Toward Principled Browser Security

To ensure the confidentiality and integrity of web content, modern web browsers enforce isolation between content and scripts from different domains with the same-origin policy (SOP). However, many web applications require cross-origin sharing of code and data. This conflict between isolation and sharing has led to an ad hoc implementation of the SOP that has proven vulnerable to such attacks as cross-site scripting, cross-site request forgery, and browser privacy leaks. In this paper, we argue that information flow control (IFC) not only subsumes the same-origin policy but is also more flexible and sound. IFC not only provides stronger confidentiality and integrity for today's web sites, but also better supports complex sites such as mashups, which are notoriously difficult to implement securely under the SOP.
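
As an added illustration (not the paper's own model or code), the following Python sketch shows the sense in which an SOP read check is a special case of an IFC flow check: a context whose label is pinned to its own origin behaves exactly like SOP, while a floating label lets a mashup read cross-origin data and then confines where the derived result may be sent. Origins such as a.example and m.example are constructed placeholders.

```python
from dataclasses import dataclass

Origin = str        # assumed: an origin is just a host string such as "a.example"
Label = frozenset   # the set of origins whose data a value depends on (its taint)

PUBLIC: Label = frozenset()  # depends on nobody's data


def join(l1: Label, l2: Label) -> Label:
    """Least upper bound: a value derived from two inputs carries both taints."""
    return l1 | l2


def can_flow_to(src: Label, dst: Label) -> bool:
    """Allowed only if every origin tainting src also governs the destination."""
    return src <= dst


def sop_allows_read(script_origin: Origin, data_origin: Origin) -> bool:
    """The classic same-origin check: a script reads only its own origin's data."""
    return script_origin == data_origin


@dataclass
class Context:
    """A script execution context. floating=False pins the label to the
    script's own origin (SOP); floating=True lets it rise as data is read,
    moving the check to the point where data leaves the context."""
    origin: Origin
    floating: bool = True
    label: Label = PUBLIC

    def __post_init__(self):
        if not self.floating:           # SOP-style: permanently own-origin
            self.label = frozenset({self.origin})

    def read(self, data_label: Label) -> bool:
        if self.floating:
            self.label = join(self.label, data_label)  # taint instead of refuse
            return True
        return can_flow_to(data_label, self.label)     # refuse cross-origin

    def send_to(self, dest: Origin) -> bool:
        # a request to dest is observable by dest, i.e. a flow to the label {dest}
        return can_flow_to(self.label, frozenset({dest}))


def mashup_demo() -> dict:
    """A page at m.example that combines data from a.example and b.example."""
    ctx = Context("m.example")
    ctx.read(frozenset({"a.example"}))
    after_a = (ctx.send_to("a.example"), ctx.send_to("m.example"))
    ctx.read(frozenset({"b.example"}))
    after_ab = (ctx.send_to("a.example"), ctx.send_to("m.example"))
    return {"after_a": after_a, "after_a_and_b": after_ab, "label": ctx.label}
```

In the demo the mashup may read both origins' data, but once the result depends on a.example it can only go back to a.example, and once it depends on both it can go to neither single origin, which is the confinement SOP cannot express.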
