Site isolation

Last updated March 10, 2024

Site isolation is a feature in certain web browsers that allow cross-origin sites to be isolated from each other. The feature was originally proposed by Charles Reis and others, with subsequent iterations from Microsoft, in the form of their implementation of the feature in the Gazelle research browser. However, the feature failed to gain traction due to issues surrounding its implementation and performance concerns.

In 2018, following the disclosure of the Spectre and Meltdown vulnerabilities to the public, Google started work on adding site isolation in Chrome eventually culminating in a 2019 release of the feature. In 2021, Firefox also launched their own version of site isolation which they had been working on under the codename Project Fission.

Despite the security benefits of this feature, researchers have also found security issues surrounding various aspects of this feature. These include issues with the perceived protection against transient attacks such as Spectre and Meltdown, as well as new timing and resource exhaustion attacks enabled by this feature.

Background

Until 2017, the predominant security architecture of major browsers adhered to the process-per-browsing-instance model. This entailed the browser comprising distinct sandboxed processes, including the browser process, GPU process, networking process, and rendering process. The rendering process would engage with other privileged services when necessary to execute elevated actions when viewing a web page.^[1]^[2]

Although this model successfully prevented problems associated with malicious JavaScript gaining access to the operating system, it lacked the capability to isolate websites from each other adequately.^[3] Despite these concerns, the adoption of a more robust model faced limited traction due to perceived issues with newer models, particularly those related to performance and memory.^[4]^[5]

In 2017, the disclosure of Spectre and Meltdown exploits, however, altered this landscape. Previously accessing arbitrary memory was complicated requiring a compromised renderer. However with Spectre, attacks were developed that abused Javascript features to read almost all memory in the rendering process, including memory storing potentially sensitive information from previously rendered cross-origin pages.^[6]^[7] This exposed the issues of the process-per-instance security model. Consequently, a new security architecture that allowed the separation of the rendering of different web pages into entirely isolated processes was required.^[8]^[7]

History

In 2009, Reis et al. proposed the first version of the process-per-site model to isolate web pages based on the page's web origin.^[9] This was improved upon in 2009 by the Gazelle research browser, which separated specific document frames based on their web principal, a security barrier that corresponded with the specific document that was being loaded.^[10]^[11] Around the same time, work was also being done on the OP (which would later become the OP2 browser), IBOS, Tahoma and the SubOS browsers all of which proposed different paradigms to solve the issue of process separation amongst sites.^[12]^[13]

Modern implementation

In 2019, Reis, et al of the Google Chrome project presented a paper at USENIX Security ^[14] that detailed changes to their existing browser security model in response to the recent research proving that the Spectre attack could be used inside the rendering process of the browser.^[15]^[16] The paper proposed changes to the model that borrowed from Reis et al.'s work in 2009.^[17] Chrome's implementation of site isolation would use web origins as a primary differentiator of a 'site' at a process level.^[18]^[19] Additionally, the Chrome team also implemented the idea of website frames being executed out of process, a feature that had been suggested by the authors of the Gazelle web browser, as well as the OP and OP2 web browsers.^[12] This required a significant re-engineering of Chrome's process handling code, involving to more than 4000 commits from 320 contributors over a period of 5 years.^[20]

Chrome's implementation of site isolation allowed it to eliminate multiple universal cross-site scripting (uXSS) attacks.^[21] uXSS attacks allow attackers to compromise the same-origin policy, granting unrestricted access to inject and load attacker controlled javascript on other website.^[22] The Chrome team found that all 94 uXSS attacks reported between 2014 and 2018 would be rendered ineffective by the deployment of site isolation.^[23] In addition to this, the Chrome team also claimed that their implementation of site isolation would be effective at preventing variations of the Spectre and Meltdown group of timing attacks that relied on the victim address space being on the same process as the attacker process.^[16]

In March 2021, the Firefox development team announced that they would also roll out their implementation of site isolation. This feature had been in development for multiple months under the codename Project Fission.^[24] Firefox's implementation fixed a few of the flaws that had been found in Chrome's implementation namely the fact that similar web pages were still vulnerable to uXSS attacks.^[25]^[26] The project also required a rewrite of the process handling code in Firefox.^[27]

Reception

Before 2019, site isolation had only been implemented by research browsers. Site isolation was considered to be resource intensive^[5] due to an increase in the amount of memory space taken up by the processes.^[28] This performance overhead was reflected in real world implementations as well.^[29] Chrome's implementation of site isolation on average took one to two cores more than the same without site isolation.^[5] Additionally, engineers working on the site isolation project observed a 10 to 13 percent increase in memory usage when site isolation was used.^[30]^[31]

Chrome was the industry's first major web browser to adopt site isolation as a defense against uXSS and transient execution attacks.^[32] To do this, they overcame multiple performance and compatibility hurdles, and in doing so, they kickstarted an industry-wide effort to improve browser security. However, despite this, certain aspects of Spectre's defenses have been found lacking.^[6] In particular, site isolation's ability to defend against timing attacks has been found to be incomplete.^[33] In 2021, Agarwal et al. were able to develop an exploit called Spook.js that was able to break Chrome's Spectre defenses and exfiltrate data across web page in different origins.^[34] In the same year, researchers at Microsoft, were able to leverage site isolation to perform a variety of timing attacks that allowed them to leak cross-origin information by careful manipulation of the inter-process communication protocols employed by site isolation.^[35]

In 2023, researchers at Ruhr University Bochum showed that they were able to leverage the process architecture required by site isolation to exhaust system resources and also perform advanced attacks like DNS poisoning.^[36]

Related Research Articles

JavaScript, often abbreviated as JS, is a programming language and core technology of the World Wide Web, alongside HTML and CSS. As of 2024, 98.8% of websites use JavaScript on the client side for webpage behavior, often incorporating third-party libraries. All major web browsers have a dedicated JavaScript engine to execute the code on users' devices.

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and anticipated web standards. Firefox is available for Windows 10 or later versions, macOS, and Linux. Its unofficial ports are available for various Unix and Unix-like operating systems, including FreeBSD, OpenBSD, NetBSD, illumos, and Solaris Unix. It is also available for Android and iOS. However, as with all other iOS web browsers, the iOS version uses the WebKit layout engine instead of Gecko due to platform requirements. An optimized version is also available on the Amazon Fire TV as one of the two main browsers available with Amazon's Silk Browser.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

NoScript is a free and open-source extension for Firefox- and Chromium-based web browsers, written and maintained by Giorgio Maone, a software developer and member of the Mozilla Security Group.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

A device fingerprint or machine fingerprint is information collected about the software and hardware of a remote computing device for the purpose of identification. The information is usually assimilated into a brief identifier using a fingerprinting algorithm. A browser fingerprint is information collected specifically by interaction with the web browser of the device.

Google Chrome is a web browser developed by Google. It was first released in 2008 for Microsoft Windows, built with free software components from Apple WebKit and Mozilla Firefox. Versions were later released for Linux, macOS, iOS, and also for Android, where it is the default browser. The browser is also the main component of ChromeOS, where it serves as the platform for web applications.

Private browsing, also known as incognito mode or private mode, is a feature available in web browsers that allows users to browse the internet without leaving any traces of their online activity on their device. In this mode, the browser initiates a temporary session separate from its main session and user data. The browsing history is not recorded, and local data related to the session, like Cookies and Web cache, are deleted once the session ends. The primary purpose of these modes is to ensure that data and history from a specific browsing session do not remain on the device or get accessed by another user of the same device.

<span class="mw-page-title-main">Clickjacking</span> Malicious technique of tricking a Web user

Clickjacking is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.

Web tracking is the practice by which operators of websites and third parties collect, store and share information about visitors’ activities on the World Wide Web. Analysis of a user's behaviour may be used to provide content that enables the operator to infer their preferences and may be of interest to various parties, such as advertisers. Web tracking can be part of visitor management.

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context. It is a Candidate Recommendation of the W3C working group on Web Application Security, widely supported by modern web browsers. CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

Firefox was created by Dave Hyatt and Blake Ross as an experimental branch of the Mozilla browser, first released as Firefox 1.0 on November 9, 2004. Starting with version 5.0, a rapid release cycle was put into effect, resulting in a new major version release every six weeks. This was gradually accelerated further in late 2019, so that new major releases occur on four-week cycles starting in 2020.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

PDF.js is a JavaScript library that renders Portable Document Format (PDF) files using the web standards-compliant HTML5 Canvas. The project is led by the Mozilla Corporation after Andreas Gal launched it in 2011.

HTTPS Everywhere is a discontinued free and open-source browser extension for Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Brave, Vivaldi and Firefox for Android, which was developed collaboratively by The Tor Project and the Electronic Frontier Foundation (EFF). It automatically makes websites use a more secure HTTPS connection instead of HTTP, if they support it. The option "Encrypt All Sites Eligible" makes it possible to block and unblock all non-HTTPS browser connections with one click. Due to the widespread adoption of HTTPS on the World Wide Web, and the integration of HTTPS-only mode on major browsers, the extension was retired in January 2023.

Self-XSS is a social engineering attack used to gain control of victims' web accounts. In a Self-XSS attack, the victim of the attack unknowingly runs malicious code in their own web browser, thus exposing personal information to the attacker, a kind of vulnerability known as cross-site scripting.

In public key cryptography, a certificate may be revoked before it expires, which signals that it is no longer valid. Without revocation, an attacker could exploit such a compromised or misissued certificate until expiry. Hence, revocation is an important part of a public key infrastructure. Revocation is performed by the issuing certificate authority, which produces a cryptographically authenticated statement of revocation.

Cross-site leaks, also known as XS-Leaks, are a class of internet security attacks that allow an attacker to access sensitive information about a user's interactions with other websites. This is done by using techniques that abuse features in the web browser that have historically been known to leak information about other websites.

References

Citations

↑ Reis & Gribble 2009, pp. 225–226.
↑ Dong et al. 2013, pp. 78–79.
↑ Jia et al. 2016, pp. 791–792.
↑ Dong et al. 2013, p. 89.
1 2 3 Zhu, Wei & Tiwari 2022, p. 114.
1 2 Jin et al. 2022, p. 1525.
1 2 Röttger & Janc.
↑ Rogowski et al. 2017, pp. 336–367.
↑ Reis & Gribble 2009, pp. 224–225.
↑ Paul 2009.
↑ Wang et al. 2009, pp. 1–2.
1 2 Reis, Moshchuk & Oskov 2019, p. 1674.
↑ Dong et al. 2013, p. 80.
↑ Gierlings, Brinkmann & Schwenk 2023, p. 7049.
↑ Kocher et al. 2020, pp. 96–97.
1 2 Reis, Moshchuk & Oskov 2019, p. 1661.
↑ Reis, Moshchuk & Oskov 2019, pp. 1663, 1664.
↑ Bishop 2021, pp. 25–26.
↑ Rokicki, Maurice & Laperdrix 2021, p. 476.
↑ Reis, Moshchuk & Oskov 2019, p. 1667.
↑ Kim & Lee 2023, p. 757.
↑ Kim et al. 2022, p. 1007.
↑ Reis, Moshchuk & Oskov 2019, p. 1668.
↑ Cimpanu 2019.
↑ Narayan et al. 2020, p. 714.
↑ Kokatsu 2020.
↑ Layzell 2019.
↑ Reis & Gribble 2009, pp. 229–230.
↑ Wang et al. 2009, pp. 12–13.
↑ Warren 2018.
↑ Reis, Moshchuk & Oskov 2019, p. 1671.
↑ Jin et al. 2022, p. 1526.
↑ Jin et al. 2022, p. 1527.
↑ Agarwal et al. 2022, pp. 1529, 1530.
↑ Jin et al. 2022, pp. 1525, 1530.
↑ Gierlings, Brinkmann & Schwenk 2023, pp. 7037–7038.

Sources

Reis, Charles; Gribble, Steven D. (April 2009). "Isolating web programs in modern browser architectures". Proceedings of the 4th ACM European conference on Computer systems. ACM. pp. 219–232. doi:10.1145/1519065.1519090. ISBN 978-1-60558-482-9. S2CID 8028056. Archived from the original on 2023-12-24. Retrieved 2023-12-24.
Rogowski, Roman; Morton, Micah; Li, Forrest; Monrose, Fabian; Snow, Kevin Z.; Polychronakis, Michalis (2017). "Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses". 2017 IEEE European Symposium on Security and Privacy (EuroS&P). pp. 366–381. doi:10.1109/EuroSP.2017.39. ISBN 978-1-5090-5762-7. S2CID 7325479. Archived from the original on 2020-02-10. Retrieved 2023-12-24.
Röttger, Stephen; Janc, Artur. "A Spectre proof-of-concept for a Spectre-proof web". Google Online Security Blog. Archived from the original on 2023-12-24. Retrieved 2023-12-24.
Dong, Xinshu; Hu, Hong; Saxena, Prateek; Liang, Zhenkai (2013). Crampton, Jason; Jajodia, Sushil; Mayes, Keith (eds.). A Quantitative Evaluation of Privilege Separation in Web Browser Designs. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer. pp. 75–93. doi:10.1007/978-3-642-40203-6_5. ISBN 978-3-642-40203-6. Archived from the original on 2023-12-29. Retrieved 2023-12-29.
Warren, Tom (2018-07-12). "Chrome now uses more RAM because of Spectre security fixes". The Verge. Archived from the original on 2022-10-25. Retrieved 2023-12-30.
Reis, Charles; Moshchuk, Alexander; Oskov, Nasko (2019). Site Isolation: Process Separation for Web Sites within the Browser. pp. 1661–1678. ISBN 978-1-939133-06-9. Archived from the original on 2023-11-28. Retrieved 2023-12-24.
Zhu, Yongye; Wei, Shijia; Tiwari, Mohit (2022). "Revisiting Browser Performance Benchmarking From an Architectural Perspective". IEEE Computer Architecture Letters. 21 (2): 113–116. doi:10.1109/LCA.2022.3210483. S2CID 252641754. Archived from the original on 2023-07-30. Retrieved 2023-12-24.
Paul, Ryan (2009-07-10). "Inside Gazelle, Microsoft Research's "browser OS"". Ars Technica. Retrieved 2024-03-07.
Jin, Zihao; Kong, Ziqiao; Chen, Shuo; Duan, Haixin (2022). "Timing-Based Browsing Privacy Vulnerabilities Via Site Isolation". 2022 IEEE Symposium on Security and Privacy (SP). pp. 1525–1539. doi:10.1109/SP46214.2022.9833710. ISBN 978-1-6654-1316-9. S2CID 247570554. Archived from the original on 2022-07-28. Retrieved 2023-12-24.
Layzell, Nika (2019-02-04). "NIKA:\fission-news-1\>". mystor.github.io. Archived from the original on 2023-12-29. Retrieved 2023-12-30.
Agarwal, Ayush; o'Connell, Sioli; Kim, Jason; Yehezkel, Shaked; Genkin, Daniel; Ronen, Eyal; Yarom, Yuval (2022). "Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution". 2022 IEEE Symposium on Security and Privacy (SP). pp. 699–715. doi:10.1109/SP46214.2022.9833711. ISBN 978-1-6654-1316-9. S2CID 251140823. Archived from the original on 2022-10-27. Retrieved 2023-12-24.
Rokicki, Thomas; Maurice, Clémentine; Laperdrix, Pierre (2021). "SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers". 2021 IEEE European Symposium on Security and Privacy (EuroS&P) (PDF). pp. 472–486. doi:10.1109/EuroSP51992.2021.00039. ISBN 978-1-6654-1491-3. S2CID 263897590. Archived (PDF) from the original on 2022-12-17. Retrieved 2023-12-24.
Wang, Helen; Grier, Chris; Moshchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman; King, Sam (2009-02-19). "The Multi-Principal OS Construction of the Gazelle Web Browser". SSYM'09: Proceedings of the 18th Conference on USENIX Security Symposium. Archived from the original on 2023-09-04. Retrieved 2023-12-29.
Jia, Yaoqi; Chua, Zheng Leong; Hu, Hong; Chen, Shuo; Saxena, Prateek; Liang, Zhenkai (2016-10-24). ""The Web/Local" Boundary is Fuzzy: A Security Study of Chrome's Process-based Sandboxing". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. CCS '16. New York, NY, USA: Association for Computing Machinery. pp. 791–804. doi:10.1145/2976749.2978414. ISBN 978-1-4503-4139-4. S2CID 7573477.
Bishop, Douglas L. (2021). Improvements of User's Security and Privacy in a Web Browser (Thesis). University of Dayton. Archived from the original on 2023-12-24. Retrieved 2023-12-24.
Cimpanu, Catalin (2019-02-06). "Firefox to get a 'site isolation' feature, similar to Chrome". ZDNET. Archived from the original on 2023-12-29. Retrieved 2023-12-29.
Narayan, Shravan; Disselkoen, Craig; Garfinkel, Tal; Froyd, Nathan; Rahm, Eric; Lerner, Sorin; Shacham, Hovav; Stefan, Deian (2020). Retrofitting Fine Grain Isolation in the Firefox Renderer. pp. 699–716. ISBN 978-1-939133-17-5. Archived from the original on 2023-12-24. Retrieved 2023-12-24.
Gierlings, Matthias; Brinkmann, Marcus; Schwenk, Jörg (2023). Isolated and Exhausted: Attacking Operating Systems via Site Isolation in the Browser. pp. 7037–7054. ISBN 978-1-939133-37-3. Archived from the original on 2023-12-24. Retrieved 2023-12-24.
Kokatsu, Jun (2020-11-10). "Deep Dive into Site Isolation (Part 1)". Microsoft Browser Vulnerability Research. Archived from the original on 2023-12-24. Retrieved 2023-12-24.
Kim, Young Min; Lee, Byoungyoung (2023). Extending a Hand to Attackers: Browser Privilege Escalation Attacks via Extensions. pp. 7055–7071. ISBN 978-1-939133-37-3. Archived from the original on 2023-12-24. Retrieved 2023-12-24.
Kocher, Paul; Horn, Jann; Fogh, Anders; Genkin, Daniel; Gruss, Daniel; Haas, Werner; Hamburg, Mike; Lipp, Moritz; Mangard, Stefan; Prescher, Thomas; Schwarz, Michael; Yarom, Yuval (2020-06-18). "Spectre attacks: exploiting speculative execution". Communications of the ACM. 63 (7): 93–101. doi:10.1145/3399742. ISSN 0001-0782. S2CID 373888.
Kim, Sunwoo; Kim, Young Min; Hur, Jaewon; Song, Suhwan; Lee, Gwangmu; Lee, Byoungyoung (2022). {FuzzOrigin}: Detecting {UXSS} vulnerabilities in Browsers through Origin Fuzzing. pp. 1008–1023. ISBN 978-1-939133-31-1.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[FOOTNOTEReisGribble2009225–226-1] Reis & Gribble 2009, pp. 225–226.

[FOOTNOTEDongHuSaxenaLiang201378–79-2] Dong et al. 2013, pp. 78–79.

[FOOTNOTEJiaChuaHuChen2016791–792-3] Jia et al. 2016, pp. 791–792.

[FOOTNOTEDongHuSaxenaLiang201389-4] Dong et al. 2013, p. 89.

[FOOTNOTEZhuWeiTiwari2022114-5] 1 2 3 Zhu, Wei & Tiwari 2022, p. 114.

[FOOTNOTEJinKongChenDuan20221525-6] 1 2 Jin et al. 2022, p. 1525.

[FOOTNOTERöttgerJanc-7] 1 2 Röttger & Janc.

[FOOTNOTERogowskiMortonLiMonrose2017336–367-8] Rogowski et al. 2017, pp. 336–367.

[FOOTNOTEReisGribble2009224–225-9] Reis & Gribble 2009, pp. 224–225.

[FOOTNOTEPaul2009-10] Paul 2009.

[FOOTNOTEWangGrierMoshchukKing20091–2-11] Wang et al. 2009, pp. 1–2.

[FOOTNOTEReisMoshchukOskov20191674-12] 1 2 Reis, Moshchuk & Oskov 2019, p. 1674.

[FOOTNOTEDongHuSaxenaLiang201380-13] Dong et al. 2013, p. 80.

[FOOTNOTEGierlingsBrinkmannSchwenk20237049-14] Gierlings, Brinkmann & Schwenk 2023, p. 7049.

[FOOTNOTEKocherHornFoghGenkin202096–97-15] Kocher et al. 2020, pp. 96–97.

[FOOTNOTEReisMoshchukOskov20191661-16] 1 2 Reis, Moshchuk & Oskov 2019, p. 1661.

[FOOTNOTEReisMoshchukOskov20191663,_1664-17] Reis, Moshchuk & Oskov 2019, pp. 1663, 1664.

[FOOTNOTEBishop202125–26-18] Bishop 2021, pp. 25–26.

[FOOTNOTERokickiMauriceLaperdrix2021476-19] Rokicki, Maurice & Laperdrix 2021, p. 476.

[FOOTNOTEReisMoshchukOskov20191667-20] Reis, Moshchuk & Oskov 2019, p. 1667.

[FOOTNOTEKimLee2023757-21] Kim & Lee 2023, p. 757.

[FOOTNOTEKimKimHurSong20221007-22] Kim et al. 2022, p. 1007.

[FOOTNOTEReisMoshchukOskov20191668-23] Reis, Moshchuk & Oskov 2019, p. 1668.

[FOOTNOTECimpanu2019-24] Cimpanu 2019.

[FOOTNOTENarayanDisselkoenGarfinkelFroyd2020714-25] Narayan et al. 2020, p. 714.

[FOOTNOTEKokatsu2020-26] Kokatsu 2020.

[FOOTNOTELayzell2019-27] Layzell 2019.

[FOOTNOTEReisGribble2009229–230-28] Reis & Gribble 2009, pp. 229–230.

[FOOTNOTEWangGrierMoshchukKing200912–13-29] Wang et al. 2009, pp. 12–13.

[FOOTNOTEWarren2018-30] Warren 2018.

[FOOTNOTEReisMoshchukOskov20191671-31] Reis, Moshchuk & Oskov 2019, p. 1671.

[FOOTNOTEJinKongChenDuan20221526-32] Jin et al. 2022, p. 1526.

[FOOTNOTEJinKongChenDuan20221527-33] Jin et al. 2022, p. 1527.

[FOOTNOTEAgarwalo'ConnellKimYehezkel20221529,_1530-34] Agarwal et al. 2022, pp. 1529, 1530.

[FOOTNOTEJinKongChenDuan20221525,_1530-35] Jin et al. 2022, pp. 1525, 1530.

[FOOTNOTEGierlingsBrinkmannSchwenk20237037–7038-36] Gierlings, Brinkmann & Schwenk 2023, pp. 7037–7038.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

v t e Information security
Related security categories	Computer security Automotive security Cybercrime Cybersex trafficking Computer fraud Cybergeddon Cyberterrorism Cyberwarfare Electromagnetic warfare Information warfare Internet security Mobile security Network security Copy protection Digital rights management	vectorial version
Threats	Adware Advanced persistent threat Arbitrary code execution Backdoors Hardware backdoors Code injection Crimeware Cross-site scripting Cross-site leaks DOM clobbering History sniffing Cryptojacking Botnets Data breach Drive-by download Browser Helper Objects Viruses Data scraping Denial-of-service attack Eavesdropping Email fraud Email spoofing Exploits Hacktivism Insecure direct object reference Keystroke loggers Logic bombs Time bombs Fork bombs Zip bombs Fraudulent dialers Malware Payload Phishing Voice Polymorphic engine Privilege escalation Ransomware Rootkits Scareware Shellcode Spamming Social engineering Spyware Software bugs Trojan horses Hardware Trojans Remote access trojans Vulnerability Web shells Wiper Worms SQL injection Rogue security software Zombie
Defenses	Application security Secure coding Secure by default Secure by design Misuse case Computer access control Authentication Multi-factor authentication Authorization Computer security software Antivirus software Security-focused operating system Data-centric security Obfuscation (software) Data masking Encryption Firewall Intrusion detection system Host-based intrusion detection system (HIDS) Anomaly detection Security information and event management (SIEM) Mobile secure gateway Runtime application self-protection Site isolation