19-02-2013, 12:13 PM
Browsers.
Abstract:
The Internet is used to provide a growing number of services like online banking and shopping, which transfer confidential information over the internet. This development has heightened user sensitivity to security violations. Most users use browsers to access these online services, making browsers a critical part of the Internet communication infrastructure. A browser's reputation can be lost for a long time, if news of security vulnerabilities reaches the users. Thus, it is in the interest of browser vendors to test the security and robustness of their products proactively, before any problems occur. In this paper, we will describe how robustness testing techniques can be used to assess the security and robustness of internet browsers. In the case study, we analyze the robustness of five major browsers. None of the browsers pass the security test.
Introduction
Every time users connect their computers to the internet and start communicating with other computers, they are taking a risk. When the user wants to access a web page, the web browser program sends a request to the web server. The server gathers the requests from the browser, looks for the resource (e.g. a web page, picture, or database request) and gives a response, which depends on whether the server was able to locate the resource or not. The browser processes the response, and attempts to load the content and display it on the web page. If the loaded web page contains anomalous code, then this is also loaded into the browser.
Attackers can add code to a website which makes the browser download and execute a file. The malicious files can be anything from pictures and videos to more complex document files which exploit vulnerabilities in the browsers or third-party browser extensions. If attackers are able to exploit a vulnerability, they can disturb the operations of the browser and crash it. A more common goal for attackers is to include the compromised computers in a bot network by executing malicious code on the vulnerable host. As a result, the victim's computer starts to send spam and carry out other attacks on other innocent victims.
The biggest factor in browser security is undeniably the user. If users were to act in a more responsible manner, most security violations could probably be avoided. After all, it is the user who opens suspicious sites and downloads content from unreliable sources. However, security violations would be much harder to carry out if there were no flaws in the software. To devise an attack, the attacker needs to find a vulnerability to exploit. These vulnerabilities are mistakes made during the implementation of the browser. Attackers search for such vulnerabilities by sending malicious inputs through the browser's public interface (most commonly through the HTTP response). If the operation of the browser is disrupted or it crashes, then there is a bug in the software.
Firewalls and anti-virus programs are generally used to protect devices which have access to the internet. However, they cannot provide complete coverage. Anti-virus programs only scan for known problems, and are unable to find zero-day vulnerabilities. Zero-day vulnerabilities pose the largest security threat, because vendors are unaware of their existence and are not prepared to fix them.
flaws and create patches proactively. Robustness tests send anomalous inputs to a system. If the system fails, then there is a bug in the code. Thus, robustness testing is essentially doing what the attackers do, but before them and in a more systematic and automated manner. By testing the robustness of their products proactively, browser vendors can ensure that their products are secure and that they can provide their customers with good quality of service.
Testing methodology
In this whitepaper, we will describe how robustness testing techniques can be used to assess the security and robustness of internet browsers. We will present a related case study, in which the robustness of five major browsers was analyzed. All browsers were downloaded and installed during the same time period, and all of them were tested in the same Windows 7 operating system environment. In the case study, the robustness of the browsers' HTTP, TLS and XML processing is tested. The tested protocols were chosen on the basis of popularity. The assumption was that popular interfaces are also the most frequently tested ones. Moreover, TLS and XML are complex protocols and therefore provide interesting additional testing challenges.
The tests were run until the first critical vulnerability was found. None of the tested browsers passed the test, which indicates that all the browsers contain critical vulnerabilities, which can be used to exploit the browsers. The tests were conducted with Codenomicon's Defensics testing tools and all the tests can be repeated by third parties to verify the results. However, to protect the reputation of the manufacturers, Codenomicon will not disclose any details of individual vulnerabilities, nor name any of the products tested in the case study. The following paragraphs will relate more specifically how the individual protocols were tested, but first we will describe our fuzzing technique in more detail.
Positive vs. negative testing
Traditionally, black-box tests have used specifications to demonstrate that the target software meets the set requirements. In robustness testing, specifications are used for the opposite purpose, to discover design and implementation flaws in the protocol implementations. In contrast to traditional positive testing, robustness tests use protocol specifications to create negative black-box tests which can be used to proactively find robustness- and security-related design and implementation level bugs in protocol implementations. In robustness testing, there are no false positives: all found vulnerabilities are always critical vulnerabilities, which could have been exploited.
Fuzzing
In robustness testing, unexpected data is fed to the inputs of a system, and the behavior of the system is then monitored for stability, security and reliability. If the system fails, e.g., by crashing or by failing built-in code assertions, then there is a bug in the software. Fuzzing is a form of robustness testing,
Testing HTTP
HTTP is the primary method used to convey information on the Internet. It is a stateless protocol, and functions as a request/response protocol between clients and servers. HTTP is used by millions of people every day to access the internet from their homes, workplaces, mobile devices and public access terminals. People increasingly depend on web access to perform everyday tasks, like checking timetables, making appointments and paying bills. Web access has become a standard commodity upon which even various critical infrastructures and information services have come to rely.
HTTP is used to gain initial access into a network, which makes it a preferred target for attacks. Vulnerabilities in browsers' HTTP implementations provide all-too-easy attack scenarios, which the attackers will have no problem realizing. It is important to note that TLS/SSL encryption does not protect the browser against HTTP flaws, if the authentication takes place on the HTTP level. If an HTTP packet contains anomalies targeting vulnerabilities on the HTTP layer, then these will pass the TLS/SSL layer unnoticed. HTTP traffic is also not filtered by firewalls. Thus, HTTP vulnerabilities can have serious consequences in terms of browser security and every single HTTP flaw should be considered critical. When testing browser security, it is essential to test the robustness of the HTTP implementation. When a browser requests a web page from a server, it also sends a set of headers with information about the client. Similarly, the response from the server is preceded by a header containing information about the requested page. The actual payload of an HTTP message, the request or the response, can be almost anything. Thus, to simplify testing, the tests can target the header instead of the payload. Figure 2 shows an example of an HTTP response message containing an anomaly.
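The header-targeted negative tests described for HTTP can be sketched as follows. This is an added example, not code from the whitepaper or from Defensics: it builds one well-formed response and derives test cases that each change a single header field while leaving the payload untouched, so a client failure can be attributed to one anomaly. The baseline response and the anomalous values are constructed assumptions.

```python
CRLF = b"\r\n"

# Well-formed baseline response (constructed sample, not taken from the paper).
STATUS = b"HTTP/1.1 200 OK"
HEADERS = [(b"Content-Type", b"text/html"), (b"Content-Length", b"13")]
BODY = b"<p>hello</p>\n"

# Anomalous values (assumed, typical negative-test inputs): empty, overlong,
# negative number, format-string characters, non-ASCII bytes.
BAD_VALUES = [b"", b"A" * 65536, b"-1", b"%n%s%x", b"\x00\xff"]
BAD_STATUS = [b"HTTP/9.9 200 OK", b"HTTP/1.1 -1 OK",
              b"HTTP/1.1 " + b"9" * 4096 + b" OK"]


def build(status, headers):
    """Serialise a response; the payload is always the unmodified BODY."""
    lines = [status] + [name + b": " + value for name, value in headers]
    return CRLF.join(lines) + CRLF * 2 + BODY


def generate_cases():
    """Return (label, raw_response) pairs, one anomalous field per case."""
    cases = [("baseline", build(STATUS, HEADERS))]
    cases += [("status-line", build(bad, HEADERS)) for bad in BAD_STATUS]
    for i, (name, _) in enumerate(HEADERS):
        for bad in BAD_VALUES:
            mutated = HEADERS[:i] + [(name, bad)] + HEADERS[i + 1:]
            cases.append(("header:" + name.decode(), build(STATUS, mutated)))
    return cases


def deviations(raw):
    """Parse a generated response and list the fields that differ from baseline."""
    head, body = raw.split(CRLF * 2, 1)
    status, *lines = head.split(CRLF)
    headers = [tuple(line.split(b": ", 1)) for line in lines]
    changed = ["status-line"] if status != STATUS else []
    changed += [n.decode() for (n, v), (_, good) in zip(headers, HEADERS) if v != good]
    if body != BODY:
        changed.append("body")
    return changed


if __name__ == "__main__":
    for label, raw in generate_cases():
        print(f"{label:24} {len(raw):6d} bytes  changed={deviations(raw)}")
```

In a test run, each generated response would be returned by a local test server to the browser under test while the browser process is monitored for crashes or failed assertions.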
Testing TLS
TLS is the current standard for communication privacy on the Internet. TLS is used in client and server applications ranging from web browsers to electronic banking software and e-commerce sites. As higher level protocols often build on it, the dependability of the underlying TLS implementation is an integral factor in securing the operation of a large number of software products. TLS also utilizes ASN.1 certificates to verify service providers. The complexity of these certificates further increases the vulnerability of TLS