
Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.


1 Privacy-Preserving Browser-Side Scripting With BFlow
Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris
Massachusetts Institute of Technology

2 Web Sites Support 3rd Party JavaScript Extensions
Snippets of the last few blog posts
Display the last few reader comments
Blogger.com supports “widgets” – read and modify blog posts

3 Confidential Blogs Are Vulnerable to 3rd Party JavaScript

4 A 3rd Party JavaScript Leak Attack
Widget’s JavaScript source code:
    private_data = document.getElementById("posts");
    widget.innerHTML = private_data;
    widget.innerHTML += ' ';   // the appended markup is not preserved in this transcript
HTTP Request (from Alice’s Browser to the attacker.com Server): GET /sell_pet_food_online.gif HTTP/1.0
(Diagram: Alice’s Browser runs Blogger JS + Attacker JS; the widget’s request goes to the attacker.com Server)
Widget has access to private blog content
Widget leaks private blog content to attacker.com
Blogger.com wants to provide data to widgets
Browser security policy permits JS to send data freely
Wrote a malicious blogger.com widget in one hour
Shows private blog content in widget’s box

5 Problem: Extensibility vs. Privacy
(Slide graphic: a mail message of scrambled text with a “Check Spelling!” button from Dan’s Spell Checker, and “Encrypt Mail” / “Decrypt Mail” buttons from Joe’s Encryption Widget)
(Choose one)
Either choose cool extensibility features – e.g. Blogger.com widgets
Or choose privacy and no 3rd party code – e.g. Gmail

6 Solution: BFlow
Eliminate the choice between features & privacy
Add information flow control (IFC)
– To JavaScript in the browser
– Track private data inside the browser and server
Prohibit communication that leaks private data

7 Challenges
Fit JavaScript environment into an IFC model
– Preserve JavaScript communication channels (send to top-level frame, send to sub-frame)
– Mashups with private data (e.g. a private address sent to the Google Maps Server)
Easy to adopt
– Minimize changes to JS that uses existing communication channels
– Minimize changes required on the server
– Easy for end-users to start using

8 Contributions
An IFC model for the JS runtime environment
Easy to deploy and adopt implementation
– Installs in browser with 2 clicks
– Requires no changes to JavaScript interpreter
– Only small changes to JavaScript communication API
A platform that supports real blogger.com widgets

9 BFlow Overview
(Diagram: Browser containing a Reference Monitor, a Trusted Protection Zone and Untrusted Protection Zones; Blog Web Server; attacker.com Server)
Blog Server supplies some HTML/JS
Blog Server “labels” private data with a “tag”
3rd Party supplies widget HTML/JS
Reference Monitor knows when a zone reads private data (zone label: Saw Alice’s private data)

10 BFlow Overview
(Diagram: Browser with Reference Monitor; Blog Web Server; attacker.com Server; Google Maps Server)
BFlow prevents the malicious widget from leaking private data
Have not seen private data: Can send requests to any server
Have seen private data: Can only send requests to the data’s server
Declassification: Fetch Map Image from Google Maps, OK!

11 Design Outline
Tags and Labels
Protection Zones
Reference Monitor
Server

12 Tags And Labels
Each tag identifies a kind of private data
– Alice’s tag: blogger.com:alice
– Bob’s tag: blogger.com:bob
A label is a set of tags
– Describes what private data an object contains
– Each zone, HTTP request, and response has a label
e.g. Alice’s blog has label L={blogger.com:alice}

13 Data Flow Rule
Data may flow only if L_data ⊆ L_receiver

    Data Label    Receiver Label    May Receive
    {x}           {x,y}             Yes
    {x}           {}                No

(Diagram: Data flowing to a JavaScript Receiver, with the question of whether it may be received)

14 Protection Zones
A zone is a group of browser HTML
– Regular JavaScript runs inside a frame inside a zone
– All frames in a zone share the same label
Trusted zone
– Top-level frame is in the site’s trusted zone
– Contains JavaScript written only by the site’s developers
– Need not abide by information flow restrictions
Untrusted zones
– Contain 3rd party JavaScript
– Must abide by information flow restrictions

15 Example Zones & Labels
(Diagram: Trusted Zone (No Label) containing Zone A L={}, Zone B L={blogger.com:alice}, Zone C L={} and Zone D L={blogger.com:alice})

16 How Do Untrusted Zones Get Labels?
(Diagram: Blog Web Server; Browser with Reference Monitor; an untrusted zone’s label changes from L={} to L={blogger.com:alice})
Trusted zone sets untrusted zone’s label: augment_label(blogger.com:alice)

17 Works With Existing JS Channels
(Diagram: Web Page Showing Inherent JavaScript Channels. Top-level Frame from X.com; Frame 1 L={X.com:A}; Frame 2 L={X.com:A, X.com:B})
Channel 1: A frame can always send to its child frame
– L_parent ⊆ L_child
– Frame 1 may not add X.com:C to its label
Channel 2: A frame can always send to the top-level frame
– To avoid leaking data, untrusted zones may contain only tags from the web site in the top-level frame
– No sub-frame from X.com may add a tag from Y.com

18 Why Zones Instead Of Frames?
Some JavaScript consists of multiple frames (e.g. Cbox chat widget: bottom frame writes messages to top frame)
Group JavaScript into modules by label
– All frames in the same zone can always communicate
– Trusted JavaScript sets the label of a multi-frame widget only once
– Existing multi-frame widgets need not coordinate label changes

19 BFlow’s JavaScript Model
All JavaScript will work if the IFC rules allow
– AJAX, eval()
The IFC rule (L_data ⊆ L_receiver) affects
– access to DOM variables & cookies
– postMessage(), fragment-ID messages
– HTTP requests and responses

20 HTTP Request Rules
Trusted zone T
– can send to any server (always)
– can receive a response from any server (always)
Untrusted zone Z
– can send to the server where secret data came from (always)
  – can receive the response (when L_response ⊆ L_Z)
– can send to 3rd party server E (when L_Z = {}, or the web site has a declassification exception for (server E, URL))
  – can receive the response (always)
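The following is an added example, not BFlow’s own code, that models the browser-side label rules from slides 12, 13, 16, 17 and 20 in plain JavaScript: tags and labels, the data-flow rule L_data ⊆ L_receiver, augment_label with the restriction that untrusted zones hold only tags from the top-level site, and the HTTP request and response rules. The zone and server names, and the representation of declassification exceptions as a set of "server|url" strings, are assumptions for the illustration.

```javascript
// Added example (not BFlow's own code): a model of the reference monitor's label
// rules as the slides describe them. Names and data shapes are constructed.

// A tag is "site:user"; a label is a Set of tags.
function makeLabel(...tags) {
  return new Set(tags);
}

// Data-flow rule (slide 13): data may flow only if L_data ⊆ L_receiver.
function mayReceive(dataLabel, receiverLabel) {
  for (const tag of dataLabel) {
    if (!receiverLabel.has(tag)) return false;
  }
  return true;
}

// The web site that owns a tag: "blogger.com:alice" -> "blogger.com".
function tagSite(tag) {
  return tag.split(":")[0];
}

// A zone is a group of frames sharing one label (slide 14). The trusted zone
// belongs to the site in the top-level frame and carries no label.
class Zone {
  constructor(name, topSite, trusted = false) {
    this.name = name;
    this.topSite = topSite; // site of the top-level frame
    this.trusted = trusted;
    this.label = makeLabel();
  }
}

// augment_label (slides 16-17): only the trusted zone may add a tag to an
// untrusted zone, and an untrusted zone may hold only tags from the site in the
// top-level frame, because any frame can always send to the top-level frame.
function augmentLabel(caller, target, tag) {
  if (!caller.trusted) throw new Error(`${caller.name} is untrusted and may not set labels`);
  if (target.trusted) throw new Error("the trusted zone carries no label");
  if (tagSite(tag) !== target.topSite) throw new Error(`${tag} is not a ${target.topSite} tag`);
  target.label.add(tag);
  return target.label;
}

// HTTP request rule (slide 20). `declassify` holds (server, URL) pairs the site
// has explicitly allowed, e.g. a map image fetched from a maps server (assumed
// "server|url" string form).
function maySendRequest(zone, server, url, declassify = new Set()) {
  if (zone.trusted) return true;            // trusted zone: any server, always
  if (zone.label.size === 0) return true;   // has seen no private data: any server
  // Has seen private data: only the server the data came from ...
  const allTagsFromServer = [...zone.label].every((tag) => tagSite(tag) === server);
  if (allTagsFromServer) return true;
  // ... or a (server, URL) the site has declassified.
  return declassify.has(`${server}|${url}`);
}

// HTTP response rule: an untrusted zone may read a response only if the
// response's label is a subset of the zone's label.
function mayReceiveResponse(zone, responseLabel) {
  return zone.trusted || mayReceive(responseLabel, zone.label);
}

// The scenario from slides 4 and 25: a widget on Alice's blog page.
function leakScenario() {
  const trusted = new Zone("blogger-top", "blogger.com", true);
  const widget = new Zone("widget", "blogger.com");
  const attackerBefore = maySendRequest(widget, "attacker.com", "/sell_pet_food_online.gif");
  augmentLabel(trusted, widget, "blogger.com:alice"); // widget reads Alice's posts
  const attackerAfter = maySendRequest(widget, "attacker.com", "/sell_pet_food_online.gif");
  const toBlogger = maySendRequest(widget, "blogger.com", "/save_post");
  const declassify = new Set(["maps.google.com|/map.png"]);
  const toMaps = maySendRequest(widget, "maps.google.com", "/map.png", declassify);
  const readsAlice = mayReceiveResponse(widget, makeLabel("blogger.com:alice"));
  const readsBob = mayReceiveResponse(widget, makeLabel("blogger.com:bob"));
  return { attackerBefore, attackerAfter, toBlogger, toMaps, readsAlice, readsBob };
}
```

Running `leakScenario()` shows the behaviour slide 25 reports: the widget may contact attacker.com while its label is empty, but once the trusted zone has augmented its label with blogger.com:alice, requests to attacker.com are refused while requests to blogger.com, and to a declassified maps URL, still go through.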

21 The BFlow Server API
Propagate label from HTTP requests to responses
– Read label contained in each request
– Attach the label to any response that uses labeled data
(Diagram: Zone A, L={blogger.com:alice}, sends HTTP Request: POST save_post?content=sell_petfood_online, Label: L = {blogger.com:alice}, to the Blog Web Server; the server returns HTTP Response Contents: sell_petfood_online, Label: L = {blogger.com:alice}, to Zone B, L={blogger.com:alice})
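An added example of the server side of the API described on this slide, written for this page and not taken from BFlow: the server reads the label on each incoming request, stores the data under that label, and attaches the label to any response built from labeled data, leaving the browser reference monitor to apply L_response ⊆ L_zone. The header name "X-BFlow-Label", the comma-separated wire form of a label, the request and response object shapes and the in-memory post store are all assumptions.

```javascript
// Added example (not BFlow's own code): label propagation on the blog server.
// Header name, wire format and request/response shapes are assumed.

const LABEL_HEADER = "X-BFlow-Label"; // assumed header carrying the label

// Wire form: comma-separated tags. A missing or empty header is the empty label.
function parseLabel(headerValue) {
  if (!headerValue) return new Set();
  return new Set(headerValue.split(",").map((t) => t.trim()).filter(Boolean));
}

function serializeLabel(label) {
  return [...label].sort().join(",");
}

// Union of several labels: the label of anything assembled from all of them.
function unionLabels(labels) {
  const out = new Set();
  for (const label of labels) for (const tag of label) out.add(tag);
  return out;
}

class BFlowBlogServer {
  constructor() {
    this.posts = []; // { content, label }
  }

  // req: { method, path, headers, body }; returns { status, headers, body }.
  handle(req) {
    const reqLabel = parseLabel(req.headers[LABEL_HEADER]);

    if (req.method === "POST" && req.path === "/save_post") {
      // Saved data inherits the label of the request that carried it, so a
      // post written by a zone that saw Alice's data stays Alice's data.
      this.posts.push({ content: req.body.content, label: new Set(reqLabel) });
      return this.respond(200, reqLabel, "saved");
    }

    if (req.method === "GET" && req.path === "/posts") {
      // The response is built from every stored post, so its label is the
      // union of their labels; the browser's reference monitor then lets only
      // a zone whose label covers that union read it.
      const label = unionLabels(this.posts.map((p) => p.label));
      return this.respond(200, label, this.posts.map((p) => p.content));
    }

    return this.respond(404, new Set(), "not found");
  }

  respond(status, label, body) {
    return { status, headers: { [LABEL_HEADER]: serializeLabel(label) }, body };
  }
}

// Replays the exchange on the slide with constructed messages.
function slideExchange() {
  const server = new BFlowBlogServer();
  const saved = server.handle({
    method: "POST",
    path: "/save_post",
    headers: { [LABEL_HEADER]: "blogger.com:alice" },
    body: { content: "sell_petfood_online" },
  });
  const fetched = server.handle({ method: "GET", path: "/posts", headers: {} });
  return { saved, fetched };
}
```

Note that the server attaches labels rather than filtering: the GET response carries every tag of the data it contains, and enforcement of who may read it happens in the browser under the rule on slide 20.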

22 BFlow Implementation
Browser Reference Monitor
– Firefox Extension, 1100 Lines of code
– Users can install with 2 clicks
– JavaScript communication API changed slightly
– No changes to JavaScript interpreter

23 Zone Isolation
(Diagram: two zones with distinct domain names, Zone1.blogger and Zone2.blogger)
Repurpose browser’s same-origin policy (SOP)
– Each zone gets its own domain name, so there is no direct communication between zones
– Zones communicate via reference monitor
– SOP is conservative: no DOM read/write across zones even if labels would allow

24 Applications
BF-Socialnet
– Social network that supports 3rd party JS extensions
– Protects private user data (see paper)
BFlogger
– Blog mockup that supports blogger.com widgets
– Ported 12 existing widgets to BFlogger

25 BFlow Preserves Privacy
Wrote a malicious Blogger.com widget
– Successfully leaks data from confidential blogs
Ported widget to BFlogger
– BFlow prevents malicious widget from leaking data
– No requests to attacker.com Server after reading private data

26 BFlow Runs Existing JavaScript

    Widget          Lines of Code    Lines Changed    Uses Secret Data?
    Twitter         25               0                No
    Flickr          10               0                No
    Buzz            1                0                No
    Youtube         1982             0                No
    Calendar        1945             0                No
    Weather         3790             0                No
    Popular Posts   16               1                Yes
    Commenters      15               1                Yes
    Recent Posts    74               2                Yes
    Random Post     34               2                Yes
    Cbox-chat       801              89               Yes

Cbox-chat changes are high because we made Chat store data on the BFlow server to protect chat data
Better privacy with little or no changes

27 Existing Research
Can’t grant read access without also leaking [MashupOS]
Requires rewriting JavaScript & manual jail config [Caja]
Don’t support untrusted JavaScript [Swift, SIF]
User must make disclosure decisions [NoMoXSS]
Certificates [Java]

28 Conclusion
3rd party JavaScript can leak confidential user data
BFlow provides a new web security model
– Tracks information flow between client & server
– 3rd party JavaScript can safely compute and display
– Enables new features in web sites, e.g. 3rd party Gmail extensions
Questions

