Shuo Chen, Hong Chen, and Manuel Caballero
A complex software system typically has a large number of objects in the memory, holding references to each other to implement an object model. Deciding when the objects should be alive/active is non-trivial, but the decisions can be security-critical. This is especially true for web browsers: if certain browser objects do not disappear when the new page is switched in, basic security properties can be compromised, such as visual integrity, document integrity and memory safety. We refer to these browser objects as residue objects. Serious security vulnerabilities due to residue objects have been sporadically discovered in leading browser products in the past, such as IE, Firefox and Safari. However, this class of vulnerabilities has not been studied in the research literature. Our work is motivated by two questions: (1) what are the challenges imposed by residue objects on the browser’s logic correctness; (2) how prevalent can these vulnerabilities be in today’s commodity browsers. As an example, we analyze the mechanisms for guarding residue objects in Internet Explorer (IE), and use an enumerative approach to expose and understand new vulnerabilities. Although only the native HTML engine is studied so far, we have already discovered five new vulnerabilities and reported them to IE developers (one of the vulnerabilities has been patched in a Microsoft security update). These vulnerabilities demonstrate a diversity of logic errors in the browser code. Moreover, our study empirically suggests that the actual prevalence of this type of vulnerabilities can be higher than what is perceived today. We also discuss how the browser industry should respond to this class of security problems.
|Published in||Proceedings of EuroSys|
|Publisher||Association for Computing Machinery, Inc.|
Copyright © 2007 by the Association for Computing Machinery, Inc. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept, ACM Inc., fax +1 (212) 869-0481, or firstname.lastname@example.org. The definitive version of this paper can be found at ACM’s Digital Library --http://www.acm.org/dl/.