ABSTRACT
The wide use of Flash technologies makes the security risks posed by Flash content an increasingly serious issue. Such risks cannot be effectively addressed by the Flash player, which either completely blocks Flash content's access to web resources or grants it unconstrained access. Efforts to mitigate this threat have to face the practical challenges that Adobe Flash player is closed source, and any changes to it need to be distributed to a large number of web clients. We demonstrate in this paper, however, that it is completely feasible to avoid these hurdles while still achieving fine-grained control of the interactions between Flash content and its hosting page. Our solution is FIRM, a system that embeds an inline reference monitor (IRM) within the web page hosting Flash content. The IRM effectively mediates the interactions between the content and DOM objects, and those between different Flash applications, using the capability tokens assigned by the web designer. FIRM can effectively protect the integrity of its IRM and the confidentiality of capability tokens. It can be deployed without making any changes to browsers. Our evaluation based upon real-world web applications and Flash applications demonstrates that FIRM effectively protects valuable user information and incurs small overhead.
Index Terms
- FIRM: capability-based inline mediation of Flash behaviors