Information Flow Control for Event Handling and the DOM in Web Browsers | IEEE Conference Publication | IEEE Xplore

Information Flow Control for Event Handling and the DOM in Web Browsers


Abstract:

Web browsers routinely handle private information. Owing to a lax security model, browsers and JavaScript in particular, are easy targets for leaking sensitive data. Prio...Show More

Abstract:

Web browsers routinely handle private information. Owing to a lax security model, browsers and JavaScript in particular, are easy targets for leaking sensitive data. Prior work has extensively studied information flow control (IFC) as a mechanism for securing browsers. However, two central aspects of web browsers - the Document Object Model (DOM) and the event handling mechanism - have so far evaded thorough scrutiny in the context of IFC. This paper advances the state-of-the-art in this regard. Based on standard specifications and the code of an actual browser engine, we build formal models of both the DOM (up to Level 3) and the event handling loop of a typical browser, enhance the models with fine-grained taints and checks for IFC, prove our enhancements sound and test our ideas through an instrumentation of WebKit, an in-production browser engine. In doing so, we observe several channels for information leak that arise due to subtleties of the event loop and its interaction with the DOM.
Date of Conference: 13-17 July 2015
Date Added to IEEE Xplore: 07 September 2015
ISBN Information:

ISSN Information:

Conference Location: Verona, Italy

References

References is not available for this document.