WebShield: Enabling Various Web Defense Techniques without Client Side Modifications

Zhichun Li, Tang Yi, Yinzhi Cao, Vaibhav Rastogi, Yan Chen, Bin Liu, Clint Sbisa

Research output: Contribution to conference › Paper › peer-review

17 Scopus citations

Abstract

Today, web attacks are increasing in frequency, severity and sophistication. Existing solutions are either host-based, which suffer from deployment problems, or middlebox approaches that can only accommodate certain security protection mechanisms with limited protection. In this paper, we propose four design principles for general middlebox frameworks of web protection, and apply these principles to design WebShield, which can enable various host-based security mechanisms. In particular, we run all the JavaScript from remote web servers only at shadow browser instances inside the middlebox, and only run our trusted JavaScript rendering agent at client browsers. The trusted rendering agent turns browsers into a thin web terminal by reconstructing the encoded DOM of a webpage. We implement a prototype of WebShield. Evaluation demonstrates that a general JavaScript rendering agent can render webpages precisely and be just slightly slower than direct access. We further demonstrate that our design can work well with interactive web applications such as JavaScript games. WebShield can detect attacks deeply embedded in dynamic HTML pages including the ones in complex Web 2.0 applications, and can also detect both known and unknown vulnerabilities. We further show that WebShield is scalable for deployment.

Original language: English (US)
State: Published - 2011
Event: 18th Symposium on Network and Distributed System Security, NDSS 2011 - San Diego, United States
Duration: Feb 6 2011 → Feb 9 2011

Conference

Conference: 18th Symposium on Network and Distributed System Security, NDSS 2011
Country/Territory: United States
City: San Diego
Period: 2/6/11 → 2/9/11

Funding

We would like to thank Shamiq Islam for his contribution in the early stage of this project. This work was supported by US NSF CNS-0831508, China NSFC (60625201, 60873250, 61073171), China 973 project (2007CB310701), and Tsinghua University Initiative Scientific Research Program. Opinions, findings, and conclusions are those of the authors and do not necessarily reflect the views of the funding sources.

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Control and Systems Engineering
  • Safety, Risk, Reliability and Quality
