You Can’t Be Me: Enabling Trusted Paths and User Sub-origins in Web Browsers

  • Enrico Budianto
  • Yaoqi Jia
  • Xinshu Dong
  • Prateek Saxena
  • Zhenkai Liang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)


Once a web application authenticates a user, it loosely associates all resources owned by the user with the established web session. Consequently, any scripts injected into the victim web session attain unfettered access to user-owned resources, including scripts that commit malicious activities inside a web application. In this paper, we establish the first explicit notion of user sub-origins to defeat such attempts. Based on this notion, we propose a new solution called UserPath to establish an end-to-end trusted path between web application users and web servers. To evaluate our solution, we implement a prototype in Chromium and retrofit it to 20 popular web applications. UserPath reduces the size of the client-side TCB that has access to user-owned resources by 8x to 264x, with small developer effort.


Keywords: User sub-origins, trusted path, script injection attacks





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Enrico Budianto (1)
  • Yaoqi Jia (1)
  • Xinshu Dong (2)
  • Prateek Saxena (1)
  • Zhenkai Liang (1)
  1. National University of Singapore, Singapore
  2. Advanced Digital Sciences Center, Singapore
