Using Replicated Execution for a More Secure and Reliable Browser

Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana ChampaignSource: NDSS '12Reporter: MinHao WU

https://netfiles.uiuc.edu/huixue2/www/cocktail.pptx

2

OutlineExampleIntroductionDesignImplementationEvaluationConclusion

3

Browsers Are Not SafeBrowsers are plagued with

vulnerabilities◦Internet Explorer: 59 new

vulnerabilities in 2010◦Firefox: 100 new vulnerabilities in

2010◦Safari: 119 new vulnerabilities in

2010◦Chrome: 191 new vulnerabilities in

2010

4

Firefox Browser Exploit Example

Firefox 3.0.x malicious popup by CVE-2009-3076

5

Opera: Exploit FailsOpera shows no popup

6

Reason: Browser Specific Vulnerabilities

Different browsers different code bases

The same bug often only in one browser

7

Cocktail: Mixing Browsers For Better Security

8

How Cocktail Works: Example

click

click

click

HTTP GET

Proxy

HTTP GET

a.com/img.pn

g “a.com”

server

requestimg.png

a.com/img.pn

g

✓

9

How Cocktail Works: Example

click

click

click

HTTP GET

HTTP GET

HTTP GET

a.com/img.pn

g “a.com”

server

requestimg.png

a.com/img.pn

g responseimg.png

responseimg.pngresponseimg.pngresponseimg.png

Qt DISPLAY

Proxy

✓

10

Withstanding False Positive/Attack

click

click

click

Proxy

“a.com”

server

HTTP GET

HTTP GET ✓a.com/img.pn

ga.com/img.pn

gHTTP GET a.com/

question.png

requestimg.pngresponseimg.png

responseimg.pngresponseimg.png

Qt DISPLAY

11

Observation：Opportunistic N-Version Programming

DOM

Same specification “roughly” followed

Different code base+

12

How to Compare Different Browsers?States to compare: display +

network◦Display: vision based page layout

abstractionInteraction with serverClient side non-determinism

13

Challenge: Interaction with ServerPages from server can be

different

“a.com”

server

A

B

C

14

SolutionAvoid major changes to browser

◦Browsers self-update is easy◦Open source is not required

Solution: proxy replication◦Replicate incoming network data

with proxy HTTPS handling: Man-in-the-middle

15

Solution: Proxy ReplicationOne browser as seen by server

a.comserver

Page A

Proxy

Page A

Page A

Page A

16

Challenge: Client Side Non-determinism

Same page content, different execution result

<html>…

<script>randomId = Math.random();url = “doubleclick.com?ad=” +

randomId;</script>

…</html>

17

Client Non-determinism SummaryScript related randomness

Browser specific behaviors◦E.g., Opera community

Random Number Math.random()Date and Time new Date()

Browser Specific Value window.opera; navigator.appName

Browser Locale “EN” VS “en-US”……….… ...

18

SolutionExtension modifies script execution

◦Overwrites Math, Date, window.opera

Browser configuration change◦Disable Opera community◦Adjust browser locale

Firefox

CocktailExtensi

onOpera

CocktailExtensi

onChrome

CocktailExtensi

on

19

False Positive Browsers treat malformed URL

differently<iframe src=" http://www.adfusion.com/Adfusion.PartnerSite/ca tegoryhtml.aspx?userfeedguid=948fbed8-69ae-4659 -b3c1-b9863e5ab24e&clicktag=http://ads.bluelith ium.com/clk?2,13%...%2Flrec%2F,&CB={REQUES TID}

width="300" height="250" scrolling="no" frameborder="0" marginheight="0" marginwidth="0”></iframe>

Missing"

20

Why Cocktail Is More SecureVoting == SecurityWithstand some F.P.

◦Only need 2 to proceed

Ext. to eliminatenon-determinism

Looks like a good oneActs like a good one It is one uncompromisedbrowser

CktExt

CktExt

CktExt

VotingProxy

DISPLAY

21

Implementation

22

The UI component is responsible for providing the interface between the user and Cocktail, routing user input to each replica, and voting on the display states of each replica.

The replica component maintains each browser replica, which all run in sandboxed environments.

The network component is responsible for handling network requests from the replicas and voting on network requests.

23

UI replication◦Recorder and re-player: Extension◦Passing UI events across browsers:

ProxyUI Display capturing and voting

◦ImageMagick and OpenCVProxy

◦OpenSSL for MITM

24

Evaluation

25

EvaluationSecurity analysis

◦User interaction: CVE-2009-3076◦Heap overflow: CVE-2009-2477◦DOS attack: Firefox 3.0.4 DOS, April

2009◦Same origin policy bypassing: CVE-

2007-0981Performance

◦30% slower comparing to Firefox

26

ConclusionMixing different browsers for

better security◦Practical N-Version programming for

browsers◦Cocktail mirrors all inputs across the

different browser replicas and votes on all outputs to withstand attacks

◦Our results showed that added little overhead to the page load latency times for the web sites we tested.