Protecting Sensitive Data in Web Browsers with ScriptPolice


Presented as part of the 2013 HCSS conference.

ABSTRACT

The web browser has become an attractive target for attackers who wish to obtain users' sensitive data. The browser is rife with untrusted JavaScript: pages execute scripts, and extensions execute with elevated privilege that entitles them to see content from all origins, and to send data to third-party servers. Two principal threat models apply to a user's sensitive data within a browser. A malicious extension author may write extension code that reads sensitive page content and sends it to a remote server he controls. And a malicious page author may exploit an honest but buggy extension, thus leveraging its elevated privilege to disclose sensitive information from other origins.

In this talk, I will demonstrate zero-day vulnerabilities in real-world extensions for a widely used browser that allow maliciously crafted JavaScript in pages to leak a user's sensitive information. I will then describe two classes of policy that protect sensitive data in web browsers by limiting the privilege of JavaScript code. *Containment* policies block the export of sensitive information from an extension, however obtained. They protect against both malicious extensions and malicious pages. *Prevention* policies, by contrast, stop the misuse of an extension's privileges by a page. Both types of policy are effective for a wide range of extensions, and are thus easy to deploy in browsers. Finally, I will present ScriptPolice, a policy system for the Chrome browser's V8 JavaScript interpreter that supports simple containment and prevention policies. We demonstrate that on a variety of extensions and pages, ScriptPolice effectively protects sensitive data in the browser, while typically incurring added latency indistinguishable by the user.

(Joint work with Petr Marchenko of UCL and Ulfar Erlingsson of Google.)

BIO

Brad Karp is a Reader (in US academic parlance, Associate Professor) in Computer Systems and Networks at the University College London Department of Computer Science. His research interests span computer system and network security (current work includes web browser and JavaScript security; past work includes the Wedge secure OS extensions and the Autograph and Polygraph worm signature generation systems), large-scale distributed systems (current work includes LOUP, a provably loop-free Internet routing protocol; past work includes the Open DHT shared public DHT service), and wireless networks (current work includes techniques for improving capacity at the MAC and PHY layers; past work includes the GPSR and CLDP scalable geographic routing protocols). Prior to taking up his post at UCL in late 2005, Karp held joint appointments at Intel Research and Carnegie Mellon, and as a researcher at ICSI at UC Berkeley. He earned his Ph.D. in Computer Science at Harvard University in 2000, and holds a B.S. in Computer Science from Yale University, earned in 1992.

License: CC-2.5
Submitted by Katie Dey on