FlowFox: A web browser with flexible and precise information flow control

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2012, Pages 748-759

  De Groef, Willem ^a   Devriese, Dominique ^a   Nikiforakis, Nick ^a   Piessens, Frank ^a  

^a UNIVERSITY OF LEUVEN   (Belgium)

Author keywords

Information flow; Web browser architecture; Web security

Indexed keywords

GENERAL INFORMATION; INFORMATION FLOW CONTROL; INFORMATION FLOWS; JAVASCRIPT; MEMORY COST; PERFORMANCE COSTS; PROTOTYPE IMPLEMENTATIONS; WEB SECURITY;

BENCHMARKING; FLOW CONTROL; WEB BROWSERS; WEBSITES;

SECURITY OF DATA;

EID: 84869386885     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2382196.2382275     Document Type: Conference Paper

References (46)

1. D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song. Towards a Formal Foundation of Web Security. In Proceedings of the IEEE Computer Security Foundations Symposium, pages 290-304, 2010.
2. P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors. In Proceedings of the USENIX Security Symposium, pages 51-66, 2009.
3. A. Askarov and A. Sabelfeld. Tight Enforcement of Information-Release Policies for Dynamic Languages. In Proceedings of the IEEE Computer Security Foundations Symposium, pages 43-59, 2009.
4. T. H. Austin and C. Flanagan. Permissive Dynamic Information Flow Analysis. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pages 3:1-3:12, 2010.
5. T. H. Austin and C. Flanagan. Multiple Facets for Dynamic Information Flow. In Proceedings of the ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2012.
6. L. D. Baron. Preventing attacks on a user's history through css :visited selectors. http://dbaron.org/mozilla/visited-privacy, 2010.
7. A. Barth, C. Jackson, and J. C. Mitchell. Robust Defenses for Cross-Site Request Forgery. In Proceedings of the ACM Conference on Computer and Communications Security, pages 75-88, 2008.
8. A. Barth, C. Jackson, and J. C. Mitchell. Securing Frame Communication in Browsers. In Proceedings of the USENIX Security Symposium, 2008.
9. G. Barthe, J. M. Crespo, D. Devriese, F. Piessens, and E. Rivas. Secure Multi-Execution through Static Program Transformation. Proceedings of the International Conference on Formal Techniques for Distributed Systems, pages 186-202, 2012.
10. N. Bielova, D. Devriese, F. Massacci, and F. Piessens. Reactive non-interference for a browser model. In Proceedings of the International Conference on Network and System Security, 2011.
11. A. Bohannon and B. C. Pierce. Featherweight Firefox: Formalizing the Core of a Web Browser. In Proceedings of the USENIX Conference on Web Application Development, pages 123-135, 2010.
12. A. Bohannon, B. C. Pierce, V. Sjöberg, S. Weirich, and S. Zdancewic. Reactive Noninterference. In Proceedings of the ACM Conference on Computer and Communications Security, pages 79-90, 2009.
13. R. Capizzi, A. Longo, V. Venkatakrishnan, and A. Sistla. Preventing Information Leaks through Shadow Executions. In Proceedings of the Annual Computer Security Applications Conference, pages 322-331, 2008.
14. R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. Staged Information Flow for JavaScript. ACM SIGPLAN Notices, 44(6):50-62, 2009.
15. D. Crockford. Adsafe. http://www.adsafe.org/, December 2009.
16. M. Daniel, J. Honoroff, and C. Miller. Engineering Heap Overflow Exploits with JavaScript. In Proceedings of the USENIX Workshop on Offensive Technologies, 2008.
17. P. De Ryck, L. Desmet, P. Philippaerts, and F. Piessens. A Security Analysis of Next Generation Web Standards. Technical report, European Network and Information Security Agency (ENISA), 2011.
18. D. Devriese and F. Piessens. Noninterference Through Secure Multi-Execution. In Proceedings of the IEEE Symposium on Security and Privacy, pages 109-124, 2010.
19. Facebook. Fbjs. http://developers.facebook.com/docs/fbjs/, 2011.
20. D. Flanagan. JavaScript: The Definitive Guide. O'Reilly Media, Inc., 6th edition, 2011.
21. D. Hedin and A. Sabelfeld. Information-Flow Security for a Core of JavaScript. In Proceedings of the IEEE Computer Security Foundations Symposium, 2012.
22. W3c: Html5. http://dev.w3.org/html5/spec/Overview.html.
23. D. Jang, R. Jhala, S. Lerner, and H. Shacham. An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications. In Proceedings of the ACM Conference on Computer and Communications Security, pages 270-283, 2010.
24. M. Jaskelioff and A. Russo. Secure Multi-Execution in Haskell. In Proceedings of Andrei Ershov International Conference on Perspectives of System Informatics, 2011.
25. M. Johns. On JavaScript Malware and related threats - Web page based attacks revisited. Journal in Computer Virology, 4(3):161-178, August 2008.
26. R. W. M. Jones and P. H. J. Kelly. Backwards-compatible bounds checking for arrays and pointers in C programs. In Proceedings of the International Workshop on Automatic Debugging, pages 13-26, 1997.
27. V. Kashyap, B. Wiedermann, and B. Hardekopf. Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach. In Proceedings of the IEEE Conference on Security and Privacy, pages 413-428, 2011.
28. G. Le Guernic. Confidentiality Enforcement Using Dynamic Information Flow Analyses. PhD thesis, Kansas State University, 2007.
29. S. Maffeis, J. C. Mitchell, and A. Taly. Object Capabilities and Isolation of Untrusted Web Applications. In Proceedings of the IEEE Symposium on Security and Privacy, pages 125-140, 2010.
30. J. Magazinius, A. Askarov, and A. Sabelfeld. A Lattice-based Approach to Mashup Security. In Proceedings of the ACM Symposium on Information, Computer and Communications Security, pages 15-23, 2010.
31. M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized javascript. http://google-caja.googlecode.com/files/ caja-spec-2008-01-15.pdf, January 2008.
32. N. Nikiforakis, L. Invernizzi, A. Kapravelos, S. Van Acker, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna. You Are What You Include: Large-scale Evaluation of Remote JavaScript Inclusions. In Proceedings of the ACM Conference on Computer and Communications Security, 2012.
33. N. Nikiforakis, W. Meert, Y. Younan, M. Johns, and W. Joosen. SessionShield: Lightweight protection against session hijacking. In Proceedings of the International Symposium on Engineering Secure Software and Systems, pages 87-100, 2011.
34. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All Your iFRAMEs Point to Us. In Proceedings of the USENIX Security Symposium, pages 1-15, 2008.
35. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The Ghost In The Browser Analysis of Web-based Malware. In Proceedings of the USENIX Workshop on Hot Topics in Understanding Botnets, 2007.
36. A. Russo and A. Sabelfeld. Securing Timeout Instructions in Web Applications. In Proceedings of the IEEE Computer Security Foundations Symposium, pages 92-106, 2009.
37. A. Russo, A. Sabelfeld, and A. Chudnov. Tracking Information Flow in Dynamic Tree Structures. In Proceedings of the European Symposium on Research in Computer Security, pages 86-103, 2009.
38. A. Sabelfeld and A. C. Myers. Language-Based Information-Flow Security. IEEE Journal on Selected Areas of Communications, 21(1):5-19, January 2003.
39. K. Singh, A. Moshchuk, H. J. Wang, and W. Lee. On the Incoherencies in Web Browser Access Control Policies. In Proceedings of the IEEE Symposium on Security and Privacy, pages 463-478, 2010.
40. M. Ter Louw, K. T. Ganesh, and V. Venkatakrishnan. Adjail: Practical Enforcement of Confidentiality and Integrity Policies on Web Advertisements. In Proceedings of the USENIX Security Symposium, pages 24-24, 2010.
41. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Krügel, and G. Vigna. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. In Proceedings of the Annual Network & Distributed System Security Symposium, 2007.
42. Z. Weinberg, E. Y. Chen, P. R. Jayaraman, and C. Jackson. I Still Know What You Visited Last Summer: User interaction and side-channel attacks on browsing history. In Proceedings of the IEEE Symposium on Security and Privacy, 2011.
43. W. Xu, S. Bhatkar, and R. Sekar. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. In Proceedings of the USENIX Security Symposium, pages 121-136, 2006.
44. A. Yip, N. Narula, M. Krohn, and R. Morris. Privacy-preserving browser-side scripting with BFlow. In Proceedings of the ACM European Conference on Computer Systems, pages 233-246. ACM, 2009.
45. Y. Younan, W. Joosen, and F. Piessens. Runtime countermeasures for code injection attacks against C and C++ programs. ACM Computing Surveys, 44(3):17:1-17:28, 2012.
46. Y. Younan, P. Philippaerts, L. Cavallaro, R. Sekar, F. Piessens, and W. Joosen. PAriCheck: An Efficient Pointer Arithmetic Checker for C Programs. In Proceedings of the ACM Symposium on Information, Computer and Communications Security, pages 145-156, 2010.