FlowSafe: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
(Created page with '==FlowSafe: Information Flow Security for the Browser== The central idea is to improve the default browser security model, which is "stuck" since 1995 at the [[https://developer…')
 
Line 16: Line 16:


Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See [[http://slang.soe.ucsc.edu/cormac/papers/plas09.pdf]] for a paper on part of the work.
Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See [[http://slang.soe.ucsc.edu/cormac/papers/plas09.pdf]] for a paper on part of the work.
# Add <code>TrustLabel</code> to the JS API, subsuming <code>JSPrincipals</code>
# Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
# Add a <code>TrustLabelBox</code> <code>jsval</code> pseudo-boolean variant
# <code>JSScript</code> has a <code>TrustLabel</code>
# Interpreter <code>pc</code> has a <code>TrustLabel</code>
# Variable objects (even those optimized away) have a <code>TrustLabel</code>
# DOM, other host objects have labels
# Exceptions, etc.
  struct TrustLabelBox {
      jsval      value;
      TrustLabel *label;
  };
--[[User:Brendan|Brendan]] 02:07, 6 August 2009 (UTC)

Revision as of 02:07, 6 August 2009

FlowSafe: Information Flow Security for the Browser

The central idea is to improve the default browser security model, which is "stuck" since 1995 at the [Same-Origin Policy] with its underlying and conflicting DOM access control and JavaScript object-capability security layers.

We aim to do this without breaking the web, and indeed with measurable improvements to safety property enforcement and security policy expressiveness.

Goals

  • Improve default cross-site script integrity (ads, analytics)
  • Systematically enforce the Same-Origin Policy and better security policies by pervasive mediation
  • Reduce existing "caps", DOM, and [JS engine] patch-work and leaky reference monitor code
  • Guarantee termination-insensitive non-interference for better confidentiality
  • Explore timing and termination channel mitigations

To-do

Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See [[1]] for a paper on part of the work.

  1. Add TrustLabel to the JS API, subsuming JSPrincipals
  2. Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
  3. Add a TrustLabelBox jsval pseudo-boolean variant
  4. JSScript has a TrustLabel
  5. Interpreter pc has a TrustLabel
  6. Variable objects (even those optimized away) have a TrustLabel
  7. DOM, other host objects have labels
  8. Exceptions, etc.
 struct TrustLabelBox {
     jsval      value;
     TrustLabel *label;
 };

--Brendan 02:07, 6 August 2009 (UTC)

Retrieved from "https://wiki.mozilla.org/index.php?title=FlowSafe&oldid=160287"