Description
Vulnerabilities are frequently discovered in the Chromium browser. To protect sensitive
website data from an attacker abusing such a vulnerability, Chromium employs a
layered approach with multiple sandboxes. One of these sandboxes is the Chromium
Sandbox that encapsulates the rendering of a website in a dedicated renderer process.
To protect a website from a different malicious one, different websites use different
renderer processes. To increase Chromium’s performance and reduce the number
of renderer processes, websites with a related domain can share the same renderer
process. In this thesis, we investigate how an attacker can use this sharing of a renderer
process together with commonly found 0-, N-Day, and Spectre vulnerabilities to obtain
sensitive data from a victim website with a related domain. First we determine and
investigate different targets an attacker might be interested in that can be found on a
victim website. Next, we define 4 attacker models based on commonly found types
of vulnerabilities in Chromium. Then we present 5 different attacks that allow these
attacker models to obtain a secret from the victim website. By that, we show that
Chromium’s current security mechanisms are unable to protect sensitive data from any
of the attacker models we used. Most notable are the exploits that only use memory
disclosure attacker models, as they can obtain the session cookie from a real-world
website, and the attacker model they use does not rely on a type of vulnerability the
Chromium developers consider a breach of security guarantees.
|
