VULNERABILITY OF \SECURE" WEB BROWSERS Flavio De Paoli, Andre L. Dos Santos, Richard A. Kemmerer Reliable Software Group Computer Science Department University of California Santa Barbara, CA 93106 [email protected], fandre,[email protected] Abstract Today the World Wide Web is considered to b e a platform for building distributed applications. This evolution is made p ossible by browsers with pro cessing capabilities and by programming languages that allowweb designers to emb ed real programs into HTML do cuments. Downloading and executing co de from anywhere on the Internet brings security problems along with it. A systematic and thorough analysis of security aws in the browsers and related technology is necessary to reach a sucient level of con dence. This pap er presents some preliminary results of ongoing research that has the nal goal of developing prop erties for secure browsers and pro cedures for secure browsing. The research started byinvestigating features provided by the standard environment. The pap er describ es some exp erimental attacks that have b een carried out by exploiting features of Java and JavaScript executed by Netscap e Navigator and Microsoft Explorer browsers. 1 Intro duction The growth of the Internet and the World Wide Web WWW during the past few years has b een phenomenal. The Internet is currently serving tens of millions of p eople connected through millions of computers. Most every business and government institution has a web page, and the web and web browsing are fast b ecoming the primary source of information for p eople of all ages. Languages like Java and JavaScript have b een develop ed to embed programs into Hyp erText Markup Language HTML do cuments pages. Java applets, which are designed to be downloaded from the web and run directly by the Java virtual machine within a browser, are also increasingly b eing included in web pages to provide more sophisticated animation and other desirable features. Downloading and executing co de from anywhere on the Internet brings security problems along with it. That is, the host computer is op en toavariety of attacks, ranging from attacks that simply monitor the environment to exp ort information, to attacks that change the con guration or the b ehavior of the host changing les, consuming resources, and nally to attacks that op en a back do or to let intruders get into the host. Attacks succeed either b ecause the implementation of the browser is weak from aws in the sp eci cation and/or from p o or implementation or b ecause the environment in which the browser is executed has aws. Weaknesses in the environment are mainly due to the new op en nature of software. Conventional computing paradigms assume that programs are installed and con gured once on any and every machine and that these programs only exchange data. This means that a user can make all p ossible checks over a new program b efore running it. This assumption is no longer valid for op en and mobile environments, suchasJava and the web. Many security holes in web browsers have b een discovered and broughtto the attention of the public [DFW96]. Although most of these holes have b een patched, a systematic analysis of the features of b oth the Java and JavaScript languages and the web environment is needed to identify p ossible design weaknesses in order to avoid similar problems. This researchwas partially supp orted by Digital Sound Corp oration and the University of California through a Micro Grant. Most of the attacks carried out so far require the attacker to have substantial capabilities, such as taking over a web server or a domain name server or assuming that the user will navigate only through hyp erlinks. These assumptions, therefore, often limit the likeliho o d of the attacks due to the low probability that the assumptions would b e satis ed or b ecause they require so much knowledge that only highly-skilled programmers could implement the attacks. The purp ose of this pap er is to describ e some exp erimental attacks that have b een carried out by ex- ploiting only features provided by the standard environment. What sets these attacks apart from most of the others is that the attacks presented in this pap er can be realized without assuming that the attacker has any capabilities b eyond those granted to every user on the net and without assuming that the attackers are highly skilled programmers with complex programs for carrying out the attacks. That is, the attacks rep orted in this pap er are straight forward to set up and are of limited complexity. This pap er rep orts on two attacks. The rst one deals with the violation of privacy, and it requires only that the victim downloads a page that includes an attacker applet, which collects and sends information back to its server. The second exp erimentisaspowerful as a \man-in-the-middle" attack, but it to o requires only that the victim downloads a honey-p ot page that includes an applet that can detect when the victim visits a certain site and displays an imp oster page for that site in order to steal sensitive information, such as credit card numb ers or p ersonal identi cation numb ers. The pap er is structured in the following way. Section 2 summarizes the browser and language features that have b een used. Section 3 brie y reviews some previously known attacks. Section 4 gives more details on applet capabilities and features to establish the background for the attacks. Section 5 describ es the new attacks. Finally, future work and conclusions are presented. 2 Browsers and Languages The World Wide Web isahyp ertext of network-accessible information. It was designed to supp ort static links to display static multimedia do cuments. The quick growth of the web and the related technology has changed this initial view. Today the web is considered a platform to build distributed applications. This evolution is made p ossible by browsers with pro cessing capabilities and by programming languages that allowweb designers to emb ed real programs into HTML do cuments. This section outlines the characteristics of Java and JavaScript, which are the most p opular languages for programming the web, and of Netscap e Navigator and Microsoft Explorer, which are the most p opular browsers. 2.1 Java The Java language is a general-purp ose ob ject-oriented language that was intro duced by Sun Microsystems in 1995 [GJS96a]. One of the ma jor design goals for Javawas p ortability. The result is that not only the Java source co de, but also the binary co de is executable on all pro cessors. This is accomplished by compiling the source co de into platform indep endentbyteco de, which is then run by the Java virtual machine. Some of the features of the Java language that make it simpler and supp osedly more secure are that it is strongly typ ed, there are no prepro cessor statements like C's de ne and include, there are no p ointers, no global variables, and no global functions. By keeping the language simple and without many of the error prone features, suchasmultiple inheritance, it is exp ected that Java will b e more secure. AJava program is a collection of classes and instances of classes. Each class is compiled into an inter- mediate format, called bytecode, which is then interpreted to execute the program. A ma jor characteristic of Java is that p ointers are not supp orted; object references are provided instead. Java supp orts dynamic creation of instances and bindings. When a class instance an ob ject is needed, it is created explicitly and a reference to it is returned; when a metho d is invoked on an ob ject, the interpreter selects the metho d to b e executed according to the class hierarchy and metho d overloading. Ob ject destruction is automatically handled byagarbage col lector, so that memory management is completely in the control of the interpreter. Another feature of Java is the supp ort for concurrent programming via thread s. Threads allow program- mers to asso ciate an indep endent execution ow with each class. A class with a thread can be started, stopp ed, and susp ended indep endently from the execution of the rest of the system of which it is part. Synchronization among thread executions can b e accomplished by class monitor s. As mentioned ab ove, Javacodewas designed to run on any client; therefore, compiled Java programs are network and platform indep endent. The absence of physical p ointers and automatic memory management help achieve this indep endence. Moreover, the byteco de has b een designed to fully supp ort the typing mechanism of Java so that dynamic co de veri cation can be p erformed. This is a safety and a security feature designed to prevent one from executing corrupted or malicious co de. The Java Virtual Machine is emulated in software and can run on numerous platforms [LY96]. It could also be compiled or implemented directly in micro co de or hardware, but currently it is mostly emulated in software. The virtual machine deals with class les, which contain Java virtual machine instructions, a symb ol table, and a few other necessary items. Java virtual machine instructions are all one byte long, and that is why they are called byteco des. Byteco de can also b e generated from other high level languages, such as Ada or C, or it could b e generated manually.