
Run-time Monitoring and Formal Analysis of Information Flows in Chromium

Lujo Bauer, Shaoying Cai†, Limin Jia, Timothy Passaro, Michael Stroucken, Yuan Tian
Carnegie Mellon University, †Institute for Infocomm Research
{lbauer,liminjia,tpassaro,mxs,[email protected] [email protected]

Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.
NDSS '15, 8-11 February 2015, San Diego, CA, USA
Copyright 2015 Internet Society, ISBN 1-891562-38-X
http://dx.doi.org/10.14722/ndss.2015.23295

Abstract—Web browsers are a key enabler of a wide range of online services, from shopping and email to banking and health services. Because these services frequently involve handling sensitive data, a wide range of web browser security policies and mechanisms has been implemented or proposed to mitigate the dangers posed by malicious code and sites.

This paper describes an approach for specifying and enforcing flexible information-flow policies on the Chromium web browser. Complementing efforts that focus on information-flow enforcement on JavaScript, our approach focuses on an existing browser and encompasses a broad range of browser features, from pages and scripts to DOM elements, events, persistent state, and extensions. In our approach, which is a coarse-grained, light-weight implementation of taint tracking, entities in the browser are annotated with information-flow labels that specify policy and track information flows. We develop a detailed formal model of our approach, for which we prove noninterference. We also develop a corresponding prototype system built on top of Chromium. We demonstrate, and experimentally confirm, that the system can enforce many existing browser policies, as well as practically useful policies beyond those enforceable in standard web browsers.

I. INTRODUCTION

Web browsers are used to access a wide range of services—from shopping and email to banking, health services, and document editing. While bringing about increased convenience and productivity, the continuing rise in popularity of web services also causes users to incur significant risks. Using these services causes users' confidential data—such as passwords, bank account numbers, and emails—to be exposed to the web browser, to scripts running in pages loaded in the browser, and to browser extensions and plugins. Scripts and extensions are particularly difficult to trust: even simple web pages commonly load multiple page scripts of often dubious provenance; similarly, tens of thousands of extensions are available to be installed on browsers like Firefox and Chrome, and popular extensions are downloaded by tens of millions of users.

To reduce the dangers posed by scripts and extensions, today's browsers use numerous security mechanisms, from the same origin policy (SOP), content security policies (CSPs), and permissions to process isolation and isolated worlds. Despite all these mechanisms, however, risks to users' data remain. Dangerous new attacks and vulnerabilities are regularly demonstrated. For example, page scripts and extensions can track user browsing behavior [14], [24], capture user input in web forms [36], steal cookies and confidential web page content [3], [12], and even hijack user sessions and make web service requests on behalf of the user [9].

A promising recent development is the emergence of information-flow control as an approach for preventing many such script misbehaviors [19], [27], [42], [48], [49]. Some such approaches are more heavy-weight; they enforce fine-grained policies, but require implementing a new JavaScript interpreter [19], [27]. In contrast, BFlow and COWL compartmentalize scripts and assign policies at the granularity of compartments that encapsulate content from a single origin [42], [49]. They enforce coarse-grained policies on communication across compartments and build on existing JavaScript engines.

Complementing existing research on information flow in web browsers, in this paper we pursue a light-weight, dynamic, taint-tracking-based approach to constrain information flows within a browser and to prevent secrets from leaving the browser. We provide a formal accounting of information flows among the many entities, both static and dynamic, which inhabit browsers. These include dynamic entities such as page scripts and extension scripts; ephemeral ones like browser tabs, loaded web pages, and events (e.g., a button click); and persistent entities like cookies, history, and bookmarks. We explore whether an information-flow enforcement system can encompass all the above entities and implement useful policies without unduly impacting regular browsing functionality and with reasonable run-time overhead.

More specifically, we develop an approach for specifying and enforcing flexible information-flow policies for Chromium. Compared to other successes in applying formal information-flow reasoning to web browsers, we believe our approach is novel in the combination of richness of policy specification it allows and breadth of the space it encompasses. In our approach, all entities in a browser are described using information-flow labels. For web pages, extensions, and some APIs, these labels express the policy of the author or user, or built-in browser policies, e.g., a superset of a web page's CSP or variants of the SOP. For other entities in the browser, including ephemeral ones like button-click events and persistent ones like cookies and browser history, labels are created automatically and serve to track information flows and prevent those that violate specified policies.

Our information-flow labels are based on entity origin: domains in URLs, extension IDs, and the browser's user. Labels can express declassification and endorsement policies, permitting controlled flow of information to untrusted components when this is required to achieve specific functionality (e.g., a password stored by a password manager is allowed to be sent to a web site if the user clicks the page's login button).

Our approach is sufficiently expressive to encompass policies that are currently explicitly specified in the browser, such as specific CSP, domain relaxation, and cross-origin resource-sharing policies; and policies expressed via extension permissions. Our approach also explicitly exposes policy composition, e.g., between the CSP of a web page, the CSP of content loaded in iframes, and policies specified by developers of extensions whose content scripts are active in the page. This enables our approach to represent both the ad-hoc ways in which browsers currently handle policy composition (e.g., conflicts between policies of web pages and extension content scripts) and more principled and fine-grained ways of resolving policy conflicts.

We precisely define our approach by means of a formal model, which we show obeys trace-based noninterference. We concretely demonstrate through a prototype implementation on Chromium that our system can be used to enforce practically useful policies, including those that prevent malicious extensions from stealing user input or other extensions' secrets and colluding via explicit shared state. We also discuss inherent tradeoffs between security and functionality via case studies that expose the need for a semi-trusted script or extension to have dangerous declassification privileges in order to implement seemingly innocuous functionality.

In summary, this paper makes the following contributions:

• An approach for specifying and enforcing information-flow policies that encompasses the full range

background and closely related work. Section III gives an overview of our approach, including describing how labels are specified and used to enforce policies. We describe the formal model and analysis in Section IV and the prototype implementation in Section V. Section VI discusses how our approach can be used to implement existing browser security mechanisms.

A. Motivating Example

We use a password manager extension as a motivating scenario to demonstrate the features of our approach. The password manager, ext_pwdMgr, collects usernames and passwords entered into login forms and saves them for future use. On subsequent visits to previously visited pages, the password manager automatically fills in usernames and passwords.

Suppose that a page for which ext_pwdMgr has saved the user's password is cnn.com. Several other extensions, including ext_eve—a malicious extension masquerading as a web page translation extension—are installed in the browser and have access to cnn.com. cnn.com loads advertising content, which includes page scripts, from ad sites like ad.com.

Given currently deployed browser security mechanisms, ext_eve and scripts from ad.com may be able to interfere with the password manager in a number of ways, including:

• Once ext_pwdMgr fills in a login form with previously saved passwords, these can be read by ext_eve and ad.com scripts and communicated to other sites.
• ext_eve can collect saved passwords even for sites that the user does not herself visit by opening new tabs that load arbitrary web pages; if ext_pwdMgr has saved passwords for those web pages, it may automatically fill them in.
• ext_eve and page scripts can automatically cause the user
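As an added illustration of the origin-based labels and the login-button declassification described above (a toy model written for this page, not the paper's formal model or its Chromium prototype), the following Python labels each entity with the origins allowed to receive its data and lets a user click on the cnn.com login button release the saved password to cnn.com. It assumes that events are labelled with the origin that created them, so a click synthesized by ext_eve does not count as a user click, and the origins eve.example and x.example are made up.

```python
USER = "user"  # the browser's user, one of the origins labels are built from

class Label:
    """Secrecy label: `readers` are the origins allowed to receive the data;
    `declassify` maps a target origin to a page origin: the data may also flow
    to that target when a user click on a page of that origin triggers it."""

    def __init__(self, readers, declassify=None):
        self.readers = frozenset(readers)
        self.declassify = dict(declassify or {})

    def join(self, other):
        # Data derived from two sources is readable only where both allow it; a
        # declassification rule survives only if the other source permits that
        # target too, directly or through the same rule.
        rules = {}
        for a, b in ((self, other), (other, self)):
            for target, page in a.declassify.items():
                if target in b.readers or b.declassify.get(target) == page:
                    rules[target] = page
        return Label(self.readers & other.readers, rules)

class Event:
    def __init__(self, kind, page_origin, creator):
        # creator: USER for genuine input, a script or extension origin for a
        # synthetic event (assumed labelling of events by their creator)
        self.kind, self.page_origin, self.creator = kind, page_origin, creator

def may_flow(label, target, event=None):
    """Reference-monitor check: may data carrying `label` be sent to `target`?"""
    if target in label.readers:
        return True
    page = label.declassify.get(target)
    return (event is not None and event.kind == "click"
            and event.creator == USER and event.page_origin == page)

def password_manager_scenario():
    pwd_mgr, eve, ad, cnn = "ext_pwdMgr", "ext_eve", "ad.com", "cnn.com"
    # Saved cnn.com password: readable by the manager and the user only,
    # releasable to cnn.com by a user click on a cnn.com page.
    pwd = Label({pwd_mgr, USER}, {cnn: cnn})
    page = Label({USER, pwd_mgr, eve, ad, cnn})  # page content is public
    field = pwd.join(page)  # the auto-filled form field inherits the taint
    return {
        "eve_exfiltrates": may_flow(field, "eve.example"),  # made-up origin
        "ad_script_sends": may_flow(field, ad),
        "synthetic_click": may_flow(field, cnn, Event("click", cnn, eve)),
        "click_elsewhere": may_flow(field, cnn, Event("click", "x.example", USER)),
        "user_login_click": may_flow(field, cnn, Event("click", cnn, USER)),
    }
```

Only the genuine user click on the cnn.com page satisfies the declassification rule; every other send of the filled-in password is refused by the monitor.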