SaTC: CORE: Medium: Towards a Usable, Practical, and Provably Secure Browser Infrastructure

SaTC：核心：中：迈向可用、实用且可证明安全的浏览器基础设施

• 批准号: 1704542
• 负责人: Limin Jia
• 金额: $ 120万
• 依托单位: Carnegie-Mellon University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1704542&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; Towards; Usable

Web browsers have become the predominant software platform for interacting with services such as shopping, banking, and health care. Many of the same technologies that enable these applications, such as third-party JavaScript and browser extensions, also have the unintended effect of making users' private information vulnerable to theft or misuse. Existing security policies and mechanisms---such as the same origin policy (SOP), the content security policy (CSP), and permission systems for extensions---are too coarse grained and not sufficient to protect users' data. Prior work has proposed information flow control (IFC) as a solution. However, existing IFC solutions are not yet practical: they suffer from poor usability and struggle to interoperate with other enforcement mechanisms that protect parts of web applications or browser state. The goal of this project is to construct a practical, usable, and secure browser infrastructure.The project will develop a modular model for a provably secure browser infrastructure using compositional principles. This model will be instantiated with concrete enforcement mechanisms to develop a browser that meets the functionality standards of current browser platforms. An important part of the project is to understand users' perceptions and expectations with respect to security goals; to extract practical IFC policies based on user data; and to build mechanisms that help users safely navigate the web. Finally, the project will develop testing and validation benchmarks and use these benchmarks to compare the effectiveness and the cost of different enforcement mechanisms. The results of this project will lay the foundation for building practical web browsers that have information flow security built in. This project targets technology that people use every day and has the potential to help not only web application developers but all web users.

网络浏览器已成为与购物，银行和医疗保健等服务互动的主要软件平台。许多启用这些应用程序的技术，例如第三方JavaScript和浏览器扩展程序，也具有使用户的私人信息容易受到盗窃或滥用的影响。现有的安全策略和机制 - 例如相同的原始策略（SOP），内容安全策略（CSP）和用于扩展的许可系统 - - 粘贴太粗，不足以保护用户的数据。先前的工作已提出信息流控制（IFC）作为解决方案。但是，现有的IFC解决方案尚不实际：它们的可用性差和与其他保护Web应用程序或浏览器状态的某些执行机制互操作的努力。该项目的目的是构建一个实用，可用且安全的浏览器基础架构。该项目将使用组成原则为可证明安全的浏览器基础架构开发模块化模型。 该模型将通过具体执法机制实例化，以开发符合当前浏览器平台功能标准的浏览器。该项目的重要部分是了解用户对安全目标的看法和期望；根据用户数据提取实用的IFC策略；并建立帮助用户安全浏览网络的机制。 最后，该项目将开发测试和验证基准，并使用这些基准来比较不同执行机制的有效性和成本。该项目的结果将为建立具有信息流安全性的实用Web浏览器奠定基础。该项目针对人们每天使用的技术，并有可能不仅可以帮助Web应用程序开发人员，而且可以帮助所有Web用户。

项目成果

Gradual Security Types and Gradual Guarantees

渐进式保障类型和渐进式保障

• DOI: 10.1109/csf51468.2021.00015
• 发表时间: 2021
• 期刊: 2021 IEEE 34th Computer Security Foundations Symposium (CSF
• 作者: Bichhawat, Abhishek;McCall, McKenna;Jia, Limin
• 通讯作者: Jia, Limin

OmniCrawl: Comprehensive Measurement of Web Tracking With Real Desktop and Mobile Browsers

• DOI: 10.2478/popets-2022-0012
• 发表时间: 2021-11
• 期刊: Proceedings on Privacy Enhancing Technologies
• 作者: Darion Cassel;Su-Chin Lin;Alessio Buraggina;William Wang;Andrew Zhang;Lujo Bauer;H. Hsiao;Limin Jia;Timothy Libert

Reconciling noninterference and gradual typing

协调无干扰和渐进打字

• DOI: 10.1145/3373718.3394778
• 发表时间: 2020
• 期刊: Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science
• 作者: de Amorim, Arthur Azevedo;Fredrikson, Matt;Jia, Limin
• 通讯作者: Jia, Limin

Knowledge-Based Security of Dynamic Secrets for Reactive Programs

反应式程序动态秘密的基于知识的安全性

• DOI: 10.1109/csf.2018.00020
• 发表时间: 2018
• 期刊: 2018 IEEE 31st Computer Security Foundations Symposium (CSF
• 作者: McCall, McKenna;Zhang, Hengruo;Jia, Limin
• 通讯作者: Jia, Limin

Riding out DOMsday: Towards Detecting and Preventing DOM Cross-Site Scripting

• DOI: 10.14722/ndss.2018.23309
• 发表时间: 2018
• 期刊: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security
• 作者: William Melicher;Anupam Das;Mahmood Sharif;Lujo Bauer;Limin Jia