Information Flow Control in Modern Web Browsers
Christoph Kerschbaumer
Abstract:
The widespread use of JavaScript as the dominant web programming language opens the door to attacks such as Cross Site Scripting that steal sensitive information from browsers. The information flow tracking approach promises to overcome the shortcomings of the Same Origin Policy and of string filters, which currently provide the first line of defense against Cross Site Scripting. To date, however, information flow tracking enhancements introduce significant runtime overheads, which make real-world browser adoption unlikely.
In this presentation we highlight two techniques to increase performance for information flow tracking in a web browser:
1) A novel approach to information flow security that takes advantage of the correlation between a page's traffic and its value as a target. Our approach probabilistically switches between two JavaScript interpreters during execution of a web application. This technique distributes the workload for tracking the flow of information within a page across all of its visitors. Our modified browser reports all detected information flow violations to a trusted third-party aggregator, which also verifies suspicious behavior on a web page and warns subsequent visitors of the presence of malicious code. Our measurements indicate that our approach is both efficient and effective: we report an average runtime overhead that is an order of magnitude lower than that of previous approaches, and we detect 99.45% of all information flow violations on the Alexa Top 500 pages using a conservative sampling rate. Most sites need fewer samples in practice and will therefore incur even less overhead.
2) We present the first information flow tracking JavaScript engine that is based on a true just-in-time compiler, and that thereby outperforms all previous interpreter-based information flow tracking JavaScript engines by more than a factor of two. Our JIT-based engine (i) has the same coverage as previous interpreter-based solutions, (ii) requires reasonable implementation effort, and (iii) introduces new optimizations to achieve acceptable performance. When evaluated against three industry-standard JavaScript benchmark suites, there is still an average slowdown of 73% over engines that do not support information flow, but this is now well within the range that many users will find an acceptable price for substantially increased security.
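As an added illustration of the first technique (example code, not the talk's own browser implementation), the toy JavaScript model below propagates origin labels through string operations, reports a cross-origin flow at a sink only when the visitor happens to run the tracking interpreter, and lets the aggregator warn later visitors once a report arrives; the origins, the leaking page script and the sampling rate are constructed, and detectionProbability gives the chance that at least one of n visitors sampled at rate p observes the violation.

```javascript
// Toy model of the two-mode scheme (added example, not the talk's code).
// A Labeled value carries the set of origins it depends on; string
// operations propagate labels; a cross-origin sink reports a violation
// only when this visitor's page runs under the tracking interpreter.
class Labeled {
  constructor(value, labels) { this.value = value; this.labels = new Set(labels); }
  static concat(a, b) {               // union of the inputs' labels
    return new Labeled(a.value + b.value, [...a.labels, ...b.labels]);
  }
  static slice(a, start, end) {       // a substring keeps every label
    return new Labeled(a.value.slice(start, end), a.labels);
  }
}

// Sink check: data labeled by one origin must not flow to another origin.
// Without tracking, the labels are simply not available to inspect.
function checkSink(tracking, data, destOrigin) {
  if (!tracking) return null;
  for (const label of data.labels) {
    if (label !== destOrigin) return { from: label, to: destOrigin };
  }
  return null;
}

// Constructed page script: reads a cookie belonging to siteOrigin and
// sends part of it to destOrigin (a leak whenever the origins differ).
function runPage(tracking, siteOrigin, destOrigin) {
  const cookie = new Labeled("sessionid=abc123", [siteOrigin]);
  const payload = Labeled.concat(new Labeled("id=", []), Labeled.slice(cookie, 10));
  return checkSink(tracking, payload, destOrigin);
}

// Each visitor runs in tracking mode with probability p (rng yields [0,1)).
// Once one visitor reports to the aggregator, later visitors are warned
// instead of paying the tracking cost themselves.
function simulateVisitors(visitors, p, rng, siteOrigin, destOrigin) {
  const reports = [];
  let warned = 0;
  for (let i = 0; i < visitors; i++) {
    if (reports.length > 0) { warned++; continue; }
    const violation = runPage(rng() < p, siteOrigin, destOrigin);
    if (violation) reports.push({ visitor: i, ...violation });
  }
  return { detected: reports.length > 0, firstReport: reports[0] || null, warned };
}

// Chance that at least one of n visitors sampled at rate p sees the flow.
function detectionProbability(p, n) { return 1 - Math.pow(1 - p, n); }
console.log(simulateVisitors(200, 0.1, Math.random, "https://bank.example", "https://evil.example"));
```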