FlowSafe: Difference between revisions

Latest revision as of 16:57, 25 March 2010

FlowSafe: Information Flow Security for the Browser

The central idea is to improve the default browser security model, which is "stuck" since 1995 at the Same-Origin Policy with its underlying and conflicting DOM access control and JavaScript object-capability security layers.

We aim to do this without breaking the web, and indeed with measurable improvements to safety property enforcement and security policy expressiveness.

Goals

  • Improve default cross-site script integrity (ads, analytics)
  • Systematically enforce the Same-Origin Policy and better security policies by pervasive mediation
  • Reduce existing "caps", DOM, and JavaScript engine patch-work / leaky reference monitor code
  • Guarantee termination-insensitive non-interference for better confidentiality
  • Explore timing and termination channel mitigations

To-do

Implement dynamic-only, fail-stop "no sensitive upgrade" (or stronger) information flow security for JS, the DOM, and other parts of the browser. See the PLAS '09 paper listed under References for the part of the work this builds on.

  1. Add JSTrustLabel to the JS API, a union of JSPrincipals (trust labels replace principals)
  2. JSScript has a JSTrustLabel
  3. Interpreter pc has a JSTrustLabel
  4. Extend JSExtendedClass to delegate typeof so we can build LabeledValue wrappers for primitives
    1. Also need to rebox results of all primitive operators, e.g. -x for x = new LabeledValue(42) should be a LabeledValue instance, not the number -42
  5. Have shapes imply trust labels so that distinct origins get different shapes for standard objects, equivalent property list patterns, etc.
    1. So objects have trust labels because objects have shapes
    2. Beware shapeless objects (dense arrays, certain "host objects")
    3. Cormac's semantics requires labeled references too, another use-case for LabeledValue
  6. Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points -- does this mean SSA in one pass?
  7. Add shell functions for testing and write tests
  8. DOM, other host objects have trust labels
  9. Exceptions, etc.
  10. Declassify primitive TBD, defer for now

--Brendan 01:43, 31 October 2009 (UTC)
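The following is an added example, not code from FlowSafe or SpiderMonkey: a stand-alone JavaScript model of the purely dynamic, fail-stop "no sensitive upgrade" monitor that the to-do list above sketches (labeled values, a labeled pc, reboxed primitive results, and a policy decision point at the output sink). The class and function names (Monitor, LabeledValue, FlowError), the origins bank.example and ads.example, and the sink policy "data may leave only to the single origin that produced it" are assumptions chosen for illustration; labels are sets of origins, following the page's "union of principals" phrasing.

```javascript
// Stand-alone model of a purely dynamic "no sensitive upgrade" (NSU)
// information-flow monitor in the style of the PLAS '09 paper.
// Labels are sets of origins: join is set union, and l1 ⊑ l2 iff l1 ⊆ l2.
// Every name here is invented for the example; none of it is FlowSafe code.

const join = (a, b) => new Set([...a, ...b]);
const leq = (a, b) => [...a].every((o) => b.has(o)); // a ⊑ b
const show = (l) => `{${[...l].join(",")}}`;

class FlowError extends Error {}

// A value plus the set of origins whose data influenced it.
class LabeledValue {
  constructor(value, label = []) {
    this.value = value;
    this.label = new Set(label);
  }
}

class Monitor {
  constructor() {
    this.pc = new Set(); // label of the current control-flow context
    this.store = new Map(); // variable name -> LabeledValue
  }
  // A variable declared inside a secret branch is secret from the start.
  declare(name, value, label = []) {
    this.store.set(name, new LabeledValue(value, join(new Set(label), this.pc)));
  }
  read(name) {
    const lv = this.store.get(name);
    if (lv === undefined) throw new ReferenceError(`undeclared variable ${name}`);
    return lv;
  }
  // NSU rule: a variable may be written only if its existing label already
  // dominates pc; otherwise the monitor fail-stops instead of upgrading it.
  assign(name, lv) {
    const cur = this.read(name);
    if (!leq(this.pc, cur.label)) {
      throw new FlowError(`NSU: write to ${name} ${show(cur.label)} in context ${show(this.pc)}`);
    }
    this.store.set(name, new LabeledValue(lv.value, join(lv.label, this.pc)));
  }
  // Primitive operators rebox their result (cf. "-x should be a LabeledValue,
  // not -42" above) and join the operand labels with pc.
  binop(op, a, b) {
    return new LabeledValue(op(a.value, b.value), join(join(a.label, b.label), this.pc));
  }
  // A conditional raises pc by the guard's label for the taken branch; this is
  // what makes implicit flows visible to assign().
  branch(cond, thenFn, elseFn = () => {}) {
    const saved = this.pc;
    this.pc = join(this.pc, cond.label);
    try {
      if (cond.value) thenFn();
      else elseFn();
    } finally {
      this.pc = saved;
    }
  }
  // Output policy decision point (assumed policy): data may leave to `dest`
  // only if every origin that influenced it is `dest` itself.
  send(dest, lv) {
    if (!leq(lv.label, new Set([dest]))) {
      throw new FlowError(`send to ${dest} of data labeled ${show(lv.label)}`);
    }
    return lv.value;
  }
}

const blocked = (fn) => {
  try { fn(); return false; } catch (e) { return e instanceof FlowError; }
};

// 1. Explicit flow: an ad script reads the bank page's balance and posts it home.
function explicitFlowBlocked() {
  const m = new Monitor();
  m.declare("balance", 1234, ["bank.example"]);
  return blocked(() => m.send("ads.example", m.read("balance")));
}

// 2. Implicit flow: `if (secret) leak = true` copies one bit with no explicit
//    assignment from secret. NSU refuses the write to the public variable.
function implicitFlowBlocked() {
  const m = new Monitor();
  m.declare("secret", true, ["bank.example"]);
  m.declare("leak", false); // public: label {}
  return blocked(() => m.branch(m.read("secret"), () => m.assign("leak", new LabeledValue(true))));
}

// 3. Same-origin computation is unaffected: bank data may flow back to bank.
function sameOriginFlowAllowed() {
  const m = new Monitor();
  m.declare("balance", 1234, ["bank.example"]);
  m.declare("fee", 10, ["bank.example"]);
  return m.send("bank.example", m.binop((a, b) => a + b, m.read("balance"), m.read("fee")));
}

// 4. A target already labeled at or above pc may be written in a secret branch.
function labeledTargetAllowed() {
  const m = new Monitor();
  m.declare("secret", 7, ["bank.example"]);
  m.declare("copy", 0, ["bank.example"]);
  m.branch(m.read("secret"), () => m.assign("copy", new LabeledValue(1)));
  const c = m.read("copy");
  return [c.value, [...c.label]];
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(explicitFlowBlocked(), implicitFlowBlocked(), sameOriginFlowAllowed(), labeledTargetAllowed());
}
```

Two points worth noticing when running it. In example 2 the monitor stops only when `secret` is true; when it is false no write happens and execution continues, so the fail-stop is itself a one-bit termination channel, which is exactly why the guarantee above is termination-insensitive non-interference and why timing and termination channels are listed separately as something to explore. Example 4 shows the cost of NSU: code that wants to write a variable inside a secret branch has to have labeled it appropriately beforehand, which is the pattern a declassify primitive (deferred above) would otherwise have to handle.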

References

Efficient Purely-Dynamic Information Flow Analysis (PLAS '09), http://slang.soe.ucsc.edu/cormac/papers/plas09.pdf