XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers

Cross-Site Leaks (XS-Leaks) describe a client-side bug that allows an attacker to collect side-channel information from a cross-origin HTTP resource. They are a significant threat to Internet privacy, since simply visiting a web page may reveal whether the victim is a drug addict or leak their sexual orientation. Numerous attack vectors and mitigation strategies have been proposed, but a clear and systematic understanding of the root causes of XS-Leaks is still missing. Recently, Sudhodanan et al. gave a first overview of XS-Leaks at NDSS 2020. We build on their work by presenting the first formal model for XS-Leaks. Our comprehensive analysis of known XS-Leaks reveals that all of them fit into this new model. With the help of this formal approach, we (1) systematically searched for new XS-Leak attack classes, (2) implemented XSinator.com, a tool to automatically evaluate whether a given web browser is vulnerable to XS-Leaks, and (3) systematically evaluated mitigations for XS-Leaks. We found 14 new attack classes, evaluated the resilience of 56 different browser/OS combinations against a total of 34 XS-Leaks, and propose a completely novel methodology to mitigate XS-Leaks.

[1] Amir Herzberg, et al. Cross-Site Search Attacks, 2015, CCS.

[2] Zhan Wang, et al. Privacy Breach by Exploiting postMessage in HTML5: Identification, Evaluation, and Countermeasure, 2016, AsiaCCS.

[3] Nick Feamster, et al. Web-based Attacks to Discover and Control Local IoT Devices, 2018, IoT S&P@SIGCOMM.

[4] Juan Caballero, et al. Cross-Origin State Inference (COSI) Attacks: Leaking Web Site States through XS-Leaks, 2020, NDSS.

[5] Wouter Joosen, et al. The Clock is Still Ticking: Timing Attacks in the Modern Web, 2015, CCS.

[6] Jason Polakis, et al. Awakening the Web's Sleeper Agents: Misusing Service Workers for Privacy Leakage, 2021, NDSS.

[7] Ben Stock, et al. Complex Security Policy? A Longitudinal Analysis of Deployed Content Security Policies, 2020, NDSS.

[8] Artur Janc, et al. Oh, the Places You’ll Go! Finding Our Way Back from the Web Platform’s Ill-conceived Jaunts, 2020, 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW).

[9] Engin Kirda, et al. Cached and Confused: Web Cache Deception in the Wild, 2020, USENIX Security Symposium.

[10] Adam Barth, et al. The Web Origin Concept, 2011, RFC.

[11] Dan Boneh, et al. Exposing private information by timing web applications, 2007, WWW '07.

[12] Michael Pradel, et al. Leaky Images: Targeted Privacy Attacks in the Web, 2019, USENIX Security Symposium.

[13] Ralf Küsters, et al. An Expressive Model for the Web Infrastructure: Definition and Application to the Browser ID SSO System, 2014, 2014 IEEE Symposium on Security and Privacy.

[14] Christopher Krügel, et al. A Practical Attack to De-anonymize Social Network Users, 2010, 2010 IEEE Symposium on Security and Privacy.

[15] Artur Janc, et al. Information Leaks via Safari's Intelligent Tracking Prevention, 2020, ArXiv.

[16] Ahmad-Reza Sadeghi, et al. Browser Model for Security Analysis of Browser-Based Protocols, 2005, ESORICS.

[17] Jörg Schwenk, et al. Out of the Dark: UI Redressing and Trustworthy Events, 2017, CANS.

[18] Claude Castelluccia, et al. On the uniqueness of Web browsing history patterns, 2014, Ann. des Télécommunications.

[19] Benjamin Eriksson, et al. AutoNav: Evaluation and Automatization of Web Navigation Policies, 2020, WWW.

[20] Michael Backes, et al. A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web, 2020, USENIX Security Symposium.

[21] Michael Hamburg, et al. Spectre Attacks: Exploiting Speculative Execution, 2018, 2019 IEEE Symposium on Security and Privacy (SP).

[22] Jason Polakis, et al. Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting, 2020, NDSS.

[23] Jörg Schwenk, et al. Same-Origin Policy: Evaluation in Modern Browsers, 2017, USENIX Security Symposium.

[24] Alexey Melnikov, et al. The WebSocket Protocol, 2011, RFC.

[25] Shravan Narayan, et al. Browser history re: visited, 2018, WOOT @ USENIX Security Symposium.

[26] Sorin Lerner, et al. Retrofitting Fine Grain Isolation in the Firefox Renderer (Extended Version), 2020, USENIX Security Symposium.

[27] Jong Kim, et al. Identifying Cross-origin Resource Status Using Application Cache, 2015, NDSS.

[28] Claude Castelluccia, et al. To Extend or not to Extend: On the Uniqueness of Browser Extensions and Web Logins, 2018, WPES@CCS.

[29] Danny Dolev, et al. On the security of public key protocols, 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[30] Wouter Joosen, et al. Timeless Timing Attacks: Exploiting Concurrency to Leak Secrets over Remote Connections, 2020, USENIX Security Symposium.

[31] Ben Stock, et al. The Unexpected Dangers of Dynamic JavaScript, 2015, USENIX Security Symposium.