Sciweavers

CCS
2007
ACM

An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism

Browsers’ isolation mechanisms are critical to users’ safety and privacy on the web. Achieving proper isolations, however, is very difficult. Historical data show that even for seemingly simple isolation policies, the current browser implementations are surprisingly error-prone. Isolation bugs have been exploited on most major browser products. This paper presents a focused study of browser isolation bugs and attacks. We found that because of the intrinsic complexity of browser components, it is impractical to exhaustively examine the browser implementation to eliminate these bugs. In this paper, we propose the script accenting mechanism as a light-weight transparent defense to enhance the current domain isolation mechanism. The basic idea is to introduce domain-specific “accents” to scripts and HTML object names so that two frames cannot communicate/interfere if they have different accents. The mechanism has been prototyped on Internet Explorer. Our evaluations showed that al...
Shuo Chen, David Ross, Yi-Min Wang
Added 07 Jun 2010
Updated 07 Jun 2010
Type Conference
Year 2007
Where CCS
Authors Shuo Chen, David Ross, Yi-Min Wang