Professional Documents
Culture Documents
Flowfox: A Web Browser With Flexible and Precise Information Flow Control
Flowfox: A Web Browser With Flexible and Precise Information Flow Control
The remainder of this paper is organized as follows: in With these information assets and attacker model in
Section 2 we define our threat model, and give examples mind, we give concrete example threats that are in scope,
of threats that are in scope and out of scope for this pa- and threats we consider out-of-scope for this paper.
per. Section 3 gives a high-level overview of the design of
FlowFox, and Section 4 discusses key implementation as-
2.1 In-scope Threats
pects. In Section 5, we evaluate FlowFox with respect to Here are some concrete examples of threats that can be
compatibility, security and performance. Section 6 discusses mitigated by FlowFox. We will return to these examples
related work, and Section 7 concludes. further in the paper.
Threats Not Related to Scripting. It is relatively easy to see that executing a program un-
This includes e.g. attacks at the network level (eavesdrop- der the SME regime will guarantee non-interference: the
ping on or tampering with network traffic) or CSRF attacks copy that does output at level L only sees inputs of level L
that do not make use of scripts [7]. and hence the output could not have been influenced by in-
puts of level H. For a more general description of the SME
mechanism, and a soundness proof, the reader is referred to
3. FLOWFOX Devriese and Piessens [18], and to Kashyap et al. [27].
In this section we describe the design of FlowFox. First,
we briefly recap some notions of information flow security 3.3 In-Browser SME
and the secure multi-execution (SME) enforcement mecha- An important design decision when implementing SME for
nism. Then we discuss how SME can be applied to browsers, web scripts is how to deal with the browser API exposed to
3 if (i.width > 50) { /* layout the page differently */ }
Script Script Script L Script H For this example, we label reading document.cookie as
confidential input, and we label setting the src property of
Browser L Browser H Browser
an Image object (which results in an HTTP request to the
given URL) as public output. Reading the width property of
Operating System Operating System the image (also a DOM API call) is labeled as public input.
We discuss how this script is executed in FlowFox. First,
it is executed at the low level. Here, reading the cookie
results in a default value, e.g. the empty string. Then the
image is fetched – without leaking the actual cookie content
Figure 1: Two design alternatives.
– and when reading the width of the image (resulting e.g. in
100), the value that was read is stored for reuse in the high
scripts. A first option is to multi-execute the entire browser: execution:
the API interactions would become internal interactions and 1 var url = "http://host/image.jpg?=" + document.cookie "";
each SME copy of the browser would have its own copy of 2 var i = new Image(); i.src = url;
the DOM. Both Bielova et al. [10] and Capizzi et al. [13] 3 if (i.width > 50) { /* layout the page differently */ }
applied this strategy in their implementations.
The alternate strategy is to only multi-execute the web Next, the script is executed at the high level. In this level,
scripts and to treat all interactions with the browser API the setting of the src property is suppressed. The reading
as inputs and outputs. Both designs are shown in Figure 1. of the width property is replaced by the reuse of the value
Both designs have their advantages and disadvantages. read at the low level.
When multi-executing the entire browser, the information 1 var url = "http://host/image.jpg?=" + document.cookie;
flow policy has to label inputs and outputs at the abstrac- 2 var i = new Image(); i.src = url;
tion level provided by the operating system. The policy can 3 if (i.width100 > 50) { /* layout the page differently */ }
talk about I/O to files and network connections, or about
windows and mouse events. Multi-execution can be im- This example shows how, even though the script is exe-
plemented relatively easily by running multiple processes. cuted twice, each browser API call is performed only once.
However, at this level of abstraction, the SME enforcement As a consequence, if the original script was non-interferent,
mechanism lacks the necessary context information to give the script executed under multi-execution behaves exactly
an appropriate label to e.g. mouse events. The operating the same. In other words, SME is precise: the behavior of
system does not know to which tab, or which HTML element secure programs is not modified by the enforcement mecha-
in that tab a specific mouse click or key press is directed. nism. This is relatively easy to see: if low outputs did not
It can also not distinguish individual HTML elements that depend on high inputs to start from, then replacing high
scripts are reading from or writing to. inputs with default values will not impact the low outputs.
When multi-executing only the scripts, the information flow We refer again to [18, §IV.A] for a formal proof.
policy has to label inputs and outputs at the abstraction
level offered by the browser API. The policy can talk about 3.4 Security Policies
reading from or writing to the text content of specific HTML In FlowFox every DOM API call is interpreted as an
elements, and can assign appropriate labels to such in- output message to the DOM (the invocation with the actual
put and output operations. However, implementing multi- parameters), followed by an input from the DOM (the return
execution is harder, as it now entails making cross-cutting value).1 DOM events delivered to scripts are interpreted as
modifications to the source code of a full-blown browser – inputs. The policy deals with events by giving appropriate
e.g. a system call interface is cleaner from a design per- labels to the DOM API calls that register handlers.
spective than a prototypical web browser and as such easier Hence a FlowFox policy must specify two things. First,
to modify. Also, policies become more complex, as there it assigns security levels to DOM API calls. Second, a de-
are much more methods in the browser API than there are fault return value must be specified for each DOM API call
system calls. that could potentially be skipped by the SME enforcement
FlowFox takes the second approach, as the first ap- mechanism (see Rule 3 in Section 3.2).
proach is too coarse grained and imprecise to counter rel-
evant threats. The first approach (taken by [13, 10]) can Policy Rule. A policy rule has the form R[D] : C1 →
e.g. not protect against a script leaking an e-mail typed by l1 , . . . , Cn → ln ,→ dv where R is a rule name, D is a DOM
the user into a web mail application to any third party with API method name, the Ci are boolean expressions, the li
whom the browser has an active session in another tab, be- are security levels and dv is a JavaScript value.
cause the security enforcement mechanism cannot determine
to which origin the user text input is directed. Policy rules are evaluated in the context of a specific
Hence, browser API interactions are treated as inputs and invocation of the DOM API method D, and the boolean
outputs in FlowFox, and should be labeled with an appro- expressions Ci are JavaScript expressions and can access
priate security label. Based on a simple example, we show the receiver object (arg0 ) and arguments (argi ) of that in-
how this works. Consider malicious code, trying to disclose vocation. Given such an invocation, a policy rule associates
the cookie information as part of a session hijacking attack: 1
For API methods that return void, this can be optimized;
1 var url = "http://host/image.jpg?=" + document.cookie; they can be considered just outputs, but we ignore that op-
2 var i = new Image(); i.src = url; timization in the discussion below.
a level and a default value with the invocation as follows. #1
The default value is just the value dv. The conditions Ci
{L, window, Object}
are evaluated from left to right. If Cj is the first one that
evaluates to true, the level associated with the invocation {H, window, Object}
is lj . If none of them evaluate to true, the level associated
{L, Math, Object} #2
with the invocation is L.
Policies are specified as a sequence of policy rules, and #3 {H, Math, Object} {L, sin, Function}
associate a level and default value with any given DOM ...
{L, a, Object} {H, sin, Function}
API invocation as follows. For an invocation of DOM API ...
method D, if there is a policy rule for D, that rule is used #4 {H, a, Object}
to determine level and default value. If there is no rule in ...
{L, b, Object} #5
the policy for D, that call is considered to have level L, with
default value undefined. The default value for invocations {H, b, Numeric} {L, c, Numeric}
classified at L is irrelevant, as the SME rules will never re- ... ...
quire a default value for such invocations.
Making API calls low by default, supports the writing of 7
short and simple policies. The empty policy (everything low)
corresponds to standard browser behavior. By selectively
making some API calls high, we can protect the information
returned by these calls. It can only flow to calls that also Figure 2: Extended JSObjects with support for SME.
have been made high.
JavaScript properties that are part of the DOM API can #1
be considered to consist of a getter method and a setter
method. For simplicity, we provide some syntactic sugar for {L, window, Object}
#2
setting policies on properties: for a property P (e.g. doc- #3 {L, Math, Object}
ument.cookie), a single policy rule specifies a level l and ... {L, sin, Function}
default value dv. The getter method then gets the level l {L, a, Object} ...
and default value dv and the setter method gets the level l {L, b, Object}
and the default value true – for a setter, the return value is a ... #5
boolean indicating whether the setter completed succesfully. {L, c, Numeric}
7 ...
Examples.
Policy rule R1 specifies that reading and writing of doc-
ument.cookie is classified as H, with default value (the
empty String): Figure 3: Extended JSObjects in a JSContext viewed
R1 [document.cookie] : true → H ,→ under security level L.
As a second example, consider some methods of XML-
HttpRequest objects (abbreviated below as xhr). The as- Every execution of JavaScript code happens in a specific
signed level depends on the origin to where the request is context, internally known as a JSContext. We augment the
sent: JSContext data structure to contain the current security
(
R2 [xhr.open] : sameorigin(arg1 ) → H ,→ true level and a boolean variable to indicate if SME is enabled.
JSObjects in SpiderMonkey represent the regular JavaScript
R3 [xhr.send] : sameorigin(arg0 .origin) → H ,→ true
objects living in a JSContext. Each property of a JSObject
with sameorigin() evaluating to true if its first ar- has related meta information, contained in a Shape data
gument points to the same origin as the document structure. Such a Shape is one of the key elements in our
the script is part of. Finally, the following policy implementation.
ensures that keypress events are treated as high inputs: By extending Shapes with an extra field for the security
level, we allow JSObjects to have the same property (with
(
R4 [onkeypress] : true → H ,→ true
a potentially different value) on every security level. The
R5 [addEventListener] : arg1 = ”keypress” → H ,→ true result of this modification is a JSObject behaving differently,
depending on the security level of the overall JSContext.
4. IMPLEMENTATION We represent the augmented Shape by the triplet {security
FlowFox is implemented on top of Mozilla Firefox 8.0.1 level, property name, property value} as shown in Figure 2.
and consists of about ±1400 new lines of C/C++ code. We Only properties with shapes of the same security level as the
discuss the most interesting aspects of this implementation. coordinating JSContext are considered when manipulating a
property of a JSObject. Figure 3 shows the visible JSObject
4.1 SME-aware JavaScript Engine graph of Figure 2 when operating in a JSContext with a low
The SpiderMonkey software library is the JavaScript en- security level.
gine of the Mozilla Firefox architecture. It is written in With these extensions in place, implementing the multi-
C/C++. The rationale behind our changes to SpiderMon- execution part is straightforward: we add a loop over all
key, is to allow JavaScript objects to operate (and poten- available security levels (starting with the bottom element of
tially behave divergently) on different security levels. our lattice) around the code that is responsible for compiling
1 process (methodName, args, curLevel) { 1 function handler (e) {
2 l, dv = policy(methodName, args); 2 new Image().src = "http://host/?=" + e.charCode;
3 if (curLevel == l) { 3 }
4 result = perform_call(); 4 $("target1").onkeypress = handler;
5 resultCache.store(result,methodName,args); 5 $("target2").addEventListener( "keypress", handler, false);
6 return result;
7 } else if (curLevel > l) {
8 result = resultCache.retrieve(methodName, args);
9 return result; Figure 5: Example of an event handler leaking pri-
10 } else if (curLevel < l) { vate information.
11 return dv;
12 }
13 }
augmented the event listener data structure with the SME
state and the security level. We adjust accordingly both the
Figure 4: Implementation of the SME I/O rules. security level and the SME state of the current JSContext
at the moment of execution of an event handler.
Take as an example the code in Figure 5 that tries to leak
and executing JavaScript code. Before each loop, we update the pressed key code. With the policy discussed in Section
the associated security level of the JSContext. 3.4 that makes keypress a H event, the leak will be closed:
the handler will only be installed in the high execution, and
4.2 Implementation of the SME I/O Rules that execution will skip the image load that leaks the pressed
key.
The next important aspect of our implementation is how
we intercept all DOM API calls, and enforce the SME I/O
rules on them. 5. EVALUATION
To intercept DOM API calls, we proceed as follows. Every We evaluate our FlowFox prototype in three major ar-
DOM call from a JavaScript program to its corresponding eas: compatibility with major websites, security guarantees
entry in the C/C++ implemented DOM, needs to convert offered, and performance and memory overhead.
JavaScript values back and forth to their C/C++ counter-
parts. Within the Mozilla framework, the XPConnect layer 5.1 Compatibility
handles this task. The existence of this translation layer
Since SME is precise [18, §IV.A], theory predicts that
enables us to easily intercept all the DOM API calls. We
FlowFox should not modify the behavior of the browser
instrumented this layer with code that processes each DOM
for sites that comply with the policy. Moreover, SME can
API call according to the SME I/O rules. We show pseudo
sometimes fix interferent executions by providing appropri-
code in Figure 4.
ate default values to the low execution. We perform two
For an intercepted invocation of a DOM API method
experiments to confirm these hypotheses.
methodName with arguments args in the execution at level
In a first experiment, we measure what impact Flow-
curLevel, the processing of the intercepted invocation goes
Fox has for users on the visual appearance of websites. We
as follows.
construct an automated crawler that instructs two Firefox
First (line 2) we consult the policy to determine the level
browser and one FlowFox browser to visit the Alexa top
and default value associated with this invocation as detailed
500 websites2 . FlowFox is configured with a simple policy
in Section 3.4. Further processing depends on the relative
that makes reading document.cookie high. Most websites
ordering of the level of the invocation (l) and the level of the
are expected to comply with this policy. After loading of
current execution (curLevel). If they are equal (lines 3-6),
the websites has completed, the crawler dumps a screenshot
we allow the call to proceed, and store the result in a cache
of each of the three browsers to a bitmap. We then com-
for later reuse in executions at higher levels. If the current
pare these bitmaps in the following way. First, we compute
execution is at a higher level (lines 7-9), we retrieve the result
a mask that masks out each pixel in the bitmap that is dif-
for this call from the result cache – the result is guaranteed
ferent in the bitmaps obtained from the two regular Firefox
to exists because of the loop with its associated security
browsers. The mask covers the areas of the site that are
level starting at the bottom element and going upwards –
different on each load (such as slideshow images, advertise-
and reuse it in the execution at this level. The actual DOM
ments, timestamps, and so forth). Masks are usually small.
method is not called. Finally, if the level of the current
Figure 6 shows the distribution of the relative sizes of the
execution is below the level of the DOM API invocation,
unmasked area of the bitmaps: 100% means that the two
then we do not perform the call but return the appropriate
Firefox browsers rendered the page exactly the same; not a
default value (lines 10-11).
single pixel on the screen is different. The main reasons for
a larger mask – observed after manual inspection – were (i)
4.3 Event Handling content shifts on the y-axis of the screen because of e.g. a
As discussed above, labels for events are specified in the horizontal bar in one the two instances or (ii) varying screen-
policy by labeling the methods/properties that register event filling images.
handlers. As a consequence, low events will be handled by Next, we compute the difference between the FlowFox
both the low and high execution (in respectively a low and generated bitmap and either of the two Firefox generated
high context). High events will only be handled by the high bitmaps over the unmasked area. It does not matter which
execution. This is the correct way to deal with events in Firefox instance we compare to, as their bitmaps are of
SME [10]. course equal for the unmasked area. Figure 7 shows the
Hence, we have to execute an event handler in a JSCon-
2
text with the same security level as it was installed. We http://www.alexa.com/topsite
60% for which we worked out and recorded a specific, complex
50% use case scenario of an authenticated user interacting with
Frequency
40% that web site. We played these in FlowFox with the ses-
30% sion cookie policy. In addition, we selected some sites that
20% perform behavior tracking, and browsed them in a way that
10% triggers this tracking (e.g. selecting and copying text) with
0% a policy that protects against tracking (see Section 5.2.2).
Appendix A contains an overview of a representative sample
0%
20
40
60
80
10
of our use cases recordings.
%
0%
For all scenarios, the behavior of FlowFox was for the
user indistinguishable from the Firefox browser. For the
behavior tracking sites, the information leaks were closed
Figure 6: Distribution of the relative size of the un- – i.e. FlowFox fixed the executions in the sense that the
masked surface for the top-500 web sites. original script behavior was preserved, except the leakage of
sensitive information was replaced with default values. This
has no impact on user experience, as the user does not notice
80%
70% these leaks in Firefox either.
60% This second experiment confirms our conclusions from the
Frequency
20
40
60
80
10
%
0%
de
ear
ray
reg
ric
spl
io
lta
ha
ay
ley
exp
pto
tra
am
fac
ya
blo
go
wi
rds
blu
ho
kip
-bo
og
ce
eb
azo
gg
e
le
o
oo
er
ed
yer
ia
Figure 9: Latency induced by FlowFox on scenarios.
Figure 8: Experimental results for the micro bench-
marks.
second compatibility experiment for both the unmodified
Mozilla Firefox 8.0.1 browser and FlowFox. The results
We used the Google Chrome v8 Benchmark suite ver- in Figure 9 show the average execution time (including the
sion 6 5 – a collection of pure JavaScript benchmarks used standard deviation) of each scenario for both browsers. In
to tune the Google Chrome project – to benchmark the order to realistically simulate a typical browsing environ-
JavaScript interpreter of our prototype. To simulate I/O ment, caching was enabled during browsing, but cleared be-
intensive applications, we reused the I/O test from Devriese tween different browser runs. The results show that the
and Piessens [18, §V.B]. This test simulates interleaved in- user-perceived latency for real-life web applications is at an
puts and outputs at all available security levels while simu- acceptable scale.
lating a 10ms I/O latency.
We measured timings for three different runs: (i) the 5.3.3 Memory Benchmarks
original unmodified SpiderMonkey, (ii) SpiderMonkey with Finally, we provide a measurement of the memory
our modifications but without multi-executing (every bench- cost of FlowFox. During the compatibility experiment,
mark was essentially executed at a low security level with all where FlowFox was browsing to 500 different websites,
available DOM calls assigned a low security level) and (iii) we measured the memory consumption for each site via
SpiderMonkey with SME enabled. about:memory after the onload event. On average, Flow-
The results of this experiment in Figure 8 show that our Fox incurred a memory overhead of 88%.
modifications have the largest impact – even when not multi-
executing – for applications that extensively exploit data 6. RELATED WORK
structures, like splay and raytrace. The results also con-
firm our expectations that our prototype implementation We discuss related work on (i) information flow security
more or less doubles execution time when actively multi- and specific enforcement mechanisms and (ii) general web
executing with two security levels. The io test shows only a script security countermeasures.
negligible impact overhead, because while one security level
blocks on I/O, the other level can continue to execute. The Information Flow Security.
results are in line with previous research results of another Information flow security is an established research area,
SME implementation [18]. and too broad to survey here. For many years, it was dom-
Since web scripts can be I/O intensive, the small perfor- inated by research into static enforcement techniques. We
mance impact on I/O intensive code is important, and one point the reader to the well-known survey by Sabelfeld and
can expect macro-benchmarks for web scenarios to be sub- Myers [38] for a discussion of general, static approaches to
stantially better than 200%. information flow enforcement.
Dynamic techniques have seen renewed interest in the last
5.3.2 Macro Benchmarks decade. Le Guernic’s PhD thesis [28] gives an extensive sur-
The goal of the second performance experiment is to mea- vey up to 2007, but since then, significant new results have
sure the impact on the latency perceived by a browser user. been achieved. Recent works propose run time monitors for
We used the web application testing framework Selenium information flow security, often with a particular focus on
to record and automatically replay six scenarios from our JavaScript, or on the web context. Sabelfeld et al. have
proposed monitoring algorithms that can handle DOM-like
5 structures [37], dynamic code evaluation [3] and timeouts
http://v8.googlecode.com/svn/data/benchmarks/v6/
revision 10404. [36]. In a very recent paper, Hedin and Sabelfeld [21] pro-
pose dynamic mechanisms for all the core JavaScript lan- other existing proposals, and we point the reader to their
guage features. Austin and Flanagan [4] have developed paper for a more extensive discussion of work in this area.
alternative, sometimes more permissive techniques. These Isolation is easier to achieve than non-interference, but it
run time monitoring based techniques are likely more effi- is also more restrictive: often access needs to be denied to
cient than the technique proposed in this paper, but they make sure the script can not leak the information, but it
lack the precision of secure multi-execution: such monitors would be perfectly fine to have the script use the informa-
will block the execution of some non-interferent programs. tion locally in the browser.
Secure multi-execution (SME) is another dynamic tech- Taint tracking is an approximation to information flow
nique that was developed independently by several re- security, that only takes explicit flows into account. It
searchers. Capizzi et al. [13] proposed shadow executions: can be implemented more efficiently than dynamic infor-
they propose to run two executions of processes for the H mation flow enforcement techniques, and several authors
(secret) and L (public) security level to provide strong con- have proposed taint tracking systems for web security. Two
fidentiality guarantees. They applied their technique also representative examples are Xu et al. [43], who propose
to Mozilla Firefox but they multi-execute the entire browser taint-enhanced policy enforcement as a general approach to
and hence can’t enforce the same script policies as Flow- mitigate implementation-level vulnerabilities, and Vogt et
Fox can, as we discussed in Section 3.3. Devriese and al. [41] who propose taint tracking to defend against cross-
Piessens [18] were the first to prove the strong soundness site scripting.
and precision guarantees that SME offers. They also report Besides these general alternative approaches, many ad-hoc
on a JavaScript implementation that requires a modified vir- countermeasures for specific classes of web script security
tual machine, but without integrating it in a browser. problems have been proposed – because of space constraints,
These initial results were improved and extended in sev- we don’t provide a full list. We discussed the examples of
eral ways: Kashyap et al. [27], generalize the technique of AdJail [40], SessionShield [33] and history sniffing [42] in the
secure multi-execution to a family of techniques that they paper.
call the scheduling approach to non-interference, and they
analyze how the scheduling strategy can impact the secu-
rity properties offered. Jaskelioff and Russo [24] propose a
7. CONCLUSIONS
monadic library to realize secure multi-execution in Haskell, We have discussed the design, implementation and evalu-
and Barthe et al. [9] propose a program transformation ation of FlowFox, a browser that extends Mozilla Firefox
that simulates SME. Bielova et al. [10] propose a variant with a general, flexible and sound information flow control
of secure multi-execution suitable for reactive systems such mechanism. FlowFox provides evidence that information
as browsers. This paper develops the theory of SME for flow control can be implemented in a full-scale web browser,
reactive systems, but the implementation is only for a sim- and that doing so, supports powerful security policies with-
ple browser model written in OCaml. Finally, Austin and out compromising compatibility.
Flanagan [5] develop a more efficient implementation tech- All our research material – including the prototype imple-
nique. Their multi-faceted evaluation technique could lead mentation and the Selenium test cases – is available online at
to a substantial improvement in performance for FlowFox, http://distrinet.cs.kuleuven.be/software/FlowFox/.
especially for policies with many levels.
Also static or hybrid techniques specifically for informa- 8. ACKNOWLEDGMENTS
tion flow security in JavaScript or in browsers have been
The authors thank Andrei Sabelfeld, Nataliia Bielova,
proposed, but these techniques either are quite restrictive
Fabio Massacci and the anonymous reviewers for their feed-
and/or can not handle the full JavaScript language. Bo-
back on draft versions of this paper. The development of
hannan et al. [12, 11] define a notion of non-interference
FlowFox was strongly influenced by discussions with and
for reactive systems, and show how a model browser can
feedback from the WebSand and SPION project teams.
be formalized as such a reactive system. Chugh et al. [14]
This research is partially funded by the Research Fund
have developed a novel multi-stage static technique for en-
KU Leuven, the EU-funded FP7 projects NESSoS and Web-
forcing information flow security in JavaScript. BFlow [44]
Sand and by the IWT-SBO project SPION. Dominique De-
provides a framework for building privacy-preserving web
vriese holds a Ph.D. fellowship of the Research Foundation
applications and includes a coarse-grained dynamic infor-
- Flanders (FWO).
mation flow control monitor.
With the financial support from the Prevention of and
Fight against Crime Programme of the European Union
Other Web Script Security Countermeasures. European Commission – Directorate-General Home Affairs.
Information flow security is one promising approach to This publication reflects the views only of the authors, and
web script security, but two other general-purpose ap- the European Commission cannot be held responsible for
proaches have been applied to script security as well: isola- any use which may be made of the information contained
tion and taint-tracking. therein.
Isolation or sandboxing based approaches develop tech-
niques where scripts can be included in web pages with-
out giving them (full) access to the surrounding page and 9. REFERENCES
the browser API. Several practical systems have been pro- [1] D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and
posed, including ADSafe [15], Caja [31] and Facebook D. Song. Towards a Formal Foundation of Web
JavaScript [19]. Maffeis et al. [29] formalize the key mech- Security. In Proceedings of the IEEE Computer
anisms underlying these sandboxes and prove they can be Security Foundations Symposium, pages 290–304,
used to create secure sandboxes. They also discuss several 2010.
[2] P. Akritidis, M. Costa, M. Castro, and S. Hand. [18] D. Devriese and F. Piessens. Noninterference Through
Baggy Bounds Checking: An Efficient and Secure Multi-Execution. In Proceedings of the IEEE
Backwards-Compatible Defense against Symposium on Security and Privacy, pages 109–124,
Out-of-Bounds Errors. In Proceedings of the USENIX 2010.
Security Symposium, pages 51–66, 2009. [19] Facebook. Fbjs.
[3] A. Askarov and A. Sabelfeld. Tight Enforcement of http://developers.facebook.com/docs/fbjs/, 2011.
Information-Release Policies for Dynamic Languages. [20] D. Flanagan. JavaScript: The Definitive Guide.
In Proceedings of the IEEE Computer Security O’Reilly Media, Inc., 6th edition, 2011.
Foundations Symposium, pages 43–59, 2009. [21] D. Hedin and A. Sabelfeld. Information-Flow Security
[4] T. H. Austin and C. Flanagan. Permissive Dynamic for a Core of JavaScript. In Proceedings of the IEEE
Information Flow Analysis. In Proceedings of the ACM Computer Security Foundations Symposium, 2012.
SIGPLAN Workshop on Programming Languages and [22] W3c: Html5.
Analysis for Security, pages 3:1–3:12, 2010. http://dev.w3.org/html5/spec/Overview.html.
[5] T. H. Austin and C. Flanagan. Multiple Facets for [23] D. Jang, R. Jhala, S. Lerner, and H. Shacham. An
Dynamic Information Flow. In Proceedings of the Empirical Study of Privacy-Violating Information
ACM SIGPLAN-SIGACT Symposium on Principles of Flows in JavaScript Web Applications. In Proceedings
Programming Languages, 2012. of the ACM Conference on Computer and
[6] L. D. Baron. Preventing attacks on a user’s history Communications Security, pages 270–283, 2010.
through css :visited selectors. [24] M. Jaskelioff and A. Russo. Secure Multi-Execution in
http://dbaron.org/mozilla/visited-privacy, 2010. Haskell. In Proceedings of Andrei Ershov International
[7] A. Barth, C. Jackson, and J. C. Mitchell. Robust Conference on Perspectives of System Informatics,
Defenses for Cross-Site Request Forgery. In 2011.
Proceedings of the ACM Conference on Computer and [25] M. Johns. On JavaScript Malware and related threats
Communications Security, pages 75–88, 2008. - Web page based attacks revisited. Journal in
[8] A. Barth, C. Jackson, and J. C. Mitchell. Securing Computer Virology, 4(3):161 – 178, August 2008.
Frame Communication in Browsers. In Proceedings of [26] R. W. M. Jones and P. H. J. Kelly.
the USENIX Security Symposium, 2008. Backwards-compatible bounds checking for arrays and
[9] G. Barthe, J. M. Crespo, D. Devriese, F. Piessens, and pointers in C programs. In Proceedings of the
E. Rivas. Secure Multi-Execution through Static International Workshop on Automatic Debugging,
Program Transformation. Proceedings of the pages 13–26, 1997.
International Conference on Formal Techniques for [27] V. Kashyap, B. Wiedermann, and B. Hardekopf.
Distributed Systems, pages 186–202, 2012. Timing- and Termination-Sensitive Secure Information
[10] N. Bielova, D. Devriese, F. Massacci, and F. Piessens. Flow: Exploring a New Approach. In Proceedings of
Reactive non-interference for a browser model. In the IEEE Conference on Security and Privacy, pages
Proceedings of the International Conference on 413–428, 2011.
Network and System Security, 2011. [28] G. Le Guernic. Confidentiality Enforcement Using
[11] A. Bohannon and B. C. Pierce. Featherweight Firefox: Dynamic Information Flow Analyses. PhD thesis,
Formalizing the Core of a Web Browser. In Kansas State University, 2007.
Proceedings of the USENIX Conference on Web [29] S. Maffeis, J. C. Mitchell, and A. Taly. Object
Application Development, pages 123–135, 2010. Capabilities and Isolation of Untrusted Web
[12] A. Bohannon, B. C. Pierce, V. Sjöberg, S. Weirich, Applications. In Proceedings of the IEEE Symposium
and S. Zdancewic. Reactive Noninterference. In on Security and Privacy, pages 125–140, 2010.
Proceedings of the ACM Conference on Computer and [30] J. Magazinius, A. Askarov, and A. Sabelfeld. A
Communications Security, pages 79–90, 2009. Lattice-based Approach to Mashup Security. In
[13] R. Capizzi, A. Longo, V. Venkatakrishnan, and Proceedings of the ACM Symposium on Information,
A. Sistla. Preventing Information Leaks through Computer and Communications Security, pages 15–23,
Shadow Executions. In Proceedings of the Annual 2010.
Computer Security Applications Conference, pages [31] M. S. Miller, M. Samuel, B. Laurie, I. Awad, and
322–331, 2008. M. Stay. Caja: Safe active content in sanitized
[14] R. Chugh, J. A. Meister, R. Jhala, and S. Lerner. javascript. http://google-caja.googlecode.com/
Staged Information Flow for JavaScript. ACM files/caja-spec-2008-01-15.pdf, January 2008.
SIGPLAN Notices, 44(6):50–62, 2009. [32] N. Nikiforakis, L. Invernizzi, A. Kapravelos,
[15] D. Crockford. Adsafe. http://www.adsafe.org/, S. Van Acker, W. Joosen, C. Kruegel, F. Piessens, and
December 2009. G. Vigna. You Are What You Include: Large-scale
[16] M. Daniel, J. Honoroff, and C. Miller. Engineering Evaluation of Remote JavaScript Inclusions. In
Heap Overflow Exploits with JavaScript. In Proceedings of the ACM Conference on Computer and
Proceedings of the USENIX Workshop on Offensive Communications Security, 2012.
Technologies, 2008. [33] N. Nikiforakis, W. Meert, Y. Younan, M. Johns, and
[17] P. De Ryck, L. Desmet, P. Philippaerts, and W. Joosen. SessionShield: Lightweight protection
F. Piessens. A Security Analysis of Next Generation against session hijacking. In Proceedings of the
Web Standards. Technical report, European Network International Symposium on Engineering Secure
and Information Security Agency (ENISA), 2011. Software and Systems, pages 87–100, 2011.
[34] N. Provos, P. Mavrommatis, M. A. Rajab, and [41] P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda,
F. Monrose. All Your iFRAMEs Point to Us. In C. Krügel, and G. Vigna. Cross Site Scripting
Proceedings of the USENIX Security Symposium, Prevention with Dynamic Data Tainting and Static
pages 1–15, 2008. Analysis. In Proceedings of the Annual Network &
[35] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, Distributed System Security Symposium, 2007.
and N. Modadugu. The Ghost In The Browser [42] Z. Weinberg, E. Y. Chen, P. R. Jayaraman, and
Analysis of Web-based Malware. In Proceedings of the C. Jackson. I Still Know What You Visited Last
USENIX Workshop on Hot Topics in Understanding Summer: User interaction and side-channel attacks on
Botnets, 2007. browsing history. In Proceedings of the IEEE
[36] A. Russo and A. Sabelfeld. Securing Timeout Symposium on Security and Privacy, 2011.
Instructions in Web Applications. In Proceedings of [43] W. Xu, S. Bhatkar, and R. Sekar. Taint-Enhanced
the IEEE Computer Security Foundations Symposium, Policy Enforcement: A Practical Approach to Defeat a
pages 92–106, 2009. Wide Range of Attacks. In Proceedings of the USENIX
[37] A. Russo, A. Sabelfeld, and A. Chudnov. Tracking Security Symposium, pages 121–136, 2006.
Information Flow in Dynamic Tree Structures. In [44] A. Yip, N. Narula, M. Krohn, and R. Morris.
Proceedings of the European Symposium on Research Privacy-preserving browser-side scripting with BFlow.
in Computer Security, pages 86–103, 2009. In Proceedings of the ACM European Conference on
[38] A. Sabelfeld and A. C. Myers. Language-Based Computer Systems, pages 233–246. ACM, 2009.
Information-Flow Security. IEEE Journal on Selected [45] Y. Younan, W. Joosen, and F. Piessens. Runtime
Areas of Communications, 21(1):5–19, January 2003. countermeasures for code injection attacks against C
[39] K. Singh, A. Moshchuk, H. J. Wang, and W. Lee. On and C++ programs. ACM Computing Surveys,
the Incoherencies in Web Browser Access Control 44(3):17:1–17:28, 2012.
Policies. In Proceedings of the IEEE Symposium on [46] Y. Younan, P. Philippaerts, L. Cavallaro, R. Sekar,
Security and Privacy, pages 463–478, 2010. F. Piessens, and W. Joosen. PAriCheck: An Efficient
[40] M. Ter Louw, K. T. Ganesh, and V. Venkatakrishnan. Pointer Arithmetic Checker for C Programs. In
Adjail: Practical Enforcement of Confidentiality and Proceedings of the ACM Symposium on Information,
Integrity Policies on Web Advertisements. In Computer and Communications Security, pages
Proceedings of the USENIX Security Symposium, 145–156, 2010.
pages 24–24, 2010.
APPENDIX
A. SCENARIOS