DOI: 10.1145/2382196.2382275
Research article

FlowFox: a web browser with flexible and precise information flow control

Published: 16 October 2012

Abstract

We present FlowFox, the first fully functional web browser that implements a precise and general information flow control mechanism for web scripts, based on the technique of secure multi-execution. We demonstrate how FlowFox subsumes many ad-hoc script containment countermeasures developed over the last years. We also show that FlowFox is compatible with the current web by investigating its behavior on the Alexa top-500 web sites, many of which make intricate use of JavaScript.
The performance and memory costs of FlowFox are substantial (a performance cost of around 20% on macro benchmarks for a simple two-level policy), but not prohibitive. Our prototype implementation shows that information flow enforcement based on secure multi-execution can be implemented in full-scale browsers. It can support powerful yet precise policies that refine the same-origin policy in a way that is compatible with existing websites.

Published In

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
October 2012, 1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196
Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. information flow
  2. web browser architecture
  3. web security

Qualifiers

  • Research-article

Conference

CCS '12: the ACM Conference on Computer and Communications Security
October 16 - 18, 2012
Raleigh, North Carolina, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
