浏览器安全白皮书：深度剖析漏洞挖掘技术

需积分: 9 97 浏览量更新于2024-07-18 收藏 5.12MB PDF 举报

身份认证购VIP最低享 7 折!

30元优惠券

"browser-security-whitepaper" 是一份由Cure53公司编写的浏览器安全白皮书，由Dr.-Ing. Mario Heiderich等人撰写。这份文档深入探讨了浏览器漏洞挖掘技术和安全措施，旨在为研究浏览器安全的人员提供有价值的参考资料。在当前的互联网环境中，浏览器作为用户与网络世界交互的主要接口，其安全性至关重要。这份白皮书首先介绍了Cure53公司及其在浏览器安全领域的背景，然后详细阐述了浏览器安全的全景，包括各种可能的攻击面和防御策略。白皮书的作者们对浏览器的安全特性进行了深入的研究，从内存安全特性开始，这些特性通常涉及到防止诸如缓冲区溢出和内存破坏等常见攻击。例如，内存安全特性可能包括数据执行防护（DEP）、地址空间布局随机化（ASLR）以及内存分配和释放机制的强化，这些都是为了保护浏览器免受恶意代码的侵害。接下来，白皮书详细讨论了进程级别的沙箱技术，这是一种将浏览器的不同组件隔离在独立的、权限受限的环境中，以防一个组件被攻破后影响到其他部分或整个系统。此外，白皮书还涵盖了内容安全策略（CSP）、X-Frame-Options（XFO）、子资源完整性（SRI）等其他安全特性，这些特性有助于防止跨站脚本攻击（XSS）、点击劫持和其他类型的网络攻击。DOM（文档对象模型）安全特性也是重点，因为DOM是浏览器处理网页内容的核心，任何对其的恶意操纵都可能导致安全问题。浏览器扩展和插件的安全性也得到了关注，因为它们往往拥有广泛的权限，可能成为攻击者的入口点。白皮书分析了如何限制这些扩展的权限，以及如何防止它们成为恶意软件的载体。 UI（用户界面）安全特性是另一个重要方面，涉及防止界面欺骗和误导用户进行危险操作的措施。这部分可能包括对警告消息的处理、URL显示的验证以及防止恶意修改用户界面的策略。最后，白皮书还提到了一些其他的浏览器安全特性，如安全响应机制和观察到的安全趋势。这些内容可能涵盖漏洞报告流程、补丁管理和持续的安全改进。总体而言，"browser-security-whitepaper" 是一个全面的指南，对于理解浏览器安全的复杂性、识别潜在风险以及实施有效的防御策略具有极高的价值。无论是开发人员、安全研究人员还是普通用户，都能从中获益，提高对网络环境安全的认识。

资源详情

资源推荐

Dr.-Ing. Mario Heiderich, Cure53

Bielefelder Str. 14

D 10709 Berlin

cure53.de · mario@cure53.de

Cure53, Berlin · 21.09.17 16/330

outlets. More specifically, it was questioned whether the results were valid, given that one

of the browser vendors sponsored the assessment. This impression was reinforced as

commentators pointed out that the paper makes out the browser managed by the funding

body as the best and most praiseworthy. In response, the Accuvant authors clearly stated

that their research was impartial, independent and objective, despite the potential doubts

the readers might have had. As we present this paper in 2017, it is rather anticipated that

similar questions will be raised by the lively and forceful IT community. In fact, the Cure53

authors expect nothing less and welcome constructive comments and feedback. Further,

being aware of the optics, we can only reiterate, as Accuvant did in 2011, that all tests

were rooted in research rigor, ethics and integrity. The team involved in the preparation of

this paper employed clearly documented methodologies and took advantage of the

available public data. The latter means that anyone can replicate and verify the results.

Despite the funding structure, we ensured that the evaluation were done from the bias-

free and neutral stance.

As already mentioned, quite a lot can change in the realm of browser security in the

arguably short span of mere six years. For that reason, the paper should be seen as both

a continuation of the documentation efforts initiated by Accuvant, and as a stand-alone

new response to the present browser security situation and challenges. By this logic,

paper covers similar areas to the ones examined in 2011, featuring malware, memory

corruption and exploitation. Furthermore, it expands the scope and reacts to the frequently

discussed novel web security challenges, DOM security issues, UX security features and

many other aspects.

Research Scope

This publication covers three browsers as primary test targets. These are: Microsoft

Internet Explorer 11, Microsoft Edge (as provided by the stable versions of Windows 10

x64), and Google Chrome. In the planning phase of this paper, the authors strongly

advocated to additionally include Mozilla Firefox and Apple’s Safari, but the ultimate

investigations were limited to the three browsers listed above.

The original intention expressed by the authors was to move past the browsers as such,

instead splitting the field by engine. In that sense, we sought to shed light on the security

properties of Trident represented by MSIE, Edge represented by the corresponding

browser with the same name, Gecko represented by Firefox or Firefox ESR

, Blink

represented by Chrome, and Webkit represented by Safari. After a series of meetings with

the sponsors, the expected scope was clearly delineated to entail research on MSIE,

https://www.mozilla.org/en-US/firefox/organizations/

Dr.-Ing. Mario Heiderich, Cure53

Bielefelder Str. 14

D 10709 Berlin

cure53.de · mario@cure53.de

Cure53, Berlin · 21.09.17 17/330

Edge, and Chrome only. This tripartite selection and comparison was reasoned by the fact

that Gecko has just recently received a technical analysis

via the Tor browser, while

Safari was excluded on the grounds of not having measurable relevance in the field of

corporate and enterprise browser-use. On the flipside, it was underlined that the ultimately

selected players, that is MSIE, Edge, and Chrome, represent the largest percentages of

enterprise usage. In other words, the lens of selecting the browsers most commonly used

in business contexts was endorsed by the funding body and treated as a final criterion.

The Cure53 team complied with this requirement and analyzed the aforementioned three

major browser players of MSIE, Edge, and Chrome. We will now briefly discuss

the underlying browser engines and their implications within the scope of this project.

Blink - represented by Google Chrome

The Blink browser engine was first announced in April 2013 as a fork of the formerly wide-

spread WebKit render engine. Blink is nowadays used by a wide range of modern

browsers, including Google Chrome, Opera, Amazon Silk, and the Android Browser. While

Blink continues to bear similarities to its origin and fork-father, the engine has been

optimized in several important regards. It should be emphasized that there is

a discrepancy within security features and their overall pace of development. More

specifically, Blink clearly stands out in terms of being more implementation-oriented when

compared to WebKit. On this matter, please note that the majority of the research for this

publication was performed against Chrome as a Blink-host and not just any arbitrary

Chromium builds issued by third-parties.

According to the W3Counter stats, Blink’s market share is calculated to encapsulate

Chrome and Opera and stood at about 62.8% in January 2017. StatCounter collated data

for Chrome & Opera and put it at 56.22% for December 2016

. Other stat counters tend

to corroborate this value.

Trident - represented by MSIE11

Trident is a rendering engine that has been fueling generations of Microsoft Internet

Explorer (MSIE) browsers. It furnishes developers and users with a wide array of standard

and, most importantly, non-standard-features. MSIE11 marks the final release of Internet

Explorer, concluding a twenty-two-year period of constant development and addition of

new browser and web-features. With this long-term perspective comes a sinusoidal curve

with respect to the market share, as IE faced tremendous ups and downs in this arena

throughout the years.

https://isecpartners.github.io/news/research/2014/08/13/tor-browser-research-report.html

Dr.-Ing. Mario Heiderich, Cure53

Bielefelder Str. 14

D 10709 Berlin

cure53.de · mario@cure53.de

Cure53, Berlin · 21.09.17 18/330

It is important to emphasize that browsers instrumenting the Trident engine are commonly

used in corporate environments, at least in part thanks to Microsoft’s once controversial

bundling of Operation System and web browser. Another reason for not writing MSIE off

too quickly is the fact that it offers a multitude of features and policies that make it

a powerful software for connecting Intranet applications to the Internet. MSIE additionally

includes features for desktop integration and connectivity to internal and external services

via interfaces like ActiveX, VBScript, MSXML, Browser Helper Objects, and others.

According to the W3Counter stats, Trident, represented by MSIE11, had a market share

of about 3.8% in January 2017. Comparatively, StatCounter put MSIE at 4.44% in

December 2016 and other stat counters mostly repeated that value.

EdgeHTML - represented by Microsoft Edge

EdgeHTML is the successor of Trident, the engine used by Microsoft Internet Explorer

(MSIE) and similar software. While MSIE dominated the market in terms of shares

and installations in the early days of the WWW, its supremacy has largely ended. MSIE

lost its pole-position to other browsers, initially to Firefox and meanwhile mainly to Google

Chrome and Safari.

Microsoft decided to abandon the development of Trident and fork out the code into a new

browser engine, simultaneously enriching it with new features. At the same time, a wide

range of old features is rigorously removed. The reduction of the overall available features

on offer was meant to increase performance and reduce the massive attack surface

characterizing MSIE. In this publication, MSIE and Trident will not be given special

attention unless mentioning them contributes to the arguments and points being made.

On the contrary, EdgeHTML will take a central spot and should be seen as one of the

project’s focal areas.

Represented by MS Edge, EdgeHTML had a market share of about 4.5% in January 2017,

as per the data available from the W3Counter stats. Illuminating quite a difference,

StatCounter measured MS Edge’s share at 1.61% back in December 2016 and other stat

counters mostly confirmed either of these values.

Mobile Browsers

In many parts of the world mobile browsers have replaced desktop browsers as the most

common way for navigating the Internet. Thus we acknowledge the importance of the

mobile platforms, while nevertheless noting that mobile instances share tremendous

similarities with desktop browsers at the engine level. For instance, Chrome on iOS uses

the same WebKit interface as Apple’s Safari, while it uses Blink on Android Chrome. This

Dr.-Ing. Mario Heiderich, Cure53

Bielefelder Str. 14

D 10709 Berlin

cure53.de · mario@cure53.de

Cure53, Berlin · 21.09.17 19/330

mirrors desktop behaviors and signifies that the mobile engines are already represented

by their desktop counterparts. As a consequence, it has been decided to exclude mobile

browsers from the overall browser security comparison.

Note that some of the code examples provided in this paper might show code and features

specific to the browsers omitted in the three-pronged general approach. This occurs when

the shown feature found in a different browser is particularly valid for explaining security

issues, foundations and features meaningful either for the overall comparison, or for

illuminating a broader security-critical point.

Version Details

For the purpose of conducting relevant research and tests, the authors relied on the

following browser versions, installed on a fully patched Windows 10 Pro x64 (Creators

Update, Version 1703, Build 15063.413):

• Microsoft Edge 40.15063.0.0

• Microsoft Internet Explorer 11.332.15063.0

• Google Chrome 59.0.3071.86

A VM with frozen updates was shared among all involved authors to guarantee a stable

test environment. We were therefore able to avoid discrepancies while the capacity for

others to reproduce the results was attained. This ensured internal reviews, cross-checks

and verification, as well as makes the process more transparent and available for the

readers to consult, follow and replicate.

Research Methodology, Project Schedule & Teams

The project was completed over the course of several months in 2017. Specifically,

the tests began in April 2017 and finished in July 2017. The research and writing-up of

the findings have been thought out and completed as ongoing processes. The majority

of work was conducted in parallel by several teams, respectively responsible for different

topics (and, effectively, subchapters). The Cure53 team members participating in this

white paper assignment have invested considerable resources into this publication,

hoping to guarantee a high-level of depth and useful, innovative insights

As already mentioned, the project of this magnitude warranted a dedicated schedule and

milestones. It was decided to split the scope into five key areas. Teams of researchers

with the best-matching skillsets and expertise were assigned to these main topics,

constituting five smaller working groups. Each team was led by a Team Lead, who was

responsible for contents, structure, and reaching the research and reporting goals in

a timely fashion.

Dr.-Ing. Mario Heiderich, Cure53

Bielefelder Str. 14

D 10709 Berlin

cure53.de · mario@cure53.de

Cure53, Berlin · 21.09.17 20/330

It should be emphasized that the research for this paper did not start from a blank slate,

but rather builds up on the existing knowledge, data, and sources disseminated through

various channels. A comprehensive review and selection of recent research results is

included in the discussions. Many items were specifically fact-checked and re-tested for

the purpose of this assessment, with a caveat of adapting an issue- or feature-test to

the relevant versions of the browsers in scope. Evidently, different thematic areas call for

precise and targeted methodologies, which is why each team’s approaches are detailed

separately below. It is hoped that this overview provides readers with an easy-to-follow

guide on the strategies of data collection, analysis, and representation. We further explain

how cross-tabulations and comparative frameworks were developed. While all five

chapters together serve as a both a bird’s eye view onto an ever-changing browser

security landscape, each chapter zooms in on the details, roles and peculiarities of its

specific topic.

Team Memory (Chapter 2)

• The first of the research chapters following this introduction entails coverage

of the memory safety matters. In this chapter, Team Memory examines how

hard

an exploitation of memory vulnerabilities can get when a bug is found. In the

opening section, some background and historical overview is provided. The

“old” hardware, OS and compiler-provided mitigations like ASLR, DEP, Stack

Cookies and SafeSEH are presented. The discussion then moves on to the

more recent and partially Windows 10-exclusive features.

• The chapter proceeds to analyzing the workflow of each browser in scope,

demonstrating the different process and their variable degree of security-

relevancy. Here Team Memory investigated the implications of the processes

handling untrusted input from potential attackers.

• To present consistent results, all team members used a Windows 10 VM setup

with frozen browser versions. A set of tools was included to help determine

the states of affairs across different browsers and concerning the most relevant

mitigations Windows 10 has to offer. Most of the tests were done through

Windows API functions like GetProcess- MitigationPolicy and checked which

processes utilized the best policies and were therefore more hardened. The

results can be found in tables, created for each mitigation in a way that

facilitates clear and direct comparisons between the tested browsers.

• A similar approach was chosen to test the sandboxing mechanism of each

browser. Sandboxing is nowadays necessary as a last line of defense in case

all browser mitigations fail and an attacker manages to gain code execution.

剩余329页未读，继续阅读

agree12017

粉丝: 0
资源: 4

浏览器安全白皮书：深度剖析漏洞挖掘技术

X41-Browser-Security-White-Paper.pdf

browser-security:Web App安全102练习

Browser-Security-Project:2020年Spring1863614828浏览器安全项目CMU

android-sqlite-browser-for-eclipse:自动从code.google.compandroid-sqlite-browser-for-eclipse导出

create-browser-sync:简单实现browser-sync最简功能

My Security Browser-crx插件

jekyll-sass-gulp-browser-sync：使用Jekyll，Sass，Gulp，Pug和Browser-sync开发的软件

sql-query-browser-for-elasticsearch:sql-query-browser-for-elasticsearch 是一个基于 Web 的查询工具，用于使用标准 SQL 语法查询 Elasticsearch

browser-token.js:browser-token.js 控制浏览器的 uuid 令牌和其他控制令牌

hack-browser-data-linux-386

tor-browser-linux-7.0.11

Spinal-browser-graph-inspector

gulp-browser-js-include

browser-storage-source-code

pass-browser-firefox:pass-browser-firefox是用于Firefox的浏览器插件，具有Web扩展支持（v48 +），可将通过pass管理的机密带到浏览器； 需要一个自托管的密码服务器

browser-extension-config

browser-sync-master

browser-image-compression

jupyter notebook --ip=0.0.0.0 --no-browser --allow-root --port 18001

最新资源

pass-browser-firefox:pass-browser-firefox是用于Firefox的浏览器插件，具有Web扩展支持（v48 +），可将通过pass管理的机密带到浏览器；需要一个自托管的密码服务器