Privacy-preserving browser-side scripting with BFlow

Some web sites provide interactive extensions using browser scripts, often without inspecting the scripts to verify that they are benign and bug-free. Others handle users' confidential data and display it via the browser. Such new features contribute to the power of online services, but their combination would allow attackers to steal confidential data. This paper presents BFlow, a security system that uses information flow control to allow the combination while preventing attacks on data confidentiality. BFlow allows untrusted JavaScript to compute with, render, and store confidential data, while preventing leaks of that data. BFlow tracks confidential data as it flows within the browser, between scripts on a page and between scripts and web servers. Using these observations and assistance from participating web servers, BFlow prevents scripts that have seen confidential data from leaking it, all without disrupting the JavaScript communication techniques used in complex web pages. To achieve these ends, BFlow augments browsers with a new "protection zone" abstraction. We have implemented a BFlow browser reference monitor and server support. To evaluate BFlow's confidentiality protection and flexibility, we have built a BFlow-protected blog that supports Blogger's third party JavaScript extensions. BFlow is compatible with every legitimate Blogger extension that we have found, yet it prevents malicious extensions from leaking confidential data.

[1]  Butler W. Lampson,et al.  A note on the confinement problem , 1973, CACM.

[2]  Benjamin Livshits,et al.  Spectator: Detection and Containment of JavaScript Worms , 2008, USENIX Annual Technical Conference.

[3]  Eddie Kohler,et al.  Making information flow explicit in HiStar , 2006, OSDI '06.

[4]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[5]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[6]  Eddie Kohler,et al.  Information flow control for standard OS abstractions , 2007, SOSP.

[7]  Giovanni Vigna,et al.  Detecting malicious JavaScript code in Mozilla , 2005, 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS'05).

[8]  Xin Zheng,et al.  Secure web applications via automatic partitioning , 2007, SOSP.

[9]  Roxana Geambasu,et al.  Organizing and sharing distributed personal web-service data , 2008, WWW.

[10]  Steve Vandebogart,et al.  Labels and event processes in the Asbestos operating system , 2005, TOCS.

[11]  James A. Reeds,et al.  Multilevel security in the UNIX tradition , 1992, Softw. Pract. Exp..

[12]  Helen J. Wang,et al.  BrowserShield: vulnerability-driven filtering of dynamic HTML , 2006, OSDI '06.

[13]  Collin Jackson,et al.  Securing frame communication in browsers , 2008, CACM.

[14]  Guy L. Steele,et al.  The Java Language Specification , 1996 .

[15]  Eddie Kohler,et al.  Manageable fine-grained information flow , 2008, Eurosys '08.

[16]  Guy L. Steele,et al.  Java(TM) Language Specification, The (3rd Edition) (Java (Addison-Wesley)) , 2005 .

[17]  Michael Walfish,et al.  World Wide Web Without Walls , 2007, HotNets.

[18]  Charles Reis,et al.  Architectural Principles for Safe Web Programs , 2007, HotNets.

[19]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[20]  Andrew C. Myers,et al.  SIF: Enforcing Confidentiality and Integrity in Web Applications , 2007, USENIX Security Symposium.

[21]  Michael Hicks,et al.  Defeating script injection attacks with browser-enforced embedded policies , 2007, WWW '07.

[22]  Helen J. Wang,et al.  Protection and communication abstractions for web browsers in MashupOS , 2007, SOSP.

[23]  Andrew C. Myers,et al.  A decentralized model for information flow control , 1997, SOSP.

[24]  Dorothy E. Denning,et al.  The SeaView security model , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.