Protecting Private Web Content from Embedded Scripts

  • Yuchen Zhou
  • David Evans
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6879)

Abstract

Many web pages display personal information provided by users. The goal of this work is to protect that content from untrusted scripts that are embedded in host pages. We present a browser modification that provides fine-grained control over what parts of a document are visible to different scripts, and executes untrusted scripts in isolated environments where private information is not accessible. To ease deployment, we present a method for automatically inferring what nodes in a web page contain private content. This paper describes how we modify the Chromium browser to enforce newly defined security policies, presents our automatic policy generation method, and reports on experiments inferring and enforcing privacy policies for a variety of web applications.

Keywords

Event Handler, Execution Context, Attack Vector, Private Content
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Yuchen Zhou (University of Virginia, USA)
  • David Evans (University of Virginia, USA)
