flowfox

advertisement
FLOWFOX
A WEB BROWSER WITH FLEXIBLE AND
PRECISE INFORMATION CONTROL
ROADMAP
1. Background
2. Threat Model
3. Design
4. Security Policies
5. Implementation
6. Evaluation
BACKGROUND
same-origin-policy (SOP) has holes
1. Examples to bypass SOP
XMLHTTPRequest?
1. More powerful security enforcement
mechanisms are required.
BACKGROUND
Information flow control
Any program can be seen as a machine with
inputs and outputs. Inputs can be classified high
credential input and low credential input. The
same for output.
BACKGROUND
Example for Information flow analysis
High Input:
document.getElementById(‘emai
l.input’).text
Low Output:
*.src=*
BACKGROUND
Noninterference
A program is defined to be noninterferent if its
outputs cannot be influenced by inputs at a higher
security level than their own.
Termination-insensitive noninterference
1. A version of Noninterference.
2. Under the assumption that a program always
terminates normally, information is only disclosed
by the program when it terminates.
3. Many existing tools can effectively determine a
program as long as the assumption holds
BACKGROUND
Termination-insensitive noninterference Vs. Terminationsensitive noninterference
BACKGROUND
In Context of web security
Many state-of-art
information flow
systems can detect
information leak for this
case
BACKGROUND
Timing-insensitive noninterference
Assumption: the execution result has nothing to do
with the execution time
BACKGROUND
Secure Multi-Execution ([18])
1. An information flow control enforcement
mechanism
2. As its name suggests, secure multi-execution
will execute a program multiple times, once for
each security level.
3. SME regime will guarantee non-interference
4. FlowFox implements SME
BACKGROUND
Secure Multi-Execution Rule
Image.src
Document.
cookie
Image.width
BACKGROUND
Example of Secure Multi-Execution
BACKGROUND
Secure Multi-Execution
Pros:
1. Secure multi-execution is sound:
2. Secure multi-execution is precise
Cons:
1. Cost in CPU time and memory use
THREAT MODEL
Examples
1. Session Hijacking
2. Malicious Advertisements (Plugins)
3. History Sniffing and Behavior Tracking
FLOWFOX DESIGN
Two Design Alternatives
1. Multi-execute entire browser:
1. Easy to implement
2. Too Coarse grained and imprecise
FLOWFOX DESIGN
Two Design Alternatives
2. Multi-execute the web scripts (FlowFox)
1. Treat all interactions with the browser API as
inputs and outputs
2. Fine grained
3. Hard to implement
SECURITY POLICIES
1. DOM API will be specified policy
2. FlowFox policy specifies two things
1. Security levels to DOM APIs
2. Default value to each DOM API call
3. Policy Rule
SECURITY POLICIES
4. Examples
IMPLEMENTATION
1. Implemented on top of Mozilla Firefox and consists of
about 1400 new lines of C/C++ code
2. SME-aware JavaScript Engine
1. JSContext has a security level field
2. Each property of JSObject has a security level field
3. Only properties with the same security level as the
coordinating JSContext are visible
3. SME/IO Process
4. Event Handling
1. Low events will be handled by both the low and high
executions
2. High events will only be handled by the high execution.
EVALUATION
1. Security
1. Is FlowFox Non-interferent
1. Two reasons FlowFox could fail to be
non-interferent
1. Violate the assumptions underlying
the soundness proof
2. Exist implementation level
vulnerabilities
2. Hard to guarantee.
EVALUATION
1. Security
1. Examples of mitigating threats
1. Leaking Session Cookies
2. History Sniffing
3. Tracking Libraries
EVALUATION
2. Compatibility
1. Two regular FireFox browsers and one FlowFox
browser
2. A simple policy that makes reading
document.cookie high
3. Crawler dumps a screenshot of each of the
three browsers to a bitmap
4. First, compare the bitmaps belonging to two
FireFox browsers and find the same area
(unmasked area).
5. Second, compare the unmasked areas for
bitmaps belonging to FireFox and FlowFox
browsers.
EVALUATION
3. Micro Benchmark
1. Measure the overhead of
executing pure JavaScript.
2. Measure the overhead for
I/O intensive applications.
3. Executing pure JavaScript
incurs large overhead
4. IO test shows only a
negligible impact overhead
EVALUATION
4. Macro Benchmark
1. Measure the impact on
the latency perceived by
a browser user
2. The results show that the
user-perceived latency
for real-life web
applications is
acceptable
EVALUATION
5. Memory Benchmark
1. Measuring 500 different websites
2. FlowFox incurred a memory overhead
of 88%
Download