Proposal for Virtual Web Browser by Using HTML5

Similar documents
Create and Apply Clientless SSL VPN Policies for Accessing. Connection Profile Attributes for Clientless SSL VPN

Live Guide Co-browsing

Learning Center Computer and Security Settings

Practice Labs User Guide

Web browsers - Firefox

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

JAVASCRIPT BASICS. Handling Events In JavaScript. In programing, event-driven programming could be a programming

MAC CHECKING MINDTAP SYSTEM REQUIREMENTS

GRITS AJAX & GWT. Trey Roby. GRITS 5/14/09 Roby - 1

Exploring Chrome Internals. Darin Fisher May 28, 2009

Lecture 9a: Sessions and Cookies

Learning Center Computer and Security Settings

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

The security of Mozilla Firefox s Extensions. Kristjan Krips

Recommended Browser Settings

Beijing , China. Keywords: Web system, XSS vulnerability, Filtering mechanisms, Vulnerability scanning.

INTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary

mytsa Knowledge Technical Guide

WEB BROWSER SANDBOXING: SECURITY AGAINST WEB ATTACKS

OWASP AppSec Research The OWASP Foundation New Insights into Clickjacking

Adobe Reader (AR) and Internet Explorer (IE) Browser Settings. Adobe Reader and Internet Explorer Browser settings

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

QuestionPoint chat The Guide to IE browser setup Last updated: 2009 June 23

Sun Mgt Bonus Lab 11: Auto-Tagging in PAN-OS 8.X

E-companion. Quiz for IT-knowledge

How I Learned to Stop Worrying and Love Plugins

Client Installation Guide

Clientless SSL VPN Remote Users

Outline. Web browsers & Web servers

Manual Internet Explorer 9 Xp For Windows 7 64 Bit

CSC Introduction to Computers and Their Applications

Graphic Selenium Testing Tool

Clientless SSL VPN End User Set-up

PLATO Learning Environment (v2.0) System and Configuration Requirements

Flash Ads. Tracking Clicks with Flash Clicks using the ClickTAG

Portal Recipient Guide. The Signature Approval Process

Dell Data Protection Protected Workspace

Recommended Browser Settings

TABLE OF CONTENTS 1. INTRODUCTION DEFINITIONS Error! Bookmark not defined REASON FOR ISSUE 2 3. RELATED DOCUMENTS 2 4.

Comodo Dragon. User Guide Guide Version Software Version Comodo Security Solutions 525 Washington Blvd. Jersey City, NJ 07310

Discovering the Mobile Safari Platform

The Reading Inventory Installation Guide

CFS Browser Compatibility

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

CyberP3i Course Module Series

Secure Web Appliance. SSL Intercept

Potential Threats to Mobile Network Security

Robust Defenses for Cross-Site Request Forgery Review

Web Programming Paper Solution (Chapter wise)

Secured Browsing with SmartBrowser

Hardening the Education. with NGFW. Narongveth Yutithammanurak Business Development Manager 23 Feb 2012

Website Report for test.com

Trouble Shooting Portable Documents Format (PDF) Q/A Solutions: AT ANY TIME THE USER CAN SAVE THE FILE TO THEIR COMPUTER AND FILL OUT THE FORM

FIREFLY ARCHITECTURE: CO-BROWSING AT SCALE FOR THE ENTERPRISE

Chrome Extension Security Architecture

Information Security CS 526 Topic 11

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

QUICK SET-UP VERIFICATION...3

PLATO Learning Environment System and Configuration Requirements

Firefox for Nokia N900 Reviewer s Guide

Manual Internet Explorer 10 Windows 7 Full. Version >>>CLICK HERE<<<

System 44 Installation Guide

CYAN SECURE WEB Installing on Windows

FinalCode Viewer User Manual

Unit 4 The Web. Computer Concepts Unit Contents. 4 Web Overview. 4 Section A: Web Basics. 4 Evolution

Chrome and IE comparisons

YU Kaltura Media Package User's Guide For version 1.1.x. Written by Media and Information Technology Center, Yamaguchi University.

Cambium Wireless Manager

TTerm Connect Installation Guide

Palo Alto Networks PAN-OS

FinalCode Viewer User Manual

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Human vs Artificial intelligence Battle of Trust

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

KVM Console. KVM Console

Access Gateway 9.3, Enterprise Edition

RNDC / NDC MicroStrategy Supplier Web Troubleshooting Guide

Micro Focus Desktop Containers

PROTECTION SERVICE FOR BUSINESS. Datasheet

Comodo Dragon Software Version 24.0

JUGAT Adobe Technology Platform for Rich Internet Applications

FASTT Math Installation Guide

[Frequently Asked Questions] Accommodation Booking Website

Tabular Presentation of the Application Software Extended Package for Web Browsers

Instructions for Configuring Your Browser Settings and Online Security FAQ s

GFI MailSecurity 2011 for Exchange/SMTP. Administration & Configuration Manual

Configuring User Defined Patterns

Want to add cool effects like rollovers and pop-up windows?

estatements Help Document October 2016

Web basics: HTTP cookies

SpaceShuttle User guide v3

Full Stack Web Developer Nanodegree Syllabus

MANTRA REGISTERED DEVICE SERVICE WINDOWS MANTRA SOFTECH INDIA PVT LTD

NGFW Security Management Center

PCI DSS and VNC Connect


Ethical Hacking. Content Outline: Session 1

ObserveIT 7.1 Release Notes

Editor Guide. There are three ways to create, edit and delete an article within SOCS. They are Central Services, SOCS Wiki s and Easy Edit.

Transcription:

Proposal for Virtual Web Browser by Using HTML5 Tomokazu Hayakawa 1 and Teruo Hikita 1 1 School of Science and Technology, Meiji University Kasawaki, 214-8571, Japan {t_haya, hikita}@cs.meiji.ac.jp Abstract. We propose a method of a virtual Web browser that enables safer Web-browsing environment. The method uses an HTML5 compliant Web browser as client environment and JavaScript-related technologies in server environment. The idea of the method is that (1) the server works as the HTTP/WebSocket proxy, (2) it transforms requested Web pages from clients into equivalent images, and (3) it returns the images to the clients, thereby making Web pages that contain malicious software (e.g., viruses, worms, and so on) harmless and protecting the clients against being infected with such malware. The virtual Web browser also supports other features such as keyboard events, mouse events, Cookies, and so on. The evaluation shows that the method provides a safer way of browsing Web pages without increasing network traffic. Finally, we conclude that the method is useful to realize safer Web-browsing environment. Keywords: security, proxy, Web browser, HTML5, JavaScript 1 Introduction As the World Wide Web becomes an essential part in our business, threats of malicious Web pages that contain viruses, worms, or others are increasing gradually. For example, there is an attack called Drive-by download that causes unintended download of computer software from the Internet. To protect our computers from malicious Web pages, it is required to use the latest Web browsers, the latest browser plugins (e.g., Java Applet, Flash Player, Adobe Acrobat Reader, and others), the latest anti-viruses, and the latest Operating Systems. In spite of these efforts, there still remains another kind of threats called Zero-day attack, because they use vulnerability in computer software before we aware and fix the vulnerability. Unfortunately, as far as we know, there seem few effective solutions for this kind of threats. To solve the problem, we propose a method, named virtual Web browser, that enables safer Web-browsing environment. The virtual Web browser consists of two parts: an HTML5 compliant Web browser as client environment and JavaScriptrelated technologies in server environment. The client side of the virtual Web browser is written in HTML5, and it transparently runs on any Web browser that is compatible with HTML5, as if the browser were not virtualized. The server side of the virtual Web browser consists of two parts: the HTTP/WebSocket proxy server and the

rasterization server. The idea of the method is that (1) the server works as the HTTP/WebSocket proxy, (2) it transforms requested Web pages from clients into equivalent images, and (3) it returns the images to the clients. This makes Web pages that contain viruses, worms, or others, harmless and protects the clients against being infected with them. We have evaluated the method from the point of view of network traffic, and the result shows that the method rarely increases network traffic. The rest of this paper is organized as follows: Section 2 and 3 describe the design and the implementation of the method, respectively. Section 4 reports the result of the evaluation. Section 5 introduces related work. Section 6 gives the conclusion. 2 Design of Virtual Web Browser 2.1 Objectives The virtual Web browser aims to be a light-weight secure browser that strengthens user security. Its main objective is to protect computers that run Web browsers against malicious Web pages with as good user experience as modern Web browsers without any additional cost. We define the user experience as follows: let the user of the virtual Web browser be able to (1) keep using his/her current Web browser as runtime environment without installing any additional software, (2) bookmark Web pages into his/her Web browser, (3) operate the browser with the keyboard and/or the mouse, and (4) use Web applications that use persistent features such as Cookies, Local Storage, and WebSQL. Moreover, there is also another objective: to solve a compatibility problem of RIAs (Rich Internet Applications). The problem is caused by the fact that there is no compatibility among RIA technologies. Hence, already existing RIAs cannot be ported to other environment even if the Web browsers or the plugins on which the RIAs run become obsolete. 2.2 How to Make Malicious Web Pages Harmless The virtual Web browser makes malicious Web pages harmless by transforming them into equivalent images, i.e., rasterization, in controlled and isolated environment. Although it is not impossible to embed malicious software in images in some situations, we believe that this method undoubtedly strengthens user security. Although there are a large number of methods that realize virtualization such as application virtualization, desktop virtualization, OS virtualization, and so on, we have decided to use HTML5 as client environment and several Unix s APIs, namely setuid(2), setgid(2), and chroot(2), in server environment to realize a safer browser without any cost nor installing any software 1. 1 The rasterization process, described in Section 2.5, is launched under a jailed directory with a limited privilege in the server, and the contents of Cookie, Local Storage, and WebSQL are stored under the directory, which minimizes and contains the influence of malware.

By this decision, there exist advantages and disadvantages. Some of the advantages are: users can use the virtual Web browser transparently through their browsers, and they can bookmark any Web page as their browsers bookmark, not the virtual Web browser s bookmark. Some of the disadvantages are: users cannot download/upload any file because the virtual Web browser does not allow any file system access, and users cannot view Web pages that require any plugin. In spite of these disadvantages, we consider them acceptable to increase security in exchange for usability. 2.3 Screenshots of Virtual Web Browser Fig. 1 shows a screenshot of the virtual Web browser that shows the CSA 2013 Web site, indicating that there is no View Page Source in the context menu. This is because the entire Web page is rasterized as a single image. Since the virtual Web browser handles user events, any link shown in the browser is clickable; if a link of an already-loaded page is clicked, the virtual Web browser moves to the new URL, and then it shows a new image of the new page indicated by the URL. 2.4 Network Model and Assumptions We assume that the network structure in which our proposed method is applied as shown in Fig. 2. The client computers are to be in the internal network and the network to which they belong is required to contain at least one DMZ (Demilitarized Zone) that is located between the two firewalls. The HTTP/WebSocket proxy server and the rasterization server are required to be placed in the DMZ. This network structure reduces the risk of the client computers being cracked even if one or both of the servers are cracked, because the firewall between the internal network and the DMZ does not allow access from the DMZ to the internal network. Fig. 1. Screenshot of Virtual Web Browser that Shows CSA 2013 Web Site.

Fig. 2. Network Structure of Virtual Web Browser. 2.5 Behavior of Virtual Web Browser Fig. 3 shows the behavior of the virtual Web browser, which indicates as follows 2 : (1) Each Web browser of the clients requests a Web page by entering a URL, by selecting a bookmark, or by clicking a link contained in an already-loaded Web page. (2) In response to the first request 3, the proxy server requests the digest access authentication that queries a username and a password; both are used to launch the rasterization process in the rasterization server under the isolated environment. (3) The browser re-requests the Web page with the proxy authentication information. (4) The proxy server launches the rasterization process on the rasterization server according to the information of proxy authentication. (5) The proxy server returns the virtual Web browser written in HTML5. (6) The virtual Web browser sends a request to the Web page by using a WebSocket. (7) The proxy server transfers the request to the rasterization server. (8) The rasterization server transfers the request to the original destination server or an upstream HTTP proxy server. (9) The rasterization server receives the response from the server. (10) The rasterization server transforms the response into an equivalent image. (11) The rasterization server returns the image to the proxy server as a binary image. (12) The proxy server returns the binary image to the browser as a base64 image. (13) Finally, the browser shows the base64 image onto its <img>. 2 Whenever the size of the user s Web browser changes, the virtual Web browser sends the new size to the server, so that the rasterization process rasterizes requested Web pages into equivalent images with the correct resolution. 3 Once the proxy authentication succeeds, the Web browser caches the authentication information, so that the user will never be asked to input his/her username/password anymore.

Fig. 3. Behavioral Overview of Virtual Web Browser. It is important to use WebSocket instead of HTTP to communicate with the proxy server, because it can communicate bidirectionally and asynchronously. Hence, the virtual Web browser can almost completely be synchronized with the launched rasterization process. For example, if a loaded Web page in the rasterization process moves to other URL, then the process sends a URL-changed notification to the virtual Web browser, which causes the browser to move to the new URL. For another example, if any of supported events such as onresize, onscroll, onmouseup, onmousedown, onmousemove, onclick, ondblclick, onkeyup, onkeydown, and onkeypress is occurred, the information of the event is sent to the process through the WebSocket, which means that the virtual Web browser supports user interaction events such as keyboard, mouse, scroll, and resize events. 3 Implementation of Virtual Web Browser 3.1 Used Software and Implementation We have used the software products shown in Table 1 to implement the virtual Web browser. JavaScript is used as the single programming language of the system to reduce development costs. jquery makes our virtual Web browser portable among modern Web browsers. PhantomJS [6] is a CUI-based Web browser that is used as the rasterization engine. Apache HTTP server is used to act as the HTTP/WebSocket proxy. Node.js [5] is used to implement the HTTP/WebSocket proxy software that runs behind the Apache and communicates with PhantomJS.

To reduce network traffic, we have decided to compress the contents between the virtual Web browser and the proxy server. Table 2 shows the compression methods that current Web browsers support. We choose deflate over gzip, because it is supported by the Apache module named mod_deflate. Fig. 4 shows the skeleton of the virtual Web browser. As figure shows, it has only one <img> element that shows a rasterized image. All events related to user interaction such as keyboard and mouse events are handled by the embedded JavaScript and are notified to the server through the WebSocket. In addition, all events fired in the rasterization process are also notified to the virtual Web browser through the WebSocket. This event-handling lets the virtual Web browser act as though it were the browser itself on which the virtual Web browser runs. Table 1. Used Software for Virtual Web Browser Implementation. Software Version Description jquery 2.0.3 JavaScript library. PhantomJS 1.9.1 Used as rasterization engine. Node.js 0.10.15 Used for HTTP/WebSocket proxy implementation. Apache HTTP Server 2.4.6 Used as HTTP/WebSocket proxy server. CentOS 6.4 Operating System. Table 2. HTTP 1.1 Compression Methods Supported by Web Browsers. Web Browser Version gzip compress deflate Internet Explorer 10.0 Yes No Yes Firefox 22.0 Yes No Yes Chrome 28.0 Yes No Yes Opera 12.15 Yes No Yes Fig. 4. Skeleton of Virtual Web Browser.

3.2 Limitations The virtual Web browser does not support any Web browser plugin such as Java Applet, Flash Player, Adobe Acrobat Reader, and others. This fact is generally considered to be a disadvantage that decreases user experience, but we consider this acceptable as a trade-off between usability and security. We intend to use the virtual Web browser with a PAC (Proxy Auto Configuration) file [4]. Since the PAC file controls what URLs should be browsed directly or through a proxy, the virtual Web browser will be used only to browse URLs that are not listed in the file. This design minimizes deterioration of user experience and enables users to use the virtual Web browser with other proxy and/or other solutions for the Zero-day attack. In addition, the virtual Web browser does not support HTTPS, because the behavior of the virtual Web browser is recognized as the MITM (Man-In-The-Middle) attack by Web browsers, and modern browsers are designed to prevent the attack from occurring. 4 Evaluation To evaluate our proposed method, we measured the amount of transferred bytes between the virtual Web browser and the proxy server. We use the top 5 Web sites ordered by traffic volume ( Alexa Internet, Inc.). Table 3 shows the size of the images of the top pages of the Web sites. The result shows that (1) transforming Web pages into equivalent images rarely increases network traffic 4, (2) encoding the images with base64 increases their size, and (3) by using the deflate, the size of the base64-encoded images becomes almost the same as the original image size. 5 Related Work There are several virtualization technologies such as desktop/application/os virtualization. One of the differences between them and ours is that such virtualizations often require dedicated software and/or OS, but our proposed method requires only an HTML5 compliant Web browser as client environment, which means that our method can be widely used without any additional cost. Table 3. Image File Sizes of Top Pages of Web Sites. Web Site Raw Size PNG PNG PNG (base64) (base64, deflate) Facebook 520,832 88,554 119,626 86,476 Google 184,125 45,392 61,321 42,490 YouTube 1,279,892 814,113 1,099,767 829,920 Yahoo! 978,704 812,161 1,097,133 821,183 Amazon.com 1,316,049 1,114,448 1,505,484 1,132,271 4 Strictly, it strongly depends on the contents of the Web page.

Palanques et al. [2] has proposed the model and architecture called Secure Cloud Browser that supports secure Web navigation. Their work and ours are similar in that both methods rasterize the contents of requested Web pages in controlled environment to protect client computers against malicious software. On the other hand, both methods are different in that their method is based on the assumption that an attacker has administrative privileges on a victim s computer and their method requires a Web browser and JRE (Java Runtime Environment) to run; our method aims to protect client computers against being infected with malware, and our method requires only an HTML5 compliant Web browser. Grier et al. [1] has proposed the OP web browser to enable more secure Web browsing. Their and our methods are similar in that both rasterize requested Web pages in isolated processes and send them back to the clients. However, both methods are different in that their method requires JRE and the dedicated Web browser; our method requires an HTML5 compliant Web browser only. Wang et al. [3] has proposed SafeFox, to create a safe browsing environment. They need light-weight virtualization to protect each Web browser process. On the other hand, we do not need virtual environment; instead, we use Unix s APIs to isolate the behavior of the rasterization process. 6 Conclusion In this paper, we have proposed the virtual Web browser that enables safer Webbrowsing environment. As a result, we conclude that the method strengthens user security of client computers to some extent, and it can be one of the solutions for the malware threats. We plan to enhance our browser to increase usability. For example, partial rasterization of requested Web pages is one idea, since rasterizing entire pages loses some information including links, texts, animations, and others. Or enhancing the browser by using the tag <canvas> is another idea, which enables links to be noticeable, texts to be copied, animations to be runnable, and so on. References 1. Grier, C., Tang, S., and King, S.T.: Secure Web Browsing with the OP Web Browser. In: IEEE Symposium on Security and Privacy, pp. 402--416, Oakland (2008) 2. Palanques, M., Dipietro, R., del Ojo, C., Malet, M., Marino, M., and Felguera, T.: Secure Cloud Browser: Model and Architecture to Support Secure WEB Navigation. In: 31st IEEE Symposium on Reliable Distributed Systems (SRDS), pp. 402--403, Irvine (2012) 3. Wang, J., Huang, Y., and Ghosh, A.: SafeFox: A Safe Lightweight Virtual Browsing Environment. In: 43rd Hawaii International Conference on System Sciences (HICSS), pp. 1- -10, Honolulu (2010) 4. Microsoft TechNet, http://technet.microsoft.com/library/dd361918 5. Node.js, http://nodejs.org/ 6. PhantomJS: Headless WebKit with JavaScript API, http://phantomjs.org/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback