FlowSafe

FlowSafe: Information Flow Security for the Browser

The central idea is to improve the default browser security model, which is "stuck" since 1995 at the [Same-Origin Policy] with its underlying and conflicting DOM access control and JavaScript object-capability security layers.

We aim to do this without breaking the web, and indeed with measurable improvements to safety property enforcement and security policy expressiveness.

Goals

• Improve default cross-site script integrity (ads, analytics)
• Systematically enforce the Same-Origin Policy and better security policies by pervasive mediation
• Reduce existing "caps", DOM, and [JS engine] patch-work and leaky reference monitor code
• Guarantee termination-insensitive non-interference for better confidentiality
• Explore timing and termination channel mitigations

To-do

Implement dynamic-only, fail-stop "no sensitive upgrade" or better, information flow security for JS, the DOM, and other parts of the browser. See [[1]] for a paper on part of the work.

1. Add JSTrustLabel to the JS API, a union of JSPrincipals (trust labels replace principals)
2. Add policy JS API that allows custom assignment, control flow branching, and input/output policy decision points
3. Add a JSTrustLabeledValue jsval pseudo-boolean variant
4. JSScript has a JSTrustLabel
5. Interpreter pc has a JSTrustLabel
6. Variable objects (even those optimized away) have a JSTrustLabel
7. DOM, other host objects have trust labels
8. Exceptions, etc.

 struct TrustLabelBox {
     jsval      value;
     TrustLabel *label;
 };

--Brendan 02:07, 6 August 2009 (UTC)