FlowSafe: Difference between revisions

From MozillaWiki
Jump to navigation Jump to search
No edit summary
Line 19: Line 19:
# Add <code>JSTrustLabel</code> to the JS API, a union of <code>JSPrincipals</code> (trust labels replace principals)
# Add <code>JSTrustLabel</code> to the JS API, a union of <code>JSPrincipals</code> (trust labels replace principals)
# Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
# Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
# Add a <code>JSTrustLabeledValue</code> <code>jsval</code> pseudo-boolean variant
# Support sparse labeling by associating an implicit label with each GC arena footer (JSGCArenaInfo)
# Add a <code>JSTLValue</code> <code>jsval</code> pseudo-boolean variant for overriding the implicit label
# <code>JSScript</code> has a <code>JSTrustLabel</code>
# <code>JSScript</code> has a <code>JSTrustLabel</code>
# Interpreter <code>pc</code> has a <code>JSTrustLabel</code>
# Interpreter <code>pc</code> has a <code>JSTrustLabel</code>
# Variable objects (even those optimized away) have a <code>JSTrustLabel</code>
# Variable objects (even those optimized away) have a <code>JSTrustLabel</code>
# Add shell functions for testing and write tests
# DOM, other host objects have trust labels
# DOM, other host objects have trust labels
# Exceptions, etc.
# Exceptions, etc.


   struct JSTrustLabeledValue {
   struct JSTLValue {
       jsval     value;
       jsval       value;
       TrustLabel *label;
       JSTrustLabel *label;
   };
   };


--[[User:Brendan|Brendan]] 02:07, 6 August 2009 (UTC)
--[[User:Brendan|Brendan]] 02:07, 6 August 2009 (UTC)

Revision as of 04:30, 6 August 2009

FlowSafe: Information Flow Security for the Browser

The central idea is to improve the default browser security model, which is "stuck" since 1995 at the Same-Origin Policy with its underlying and conflicting DOM access control and JavaScript object-capability security layers.

We aim to do this without breaking the web, and indeed with measurable improvements to safety property enforcement and security policy expressiveness.

Goals

  • Improve default cross-site script integrity (ads, analytics)
  • Systematically enforce the Same-Origin Policy and better security policies by pervasive mediation
  • Reduce existing "caps", DOM, and JavaScript engine patch-work / leaky reference monitor code
  • Guarantee termination-insensitive non-interference for better confidentiality
  • Explore timing and termination channel mitigations

To-do

Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See this paper on part of the work.

  1. Add JSTrustLabel to the JS API, a union of JSPrincipals (trust labels replace principals)
  2. Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
  3. Support sparse labeling by associating an implicit label with each GC arena footer (JSGCArenaInfo)
  4. Add a JSTLValue jsval pseudo-boolean variant for overriding the implicit label
  5. JSScript has a JSTrustLabel
  6. Interpreter pc has a JSTrustLabel
  7. Variable objects (even those optimized away) have a JSTrustLabel
  8. Add shell functions for testing and write tests
  9. DOM, other host objects have trust labels
  10. Exceptions, etc.
 struct JSTLValue {
     jsval        value;
     JSTrustLabel *label;
 };

--Brendan 02:07, 6 August 2009 (UTC)

Retrieved from "https://wiki.mozilla.org/index.php?title=FlowSafe&oldid=160300"