CorbFuzz: Checking Browser Security Policies with Fuzzing

Browsers use security policies to block malicious behaviors. Cross-Origin Read Blocking (CORB) is a browser security policy for preventing side-channel attacks such as Spectre. We propose a web browser security policy fuzzer called CorbFuzz for checking CORB and similar policies. When implementing a security policy, the browser only has access to HTTP requests and responses, and takes policy actions based solely on those interactions. To check browser security policies, CorbFuzz uses a policy oracle that tracks the web application's behavior and infers the desired policy action from the web application state. By comparing the policy oracle's decision with the browser's behavior, CorbFuzz detects weaknesses in browser security policies. CorbFuzz checks the browser policy by fuzzing a set of web applications in which state-related queries are symbolically evaluated for increased coverage and automation. CorbFuzz collects type information from database queries and branch conditions in order to prevent the generation of inconsistent data values during fuzzing. We evaluated CorbFuzz on the CORB implementations of Chromium and WebKit, and on the Opaque Response Blocking (ORB) policy implementation of Firefox, using web applications collected from GitHub. We found three classes of weaknesses in Chromium’s implementation of CORB.
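The oracle-versus-browser comparison described above, as an added illustration that is not CorbFuzz's code: a simplified header-driven CORB decision (modelled on the public CORB rules, protected MIME type plus nosniff or a confirming sniff), a state-driven oracle that treats user-private data as something a cross-origin reader must not receive, and a checker that reports where the two disagree. The `AppState` fields and the sample responses are assumptions constructed for the example.

```python
import json
from dataclasses import dataclass

# Simplified model of a CORB-style decision and of a policy oracle (constructed
# for illustration; not CorbFuzz's implementation). The browser side sees only
# the HTTP response; the oracle side sees the web application's state.

PROTECTED_TYPES = {"text/html", "text/xml", "application/xml", "application/json"}

@dataclass
class Response:
    content_type: str   # value of the Content-Type header ("" if absent)
    nosniff: bool       # whether X-Content-Type-Options: nosniff was sent
    body: bytes

@dataclass
class AppState:
    authenticated: bool       # request carried a valid session (assumed field)
    reads_private_data: bool  # handler queried user-private rows (assumed field)

def sniffs_as_protected(body: bytes) -> bool:
    """Cheap confirmation sniff: markup starting with '<' or JSON that parses."""
    text = body.lstrip()
    if text.startswith(b"<"):
        return True
    try:
        json.loads(text.decode("utf-8"))
        return True
    except (ValueError, UnicodeDecodeError):
        return False

def browser_blocks(resp: Response) -> bool:
    """Header-driven decision: protected MIME type plus nosniff or a confirming sniff."""
    mime = resp.content_type.split(";")[0].strip().lower()
    if mime not in PROTECTED_TYPES:
        return False
    return resp.nosniff or sniffs_as_protected(resp.body)

def oracle_blocks(state: AppState) -> bool:
    """State-driven decision: user-specific data must not reach a cross-origin reader."""
    return state.authenticated and state.reads_private_data

def check_policy(resp: Response, state: AppState) -> str:
    """Compare both decisions; a mismatch is what the fuzzer would report."""
    b, o = browser_blocks(resp), oracle_blocks(state)
    if b == o:
        return "consistent"
    return "missed-block" if o else "over-block"

# Constructed case: private JSON served as text/plain without nosniff.
LEAKY = Response("text/plain", False, b'{"email": "user@example.com"}')
PRIVATE = AppState(authenticated=True, reads_private_data=True)
```

Running `check_policy(LEAKY, PRIVATE)` returns `"missed-block"`: the header-only policy sees nothing to protect, while the oracle knows the body was built from private application state.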
