Most Websites Don't Need to Vibrate: A Cost-Benefit Approach to Improving Browser Security

Modern web browsers have accrued an incredibly broad set of features since being invented for hypermedia dissemination in 1990. Many of these features benefit users by enabling new types of web applications. However, some features also bring risk to users' privacy and security, whether through implementation error, unexpected composition, or unintended use. Currently there is no general methodology for weighing these costs and benefits. Restricting access to only the features which are necessary for delivering desired functionality on a given website would allow users to enforce the principle of lease privilege on use of the myriad APIs present in the modern web browser. However, security benefits gained by increasing restrictions must be balanced against the risk of breaking existing websites. This work addresses this problem with a methodology for weighing the costs and benefits of giving websites default access to each browser feature. We model the benefit as the number of websites that require the feature for some user-visible benefit, and the cost as the number of CVEs, lines of code, and academic attacks related to the functionality. We then apply this methodology to 74 Web API standards implemented in modern browsers. We find that allowing websites default access to large parts of the Web API poses significant security and privacy risks, with little corresponding benefit. We also introduce a configurable browser extension that allows users to selectively restrict access to low-benefit, high-risk features on a per site basis. We evaluated our extension with two hardened browser configurations, and found that blocking 15 of the 74 standards avoids 52.0% of code paths related to previous CVEs, and 50.0% of implementation code identified by our metric, without affecting the functionality of 94.7% of measured websites.

[1]  Ryen W. White,et al.  Understanding web browsing behaviors through Weibull analysis of dwell time , 2010, SIGIR.

[2]  Thomas Zimmermann,et al.  Predicting Bugs from History , 2008, Software Evolution.

[3]  Amir Herzberg,et al.  Cross-Site Search Attacks , 2015, CCS.

[4]  Dan Boneh,et al.  Tick Tock: Building Browser Red Pills from Timing Side Channels , 2014, WOOT.

[5]  Wouter Joosen,et al.  The Clock is Still Ticking: Timing Attacks in the Modern Web , 2015, CCS.

[6]  Vitaly Shmatikov,et al.  The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites , 2013, NDSS.

[7]  Paul C. van Oorschot,et al.  Device fingerprinting for augmenting web authentication: classification and analysis of methods , 2016, ACSAC.

[8]  Wouter Joosen,et al.  Request and Conquer: Exposing Cross-Origin Resource Size , 2016, USENIX Security Symposium.

[9]  Wouter Joosen,et al.  Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting , 2013, 2013 IEEE Symposium on Security and Privacy.

[10]  Benjamin Livshits,et al.  ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser , 2010, 2010 IEEE Symposium on Security and Privacy.

[11]  Laurie A. Williams,et al.  Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities , 2011, IEEE Transactions on Software Engineering.

[12]  Collin Jackson,et al.  Cross-origin pixel stealing: timing attacks using CSS filters , 2013, CCS.

[13]  Stuart E. Schechter,et al.  Milk or Wine: Does Software Security Improve with Age? , 2006, USENIX Security Symposium.

[14]  C. Peng,et al.  SCALABLE VECTOR GRAPHICS (SVG) , 2000 .

[15]  Yuan Tian,et al.  All Your Screens Are Belong to Us: Attacks Exploiting the HTML5 Screen Sharing API , 2014, 2014 IEEE Symposium on Security and Privacy.

[16]  Walter Rudametkin,et al.  Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[17]  Zhen Huang,et al.  Short paper: a look at smartphone permission models , 2011, SPSM '11.

[18]  Boris Smus Web Audio API , 2013 .

[19]  Herbert Bos,et al.  ASLR on the Line: Practical Cache Attacks on the MMU , 2017, NDSS.

[20]  Wenke Lee,et al.  UCognito: Private Browsing without Tears , 2015, CCS.

[21]  Stefan Mangard,et al.  Practical Memory Deduplication Attacks in Sandboxed Javascript , 2015, ESORICS.

[22]  Frank Piessens,et al.  FPDetective: dusting the web for fingerprinters , 2013, CCS.

[23]  Chris Kanich,et al.  Browser Feature Usage on the Modern Web , 2016, Internet Measurement Conference.

[24]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[25]  Nikita Borisov,et al.  Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses , 2016, NDSS.

[26]  Song Li,et al.  (Cross-)Browser Fingerprinting via OS and Hardware Level Features , 2017, NDSS.

[27]  Benjamin Livshits,et al.  GATEKEEPER: Mostly Static Enforcement of Security and Reliability Policies for JavaScript Code , 2009, USENIX Security Symposium.

[28]  Arvind Narayanan,et al.  Online Tracking: A 1-million-site Measurement and Analysis , 2016, CCS.

[29]  Sid Stamm,et al.  Reining in the web with content security policy , 2010, WWW '10.

[30]  Thorsten Holz,et al.  IceShield: Detection and Mitigation of Malicious Websites with a Frozen DOM , 2011, RAID.

[31]  Sorin Lerner,et al.  On Subnormal Floating Point and Abnormal Timing , 2015, 2015 IEEE Symposium on Security and Privacy.

[32]  Claude Castelluccia,et al.  The Leaking Battery - A Privacy Analysis of the HTML5 Battery Status API , 2015, DPM/QASA@ESORICS.

[33]  Jong Kim,et al.  Exploring and mitigating privacy threats of HTML5 geolocation API , 2014, ACSAC '14.

[34]  Angelos D. Keromytis,et al.  The Spy in the Sandbox: Practical Cache Attacks in JavaScript and their Implications , 2015, CCS.

[35]  Christopher Krügel,et al.  ZigZag: Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities , 2015, USENIX Security Symposium.

[36]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.