Rajani, Vineet, Bichhawat, Abhishek, Garg, Deepak, Hammer, Christian (2015) Information Flow Control for Event Handling and the DOM in Web Browsers. In: 2015 IEEE 28th Computer Security Foundations Symposium. . pp. 366-379. IEEE ISBN 978-1-4673-7537-5. E-ISBN 978-1-4673-7538-2. (doi:10.1109/CSF.2015.32) (The full text of this publication is not currently available from this repository. You may be able to access a copy if URLs are provided) (KAR id:90595)
The full text of this publication is not currently available from this repository. You may be able to access a copy if URLs are provided. | |
Official URL: https://doi.org/10.1109/CSF.2015.32 |
Abstract
Web browsers routinely handle private information. Owing to a lax security model, browsers and JavaScript in particular, are easy targets for leaking sensitive data. Prior work has extensively studied information flow control (IFC) as a mechanism for securing browsers. However, two central aspects of web browsers - the Document Object Model (DOM) and the event handling mechanism - have so far evaded thorough scrutiny in the context of IFC. This paper advances the state-of-the-art in this regard. Based on standard specifications and the code of an actual browser engine, we build formal models of both the DOM (up to Level 3) and the event handling loop of a typical browser, enhance the models with fine-grained taints and checks for IFC, prove our enhancements sound and test our ideas through an instrumentation of WebKit, an in-production browser engine. In doing so, we observe several channels for information leak that arise due to subtleties of the event loop and its interaction with the DOM.
Item Type: | Conference or workshop item (Paper) |
---|---|
DOI/Identification number: | 10.1109/CSF.2015.32 |
Uncontrolled keywords: | Browsers; Instruments; Security; Standards; Lattices; Monitoring; Context; information flow control; event handling; DOM; Web browsers; lax security model; JavaScript; sensitive data leakage; IFC; document object model; event handling mechanism; browser engine; formal models; WebKit; in-production browser engine |
Subjects: | Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming, > QA76.76 Computer software |
Divisions: | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing |
Depositing User: | Amy Boaler |
Date Deposited: | 05 Oct 2021 10:58 UTC |
Last Modified: | 17 Aug 2022 11:02 UTC |
Resource URI: | https://kar.kent.ac.uk/id/eprint/90595 (The current URI for this page, for reference purposes) |
- Export to:
- RefWorks
- EPrints3 XML
- BibTeX
- CSV
- Depositors only (login required):