The Project Zero team at Google has created a new tool for testing browser DOM engines and has unleashed it on today's top five browsers, finding most bugs in Apple's Safari.
The tool — named Domato — is a fuzzer, a security testing toolkit that feeds a software application with random data and analyzes the output for abnormalities.
Google engineer Ivan Fratric created Domato with the goal of fuzzing DOM engines, the browser components that read HTML code and organize it into the DOM (Document Object Model), which is then "painted" and displayed inside the browser window that human users view on their screens.
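A DOM fuzzer like Domato does not feed the browser random bytes: it expands a grammar of HTML and DOM operations so every test case parses and the engine itself is exercised. The toy generator below is an added illustration of that generation-based approach, not Domato's code; the grammar, element ids and statements in it are constructed here.

```python
import random
import re

# Constructed toy grammar. Each key is a nonterminal; each alternative is a
# template whose {NAME} placeholders are expanded recursively. Generating from
# a grammar keeps every case parseable, so the DOM engine's layout and
# mutation paths, not the parser's error handling, are what gets tested.
GRAMMAR = {
    "HTML": ["<!DOCTYPE html><html><body>{ELEMENTS}<script>\n{JS}\n</script></body></html>"],
    "ELEMENTS": ["{ELEMENT}", "{ELEMENT}{ELEMENTS}"],
    "ELEMENT": [
        '<div id="{ID}">{ELEMENTS}</div>',
        '<span id="{ID}">text</span>',
        '<table id="{ID}"><tr><td>{ELEMENTS}</td></tr></table>',
    ],
    "JS": ["{STMT}", "{STMT}\n{JS}"],
    "STMT": [
        'var a=document.getElementById("{ID}"); if (a) a.remove();',
        'var a=document.getElementById("{ID}"), b=document.getElementById("{ID}"); if (a&&b) a.appendChild(b);',
        'var a=document.getElementById("{ID}"); if (a) a.style.display="{DISPLAY}";',
        "document.body.offsetHeight;  // force a layout pass between mutations",
    ],
    "ID": ["e0", "e1", "e2", "e3"],
    "DISPLAY": ["none", "block", "table-cell", "inline"],
}
NONTERM = re.compile(r"\{([A-Z]+)\}")

def expand(symbol, rng, depth=0, max_depth=6):
    """Expand one nonterminal. Beyond max_depth only the alternative with the
    fewest placeholders is allowed, which forces the recursion to terminate."""
    alts = GRAMMAR[symbol]
    if depth >= max_depth:
        alts = [min(alts, key=lambda a: len(NONTERM.findall(a)))]
    template = rng.choice(alts)
    return NONTERM.sub(lambda m: expand(m.group(1), rng, depth + 1, max_depth), template)

def generate(seed, max_depth=6):
    """Return one reproducible test case. A fuzzing harness records the seed,
    so a case that crashes the engine can be regenerated and minimised."""
    return expand("HTML", random.Random(seed), 0, max_depth)

def balanced(html, tag):
    """Sanity check that the generator emits well-nested markup for `tag`."""
    return html.count("<" + tag) == html.count("</" + tag + ">")

if __name__ == "__main__":
    print(generate(1))
```

Each generated document is loaded in the browser under test and the harness watches for crashes or sanitizer reports; the seed is all that needs to be kept to reproduce a failing case.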
Google: DOM engine bugs should be a priority
Fratric says he focused on DOM engines because it's "a rare case that a vendor will publish a security update that doesn’t contain fixes for at least several DOM engine bugs," showing how prevalent they are today.
He also argues that while Flash bugs provide a cross-browser attack surface, once Flash reaches end-of-life (in 2020), attackers will focus their efforts on DOM engines, the browser's biggest attack surface.
With Domato he wants to help browser vendors test and patch as many security bugs as possible in their respective DOM engines before it is too late.
Google test finds 17 security bugs in Safari's DOM engine
To prove Domato's capabilities, Fratric took today's top five browsers — Chrome, Firefox, Internet Explorer, Edge, and Safari — and subjected them to 100 million fuzz tests with Domato.
Results showed that Safari had by far the worst DOM engine, with 17 new bugs discovered after Fratric's test. Second was Edge with 6, then IE and Firefox with 4, and last was Chrome with only 2 new issues.
Non-security bugs were ignored, and Fratric also pointed out that had Microsoft not added MemGC (a use-after-free exploit mitigation) to IE and Edge, those browsers would have fared much worse.
Vendor | Browser | Engine | Number of Bugs | Project Zero Bug IDs
--- | --- | --- | --- | ---
Google | Chrome | Blink | 2 | 994, 1024
Mozilla | Firefox | Gecko | 4* | 1130, 1155, 1160, 1185
Microsoft | Internet Explorer | Trident | 4 | 1011, 1076, 1118, 1233
Microsoft | Edge | EdgeHtml | 6 | 1011, 1254, 1255, 1264, 1301, 1309
Apple | Safari | WebKit | 17 | 999, 1038, 1044, 1080, 1082, 1087, 1090, 1097, 1105, 1114, 1241, 1242, 1243, 1244, 1246, 1249, 1250
Total | | | 31** | 
Google said it contacted each browser vendor and reported the newly found bugs, and also provided copies of the Domato engine so each vendor can perform more extensive tests.
Fratric has also open-sourced the Domato source code on GitHub and hopes that others adapt it to work on other applications, not just browser DOM engines.
Domato is just the latest fuzzing tool released by Google engineers, who appear to be in love with this technique when it comes to discovering security bugs. Previous tools include OSS-Fuzz and syzkaller.
Image credits: Julynn B., Apple, Bleeping Computer
Comments
Occasional - 6 years ago
Thanks for including the "MemGC (use-after-free exploit mitigation)" link, as it provides a good deal of topic background. That link also includes a MemGC link, with even more on MS browser defense strategy information.
Speaking of strategies: from the linked MS article "Make it difficult and costly to find, exploit, and leverage software vulnerabilities" - did open-sourcing Domato just make it easier and cheaper? Bit like publishing a zero-day? Old dilemma; and even Microsoft is offering bounties for finding vulnerabilities.
Would be interesting to see Domato test runs done on earlier browser builds. Browser development is dynamic, and the changes are not linear. Not only might browsers leapfrog each other in DOM security, with new releases; but lots of folks still run older versions (especially where the vendor has dead-ended support for an OS).
Steve Holle - 6 years ago
It wouldn't surprise me to find that Microsoft is depending on "difficult and costly" as a defense strategy rather than finding and fixing vulnerabilities. How can they even know if vulnerabilities have already been exploited?
"Security by Obscurity" doesn't work.
Occasional - 6 years ago
"'Security by Obscurity' doesn't work" - as a comprehensive defense: you're right, it doesn't (but to be fair, MS is not "depending" on it).
Attackers have widely varied skillsets, resources, risk vs. reward and ROI expectations. Article says a team at Google created the tool (pretty much top tier as far as skillsets and resources). Open-source the code, and you save others that R&D cost. Now, millions of wannabes can go online and add this tool to their no cost, no-skills-required, Hack in the Box toolkit.
To make the deal sweeter: "...open-sourced the Domato source code on GitHub and hopes that others adapt it to work on other applications, not just browser DOM engines." Which is good news for the mid-tier of the attacker spectrum: ones not rich or skilled enough to create the tool, but are capable of adapting it.
Couldn't the Project Zero team have gotten the good without the bad, by just passing along the code to legit vendors and cyber security companies, on request? It would leak out after a while, anyway - but that lead time could have meant fewer Zero Days.
Macka_ - 6 years ago
I think your footnotes (*, **) are mixed up
Occasional - 6 years ago
Good catch. Don't know if the table is CC's or Project Zero's. Amazing how many errors you can find, in IT books, whitepapers and articles (often in the code examples). Probably the pressure to get them out before they're outdated or on the down side of the hype cycle.
What's scary is how often it happens with production code. Readers can be understanding; compilers never are.