BrowserAudit: Automated testing of browser security features

The security of the client side of a web application relies on browser features such as cookies, the same-origin policy and HTTPS. As the client side grows increasingly powerful and sophisticated, browser vendors have stepped up their offering of security mechanisms which can be leveraged to protect it. These are often introduced experimentally and informally and, as adoption increases, gradually become standardised (e.g., CSP, CORS and HSTS). Considering the diverse landscape of browser vendors, releases, and customised versions for mobile and embedded devices, there is a compelling need for a systematic assessment of browser security. We present BrowserAudit, a tool for testing that a deployed browser enforces the guarantees implied by the main standardised and experimental security mechanisms. It includes more than 400 fully-automated tests that exercise a broad range of security features, helping web users, application developers and security researchers to make an informed security assessment of a deployed browser. We validate BrowserAudit by discovering both fresh and known security-related bugs in major browsers. Copyright is held by the owner/author(s)

G-free: Defeating return-oriented programming through gadget-less binaries

Despite the numerous prevention and protection mechanisms that have been introduced into modern operating systems, the exploitation of memory corruption vulnerabilities still represents a serious threat to the security of software systems and networks. A recent exploitation technique, called Return-Oriented Programming (ROP), has lately attracted a considerable attention from academia. Past research on the topic has mostly focused on refining the original attack technique, or on proposing partial solutions that target only particular variants of the attack. In this paper, we present G-Free, a compiler-based approach that represents the first practical solution against any possible form of ROP. Our solution is able to eliminate all unaligned free-branch instructions inside a binary executable, and to protect the aligned free-branch instructions to prevent them from being misused by an attacker. We developed a prototype based on our approach, and evaluated it by compiling GNU libc and a number of real-world applications. The results of the experiments show that our solution is able to prevent any form of return-oriented programming. © 2010 ACM

Ex-Ray: Detection of History-Leaking Browser Extensions

Web browsers have become the predominant means for developing and deploying applications, and thus they often handle sensitive data such as social interactions or financial credentials and information. As a consequence, defensive measures such as TLS, the Same-Origin Policy (SOP), and Content Security Policy (CSP) are critical for ensuring that sensitive data remains in trusted hands. Browser extensions, while a useful mechanism for allowing third-party extensions to core browser functionality, pose a security risk in this regard since they have access to privileged browser APIs that are not necessarily restricted by the SOP or CSP. Because of this, they have become a major vector for introducing malicious code into the browser. Prior work has led to improved security models for isolating and sandboxing extensions, as well as techniques for identifying potentially malicious extensions. The area of privacy-violating browser extensions has so far been covered by manual analysis and systems performing search on specific text on network traffic. However, comprehensive content-agnostic systems for identifying tracking behavior at the network level are an area that has not yet received significant attention. In this paper, we present a dynamic technique for identifying privacy-violating extensions in Web browsers that relies solely on observations of the network traffic patterns generated by browser extensions. We then present Ex-Ray, a prototype implementation of this technique for the Chrome Web browser, and use it to evaluate all extensions from the Chrome store with more than 1,000 installations (10,691 in total). Our evaluation finds new types of tracking behavior not covered by state of the art systems. Finally, we discuss potential browser improvements to prevent abuse by future user-tracking extensions

Ammonium and nitrate status of the first crop corn fields at Cukurova region

The ammonium (NH4) and nitrate (NO3) are the available nitrogen (N) forms that plants need in large quantities. Their existence in the soil is limited, and concentrations are kept low due to the losses by leaching in the soil profile and microbial consumptions. Sustainability of the plant available nitrogen forms in soil profile is important for plant growth and crop production. In this research, our main objective was to evaluate mineral nitrogen (Nmin) status of the first crop corn soils and plants in Akarsu Irrigation District of Cukurova Region in 2007. Soil samples prior to sowing and after harvest were taken from 0-30, 30-60 and 60-90 cm soil depths, and analyzed for ammonium and nitrate concentrations. Plant samples were also taken during harvest, and analyzed for N content for determination of total N uptake. There was considerable amount of ammonium and nitrate in the soil profile during preplanting and postharvest. Since the soils were mostly heavy texture, there is tendency to have ammonium also in the soil solution. However, ammonium concentration was far below the nitrate concentration throughout the profile. Plant nitrogen uptake in the irrigation district was very close to the amount that was applied by the local farmers. The results indicated that soil mineral nitrogen level is an important criteria for fertilization practices, especially the preplant Nmin values need to be considered to decrease the amount of N fertilizer that will be applied

Protecting Users against Phishing Attacks

This paper presents a novel browser extension, AntiPhish, that aims to protect users against spoofed web site-based phishing attacks. To this end, AntiPhish tracks the sensitive information of a user and generates warnings whenever the user attempts to give away this information to a web site that is considered untruste

ORIGINAL PAPER Dynamic analysis of malicious code

Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse). This process is a necessary step to be able to develop effective detection techniques for malicious code. In addition, it is an important prerequisite for the development of removal tools that can thoroughly delete malware from an infected machine. Traditionally, malware analysis has been a manual process that is tedious and timeintensive. Unfortunately, the number of samples that need to be analyzed by security vendors on a daily basis is constantly increasing. This clearly reveals the need for tools that automate and simplify parts of the analysis process. In this paper, we present TTAnalyze, a tool for dynamically analyzing the behavior of Windows executables. To this end, the binary is run in an emulated operating system environment and its (security-relevant) actions are monitored. In particular, we record the Windows native system calls and Windows API functions that the program invokes. One important feature of our system is that it does not modify the program that it executes (e.g., through API call hooking or breakpoints), making it more difficult to detect by malicious code. Also, our tool runs binaries in an unmodified Windows environment

Hypervisor-based malware protection with AccessMiner

In this paper we discuss the design and implementation of AccessMiner, a system-centric behavioral malware detector. Our system is designed to model the general interactions between benign programs and the underlying operating system (OS). In this way, AccessMiner is able to capture which, and how, OS resources are used by normal applications and detect anomalous behavior in real-time. The advantage of our approach is that it does not require to be trained on malicious samples, and therefore it is able to provide a general detection solution that can be used to protect against both known and unknown malware. To make the system more resilient against tampering from sophisticated attackers, AccessMiner is implemented as a custom hypervisor that sits below the operating system. In this paper we discuss the implementation details and the technical solutions we adopted to optimize the performances and reduce the impact of the system. Our experiments show that in a stable environment AccessMiner can provide a high level of protection (around 90% detection rate with zero false positives) with an acceptable overhead - similar to the one that can be experienced in a state of the art virtual machine environment