Information Flow Control for Browser Clients

浏览器客户端的信息流控制

• 批准号: 227985203
• 负责人: Dr. Deepak Garg, Ph.D.
• 金额: --
• 依托单位: Lehrstuhl für Software Engineering
• 依托单位国家: 德国
• 项目类别: Priority Programmes
• 财政年份: 2012
• 资助国家: 德国
• 起止时间: 2011-12-31 至 2016-12-31
• 项目状态: 已结题
• 来源: https://gepris.dfg.de/gepris/projekt/227985203?language=en
• 关键词: Information; Flow; Control; Browser; Clients

Modern web applications often compose JavaScript from mutually distrusting sources (e.g., a trusted office suite that is supported by untrusted ad-networks). However, current browsers support only coarse-grained isolation of code from different sources, which results in confidentiality and integrity issues that manifest in Internet worms and identity thefts. Information flow control (IFC) is effective at countering such threats. Accordingly, there has been extensive research in IFC for dynamic languages that resemble JavaScript in the past 5 years. However, the state of the art in this area is either limited to subsets of JavaScript or requires additional code annotations to track implicit flows.In recent work, we developed an IFC mechanism for full JavaScript that does not require any code annotations, modeled the intermediate representation of a production JavaScript infrastructure and proved our IFC analysis sound for a standard security property, noninterference. Herein, we propose to scale that research infrastructure to realistic web applications that require client-side confidentiality and integrity properties. We plan to focus on two dimensions that are critical to realistic web pages: permissiveness of our analysis and expressiveness of our security policies, in particular, policies for declassification.Concretely, we propose to improve the permissiveness of our existing IFC for JavaScript using state of the art static and dynamic program analyses and speculative execution, and to refine on the corresponding theoretical foundations. In addition, we plan to extend our IFC mechanism to new industry standards like HTML5 persistent data, which are crucial for upcoming web applications. We also plan to integrate declassification policies to protect user data from malicious JavaScript and to protect website data from users. Further, we will integrate speculative execution, which improves permissiveness, allows for graceful recovery from policy violations and supports richer declassification policies. Finally, we will evaluate our IFC framework on realistic web pages using targetted case studies.

现代网络应用程序通常根据相互不信任的来源(例如，由不信任的广告网络支持的信任的办公套件)来编写Java脚本。然而，当前的浏览器只支持粗粒度地隔离来自不同来源的代码，这导致了表现在互联网蠕虫和身份盗窃中的机密性和完整性问题。信息流控制(IFC)是应对此类威胁的有效手段。因此，在过去的5年里，IFC对类似于JavaScript的动态语言进行了广泛的研究。在最近的工作中，我们为完整的JavaScript开发了一种不需要任何代码注释的IFC机制，对生产JavaScript基础设施的中间表示进行了建模，并证明了我们的IFC分析符合标准的安全属性，即不干扰。在此，我们建议将研究基础设施扩展到需要客户端机密性和完整性属性的现实Web应用程序。我们计划将重点放在对现实网页至关重要的两个维度上：我们分析的允许性和我们的安全策略的表现力，特别是解密策略。具体地说，我们建议使用最新的静态和动态程序分析和推测执行来提高我们现有的IFC对Java脚本的允许性，并完善相应的理论基础。此外，我们计划将我们的IFC机制扩展到HTML5永久数据等新的行业标准，这些标准对即将到来的网络应用程序至关重要。我们还计划整合解密策略，以保护用户数据不受恶意JavaScript的影响，并保护网站数据不受用户的影响。此外，我们将整合投机性执行，这提高了容许性，允许从违反政策的行为中优雅地恢复，并支持更丰富的解密政策。最后，我们将使用有针对性的案例研究来评估我们的IFC框架在现实网页上的表现。