Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Cracking ShadowCrypt: Exploring the Limitations of Secure I/O Systems in Internet Browsers

Cracking ShadowCrypt: Exploring the Limitations of Secure I/O Systems in Internet Browsers AbstractAn important line of privacy research is investigating the design of systems for secure input and output (I/O) within Internet browsers. These systems would allow for users’ information to be encrypted and decrypted by the browser, and the specific web applications will only have access to the users’ information in encrypted form. The state-of-the-art approach for a secure I/O system within Internet browsers is a system called ShadowCrypt created by UC Berkeley researchers [23]. This paper will explore the limitations of ShadowCrypt in order to provide a foundation for the general principles that must be followed when designing a secure I/O system within Internet browsers. First, we developed a comprehensive UI attack that cannot be mitigated with popular UI defenses, and tested the efficacy of the attack through a user study administered on Amazon Mechanical Turk. Only 1 of the 59 participants who were under attack successfully noticed the UI attack, which validates the stealthiness of the attack. Second, we present multiple attack vectors against Shadow-Crypt that do not rely upon UI deception. These attack vectors expose the privacy weaknesses of Shadow DOM—the key browser primitive leveraged by ShadowCrypt. Finally, we present a sketch of potential countermeasures that can enable the design of future secure I/O systems within Internet browsers. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png Proceedings on Privacy Enhancing Technologies de Gruyter

Cracking ShadowCrypt: Exploring the Limitations of Secure I/O Systems in Internet Browsers

Download PDF
17 pages

Loading next page...
 
/lp/de-gruyter/cracking-shadowcrypt-exploring-the-limitations-of-secure-i-o-systems-hn7GsibY60
Publisher
de Gruyter
Copyright
© 2018 Michael Freyberger et al., published by De Gruyter Open
ISSN
2299-0984
eISSN
2299-0984
DOI
10.1515/popets-2018-0012
Publisher site
See Article on Publisher Site

Abstract

AbstractAn important line of privacy research is investigating the design of systems for secure input and output (I/O) within Internet browsers. These systems would allow for users’ information to be encrypted and decrypted by the browser, and the specific web applications will only have access to the users’ information in encrypted form. The state-of-the-art approach for a secure I/O system within Internet browsers is a system called ShadowCrypt created by UC Berkeley researchers [23]. This paper will explore the limitations of ShadowCrypt in order to provide a foundation for the general principles that must be followed when designing a secure I/O system within Internet browsers. First, we developed a comprehensive UI attack that cannot be mitigated with popular UI defenses, and tested the efficacy of the attack through a user study administered on Amazon Mechanical Turk. Only 1 of the 59 participants who were under attack successfully noticed the UI attack, which validates the stealthiness of the attack. Second, we present multiple attack vectors against Shadow-Crypt that do not rely upon UI deception. These attack vectors expose the privacy weaknesses of Shadow DOM—the key browser primitive leveraged by ShadowCrypt. Finally, we present a sketch of potential countermeasures that can enable the design of future secure I/O systems within Internet browsers.

Journal

Proceedings on Privacy Enhancing Technologiesde Gruyter

Published: Apr 1, 2018

References

  • Protecting sensitive web content from client - side vulnerabilities with cryptons InProceedings of the conference on Computer security pages
    Dong
  • Our future joins microsoft https www wunderlist com blog our future wunderlist joins microsoft
    Reber
  • Kaminsky Want these bugs off my internet def con slide http www slideshare net dakami i want these bugs off my internet
    August
  • Encrypting analytical web applications InProceedings of the on Workshop pages
    Fuhry
  • practical browser - based password manager with a security token InProceedings of the ACM Turing th Celebration Conference - China page
    Liang
  • Encrypted web applications for everyone of the Conference on Communications pages New
    He
  • Building web applications on top of encrypted data using mylar In th on Networked Systems Design and Implementation pages
    Popa
  • Lardinois Gmail now has more than monthly active users https techcrunch com gmail now has more than monthly active users
    February
  • Want these bugs off my internet def con https youtu be wx
    Kaminsky
  • Protecting confidentiality with encrypted query processing InProceedings of the Twenty - Third ACM Symposium on Operating Systems Principles pages New York
    Popa
  • Do security toolbars actually prevent phishing attacks ? InProceedings of the SIGCHI Conference on Human Factors in CHI pages New
    Wu
  • The protection of information in computer systems of the
    Saltzer
  • Trusted paths for browsers on Information and System
    Ye
  • Lardinois Gmail now has more than monthly active users https techcrunch com gmail now has more than monthly active users
    February
  • The universal encryption layer for mobile messaging applications Conference on and pages
    Ozcan
  • Encrypted web applications for everyone of the Conference on Communications pages New
    He
  • The battle against phishing : Dynamic security skins InProceedings of the symposium on Usable privacy and security pages
    Dhamija
  • Isolating web programs in modern browser architectures InProceedings of the th ACM European Conference on Computer Systems pages New York
    Reis
  • Shadow working draft december https goo gl
    Glazkov
  • Retrofitting the web with user - to - user encryption interface
    Ruoti
  • Building web applications on top of encrypted data using mylar In th on Networked Systems Design and Implementation pages
    Popa
  • Do security toolbars actually prevent phishing attacks ? InProceedings of the SIGCHI Conference on Human Factors in CHI pages New
    Wu
  • Collins Google collects Android users locations even when location services are disabled https qz com google collects android users locations even when location services are disabled November
  • Html input types http goo gl oDbNhf
  • Html input types http goo gl oDbNhf
  • What the app is that ? deception and countermeasures in the android user interface InSecurity and Privacy on pages
    Bianchi
  • The battle against phishing : Dynamic security skins InProceedings of the symposium on Usable privacy and security pages
    Dhamija
  • Shadow working draft december https goo gl
    Glazkov
  • Trusted paths for browsers on Information and System
    Ye
  • build a collaborative task app with meteor https www meteor com todos
    Todos
  • Guarini Experts say facebook leak of million users data might be bigger than we thought http www huffingtonpost com facebook leak data n html
    June
  • Dom attributes now on the prototype chain https goo gl
    DEitmJ
  • The protection of information in computer systems of the
    Saltzer
  • Aware Preventing abuse of privacy - sensitive sensors via operation bindings In th pages
    Petracca
  • Content - based security for the web InProceedings of the New Paradigms Workshop pages
    Afanasyev
  • Attacks defenses as part of the st pages Bellevue
    Huang
  • Protected web components Hiding sensitive information in the shadows IT Professional
    De Ryck
  • Protecting sensitive web content from client - side vulnerabilities with cryptons InProceedings of the conference on Computer security pages
    Dong
  • Our future joins microsoft https www wunderlist com blog our future wunderlist joins microsoft
    Reber
  • Kaminsky Want these bugs off my internet def con slide http www slideshare net dakami i want these bugs off my internet
    August
  • Attacks defenses as part of the st pages Bellevue
    Huang
  • Beeswax a platform for private web apps on pages PETS
    Légaré
  • ly project homepage https priv ly
    Priv
  • Dom attributes now on the prototype chain https goo gl
    DEitmJ
  • Web spoofing An internet con game Software World
    Felten
  • The universal encryption layer for mobile messaging applications Conference on and pages
    Ozcan
  • Guarini Experts say facebook leak of million users data might be bigger than we thought http www huffingtonpost com facebook leak data n html
    June
  • Collins Google collects Android users locations even when location services are disabled https qz com google collects android users locations even when location services are disabled November
  • Company info facebook http newsroom fb com company info
  • build a collaborative task app with meteor https www meteor com todos
    Todos
  • ly project homepage https priv ly
    Priv
  • Isolating web programs in modern browser architectures InProceedings of the th ACM European Conference on Computer Systems pages New York
    Reis
  • Web spoofing An internet con game Software World
    Felten
  • practical browser - based password manager with a security token InProceedings of the ACM Turing th Celebration Conference - China page
    Liang
  • Aware Preventing abuse of privacy - sensitive sensors via operation bindings In th pages
    Petracca
  • Protecting confidentiality with encrypted query processing InProceedings of the Twenty - Third ACM Symposium on Operating Systems Principles pages New York
    Popa
  • Company info facebook http newsroom fb com company info
  • What the app is that ? deception and countermeasures in the android user interface InSecurity and Privacy on pages
    Bianchi
  • Beeswax a platform for private web apps on pages PETS
    Légaré
  • Encrypting analytical web applications InProceedings of the on Workshop pages
    Fuhry
  • Want these bugs off my internet def con https youtu be wx
    Kaminsky
  • Content - based security for the web InProceedings of the New Paradigms Workshop pages
    Afanasyev
  • Secure web browsing with the op web browser In on Privacy sp pages
    Grier
  • Protected web components Hiding sensitive information in the shadows IT Professional
    De Ryck
  • Secure web browsing with the op web browser In on Privacy sp pages
    Grier
  • Retrofitting the web with user - to - user encryption interface
    Ruoti