Cracking ShadowCrypt: Exploring the Limitations of Secure I/O Systems in Internet Browsers

Abstract

An important line of privacy research investigates the design of systems for secure input and output (I/O) within Internet browsers. Such systems let the browser encrypt and decrypt users' information, so that the web application itself only ever sees that information in encrypted form. The state-of-the-art secure I/O system for Internet browsers is ShadowCrypt, created by UC Berkeley researchers [23]. This paper explores the limitations of ShadowCrypt in order to establish the general principles that a secure I/O system within Internet browsers must follow. First, we developed a comprehensive UI attack that cannot be mitigated with popular UI defenses, and tested its efficacy through a user study administered on Amazon Mechanical Turk. Only 1 of the 59 participants who were under attack successfully noticed the UI attack, which validates the attack's stealthiness. Second, we present multiple attack vectors against ShadowCrypt that do not rely on UI deception. These attack vectors expose the privacy weaknesses of Shadow DOM, the key browser primitive on which ShadowCrypt relies. Finally, we present a sketch of potential countermeasures that can enable the design of future secure I/O systems within Internet browsers.

[1] Samuel T. King et al. Secure Web Browsing with the OP Web Browser. 2008 IEEE Symposium on Security and Privacy (SP 2008), 2008.

[2] Yue Zhang et al. ShadowPWD: practical browser-based password manager with a security token. ACM TUR-C '17, 2017.

[3] Lorrie Faith Cranor et al. You've been warned: an empirical study of the effectiveness of web browser phishing warnings. CHI, 2008.

[4] Sean W. Smith et al. Trusted paths for browsers. TSEC, 2002.

[5] Helen J. Wang et al. Clickjacking: Attacks and Defenses. USENIX Security Symposium, 2012.

[6] William Aiello et al. Beeswax: a platform for private web apps. Proc. Priv. Enhancing Technol., 2016.

[7] Elaine Shi et al. ShadowCrypt: Encrypted Web Applications for Everyone. CCS, 2014.

[8] Jerome H. Saltzer et al. The protection of information in computer systems. Proc. IEEE, 1975.

[9] Zhenkai Liang et al. Protecting sensitive web content from client-side vulnerabilities with CRYPTONS. CCS, 2013.

[10] Hari Balakrishnan et al. CryptDB: protecting confidentiality with encrypted query processing. SOSP, 2011.

[11] Christopher Krügel et al. What the App is That? Deception and Countermeasures in the Android User Interface. 2015 IEEE Symposium on Security and Privacy, 2015.

[12] Florian Kerschbaum et al. Encrypting Analytical Web Applications. CCSW, 2016.

[13] Yuqiong Sun et al. AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings. USENIX Security Symposium, 2017.

[14] Min Wu et al. Do security toolbars actually prevent phishing attacks? CHI, 2006.

[15] Hari Balakrishnan et al. Building Web Applications on Top of Encrypted Data Using Mylar. NSDI, 2014.

[16] William K. Robertson et al. BabelCrypt: The Universal Encryption Layer for Mobile Messaging Applications. Financial Cryptography, 2015.

[17] Matthew Smith et al. Helping Johnny 2.0 to encrypt his Facebook conversations. SOUPS, 2012.

[18] Daniel Zappala et al. MessageGuard: Retrofitting the Web with User-to-user Encryption. 2015.

[19] Charles Reis et al. Isolating web programs in modern browser architectures. EuroSys '09, 2009.

[20] Michael Runcieman. Google collects Android users' locations even when location services are disabled. Quartz, 2017.

[21] Daniel Zappala et al. Content-based security for the web. NSPW, 2016.

[22] Dan S. Wallach et al. Web Spoofing: An Internet Con Game. 1997.

[23] Helen J. Wang et al. A Systematic Approach to Uncover Security Flaws in GUI Logic. 2007 IEEE Symposium on Security and Privacy (SP '07), 2007.

[24] J. Doug Tygar et al. The battle against phishing: Dynamic Security Skins. SOUPS '05, 2005.

[25] Wouter Joosen et al. Protected Web Components: Hiding Sensitive Information in the Shadows. IT Professional, 2015.