Title | ||
---|---|---|
XSinator.com: From a Formal Model to the Automatic Evaluation of Cross-Site Leaks in Web Browsers |
Abstract | ||
---|---|---|
Cross-Site Leaks (XS-Leaks) describe a client-side bug that allows an attacker to collect side-channel information from a cross-origin HTTP resource. They are a significant threat to Internet privacy since simply visiting a web page may reveal if the victim is a drug addict or leak a sexual orientation. Numerous different attack vectors, as well as mitigation strategies, have been proposed, but a clear and systematic understanding of XS-Leaks' root causes is still missing. Recently, Sudhodanan et al. gave a first overview of XS-Leaks at NDSS 2020. We build on their work by presenting the first formal model for XS-Leaks. Our comprehensive analysis of known XS-Leaks reveals that all of them fit into this new model. With the help of this formal approach, we (1) systematically searched for new XS-Leak attack classes, (2) implemented XSinator.com, a tool to automatically evaluate if a given web browser is vulnerable to XS-Leaks, and (3) systematically evaluated mitigations for XS-Leaks. We found 14 new attack classes, evaluated the resilience of 56 different browser/OS combinations against a total of 34 XS-Leaks, and propose a completely novel methodology to mitigate XS-Leaks. |
Year | DOI | Venue |
---|---|---|
2021 | 10.1145/3460120.3484739 | Computer and Communications Security |
Keywords | DocType | Citations |
---|---|---|
XS-Leaks, Browser, Web Security | Conference | 1 |
PageRank | References | Authors |
---|---|---|
0.39 | 0 | 5 |
Name | Order | Citations | PageRank |
---|---|---|---|
Lukas Knittel | 1 | 1 | 0.39 |
Christian Mainka | 2 | 66 | 10.80 |
Marcus Niemietz | 3 | 1 | 0.72 |
Dominik Trevor Noß | 4 | 1 | 0.39 |
Jörg Schwenk | 5 | 899 | 88.54 |