DOI: 10.1145/2508859.2516743

Protecting sensitive web content from client-side vulnerabilities with CRYPTONS

Published: 04 November 2013

Abstract

Web browsers isolate web origins, but do not provide direct abstractions to isolate sensitive data and control computation over it within the same origin. As a result, guaranteeing security of sensitive web content requires trusting all code in the browser and client-side applications to be vulnerability-free. In this paper, we propose a new abstraction, called Crypton, which supports intra-origin control over sensitive data throughout its life cycle. To securely enforce the semantics of Cryptons, we develop a standalone component called Crypton-Kernel, which extensively leverages the functionality of existing web browsers without relying on their large TCB. Our evaluation demonstrates that the Crypton abstraction supported by the Crypton-Kernel is widely applicable to popular real-world applications with millions of users, including webmail, chat, blog applications, and Alexa Top 50 websites, with low performance overhead.

      Published In

      CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
      November 2013
      1530 pages
      ISBN:9781450324779
      DOI:10.1145/2508859
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. browser security
      2. data protection
      3. web security

      Qualifiers

      • Research-article

      Conference

      CCS'13
      Acceptance Rates

      CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;
      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Cited By

      • (2024) Securing Web Inputs Using Parallel Session Attachments. Security and Privacy in Communication Networks. DOI: 10.1007/978-3-031-64954-7_10 (189-208). Online publication date: 15-Oct-2024
      • (2021) Permissive runtime information flow control in the presence of exceptions. Journal of Computer Security. DOI: 10.3233/JCS-211385 (1-41). Online publication date: 30-Mar-2021
      • (2021) Protecting Web Application Code and Sensitive Data with Symmetric and Identity-Based Cryptosystems. Data Science. DOI: 10.1007/978-981-16-5943-0_17 (204-216). Online publication date: 10-Sep-2021
      • (2018) Cracking ShadowCrypt: Exploring the Limitations of Secure I/O Systems in Internet Browsers. Proceedings on Privacy Enhancing Technologies. DOI: 10.1515/popets-2018-0012, 2018:2 (47-63). Online publication date: 20-Feb-2018
      • (2018) Detecting Malicious Behaviors in JavaScript Applications. IEEE Access. DOI: 10.1109/ACCESS.2018.2795383, 6 (12284-12294). Online publication date: 2018
      • (2017) TrustJS. Proceedings of the 10th European Workshop on Systems Security. DOI: 10.1145/3065913.3065917 (1-6). Online publication date: 23-Apr-2017
      • (2017) WebPol: Fine-Grained Information Flow Policies for Web Browsers. Computer Security – ESORICS 2017. DOI: 10.1007/978-3-319-66402-6_15 (242-259). Online publication date: 12-Aug-2017
      • (2016) BrowserFlow. Proceedings of the 17th International Middleware Conference. DOI: 10.1145/2988336.2988345 (1-13). Online publication date: 28-Nov-2016
      • (2016) Preventing Page Faults from Telling Your Secrets. Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. DOI: 10.1145/2897845.2897885 (317-328). Online publication date: 30-May-2016
      • (2016) Enhancing Data Secrecy with Segmentation Based Isolation. 2016 13th Web Information Systems and Applications Conference (WISA). DOI: 10.1109/WISA.2016.48 (203-208). Online publication date: Sep-2016
