CorbFuzz: Checking Browser Security Policies with Fuzzing

by Chaofan Shou, et al.

Browsers use security policies to block malicious behaviors. Cross-Origin Read Blocking (CORB) is a browser security policy for preventing side-channel attacks such as Spectre. We propose a web browser security policy fuzzer called CorbFuzz for checking CORB and similar policies. In implementing a security policy, the browser only has access to HTTP requests and responses, and takes policy actions based solely on those interactions. In checking the browser security policies, CorbFuzz uses a policy oracle that tracks the web application behavior and infers the desired policy action based on the web application state. By comparing the policy oracle with the browser behavior, CorbFuzz detects weaknesses in browser security policies. CorbFuzz checks the web browser policy by fuzzing a set of web applications where the state-related queries are symbolically evaluated for increased coverage and automation. CorbFuzz collects type information from database queries and branch conditions in order to prevent the generation of inconsistent data values during fuzzing. We evaluated CorbFuzz on CORB implementations of Chromium and Webkit, and Opaque Response Blocking (ORB) policy implementation of Firefox using web applications collected from GitHub. We found three classes of weaknesses in Chromium's implementation of CORB.
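The comparison the abstract describes, a browser decision made from headers and body alone checked against an oracle that knows the application state, can be sketched as follows. This is an added example, not code from CorbFuzz or the paper; the protected-type list, the sniffing rule, the oracle rule, every name and the sample traffic are simplified assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Simplified stand-in for CORB's protected types (assumption; real CORB also
# covers +json/+xml subtypes and sniffs text/plain).
PROTECTED = {"text/html", "application/json", "text/xml", "application/xml"}

@dataclass
class Exchange:
    url: str
    content_type: str
    nosniff: bool
    body: bytes
    touched_user_state: bool  # seen only by the oracle, from app instrumentation

def browser_blocks(x: Exchange) -> bool:
    """Header/body-only decision, as a browser must make it (simplified)."""
    mime = x.content_type.split(";")[0].strip().lower()
    if mime not in PROTECTED:
        return False          # unprotected type: never blocked
    if x.nosniff:
        return True           # nosniff: the declared type is trusted as-is
    # Otherwise the body must look like the declared kind of document.
    head = x.body.lstrip()[:32].lower()
    return head.startswith((b"<!doctype html", b"<html", b"<?xml", b'{"'))

def oracle_blocks(x: Exchange) -> bool:
    """State-based decision (assumed rule): protect anything built from per-user state."""
    return x.touched_user_state

def under_blocked(exchanges):
    """URLs the oracle wants blocked but the header-only policy lets through."""
    return [x.url for x in exchanges if oracle_blocks(x) and not browser_blocks(x)]

# Constructed sample traffic, not taken from the paper's evaluation.
SAMPLE = [
    Exchange("/api/profile", "application/json", True, b'{"email":"a@example.test"}', True),
    Exchange("/static/app.js", "text/javascript", False, b"console.log(1)", False),
    Exchange("/about", "text/html", False, b"<html><body>About</body></html>", False),
    Exchange("/api/notes", "application/json", False, b'[{"id":1,"text":"private"}]', True),
    Exchange("/export.csv", "text/csv", True, b"id,balance\n1,42\n", True),
]

if __name__ == "__main__":
    for url in under_blocked(SAMPLE):
        print("oracle blocks, browser allows:", url)
```

The two flagged responses are constructed cases of state-derived data served in a form the header-only check does not recognise; they are not the three weakness classes the paper reports.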




