DOCSLIB.ORG

Webcapsule: Towards a Lightweight Forensic Engine for Web Browsers

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Webcapsule: Towards a Lightweight Forensic Engine for Web Browsers WebCapsule: Towards a Lightweight Forensic Engine for Web Browsers Christopher Neasbitty, Bo Liy, Roberto Perdisciyo, Long Luz, Kapil Singh◦, and Kang Liy yDepartment of Computer Science, University of Georgia oCollege of Computing, Georgia Tech zDepartment of Computer Science, Stony Brook University ◦IBM Research {cjneasbi,lubao515}@uga.edu, [email protected], [email protected] [email protected], [email protected] ABSTRACT Categories and Subject Descriptors Performing detailed forensic analysis of real-world web security C.2.0 [Computer-Communication Networks]: General—Secu- incidents targeting users, such as social engineering and phishing rity and protection attacks, is a notoriously challenging and time-consuming task. To reconstruct web-based attacks, forensic analysts typically rely on General Terms browser cache files and system logs. However, cache files and logs provide only sparse information often lacking adequate detail to Security; Forensics reconstruct a precise view of the incident. To address this problem, we need an always-on and lightweight Keywords (i.e., low overhead) forensic data collection system that can be eas- ily integrated with a variety of popular browsers, and that allows Forensic Engine; Web Security; Browsing Replay for recording enough detailed information to enable a full recon- struction of web security incidents, including phishing attacks. 1. INTRODUCTION To this end, we propose WebCapsule, a novel record and replay The ability to perform accurate forensic analysis of web-based forensic engine for web browsers. WebCapsule functions as an security incidents is critical, as it allows security researchers to bet- always-on system that aims to record all non-deterministic inputs ter understand past incidents and develop stronger defenses against to the core web rendering engine embedded in popular browsers, future attacks. Unfortunately, analyzing real-world web attacks that including all user interactions with the rendered web content, web directly target users, such as social engineering and phishing at- traffic, and non-deterministic signals and events received from the tacks, remains an extremely challenging and time-consuming task. runtime environment. At the same time, WebCapsule aims to be The state-of-the-art methods for reconstructing web-based inci- lightweight and introduce low overhead. In addition, given a previ- dents generally follow two approaches. The first approach relies ously recorded trace, WebCapsule allows a forensic analyst to fully on analyzing the web browser’s history, cache files, and system replay and analyze past web browsing sessions in a controlled iso- logs [16, 20]. However, cache files and logs provide only sparse lated environment. information often lacking adequate detail to reconstruct a precise We design WebCapsule to also be portable, so that it can be view of what happened during social engineering and phishing at- integrated with minimal or no changes into a variety of popular tacks that may have occurred days in the past. The second approach web-rendering applications and platforms. To achieve this goal, leverages access to full network packet traces, which may provide we build WebCapsule as a self-contained instrumented version of some indications of how an incident unfolded. However, the com- Google’s Blink rendering engine and its tightly coupled V8 Java- plexity of modern web pages results in a large semantic gap be- Script engine. tween the web traffic and the detailed events (e.g., page render- We evaluate WebCapsule on numerous real-world phishing at- ing, mouse movements, key presses, etc.) that occurred within the tack instances, and demonstrate that such attacks can be recorded browser [18]. Such semantic gaps make it very difficult to precisely and fully replayed. In addition, we show that WebCapsule can reconstruct what a victim actually saw and how she was tricked, record complex browsing sessions on popular websites and differ- and to identify what information was consequently leaked. ent platforms (e.g., Linux and Android) while imposing reasonable To address this problem, we need a forensic data collection sys- overhead, thus making always-on recording practical. tem that satisfies the following requirements: - be always-on, so that all (unexpected) incidents can be trans- Permission to make digital or hard copies of all or part of this work for personal or parently recorded, including new attacks that follow previ- classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full cita- ously unknown patterns; tion on the first page. Copyrights for components of this work owned by others than - be lightweight, to minimize performance overhead, thus mak- ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- ing always-on recording practical; publish, to post on servers or to redistribute to lists, requires prior specific permission - be portable, to operate in a variety of web-rendering applica- and/or a fee. Request permissions from [email protected]. tions and platforms; CCS’15, October 12–16, 2015, Denver, Colorado, USA. - provide critical information to greatly enhance and facilitate c 2015 ACM. ISBN 978-1-4503-3832-5/15/10 ...$15.00. DOI: http://dx.doi.org/10.1145/2810103.2813656. a forensic analyst’s investigation of web security incidents, with particular focus on attacks that directly target users, Runtime Environment (User's Device) Isolated Analysis Environment such as social engineering and phishing attacks. Browser Replay Browser In this paper we propose WebCapsule, a novel record and replay forensic engine for web browsers. WebCapsule lays the founda- User Input Platform tions for web-based attack reconstruction and analysis while meet- WebTraffic Web Rendering Web Rendering shim Engine shim Engine ing all of the above stated requirements. Our main goal is to enable System Calls an always-on, transparent, and fine-grained recording (and subse- quent replay) of potentially harmful web browsing sessions. As de- picted in Figure 1, WebCapsule aims to record all non-deterministic Record Storage Replay inputs to the core web rendering engine embedded in the browser, Remote Web Server including all user interactions with the rendered web content, web traffic, and non-deterministic signals and events received from the runtime environment. Figure 1: High-level overview of WebCapsule’s record and replay WebCapsule allows an analyst to later replay previously recorded capabilities. Non-deterministic inputs to the embedded web ren- browsing sessions in a separate controlled environment, where no dering engine are recorded, and can be fully replayed in an isolated new external user inputs or network transactions are needed. This forensic analysis environment where no new external user inputs or enables detailed analysis of security incidents that are (obviously) network transactions are received. unexpected, and allows for reconstructing detailed information about incidents that may follow new, never-before-seen attack pat- terns. In addition, by replaying all non-deterministic inputs, in- Web-rendering App cluding all content provided by the server, WebCapsule enables Web-rendering API a full forensic investigation of incidents involving ephemeral web Instrumentation Shim content, such as short-lived phishing or social engineering attack WebCapsule pages. V8 JavaScript While some previous work has studied record and replay to as- Blink Engine Rendering Engine sist the debugging of web applications [2,5,23], these studies do not focus on forensic analysis and, more importantly, do not satisfy the associated requirements listed above. For example, TimeLapse [5] Instrumentation Shim is a debugging tool based on Apple’s WebKit [30] that allows for OS / Platform API recording and replaying web content. However, TimeLapse does Platform not work as an “always on” system. Also, TimeLapse does not al- low for transparent recording because it deeply modifies the inter- nals of WebKit, for example to force a synchronous scheduling of Figure 2: Overview of WebCapsule’s instrumentation shims. threads such as the HTML parser thread [25], thus also impacting performance. In addition, TimeLapse currently only works on Ma- pled V8 JavaScript engine [28] (see Figure 2) in a way that allows cOS+Safari+WebKit [26], and is not easily portable to other oper- us to inherit Blink’s portability. ating systems and browsers. Conversely, WebCapsule can function WebCapsule’s portability has several advantages. Not only can as an always-on system (e.g., it can be configured to start record- it be readily deployed into existing Blink-based browsers and mul- ing at browser startup with no user intervention) to continuously tiple platforms, but it also allows us to fully replay the browsing and transparently record browsing sessions while introducing low traces on a device (or virtual machine) whose platform may differ overhead. Furthermore, WebCapsule is highly portable, can be em- from the platform where the traces were recorded. bedded in a variety of web-rendering applications, and can run on At the same time, our design choice of “living” strictly inside a variety of platforms. Furthermore, unlike [2, 23], WebCapsule Blink imposes a number of constraints that make the instrumenta- is not limited to only recording user interactions with web pages, tion process challenging, especially for enabling the replay of com- but instead aims to
Load more

Recommended publications
  • Opera Mini Application for Android
    Opera Mini Application For Android Wat theologized his eternities goggling deathy, but quick-frozen Mohammed never hammer so unshakably. Fain and neverfringillid headline Tyrone sonever lambently. reapplied his proles! Tracie meows his bibulousness underdevelop someplace, but unrimed Ephrayim This application lies in early on this one knows of applications stored securely for example by that? Viber account to provide only be deactivated since then. Opera Mini is a super lightweight browser that loads web pages faster than what every other browser available. Opera Mini Browser Latest News Photos Videos on Opera. The Opera Mini for Android lets you do everything you any to online without wasting your fireplace plan It's stand fast safe mobile web browser that saves you tons of. Analysis of tomorrow with a few other. The mini application for opera android open multiple devices. Just with our site on a view flash drives against sim swap scammers? Thanks for better alternative software included in multitasking is passionate about how do you can browse, including sms charges may not part of mail and features. Other download option for opera mini Hospedajes Mirta. Activating it for you are you want. Opera mini 16 beta android app has a now released and before downloading the read or full review covering all the features here. It only you sign into your web page title is better your computer. The Opera Mini works the tender as tide original Opera for Android This app update features a similar appearance and functionality but thrive now displays Facebook. With google pixel exclusive skin smoothing makeover tool uses of your computer in total, control a light.
    [Show full text]
  • Telenor Takes the Mobile Internet to the Masses
    Telenor takes the mobile Internet to the masses The Mobile Internet Asia project hit the ground running this spring. Telenor is on its way to bringing the Web to the masses on both feature phones and smartphones. Today Asia is experiencing the world’s most rapid growth when it comes to mobile Internet usage. In the past two years alone, mobile Web traffic has tripled on the continent, making Asia the source of 18 percent of the world’s mobile Web browsing (source: Statcounter, Pingdom). In order to play a central role in capturing a share of this growth, Telenor Digital Services kicked off the Mobile Internet Asia (MIA) project in April this year. A mobile Internet leader in Asia “Telenor Group and its Business Units have, for several years now, focused on the importance of mobile Internet in Asia, and we have run pilot projects in this area to find the best solutions that meet the needs of our customers,” says Sissel Henriette Larsen, Vice President and Head of Services, Telenor Asia. “By starting the MIA project now, we are making a formal move to become leaders in mobile Internet in Asia. We want to tap into this explosive growth and the best Internet experience to customers.” The MIA project, under the Telenor Digital Services umbrella, includes two main focus areas: “Build the Base” and “Smartphone”. Each focus area shares the goal of establishing Telenor as a leader in providing mobile Internet. However, the two work streams differ in terms of who is targeted and how. Accelerating smartphone growth in Asia The Smartphone work stream within in MIA project is newly headed by Mark (Amarit) Sukhavanij, effective July 1, 2012.
    [Show full text]
  • Browser Wars
    Uppsala universitet Inst. för informationsvetenskap Browser Wars Kampen om webbläsarmarknaden Andreas Högström, Emil Pettersson Kurs: Examensarbete Nivå: C Termin: VT-10 Datum: 2010-06-07 Handledare: Anneli Edman "Anyone who slaps a 'this page is best viewed with Browser X' label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of read- ing a document written on another computer, another word processor, or another network" - Sir Timothy John Berners-Lee, grundare av World Wide Web Consortium, Technology Review juli 1996 Innehållsförteckning Abstract ...................................................................................................................................... 1 Sammanfattning ......................................................................................................................... 2 1 Inledning .................................................................................................................................. 3 1.1 Bakgrund .............................................................................................................................. 3 1.2 Syfte ..................................................................................................................................... 3 1.3 Frågeställningar .................................................................................................................... 3 1.4 Avgränsningar .....................................................................................................................
    [Show full text]
  • Using Replicated Execution for a More Secure and Reliable Web Browser
    Using Replicated Execution for a More Secure and Reliable Web Browser Hui Xue Nathan Dautenhahn Samuel T. King University of Illinois at Urbana Champaign huixue2, dautenh1, kingst @uiuc.edu { } Abstract Unfortunately, hackers actively exploit these vulnerabil- ities as indicated in reports from the University of Wash- Modern web browsers are complex. They provide a ington [46], Microsoft [61], and Google [49, 48]. high-performance and rich computational environment Both industry and academia have improved the se- for web-based applications, but they are prone to nu- curity and reliability of web browsers. Current com- merous types of security vulnerabilities that attackers modity browsers make large strides towards improving actively exploit. However, because major browser plat- the security and reliability of plugins by using sandbox- forms differ in their implementations they rarely exhibit ing techniques to isolate plugins from the rest of the the same vulnerabilities. browser [62, 33]. However, these browsers still scatter In this paper we present Cocktail, a system that uses security logic throughout millions of lines of code, leav- three different off-the-shelf web browsers in parallel to ing these systems susceptible to browser-based attacks. provide replicated execution for withstanding browser- Current research efforts, like Tahoma [32], the OP web based attacks and improving browser reliability. Cock- browser [36], the Gazelle web browser [59], and the Illi- tail mirrors inputs to each replica and votes on browser nois Browser Operating System [58] all propose build- states and outputs to detect potential attacks, while con- ing new web browsers to improve security. Although tinuing to run.
    [Show full text]
  • Opera Software the Best Browsing Experience on Any Device
    Opera Software The best browsing experience on any device The best Internet experience on any device Web Standards for the Future – Bruce Lawson, Opera.com • Web Evangelist, Opera • Tech lead, Law Society & Solicitors Regulation Authority (2004-8) • Author 2 books on Web Standards, edited 2 • Committee member for British Standards Institution (BSI) for the new standard for accessible websites • Member of Web Standards Project: Accessibility Task Force • Member of W3C Mobile Best Practices Working Group Web Standards for the Future – Bruce Lawson, Opera.com B.A., Honours English Literature and Language with Drama Theresa is blind But she can use the Web if made with standards The big picture WWW The big picture Western Western Web A web (pre)history • 1989 TBL proposes a project • 1992 <img> in Mosaic beta. Now 99.57% (MAMA) • 1994 W3C started at MIT • 1996 The Browser Wars • 1999 WAP, Web Content Accessibility Guidelines (WCAG) • 2000 Flash Modern web history • 2000-ish .com Crash - Time to grow up... • 2002 Opera Mobile with Small Screen Rendering • 2005 WHAT-WG founded, W3C Mobile Web Initiative starts • 2007 W3C adopts WHAT-WG spec as basis for HTML 5 • January 22, 2008 First public working draft of HTML 5 Standards at Opera • 25 employees work on standards • Mostly at W3C - a big player • Working on many standards • Bringing new work to W3C • Implementing Standards properly (us and you!) (Web Standards Curriculum www.opera.com/wsc) Why standards? The Web works everywhere - The Web is the platform • Good standards help developers: validate; separate content and presentation - means specialisation and maintainability.
    [Show full text]
  • 'Inside Track' Mobile App Beta Testing
    PITTSBURGHOPERA page 1 Pittsburgh Opera ‘Inside Track’ Mobile App beta testing Thank you for being a beta tester for our new ‘Inside Track’ functionality within the Pittsburgh Opera Mobile App. Background on Pittsburgh Opera Mobile App The Pittsburgh Opera Mobile App launched in 2016. It was built using a platform called Instant Encore, which is the leading software provider of performing arts mobile apps in North America. The app, which is free and available for both iOS and Android devices, features a plethora of opera content. Examples include performance and event schedules, bios on our Resident Artists, ticket purchasing, video excerpts, and more. Instant Encore has recently added functionality which enables patrons in the theater to receive content during an actual performance. The content, which is all visual (photos/text), is meant to enhance the patron’s experience during the performance, by providing context, background information about the composer or piece being performed, etc. Pittsburgh Opera has installed this software in our app, and is testing it during the fall performances at the Benedum. Over the winter we will be rolling out new, custom-built functionality which allow us to include audio content as well. We are calling the combined product ‘Inside Track’. We want to make sure that we have worked out any kinks with the ‘phase 1’ software (i.e. visual content only) prior to launching phase 2 (audio content.) How to download the app The Pittsburgh Opera mobile app is available for free download in the App Store for iOS devices and Google Play for Android devices.
    [Show full text]
  • Using Property-Based Testing, Weighted Grammar-Based Generators and a Consensus Oracle to Test Browser Rendering Engines and To
    USING PROPERTY-BASED TESTING, WEIGHTED GRAMMAR-BASED GENERATORS AND A CONSENSUS ORACLE TO TEST BROWSER RENDERING ENGINES AND TO REPRODUCE MINIMIZED VERSIONS OF EXISTING TEST CASES by JOEL DAVID MARTIN Presented to the Faculty of the Graduate School of The University of Texas at Arlington in Partial Fulfillment of the Requirements for the Degree of DOCTOR OF PHILOSOPHY THE UNIVERSITY OF TEXAS AT ARLINGTON December 2019 Supervising Committee: Farhad Kamangar, Supervising Professor David Levine, Supervising Professor Manfred Huber Gergley Zaruba Copyright by Joel David Martin 2019 The copyright of Chapter2 was transferred to the IEEE as part of publication in COMPSAC 2018 (\Property-Based Testing of Browser Rendering Engines with a Consensus Oracle") [1]. Please refer to the IEEE for information about licensing the content from Chapter2. Chapter3 is a manuscript that is intended for separated publication. All copyrights on Chapter3 are currently reserved to Joel Martin. The remainder of this work, excluding Chapter2 and Chapter3, is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. ACKNOWLEDGMENTS Thank you to the members of my Supervising Committee for their support and guidance. In particular, I would like to thank David Levine who spent many long hours with me discussing the research and helping with the numerous large and small details that were necessary to complete my thesis. Many thanks to my employer, Viasat, for the financial investment toward my education. Thank you to my supervisors at Viasat, Ingolf Krueger and Markus Kaltenbach, for their support and encouragement throughout my graduate education. I would like to apologize for the harm done to numerous figurative trees during the completion of this research.
    [Show full text]
  • Internet Explorer 9 Features
    m National Institute of Information Technologies NIIT White Paper On “What is New in Internet Explorer 9” Submitted by: Md. Yusuf Hasan Student ID: S093022200027 Year: 1st Quarter: 2nd Program: M.M.S Date - 08 June 2010 Dhaka - Bangladesh Internet Explorer History Abstract: In the early 90s—the dawn of history as far as the World Wide Web is concerned—relatively few users were communicating across this Internet Explorer 9 (abbreviated as IE9) is the upcoming global network. They used an assortment of shareware and other version of the Internet Explorer web browser from software for Microsoft Windows operating system. In 1995, Microsoft Microsoft. It is currently in development, but developer hosted an Internet Strategy Day and announced its commitment to adding Internet capabilities to all its products. In fulfillment of that previews have been released. announcement, Microsoft Internet Explorer arrived as both a graphical Web browser and the name for a set of technologies. IE9 will have complete or nearly complete support for all 1995: Internet Explorer 1.0: In July 1995, Microsoft released the CSS 3 selectors, border-radius CSS 3 property, faster Windows 95 operating system, which included built-in support for JavaScript and embedded ICC v2 or v4 color profiles dial-up networking and TCP/IP (Transmission Control support via Windows Color System. IE9 will feature Protocol/Internet Protocol), key technologies for connecting to the hardware accelerated graphics rendering using Direct2D, Internet. In response to the growing public interest in the Internet, Microsoft created an add-on to the operating system called Internet hardware accelerated text rendering using Direct Write, Explorer 1.0.
    [Show full text]
  • Designing and Implementing the OP and OP2 Web Browsers
    Designing and Implementing the OP and OP2 Web Browsers CHRIS GRIER, SHUO TANG and SAMUEL T. KING, University of Illinois at Urbana-Champaign Current web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems via browser-based attacks. Browser security efforts that retrofit existing browsers have had lim- ited success because the design of modern browsers is fundamentally flawed. To enable more secure web browsing, we design and implement a new browser, called the OP web browser, that attempts to improve the state-of-the-art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communication between subsystems sim- ple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features. To show the utility of our browser architecture, we design and implement three novel security features. First, we develop flexible security policies that allow us to include browser plugins within our security framework. Second, we use formal methods to prove useful security properties including user interface invariants and browser security policy. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks. In addition to presenting the OP browser architecture, we discuss the design and implementation of a second version of OP, OP2, that includes features from other secure web browser designs to improve on the overall security and performance of OP.
    [Show full text]
  • Automated Cross-Browser Compatibility Testing
    Automated Cross-Browser Compatibility Testing ∗ Ali Mesbah Mukul R. Prasad Electrical and Computer Engineering Trusted Systems Innovation Group University of British Columbia Fujitsu Laboratories of America Vancouver, BC, Canada Sunnyvale, CA, USA [email protected] [email protected] ABSTRACT web browsers render web content somewhat differently [18, With the advent of Web 2.0 applications and new browsers, 24, 25, 26]. However, the scope and impact of this problem the cross-browser compatibility issue is becoming increas- has been rapidly growing due to two, fairly recent trends. ingly important. Although the problem is widely recognized First, modern, rich-content web applications have a heavy among web developers, no systematic approach to tackle client-side behavioral footprint, i.e., they are designed to ex- it exists today. None of the current tools, which provide ecute significant elements of their behavior exclusively on the screenshots or emulation environments, specifies any notion client-side, typically within the web browser. Further, tech- of cross-browser compatibility, much less check it automat- nologies such as Ajax [12], Flash, and event-handling for ically. In this paper, we pose the problem of cross-browser dynamic HTML, which support this thick-client behavior, compatibility testing of modern web applications as a `func- are the very aspects in which web browsers differ. tional consistency' check of web application behavior across Second, recent years have seen an explosion in the num- different web browsers and present an automated solution ber of available web browsers. There are nearly 100 different for it. Our approach consists of (1) automatically analyzing web browsers available today [31].
    [Show full text]
  • Opera Mini Opera Mobile Shipments Pre-Installed in 4Q08: 7.3 Million
    Opera Software Fourth quarter 2008 A note from our lawyers 2 This presentation contains and is, i.a., based on forward-looking statements. These statements involve known and unknown risks, uncertainties and other factors which may cause our actual results, performance or achievements to be materially different from any future results, performances or achievements expressed or implied by the forward-looking statements . Forward-looking statements may in some cases be identified by terminology such as “may”, “will”, “could”, “should”, “expect”, “plan”, “intend”, “anticipate”, “believe”, “estimate”, “predict”, “pp,gpgyotential” or “continue”, the negative of such terms or other comparable terminology. These statements are only predictions. Actual events or results may differ materially, and a number of factors may cause our actual results to differ materially from any such statement. Although we believe that the expectations and assumptions reflected in the statements are reasonable, we cannot guarantee future results, levels of activity, performance or achievement. Opera Software ASA makes no representation or warranty (express or implied) as to the correctness or completeness of the presentation, and neither Opera Software ASA nor any of its direc tors or emp loyees assumes any lia bility resu lting from use. Excep t as requ ire d by law, we undertake no obligation to update publicly any forward-looking statements for any reason after the date of this presentation to conform these statements to actual results or to changes in our expectations. You are advised, however, to consult any further public disclosures made by us, su ch as filings made w ith the OSE or press releases .
    [Show full text]
  • Appendix a the Ten Commandments for Websites
    Appendix A The Ten Commandments for Websites Welcome to the appendixes! At this stage in your learning, you should have all the basic skills you require to build a high-quality website with insightful consideration given to aspects such as accessibility, search engine optimization, usability, and all the other concepts that web designers and developers think about on a daily basis. Hopefully with all the different elements covered in this book, you now have a solid understanding as to what goes into building a website (much more than code!). The main thing you should take from this book is that you don’t need to be an expert at everything but ensuring that you take the time to notice what’s out there and deciding what will best help your site are among the most important elements of the process. As you leave this book and go on to updating your website over time and perhaps learning new skills, always remember to be brave, take risks (through trial and error), and never feel that things are getting too hard. If you choose to learn skills that were only briefly mentioned in this book, like scripting, or to get involved in using content management systems and web software, go at a pace that you feel comfortable with. With that in mind, let’s go over the 10 most important messages I would personally recommend. After that, I’ll give you some useful resources like important websites for people learning to create for the Internet and handy software. Advice is something many professional designers and developers give out in spades after learning some harsh lessons from what their own bitter experiences.
    [Show full text]