An Expressive Model for the Web Infrastructure: Definition And
An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System Daniel Fett, Ralf Küsters, and Guido Schmitz University of Trier, Germany Email: {fett,kuesters,schmitzg}@uni-trier.de Abstract—The web constitutes a complex infrastructure and, respect to the standards and specifications. As such, our as demonstrated by numerous attacks, rigorous analysis of model constitutes a solid basis for the analysis of a broad standards and web applications is indispensable. range of standards and applications. Inspired by successful prior work, in particular the work by Akhawe et al. as well as Bansal et al., in this work we The standards and specifications that define the web are propose a formal model for the web infrastructure. While spread across many documents, including the HTTP standard unlike prior works, which aim at automatic analysis, our model RFC2616 (with its successor HTTPbis) and the HTML5 so far is not directly amenable to automation, it is much more specification [18], with certain aspects covered in related comprehensive and accurate with respect to the standards and documents, such as RFC6265, RFC6797, RFC6454, the specifications. As such, it can serve as a solid basis for the analysis of a broad range of standards and applications. WHATWG Fetch living standard [32], the W3C Web Storage As a case study and another important contribution of our specification [31], and the W3C Cross-Origin Resource work, we use our model to carry out the first rigorous analysis Sharing specification [12], to name just a few. Specifications of the BrowserID system (a.k.a. Mozilla Persona), a recently de- for the DNS system and communication protocols, such veloped complex real-world single sign-on system that employs as TCP, are relevant as well.
[Show full text]