Every single week brings the discovery of new security bugs in major web browsers. This seemingly endless cycle poses a constant threat to user security and privacy, as criminals and even governments pay serious money for browser exploits. But what lies at the origin of these bugs? In this talk, we delve into the root causes and distil the most important insights from the perspectives of both attackers and defenders.

In search of these root causes, we performed the first extensive lifecycle analysis of 75 bugs affecting the Content Security Policy (CSP), a cornerstone policy of the Web. To facilitate this, we developed the automated bisection tool "BugHog", which is shared under an open-source license to fellow security researchers. Leveraging this tool, we pinpointed the introducing and fixing source code revisions for each bug, unveiling several shortcomings in the bug prevention and bug handling practices of browser vendors.

For instance, we found that the implementation of policy inheritance between browsing contexts is not only more prone to enable bypasses, but is likely to affect multiple CSP directives as well. Furthermore, we identified instances where bug report mishandling led to public disclosure before an effective fix was landed, or where bugs could have been reduced in lifespan or even completely avoided if inter-vendor vulnerability sharing practices were more rigorous. Surprisingly, we even discovered four disclosed security bugs that were still affecting current major release versions of Firefox and Safari at the time of the evaluation.

By:
Gertjan Franken | Researcher, DistriNet, KU Leuven
Tom Van Goethem | PhD researcher, DistriNet, KU Leuven

Full Abstract:
[ Ссылка ]

свернуть