Description
Vulnerabilities are frequently discovered in the Chromium browser. To protect sensitive website data from an attacker abusing such a vulnerability, Chromium employs a layered approach with multiple sandboxes. One of them is the Chromium Sandbox, which confines the rendering of a website to a dedicated renderer process. To protect a website from a different, malicious one, Chromium's Site Isolation places different websites in different renderer processes. To improve performance and reduce the number of renderer processes, however, origins that belong to the same site (the same scheme and registrable domain, e.g. two subdomains of one registrable domain) can share a single renderer process. In this thesis, we investigate how an attacker can combine this process sharing with commonly found 0-day, N-day and Spectre vulnerabilities to obtain sensitive data from a victim website that shares a site with the attacker's. First, we determine and investigate the different targets an attacker might be interested in on a victim website. Next, we define 4 attacker models based on commonly found types of vulnerabilities in Chromium. Then we present 5 different attacks that allow these attacker models to obtain a secret from the victim website. We thereby show that Chromium's current security mechanisms are unable to protect sensitive data from any of the attacker models we considered. Most notable are the exploits that use only a memory-disclosure attacker model: they obtain the session cookie of a real-world website, yet the type of vulnerability this attacker model relies on is one the Chromium developers do not consider a breach of their security guarantees.
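As an added illustration (not part of the thesis), the following code makes the process-sharing rule the abstract refers to concrete. Chromium's process-per-site policy keys renderer processes on the "site" of a URL, i.e. the scheme plus the registrable domain (eTLD+1) derived from the Public Suffix List; port and subdomain are ignored. The suffix table below is a constructed excerpt, not the real list Chromium consults, and the function names are my own.

```javascript
// Added example: decide whether two URLs would land in the same Chromium
// renderer process under process-per-site (site = scheme + eTLD+1).
// PUBLIC_SUFFIXES is a constructed excerpt of the Public Suffix List; the
// real list is far larger and Chromium evaluates it with wildcard and
// exception rules that this simplified lookup does not implement.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "io", "github.io"]);

// Return the registrable domain (eTLD+1) of a host, or null when the host
// itself is a public suffix or a single label. IP literals have no
// registrable domain and are returned unchanged, matching how the browser
// treats them as their own site.
function registrableDomain(host) {
  host = host.toLowerCase().replace(/\.$/, "");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  // Scan from the full host downwards so the longest matching suffix wins.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // PSL default rule: an unlisted TLD is the last label, so eTLD+1 is the
  // last two labels.
  return labels.length >= 2 ? labels.slice(-2).join(".") : null;
}

// Site key as used for process assignment: scheme plus registrable domain.
// Falls back to the bare host when no registrable domain exists.
function siteForUrl(urlString) {
  const url = new URL(urlString);
  const domain = registrableDomain(url.hostname) ?? url.hostname;
  return `${url.protocol}//${domain}`; // url.protocol already ends with ":"
}

// True when both URLs map to the same site and may therefore share a
// renderer process (and thus a memory space a Spectre-class or
// memory-disclosure bug in one origin can read across).
function shareRendererProcess(urlA, urlB) {
  return siteForUrl(urlA) === siteForUrl(urlB);
}

// Constructed inputs for demonstration.
console.log(shareRendererProcess("https://app.example.com", "https://evil.example.com")); // true
console.log(shareRendererProcess("https://a.github.io", "https://b.github.io"));         // false
console.log(shareRendererProcess("https://example.com", "http://example.com"));          // false
console.log(siteForUrl("https://login.example.co.uk:8443/session"));                     // https://example.co.uk
```

The practical check this enables: any origin that resolves to the same site key as your application, including a subdomain you hand out to third parties or a legacy host on the same registrable domain, is a candidate co-tenant of your renderer process. Listing the parent domain on the Public Suffix List (as github.io is) splits its subdomains into separate sites; alternatively, Chromium honors the `Origin-Agent-Cluster: ?1` response header to request origin-keyed rather than site-keyed agent clusters, though whether that yields a separate process depends on platform and version.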