Using replicated execution for a more secure and reliable web browser

Modern web browsers are complex. They provide a high-performance and rich computational environment for web-based applications, but they are prone to numerous types of security vulnerabilities that attackers actively exploit. However, because the major browser platforms differ in their implementations, they rarely share the same vulnerabilities. In this paper we present Cocktail, a system that runs three different off-the-shelf web browsers in parallel to provide replicated execution for withstanding browser-based attacks and improving browser reliability. Cocktail mirrors inputs to each replica and votes on browser states and outputs to detect potential attacks, while continuing to serve the user from the replicas that agree. The net effect of Cocktail's architecture is to shift the security burden of the system from the complex browsers to a simplified layer of software. We demonstrate that Cocktail can withstand real-world browser exploits and reliability issues, such as browser crashes, while adding only 31.5% overhead to page load latency on average, and remaining compatible with popular web sites.
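The abstract describes the two mechanisms the simplified layer relies on: mirroring each input to every replica, and voting on the replicas' states and outputs so that a divergent or crashed replica is detected while the agreeing majority keeps running. The following is an added illustration of that voting layer written for this page; it is not Cocktail's implementation. The state representation (a digest of a constructed string standing in for a replica's rendered page state), the replica names, and the quarantine policy are assumptions chosen to show the failure modes a practitioner cares about: a single divergent replica, two surviving replicas that disagree, and a loss of majority.

```python
"""Majority voting over replicated browser outputs, in the style of the
Cocktail architecture: inputs are mirrored to every replica, outputs are
compared, and a replica that crashes or diverges is set aside while the
remaining majority continues. Added illustration, not the paper's code.
The state representation (a digest of a constructed string standing in for
rendered page state) and the replica names are assumptions."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def state_digest(rendered_state: str) -> str:
    """Fixed-size digest of a replica's observable state, so the voter compares
    short values instead of whole page states."""
    return hashlib.sha256(rendered_state.encode("utf-8")).hexdigest()


@dataclass
class VoteResult:
    agreed: Optional[str]   # digest the majority agreed on; None if no majority
    dissenters: List[str]   # live replicas whose output differed from the majority
    crashed: List[str]      # live replicas that produced no output


@dataclass
class ReplicaVoter:
    replicas: List[str]                                   # configured replicas
    quarantined: List[str] = field(default_factory=list)  # failed or divergent

    def live(self) -> List[str]:
        return [r for r in self.replicas if r not in self.quarantined]

    def needed(self) -> int:
        # Majority is measured against the *configured* replica count, not the
        # live count: otherwise a single surviving replica would be a "majority"
        # of itself and the voter would silently trust unverified output.
        return len(self.replicas) // 2 + 1

    def can_continue(self) -> bool:
        return len(self.live()) >= self.needed()

    def mirror(self, event: str) -> Dict[str, str]:
        """Fan one input event out to every live replica (returns the dispatch)."""
        return {r: event for r in self.live()}

    def vote(self, outputs: Dict[str, Optional[str]]) -> VoteResult:
        """outputs: replica name -> rendered state after processing the input,
        or None if that replica crashed."""
        live = self.live()
        crashed = [r for r in live if outputs.get(r) is None]
        digests = {r: state_digest(outputs[r]) for r in live if outputs.get(r) is not None}
        tally = Counter(digests.values())
        agreed = None
        if tally:
            top, count = tally.most_common(1)[0]
            if count >= self.needed():
                agreed = top
        # A crash is unambiguous evidence of failure; quarantine immediately.
        for r in crashed:
            if r not in self.quarantined:
                self.quarantined.append(r)
        # A dissenter can only be identified relative to a majority. With no
        # majority the voter cannot tell who is wrong and quarantines nobody;
        # the caller should treat agreed is None as "stop, do not render".
        dissenters = [r for r, d in digests.items() if agreed is not None and d != agreed]
        for r in dissenters:
            if r not in self.quarantined:
                self.quarantined.append(r)
        return VoteResult(agreed, dissenters, crashed)


if __name__ == "__main__":
    voter = ReplicaVoter(["firefox", "chromium", "opera"])   # assumed replica set
    page = "<title>Example</title><body>hello</body>"        # constructed page state
    print(voter.mirror("click #login"))
    print(voter.vote({"firefox": page, "chromium": page, "opera": page}))
    tampered = page + "<script>injected</script>"            # one replica diverges
    print(voter.vote({"firefox": page, "chromium": tampered, "opera": page}))
    print(voter.quarantined, voter.can_continue())
```

The threshold choice is the security-relevant detail: once one of three replicas is quarantined, the remaining two must agree exactly, and if a second one fails the voter reports no majority rather than falling back to trusting whichever replica is left. A production layer would also need to vote on outputs that legitimately differ between browsers (timestamps, engine-specific rendering), which is why the abstract's "votes on browser states" implies a normalized comparison rather than a byte-for-byte one.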
