计算机应用 ›› 2018, Vol. 38 ›› Issue (3): 693-698.DOI: 10.11772/j.issn.1001-9081.2017082139

• 网络空间安全 • 上一篇    下一篇

浏览器缓存污染防御策略

戴成瑞, 陈伟   

  1. 南京邮电大学 计算机学院, 南京 210023
  • 收稿日期:2017-09-05 修回日期:2017-11-06 出版日期:2018-03-10 发布日期:2018-03-07
  • 通讯作者: 陈伟
  • 作者简介:戴成瑞(1993-),男,江苏南京人,硕士研究生,主要研究方向:网络安全、操作系统安全;陈伟(1979-),男,江苏淮安人,教授,博士,主要研究方向:网络安全、隐私保护。
  • 基金资助:
    国家自然科学基金资助项目(61602258)。

Defense strategy against browser cache pollution

DAI Chengrui, CHEN Wei   

  1. College of Computer Science and Technology, Nanjing University of Posts and Telecommunications, Nanjing Jiangsu 210023, China
  • Received:2017-09-05 Revised:2017-11-06 Online:2018-03-10 Published:2018-03-07
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61602258).

摘要: 浏览器缓存主要用于提高用户对网络资源的请求速度,然而攻击者可以通过中间人攻击等方式实施缓存污染攻击。传统的缓存污染防御策略无法全面覆盖各种攻击方式,为此提出一种可调控的浏览器缓存污染防御策略。这种策略部署于用户与服务器之间,对用户所请求的缓存资源进行随机数判断、请求相应延时判断、资源代表性判断、哈希验证和众包策略,可以有效防御浏览器缓存污染问题。实验选取200个JavaScript资源文件作为实验样本,利用中间人攻击的方式污染其中100个样本,在访问这些资源的同时启用防御脚本,分析污染样本的检测率和正常样本的误判率。实验结果表明,在松弛条件下,污染样本的命中率达到87%,正常样本误判率为0%;而在严格条件下,污染样本的命中率达到95%,正常样本误判率为4%。同时所有实验样本的请求响应时间差分别为5277ms和6013ms,均小于全部重新加载资源的时间差,在防御了绝大部分的受污染资源的同时还缩短了用户访问的时间。该策略简化了缓存污染攻击防御的流程并可以通过不同的参数在用户体验性和安全性中取得平衡。

关键词: Web安全, 缓存污染防御策略, 中间人攻击, 用户行为, 用户体验

Abstract: Browser cache is mainly used to speed up the user's request for network resources, however, an attacker can implement cache pollution attack via man-in-the-middle attacks. The general defense strategies against browser cache pollution cannot cover different types of network attack, therefore, a controllable browser cache pollution defense strategy was proposed. The proposed strategy was deployed between the client and the server. The strategy includes random number judgement, request-response delay judgement, resource representation judgement, hash verification and crowdsourcing strategy, by which the browser cache pollution problems were effectively defended. 200 JavaScript resource files were selected as experiment samples and 100 of them were polluted via man-in-the-middle attack. By accessing these resources, defense scripts were enabled to analyze the detection rate of contaminated samples and the false positive rate of normal samples. The experimental results show that under the loose conditions, the hit rate of contaminated samples reaches 87% and false positive rate of normal samples is 0%; while under the strict conditions, the hit rate of contaminated sample reaches 95% and false positive rate of normal samples is 4%. At the same time, the request response time difference of all experimental samples is 5277ms and 6013ms respectively, which are both less than the time difference of reloading all the resources. The proposed strategy defends most of the polluted resources and shortens the time of user access. The strategy simplifies the process of cache pollution prevention, and also makes tradeoff between the security and usability with different parameters to satisfy different users.

Key words: Web security, cache pollution defense strategy, man-in-the-middle attack, user behavior, user experience

中图分类号: