Secure multi-execution of web scripts: Theory and practice

Groef, Willem De; Devriese, Dominique; Nikiforakis, Nick; Piessens, Frank

doi:10.3233/jcs-130495

Cited by 12 publications

(20 citation statements)

References 42 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hence, the policy can record in its state which channels are open. However, this support for dynamic channels is not present in the formal model of FlowFox [13], and hence no formal guarantees are provided when using this feature.…”

Section: Related Workmentioning

confidence: 96%

Monitoring Reactive Systems with Dynamic Channels

Zanarini

Jaskelioff

2014

Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security

View full text Add to dashboard Cite

Given the increasingly sensitive data that web applications deal with, a lot of attention has been put into their security. Dynamic methods for ensuring confidentiality of secret data, such as monitors, are usually preferred due to their permissiveness and ability to adapt to dynamic features of web languages. One dynamic approach to confidentiality is through secure multi-execution, a technique which transforms programs into secure ones. A recent refinement of this technique led to a monitor for reactive systems such as web applications which is precise, in the sense that it raises an alarm exactly when a security condition is violated, and transparent, in the sense that the semantics of secure programs is preserved. A limitation of this and other approaches based on secure multi-execution is that there is a fixed set of channels with a fixed security level. However, most web applications create channels dynamically, even by doing something as trivial as adding a button to a page. Moreover, the security level of such new channel would be chosen dynamically. In this work, we overcome the limitation of assuming a fixed set of channels and introduce a model of reactive systems with dynamic channels and present a precise and transparent monitor for it.

show abstract

Section: Related Workmentioning

confidence: 96%

Monitoring Reactive Systems with Dynamic Channels

Zanarini

Jaskelioff

2014

Proceedings of the Ninth Workshop on Programming Languages and Analysis for Security

View full text Add to dashboard Cite

show abstract

“…Our prototype implementation is constructed as a modification of the FlowFox browser [12,13]. Crucial for our implementation is the ability to keep track of all sites a user is logged into and to make sure that the labelling of JavaScript API calls can be dependent on this login history.…”

Section: Methodsmentioning

confidence: 99%

“…Our work is directly based on existing information flow secure browsers that use the mechanism of secure multi-execution [16] for information flow control. The theoretical development is based on Bielova et al [6], whereas the implementation extends the FlowFox browser [12,13]. Alternative dynamic information flow control mechanisms for browser scripts are usually monitors.…”

Section: Information Flow Control For the Webmentioning

confidence: 99%

Client Side Web Session Integrity as a Non-interference Property

Khan

Calzavara

Bugliesi

et al. 2014

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Sessions on the web are fragile. They have been attacked successfully in many ways, by network-level attacks, by direct attacks on session cookies (the main mechanism for implementing the session concept) and by application-level attacks where the integrity of sessions is violated by means of cross-site request forgery or malicious script inclusion. This paper defines a variant of non-interference -the classical security notion from information flow security -that can be used to formally define the notion of client-side application-level web session integrity. The paper also develops and proves correct an enforcement mechanism. Combined with state-of-the-art countermeasures for network-level and cookie-level attacks, this enforcement mechanism gives very strong assurance about the client-side preservation of session integrity for authenticated sessions.

show abstract

“…Bielova and Rezk [4] give a detailed survey and comparison of all kinds of dynamic information flow mechanisms, and we refer the reader to that paper for a detailed discussion. Both lines of work on dynamic information flow control (execution monitoring and multi-execution) have been applied to JavaScript in the browser [13,16], and both have dealt with the problem of interfacing with libraries in a relatively ad-hoc way -essentially by manual programming of models of the library functions, or by treating API calls as I/O operations [14]. Rajani et al [29] propose detailed and rigorous formal models of the DOM and event-handling parts of the browser, and find several potential information leaks.…”

Section: Examplesmentioning

confidence: 99%

“…Consider, for instance, the following example, that makes use of the standard JavaScript function Array.every which, given a predicate, returns true if every element in the array on which every is called, is in the extension of the predicate. In both JSFlow [17,16] and FlowFox [13,14], accurate modeling of many library functions, such as Array.every, requires hand-written, deep models. This is both labor-intensive and hard to maintain, not scaling to models for a rich set of libraries, as would be needed in a rich execution environment such as a browser or node.js [25,26,24].…”

Section: Introductionmentioning

confidence: 99%

A Principled Approach to Tracking Information Flow in the Presence of Libraries

Hedin

Sjösten

Piessens

et al. 2017

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. There has been encouraging progress on information flow control for programs in increasingly complex programming languages, tracking the propagation of information from input sources to output sinks. Yet, programs are typically deployed in an environment with rich APIs and powerful libraries, posing challenges for information flow control when the code for these APIs and libraries is either unavailable or written in a different language. This paper presents a principled approach to tracking information flow in the presence of libraries. With the goal to strike the balance between security and precision, we present a framework that explores the middle ground between the "shallow", signature-based modeling of libraries and the "deep", stateful approach, where library models need to be supplied manually. We formalize our approach for a core language, extend it with lists and higher-order functions, and establish soundness results with respect to the security condition of noninterference.

show abstract

Secure multi-execution of web scripts: Theory and practice

Cited by 12 publications

References 42 publications

Monitoring Reactive Systems with Dynamic Channels

Monitoring Reactive Systems with Dynamic Channels

Client Side Web Session Integrity as a Non-interference Property

A Principled Approach to Tracking Information Flow in the Presence of Libraries

Contact Info

Product

Resources

About