insecure:// Vulnerability Analysis of URI Scheme Handling in Android Mobile Browsers
Abdulla Aldoseri, David F. Oswald
Proceedings 2022 Workshop on Measurements, Attacks, and Defenses for the Web. DOI: 10.14722/madweb.2022.23003
Abstract: Uniform Resource Identifier (URI) schemes instruct browsers to conduct specific actions depending on the requested scheme. Previous research has addressed numerous issues with web URI schemes (e.g., http: and https:) both for desktop and mobile browsers. Less attention has been paid to local schemes (e.g., data: and file:), specifically for mobile browsers. In this work, we examined the implementation of such schemes in Android OS browsers, analysing the top-15 mobile browsers. As a result, we discovered three vulnerability types that affect several major browsers (including Google Chrome, Opera and Samsung Internet). First, we demonstrate a URI sanitisation issue that leads to a cross-site scripting attack via the JavaScript scheme. The problem affects Chromium browsers including Chrome, Opera, Edge, and Vivaldi. Second, we found a display issue in Samsung Internet that allows abusing data URIs to impersonate origins and protocols, posing a threat in the context of phishing attacks. Finally, we discovered a privilege escalation issue in Samsung's Android OS, leading to full read and write access to the internal storage without user consent and bypassing the Android storage permission. While this issue was originally discovered in the file scheme of the Samsung browser, utilising a combination of static and dynamic analysis, we traced the problem back to an authorization issue in the Knox Sensitive Data Protection SDK. We then show that any app can abuse this SDK to obtain full access to the internal storage without appropriate permission on Samsung devices running Android 10. We responsibly disclosed the vulnerabilities presented in this paper to the affected vendors, leading to four CVEs and security patches in Chrome, Opera and the Samsung Internet browser.

What the Fork? Finding and Analyzing Malware in GitHub Forks
Alan Cao, Brendan Dolan-Gavitt
Proceedings 2022 Workshop on Measurements, Attacks, and Defenses for the Web. DOI: 10.14722/madweb.2022.23001
Abstract: On GitHub, open-source developers use the fork feature to create server-side clones and implement code changes separately before creating pull requests. However, such fork repositories can be abused to store and distribute malware, particularly malware that stealthily mines cryptocurrencies. In this paper, we present an analysis of this emerging attack vector and a system for catching malware in GitHub fork repositories with minimal human effort, called Fork Integrity Analysis, implemented through a detection infrastructure called Fork Sentry. By automatically detecting and reverse engineering interesting artifacts extracted from a given repository's forks, we can generate alerts for suspicious artifacts and provide a means for takedown by GitHub Trust & Safety. We demonstrate the efficacy of our techniques by scanning 68,879 forks of 35 popular cryptocurrency repositories, leading to the discovery of 26 forked repositories that were hosting malware, and reported them to GitHub, with seven successful takedowns so far. Our detection infrastructure allows not only for the triaging and alerting of suspicious forks, but also provides continuous monitoring for later potential malicious forks. The code and collected data from Fork Sentry will be released as an open-source project.

P4DDPI: Securing P4-Programmable Data Plane Networks via DNS Deep Packet Inspection
Ali AlSabeh, Elie F. Kfoury, J. Crichigno, E. Bou-Harb
Proceedings 2022 Workshop on Measurements, Attacks, and Defenses for the Web. DOI: 10.14722/madweb.2022.23012
Abstract: One of the main roles of the Domain Name System (DNS) is to map domain names to IP addresses. Despite the importance of this function, DNS traffic often passes without being analyzed, thus making the DNS a center of attacks that keep evolving and growing. Software-based mitigation approaches and dedicated state-of-the-art firewalls can become a bottleneck and are subject to saturation attacks, especially in high-speed networks. The emerging P4-programmable data plane can implement a variety of network security mitigation approaches at high-speed rates without disrupting legitimate traffic. This paper describes a system that relies on programmable switches and their stateful processing capabilities to parse and analyze DNS traffic solely in the data plane, and subsequently apply security policies on domains according to the network administrator. In particular, Deep Packet Inspection (DPI) is leveraged to extract the domain name consisting of any number of labels and hence apply filtering rules (e.g., blocking malicious domains). Evaluation results show that the proposed approach can parse more domain labels than any state-of-the-art P4-based approach. Additionally, a significant performance gain is attained when comparing it to a traditional software firewall (pfSense) in terms of throughput, delay, and packet loss. The resources occupied by the implemented P4 program are minimal, which allows for more security functionalities to be added.

Log4shell: Redefining the Web Attack Surface
D. Everson, Long Cheng, Zhenkai Zhang
Proceedings 2022 Workshop on Measurements, Attacks, and Defenses for the Web. DOI: 10.14722/madweb.2022.23010
Abstract: The log4shell vulnerability has been called one of the most significant cybersecurity vulnerabilities in recent history. For weeks after initial disclosure, companies around the globe scrambled to respond by patching their systems or by applying mitigating security measures to protect systems that could not be readily patched. There are many possible ways to detect if and where an organization is vulnerable to log4shell, each with advantages and disadvantages. Penetration testing in particular is one possible solution, though its results can be misleading if not interpreted in the proper context. Mitigation measures have varying degrees of success: Web Application Firewalls (WAFs) could be bypassed, whereas our analysis revealed that outbound network restrictions would have provided an effective protection given the rapidly evolving patch cycle. Ultimately, log4shell should change the way we look at web attack surfaces; doing so will ensure we can be better prepared for the next critical zero-day Remote Code Execution (RCE) vulnerability.

What Storage? An Empirical Analysis of Web Storage in the Wild
Zubair Ahmad, Samuele Casarin, Stefano Calzavara
Proceedings 2022 Workshop on Measurements, Attacks, and Defenses for the Web. DOI: 10.14722/madweb.2022.23005
Abstract: In this paper we perform the first empirical analysis of the use of web storage in the wild. By using dynamic taint tracking at the level of JavaScript and by performing an automated classification of the detected information flows, we shed light on the key characteristics of web storage uses in the Tranco Top 5k. Our analysis shows that web storage is routinely accessed by third parties, including known web trackers, who are particularly eager to have both read and write access to persistent web storage information. This motivates the need for further research on the security and privacy implications of web storage content.

Characterizing the Adoption of Security.txt Files and their Applications to Vulnerability Notification
W. Findlay, A. Abdou
Proceedings 2022 Workshop on Measurements, Attacks, and Defenses for the Web. DOI: 10.14722/madweb.2022.23014
Abstract: While security researchers are adept at discovering vulnerabilities and measuring their impact, disclosing vulnerabilities to affected stakeholders has traditionally been difficult. Beyond public notices such as CVEs, there have traditionally been few appropriate channels through which to directly communicate the nature and scope of a vulnerability to those directly impacted by it. Security.txt is a relatively new proposed standard that hopes to change this by defining a canonical file format and URI through which organizations can provide contact information for vulnerability disclosure. However, despite its favourable characteristics, limited studies have systematically analyzed how effective Security.txt might be for a widespread vulnerability notification campaign. In this paper, we present a large-scale study of Security.txt's adoption over the top 1M popular domains according to the Tranco list. We measure specific features of Security.txt files such as contact information, preferred language, and RFC version compliance. We then analyze these results to better understand how suitable the current Security.txt standard is for facilitating a large-scale vulnerability notification campaign, and make recommendations for improving future versions of the standard.