
CrowdFlow: Efficient Information Flow Security

  • Christoph Kerschbaumer
  • Eric Hennigan
  • Per Larsen
  • Stefan Brunthaler
  • Michael Franz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7807)

Abstract

The widespread use of JavaScript (JS) as the dominant web programming language opens the door to attacks such as Cross Site Scripting that steal sensitive information from users. Information flow tracking successfully addresses current browser security shortcomings, but current implementations incur a significant runtime overhead cost that prevents adoption.

We present a novel approach to information flow security that distributes the tracking workload across all page visitors by probabilistically switching between two JavaScript execution modes. Our framework reports attempts to steal information from a user’s browser to a third party that maintains a blacklist of malicious URLs. Participating users can then benefit from receiving warnings about blacklisted URLs, similar to anti-phishing filters.

Our measurements indicate that our approach is both efficient and effective. First, our technique is efficient because it reduces performance impact by an order of magnitude. Second, our system is effective, i.e., it detects 99.45% of all information flow violations on the Alexa Top 500 pages using a conservative 5% sampling rate. Most sites need fewer samples in practice and will therefore incur even less overhead.

Keywords

Information Flow; Malicious Code; Runtime Overhead; False Allegation; Document Object Model
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Notes

Acknowledgements

This material is based upon work partially supported by the Defense Advanced Research Projects Agency (DARPA) under contract No. D11PC20024, by the National Science Foundation (NSF) under grant No. CCF-1117162, and by a gift from Google.

Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA) or its Contracting Agent, the U.S. Department of the Interior, National Business Center, Acquisition Services Directorate, Sierra Vista Branch, the National Science Foundation, or any other agency of the U.S. Government.

Thanks to Michael Bebenita, Stephen Crane, Andrei Homescu, Christopher Horn, Mark Murphy, Mathias Payer, Codrut Stancu, Gregor Wagner, Christian Wimmer, and Wei Zhang for their feedback and insightful comments.


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Christoph Kerschbaumer (1)
  • Eric Hennigan (1)
  • Per Larsen (1)
  • Stefan Brunthaler (1)
  • Michael Franz (1)

  1. University of California, Irvine, USA
