Secure multi-execution of web scripts: Theory and practice
作者: Willem De Groef , Dominique Devriese , Nick Nikiforakis , Frank Piessens
DOI: 10.3233/JCS-130495
关键词: Internet security 、 Enforcement 、 Web modeling 、 Web application security 、 Scripting language 、 Web browser 、 Computer security 、 Computer science 、 Macro
摘要: Secure Multi-Execution (SME) is a precise and general information flow control mechanism that was claimed to be good fit for implementing security in browsers. We validate this claim by developing FlowFox, the first fully functional web browser implements an scripts based on technique of secure multi-execution. provide evidence FlowFox proving non-interference formal model essence showing how it stops real attacks. usefulness subsumes many ad-hoc script-containment countermeasures developed over last years. An experimental evaluation Alexa top-500 sites provides compatibility, shows compatible with current web, even make intricate use JavaScript.The performance memory cost substantial (a around 20% macro benchmarks simple two-level policy), but not prohibitive. Our prototype implementation enforcement multi-execution can implemented full-scale It support powerful, yet policies refining same-origin-policy way existing websites.
kuleuven.be 
acm.org 
sci-hub.se 参考文章(55)
Mike Ter Louw, V. N. Venkatakrishnan, Karthik Thotta Ganesh, AdJail: practical enforcement of confidentiality and integrity policies on web advertisements usenix security symposium. pp. 24- 24 ,(2010)
Benjamin C. Pierce, Aaron Bohannon, Featherweight Firefox: formalizing the core of a web browser usenix conference on web application development. pp. 11- 11 ,(2010)
Engin Kirda, Christopher Krügel, Nenad Jovanovic, Giovanni Vigna, Philipp Vogt, Florian Nentwich, Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. network and distributed system security symposium. ,(2007)
Gilles Barthe, Juan Manuel Crespo, Dominique Devriese, Frank Piessens, Exequiel Rivas, Secure Multi-Execution through Static Program Transformation Formal Techniques for Distributed Systems. ,vol. 7273, pp. 186- 202 ,(2012) , 10.1007/978-3-642-30793-5_12
Panayiotis Mavrommatis, Niels Provos, Dean McNamee, Nagendra Modadugu, Ke Wang, The ghost in the browser analysis of web-based malware conference on workshop on hot topics in understanding botnets. pp. 4- 4 ,(2007)
Paul H. J. Kelly, Richard W. M. Jones, Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs Proceedings of the 3rd International Workshop on Automatic Debugging; 1997 (AADEBUG-97). pp. 13- 26 ,(1997)
Peter Eckersley, How unique is your web browser privacy enhancing technologies. pp. 1- 18 ,(2010) , 10.1007/978-3-642-14527-8_1
Martin Johns, On JavaScript Malware and related threats Journal in Computer Virology. ,vol. 4, pp. 161- 178 ,(2008) , 10.1007/S11416-007-0076-7
Alejandro Russo, Andrei Sabelfeld, Andrey Chudnov, Tracking information flow in dynamic tree structures european symposium on research in computer security. pp. 86- 103 ,(2009) , 10.1007/978-3-642-04444-1_6
Sandeep Bhatkar, R. Sekar, Wei Xu, Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks usenix security symposium. pp. 9- ,(2006)