
MySecPol: A Client-Side Policy Language for Safe and Secure Browsing

Conference paper in: Information Systems Security (ICISS 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11281)
Abstract

Web browsers handle content from many different sources, which exposes them to a variety of attacks. Currently, users rely either on web developers or on different browser extensions for protection against different attacks. In this paper, we propose a simple architecture for defining a client-side policy using a policy language, MySecPol. The client-side policy gives users control over the content being served to them. Users can define their policy independently of the browser or the Operating System (OS). The policy is then realized by integrating it into the browser with appropriate mechanisms. A policy specification can combine various security mechanisms, providing robust protection. We describe an implementation of MySecPol as a Chromium extension. We also show how several of the existing approaches are captured as instances of MySecPol. We have further evaluated the system on real-world websites, testing the soundness of the approach by checking how these sites function under different policies. We have also compared our system with several related works.



Author information

Corresponding author: Amit Pathania.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Pathania, A., Radhika, B.S., Shyamasundar, R. (2018). MySecPol: A Client-Side Policy Language for Safe and Secure Browsing. In: Ganapathy, V., Jaeger, T., Shyamasundar, R. (eds.) Information Systems Security. ICISS 2018. Lecture Notes in Computer Science, vol. 11281. Springer, Cham. https://doi.org/10.1007/978-3-030-05171-6_22


  • DOI: https://doi.org/10.1007/978-3-030-05171-6_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05170-9

  • Online ISBN: 978-3-030-05171-6

  • eBook Packages: Computer Science, Computer Science (R0)
