Quantifying Persistent Browser Cache Poisoning

Web browsers rely on caching for improving performance and for reducing bandwidth use. Cache poisoning poses alarming security concerns in light of HTTP’s lack of an integrity guarantee in conjunction with the properties of its caching behavior. In our previous study we demonstrated the simplicity of replacing objects in the browser cache with malicious code to enable a persistent attack. This paper expands on this topic with a quantitative analysis of the impact of this threat. Based on full-packet traces from two distinct environments – a large research lab in California and a network in rural northern India – we conduct an empirical study showing that (i) an attacker can with high probability achieve a long-lived attack vector when poisoning a web object picked at random, and (ii) the high degree of object sharing, especially of executable code, enables an attacker to achieve high-coverage attack vectors by poisoning only a small set of intensively shared objects. We believe that the increasing popularity of Web 2.0 mash-ups will increase the degree of sharing, making the discussed attack extremely wide in scope. In particular, we note the conceptual security shortcomings and risks of JavaScript content distribution networks (CDNs), techniques used by cellular carriers for compressing content on-the-fly, advertising networks, and popular services to track users’ surfing behavior.
