On the Incoherencies in Web Browser Access Control Policies

Singh, Kapil; Moshchuk, Alexander; Wang, Helen J.; Lee, Wenke

doi:10.1109/sp.2010.35

Cited by 49 publications

(43 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Network channels are commonly utilized in HTML5 applications. In contrast, the use of client-side channels is rare-for example, Wang et al report that cross-origin window.location read and writes occur in less than 0.1% of pages [42]. Therefore, we find that it is acceptable to disable cross-origin client-side channels completely, and force the child to use the blessed postMessage channel to the parent to access these.…”

Section: Data-confined Sandbox: a New Primitivementioning

confidence: 73%

Data-Confined HTML5 Applications

Akhawe

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Rich client-side applications written in HTML5 proliferate diverse platforms such as mobile devices, commodity PCs, and the web platform. These client-side HTML5 applications are increasingly accessing sensitive data, including users' personal and social data, sensor data, and capability-bearing tokens. To fulfill their security and privacy guarantees, these applications need to maintain certain data-confinement invariants. These invariants are not explicitly stated in today's HTML5 applications and are enforced using ad-hoc mechanisms. The complexity of web applications, coupled with hard-to-analyze client-side languages, leads to low-assurance data-confinement mechanisms in which the whole application needs to be in the TCB to ensure data-confinement invariants.We propose a new mechanism called a data-confined sandbox or DCS. A DCS enables complete mediation of communication channels in a high-assurance, small-TCB manner. Our primitive extends currently standardized primitives and has negligible performance overhead and a modest compatibility cost to retrofit into existing applications. We re-implement four real-world HTML5 applications with our proposed design with a small amount of effort, achieving much stronger data-confinement guarantees. We also study over twenty HTML5 applications and find that dataconfinement invariants are implicit in the vast majority of them and crucial to achieving their privacy expectations.

show abstract

Section: Data-confined Sandbox: a New Primitivementioning

confidence: 73%

Data-Confined HTML5 Applications

Akhawe

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…One page can use document.domain to change its origin to a superdomain [50]. If developers give b.com more permissions than its sub-domain a.b.com, a page in a.b.com can change its origin to b.com, and can thus gain more privileges.…”

Section: A Principal Increasing Privilegementioning

confidence: 99%

Fine-Grained Access Control for HTML5-Based Mobile Applications in Android

Jin

Wang

Luo

et al. 2015

Lecture Notes in Computer Science

View full text Add to dashboard Cite

HTML5-based mobile applications are becoming more and more popular because they can run on different platforms. Several newly introduced mobile OS natively support HTML5-based applications. For those that do not provide native support, such as Android, iOS, and Windows Phone, developers can develop HTML5-based applications using middlewares, such as PhoneGap [17]. In these platforms, programs are loaded into a web component, called WebView, which can render HTML5 pages and execute JavaScript code. In order for the program to access the system resources, which are isolated from the content inside WebView due to its sandbox, bridges need to be built between JavaScript and the native code (e.g. Java code in Android). Unfortunately, such bridges break the existing protection that was originally built into WebView.In this paper, we study the potential risks of HTML5-based applications, and investigate how the existing mobile systems' access control supports these applications. We focus on Android and the PhoneGap middleware. However, our ideas can be applied to other platforms. Our studies indicate that Android does not provide an adequate access control for this kind of applications. We propose a finegrained access control mechanism for the bridge in Android system. We have implemented our scheme in Android and have evaluated its effectiveness and performance.

show abstract

“…For example, De Ryck et al perform a security analysis of some of the upcoming standards in [28], finding them to be be of high quality but also highlighting potential security risks. Singh et al [44] discover potentially dangerous incoherencies amongst different browser access control policies.…”

Section: Browser Securitymentioning

confidence: 99%

BrowserAudit: automated testing of browser security features

Hothersall-Thomas

Maffeis

Novakovic

2015

Proceedings of the 2015 International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

The security of the client side of a web application relies on browser features such as cookies, the same-origin policy and HTTPS. As the client side grows increasingly powerful and sophisticated, browser vendors have stepped up their offering of security mechanisms which can be leveraged to protect it. These are often introduced experimentally and informally and, as adoption increases, gradually become standardised (e.g., CSP, CORS and HSTS). Considering the diverse landscape of browser vendors, releases, and customised versions for mobile and embedded devices, there is a compelling need for a systematic assessment of browser security.We present BrowserAudit, a tool for testing that a deployed browser enforces the guarantees implied by the main standardised and experimental security mechanisms. It includes more than 400 fully-automated tests that exercise a broad range of security features, helping web users, application developers and security researchers to make an informed security assessment of a deployed browser. We validate BrowserAudit by discovering both fresh and known security-related bugs in major browsers.

show abstract

On the Incoherencies in Web Browser Access Control Policies

Cited by 49 publications

References 4 publications

Data-Confined HTML5 Applications

Data-Confined HTML5 Applications

Fine-Grained Access Control for HTML5-Based Mobile Applications in Android

BrowserAudit: automated testing of browser security features

Contact Info

Product

Resources

About