Analysis of Web Browser Security Configuration Options

  • Jillepalli, Ananth A. (Center for Secure and Dependable Systems, University of Idaho)
  • de Leon, Daniel Conte (Center for Secure and Dependable Systems, University of Idaho)
  • Steiner, Stuart (Center for Secure and Dependable Systems, University of Idaho)
  • Alves-Foss, Jim (Center for Secure and Dependable Systems, University of Idaho)
  • Received : 2018.03.21
  • Accepted : 2018.07.08
  • Published : 2018.12.31

Abstract

For ease of use and access, web browsers are now being used to access and modify sensitive data and systems, including critical control systems. Due to their computational capabilities and network connectivity, browsers are vulnerable to several types of attacks, even when fully updated. Browsers are also the main target of phishing attacks. Many browser attacks, including phishing, could be prevented or mitigated by using site-, user-, and device-specific security configurations. However, we discovered that all major browsers expose disparate security configuration procedures, option names, values, and semantics. This results in an extremely hard-to-secure web browsing ecosystem. We analyzed more than 1000 browser security configuration options in three major browsers and found that only 13 configuration options had both syntactic and semantic similarity, while 4 configuration options had semantic similarity but not syntactic similarity. We: a) describe the results of our in-depth analysis of browser security configuration options; b) demonstrate the complexity of policy-based configuration of web browsers; c) describe a knowledge-based solution that would enable organizations to implement highly granular, policy-level secure configurations for their information and operational technology browsing infrastructures at the enterprise scale; and d) argue for the necessity of developing a common language and semantics for web browser configurations.

Cited by

  1. STRIDE and HARM Based Cloud Network Vulnerability Detection Scheme vol.29, pp.3, 2018, https://doi.org/10.13089/jkiisc.2019.29.3.599