Abstract
Current web applications incorporate third-party content hosted at different origins that offers a series of online services, as well as a suite of reusable libraries. Since those services and libraries constantly demand access to privacy-sensitive data to implement their normal operations, web developers and users must trust them not to exfiltrate private data. However, because they share an all-or-nothing design, the security mechanisms of present web browsers are essentially insufficient for mitigating the risks caused by third-party code.
This paper presents JSFfox, a JavaScript confinement system which enforces flexible information-flow policies for Firefox. Under JSFfox, not only the compartments but also the transferred messages that contain the sensitive data are associated with information-flow labels, which can be tracked for enforcing substantial policies. We characterize a wide range of web applications to demonstrate the motivations and requirements of JSFfox’s design, and implement secure versions of those applications, which guarantee flexibility for developers as well as privacy for users. We develop a functional prototype of JSFfox built on top of Firefox, and the experimental results show that JSFfox is fully backward compatible with the current web and introduces a negligible overhead compared with the legacy Firefox.
Notes
1. An origin is a source of authority encoded by the protocol (e.g., http), domain name (e.g., a.com), and port (e.g., 80) of a resource URL.
2. For clarity, we use a.com as the hostname-based tag, although the complete tag certainly includes the scheme and port.
Acknowledgement
This work is supported by National Natural Science Foundation of China under grant No.61370106, and National High-tech R&D Program of China (863 Program) under grant No.2015AA016001.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Qiang, W., Guo, J., Jin, H., Li, W. (2017). JSFfox: Run-Timely Confining JavaScript for Firefox. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol 10343. Springer, Cham. https://doi.org/10.1007/978-3-319-59870-3_8
DOI: https://doi.org/10.1007/978-3-319-59870-3_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59869-7
Online ISBN: 978-3-319-59870-3
eBook Packages: Computer Science, Computer Science (R0)