Abstract
Web browsers handle content from different sources, which makes them prone to various attacks. Currently, users rely either on web developers or on different browser extensions for protection against different attacks. In this paper, we propose a simple architecture for defining client-side policy using a policy language, MySecPol. A client-side policy gives users control over the content being served to them. Users can define their policy independently of the browser or the Operating System (OS). The policy is then realized by integrating it into the browser with appropriate enforcement mechanisms. A policy specification can combine various security mechanisms to provide robust protection. We describe an implementation of MySecPol as a Chromium extension. We also show how several existing approaches are captured as instances of MySecPol. We have further evaluated the system on real-world websites to test the soundness of the approach by checking the functionality of these sites under different policies. We have also compared our system with several related works.
Copyright information
© 2018 Springer Nature Switzerland AG
About this paper
Cite this paper
Pathania, A., Radhika, B.S., Shyamasundar, R. (2018). MySecPol: A Client-Side Policy Language for Safe and Secure Browsing. In: Ganapathy, V., Jaeger, T., Shyamasundar, R. (eds) Information Systems Security. ICISS 2018. Lecture Notes in Computer Science(), vol 11281. Springer, Cham. https://doi.org/10.1007/978-3-030-05171-6_22
DOI: https://doi.org/10.1007/978-3-030-05171-6_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05170-9
Online ISBN: 978-3-030-05171-6
eBook Packages: Computer Science, Computer Science (R0)