Information Flow Control for Event Handling and the DOM in Web Browsers
作者: Vineet Rajani , Abhishek Bichhawat , Deepak Garg , Christian Hammer
DOI: 10.1109/CSF.2015.32
关键词:
摘要: Web browsers routinely handle private information. Owing to a lax security model, and JavaScript in particular, are easy targets for leaking sensitive data. Prior work has extensively studied information flow control (IFC) as mechanism securing browsers. However, two central aspects of web -- the Document Object Model (DOM) event handling have so far evaded thorough scrutiny context IFC. This paper advances state-of-the-art this regard. Based on standard specifications code an actual browser engine, we build formal models both DOM (up Level 3) loop typical browser, enhance with fine-grained taints checks IFC, prove our enhancements sound test ideas through instrumentation WebKit, in-production engine. In doing so, observe several channels leak that arise due subtleties its interaction DOM.
mpg.de
mpi-sws.org
acm.org 
sci-hub.se 参考文章(37)
Ana Almeida-Matos, José Fragoso Santos, Tamara Rezk, An Information Flow Monitor for a Core of DOM trustworthy global computing. pp. 1- 16 ,(2014) , 10.1007/978-3-662-45917-1_1
Benjamin C. Pierce, Aaron Bohannon, Featherweight Firefox: formalizing the core of a web browser usenix conference on web application development. pp. 11- 11 ,(2010)
Abhishek Bichhawat, Vineet Rajani, Deepak Garg, Christian Hammer, Information Flow Control in WebKit’s JavaScript Bytecode principles of security and trust. pp. 159- 178 ,(2014) , 10.1007/978-3-642-54792-8_9
Benjamin S. Lerner, Shriram Krishnamurthi, Matthew J. Carroll, Dan P. Kimmel, Hannah Quay-De La Vallee, Modeling and reasoning about DOM events usenix conference on web application development. pp. 1- 1 ,(2012)
Engin Kirda, Christopher Krügel, Nenad Jovanovic, Giovanni Vigna, Philipp Vogt, Florian Nentwich, Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. network and distributed system security symposium. ,(2007)
Alejandro Russo, Andrei Sabelfeld, Andrey Chudnov, Tracking information flow in dynamic tree structures european symposium on research in computer security. pp. 86- 103 ,(2009) , 10.1007/978-3-642-04444-1_6
Stephan Arthur Zdancewic, Andrew Myers, Programming languages for information security Cornell University. ,(2002)
Gurvan Le Guernic, Anindya Banerjee, Thomas Jensen, David A. Schmidt, Automata-based confidentiality monitoring ASIAN'06 Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues. pp. 75- 89 ,(2006) , 10.1007/978-3-540-77505-8_7
Andrei Sabelfeld, Alejandro Russo, From dynamic to static and back: riding the roller coaster of information-flow control research international andrei ershov memorial conference on perspectives of system informatics. ,vol. 5947, pp. 352- 365 ,(2009) , 10.1007/978-3-642-11486-1_30
Christian Hammer, Jan Vitek, Brian Burg, Gregor Richards, The eval that men do: A large-scale study of the use of eval in javascript applications european conference on object-oriented programming. pp. 52- 78 ,(2011) , 10.5555/2032497.2032503