1 for Safari

Each bug is specific to a browser, but the problem is cross-browser.

Despite individual bug reports, the bugs had not been studied as a class.

No collective understanding is available.

Page 5:

We attempt to answer two questions: What are the challenges of guarding residue objects? Is it a minor problem, or is its scope simply not well recognized?

These bugs have not been prevalent in public vulnerability repositories.

What we did: we conducted a focused study of IE to understand its guarding logic. We examined the logic using an enumerative test generation approach.

We found 5 new bugs of this type in IE.

We explained some pitfalls in building the guarding logic.

Page 6:

Page 7:

ActiveX – the technology to build most browser objects

All HTML elements, as well as the HTML rendering engine and the Javascript engine

ActiveX object interface: AddRef, Release – refcounting

Invoke – invocation of a method of an object

HTML and Javascript languages have generic mechanisms to load ActiveX objects.

In HTML, <object ...> element

In Javascript, obj = new ActiveXObject('...')

Page 8:

<window> and <document> elements: upon a navigation, the window object persists, but a new document object is switched in. At the C++ level, they are implemented as objects of the CWindow and CDocument classes.

Class names begin with C by convention.

Security is based on the object-capability model: object A can access object B only if it holds a reference to object B.

Page 9:

Cross-window security check – CWinProxy. No reference to a CWindow object should be passed to other windows.

Instead, upon a cross-window referencing, an object of the CWinProxy class is created and passed out.

CWinProxy enforces the security checks.

Each object of CWindow, CDocument or CWinProxy has a Boolean flag "validity".

If validity == false, then the object should not be accessed.

Main question: the mechanism seems simple to enforce.

What can go wrong in the actual browser implementation?

Page 10:

Page 11:

Our tactic for test case generation

A tool to obtain the memory-level insights into the test cases

Page 12:

We generate test cases by enumerating different inner objects, enumerating different ways of object hosting, and enumerating different ways of navigation.

[Figure: a persistent window and a navigational window that hosts an inner object. (1) The persistent window takes a reference to the inner object. (2) The navigational window is navigated.]

Page 13:

We log important operations of the browser: construction/destruction/AddRef/Release of CWindow/CDocument/CWinProxy objects, validity changes of these objects, and the navigation.

We built an analysis tool to obtain the following insights:

After the navigation, which objects are in memory (and what are their refcounts)?

What are their validity flags?

Which are the remaining references and who are holding them?
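The analysis described above, reconstructed as an added example in C++ (this is not the authors' tool and the log format is an assumption): the log records construction, AddRef/Release with the holder, validity changes, destruction and the navigation for CWindow/CWinProxy objects. The analyzer replays it and answers the three questions on the slide, and it also flags refcount anomalies such as a Release that drops a count below zero. The two logs are constructed; the first follows the inner-window test case (a persistent window holds a CWinProxy to an inner window that lives in the navigational window), the second adds one extra Release on the proxy.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample log (not real IE output). One operation per line:
//   CREATE <class> <id>          ADDREF <id> by <holder>
//   RELEASE <id> by <holder>     INVALIDATE <id>
//   DESTROY <id>                 NAVIGATE
// 0x1 = persistent window, 0x2 = navigational window, 0x3 = inner window,
// 0x4 = the CWinProxy for 0x3 that 0x1 holds. Then 0x2 is navigated.
static const char* SAMPLE_LOG =
    "CREATE CWindow 0x1\n"   "ADDREF 0x1 by host\n"
    "CREATE CWindow 0x2\n"   "ADDREF 0x2 by host\n"
    "CREATE CWindow 0x3\n"   "ADDREF 0x3 by 0x2\n"
    "CREATE CWinProxy 0x4\n" "ADDREF 0x4 by 0x1\n"
    "ADDREF 0x3 by 0x4\n"
    "NAVIGATE\n"
    "INVALIDATE 0x3\n"
    "RELEASE 0x3 by 0x2\n";

// Same scenario, but the proxy is released once more than it was AddRef'd
// (constructed to mimic an "extra release" refcount error).
static const std::string EXTRA_RELEASE_LOG =
    std::string(SAMPLE_LOG) + "RELEASE 0x4 by 0x1\n" + "RELEASE 0x4 by 0x1\n";

struct ObjState {
    std::string cls;
    int refcount = 0;
    bool valid = true;
    bool alive = false;                   // constructed and not yet destroyed
    std::multiset<std::string> holders;   // who currently holds a reference
};

struct Report {
    std::map<std::string, ObjState> objects;
    std::vector<std::string> errors;      // refcount anomalies found in the log
};

// Replays the log and reconstructs the state of every object at its end.
static Report analyze(const std::string& log) {
    Report r;
    std::string line;
    std::istringstream in(log);
    while (std::getline(in, line)) {
        std::istringstream ls(line);
        std::string op, a, b, c;          // op, then up to three tokens
        ls >> op >> a >> b >> c;
        if (op.empty() || op == "NAVIGATE") continue;
        if (op == "CREATE") {             // a = class name, b = object id
            ObjState& o = r.objects[b];
            o.cls = a; o.alive = true; o.valid = true; o.refcount = 0; o.holders.clear();
            continue;
        }
        auto it = r.objects.find(a);      // a = object id for all other ops
        if (it == r.objects.end()) { r.errors.push_back("unknown object: " + line); continue; }
        ObjState& o = it->second;
        if (op == "ADDREF") {             // c = holder
            o.refcount++;
            o.holders.insert(c);
        } else if (op == "RELEASE") {     // c = holder
            if (!o.alive) r.errors.push_back("release after destroy: " + line);
            else if (o.refcount == 0) r.errors.push_back("refcount underflow: " + line);
            else o.refcount--;
            auto h = o.holders.find(c);
            if (h != o.holders.end()) o.holders.erase(h);
            else r.errors.push_back("release by non-holder: " + line);
        } else if (op == "INVALIDATE") {
            o.valid = false;
        } else if (op == "DESTROY") {
            if (o.refcount != 0) r.errors.push_back("destroyed with live refs: " + line);
            o.alive = false;
        }
    }
    return r;
}

// Objects still in memory when the log ends, i.e. after the navigation.
static std::vector<std::string> residueObjects(const Report& r) {
    std::vector<std::string> ids;
    for (const auto& kv : r.objects)
        if (kv.second.alive) ids.push_back(kv.first);
    return ids;
}

int main() {
    Report r = analyze(SAMPLE_LOG);
    for (const std::string& id : residueObjects(r)) {
        const ObjState& o = r.objects.at(id);
        std::cout << id << " " << o.cls << " refcount=" << o.refcount
                  << " valid=" << std::boolalpha << o.valid << " holders:";
        for (const std::string& h : o.holders) std::cout << " " << h;
        std::cout << "\n";
    }
    for (const std::string& e : analyze(EXTRA_RELEASE_LOG).errors) std::cout << "error: " << e << "\n";
}
```

Run on the first log, the report shows the inner window 0x3 still in memory with refcount 1, invalidated, and held only by the proxy 0x4, while 0x4 itself is still valid and held by the persistent window; that is exactly the reference path a validity check must account for. The second log produces two errors for the surplus Release (an underflow and a release by a holder that no longer holds a reference), which is the kind of refcount mistake that leaves a dangling pointer behind.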

Page 14:

Page 15:

The test case: the inner object is a window.

[Figure: persistent window, navigational window, inner window; the persistent window runs var ref = InnerWin;]

Observations: the inner window stays in memory after the navigational window is navigated, although it is invalidated.

When the inner window is created by createPopup(), it remains visible.

Damage to visual integrity.

E.g., the demo of the EuroSys banner.

Page 16:

The test case: the inner object is a method of the inner window.

[Figure: persistent window, navigational window, inner window, a method of the window; the persistent window runs var ref = InnerWindow.setTimeout;]

Observations: the CWindow object of the inner window is invalidated, but its CWinProxy object held by the persistent window is not.

The C++ object representing the method contains a polymorphic pointer whose real type is CWinProxy, not CWindow.

The method is allowed to run after the navigation.

Result: a script in the old page can survive the navigation.
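The polymorphism pitfall from this test case, as an added C++ example (toy classes written for this page, not IE's implementation; the names CWindow and CWinProxy come from the talk, everything else is assumed). A method object keeps a polymorphic pointer to the object it was fetched from; fetched cross-window, that object is the proxy, so a check that reads only the pointee's own validity flag passes even though the window behind it has been invalidated. The corrected proxy ties its validity to the window it stands for.

```cpp
#include <iostream>
#include <string>

// Hypothetical miniature of the CWindow / CWinProxy arrangement described in
// the talk. The per-object "validity" flag lives in the common base.
struct IObject {
    bool validity = true;
    virtual ~IObject() = default;
    // Pitfall: the default check consults only this object's own flag.
    virtual bool isValid() const { return validity; }
};

// The real window object; navigating its page away invalidates it.
struct CWindow : IObject {
    void invalidate() { validity = false; }
};

// What another window receives instead of a CWindow reference.
// Nothing here flips its flag when the target is invalidated.
struct CWinProxy : IObject {
    CWindow* target;                          // non-owning in this model
    explicit CWinProxy(CWindow* t) : target(t) {}
};

// Corrected proxy: a proxy is only as valid as the window it stands for, so
// an invalidated CWindow cannot be reached through a still-"valid" proxy.
struct CWinProxyFixed : CWinProxy {
    using CWinProxy::CWinProxy;
    bool isValid() const override { return validity && target->isValid(); }
};

// A method object such as setTimeout. Its "self" pointer is polymorphic; when
// the method was obtained cross-window, self really points at the proxy.
struct WindowMethod {
    IObject* self;
    std::string name;
    // The guard before running: only a valid object may be invoked.
    // Returns whether the method was allowed to run.
    bool invoke() const { return self->isValid(); }
};

// Re-creates the test case. Returns true if the captured method is still
// allowed to run after its window's page has been navigated away.
template <class Proxy>
static bool methodSurvivesNavigation() {
    CWindow inner;                            // the inner window
    Proxy proxy(&inner);                      // what the persistent window holds
    WindowMethod ref{&proxy, "setTimeout"};   // var ref = InnerWindow.setTimeout;
    inner.invalidate();                       // navigational window navigated
    return ref.invoke();
}

int main() {
    std::cout << std::boolalpha
              << "own-flag proxy: method runs after navigation = "
              << methodSurvivesNavigation<CWinProxy>() << "\n"
              << "delegating proxy: method runs after navigation = "
              << methodSurvivesNavigation<CWinProxyFixed>() << "\n";
}
```

Delegation is one of two ways to close the gap; the other is to invalidate every proxy whenever its window is invalidated, which requires the window to track the proxies handed out for it. Either way, the property to test for is the one the slide states: no method reachable through a proxy may run once the underlying CWindow is invalid.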

Page 17:

The test case: the inner window is hosted in another HTML engine.

Remember that the HTML engine itself is an ActiveX object, and HTML allows loading an ActiveX object into the page.

[Figure: persistent window, navigational window, another HTML engine, inner window. The inner window is rendered by another HTML engine!]

Observation: the inner window is not invalidated after the navigational window is navigated.

Result: a script in the inner window can survive the navigation.

Page 18:

Erroneous refcounting: a CWinProxy object loses one extra refcount when the window is navigated away. This results in a dangling reference. EIP is corrupted. Microsoft patched this bug in a hotfix.

Partially destroyed data structure in a valid object

A CWindow object is still valid after navigation, but some members of the object have been destroyed. This results in an invalid pointer value.

Page 19:

At the conceptual level – seemingly simple: residue objects should be invalidated, and invalid objects should not interfere with the user's browsing experience.

At the implementation level – difficult to make error-proof:

Which objects stay and which are removed – this needs to be precise.

Whose references are held by whom – is there any unexpected reference path?

How to correctly set the validity of every affected object? E.g., even in the cross-HTML-engine situation.

How to perform the validity check appropriately? E.g., despite the polymorphism in the program.

Page 20:

Implementing browsers using Java, C#, etc, rather than C++?

It will eliminate memory bugs, but other bugs are unaffected.

Placing each window in a process? It will mitigate the exploits of memory bugs, but the other bugs do not involve any raw memory access and are thus unaffected.

Promising direction: partitioning objects into different processes.

And, to examine the HTML DOM policies and implementation

Examples: OP browser of UIUC and Gazelle browser of Microsoft Research

Page 21:

We formulated a class of previously reported security bugs as the residue object problem.

The literature shows that it is a cross-browser problem.

We studied IE, which gives evidence that:

The logic of guarding residue objects is non-trivial, despite the seemingly simple policy at the conceptual level. Many unknown bugs may still exist in major browsers.

The scope of the problem has not been well recognized.
