Run-time Monitoring and Formal Analysis of Information Flows in Chromium

Authors: Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, Michael Stroucken

DOI: 10.14722/NDSS.2015.23295

Keywords:

Abstract: Web browsers are a key enabler of a wide range of online services, from shopping and email to banking and health services. Because these services frequently involve handling sensitive data, a wide range of web browser security policies and mechanisms has been implemented or proposed to mitigate the dangers posed by malicious code and sites. This paper describes an approach for specifying and enforcing flexible information-flow policies on the Chromium web browser. Complementing efforts that focus on information-flow enforcement in JavaScript, our approach targets an existing browser and encompasses a broad range of browser features, from pages and scripts to DOM elements, events, persistent state, and extensions. In our approach, which is a coarse-grained, light-weight implementation of taint tracking, entities in the browser are annotated with labels that specify policy and are used to track information flows. We develop a detailed formal model of our approach and prove that it satisfies noninterference. We also develop a corresponding prototype system built on top of Chromium. We demonstrate, and experimentally confirm, that the system can enforce many policies, including practically useful policies beyond those enforceable in standard browsers.
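To make the coarse-grained, label-based taint tracking described in the abstract concrete, here is a toy monitor written for this page. It is an added illustration, not the paper's formal model or its Chromium prototype: the label lattice (sets of owning origins ordered by inclusion, joined by union), the per-origin flow policy, the entity names (cookie, ad-div) and the origins are all assumptions. The one idea it keeps from the abstract is that labels are attached to browser entities and that the running script context, rather than each variable, carries a single label that is raised on every read.

```javascript
// Added example (not from the paper): a toy coarse-grained label monitor.
// Label = set of origins whose data has influenced a value or a script context.
// Join is set union, so anything derived from two labelled inputs carries both owners.
function join(a, b) {
  return new Set([...a, ...b]);
}

// Policy (assumed shape): each owner origin lists the destinations that may
// receive its data. A label may flow to `dest` only if EVERY owner permits it.
function canFlow(label, dest, policy) {
  for (const owner of label) {
    const allowed = policy[owner] || new Set();
    if (!allowed.has(dest)) return false;
  }
  return true;
}

// Coarse-grained tracking: one "pc" label for the whole script context.
// Reads raise pc; outputs (network sends) are checked against pc.
class Monitor {
  constructor(policy) {
    this.policy = policy;
    this.pc = new Set();   // label of the running script context
    this.trace = [];       // audit trail of monitor decisions
  }
  // Reading a labelled entity (cookie, DOM node, storage item) taints the context.
  read(entity) {
    this.pc = join(this.pc, entity.label);
    this.trace.push(`read ${entity.name} -> pc={${[...this.pc].join(',')}}`);
    return entity.value;
  }
  // A network send to `dest` is an output; allow it only if pc may flow there.
  send(dest, payload) {
    const ok = canFlow(this.pc, dest, this.policy);
    this.trace.push(`${ok ? 'ALLOW' : 'DENY'} send to ${dest} (${payload.length} bytes)`);
    return ok;
  }
}

// Constructed scenario: a bank page hosting a third-party ad script.
function scenario() {
  const BANK = 'https://bank.example';
  const ADS = 'https://ads.example';
  const CDN = 'https://cdn.example';
  const policy = {
    [BANK]: new Set([BANK]),       // bank data may only go back to the bank
    [ADS]: new Set([ADS, BANK]),   // ad data may go to the ad network or the host page
  };
  // Constructed entities with their labels.
  const cookie = { name: 'cookie', value: 'session=abc123', label: new Set([BANK]) };
  const adDiv = { name: 'ad-div', value: 'campaign=42', label: new Set([ADS]) };

  // Script 1 touches only ad data: reporting to the ad network is fine.
  const m1 = new Monitor(policy);
  const adOnly = m1.send(ADS, m1.read(adDiv));

  // Script 2 also reads the bank cookie: the context is now owned by both.
  const m2 = new Monitor(policy);
  const v2 = m2.read(adDiv) + '&' + m2.read(cookie);
  const exfil = m2.send(ADS, v2);        // denied: bank does not permit ADS
  const toBank = m2.send(BANK, v2);      // allowed: both owners permit BANK
  const toCdn = m2.send(CDN, v2);        // denied: neither owner permits CDN
  // Cost of coarse granularity: even an unrelated constant is now blocked,
  // because the whole context, not the variable, carries the bank label.
  const constantAfterRead = m2.send(ADS, 'ping');

  return { adOnly, exfil, toBank, toCdn, constantAfterRead, trace: m2.trace };
}
```

The last send shows the trade-off a practitioner should expect from context-level labels: once a script has read sensitive data, every subsequent output it makes is treated as dependent on that data, which blocks covert flows through control flow but also blocks benign ones (label creep). Finer-grained schemes reduce that cost at the price of tracking every variable.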
