Information Flow Control for Event Handling and the DOM in Web Browsers

Web browsers routinely handle private information. Owing to a lax security model, browsers, and JavaScript in particular, are easy targets for leaking sensitive data. Prior work has extensively studied information flow control (IFC) as a mechanism for securing browsers. However, two central aspects of web browsers, the Document Object Model (DOM) and the event handling mechanism, have so far evaded thorough scrutiny in the context of IFC. This paper advances the state of the art in this regard. Based on standard specifications and the code of an actual browser engine, we build formal models of both the DOM (up to Level 3) and the event handling loop of a typical browser, enhance the models with fine-grained taints and checks for IFC, prove our enhancements sound, and test our ideas through an instrumentation of WebKit, an in-production browser engine. In doing so, we observe several channels for information leakage that arise from subtleties of the event loop and its interaction with the DOM.
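To make the abstract's point concrete, the following toy monitor (an added example, not the paper's formal model and not WebKit code) attaches labels from a two-point lattice (L public, H secret) to DOM nodes, to their text, and to event-listener registrations, and dispatches events along the capture/target/bubble path as in DOM Level 3. Two constructed scenarios show the kinds of channel the abstract mentions: an explicit flow where a handler copies secret text into a public node, and a flow through the event loop itself where only the existence of a listener depends on a secret. All node names, values and the `send` sink are assumptions made for the example.

```javascript
// Toy IFC monitor for a DOM tree with capture/bubble event dispatch.
// Constructed for illustration; labels: L (public) below H (secret).
const L = 0, H = 1;
const join = (a, b) => Math.max(a, b);

class Node {
  constructor(tag) {
    this.tag = tag;
    this.label = L;                        // existence label of the node
    this.parent = null;
    this.children = [];
    this.text = { value: "", label: L };   // labelled text content
    this.listeners = new Map();            // type -> [{ fn, label, capture }]
  }
  // pc is the label of the context performing the structural change.
  appendChild(child, pc = L) {
    child.parent = this;
    child.label = join(child.label, pc);
    this.children.push(child);
    return child;
  }
  // A registration is labelled with the pc it happened under.
  addEventListener(type, fn, pc = L, capture = false) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push({ fn, label: pc, capture });
  }
  // Writes join the writer's pc into the stored label.
  setText(value, label, pc) {
    this.text = { value, label: join(label, pc) };
  }
}

class Monitor {
  constructor() { this.sent = []; this.violations = []; }

  // Capture phase root->parent, then the target, then bubble parent->root.
  dispatch(target, type, eventLabel = L) {
    const path = [];
    for (let n = target; n; n = n.parent) path.unshift(n);
    // Whether any handler runs depends on the tree shape, so every node on
    // the path contributes its existence label to the handlers' pc.
    let pathLabel = eventLabel;
    for (const n of path) pathLabel = join(pathLabel, n.label);
    const ancestors = path.slice(0, -1);
    const phases = [
      ...ancestors.map((n) => [n, true]),
      [target, null],                       // at target: both kinds run
      ...ancestors.slice().reverse().map((n) => [n, false]),
    ];
    for (const [node, wantCapture] of phases) {
      for (const l of node.listeners.get(type) || []) {
        if (wantCapture !== null && l.capture !== wantCapture) continue;
        const pc = join(pathLabel, l.label); // handler runs under this pc
        l.fn({ pc, monitor: this, target });
      }
    }
  }

  // Public sink (think: network request). Data labelled H, or a send
  // performed under an H pc, is refused and recorded.
  send(value, label, pc) {
    if (join(label, pc) === H) {
      this.violations.push(`blocked send of ${JSON.stringify(value)}`);
      return false;
    }
    this.sent.push(value);
    return true;
  }
}

// Scenario 1: explicit flow through the DOM. A click handler copies the
// value of a secret <input> into a public <span>; a bubbling handler on
// <body> then tries to send the span's text. The taint follows the data.
function explicitFlow() {
  const mon = new Monitor();
  const body = new Node("body");
  const secretField = body.appendChild(new Node("input"));
  secretField.setText("hunter2", H, L);      // constructed secret datum
  const button = body.appendChild(new Node("button"));
  const status = body.appendChild(new Node("span"));
  button.addEventListener("click", ({ pc }) => {
    status.setText(secretField.text.value, secretField.text.label, pc);
  });
  body.addEventListener("click", ({ pc, monitor }) => {
    monitor.send(status.text.value, status.text.label, pc);
  });
  mon.dispatch(button, "click");
  return { sent: mon.sent, violations: mon.violations, statusLabel: status.text.label };
}

// Scenario 2: flow through the event loop. Whether a listener exists at all
// depends on a secret bit; the listener writes only public data, but it
// runs under an H pc, so the span becomes H and the later send is blocked.
function registrationFlow(secretBit) {
  const mon = new Monitor();
  const body = new Node("body");
  const button = body.appendChild(new Node("button"));
  const status = body.appendChild(new Node("span"));
  if (secretBit) {                           // branch on the secret: pc = H
    button.addEventListener("click", ({ pc }) => {
      status.setText("clicked", L, pc);      // public data, secret context
    }, H);
  }
  body.addEventListener("click", ({ pc, monitor }) => {
    monitor.send(status.text.value, status.text.label, pc);
  });
  mon.dispatch(button, "click");
  return { sent: mon.sent, violations: mon.violations, statusLabel: status.text.label };
}
```

Running `explicitFlow()` and `registrationFlow(true)` yields one blocked send each and a span labelled H, while `registrationFlow(false)` sends the empty string. That last pair is also the monitor's known limitation: like any purely dynamic, termination-insensitive monitor it only sees the path that executed, so an observer can still distinguish "blocked" from "sent", a one-bit channel that the labelling discipline alone does not close.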
