Advanced Web and E-Voting Security

CS594 Spring 2009 blog

February 25th, 2009

Adobe Buffer Overflow Vulnerability

A critical buffer overflow vulnerability has been found in Adobe Reader versions and Acrobat Professional.

Here is the link from Adobe

http://www.adobe.com/support/security/advisories/apsa09-01.html

The patch will be made available by March 18th. Enough time for the vulnerability to be exploited effectively? (Given the percentage of users who use PDF files.)

February 24th, 2009

scam hits Google chat

http://bits.blogs.nytimes.com/2009/02/24/viddyho-phishing-scam-hits-gmail/

This happened with me today!
I received an offline message from my friend who is on my chat list. It was suspicious since it was a “tinyurl” and I did click on it! [I know! :( ]

Anyways, the site alerted me that it was malicious content and hence I could view it at my own risk, and I did not continue.

February 24th, 2009

SpyProxy: Execution-based Detection of Malicious Web Content

Hi all,

I am Karthik and I will be presenting the paper “SpyProxy: Execution-based Detection of Malicious Web Content” on Wednesday, Feb 25, 2009. This paper explores the use of execution-based Web content analysis to protect users from Internet-borne malware. Many anti-malware tools use signatures to identify malware infections on a user’s PC. In contrast, the authors’ approach is to render and observe active Web content in a disposable virtual machine before it reaches the user’s browser, identifying and blocking pages whose behavior is suspicious. Execution-based analysis can defend against undiscovered threats and zero-day attacks. However, it cannot identify cross-site scripting, and the authors’ approach faces challenges, such as achieving good interactive performance, and limitations, such as defending against malicious Web content that contains non-determinism.

The execution-based analysis mechanism is described in detail in Section 4 of “A Crawler-based Study of Spyware on the Web”
http://www.isoc.org/isoc/conferences/ndss/06/proceedings/papers/spycrawler.pdf
Below are a few points quoted by the author.
“SpyProxy has limitations, but nonetheless we feel that it can be an effective new weapon in the Internet security arsenal, as a low-cost way to block real zero days that is complementary to existing techniques and actively makes the Web browsing experience more secure,”
“This isn’t about building a perfect security tool. We really care about exploring the technique further,”
“But we think that people can already begin using the tool without affecting the end-user experience too much.”

February 23rd, 2009

Could you submit your past essays by email?

Hi all,

I’m having a good time going through your reviews and have particularly enjoyed some of your reviews, comments and ideas. I realized that I don’t retain a copy of your essay once I return the graded copy to you.

Could you please submit your past essays by email attachment to i594a at cs ? PDF will be appreciated. (note the ‘a’ in the email address). If you had submitted handwritten reviews, you need not submit, but in future try to submit a typeset copy. For the email subject, use the short title of the paper as it appears (in square brackets) in the schedule. For instance, your email for the third paper in the list will have the subject “Re: Doppleganger”.

Note that I still require you to submit the reviews on paper in class for grading purposes.

February 22nd, 2009

A Safety-Oriented Platform for Web Applications

Hi all. I am Guru. I will be presenting the paper “A Safety-Oriented Platform for Web Applications”. Here we will be concentrating on the ‘Tahoma web browser’.

We will go through the Tahoma browser architecture and discuss how secure this browser is, and also the pros and cons of this architecture. The Tahoma architecture is based on the concept of users’ expectation of having a browser behave and be trustworthy like a real OS running on your PC.

Tahoma incorporates the following

- Isolates Web Applications
- Isolates Web browsers from the host operating system

Tahoma uses

- Xen Virtual machine on Linux OS
- Konqueror Web Browser

Here are some useful links for further reading.

http://en.wikipedia.org/wiki/Xen
http://en.wikipedia.org/wiki/Konqueror
http://www.cl.cam.ac.uk/research/srg/netos/xen/
http://www.vmware.com/pdf/asplos235_adams.pdf

Also, this is a link to a paper published by Microsoft which critiques the OP web browser, Chrome and Tahoma, which use ‘Browser Kernel’ as the basic browser design, and proposes a new browser called ‘Gazelle’. It was real fun to read.

http://research.microsoft.com/pubs/79655/gazelle.pdf

Thanks.

February 22nd, 2009

New web browser concept from Microsoft

Gazelle is a new concept browser from Microsoft. I found this paper interesting, given the fact we just analyzed Doppelganger, OP and Chromium, with Tahoma on the horizon. You can find the paper here: http://research.microsoft.com/pubs/79655/gazelle.pdf.

February 17th, 2009

The Security Architecture of the Chromium Browser

Hi,
I am Kalpana Gondi, and I will be discussing the paper on “The Security Architecture of the Chromium Browser” on Wednesday, Feb 18, 2009. The paper discusses the design of Google’s Chrome browser from the security perspective. It is interesting to know that the Chrome browser grabbed a 3% share of the market within a month of its release in Sep 2008.
The Chrome browser also uses a modular approach similar to the OP browser (discussed in the last class). The key design goal for this browser is to prevent execution of arbitrary code in the browser code base (through exploitation of unpatched / zero-day vulnerabilities). The threat model doesn’t cover phishing or web site vulnerabilities (XSS, XSRF). As there is a production-quality browser available, it seems more stable than OP.
Through sandboxing most browser code, and controlling access to OS resources, the Chrome browser seems to reasonably achieve the design goals and can avoid -

  • Persistent malware
  • Transient keylogger
  • File theft

The Google Chrome browser consists of two modules -

  1. Rendering Engine (acts on behalf of the web)
  2. Browser Kernel (acts on behalf of the user)

The Rendering Engine is run in a sandbox, which limits attackers’ abilities to compromise the user’s system. You can get more details about the sandbox design followed by Google Chrome (mentioned in the references) at http://dev.chromium.org/developers/design-documents/sandbox.
We will discuss in detail the architecture given in the paper and the security implications of the same. Also, a discussion on what security aspects to look for in browsers would be fruitful.

February 16th, 2009

Project proposal requirements

A document that sketches the class project requirements (along with some ideas for projects) has been mailed to everyone. If you have not received it, check your SPAM folder.

February 14th, 2009

Secure Web Browsing using the OP Browser

I am Nimit Shah and I will be presenting the paper “Secure Web Browsing with the OP Web Browser by Grier, Tang and King, IEEE S&P 2008”. This is an interesting paper as the authors claim that the modern browsers we use today like Internet Explorer, Mozilla Firefox and Opera are fundamentally flawed in their architecture. The authors suggest a different way of implementing a web browser.

The browsers were initially designed only to view static web pages as data. However, in the course of time, the internet grew rapidly and now all sorts of data and business are flourishing on the internet. This would also mean that the browsers would have to add more and more functionality to cater to this demand. In doing so, there have been security flaws in the browsers which hackers have been able to exploit due to their weak architecture and their incapability to evolve for this change.

The operating system has been a subject of interest for many decades and a significant amount of research has been conducted on it. Hence the authors feel that the OS mechanisms can be applied to the browsers and their security can greatly be enhanced.

I would like to know which browser you started surfing the internet with, how many you have changed along the way, and which one you use now. What do you look for in a browser? Is it security? Is it performance? The looks? The functionality? Or is it the brand name? Of course we would really like to have all, but which ones are you willing to compromise on a little and which ones are you not?

Also, a while back, there were reported errors where Mozilla Firefox would crash every time a .wmv file was played on it. Could you find out why?

Also, this does not have much to do with the paper, but I came across an interview with an adware writer and thought it would be interesting to share it with you guys. Here is the link:

http://philosecurity.org/2009/01/12/interview-with-an-adware-author

February 13th, 2009

Browser patching

Interesting research and results on browser patches. Link.