
JSFfox: Run-Timely Confining JavaScript for Firefox

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10343)

Abstract

Current web applications incorporate third-party content hosted at different origins, which offers a series of online services as well as a suite of reusable libraries. Since those services and libraries constantly demand access to privacy-sensitive data to implement their normal operations, web developers and users must trust them not to exfiltrate that data. However, because they operate in an all-or-nothing fashion, the security mechanisms of present web browsers are essentially insufficient for mitigating the risks caused by third-party code.

This paper presents JSFfox, a JavaScript confinement system that enforces flexible information-flow policies for Firefox. Under JSFfox, not only the compartments but also the transferred messages that contain sensitive data are associated with information-flow labels, which can be tracked to enforce substantial policies. We characterize a wide range of web applications to demonstrate the motivations and requirements of JSFfox's design, and implement secure versions of those applications, which guarantee flexibility for developers as well as privacy for users. We develop a functional prototype of JSFfox built on top of Firefox, and the experimental results show that JSFfox is fully backward-compatible with the current web and introduces negligible overhead compared with legacy Firefox.

Notes

  1. An origin is a source of authority encoded by the protocol (e.g., http), domain name (e.g., a.com), and port (e.g., 80) of a resource URL.

  2. For clarity, we use a.com as the hostname-based tag, while the complete tag certainly includes the scheme and port.

Acknowledgement

This work is supported by National Natural Science Foundation of China under grant No.61370106, and National High-tech R&D Program of China (863 Program) under grant No.2015AA016001.

Corresponding author

Correspondence to Weizhong Qiang.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Qiang, W., Guo, J., Jin, H., Li, W. (2017). JSFfox: Run-Timely Confining JavaScript for Firefox. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol 10343. Springer, Cham. https://doi.org/10.1007/978-3-319-59870-3_8

  • DOI: https://doi.org/10.1007/978-3-319-59870-3_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59869-7

  • Online ISBN: 978-3-319-59870-3

  • eBook Packages: Computer Science (R0)
