Abstract
Rich client-side applications written in HTML5 proliferate on diverse platforms, access sensitive data, and need to maintain data-confinement invariants. Applications currently enforce these invariants using implicit, ad-hoc mechanisms. We propose a new primitive called a data-confined sandbox or DCS. A DCS enables complete mediation of communication channels with a small TCB. Our primitive extends currently standardized primitives and has negligible performance overhead and a modest compatibility cost. We retrofit our design on four real-world HTML5 applications and demonstrate that a small amount of effort enables strong data-confinement guarantees.
© 2013 Springer-Verlag Berlin Heidelberg
Akhawe, D., Li, F., He, W., Saxena, P., Song, D. (2013). Data-Confined HTML5 Applications. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_41
DOI: https://doi.org/10.1007/978-3-642-40203-6_41
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6