FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL ROADMAP 1. Background 2. Threat Model 3. Design 4. Security Policies 5. Implementation 6. Evaluation BACKGROUND same-origin-policy (SOP) has holes 1. Examples to bypass SOP XMLHTTPRequest? 1. More powerful security enforcement mechanisms are required. BACKGROUND Information flow control Any program can be seen as a machine with inputs and outputs. Inputs can be classified high credential input and low credential input. The same for output. BACKGROUND Example for Information flow analysis High Input: document.getElementById(‘emai l.input’).text Low Output: *.src=* BACKGROUND Noninterference A program is defined to be noninterferent if its outputs cannot be influenced by inputs at a higher security level than their own. Termination-insensitive noninterference 1. A version of Noninterference. 2. Under the assumption that a program always terminates normally, information is only disclosed by the program when it terminates. 3. Many existing tools can effectively determine a program as long as the assumption holds BACKGROUND Termination-insensitive noninterference Vs. Terminationsensitive noninterference BACKGROUND In Context of web security Many state-of-art information flow systems can detect information leak for this case BACKGROUND Timing-insensitive noninterference Assumption: the execution result has nothing to do with the execution time BACKGROUND Secure Multi-Execution ([18]) 1. An information flow control enforcement mechanism 2. As its name suggests, secure multi-execution will execute a program multiple times, once for each security level. 3. SME regime will guarantee non-interference 4. FlowFox implements SME BACKGROUND Secure Multi-Execution Rule Image.src Document. cookie Image.width BACKGROUND Example of Secure Multi-Execution BACKGROUND Secure Multi-Execution Pros: 1. Secure multi-execution is sound: 2. Secure multi-execution is precise Cons: 1. Cost in CPU time and memory use THREAT MODEL Examples 1. Session Hijacking 2. Malicious Advertisements (Plugins) 3. History Sniffing and Behavior Tracking FLOWFOX DESIGN Two Design Alternatives 1. Multi-execute entire browser: 1. Easy to implement 2. Too Coarse grained and imprecise FLOWFOX DESIGN Two Design Alternatives 2. Multi-execute the web scripts (FlowFox) 1. Treat all interactions with the browser API as inputs and outputs 2. Fine grained 3. Hard to implement SECURITY POLICIES 1. DOM API will be specified policy 2. FlowFox policy specifies two things 1. Security levels to DOM APIs 2. Default value to each DOM API call 3. Policy Rule SECURITY POLICIES 4. Examples IMPLEMENTATION 1. Implemented on top of Mozilla Firefox and consists of about 1400 new lines of C/C++ code 2. SME-aware JavaScript Engine 1. JSContext has a security level field 2. Each property of JSObject has a security level field 3. Only properties with the same security level as the coordinating JSContext are visible 3. SME/IO Process 4. Event Handling 1. Low events will be handled by both the low and high executions 2. High events will only be handled by the high execution. EVALUATION 1. Security 1. Is FlowFox Non-interferent 1. Two reasons FlowFox could fail to be non-interferent 1. Violate the assumptions underlying the soundness proof 2. Exist implementation level vulnerabilities 2. Hard to guarantee. EVALUATION 1. Security 1. Examples of mitigating threats 1. Leaking Session Cookies 2. History Sniffing 3. Tracking Libraries EVALUATION 2. Compatibility 1. Two regular FireFox browsers and one FlowFox browser 2. A simple policy that makes reading document.cookie high 3. Crawler dumps a screenshot of each of the three browsers to a bitmap 4. First, compare the bitmaps belonging to two FireFox browsers and find the same area (unmasked area). 5. Second, compare the unmasked areas for bitmaps belonging to FireFox and FlowFox browsers. EVALUATION 3. Micro Benchmark 1. Measure the overhead of executing pure JavaScript. 2. Measure the overhead for I/O intensive applications. 3. Executing pure JavaScript incurs large overhead 4. IO test shows only a negligible impact overhead EVALUATION 4. Macro Benchmark 1. Measure the impact on the latency perceived by a browser user 2. The results show that the user-perceived latency for real-life web applications is acceptable EVALUATION 5. Memory Benchmark 1. Measuring 500 different websites 2. FlowFox incurred a memory overhead of 88%