Establishing Browser Security Guarantees through Formal Shim Verification

Web browsers mediate access to valuable private data in domains ranging from health care to banking. Despite this critical role, attackers routinely exploit browser vulnerabilities to exfiltrate private data and take over the underlying system. We present QUARK, a browser whose kernel has been implemented and verified in Coq. We give a specification of our kernel, show that the implementation satisfies the specification, and finally show that the specification implies several security properties, including tab non-interference, cookie integrity and confidentiality, and address bar integrity.
