1 eurosys 2010, paris, france shuo chen, hong chen, manuel caballero microsoft corporation purdue...
TRANSCRIPT
1EuroSys 2010, Paris, France
Shuo Chen†, Hong Chen† ‡, Manuel Caballero†
†Microsoft Corporation ‡Purdue University Redmond, WA, USA West Lafayette, IN, USA
April 15th, 2010
2EuroSys 2010, Paris, France
Managing the lifetimes for objects in the memory
A difficult task for complex systemsEspecially true for browsers
Expected semantics of browser navigationAfter a page is navigated away, no object in the page is accessible by future pages.
Otherwise, basic security properties can be compromised
Visual integrity, document integrity and memory safetyDemos …
3EuroSys 2010, Paris, France
Due to the dilemma between the scripting capability, the navigation mechanism and the garbage collection1. Scripts are allowed to hold references to objects in other
pages
2. A page is allowed to be navigated away regardless of whether its internal objects are referenced by other pages.
3. Objects with non-zero reference counts cannot be garbage collected.Page A
Page B If objects in page B are garbage collected dangling references, memory corruption.
Not garbage collected become residue objects.
Page C
4EuroSys 2010, Paris, France
Every browser has the logic trying to ensure thatResidue objects cannot be accessible.
Unfortunately, the logic is non-trivial, and historically error-prone.
Our paper cites several known bugs that are clearly due to incorrect guarding of residue objects.
4 for IE, 3 for Firefox and 1 for Safari
Each bug is specific to a browser, but the problem is cross-browser.
Despite individual bug reports, the bugs had not been studied as a class.
No collective understanding is available.
5EuroSys 2010, Paris, France
We attempt to answer two questionsWhat are the challenges of guarding residue objects? Is it a minor problem or its scope is not well recognized?
These bugs have not been prevalent in public vulnerability repositories.
What we didWe conducted a focused study about IE to understand its guarding logic.We examined the logic using an enumerative test generation approach.
We found 5 new bugs of this type in IE.
We explained some pitfalls in building the guarding logic.
6EuroSys 2010, Paris, France
7EuroSys 2010, Paris, France
ActiveX – the technology to build most browser objects
All HTML elements, as well as the HTML rendering engine and the Javascript engine
ActiveX object interfaceAddRef, Release – refcounting
Invoke – invocation of a method of an object
HTML and Javascript languages have generic mechanisms to load ActiveX objects.
In HTML, <object ...> element
In Javascript, obj=new ActiveXObject(‘...‘)
8EuroSys 2010, Paris, France
<window> and <document> elementsUpon a navigation, the window object persists, but a new document object is switched in.At the C++ level, they are implemented as objects of CWindow and CDocument classes.
Class names begin with C by convention.
Security based on the object-capability modelObject capability model: object A can access object B only if it has a reference to object B.
9EuroSys 2010, Paris, France
Cross-window security check – CWinProxy No reference of a CWindow object should be passed to other windows.
Instead, upon a cross-window referencing, an object of CWinProxy class is created and passed out.
CWinProxy enforces security checks.
Each object of CWindow, CDocument or CWinProxy has a Boolean flag “validity”
If validity == false, then the object should not be accessed.
Main questionThe mechanism seems simple to enforce.
What can go wrong in the actual browser implementation?
10EuroSys 2010, Paris, France
11EuroSys 2010, Paris, France
Our tactic for test case generation
A tool to obtain the memory-level insights into the test cases
12EuroSys 2010, Paris, France
We generate test cases byEnumerating different inner objects
Enumerating different ways of object hosting
Enumerating different ways of navigations
Persistent window
Inner object
Navigational window
(1) Reference to the inner object
(2) navigate the navigational window
13EuroSys 2010, Paris, France
We log important operations of the browserConstruction/destruction/addRef/release of the objects ofCWindow/CDocument/CWinProxy
Validity changes of these objects
The navigation
We built an analysis tool to obtain the following insights
After the navigation, which objects are in the memory (and their refcounts)?
What are their validity flags?
Which are the remaining references and who are holding them?
14EuroSys 2010, Paris, France
15EuroSys 2010, Paris, France
The test case: the inner object is a windowPersistent window
Navigational window
ObservationsThe inner window stays in the memory after the navigation of the navigational window, although invalidated
When the inner window is created by createPopup(), it remains visible.
Damage to the visual integrity
E.g., the demo of the EuroSys banner.
Inner window
var ref = InnerWin;
16EuroSys 2010, Paris, France
The test case: the inner object is a method of the inner window
Persistent window
Navigational window
ObservationsThe CWindow object of the inner window is invalidated, but its CWinProxy object held by the persistent window is not.
The C++ object representing the method contains a polymorphic pointer whose real type is CWinProxy, not CWindow.
The method is allowed to run after the navigation.
Result: a script in the old page can survive the navigation.
var ref = InnerWindow.setTimout;Inner window
A method of the window
17EuroSys 2010, Paris, France
The test case: the inner window is hosted in another HTML engine.
Remember that the HTML engine itself is an ActiveX object, and the HTML allows loading an ActiveX object into the page. Persistent window
Navigational window
ObservationThe inner window is not invalidated after the navigation of the navigational window
Result: a script in the inner window can survive the navigation.
Another HTML engine
The inner window is rendered by another HTML engine!Inner window
18EuroSys 2010, Paris, France
Erroneous refcountingA CWinProxy object loses one extra refcount when the window is navigated away. This results in a dangling reference. EIP is corrupted.Microsoft patched this bug in a hotfix.
Partially destroyed data structure in a valid object
A CWindow object is still valid after navigationBut some members in the object have been destroyed.It results in an invalid pointer value.
19EuroSys 2010, Paris, France
At the conceptual level – seemingly simpleResidue objects should be invalidated, and the invalid objects should not interfere with the user’s browsing experience.
At the implementation level – difficult to be error-proof
Which objects to stay or to remove – need to be precise.
Whose references are held by whom – any unexpected reference path?
How to correctly set the validity for every affected object?E.g., even in the cross-HTML-engine situation
How to perform the validity checking appropriately?E.g., despite the polymorphism in the program.
…
20EuroSys 2010, Paris, France
Implementing browsers using Java, C#, etc, rather than C++?
It will eliminate memory bugs, but other bugs are unaffected.
Placing each window in a process?It will mitigate the exploits of memory bugs, but other bugs do not involve any raw memory access, and thus are unaffected.
Promising directionTo think about partitioning objects in different processes
And, to examine the HTML DOM policies and implementation
Examples: OP browser of UIUC and Gazelle browser of Microsoft Research
21EuroSys 2010, Paris, France
We formulated a class of previously reported security bugs as the residue object problem.
The literature shows that it is a cross-browser problem.
We studied IE, which gives evidences to show that
The logic of guarding residue objects is non-trivial, despite the seemingly simple policy at the conceptual level.Many unknown bugs may still exist in major browsers.
The scope of the problem has not been well recognized.