MIT course "Computer Systems Security". Lecture 18: "Private Browsing", Part 3

Massachusetts Institute of Technology. Lecture course # ???. "Computer Systems Security". Nickolai Zeldovich, James Mickens. 2014

Computer Systems Security is a course on the design and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security techniques based on recent research. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware security, and security in web applications.

Lecture 1: "Introduction: Threat Models" Part 1 / Part 2 / Part 3
Lecture 2: "Control Hijacking Attacks" Part 1 / Part 2 / Part 3
Lecture 3: "Buffer Overflow: Exploits and Defenses" Part 1 / Part 2 / Part 3
Lecture 4: "Privilege Separation" Part 1 / Part 2 / Part 3
Lecture 5: "Where Security Bugs Come From" Part 1 / Part 2
Lecture 6: "Capabilities" Part 1 / Part 2 / Part 3
Lecture 7: "Native Client Sandbox" Part 1 / Part 2 / Part 3
Lecture 8: "Web Security Model" Part 1 / Part 2 / Part 3
Lecture 9: "Web Application Security" Part 1 / Part 2 / Part 3
Lecture 10: "Symbolic Execution" Part 1 / Part 2 / Part 3
Lecture 11: "Ur/Web Programming Language" Part 1 / Part 2 / Part 3
Lecture 12: "Network Security" Part 1 / Part 2 / Part 3
Lecture 13: "Network Protocols" Part 1 / Part 2 / Part 3
Lecture 14: "SSL and HTTPS" Part 1 / Part 2 / Part 3
Lecture 15: "Medical Software" Part 1 / Part 2 / Part 3
Lecture 16: "Side-Channel Attacks" Part 1 / Part 2 / Part 3
Lecture 17: "User Authentication" Part 1 / Part 2 / Part 3
Lecture 18: "Private Browsing" Part 1 / Part 2 / Part 3

So, the first approach is to use virtual machines as a way to strengthen the guarantees of private browsing; that is, we implement privacy at the virtual machine level.

The basic idea is that each private session runs in a separate virtual machine. When the user finishes the private browsing session, the virtual machine is deleted. So what is the advantage of this idea?

It is that you get stronger privacy guarantees to offer the user, because the virtual machine has a fairly clean, narrow input/output interface. You can imagine combining these virtual machines with something like a secure swap solution, for example OpenBSD together with encryption of the data on disk.

So we have a very clear separation: the VM up here, and all the I/O that happens below it. That gives you stronger guarantees than you get from a browser that was not designed from the ground up to track every input/output path and every secret that might leak when that information lands in persistent storage.

So yes, it provides stronger guarantees. Besides that, it does not require any changes to the application, that is, to the browser. You take a browser, put it in one of these virtual machines, and everything magically gets better without any change to the application.

What is wrong with it (I will draw a sad face on the blackboard) is that it is heavyweight. By heavyweight I mean that when you want to start one of these private browsing sessions, you have to boot an entire virtual machine. That can be quite painful, because users will be annoyed that it takes so long to launch a private browsing session.

The other problem is that this solution is inconvenient. It is not that it is impossible for users to do things like move the files they saved in private browsing mode, or the bookmarks they created there, out to the host machine; all of that can be done. But it involves a lot of hassle, and users are lazy.
3r33434.  
The second approach is similar to the first, but we implement it inside the OS itself rather than in a virtual machine. The basic idea here is that each process can potentially be launched in a privacy domain. A privacy domain is a collection of the OS resources that the process uses, and the OS keeps track of all of them. As soon as the process dies, the OS looks at everything in the privacy domain and securely releases all of those resources for reuse.

The advantage of this approach over a VM is that it is more lightweight, because, if you think about it, a virtual machine is essentially agnostic to the state of the OS and the state of all the applications running inside it. So a VM does more work than the OS would, because the operating system presumably knows all the points at which a private browser touches I/O, talks to the network, and so on. The OS may even know how to selectively clear the DNS cache, for example.

So you can imagine that it is much easier to tear down these privacy domains. The disadvantage, at least compared to running a VM, is that it is much harder to get right. That is why I described the VM approach as the blunt instrument: the virtual machine is agnostic to everything that runs inside the OS container.

The nice thing about the VM approach is that it lets you focus on a few low-level interfaces. For example, the interface the virtual machine uses to write to disk can be trusted to capture everything, because everything goes through it. With the OS approach it is much more complicated, because you have to deal with individual interfaces, for example the file system interface, the network interface, and so on. If you do all this at the OS level, there are far more opportunities for data to leak.

So these are the two main approaches to strengthening the privacy guarantees of private browsing mode that can be implemented today.

You might ask: can we still reveal the user's identity if they use one of these stronger solutions, browsing with a virtual machine or with OS privacy domains? Can we deanonymize the user? The answer is yes, we can!

Deanonymization of the user is possible because the virtual machine is likely to be unique in some way. This is similar to how we were able to fingerprint the browser using the Panopticlick website. There is probably something unique about how a given virtual machine is configured that allows you to fingerprint it. It is also possible that the VM monitor or the OS itself is unique in some way. And that allows a network attacker to reveal the user's identity.
3r33434.  
A classic example is TCP fingerprinting. The idea is that the TCP specification actually leaves some parameters up to the implementation. For example, TCP lets implementers choose the initial window size sent in the first part of establishing a TCP connection, and it lets them choose things like the initial TTL of those packets.

So you can get off-the-shelf tools, such as nmap, which can tell with high probability which operating system you are running simply by sending you carefully crafted packets. They look at things like the TTL in the reply, the advertised window size, and the initial TCP sequence number, and they build a database of fingerprints. They say: "if the returned packet has this, this and this characteristic, then according to the table you are running Solaris, or you are on a Mac, or you are on Windows", or whatever. So even if you use one of these approaches to strengthening private browsing with a virtual machine or OS, an attacker can still launch one of these TCP fingerprinting attacks and learn a lot about a particular user.
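As an added example (not part of the lecture, and not code from nmap or any other real tool), here is a toy passive OS fingerprinter in Python that works from the same signals the lecturer lists: the observed TTL, the advertised window size, the Don't-Fragment bit and the order of TCP options in a SYN. Where nmap probes actively, this version only inspects SYNs it sees, in the spirit of p0f. The signature values are illustrative defaults I chose for the example, not a real signature database, and the three SYN observations are constructed inline.

```python
"""Toy passive TCP/IP stack fingerprinter (added example, not from the lecture).

Signature values are illustrative defaults chosen for this example; real tools
such as nmap or p0f maintain large, regularly updated signature databases.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SynObservation:
    ttl: int                  # IP TTL as seen by the observer (decremented per hop)
    window: int               # TCP window advertised in the SYN
    df: bool                  # IP Don't-Fragment flag
    options: Tuple[str, ...]  # TCP option kinds in the order they appear


# name -> (initial TTL, window, DF, option order). Illustrative values only.
SIGNATURES = {
    "Linux": (64, 29200, True, ("MSS", "SACK", "TS", "NOP", "WS")),
    "Windows": (128, 8192, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
    "OpenBSD": (64, 16384, True, ("MSS", "NOP", "NOP", "SACK", "NOP", "WS", "NOP", "NOP", "TS")),
}

COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl: int) -> int:
    """Stacks start from a handful of defaults; the smallest one >= observed is the likely origin."""
    for candidate in COMMON_INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def score(obs: SynObservation, signature) -> int:
    """Count how many signature fields the observation agrees with."""
    init_ttl, window, df, options = signature
    points = 0
    if guess_initial_ttl(obs.ttl) == init_ttl:
        points += 1
    if obs.window == window:
        points += 1
    if obs.df == df:
        points += 1
    if obs.options == options:
        points += 2  # option order is the most distinctive signal
    return points


def fingerprint(obs: SynObservation, min_score: int = 3):
    """Return (os_guess, score, estimated_hop_count); 'unknown' below min_score."""
    best_name, best_score = "unknown", 0
    for name, signature in SIGNATURES.items():
        s = score(obs, signature)
        if s > best_score:
            best_name, best_score = name, s
    if best_score < min_score:
        best_name = "unknown"
    hops = guess_initial_ttl(obs.ttl) - obs.ttl
    return best_name, best_score, hops


# Constructed observations: a Linux host 12 hops away, a Windows host with a
# non-default window (score drops but option order still identifies it), and a
# stack that matches nothing in the table.
LINUX_SYN = SynObservation(ttl=52, window=29200, df=True,
                           options=("MSS", "SACK", "TS", "NOP", "WS"))
WINDOWS_SYN = SynObservation(ttl=116, window=65535, df=True,
                             options=("MSS", "NOP", "WS", "NOP", "NOP", "SACK"))
ODD_SYN = SynObservation(ttl=240, window=5840, df=False, options=("MSS",))

if __name__ == "__main__":
    for label, obs in (("linux", LINUX_SYN), ("windows", WINDOWS_SYN), ("odd", ODD_SYN)):
        print(label, fingerprint(obs))
```

The point for the private-browsing discussion is that none of these fields is touched by the browser: they come from the guest kernel, so a VM or OS privacy domain still exposes them to every server the user connects to.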
3r33434.  
It is also interesting that even if the user is protected by one of these stronger mechanisms, the same human still sits behind both browsing modes, public and private; they are still physically using the same computer. This matters because you can leak your identity through the way you interact with the computer.

For example, it turns out that each user has a unique keystroke timing pattern. So if I gave all of you the task of typing the phrase "quick brown fox" or some other nonsense at the same time, observation would show that the keystroke timing for each of you is so distinctive that it can potentially be used for fingerprinting.

It is also interesting that users have unique writing styles. There is a research area called stylometry.

The idea behind stylometry is that an attacker can figure out who you are just by looking at samples of your writing. Imagine that for some reason you hang out on 4chan and I want to find out whether you really have been posting there. I can look at a bunch of different messages on 4chan and group them into sets of comments that look stylistically the same. Then I try to find public samples of your writing style, for example in the homework assignments you have submitted. After that I match the style of the 4chan comment sets against your homework, and if I find a match, I can write to your parents to explain to you the harm of hanging around on 4chan. That is why I wanted to draw your attention to stylometry. It is actually quite interesting.
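As an added example (not part of the lecture or of any published stylometry tool), here is a minimal version of the attribution step described above in Python: each text is reduced to per-100-word rates of function words and punctuation, features that are hard to disguise consciously, and the anonymous post is attributed to the known author whose feature vector is closest by cosine similarity. The feature list, the two "known author" samples and the anonymous post are all constructed for this example; real stylometry uses far richer features and much more text.

```python
"""Toy stylometric authorship attribution (added example, not from the lecture).

Each text becomes a vector of per-100-word rates of function words and
punctuation marks; an anonymous post is attributed to the known author whose
vector is closest in cosine similarity. All texts are constructed for the example.
"""
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

FUNCTION_WORDS = ["the", "and", "of", "to", "however", "therefore", "thus",
                  "just", "like", "really", "very", "which", "that"]
PUNCTUATION = [";", "!", ","]
WORD_RE = re.compile(r"[a-z']+")


def features(text: str) -> List[float]:
    """Rates per 100 tokens of each function word and punctuation mark."""
    words = WORD_RE.findall(text.lower())
    n = max(len(words), 1)
    counts = Counter(words)
    vec = [100.0 * counts[w] / n for w in FUNCTION_WORDS]
    vec += [100.0 * text.count(mark) / n for mark in PUNCTUATION]
    return vec


def cosine(a: List[float], b: List[float]) -> float:
    """Cosine similarity; 0.0 when either vector is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


def attribute(anonymous: str, known: Dict[str, str]) -> List[Tuple[str, float]]:
    """Rank known authors by similarity to the anonymous text, best first."""
    target = features(anonymous)
    ranked = [(author, cosine(target, features(sample))) for author, sample in known.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed samples: "alice" writes formal prose, "bob" writes chatty forum posts.
KNOWN_SAMPLES = {
    "alice": ("However, the proof is straightforward; therefore we omit it. Thus the lemma "
              "holds, which concludes the argument. However, one subtle case remains; "
              "therefore we treat it separately. Thus the theorem follows, which is the "
              "result we wanted."),
    "bob": ("I just really like this forum! It is like so cool and I just really want to "
            "post more. Really, just try it! I like it a lot and I am really just here for fun!"),
}
ANONYMOUS_POST = ("Therefore the claim is false; however, the construction is instructive. "
                  "Thus we proceed, which settles the matter.")

if __name__ == "__main__":
    for author, similarity in attribute(ANONYMOUS_POST, KNOWN_SAMPLES):
        print(f"{author}: {similarity:.3f}")
```

Note that nothing in this pipeline depends on the browser: the private window hides cookies and history, but the text the user types is the user's own fingerprint.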
3r33434.  
So we have discussed how you can use VMs or modified operating systems to support private browsing. You may wonder, then, why browsers do not require users to do one of these things, run a virtual machine or modify the OS. Why do browsers take on implementing all of this themselves?

The main reason is deployability. Browser vendors generally do not want to force their users to do anything special to use the browser beyond installing the browser itself. This is similar to the motivation behind Native Client: Google wants to bring these cool features to end-user machines, but does not want to force users to install a special version of Windows or Linux or anything else. So Google says, "we will take care of this ourselves."

Another reason is usability. Many of these private browsing solutions at the virtual machine and OS level, as we have already discussed, make it hard for users to keep things they obtained during a private browsing session: downloaded files, bookmarks, and the like.

Basically, browser vendors say that if they implement private browsing modes themselves, they can let users keep files downloaded in private mode and save them on the computer. At first that sounds good. But note that this approach lets users export a certain kind of private state, which opens up many security problems and makes it very difficult to reason about the security properties of the private browsing implementation.

That is why the authors of the paper try to characterize the different kinds of browser state that can be modified, and consider how current private browsing modes treat each of them.
3r33434.  
The paper classifies browser state changes into four types. The first type is state changes initiated by the site itself without any user interaction. Examples are receiving cookies, adding entries to the browser's history, and possibly updating the browser's cache. This state is kept for the duration of the private browsing session but destroyed when the session ends.

The assumption is that since the user did not interact with the browser while this state was created, the user probably does not want it to persist.

The second type of browser state change is also initiated by the website, but with some interaction from the user who visited the site. For example, the user installs a client certificate, or types a password to log in to the site, and the browser very helpfully asks: "Do you want to save this password?". If the user answers yes, then things like saved passwords can be used outside private browsing mode. So in principle it is not clear what the privacy policy should be here. In practice, browsers allow things created in private browsing mode to persist beyond it, assuming that the user will pick the right option for themselves by saying "yes" or "no." If the user is smart enough, they will not save the password for some dubious site, because someone else could use it later. So a loss of privacy here would be a user error rather than a browser error.

So it is not clear which policy is best, but in practice this type of state change is allowed to persist outside private browsing mode.

The third type of state change is entirely initiated by the user. These are things like saving bookmarks or downloading files. This state is similar to the previous type in that the user is directly involved in creating it. In this case, private browsing mode agrees that state changes of this type are kept for later use outside private browsing.

Finally, there are some kinds of state that are not tied to any particular session at all. For example, the update state of the browser itself, that is, changes to the files that make up the browser. Browser developers treat this as part of a global state shared by both public and private browsing.

In the end, if you look carefully, you will notice that there are quite a few ways data can leak out of private browsing mode, especially when the user interacts. You may wonder whether this is really the best trade-off between security and usability.

The paper says that it is hard to prevent a local attacker from determining whether you have been using private browsing. The paper is a bit vague about this. The point is that the very nature of the information that leaks can reveal which mode, private or public, it came from. For example, in Firefox and Chrome, when you create a bookmark, it has a bunch of metadata associated with it, such as the time the site was visited and so on. In many cases this metadata will be zero or close to some null value if the bookmark was created in private browsing mode. Whoever controls your computer later can look at your bookmark data. If they see that this metadata is zero, they will conclude that the bookmark was probably created in private browsing mode.
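As an added example (not part of the lecture or of any forensic product), here is the local-attacker check just described, written in Python against an in-memory SQLite database. Firefox stores bookmarks and history in places.sqlite, where a moz_bookmarks row points via fk at a moz_places row whose visit_count and last_visit_date are updated by public-mode visits but not by private-mode ones. The schema below is a simplified subset of the real tables, and every row is constructed for the example.

```python
"""Forensic heuristic: bookmarks likely created in private browsing mode (added example).

A bookmarked place with no recorded visits is a likely sign the bookmark was
created in private mode, since private-mode visits are not written to history.
The schema is a simplified subset of Firefox's places.sqlite; all rows are
constructed for this example, not taken from a real profile.
"""
import sqlite3
from typing import List

SCHEMA = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY,
    url TEXT NOT NULL,
    title TEXT,
    visit_count INTEGER NOT NULL DEFAULT 0,
    last_visit_date INTEGER            -- microseconds since epoch, NULL if never visited
);
CREATE TABLE moz_bookmarks (
    id INTEGER PRIMARY KEY,
    fk INTEGER,                        -- moz_places.id, NULL for folders and separators
    title TEXT,
    dateAdded INTEGER NOT NULL
);
"""

# Bookmarks whose place row has never been visited in public mode.
SUSPICIOUS_QUERY = """
SELECT p.url
FROM moz_bookmarks AS b
JOIN moz_places AS p ON p.id = b.fk
WHERE p.visit_count = 0 AND p.last_visit_date IS NULL
ORDER BY b.dateAdded
"""


def build_sample_db() -> sqlite3.Connection:
    """In-memory database with constructed rows (not a real profile)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_places (id, url, title, visit_count, last_visit_date) VALUES (?, ?, ?, ?, ?)",
        [
            (1, "https://example.com/docs", "Docs", 7, 1415000000000000),   # visited publicly
            (2, "https://example.org/private-page", "Private", 0, None),   # bookmarked in private mode
            (3, "https://example.net/news", "News", 1, 1415100000000000),
        ],
    )
    conn.executemany(
        "INSERT INTO moz_bookmarks (id, fk, title, dateAdded) VALUES (?, ?, ?, ?)",
        [
            (10, None, "Toolbar", 1414000000000000),   # a folder: no place row, must be ignored
            (11, 1, "Docs", 1415000100000000),
            (12, 2, "Private", 1415200000000000),
            (13, 3, "News", 1415300000000000),
        ],
    )
    conn.commit()
    return conn


def suspicious_bookmarks(conn: sqlite3.Connection) -> List[str]:
    """URLs of bookmarks whose place has no recorded visits."""
    return [row[0] for row in conn.execute(SUSPICIOUS_QUERY)]


if __name__ == "__main__":
    for url in suspicious_bookmarks(build_sample_db()):
        print("likely created in private mode:", url)
```

As the lecturer says, this only tells you "probably": a bookmark created by dragging a link without ever opening it looks the same, so the check is a heuristic, not proof.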
3r33434.  
When we talk about browser security, we think about what people can do with JavaScript, HTML or CSS, and what they can do with plug-ins or extensions. In the context of private browsing, plug-ins and extensions are quite interesting, because in most cases they are not constrained by things like the same-origin policy the way JavaScript is. These extensions and plug-ins typically run with very high privileges. Roughly speaking, you can think of them as kernel modules. They have the authority to implement new features directly inside the browser itself. That is somewhat problematic, since these plug-ins and extensions are often written by someone who is not the actual developer of the browser. Someone is trying to do something good and give your browser useful functionality by adding a plug-in or extension to it. But that third-party developer may not fully understand the security context in which the extension runs, so the extension may not implement the semantics of private browsing mode, or may implement them incorrectly.

In a couple of minutes I will show you what is really bad about this from a security point of view: once you add some of these new plug-ins or extensions, you can no longer correctly assess the resulting privacy. The good news is that plug-ins may soon go the way of the dinosaurs, that is, become extinct. You probably know that HTML5 adds all these new features, such as audio tags, video tags and the like. Many of these new features were designed so that people could stop using plug-ins like Java or Flash. In the past, when people wanted 2D or 3D graphics on a site, they had to use something like Java or Flash. Now they can use things like WebGL or canvas tags, so it is probably time for plug-ins to go.

For example, the IE development team has stated that they do not expect anyone to be using plug-ins in a couple of years, because things like HTML5 will cover those use cases. In fact, if you go to YouTube, I do not know whether you have noticed, but an HTML5 player is used to watch video clips; they have moved away from their standard plug-in-based player. So that is very interesting. You can already see sites trying to move into this new plug-in-free world. Extensions, however, are likely to be with us for the foreseeable future, so it is still important to get them right.
3r33434.  
The last thing I wanted to discuss: this paper was written four years ago, in 201?, so you might wonder what has changed in private browsing since then.

At the highest level, it is still quite difficult to implement private browsing mode correctly, for several reasons. First of all, browsers are constantly evolving, for example with HTML5.

The interface boundary that has to be made safe with respect to private browsing mode keeps expanding. Developers are more focused on adding new features than on guaranteeing browser privacy. So in practice it is still difficult to build a private browsing mode that prevents all potential data leaks.

For example, in January 201? a Firefox bug was fixed that involved pdf.js, the component that lets you view PDF files using a pure HTML5 interface. It turned out that this component allowed cookies obtained in public browsing mode to leak into private browsing mode.

Suppose you visit some website in public mode and download some PDF files, and as a result the site sets some cookies. Then you switch to private browsing mode and want to view another PDF file from the same site, and pdf.js actually sends the cookies that were obtained in public mode. In the lecture notes I have a link to the discussion of this particular bug. The fix was quite simple once they understood the problem: they just added a check of which mode the browser is in, and if it is private, those cookies must not be sent.
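As an added example (not Firefox or pdf.js code, and not from the lecture), here is a small Python model of the bug class just described and of the fix. The browser keeps a persistent cookie jar for public windows and a fresh, ephemeral jar per private session; a component that always consults the global jar, as modelled by leaky_request, sends public-mode cookies from a private window, while the fixed request picks the jar by the requesting window's browsing context. Host names and cookie values are constructed.

```python
"""Model of a public-to-private cookie leak and its fix (added example, not browser code).

A browser holds a persistent cookie jar for public windows and a fresh,
ephemeral jar for each private session. A component that always consults the
global jar (leaky_request) sends public-mode cookies from private windows; the
fixed version (request) picks the jar by the requesting window's context.
"""
from typing import Dict, Optional, Tuple


class CookieJar:
    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, str]] = {}   # host -> {name: value}

    def set(self, host: str, name: str, value: str) -> None:
        self._store.setdefault(host, {})[name] = value

    def header_for(self, host: str) -> str:
        """Value of the Cookie request header for host ('' if nothing to send)."""
        cookies = self._store.get(host, {})
        return "; ".join(f"{k}={v}" for k, v in sorted(cookies.items()))


class Browser:
    def __init__(self) -> None:
        self.public_jar = CookieJar()
        self.private_jar: Optional[CookieJar] = None

    def open_private_window(self) -> None:
        self.private_jar = CookieJar()      # starts empty: nothing from public mode

    def close_private_window(self) -> None:
        self.private_jar = None             # everything accumulated in private mode is dropped

    def jar_for(self, private: bool) -> CookieJar:
        if not private:
            return self.public_jar
        if self.private_jar is None:
            raise RuntimeError("no private session is open")
        return self.private_jar


def receive_set_cookie(browser: Browser, host: str, name: str, value: str, private: bool) -> None:
    """A Set-Cookie response lands in the jar of the window that made the request."""
    browser.jar_for(private).set(host, name, value)


def leaky_request(browser: Browser, host: str, private: bool) -> str:
    """The bug: the component ignores the window's context and uses the global jar.
    (The 'private' flag is accepted but never consulted; that is the defect.)"""
    return browser.public_jar.header_for(host)


def request(browser: Browser, host: str, private: bool) -> str:
    """The fix: consult the jar that belongs to the requesting window's context."""
    return browser.jar_for(private).header_for(host)


def demo() -> Tuple[str, str, str]:
    """Returns (header sent by the buggy path from a private window,
    header sent by the fixed path, public header after the private session)."""
    b = Browser()
    # Public-mode visit: the site sets a session cookie (constructed value).
    receive_set_cookie(b, "docs.example", "session", "abc123", private=False)
    b.open_private_window()
    leaked = leaky_request(b, "docs.example", private=True)
    isolated = request(b, "docs.example", private=True)
    # A cookie set during the private session must not survive it.
    receive_set_cookie(b, "docs.example", "tracker", "zzz", private=True)
    b.close_private_window()
    after = request(b, "docs.example", private=False)
    return leaked, isolated, after


if __name__ == "__main__":
    print(demo())
```

The design point is that the decision has to be made at the one place where requests leave the browser, keyed on the requesting context; any component that reaches for a global store on its own, as pdf.js did, reintroduces the leak.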
3r33434.  
So the fix is pretty simple. But the problem, I repeat, was that people added this cool new component, and it did not occur to them to do a full, exhaustive audit of how it works to find every aspect of private browsing it might affect.

There is another interesting point that we discussed half an hour ago: what happens if you have private and public tabs open at the same time, or one shortly after the other.

There is a Firefox bug that has been open since 2011. It goes as follows. You enter private browsing mode, do some things there, close that tab, and then open a new tab in public mode and go to about:memory. As you probably know, about: URLs are pseudo-URLs that the browser handles internally to show information about its own operation. So you go to the private tab, close it, and then go to about:memory. This page reports on all the objects allocated in Firefox. Normally the window objects get released and reclaimed by Firefox's garbage collector. But it turns out that when you open the new public-mode tab, about:memory still contains information about what was in the private-mode tab's window.

For example, you can find there the URL, along with how much memory was allocated for all of these things, all in plain text. This is an example of how these very sensitive browser interfaces can contribute to information leakage. So it is very interesting.

If you look at the Bugzilla discussion, it is very instructive to see how these problems get handled in real life. I have included a link to that discussion. It is mentioned there that this bug lost priority when it became clear that fixing it was a much harder problem than originally thought. There is a fairly long discussion of how to fix it, which included changing how garbage collection is triggered in the browser. But that is quite difficult to do in practice, because running garbage collection frequently hurts performance. So they said: "the problem has been deprioritized since it became clear that its solution is harder than expected." In response, a developer said: "It is sad to hear that, because it can seriously affect session saving for private windows."

So the developers, as with the session store (the browser's session-saving feature), ran into a lot of problems deleting things that belong to closed private browsing windows. But fundamentally the reason this bug still exists is that data remains in the browser's memory.

In short, it is still quite difficult to get private browsing mode right. There are computer forensics tools you can download to find evidence of public and private browsing. So if you are an attacker, you do not even need to write your own tools.

For example, there is the Magnet Forensics Internet Evidence Finder, which you can simply use. It does things like scanning the page file for RAM artifacts and gives you a nice graphical interface listing the images found, URLs, and the like. So in practice these private browsing modes still leak some information.

So in the next lecture we will talk about Tor.
3r33434.  
The full course is available here.