FlowSafe: Difference between revisions

From MozillaWiki
Line 17: Line 17:
Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See [[http://slang.soe.ucsc.edu/cormac/papers/plas09.pdf]] for a paper on part of the work.
Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See [[http://slang.soe.ucsc.edu/cormac/papers/plas09.pdf]] for a paper on part of the work.


# Add <code>TrustLabel</code> to the JS API, subsuming <code>JSPrincipals</code>
# Add <code>JSTrustLabel</code> to the JS API, a union of <code>JSPrincipals</code> (trust labels replace principals)
# Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
# Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
# Add a <code>TrustLabelBox</code> <code>jsval</code> pseudo-boolean variant
# Add a <code>JSTrustLabeledValue</code> <code>jsval</code> pseudo-boolean variant
# <code>JSScript</code> has a <code>TrustLabel</code>
# <code>JSScript</code> has a <code>JSTrustLabel</code>
# Interpreter <code>pc</code> has a <code>TrustLabel</code>
# Interpreter <code>pc</code> has a <code>JSTrustLabel</code>
# Variable objects (even those optimized away) have a <code>TrustLabel</code>
# Variable objects (even those optimized away) have a <code>JSTrustLabel</code>
# DOM, other host objects have labels
# DOM, other host objects have trust labels
# Exceptions, etc.
# Exceptions, etc.
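Review bot: the rename in item 3 from <code>TrustLabelBox</code> to <code>JSTrustLabeledValue</code> is not carried through to the struct shown with the revision below, which still reads `struct TrustLabelBox { jsval value; TrustLabel *label; };`; either the struct should be renamed to match the new item, or item 3 should say that <code>JSTrustLabeledValue</code> is the boxed pair of a <code>jsval</code> and a <code>JSTrustLabel</code>. Item 1 would also benefit from saying what "a union of <code>JSPrincipals</code>" means in practice (the label carries the set of principals that the old single-principal field could not express).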
Revision as of 02:09, 6 August 2009

FlowSafe: Information Flow Security for the Browser

The central idea is to improve the default browser security model, which has been "stuck" since 1995 at the Same-Origin Policy, with its underlying and conflicting DOM access-control and JavaScript object-capability security layers.

We aim to do this without breaking the web, and indeed with measurable improvements to safety property enforcement and security policy expressiveness.

Goals

  • Improve default cross-site script integrity (ads, analytics)
  • Systematically enforce the Same-Origin Policy and better security policies by pervasive mediation
  • Reduce existing "caps", DOM, and JS engine patch-work and leaky reference monitor code
  • Guarantee termination-insensitive non-interference for better confidentiality
  • Explore timing and termination channel mitigations

To-do

Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See http://slang.soe.ucsc.edu/cormac/papers/plas09.pdf for a paper on part of the work.

  1. Add JSTrustLabel to the JS API, a union of JSPrincipals (trust labels replace principals)
  2. Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
  3. Add a JSTrustLabeledValue jsval pseudo-boolean variant
  4. JSScript has a JSTrustLabel
  5. Interpreter pc has a JSTrustLabel
  6. Variable objects (even those optimized away) have a JSTrustLabel
  7. DOM, other host objects have trust labels
  8. Exceptions, etc.

 /* Sketch of the labeled jsval variant from item 3: a value paired with the
    trust label that tracks where it flowed from. */
 struct TrustLabelBox {
     jsval      value;   /* the ordinary JS value */
     TrustLabel *label;  /* its information-flow label */
 };
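
As an added illustration of the fail-stop "no sensitive upgrade" rule named above (constructed for this page, not FlowSafe or SpiderMonkey code): a small C model in which a label is a bitmask of principals, every value is boxed with its label, the interpreter keeps a pc label for the branches in scope, and an assignment halts instead of upgrading a public variable under a secret pc. The type and function names (`LabeledValue`, `ifc_*`, `LABEL_L`/`LABEL_H`) are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the labeled-value scheme in the to-do above (not
 * SpiderMonkey code). A label is a bitmask of principals; LABEL_L (0) is
 * public, LABEL_H marks data that must not reach a public sink. */
typedef uint32_t TrustLabel;
enum { LABEL_L = 0, LABEL_H = 1 };

typedef struct {
    long       value;   /* stands in for jsval */
    TrustLabel label;   /* stands in for TrustLabel *label */
} LabeledValue;

/* pc label: join of the labels of all branch conditions currently in scope. */
static TrustLabel pc_stack[32];
static int        pc_depth;

static TrustLabel pc_label(void) { return pc_depth ? pc_stack[pc_depth - 1] : LABEL_L; }
static bool flows_to(TrustLabel from, TrustLabel to) { return (from & ~to) == 0; }

/* Entering a conditional raises pc by the condition's label; leaving restores it. */
static bool ifc_branch(LabeledValue cond) {
    pc_stack[pc_depth++] = pc_label() | cond.label;
    return cond.value != 0;
}
static void ifc_join(void) { pc_depth--; }

/* No-sensitive-upgrade assignment: a variable may be written only if its
 * current label already covers pc. Otherwise the program is halted
 * (fail-stop) rather than silently upgrading the label, because whether a
 * variable got upgraded would itself reveal the branch condition. */
static bool ifc_assign(LabeledValue *var, LabeledValue rhs) {
    if (!flows_to(pc_label(), var->label))
        return false;                       /* fail-stop */
    var->value = rhs.value;
    var->label = rhs.label | pc_label();
    return true;
}

/* The classic implicit flow: `if (secret) y = 1` with y public. Returns true
 * when the monitor halts before y can observe the secret. */
static bool implicit_flow_is_stopped(long secret) {
    LabeledValue x = { secret, LABEL_H }, y = { 0, LABEL_L }, one = { 1, LABEL_L };
    bool ok = true;
    if (ifc_branch(x)) ok = ifc_assign(&y, one);   /* pc = H while inside */
    ifc_join();
    return !ok;
}
```

With the secret set, the write to the public `y` is refused and execution stops; with it clear, the branch is skipped and `y` keeps its public label, so the only thing an observer learns is whether the program terminated, which is exactly the termination channel the Goals section sets aside.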

--Brendan 02:07, 6 August 2009 (UTC)