Using Replicated Execution for a More Secure and Reliable Browser
Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King (University of Illinois at Urbana-Champaign)
Source: NDSS '12
Reporter: MinHao WU
https://netfiles.uiuc.edu/huixue2/www/cocktail.pptx

Outline
Example
Introduction
Design
Implementation
Evaluation
Conclusion

Browsers Are Not Safe
Browsers are plagued with vulnerabilities
◦ Internet Explorer: 59 new vulnerabilities in 2010
◦ Firefox: 100 new vulnerabilities in 2010
◦ Safari: 119 new vulnerabilities in 2010
◦ Chrome: 191 new vulnerabilities in 2010

Firefox Browser Exploit Example
Firefox 3.0.x: malicious popup triggered via CVE-2009-3076

Opera: Exploit Fails
Opera shows no popup

Reason: Browser Specific Vulnerabilities
Different browsers, different code bases
The same bug is often present in only one browser

Cocktail: Mixing Browsers For Better Security

How Cocktail Works: Example
[Diagram: click ×3 → HTTP GET a.com/img.png → Proxy ✓ → request img.png → “a.com” server]

How Cocktail Works: Example
[Diagram: click ×3 → HTTP GET a.com/img.png ×3 → Proxy ✓ → request img.png → “a.com” server; response img.png → Proxy → response img.png ×3; Qt DISPLAY]

Withstanding False Positive/Attack
[Diagram: click ×3; two browsers issue HTTP GET a.com/img.png (✓), one issues HTTP GET a.com/question.png; Proxy → request img.png → “a.com” server; response img.png ×3; Qt DISPLAY]

Observation: Opportunistic N-Version Programming
[Diagram label: DOM]
Same specification “roughly” followed + different code base

How to Compare Different Browsers?
States to compare: display + network
◦ Display: vision based page layout abstraction
Interaction with server
Client side non-determinism

Challenge: Interaction with Server
Pages from server can be different
[Diagram: “a.com” server; pages A, B, C]

Solution
Avoid major changes to browser
◦ Browser self-update is easy
◦ Open source is not required
Solution: proxy replication
◦ Replicate incoming network data with proxy
HTTPS handling: Man-in-the-middle

Solution: Proxy Replication
One browser as seen by server
[Diagram: a.com server → Page A → Proxy → Page A ×3]

Challenge: Client Side Non-determinism
Same page content, different execution result
<html>…
<script>
  randomId = Math.random();
  url = "doubleclick.com?ad=" + randomId;
</script>
…</html>

Client Non-determinism Summary
Script related randomness
Browser specific behaviors
◦ E.g., Opera community

Random Number             Math.random()
Date and Time             new Date()
Browser Specific Value    window.opera; navigator.appName
Browser Locale            “EN” VS “en-US”
…                         …

Solution
Extension modifies script execution
◦ Overwrites Math, Date, window.opera
Browser configuration change
◦ Disable Opera community
◦ Adjust browser locale
[Diagram: Firefox, Opera and Chrome, each with the Cocktail Extension]

False Positive
Browsers treat malformed URL differently
<iframe src="http://www.adfusion.com/Adfusion.PartnerSite/categoryhtml.aspx?userfeedguid=948fbed8-69ae-4659-b3c1-b9863e5ab24e&clicktag=http://ads.bluelithium.com/clk?2,13%...%2Flrec%2F,&CB={REQUESTID}
width="300" height="250" scrolling="no" frameborder="0" marginheight="0" marginwidth="0"></iframe>
Missing " (the src attribute value is never closed)

Why Cocktail Is More Secure
Voting == Security
Withstand some F.P.
◦ Only need 2 to proceed
Ext. to eliminate non-determinism
Looks like a good one
Acts like a good one
It is one uncompromised browser
[Diagram: three browsers, each with CktExt → Voting Proxy → DISPLAY]
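
Added example, not code from the paper or from Cocktail: a sketch of the two mechanisms on the "Solution" and "Why Cocktail Is More Secure" slides, namely replacing Math and Date so every replica computes the same request, and a proxy vote that needs 2 of 3 to proceed. The seeded generator, the fixed clock value, the "&t=" parameter and all function names are assumptions made for illustration.

```javascript
// Added illustration; not Cocktail's extension or proxy code.
const SEED = 42, FIXED_MS = 1325376000000; // constructed values shared by all replicas

// mulberry32-style seeded PRNG (choice of generator is an assumption).
function seededRandom(seed) {
  let s = seed >>> 0;
  return () => {
    s = (s + 0x6D2B79F5) >>> 0;
    let t = Math.imul(s ^ (s >>> 15), s | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Replacement Math and Date objects, as an extension would install per replica.
function makeShims(seed, fixedMs) {
  const ShimMath = Object.create(Math); // keeps floor(), sin(), ...
  ShimMath.random = seededRandom(seed);
  class ShimDate extends Date {
    constructor(...args) { super(...(args.length ? args : [fixedMs])); }
    static now() { return fixedMs; }
  }
  return { Math: ShimMath, Date: ShimDate };
}

// Constructed page script, adapted from the slide's Math.random() ad URL.
const PAGE_SCRIPT = `
  var randomId = Math.random();
  return "doubleclick.com?ad=" + randomId + "&t=" + new Date().getTime();`;

// Run the script in one replica; shims === null models an unmodified browser.
function runReplica(scriptText, shims) {
  const page = new Function("Math", "Date", scriptText);
  return shims ? page(shims.Math, shims.Date) : page(Math, Date);
}

// Proxy-side vote: forward a request only if at least `quorum` replicas issued it.
function vote(requests, quorum = 2) {
  const counts = new Map();
  for (const r of requests) counts.set(r, (counts.get(r) || 0) + 1);
  for (const [r, n] of counts) if (n >= quorum) return r;
  return null; // no agreement: nothing is forwarded
}

function demo() {
  const three = (f) => [0, 1, 2].map(f);
  const shimmed = three(() => runReplica(PAGE_SCRIPT, makeShims(SEED, FIXED_MS)));
  const plain = three(() => runReplica(PAGE_SCRIPT, null));
  const oneDeviates = [shimmed[0], "a.com/question.png", shimmed[2]];
  return { agreed: vote(shimmed), plain: vote(plain), outvoted: vote(oneDeviates) };
}
console.log(demo());
```

Without the shims the three replicas disagree on the ad URL and the vote yields nothing; with them the replicas agree, and a single deviating replica is outvoted.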

Implementation
The UI component is responsible for providing the interface between the user and Cocktail, routing user input to each replica, and voting on the display states of each replica.
The replica component maintains each browser replica, which all run in sandboxed environments.
The network component is responsible for handling network requests from the replicas and voting on network requests.

UI replication
◦ Recorder and re-player: Extension
◦ Passing UI events across browsers: Proxy
UI Display capturing and voting
◦ ImageMagick and OpenCV
Proxy
◦ OpenSSL for MITM

Evaluation
Security analysis
◦ User interaction: CVE-2009-3076
◦ Heap overflow: CVE-2009-2477
◦ DOS attack: Firefox 3.0.4 DOS, April 2009
◦ Same origin policy bypassing: CVE-2007-0981
Performance
◦ 30% slower compared to Firefox

Conclusion
Mixing different browsers for better security
◦ Practical N-Version programming for browsers
◦ Cocktail mirrors all inputs across the different browser replicas and votes on all outputs to withstand attacks
◦ Our results showed that Cocktail added little overhead to the page load latency times for the web sites we tested.