2014 IEEE 27th Computer Security Foundations Symposium 2014
DOI: 10.1109/csf.2014.33

Provably Sound Browser-Based Enforcement of Web Session Integrity

Abstract: Enforcing protection at the browser side has recently become a popular approach for securing web authentication. Though interesting, existing attempts in the literature only address specific classes of attacks, and thus fall short of providing robust foundations to reason on web authentication security. In this paper we provide such foundations, by introducing a novel notion of web session integrity, which allows us to capture many existing attacks and spot some new ones. We then propose FF+, a security-enhanc…

Cited by 19 publications (25 citation statements)
References 24 publications
“…Similarly to the HTTP-Only flag, the Secure flag can be selectively applied to authentication cookies at the client-side, thus achieving additional protection against powerful network attackers [Bugliesi et al. 2014a, 2014b]. Another solution against eavesdropping is HSTS [Hodges et al. 2012], a browser security policy that forces any HTTP communication attempt to protected domains to be upgraded to HTTPS.…”
Section: Eavesdropping
Citation type: mentioning, confidence: 99%
“…A complementary line of defense, advocated in a series of recent papers, may be built directly within the browser through client-side protection mechanisms [Tang et al. 2011; De Ryck et al. 2012; Bugliesi et al. 2014a, 2014b]. The key idea underlying such mechanisms is to apply the security practices neglected by the server by detecting authentication cookies at the client-side and enforcing a more conservative browser behavior when accessing them, for instance by applying the HTTP-Only flag to them when it is not set by the web developers.…”
Section: Introduction
Citation type: mentioning, confidence: 97%
“…Later, Bohannon and Pierce [8] developed Featherweight Firefox, a formal model of a simple browser, with the purpose of formally studying confidentiality and integrity policies for browsers, including reactive non-interference policies. This browser model did not yet model session management, and very recently Bugliesi et al. [10] developed Flyweight Firefox, a variant of Featherweight Firefox, and provided a formal definition of web session integrity as well as a provably sound enforcement mechanism. The advantage of our approach is that, by providing information flow control instead of access control, we can more precisely enforce session integrity.…”
Section: Formal Models of Web Session Integrity
Citation type: mentioning, confidence: 99%
“…We can do substantially better: instead of dropping such requests, we can strip the session cookie from the request as in other client-side CSRF protection systems [10,14]. We assume the existence of a function strip L…”
Section: Enforcement
Citation type: mentioning, confidence: 99%