Enabling Reconstruction of Attacks on Users via Efficient Browsing Snapshots
Abstract
In this talk, I present ChromePic, a web browser
equipped with a novel forensic engine that aims to greatly enhance
the browser’s logging capabilities. ChromePic’s main goal is to
enable a fine-grained post-mortem reconstruction and trace-back
of web attacks without incurring the high overhead of record-and-replay
systems. In particular, we aim to enable the reconstruction
of attacks that target users and have a significant visual component,
such as social engineering and phishing attacks. To this end,
ChromePic records a detailed snapshot of the state of a web
page, including a screenshot of how the page is rendered and a
“deep” DOM snapshot, at every significant interaction between
the user and the page. If an attack is later suspected, these fine-grained
logs can be used to reconstruct the attack and trace back
the sequence of steps the user followed to reach the attack page.
We developed ChromePic by implementing several careful
modifications and optimizations to the Chromium code base, to
minimize overhead and make always-on logging practical. ChromePic can successfully capture and
aid the reconstruction of attacks on users. Our evaluation includes
the analysis of an in-the-wild social engineering download attack
on Android, a phishing attack, and two different clickjacking
attacks, as well as a user study aimed at accurately measuring the
overhead introduced by our forensic engine. The experimental results
show that browsing snapshots can be logged very efficiently,
making the logging events practically unnoticeable to users.