ABSTRACT
We propose a novel and simple approach for securing access to sensitive content on the web. The approach automates the best manual compartmentalization practices for accessing different kinds of content with different browser instances. The automation is transparent to the user and does not require any modification of how non-sensitive content is accessed. For sensitive content, a Fresh Browser Instance (FBI) is automatically created to access the content. Our prototype system Auto-FBI can provide support for novice users with predefined sensitive content sites as well as for more experienced users who can define conflict of interest (COI) classes which allows content from sites in the same user-defined class to coexist in a browser instance. Our initial performance evaluation of Auto-FBI shows that the overhead introduced by the approach is acceptable (less than 160 ms for sites that already have fast load time, but for slow sites the overhead can be as high as 750 ms).
- A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In Proceedings of the 2008 ACM conference on Computer and Communications Security, CCS'08, pages 75--88, 2008. Google ScholarDigital Library
- N. Bielova, D. Devriese, F. Massacci, and F. Piessens. Reactive non-interference for a browser model. In Proceedings of the 2011 international conference on Network and System Security, NSS'11, pages 97--104, 2011.Google ScholarCross Ref
- D. F. C. Brewer and M. J. Nash. The chinese wall security policy. In Security and Privacy, 1989. Proceedings., 1989 IEEE Symposium on, pages 206--214. IEEE, 1989.Google ScholarCross Ref
- R. Capizzi, A. Longo, V. N. Venkatakrishnan, and A. P. Sistla. Preventing information leaks through shadow executions. In Annual Computer Security Applications Conference, 2008, ACSAC'08, pages 322--331, 2008. Google ScholarDigital Library
- E. Y. Chen, J. Bau, C. Reis, A. Barth, and C. Jackson. App isolation: get the security of multiple browsers with just one. In Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, pages 227--238, 2011. Google ScholarDigital Library
- W. De Groef, D. Devriese, N. Nikiforakis, and F. Piessens. Flowfox: a web browser with flexible and precise information flow control. In Proceedings of the 2012 ACM conference on Computer and Communications Security, CCS'12, pages 748--759, 2012. Google ScholarDigital Library
- D. Devriese and F. Piessens. Noninterference through secure multi-execution. In Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP'10, pages 109--124, 2010. Google ScholarDigital Library
- D. Flanagan. JavaScript: the definitive guide. O'Reilly Media, 2011.Google Scholar
- T. Garfinkel. Traps and pitfalls: Practical problems in system call interposition based security tools. In Proceedings of the 2003 Network and Distributed Systems Security Symposium, volume 33 of NDSS'03, 2003.Google Scholar
- B. Hicks, S. Rueda, D. King, T. Moyer, J. Schiffman, Y. Sreenivasan, P. McDaniel, and T. Jaeger. An architecture for enforcing end-to-end access control over web applications. In Proceedings of the 15th ACM symposium on Access control models and technologies, SACMAT'10, pages 163--172, 2010. Google ScholarDigital Library
- Internet Engineering Task Force (IETF). Request for Comments: 6265.Google Scholar
- Internet Engineering Task Force (IETF). Request for Comments: 6454, 2011.Google Scholar
- C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh. Protecting browsers from dns rebinding attacks. ACM Transactions on the Web (TWEB), 3(1):2, 2009. Google ScholarDigital Library
- D. Jang, R. Jhala, S. Lerner, and H. Shacham. An empirical study of privacy-violating information flows in javascript web applications. In Proceedings of the 2010 ACM conference on Computer and Communications Security, CCS'10, pages 270--283, 2010. Google ScholarDigital Library
- M. Johns. On javascript malware and related threats. Journal in Computer Virology, 4(3):161--178, 2008.Google ScholarCross Ref
- E. Kirda and C. Kruegel. Protecting users against phishing attacks. The Computer Journal, 49(5):554--561, 2006. Google ScholarDigital Library
- N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iframes point to us. In Proceedings of the 2008 Security Symposium, SS'08, pages 1--15, 2008. Google ScholarDigital Library
- G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson. Busting frame busting: a study of clickjacking vulnerabilities at popular sites. IEEE Oakland Web, 2, 2010.Google Scholar
- Z. Weinberg, E. Y. Chen, P. R. Jayaraman, and C. Jackson. I still know what you visited last summer: Leaking browsing history via user interaction and side channel attacks. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP'11, pages 147--161, 2011. Google ScholarDigital Library
Index Terms
- Auto-FBI: a user-friendly approach for secure access to sensitive content on the web
Recommendations
Content-aware auto-soundtracks for personal photo music slideshows
ICME '11: Proceedings of the 2011 IEEE International Conference on Multimedia and ExpoWe present a novel slideshow generation concept based on content-aware photo-music mapping. Current technologies for automated personal photo slideshow generation primarily focus on photo presentations and visual effects. These solutions utilize either ...
An auto-delegation mechanism for access control systems
STM'10: Proceedings of the 6th international conference on Security and trust managementDelegation is a widely used and widely studied mechanism in access control systems. Delegation enables an authorized entity to nominate another entity as its authorized proxy for the purposes of access control. Existing delegation mechanisms tend to ...
Auto-update: a concept for automatic downloading of web content to a mobile device
Mobility '07: Proceedings of the 4th international conference on mobile technology, applications, and systems and the 1st international symposium on Computer human interaction in mobile technologyInternet content is increasingly available for mobile users. Mobile devices are capable of delivering not only full Web pages but also other Web content such as podcasts and RSS feeds. Today, cost, speed of data transfer, and network coverage are among ...
Comments