Wednesday, April 11, 2007

Talk: Browser Security: A New Research Territory

Talk #2 for the day: By Dr. Shuo Chen, Microsoft Research. His talk was centered around two papers (technical reports if you will) published:

1. A Systematic Approach to Uncover Security Flaws in GUI Logic
2. Light-Weight Transparent Defense Against Browser Cross-Frame Attacks Using Script Accenting

As the $subject and $titles imply, their goal is to improve security in web browsers: though he presented the concepts citing examples using IE, most of the issues prevail in other browsers as well.

One thing that fascinated me is the systematic approach they took to reason about the security. In more specific terms, they initially have clearly defined the system invariants and made sure that the invariants are maintained through out. (This is what we call formal verification.)

He beautifully explained how (smart) hackers have exploited logic bugs in browser interfaces to launch phishing attacks (some of them are very subtle) and went out to talk about how to uncover systematically and fix them.

The next area he talked about is how do deal with browser cross-domain attacks. He showed how hackers have exploited, among other things, race conditions to launch such attacks and provided some insight about script accenting technique he has developed to counter them.

The talk was well worth the time!

One last thought about it...If hackers can exploit browser inconsistencies (may be bugs) with the black box techniques (they know the general techniques that all browsers use), I wonder how many more attacks we would have seen if proprietary browser codes are made public. Doesn't it violate one of the pillars of security?: "the security of a mechanism should not depend on the secrecy of its implementation".

No comments: