Contego: Capability-Based Access Control for Web Browsers

Luo, Tongbo; Du, Wenliang

doi:10.1007/978-3-642-21599-5_17

Tongbo Luo²¹ &
Wenliang Du²¹

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 6740))

Included in the following conference series:

International Conference on Trust and Trustworthy Computing

2276 Accesses
7 Citations

Abstract

Over the last two decades, the Web has significantly transformed our lives. Along with the increased activities on the Web come the attacks. A recent report shows that 83% of web sites have had at least one serious vulnerability. As the Web becomes more and more sophisticated, the number of vulnerable sites is unlikely to decrease. A fundamental cause of these vulnerabilities is the inadequacy of the browser’s access control model in dealing with the features in today’s Web. We need better access control models for browsers.

Today’s web pages behave more and more like a system, with dynamic elements interacting with one another within each web page. A well-designed access control model is needed to mediate these interactions to ensure security. The capability-based access control model has many properties that are desirable for the Web. This paper designs a capability-based access control model for web browsers. We demonstrate how such a model can be beneficial to the Web, and how common vulnerabilities can be easily prevented using this model. We have implemented this model in the Google Chrome browser.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Crockford, D.: ADSafe, http://www.adsafe.org
Dalton, M., Kozyrakis, C., Zeldovich, N.: Nemesis: Preventing authentication & access control vulnerabilities inweb applications. In: Proceedings of the Eighteenth Usenix Security Symposium (Usenix Security), Montreal, Canada (2009)
Google Scholar
Gundy, M.V., Chen, H.: Noncespaces: Using randomization to enforce information flow tracking and thwart cross-site scripting attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA (February 2009)
Google Scholar
Jackson, C., Bortz, A., Boneh, D., Mitchell, J.C.: Protecting browser state from web privacy attacks. In: WWW 2006 (2006)
Google Scholar
Jayaraman, K., Du, W., Rajagopalan, B., Chapin, S.J.: Escudo: A fine-grained protection model for web browsers. In: Proceedings of the 30th International Conference on Distributed Computing Systems (ICDCS), Genoa, Italy (June 21-25, 2010)
Google Scholar
Jim, T., Swamy, N., Hicks, M.: Defeating script injection attacks with browser-enforced embedded policies. In: WWW 2007,
Google Scholar
Karlof, C., Shankar, U., Tygar, J.D., Wagner, D.: Dynamic pharming attacks and locked same-origin policies for web browsers. In: CCS 2007 (2007)
Google Scholar
Livshits, B., Erlingsson, U.: Using web application construction frameworks to protect against code injection attacks. In: PLAS 2007 (2007)
Google Scholar
Luo, T., Du., W.: Contego: Capability-based access control for web browsers (full version), http://www.cis.syr.edu/~wedu/Research/paper/contego_full.pdf
Meyerovich, L.A., Livshits, V.B.: Conscript: Specifying and enforcing fine-grained security policies for javascript in the browser. In: IEEE Symposium on Security and Privacy, pp. 481–496 (2010)
Google Scholar
Nadji, Y., Saxena, P., Song, D.: Document structure integrity: A robust basis for cross-site scripting defense. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), San Diego, CA (February 2009)
Google Scholar
Parno, B., McCune, J.M., Wendlandt, D., Andersen, D.G., Perrig, A.: CLAMP: Practical prevention of large-scale data leaks. In: Proc. IEEE Symposium on Security and Privacy, Oakland, CA (May 2009)
Google Scholar
WhiteHat Security. Whitehat website security statistic report, 10th edn. (2010)
Google Scholar

Download references

Author information

Authors and Affiliations

Department of Electrical Engineering & Computer Science, Syracuse University, Syracuse, New York, USA
Tongbo Luo & Wenliang Du

Authors

Tongbo Luo
View author publications
You can also search for this author in PubMed Google Scholar
Wenliang Du
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Carnegie Mellon University, 5000 Forbes Ave, 15213, Pittsburgh, PA, USA
Jonathan M. McCune & Adrian Perrig &
Hewlett-Packard Labs, Long Down Ave, BS34 8QZ, Stoke Gifford, Bristol, UK
Boris Balacheff
TU Darmstadt / Fraunhofer SIT, Mornewegstr.32, 64293, Darmstadt, Germany
Ahmad-Reza Sadeghi
University College London, Gower Street, WC1E 6BT, London, UK
Angela Sasse
Hewlett Packard Labs, Long Down Ave, BS34 8QZ, Stoke Gifford, Bristol, UK
Yolanta Beres

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Luo, T., Du, W. (2011). Contego: Capability-Based Access Control for Web Browsers. In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, AR., Sasse, A., Beres, Y. (eds) Trust and Trustworthy Computing. Trust 2011. Lecture Notes in Computer Science, vol 6740. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21599-5_17

Download citation

DOI: https://doi.org/10.1007/978-3-642-21599-5_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21598-8
Online ISBN: 978-3-642-21599-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics