Skip to main content

Information Flow Control for Event Handling and the DOM in Web Browsers

Rajani, Vineet, Bichhawat, Abhishek, Garg, Deepak, Hammer, Christian (2015) Information Flow Control for Event Handling and the DOM in Web Browsers. In: 2015 IEEE 28th Computer Security Foundations Symposium. . pp. 366-379. IEEE ISBN 978-1-4673-7537-5. E-ISBN 978-1-4673-7538-2. (doi:10.1109/CSF.2015.32) (The full text of this publication is not currently available from this repository. You may be able to access a copy if URLs are provided) (KAR id:90595)

The full text of this publication is not currently available from this repository. You may be able to access a copy if URLs are provided. (Contact us about this Publication)
Official URL
https://doi.org/10.1109/CSF.2015.32

Abstract

Web browsers routinely handle private information. Owing to a lax security model, browsers and JavaScript in particular, are easy targets for leaking sensitive data. Prior work has extensively studied information flow control (IFC) as a mechanism for securing browsers. However, two central aspects of web browsers - the Document Object Model (DOM) and the event handling mechanism - have so far evaded thorough scrutiny in the context of IFC. This paper advances the state-of-the-art in this regard. Based on standard specifications and the code of an actual browser engine, we build formal models of both the DOM (up to Level 3) and the event handling loop of a typical browser, enhance the models with fine-grained taints and checks for IFC, prove our enhancements sound and test our ideas through an instrumentation of WebKit, an in-production browser engine. In doing so, we observe several channels for information leak that arise due to subtleties of the event loop and its interaction with the DOM.

Item Type: Conference or workshop item (Paper)
DOI/Identification number: 10.1109/CSF.2015.32
Uncontrolled keywords: Browsers; Instruments; Security; Standards; Lattices; Monitoring; Context; information flow control; event handling; DOM; Web browsers; lax security model; JavaScript; sensitive data leakage; IFC; document object model; event handling mechanism; browser engine; formal models; WebKit; in-production browser engine
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming, > QA76.76 Computer software
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Amy Boaler
Date Deposited: 05 Oct 2021 10:58 UTC
Last Modified: 06 Oct 2021 13:07 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/90595 (The current URI for this page, for reference purposes)
  • Depositors only (login required):