ShadowCrypt: Encrypted web applications for everyone

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2014, Pages 1028-1039

  He, Warren ^a   Akhawe, Devdatta ^a   Jain, Sumeet ^a   Shi, Elaine ^b   Song, Dawn ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b UNIVERSITY OF MARYLAND   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

INDUSTRIAL RESEARCH;

DESIGN POINTS; DIFFERENT DOMAINS; ENCRYPTED DATA; EVALUATION RESULTS; PRACTICAL USE; RECENT RESEARCHES; SECURITY ADVANTAGE; WEB APPLICATION; DESIGN SPACES;

CRYPTOGRAPHY;

EID: 84910651389     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2660267.2660326     Document Type: Conference Paper

References (52)

1. 6WUNDERKINDER. Let's talk comments for wunderlist and our 5+ million users. http://goo.gl/PcjOR6.
2. AGARWAL, N., RENFRO, S., AND BEJAR, A. Phishing forbidden. Queue 5, 5 (2007), 28-32.
3. AGARWAL, N., RENFRO, S., AND BEJAR, A. Yahoo!'s sign-in seal and current anti-phishing solutions. In Proceedings of Web 2.0 Security & Privacy Workshop (2007).
4. BELLARE, M., RISTENPART, T., ROGAWAY, P., AND STEGERS, T. Format-preserving encryption. In Selected Areas in Cryptography (2009), pp. 295-312.
5. BETHENCOURT, J., SAHAI, A., AND WATERS, B. Ciphertext-policy attribute-based encryption. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (2007), SP '07, pp. 321-334.
6. BONEH, D., SAHAI, A., AND WATERS, B. Functional encryption: Definitions and challenges. In Proceedings of the 8th Conference on Theory of Cryptography (2011), TCC'11, pp. 253-273.
7. CASH, D., JARECKI, S., JUTLA, C. S., KRAWCZYK, H., ROSU, M.-C., AND STEINER, M. Highly-scalable searchable symmetric encryption with support for boolean queries. In CRYPTO (2013), pp. 353-373.
8. CHEN, A. Gcreep: Google engineer stalked teens, spied on chats. http://gawker.com/5637234/.
9. CHRISTODORESCU, M. Private use of untrusted web servers via opportunistic encryption. W2SP 2008: Web 2.0 Security and Privacy 2008 (2008).
10. CONSTANTIN, L. Mega: Bug bounty programme resulted in seven vulnerabilities fixed so far, Feb. 2013. http://www.computerworld.co.nz/article/488585/.
11. CONSTINE, J. Twitter and linkedin manage tasks with asana, new api means robots can too. http://goo.gl/M8monn.
12. Cryptocat blog: Xss vulnerability discovered and fixed, Aug. 2012. http://goo.gl/Nq7tVk.
13. Dromaeo: Javascript performance testing. http://dromaeo.com/.
14. FAHL, S., HARBACH, M., MUDERS, T., AND SMITH, M. Confidentiality as a service-usable security for the cloud. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on (2012), IEEE, pp. 153-162.
15. GALLAGHER, J. Thanks a million! http://blog.trello.com/thanks-a-million/.
16. GENTRY, C. Fully homomorphic encryption using ideal lattices. In STOC (2009), pp. 169-178.
17. GIFFIN, D. B., LEVY, A., STEFAN, D., TEREI, D., MAZIERES, D., MITCHELL, J., AND RUSSO, A. Hails: Protecting data privacy in untrusted web applications. In 10th Symposium on Operating Systems Design and Implementation (OSDI) (2012), pp. 47-60.
18. GLAZKOV, D. [shadow]: Consider isolation. https://www.w3.org/Bugs/Public/show-bug.cgi?id=16509.
19. GLAZKOV, D. Shadow dom. http://goo.gl/G4j3L4.
20. GOEL, V., AND WYATT, E. Facebook privacy change is subject of f.t.c. inquiry. http://nyti.ms/19IWMV8.
21. GOLDREICH, O., AND OSTROVSKY, R. Software protection and simulation on oblivious RAMs. J. ACM (1996).
22. GOOGLE. Content scripts. http://goo.gl/G2r47g.
23. GORDON, S. D., KATZ, J., KOLESNIKOV, V., KRELL, F., MALKIN, T., RAYKOVA, M., AND VAHLIS, Y. Secure two-party computation in sublinear (amortized) time. In ACM Conference on Computer and Communications Security (CCS) (2012).
24. HEIDERICH, M., NIEMIETZ, M., SCHUSTER, F., HOLZ, T., AND SCHWENK, J. Scriptless attacks: stealing the pie without touching the sill. In Proceedings of the 2012 ACM conference on Computer and communications security (2012), ACM, pp. 760-771.
25. HUANG, L.-S., MOSHCHUK, A., WANG, H. J., SCHECHTER, S., AND JACKSON, C. Clickjacking: Attacks and defenses. In Proceedings of the 21st USENIX Conference on Security Symposium (Berkeley, CA, USA, 2012), Security'12, USENIX Association, pp. 22-22.
26. JAIN, A., AND TIKIR, M. Is the web getting faster? http://goo.gl/kFXL7r.
27. KEYBASE. Keybase. https://keybase.io/.
28. KURT OPSAHL. Facebook's eroding privacy policy: A timeline. http://goo.gl/BkRknm.
29. Lastpass blog: Cross site scripting vulnerability reported, fixed, Feb. 2011. http://goo.gl/4MDNjU.
30. LU, S., AND OSTROVSKY, R. How to garble ram programs. In EUROCRYPT (2013).
31. MANIATIS, P., AKHAWE, D., FALL, K., SHI, E., MCCAMANT, S., AND SONG, D. Do you know where your data are?: Secure data capsules for deployable data protection. In Proceedings of the 13th USENIX Conference on Hot Topics in Operating Systems (Berkeley, CA, USA, 2011), HotOS'13, USENIX Association, pp. 22-22.
32. MAONE, G., HUANG, D. L.-S., GONDROM, T., AND HILL, B. User interface security directives for content security policy. http://www.w3.org/TR/UISecurity/.
33. MCGREGOR, S. Zerobin. http://goo.gl/blY1zx.
34. MEENAN, P. Webpagetest - website performance and optimization test. http://www.webpagetest.org/.
35. MOZILLA DEVELOPER NETWORK, AND INDIVIDUAL CONTRIBUTORS. Xpconnect wrappers. http://goo.gl/8eZzQ8.
36. PARNO, B., MCCUNE, J., AND PERRIG, A. Bootstrapping trust in commodity computers. In Security and Privacy (SP), 2010 IEEE Symposium on (2010), pp. 414-429.
37. POPA, R. A., REDFIELD, C. M. S., ZELDOVICH, N., AND BALAKRISHNAN, H. Cryptdb: Protecting confidentiality with encrypted query processing. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles (New York, NY, USA, 2011), SOSP '11, ACM, pp. 85-100.
38. POPA, R. A., STARK, E., VALDEZ, S., HELFER, J., ZELDOVICH, N., AND BALAKRISHNAN, H. Securing web applications by blindfolding the server. NDSI (2014).
39. PRIVLY. Privly. http://priv.ly/.
40. RECURITY LABS GMBH. Openpgp.js. http://openpgpjs.org/.
41. ROESNER, F., KOHNO, T., MOSHCHUK, A., PARNO, B., WANG, H. J., AND COWAN, C. User-driven access control: Rethinking permission granting in modern operating systems. In Security and Privacy (SP), 2012 IEEE Symposium on (2012), IEEE, pp. 224-238.
42. SAHAI, A., AND WATERS, B. Fuzzy identity-based encryption. In EUROCRYPT (2005), pp. 457-473.
43. Shadowcrypt code release. http://shadowcrypt-release.weebly.com/.
44. SONG, D. X., WAGNER, D., AND PERRIG, A. Practical techniques for searches on encrypted data. In Proceedings of the 2000 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2000), IEEE Computer Society.
45. STARK, E., HAMBURG, M., AND BONEH, D. Symmetric cryptography in javascript. In Computer Security Applications Conference, 2009. ACSAC'09. Annual (2009), IEEE, pp. 373-381.
46. STONE, P. Pixel perfect timing attacks with html5.
47. THE CHROMIUM AUTHORS. Design plans for out-of-process iframes. http://goo.gl/VqR4sv.
48. Virtru. http://www.virtru.com.
49. WIKIPEDIA. Global surveillance disclosures (2013-present). http://goo.gl/3YWjY9.
50. YANG, J., YESSENOV, K., AND SOLAR-LEZAMA, A. A language for automatically enforcing privacy policies. ACM SIGPLAN Notices 47, 1 (2012), 85-96.
51. YAO, A. C.-C. How to generate and exchange secrets. In IEEE symposium on Foundations of Computer Science (FOCS) (1986).
52. ZALEWSKI, M. Postcards from the post-xss world. http://lcamtuf.coredump.cx/postxss/.