Abstract
By directly attacking the client device, the attacker can gain control over the device, allowing him/her to manipulate the user’s actions, steal sensitive information or abuse the device for other activities, such as denial of service attacks. In this chapter, we discuss two important attack vectors. The first attack vector uses drive-by download techniques to exploit a memory corruption vulnerability in the client software, for example, a buffer overflow vulnerability in the browser. The second attack vector attacks the client device through a malicious browser extension, which is characterized by a high degree of control over the browser.
Copyright information
© 2014 Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns
About this chapter
Cite this chapter
Ryck, P., Desmet, L., Piessens, F., Johns, M. (2014). Attacks on the Client Device. In: Primer on Client-Side Web Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-12226-7_9
DOI: https://doi.org/10.1007/978-3-319-12226-7_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12225-0
Online ISBN: 978-3-319-12226-7
eBook Packages: Computer Science, Computer Science (R0)