ABSTRACT
Performing detailed forensic analysis of real-world web security incidents targeting users, such as social engineering and phishing attacks, is a notoriously challenging and time-consuming task. To reconstruct web-based attacks, forensic analysts typically rely on browser cache files and system logs. However, cache files and logs provide only sparse information, often lacking adequate detail to reconstruct a precise view of the incident. To address this problem, we need an always-on and lightweight (i.e., low-overhead) forensic data collection system that can be easily integrated with a variety of popular browsers, and that records enough detailed information to enable a full reconstruction of web security incidents, including phishing attacks.
To this end, we propose WebCapsule, a novel record and replay forensic engine for web browsers. WebCapsule functions as an always-on system that aims to record all non-deterministic inputs to the core web rendering engine embedded in popular browsers, including all user interactions with the rendered web content, web traffic, and non-deterministic signals and events received from the runtime environment. At the same time, WebCapsule aims to be lightweight and introduce low overhead. In addition, given a previously recorded trace, WebCapsule allows a forensic analyst to fully replay and analyze past web browsing sessions in a controlled isolated environment.
We design WebCapsule to also be portable, so that it can be integrated with minimal or no changes into a variety of popular web-rendering applications and platforms. To achieve this goal, we build WebCapsule as a self-contained instrumented version of Google's Blink rendering engine and its tightly coupled V8 JavaScript engine.
We evaluate WebCapsule on numerous real-world phishing attack instances, and demonstrate that such attacks can be recorded and fully replayed. In addition, we show that WebCapsule can record complex browsing sessions on popular websites and different platforms (e.g., Linux and Android) while imposing reasonable overhead, thus making always-on recording practical.
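The record-and-replay principle the abstract describes, reduced to an added illustration that is not WebCapsule's code: every non-deterministic input a page script consumes (clock reads, randomness, network responses) is logged during recording and served back from the trace during replay, so the script reproduces the same behaviour in an isolated environment with no network access. The `pageScript` and the synchronous `liveFetch` stand-in are constructed for the example.

```javascript
// Added example, not WebCapsule's code: a minimal record/replay harness for the
// non-deterministic inputs a page script consumes (clock, randomness, network).
// Recording logs each value as it is produced; replay serves the same values from
// the trace, so the script behaves identically without touching the live network.
class NondeterminismTrace {
  constructor(mode, trace = []) {
    this.mode = mode;     // "record" or "replay"
    this.trace = trace;   // ordered log of {kind, label, value}
    this.pos = 0;         // replay cursor into the trace
  }
  capture(kind, label, produce) {
    if (this.mode === "record") {
      const value = produce();
      this.trace.push({ kind, label, value });
      return value;
    }
    const entry = this.trace[this.pos++];
    // A replay that asks for a different input than was recorded has diverged.
    if (!entry || entry.kind !== kind || entry.label !== label) {
      throw new Error(`trace divergence at entry ${this.pos - 1}: expected ${kind}(${label})`);
    }
    return entry.value;
  }
  now()    { return this.capture("now", "", () => Date.now()); }
  random() { return this.capture("random", "", () => Math.random()); }
  fetchText(url, liveFetch) { return this.capture("fetch", url, () => liveFetch(url)); }
}

// Constructed page script standing in for a phishing landing page: which variant
// it shows depends on the clock, on Math.random and on a server response.
function pageScript(env, liveFetch) {
  const start = env.now();
  const body = env.fetchText("https://example.test/landing", liveFetch);
  const variant = env.random() < 0.5 ? "login-form" : "fake-captcha";
  const renderedAt = env.now();
  return { variant, body, elapsedMs: renderedAt - start };
}

function recordSession(liveFetch) {
  const env = new NondeterminismTrace("record");
  return { result: pageScript(env, liveFetch), trace: env.trace };
}

function replaySession(trace) {
  const env = new NondeterminismTrace("replay", trace);
  // Replay must never reach the network: every response comes from the trace.
  return pageScript(env, () => { throw new Error("network access during replay"); });
}
```

In a real browser the same wrapping would have to cover every non-deterministic source the rendering and JavaScript engines expose (timers, event ordering, input events), which is what makes always-on recording hard.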
WebCapsule: Towards a Lightweight Forensic Engine for Web Browsers