A Framework for Secure Web Browsing, Using Trusted Platform Module (TPM)

Source
Journal of Information Systems Security
Volume 17, Number 3 (2021)
Pages 163–187
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Authors
Harshad S. Wadkar — MKSSS’s Cummins College of Engineering for Women, India
Arun Mishra — Defence Institute of Advanced Technology, India
Publisher
Information Institute Publishing, Washington DC, USA

Abstract

The web browser is one of the most used applications for accessing the internet, available on desktops, laptops, and hand-held devices. These browsers have opened many avenues for a web attacker (hacker) to steal a user’s data, both stored on the user’s machine and in transit (from the web browser to the web server). Cross-site scripting, insecure data transfer, and information disclosure are the most frequently reported browser-based attacks. Security misconfiguration of the browser is one of the main contributors to browser-based attacks such as information leakage, sharing of data with third parties, and insecure data transfer. There is a need to reduce or minimize browser-based attacks by designing a framework for secure web browsing. The paper proposes a framework containing three modules. The first module assesses the browser configuration using a machine learning algorithm. Once the browser is configured for secure browsing, the second module controls access to the browser configuration files so that no malicious process can tamper with them; this module is built on the Trusted Platform Module (TPM). A compromised operating system gives the attacker complete access to all the data of an application (the browser), regardless of how well the application is built and secured. To give the user trust in his (her) web browsing activity, the host operating system configuration must also be hardened. To address this aspect, a finite state machine model is proposed to assess the operating system configuration; this assessment helps the user modify the operating system parameter composition. Our experiments showed that Firefox with a secure configuration provides better security and reasonable page load performance compared to Chrome, Edge, and Firefox with default configurations. The paper thus proposes a novel approach for configuring the browser for secure browsing and for maintaining and controlling the environment in a secure state.

Keywords

Browser security, Security misconfiguration, Trusted system.
