Understanding and mitigating attacks targeting web browsers

Abstract

Nowadays, web browsers are installed on almost all computers and mobile devices. Because of their popularity, privileges, and capabilities, web browsers have become an attractive target for attackers. Although it is relatively more difficult to find a vulnerability in browser code, browser extensions and web applications present an ample supply of security vulnerabilities and new opportunities for attackers. In this thesis, we argue that browser extensions and web applications have an abundant supply of easy-to-exploit vulnerabilities but one can reduce the attack surface and protect users from a large number of web browser attacks by implementing defenses inside the browser. To support this claim, we developed novel methods to automatically detect code-reuse vulnerabilities in browser extensions, proposed an in-browser defense to protect web users from malicious or vulnerable extensions and introduced novel methods to measure the reflected XSS techniques used in the wild and evaluated the effectiveness of existing in-browser filters. In the first part, we first identify an extension-reuse vulnerability that allows adversaries to reuse security sensitive functionality from innocuous legitimate extensions. We then present Cross-Fire, a lightweight static analyzer for legacy Firefox extensions to automatically discover instances of extension-reuse vulnerabilities, generate exploits that confirm the presence of vulnerabilities, and output exploit templates to assist users of the tool in rapidly constructing proof-of-concept exploits. In the second part, we investigate the several plausible attacks using a malicious extension or exploiting a vulnerable extension. Then, we introduce a novel in-browser defense which is a run-time policy enforcer that provides fine-grained control to the user over the actions of browser extensions. We showed that, our proposed defense can effectively prevent concrete, real-world Firefox extension attacks without a detrimental impact on the user's browsing experience. In the third part, we conduct a longitudinal study of 134K reflected Cross-Site Scripting exploits submitted by independent security researchers spanning a period of nearly ten years. In order to detect the exploitation techniques used, we combine the static and dynamic techniques and execute the attacks in a sandbox environment. Our results suggests that the web applications still has an abundant supply of easy-to-exploit vulnerabilities and implementing defenses inside the browser is effective against the most prevalent type of attacks and a promising avenue for further enhancements.