Presentation is loading. Please wait.

Presentation is loading. Please wait.

FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL.

Published bySybil Davidson Modified over 8 years ago

Similar presentations

Presentation on theme: "FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL."— Presentation transcript:

1 FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL

2 ROADMAP 1.Background 2.Threat Model 3.Design 4.Security Policies 5.Implementation 6.Evaluation

3 BACKGROUND same-origin-policy (SOP) has holes 1.Examples to bypass SOP 1.More powerful security enforcement mechanisms are required. XMLHTTPRequest ?

4 BACKGROUND Information flow control Any program can be seen as a machine with inputs and outputs. Inputs can be classified high credential input and low credential input. The same for output.

5 BACKGROUND Example for Information flow analysis High Input: document.getElementById(‘emai l.input’).text Low Output: *.src=*

6 BACKGROUND Noninterference A program is defined to be noninterferent if its outputs cannot be influenced by inputs at a higher security level than their own. Termination-insensitive noninterference 1.A version of Noninterference. 2.Under the assumption that a program always terminates normally, information is only disclosed by the program when it terminates. 3.Many existing tools can effectively determine a program as long as the assumption holds

7 BACKGROUND Termination-insensitive noninterference Vs. Termination- sensitive noninterference

8 BACKGROUND In Context of web security Many state-of-art information flow systems can detect information leak for this case

9 BACKGROUND Timing-insensitive noninterference Assumption: the execution result has nothing to do with the execution time

10 BACKGROUND Secure Multi-Execution ([18]) 1.An information flow control enforcement mechanism 2.As its name suggests, secure multi-execution will execute a program multiple times, once for each security level. 3.SME regime will guarantee non-interference 4.FlowFox implements SME

11 BACKGROUND Secure Multi-Execution Rule Image.src Document. cookie Document. cookie Image.width

12 BACKGROUND Example of Secure Multi-Execution

13 BACKGROUND Secure Multi-Execution Pros: 1. Secure multi-execution is sound: 2. Secure multi-execution is precise Cons: 1. Cost in CPU time and memory use

14 THREAT MODEL Examples 1.Session Hijacking 2.Malicious Advertisements (Plugins) 3.History Sniffing and Behavior Tracking

15 FLOWFOX DESIGN Two Design Alternatives 1.Multi-execute entire browser: 1.Easy to implement 2.Too Coarse grained and imprecise

16 FLOWFOX DESIGN Two Design Alternatives 2. Multi-execute the web scripts (FlowFox) 1.Treat all interactions with the browser API as inputs and outputs 2.Fine grained 3.Hard to implement

17 SECURITY POLICIES 1.DOM API will be specified policy 2.FlowFox policy specifies two things 1.Security levels to DOM APIs 2.Default value to each DOM API call 3.Policy Rule

18 SECURITY POLICIES 4. Examples

19 IMPLEMENTATION 1.Implemented on top of Mozilla Firefox and consists of about 1400 new lines of C/C++ code 2.SME-aware JavaScript Engine 1.JSContext has a security level field 2.Each property of JSObject has a security level field 3.Only properties with the same security level as the coordinating JSContext are visible 3.SME/IO Process 4.Event Handling 1.Low events will be handled by both the low and high executions 2.High events will only be handled by the high execution.

20 EVALUATION 1.Security 1.Is FlowFox Non-interferent 1.Two reasons FlowFox could fail to be non-interferent 1.Violate the assumptions underlying the soundness proof 2.Exist implementation level vulnerabilities 2.Hard to guarantee.

21 EVALUATION 1.Security 1.Examples of mitigating threats 1.Leaking Session Cookies 2.History Sniffing 3.Tracking Libraries

22 EVALUATION 2.Compatibility 1.Two regular FireFox browsers and one FlowFox browser 2.A simple policy that makes reading document.cookie high 3.Crawler dumps a screenshot of each of the three browsers to a bitmap 4.First, compare the bitmaps belonging to two FireFox browsers and find the same area (unmasked area). 5.Second, compare the unmasked areas for bitmaps belonging to FireFox and FlowFox browsers.

23 EVALUATION 3.Micro Benchmark 1.Measure the overhead of executing pure JavaScript. 2.Measure the overhead for I/O intensive applications. 3.Executing pure JavaScript incurs large overhead 4.IO test shows only a negligible impact overhead

24 EVALUATION 4.Macro Benchmark 1.Measure the impact on the latency perceived by a browser user 2.The results show that the user-perceived latency for real-life web applications is acceptable

25 EVALUATION 5.Memory Benchmark 1.Measuring 500 different websites 2.FlowFox incurred a memory overhead of 88%

Download ppt "FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science Rutgers University 25.

Analyzing Information Flow in JavaScript-based Browser Extensions Mohan Dhawan and Vinod Ganapathy Department of Computer Science Rutgers University 25.
The Top 10 Reasons Why Federated Can’t Succeed And Why it Will Anyway.

The Top 10 Reasons Why Federated Can’t Succeed And Why it Will Anyway.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana.

Using Replicated Execution for a More Secure and Reliable Browser Authors: Hui Xue, Nathan Dautenhahn, Samuel T. King University of Illinois at Urbana.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
1 Perracotta: Mining Temporal API Rules from Imperfect Traces Jinlin Yang David Evans Deepali Bhardwaj Thirumalesh Bhat Manuvir Das.

1 Perracotta: Mining Temporal API Rules from Imperfect Traces Jinlin Yang David Evans Deepali Bhardwaj Thirumalesh Bhat Manuvir Das.
1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.

1 14th ACM Conference on Computer and Communications Security, Alexandria, VA Shuo Chen †, David Ross ‡, Yi-Min Wang † † Internet Services Research Center.
On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.

On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.
ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.

ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
XP 1 Working with Cascading Style Sheets Creating a Style for Online Scrapbooks Tutorial 7.

XP 1 Working with Cascading Style Sheets Creating a Style for Online Scrapbooks Tutorial 7.
Threads CSCI 444/544 Operating Systems Fall 2008.

Threads CSCI 444/544 Operating Systems Fall 2008.
Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP.

Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP.
C++ vs. Java: Similiarities & Differences Dr. Jeyakesavan Veerasamy Director of CS UTDesign program & CS Teaching Faculty University.

C++ vs. Java: Similiarities & Differences Dr. Jeyakesavan Veerasamy Director of CS UTDesign program & CS Teaching Faculty University.
Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.

Aaron Blankstein and Michael J. Freedman Princeton University Tuan Tran.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Similar presentations

Ads by Google