TY - GEN
T1 - The "Web/local" boundary is fuzzy
T2 - 23rd ACM Conference on Computer and Communications Security, CCS 2016
AU - Jia, Yaoqi
AU - Chua, Zheng Leong
AU - Hu, Hong
AU - Chen, Shuo
AU - Saxena, Prateek
AU - Liang, Zhenkai
N1 - Publisher Copyright:
© 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM.
PY - 2016/10/24
Y1 - 2016/10/24
AB - Process-based isolation, suggested by several research prototypes, is a cornerstone of modern browser security architectures. Google Chrome is the first commercial browser that adopts this architecture. Unlike several research prototypes, Chrome's process-based design does not isolate different web origins, but primarily promises to protect "the local system" from "the web". However, as billions of users now use web-based cloud services (e.g., Dropbox and Google Drive), which are integrated into the local system, the premise that browsers can effectively isolate the web from the local system has become questionable. In this paper, we argue that, if the process-based isolation disregards the same-origin policy as one of its goals, then its promise of maintaining the "web/local system (local)" separation is doubtful. Specifically, we show that existing memory vulnerabilities in Chrome's renderer can be used as a stepping-stone to drop executables/scripts in the local file system, install unwanted applications and misuse system sensors. These attacks are purely data-oriented and do not alter any control flow or import foreign code. Thus, such attacks bypass binary-level protection mechanisms, including ASLR and in-memory partitioning. Finally, we discuss various full defenses and present a possible way to mitigate the attacks presented.
UR - http://www.scopus.com/inward/record.url?scp=84995395647&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84995395647&partnerID=8YFLogxK
U2 - 10.1145/2976749.2978414
DO - 10.1145/2976749.2978414
M3 - Conference contribution
AN - SCOPUS:84995395647
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 791
EP - 804
BT - CCS 2016 - Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 24 October 2016 through 28 October 2016
ER -