Object Capabilities and Isolation of Untrusted Web Applications

Maffeis, Sergio; Mitchell, John C.; Taly, Ankur

doi:10.1109/sp.2010.16

Cited by 82 publications

(88 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This attack was already addressed in [25] where it is credited to Maffeis (see also [19]). It is also the basis of a recently described attack on ADsafe [18]. (This paper significantly extends the defence mechanism of [25] for this class of attack).…”

Section: Self Protecting Javascriptmentioning

confidence: 79%

Safe Wrappers and Sane Policies for Self Protecting JavaScript

Magazinius

Phung

Sands

2012

Information Security Technology for Applications

View full text Add to dashboard Cite

Abstract. Phung et al (ASIACCS'09) describe a method for wrapping built-in methods of JavaScript programs in order to enforce security policies. The method is appealing because it requires neither deep transformation of the code nor browser modification. Unfortunately the implementation outlined suffers from a range of vulnerabilities, and policy construction is restrictive and error prone. In this paper we address these issues to provide a systematic way to avoid the identified vulnerabilities, and make it easier for the policy writer to construct declarative policies -i.e. policies upon which attacker code has no side effects.

show abstract

Section: Self Protecting Javascriptmentioning

confidence: 79%

Safe Wrappers and Sane Policies for Self Protecting JavaScript

Magazinius

Phung

Sands

2012

Information Security Technology for Applications

View full text Add to dashboard Cite

show abstract

“…Akhawe et al [2] focus on privilege separation in HTML5 web applications by utilizing standardized browser primitives in order to maintain a least privilege design. Maffeis et al [39] formalize the key mechanisms underlying these sandboxes and prove they can be used to create secure sandboxes. They also discuss several other existing proposals, and we point the reader to their paper for a more extensive discussion of work in this area.…”

Section: Limitations and Future Workmentioning

confidence: 99%

Secure multi-execution of web scripts: Theory and practice

Groef

Devriese

Nikiforakis

et al. 2014

JCS

View full text Add to dashboard Cite

Secure Multi-Execution (SME) is a precise and general information flow control mechanism that was claimed to be a good fit for implementing information flow security in browsers. We validate this claim by developing FlowFox, the first fully functional web browser that implements an information flow control mechanism for web scripts based on the technique of secure multi-execution. We provide evidence for the security of FlowFox by proving non-interference for a formal model of the essence of FlowFox, and by showing how it stops real attacks. We provide evidence of usefulness by showing how FlowFox subsumes many ad-hoc script-containment countermeasures developed over the last years. An experimental evaluation on the Alexa top-500 web sites provides evidence for compatibility, and shows that FlowFox is compatible with the current web, even on sites that make intricate use of JavaScript.The performance and memory cost of FlowFox is substantial (a performance cost of around 20% on macro benchmarks for a simple two-level policy), but not prohibitive. Our prototype implementation shows that information flow enforcement based on secure multi-execution can be implemented in full-scale browsers. It can support powerful, yet compatible policies refining the same-origin-policy in a way that is compatible with existing websites.

show abstract

“…Another approach to interpose on all data communication channels is to do static analysis of the application source code [1,10,22,34]. However, static analysis methods have a high compatibility cost, because they cannot reason about code that uses dynamic constructs like eval, which are used pervasively in existing applications [38,39] and modern JavaScript libraries [28].…”

Section: Insufficiency Of Existing Mechanismsmentioning

confidence: 99%

“…Second, client-side HTML5 applications (including browser extensions, HTML5 web applications and Windows 8 Metro applications) have numerous channels to communicate with distrusting principals, and no unified monitoring interface like the OS system call interface exists. Previous proposals include numerous mechanisms that limit cross-origin communication channels like the iframe sandbox [3], Content Security Policy [43], HTTP Strict Transport Security [26,29], web workers [27], code analysis [1,34], or code rewriting [10].As we explain in §2.3, none of these offer comprehensive mediation, and most of them are not easy to retrofit into existing applications at a low compatibility cost [49].…”

Section: Introductionmentioning

confidence: 99%

Data-Confined HTML5 Applications

Akhawe

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Rich client-side applications written in HTML5 proliferate diverse platforms such as mobile devices, commodity PCs, and the web platform. These client-side HTML5 applications are increasingly accessing sensitive data, including users' personal and social data, sensor data, and capability-bearing tokens. To fulfill their security and privacy guarantees, these applications need to maintain certain data-confinement invariants. These invariants are not explicitly stated in today's HTML5 applications and are enforced using ad-hoc mechanisms. The complexity of web applications, coupled with hard-to-analyze client-side languages, leads to low-assurance data-confinement mechanisms in which the whole application needs to be in the TCB to ensure data-confinement invariants.We propose a new mechanism called a data-confined sandbox or DCS. A DCS enables complete mediation of communication channels in a high-assurance, small-TCB manner. Our primitive extends currently standardized primitives and has negligible performance overhead and a modest compatibility cost to retrofit into existing applications. We re-implement four real-world HTML5 applications with our proposed design with a small amount of effort, achieving much stronger data-confinement guarantees. We also study over twenty HTML5 applications and find that dataconfinement invariants are implicit in the vast majority of them and crucial to achieving their privacy expectations.

show abstract

Object Capabilities and Isolation of Untrusted Web Applications

Cited by 82 publications

References 11 publications

Safe Wrappers and Sane Policies for Self Protecting JavaScript

Safe Wrappers and Sane Policies for Self Protecting JavaScript

Secure multi-execution of web scripts: Theory and practice

Data-Confined HTML5 Applications

Contact Info

Product

Resources

About