Protecting sensitive web content from client-side vulnerabilities with CRYPTONS

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2013, Pages 1311-1324

  Dong, Xinshu ^a   Chen, Zhaofeng ^b   Siadati, Hossein ^c   Tople, Shruti ^a   Saxena, Prateek ^a   Liang, Zhenkai ^a  

^a NATIONAL UNIVERSITY OF SINGAPORE   (Singapore)

^b PEKING UNIVERSITY   (China)

^c POLYTECHNIC UNIVERSITY   (United States)

Author keywords

browser security; data protection; web security

Indexed keywords

BROWSER SECURITY; CLIENT SIDES; CLIENT-SIDE APPLICATION; DATA PROTECTION; REAL-WORLD; SENSITIVE DATAS; WEB CONTENT; WEB SECURITY;

ABSTRACTING; SEMANTICS; WEB BROWSERS; WEBSITES;

SECURITY OF DATA;

EID: 84888989716     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2508859.2516743     Document Type: Conference Paper

References (75)

1. Summary of source code modification in case studies. http://compsec.comp. nus.edu.sg/crypton/summary.pdf.
2. D. Akhawe, P. Saxena, and D. Song. Privilege separation in html5 applications. In Proceedings of the 21st USENIX Security Symposium, 2012.
3. M. Balduzzi, M. Egele, E. Kirda, D. Balzarotti, and C. Kruegel. A solution for the automated detection of clickjacking attacks. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS '10, 2010.
4. A. Barth, A. P. Felt, P. Saxena, and A. Boodman. Protecting browsers from extension vulnerabilities. In Proceedings of the 17th Annual Network and Distributed System Security Symposium, NDSS '10, 2010.
5. A. Barth, C. Jackson, C. Reis, and T. G. C. Team. The security architecture of the chromium browser. http://seclab.stanford.edu/websec/ chromium/chromium-security-architecture.pdf.
6. Bitbucket. https://bitbucket.org/.
7. A. Bittau, P. Marchenko, M. Handley, and B. Karp. Wedge: splitting applications into reduced-privilege compartments. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI '08, 2008.
8. H. Bojinov, D. Sanchez, P. Reber, D. Boneh, and P. Lincoln. Neuroscience meets cryptography: designing crypto primitives secure against rubber hose attacks. In Proceedings of the 21st USENIX Security Symposium, 2012.
9. J. Bonneau, C. Herley, P. C. v. Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012.
10. K. Borders, E. V. Weele, B. Lau, and A. Prakash. Protecting confidential data on personal computers with storage capsules. In Proceedings of the 18th USENIX Security Symposium, 2009.
11. D. Brumley and D. Boneh. Remote timing attacks are practical. In Proceedings of the 12th USENIX Security Symposium, 2003.
12. D. Brumley and D. Song. Privtrans: automatically partitioning programs for privilege separation. In Proceedings of the 13th USENIX Security Symposium, 2004.
13. CairoGraphics. cairo-glyph-t. http://cairographics.org/manual/cairo-text. html#cairo-glyph-t.
14. N. Carlini, A. P. Felt, and D. Wagner. An evaluation of the google chrome extension security architecture. In Proceedings of the 21st USENIX Security Symposium, 2012.
15. L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In Proceedings of the 5th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA '08, 2008.
16. E. Y. Chen, J. Bau, C. Reis, A. Barth, and C. Jackson. App isolation: get the security of multiple browsers with just one. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS '11, 2011.
17. E. Y. Chen, S. Gorbaty, A. Singhal, and C. Jackson. Self-exfiltration: The dangers of browser-enforced information flow control. In Proceedings of the Workshop of Web 2.0 Security & Privacy 2012, 2012.
18. S. Chen, R. Wang, X. Wang, and K. Zhang. Side-channel leaks in web applications: A reality today, a challenge tomorrow. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, 2010.
19. Y.-Y. Chen, P. A. Jamkhedkar, and R. B. Lee. A software-hardware architecture for self-protecting data. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS '12, 2012.
20. Y. Cheng and X. Ding. Virtualization based password protection against malware in untrusted operating systems. In Proceedings of the 5th International Conference on Trust and Trustworthy Computing, TRUST '12, 2012.
21. R. S. Cox, S. D. Gribble, H. M. Levy, and J. G. Hansen. A safety-oriented platform for web applications. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, 2006.
22. S. Crites, F. Hsu, and H. Chen. Omash: enabling secure web mashups via object abstractions. In Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS '08, 2008.
23. A. R. Developers. Ajaxim rpg. http://ajaximrpg.sourceforge.net/.
24. X. Dong, H. Hong, Z. Liang, and P. Saxena. A quantitative evaluation of privilege separation in web browser designs. In Proceedings of the 18th European Conference on Research in Computer Security, ESORICS '13, 2013.
25. X. Dong, M. Tran, Z. Liang, and X. Jiang. Adsentry: comprehensive and flexible confinement of javascript-based advertisements. In Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC '11, 2011.
26. DoubleVerify. Doubleverify uncovers ad fraud tied to copyright infringement sites, costing online advertisers $6.8 million per month. http://www.doubleverify.com/resources/research/DV-Fraud-Lab-Report-2013-05/, May 2013.
27. J. Engler, C. Karlof, E. Shi, and D. Song. Is it too late for pake? In Proceedings of Web 2.0 Security and Privacy Workshop 2009, 2009.
28. I. E. T. Force. Rfc 6101: The secure sockets layer (ssl) protocol version 3.0. http://tools.ietf.org/html/rfc6101, 2011.
29. M. Foundation. Mozilla foundation security advisories. http://www.mozilla.org/security/announce/.
30. W. Foundation. Wordpress. http://wordpress.org/.
31. S. Garera, N. Provos, M. Chew, and A. D. Rubin. A framework for detection and measurement of phishing attacks. In Proceedings of the 2007 ACM Workshop on Recurring Malcode, WORM '07, 2007.
32. Github. https://github.com.
33. C. Grier, S. Tang, and S. King. Designing and implementing the op and op2 web browsers. ACM Transactions on the Web, 2011.
34. M. Heiderich. Towards elimination of xss attacks with a trusted and capability controlled dom. http://heideri.ch/thesis.
35. B. Hicks, S. Rueda, D. King, T. Moyer, J. Schiffman, Y. Sreenivasan, P. McDaniel, and T. Jaeger. An architecture for enforcing end-to-end access control over web applications. In Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, SACMAT '10, 2010.
36. L.-S. Huang, A. Moshchuk, H. J. Wang, S. Schechter, and C. Jackson. Clickjacking: attacks and defenses. In Proceedings of the 21st USENIX Security Symposium, 2012.
37. Intel. Trusted compute pools with intel® trusted execution technology. http://www.intel.com/txt.
38. Internet Engineering Task Force (IETF). Rfc 6454: The web origin concept. http://www.ietf.org/rfc/rfc6454.txt.
39. C. Jackson, D. R. Simon, D. S. Tan, and A. Barth. An evaluation of extended validation and picture-in-picture phishing attacks. In Proceedings of the 11th International Conference on Financial Cryptography and 1st International Conference on Usable Security, FC'07/USEC'07, 2007.
40. K. Jayaraman, W. Du, B. Rajagopalan, and S. J. Chapin. Escudo: A fine-grained protection model for web browsers. In Proceedings of the 30th International Conference on Distributed Computing Systems, ICDCS '10, 2010.
41. N. Kobeissi, A. Breault, and E. Gill. Cryptocat. https://crypto.cat/.
42. B. Köpf and M. Dürmuth. A provably secure and efficient countermeasure against timing attacks. In Proceedings of the 2009 22nd IEEE Computer Security Foundations Symposium, CSF '09, 2009.
43. LastPass. Lastpass password manager. https://lastpass.com/.
44. A. Libonati, J. M. McCune, and M. K. Reiter. Usability testing a malware-resistant input mechanism. In Proceedings of the 18th Annual Network and Distributed System Security Symposium, NDSS '11, 2011.
45. D. Lie, C. Thekkath, M. Mitchell, P. Lincoln, D. Boneh, J. Mitchell, and M. Horowitz. Architectural support for copy and tamper resistant software. In Proceedings of the 9th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS-IX, 2000.
46. M. T. Louw, K. T. Ganesh, and V. N. Venkatakrishnan. Adjail: practical enforcement of confidentiality and integrity policies on web advertisements. In Proceedings of the 19th USENIX Security Symposium, 2010.
47. T. Luo and W. Du. Contego: capability-based access control for web browsers. In Proceedings of the 4th International Conference on Trust and Trustworthy Computing, TRUST '11, 2011.
48. P. Maniatis, D. Akhawe, K. Fall, E. Shi, S. McCamant, and D. Song. Do you know where your data are?: secure data capsules for deployable data protection. In Proceedings of the 13th Workshop on Hot Topics in Operating Systems, HotOS-XIII, 2011.
49. J. M. McCune, A. Perrig, and M. K. Reiter. Safe passage for passwords and other sensitive data. In Proceedings of the 16th Annual Network and Distributed System Security Symposium, NDSS '09, 2009.
50. L. A. Meyerovich and B. Livshits. Conscript: Specifying and enforcing fine-grained security policies for javascript in the browser. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, 2010.
51. Mozilla. Firefox os. https://developer.mozilla.org/en-US/docs/Mozilla/ Firefox-OS.
52. C. Nie. Dynamic root of trust in trusted computing. http://www.tml.tkk. fi/Publications/C/25/papers/Nie-final.pdf.
53. D. of Defense Standard. Department of defense trusted computer system evaluation criteria, 5200.28-std, 1985.
54. K. Patil, X. Dong, X. Li, Z. Liang, and X. Jiang. Towards fine-grained access control in javascript contexts. In Proceedings of the 31st International Conference on Distributed Computing Systems, ICDCS '11, 2011.
55. T. C. Projects. Chromium os. http://www.chromium.org/chromium-os.
56. T. C. Projects. Linuxsandboxing. https://code.google.com/p/chromium/wiki/ LinuxSandboxing#The-seccomp-bpf-sandbox.
57. T. C. Projects. Sandbox. http://www.chromium.org/developers/design- documents/sandbox.
58. F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, and C. Cowan. User-driven access control: Rethinking permission granting in modern operating systems. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012.
59. C. Rohlf and Y. Ivnitskiy. Attacking clientside jit compilers. http://www.matasano.com/research/Attacking-Clientside-JIT-Compilers-Paper.pdf.
60. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. In Proceedings of the IEEE, 1975.
61. N. Santos, R. Rodrigues, K. P. Gummadi, and S. Saroiu. Policy-sealed data: A new abstraction for building trusted cloud services. In Proceedings of the 21st USENIX Security Symposium, 2012.
62. P. Saxena, D. Akhawe, S. Hanna, F. Mao, S. McCamant, and D. Song. A symbolic execution framework for javascript. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, 2010.
63. S. Tang, H. Mai, and S. T. King. Trust and protection in the illinois browser operating system. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, OSDI '10, 2010.
64. Y. Tang, P. Ames, S. Bhamidipati, A. Bijlani, R. Geambasu, and N. Sarda. Cleanos: limiting mobile data exposure with idle eviction. In Proceedings of the 10th USENIX Symposium on Operating Systems Design and Implementation, OSDI '12, 2012.
65. T. R. Team. Roundcube. http://www.roundcube.net/.
66. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the 14th Annual Network and Distributed System Security Symposium, NDSS '07, 2007.
67. W3C. Content security policy 1.0. http://www.w3.org/TR/CSP/.
68. R. Wahbe, S. Lucco, T. E. Anderson, and S. L. Graham. Efficient software-based fault isolation. In Proceedings of the 14th ACM Symposium on Operating Systems Principles, SOSP '93, 1993.
69. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal os construction of the gazelle web browser. In Proceedings of the 18th USENIX Security Symposium, 2009.
70. D. Wendlandt, D. G. Andersen, and A. Perrig. Perspectives: improving ssh-style host authentication with multi-path probing. In USENIX 2008 Annual Technical Conference, ATC '08, 2008.
71. Z. E. Ye and S. Smith. Trusted paths for browsers. In Proceedings of the 11th USENIX Security Symposium, 2002.
72. C. Yue and H. Wang. Anti-phishing in offense and defense. In Proceedings of the 2008 Annual Computer Security Applications Conference, ACSAC '08, 2008.
73. Y. Zhang, J. I. Hong, and L. F. Cranor. Cantina: a content-based approach to detecting phishing web sites. In Proceedings of the 16th International Conference on World Wide Web, WWW '07, 2007.
74. Y. Zhou and D. Evans. Protecting private web content from embedded scripts. In Proceedings of the 16th European Conference on Research in Computer Security, ESORICS '11, 2011.
75. Z. Zhou, V. D. Gligor, J. Newsome, and J. M. McCune. Building verifiable trusted path on commodity x86 computers. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, 2012.