Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology."— Presentation transcript:

1 Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology

2 Web Sites Support 3 rd Party JavaScript Extensions Snippets of the last few blog posts Display the last few reader comments Blogger.com supports “widgets” – read and modify blog posts

3 Confidential Blogs Are Vulnerable to 3 rd Party JavaScript v

4 A 3 rd Party JavaScript Leak Attack private_data = document.getElementById(“posts”); widget.innerHTML = private_data; widget.innerHTML += ‘ ’; Widget’s JavaScript source code: HTTP Request: GET /sell_pet_food_online.gif HTTP/1.0 attacker.com Server Alice’s Browser Blogger JS + Attacker JS Widget has access to private blog content Widget leaks private blog content to attacker.com Blogger.com wants to provide data to widgets Browser security policy permits JS to send data freely Wrote a malicious blogger.com widget in one hour Shows private blog content in widget’s box

5 Zlxcoizvuowqjlsavzmzlvcjlsadfjfoqwojerl,clvzlxcvjaoi sjqklqwerljdsalzzx,vcnadsoqoiewqoirulnzdlkfjaoique oqejlnlvkjxzcoivuaqoeruqowejrlkasdnzcvzxvalsdfou qoweurozxcvjlkajoqewjrlsdznlkzxvjzl lkjljvojubjjcjif oitotouroiejfjlf Check Spelling! Dan’s Spell Checker Problem: Extensibility vs. Privacy Encrypt Mail Decrypt Mail Joe’s Encryption Widget (Choose one) Either choose cool extensibility features – e.g. Blogger.com widgets Or choose privacy and no 3 rd party code – e.g. Gmail

6 Solution: BFlow Eliminate the choice between features & privacy Add information flow control (IFC) – To JavaScript in the browser – Track private data inside the browser and server Prohibit communication that leaks private data

7 Challenges Fit JavaScript environment into an IFC model – Preserve JavaScript communication channels Send to top- level frame Send to sub-frame Google Maps Server Private address Fit JavaScript environment into an IFC model – Preserve JavaScript communication channels – Mashups with private data Fit JavaScript environment into an IFC model – Preserve JavaScript communication channels – Mashups with private data Easy to adopt – Minimize changes to JS that uses existing communication channels – Minimize changes required on the server – Easy for end-users to start using

8 Contributions An IFC model for the JS runtime environment Easy to deploy and adopt implementation – Installs in browser with 2 clicks – Requires no changes to JavaScript interpreter Only small changes to JavaScript communication API A platform that supports real blogger.com widgets

9 BFlow Overview Browser Reference Monitor Trusted Protection Zone Untrusted Protection Zones Blog Web Server attacker.com Server Label: Saw Alice’s private data Reference Monitor knows when a zone reads private data Label: Saw Alice’s private data Blog Server Supplies Some HTML/JS Blog Server “labels” private data with a “tag” 3 rd Party Supplies Widget HTML/JS

10 BFlow Overview Browser Reference Monitor Blog Web Server attacker.com Server Declassification: Fetch Map Image from Google Maps, OK! Google Maps Server BFlow prevents the malicious widget from leaking private data Have not seen private data: Can send requests to any server Have seen private data: Can only send requests to the data’s server

11 Design Outline Tags and Labels Protection Zones Reference Monitor Server

12 Tags And Labels A label is a set of tags – Describes what private data an object contains – Each zone, HTTP request, and response has a label Each tag identifies a kind of private data – Alice’s tag: blogger.com:alice – Bob’s tag: blogger.com:bob e.g. Alice’s blog has label L={blogger.com:alice} A label is a set of tags – Describes what private data an object contains – Each zone, HTTP request, and response has a label

13 Data Flow Rule Data may flow only if L data  L receiver Data LabelReceiver LabelMay Receive {x}{x,y}Yes {x}{}No Data Receiver JavaScript ?

14 Protection Zones A zone is a group of browser HTML – Regular JavaScript runs inside a frame inside a zone – All frames in a zone share the same label Trusted zone – Top-level frame is in the site’s trusted zone – Contains JavaScript written only by the site’s developers – Need not abide by information flow restrictions Untrusted zones – Contain 3 rd party JavaScript – Must abide by information flow restrictions

15 Example Zones & Labels Zone A L={} Zone B L={blogger.com:alice} Trusted Zone (No Label) Zone C L={} Zone D L={blogger.com:alice}

16 How Do Untrusted Zones Get Labels? L={}L={blogger.com:alice} Blog Web Server Browser Reference Monitor Trusted zone sets untrusted zone’s label augment_label (blogger.com:alice)

17 Works With Existing JS Channels Channel 1: A frame can always send to its child frame – L parent  L child Frame 2 L={X.com:A, X.com:B} Web Page Showing Inherent JavaScript Channels Frame 1 L={X.com:A} Top-level Frame from X.com Frame 1 may not add X.com:C to its label No sub-frame from X.com may add a tag from Y.com Channel 2: A frame can always send to the top-level frame – To avoid leaking data, untrusted zones may contain only tags from the web site in the top-level frame Channel 1: A frame can always send to its child frame – L parent  L child

18 Why Zones Instead Of Frames? Some JavaScript consists of multiple frames Group JavaScript into modules by label – All frames in the same zone can always communicate – Trusted JavaScript sets the label of a multi-frame widget only once – Existing multi-frame widgets need not coordinate label changes e.g. Cbox chat widget Bottom frame writes messages to top frame

19 BFlow‘s JavaScript Model All JavaScript will work if the IFC rules allow – AJAX, eval() The IFC rule (L data  L receiver ) affects – access to DOM variables & cookies – postMessage(), fragment-ID messages – HTTP requests and responses

20 HTTP Request Rules Trusted zone T – can send to any server (always) – can receive a response from any server (always) Untrusted zone Z – can send to the server where secret data came from (always) can receive the response (when L response  L Z ) – can send to 3 rd party server E (when L Z = {}) or web site has a declassification exception for (server E, URL) can receive the response (always)

21 The BFlow Server API Propagate label from HTTP requests to responses – Read label contained in each request – Attach the label to any response that uses labeled data Blog Web Server HTTP Response Contents: sell_petfood_online Label: L = {blogger.com:alice} L={blogger.com:alice} Zone A L={blogger.com:alice} HTTP Request: POST save_post?content=sell_petfood_online Label: L = {blogger.com:alice} Zone B L={blogger.com:alice}

22 BFlow Implementation Browser Reference Monitor Firefox Extension 1100 Lines of code Users can install with 2 clicks JavaScript communication API changed slightly No changes to JavaScript interpreter

23 Zone Isolation Domain name: Zone2.blogger Domain name: Zone1.blogger Repurpose browser’s same-origin policy (SOP) – Zones communicate via reference monitor No direct communication Repurpose browser’s same-origin policy (SOP) – Zones communicate via reference monitor – SOP is conservative: no DOM read/write across zones even if labels would allow

24 Applications BF-Socialnet – Social network that supports 3 rd party JS extensions – Protects private user data (see paper) BFlogger – Blog mockup that supports blogger.com widgets – Ported 12 existing widgets to BFlogger

25 BFlow Preserves Privacy Wrote a malicious Blogger.com widget – Successfully leaks data from confidential blogs Ported widget to BFlogger – BFlow prevents malicious widget from leaking data attacker.com Server No requests to attacker.com after reading private data

26 BFlow Runs Existing JavaScript WidgetLines of Code Lines Changed Uses Secret Data? Twitter250No Flickr100No Buzz10No Youtube19820No Calendar19450No Weather37900No Popular Posts161Yes Commenters151Yes Recent Posts742Yes Random Post342Yes Cbox-chat80189Yes High because we made Chat store data on the BFlow server to protect chat data Better privacy with little or no changes

27 Existing Research Can’t grant read access without also leaking [MashupOS] Requires rewriting JavaScript & manual jail config [Caja] Don’t support untrusted JavaScript [Swift, SIF] User must make disclosure decisions [NoMoXSS] Certificates [Java]

28 Conclusion 3 rd party JavaScript can leak confidential user data BFlow provides a new web security model – Tracks information flow between client & server – 3 rd party JavaScript can safely compute and display – Enables new features in web sites e.g. 3 rd party Gmail extensions Questions

Download ppt "Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.

The Case for JavaScript Transactions Mohan Dhawan, Chung-chieh Shan, Vinod Ganapathy Department of Computer Science Rutgers University PLAS 2010.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)

Georgios Kontaxis, Michalis Polychronakis Angelos D. Keromytis, Evangelos P. Markatos Siddhant Ujjain (2009cs10219) Deepak Sharma (2009cs10185)
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.

Tcl Agent : A flexible and secure mobile-agent system Paper by Robert S. Gray Dartmouth College Presented by Vipul Sawhney University of Pennsylvania.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.

Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.
Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.

Frame isolation and the same origin policy Collin Jackson CS 142 Winter 2009.
Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.

Boris Tshibangu. What is a proxy server? A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

Similar presentations

Ads by Google