Cracking ShadowCrypt: Exploring the Limitations of Secure I/O Systems in Internet Browsers

Authors: Michael Freyberger, Warren He, Devdatta Akhawe, Michelle L. Mazurek, Prateek Mittal

DOI: 10.1515/POPETS-2018-0012

Keywords: Computer science, Cracking, Information technology, World Wide Web, The Internet

Abstract: An important line of privacy research is investigating the design of systems for secure input and output (I/O) within Internet browsers. These systems would allow for users’ information to be encrypted and decrypted by the browser, and the specific web applications will only have access to the users’ information in encrypted form. The state-of-the-art approach for a secure I/O system within Internet browsers is a system called ShadowCrypt created by UC Berkeley researchers [23]. This paper will explore the limitations of ShadowCrypt in order to provide a foundation for the general principles that must be followed when designing a secure I/O system within Internet browsers. First, we developed a comprehensive UI attack that cannot be mitigated with popular UI defenses, and tested the efficacy of the attack through a user study administered on Amazon Mechanical Turk. Only 1 of the 59 participants who were under attack successfully noticed the UI attack, which validates the stealthiness of the attack. Second, we present multiple attack vectors against ShadowCrypt that do not rely upon UI deception. These attack vectors expose the privacy weaknesses of Shadow DOM—the key browser primitive leveraged by ShadowCrypt. Finally, we present a sketch of potential countermeasures that can enable the design of future secure I/O systems within Internet browsers.

References (25)
Nickolai Zeldovich, Raluca Ada Popa, Hari Balakrishnan, Steven Valdez, Jonas Helfer, Emily Stark, M. Frans Kaashoek. Building web applications on top of encrypted data using Mylar. Networked Systems Design and Implementation, pp. 157-172 (2014). doi:10.5555/2616448.2616464
Antonio Bianchi, Jacopo Corbetta, Luca Invernizzi, Yanick Fratantonio, Christopher Kruegel, Giovanni Vigna. What the App is That? Deception and Countermeasures in the Android User Interface. 2015 IEEE Symposium on Security and Privacy, pp. 931-948 (2015). doi:10.1109/SP.2015.62
Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter, Collin Jackson. Clickjacking: attacks and defenses. USENIX Security Symposium, pp. 22-22 (2012).
Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, Uwe Sander. Helping Johnny 2.0 to encrypt his Facebook conversations. Symposium on Usable Privacy and Security, pp. 11- (2012). doi:10.1145/2335356.2335371
Rachna Dhamija, J. D. Tygar. The battle against phishing: Dynamic Security Skins. Symposium on Usable Privacy and Security, pp. 77-88 (2005). doi:10.1145/1073001.1073009
Min Wu, Robert C. Miller, Simson L. Garfinkel. Do security toolbars actually prevent phishing attacks. Human Factors in Computing Systems, pp. 601-610 (2006). doi:10.1145/1124772.1124863
Warren He, Devdatta Akhawe, Sumeet Jain, Elaine Shi, Dawn Song. ShadowCrypt: Encrypted Web Applications for Everyone. Computer and Communications Security, pp. 1028-1039 (2014). doi:10.1145/2660267.2660326
Philippe De Ryck, Nick Nikiforakis, Lieven Desmet, Frank Piessens, Wouter Joosen. Protected Web Components: Hiding Sensitive Information in the Shadows. IT Professional, vol. 17, pp. 36-43 (2015). doi:10.1109/MITP.2015.12
J.H. Saltzer, M.D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, vol. 63, pp. 1278-1308 (1975). doi:10.1109/PROC.1975.9939
Edward W. Felten, Drew Dean, Dan S. Wallach, Dirk Balfanz. Web Spoofing: An Internet Con Game (1997).