Foundations of web script security

A web browser works with data and scripts from different sources, and the user of the browser does not trust all of these sources equally. This fact requires web browser designers to take special care to keep information secure within the browser: data from one source should not be stolen or corrupted by a script from another source. This aspect of web browser design is what we will call web script security. The effectiveness of security checks designed to enforce web script security must ultimately be judged by their effect on the outwardly visible behavior of the browser. In light of this fact, this dissertation defines a web script security policy as a logical constraint on a browser's behavior, stated exclusively in terms of the aspects that are outwardly visible, either to the network or to the user. Such end-to-end policies are naturally appealing. However, there is a reason they are rarely used for real-world systems: it is usually very unclear how to write down precise, flexible security policies of this sort. Supposing that one could write down such policies for web script security, a second obstacle would then arise: the problem of drawing a precise connection between such end-to-end policies and the security mechanisms that one would actually implement in a browser. This dissertation demonstrates that such information security policies for web browsers can in fact be written down—precisely and without reference to security enforcement mechanisms implemented inside the browser. Moreover, the mechanisms for enforcing those policies can be designed and formally proved correct within mathematical models of web browsers that are detailed enough to capture the inherent complexities of the domain.
This dissertation supports these claims by (1) introducing mathematical tools for stating and proving end-to-end information security properties for software systems that are driven by buffered, asynchronous I/O; (2) introducing a particular mathematical model of a web browser that is accompanied by a security policy for confidentiality and is equipped with security mechanisms intended to enforce the policy; and (3) offering a proof that the security mechanisms in the model do enforce the policy, a proof which has been mechanized and verified in the Coq proof assistant.
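The distinction the abstract draws between an end-to-end policy (a constraint on network-visible behavior) and an enforcement mechanism inside the browser, shown as an added Python sketch; this is not the dissertation's Coq model, and the event shapes, origin names and observer model are assumptions of the example.

```python
# Added illustration (not the dissertation's Coq model): a toy reactive
# browser driven by a stream of input events.  The POLICY is stated only in
# terms of network-visible output; the MECHANISM is an origin check inside
# the browser.  Event shapes, origin names and the observer are assumptions.
from dataclasses import dataclass, field

@dataclass
class Browser:
    enforce_origin_check: bool
    store: dict = field(default_factory=dict)        # origin -> stored secret
    network_out: list = field(default_factory=list)  # (destination, payload)

    def step(self, event):
        """Consume one buffered input event, possibly emitting network output."""
        if event[0] == "response":
            # a network response from `origin` stores a secret (e.g. a cookie)
            _, origin, secret = event
            self.store[origin] = secret
        elif event[0] == "script":
            # a script from `src` tries to read `target`'s secret and send it home
            _, src, target = event
            if self.enforce_origin_check and src != target:
                return                       # mechanism: same-origin reads only
            self.network_out.append((src, self.store.get(target, "")))

def run(enforce, events):
    b = Browser(enforce_origin_check=enforce)
    for e in events:
        b.step(e)
    return b.network_out

def view(network_out, observer):
    """What one network principal observes: only traffic addressed to it."""
    return [payload for dst, payload in network_out if dst == observer]

def noninterfering(enforce, events_1, events_2, observer):
    """End-to-end policy (a noninterference condition): two input streams that
    differ only in data the observer may not learn must give the observer
    the same view of the browser's behaviour.  No mention of the mechanism."""
    return view(run(enforce, events_1), observer) == view(run(enforce, events_2), observer)

def streams():
    """Constructed input streams: identical except for bank.example's secret."""
    common = [("script", "ads.example", "bank.example"),
              ("script", "ads.example", "ads.example")]
    run_1 = [("response", "bank.example", "sid=1111"),
             ("response", "ads.example", "pref=dark")] + common
    run_2 = [("response", "bank.example", "sid=2222"),
             ("response", "ads.example", "pref=dark")] + common
    return run_1, run_2

if __name__ == "__main__":
    r1, r2 = streams()
    print("without check:", noninterfering(False, r1, r2, "ads.example"))  # False
    print("with check:   ", noninterfering(True, r1, r2, "ads.example"))   # True
```

Checking the policy on pairs of input streams is what the abstract's proof obligation amounts to for every such pair; the mechanism is what makes the check pass.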
