nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

CrowdFlow: Efficient Information Flow Security

verfasst von : Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz

Erschienen in: Information Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The widespread use of JavaScript (JS) as the dominant web programming language opens the door to attacks such as Cross Site Scripting that steal sensitive information from users. Information flow tracking successfully addresses current browser security shortcomings, but current implementations incur a significant runtime overhead cost that prevents adoption.

We present a novel approach to information flow security that distributes the tracking workload across all page visitors by probabilistically switching between two JavaScript execution modes. Our framework reports attempts to steal information from a user’s browser to a third party that maintains a blacklist of malicious URLs. Participating users can then benefit from receiving warnings about blacklisted URLs, similar to anti-phishing filters.

Our measurements indicate that our approach is both efficient and effective. First, our technique is efficient because it reduces performance impact by an order of magnitude. Second, our system is effective, i.e., it detects 99.45 % of all information flow violations on the Alexa Top 500 pages using a conservative 5 % sampling rate. Most sites need fewer samples in practice; and will therefore incur even less overhead.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Fine-Grained Access Control for HTML5-Based Mobile Applications in Android

Nächstes Kapitel DroidTest: Testing Android Applications for Leakage of Private Information

Nur mit Berechtigung zugänglich

OWASP: The open web application security project (2012). https://www.owasp.org/. Accessed April 2013

The MITRE Corporation: Common weakness enumeration: A community-developed dictionary of software weakness types (2012). http://cwe.mitre.org/top25/. Accessed April 2013

Microsoft: Microsoft Security Intelligence Report, vol. 13, January–June 2012 (2012). http://www.microsoft.com/security/sir/default.aspx. Accessed April 2013

Jang, D., Jhala, R., Lerner, S., Shacham, H.: An empirical study of privacy-violating information flows in JavaScript web applications. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 270–283. ACM (2010)

Vogt, P., Nentwich, F., Jovanovic, N., Kruegel, C., Kirda, E., Vigna, G.: Cross site scripting prevention with dynamic data tainting and static analysis. In: Proceedings of the Annual Network and Distributed System Security Symposium. The Internet Society (2007)

Groef, W.D., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 748–759. ACM (2012)

Just, S., Cleary, A., Shirley, B., Hammer, C.: Information flow analysis for JavaScript. In: Proceedings of the ACM SIGPLAN International Workshop on Programming Language and Systems Technologies for Internet Clients, pp. 9–18. ACM (2011)

Austin, T.H., Flanagan, C.: Multiple facets for dynamic information flow. In: Proceedings of the ACM SIGPLAN-SIGACT Symposium on Principals of Programming Languages, pp. 165–178. ACM (2012)

Kerschbaumer, C., Hennigan, E., Larsen, P., Brunthaler, S., Franz, M.: Towards precise and efficient information flow control in web browsers. In: [42]

10.

Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the USENIX Symposium on Operating Systems Design and Implementation, pp. 393–407 (2010)

11.

Provos, N.: Safe browsing - protecting web users for 5 years and counting (2012). http://googleonlinesecurity.blogspot.com/2012/06/safe-browsing-protecting-web-users-for.html. Accessed April 2013

12.

Microsoft: SmartScreen Filter (2012). http://windows.microsoft.com/en-US/internet-explorer/products/ie-9/features/smartscreen-filter. Accessed April 2013

13.

WebKit: The webkit open source project (2012). http://www.webkit.org. Accessed April 2013

14.

SunSpider: SunSpider JavaScript benchmark (2012). http://www2.webkit.org/perf/sunspider-0.9/sunspider.html. Accessed April 2013

15.

Google: V8 Benchmark Suite (2013). https://developers.google.com/v8/benchmarks. Accessed April 2013

16.

Alexa: Alexa Global Top Sites. http://www.alexa.com/topsites. Accessed April 2013

17.

W3C - World Wide Web Consortium: Document object model (DOM) level 3 core specification (2004). http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/DOM3-Core.pdf. Accessed April 2013

18.

Russo, A., Sabelfeld, A., Chudnov, A.: Tracking information flow in dynamic tree structures. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 86–103. Springer, Heidelberg (2009) CrossRef

19.

Nikiforakis, N., Invernizzi, L., Kapravelos, A., Acker, S.V., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: You are what you include: large-scale evaluation of remote javascript inclusions. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 736–747. ACM (2012)

20.

Mozilla Foundation: Same origin policy for JavaScript (2008). https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript. Accessed April 2013

21.

W3C: Content security policy 1.0 (2013). http://www.w3.org/TR/CSP/. Accessed July 2013

22.

Myers, A.C., Liskov, B.: Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol. 9, 410–442 (2000)CrossRef

23.

Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow (2001). http://www.cs.cornell.edu/jif. Accessed April 2013

24.

Hennigan, E., Kerschbaumer, C., Larsen, P., Brunthaler, S., Franz, M.: First-class labels: using information flow to debug security holes. In: [42]

25.

Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21, 5–19 (2003)CrossRef

26.

Ecma International: Standard ECMA-262. The ECMAScript language specification (2009). http://www.ecma-international.org/publications/standards/Ecma-262.htm. Accessed April 2013

27.

Anonymous: Web statistics when crawling the alexa top 500 web pages. Technical report, Anonymous (2013)

28.

Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: Proceedings of the ACM International Conference on World Wide Web. ACM (2007)

29.

Myers, A.C.: Jflow: practical mostly-static information flow control. In: Proceedings of the ACM SIGPLAN-SIGACT Symposium on Principals of Programming Languages, pp. 228–241. ACM (1999)

30.

Zdancewic, S.A.: Programming Languages for information security. Ph.D. thesis, Cornell University (2002)

31.

The Tor Project: Tor: Anonymity Online (2013). https://www.torproject.org/. Accessed April 2013

32.

Greathouse, J.L., LeBlanc, C., Austin, T., Bertacco, V.: Highly scalable distributed dataflow analysis. In: Proceedings of the IEEE/ACM International Symposium on Code Generation and Optimization, pp. 277–288. IEEE (2011)

33.

Greathouse, J.L., Austin, T.: The potential of sampling for dynamic analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 3.1–3.6. ACM (2011)

34.

Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 1–12. ACM (2010)

35.

Devriese, D., Peissens, F.: Noninterference through secure multi-execution. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 109–124. IEEE (2010)

36.

Hedin, D., Sabelfeld, A.: Information-flow security for a core of JavaScript. In: Proceedings of the IEEE Computer Security Foundations Symposium, pp. 3–18. IEEE (2012)

37.

Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, pp. 113–124. ACM (2009)

38.

Chugh, R., Meister, J.A., Jhala, R., Lerner, S.: Staged information flow for JavaScript. In: Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 50–62. ACM (2009)

39.

Nadji, Y., Saxena, P., Song, D.: Document structure integrity: a robust basis for cross-site scripting defense. In: Proceedings of the Annual Network and Distributed System Security Symposium. The Internet Society (2009)

40.

Canali, D., Cova, M., Vigna, G., Kruegel, C.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the ACM International Conference on World Wide Web, pp. 197–206. ACM (2011)

41.

Thomas, K., Grie, C., Ma, J., Paxson, V., Song, D.: Design and evaluation of a real-time url spam filtering service. In: Proceedings of the IEEE Symposium on Security and Privacy, pp. 447–462. IEEE (2011)

42.

Proceedings of the 6th International Conference on Trust and Trustworthy Computing, TRUST 2013, London, UK, June 17–19. Springer (2013)

Titel: CrowdFlow: Efficient Information Flow Security
verfasst von: Christoph Kerschbaumer
Eric Hennigan
Per Larsen
Stefan Brunthaler
Michael Franz
Verlag: Springer International Publishing
Buch: Information Security
Print ISBN: 978-3-319-27658-8

Electronic ISBN: 978-3-319-27659-5

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-319-27659-5_23

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner