Data-confined HTML5 Applications
Devdatta Akhawe,
Frank Li,
Warren He,
Prateek Saxena,
Dawn Song
European Symposium on Research in Computer Security (ESORICS), London, 2013
@Misc{akhawe13dataconfined,
author = {Devdatta Akhawe and Frank Li and Warren He and Prateek Saxena and Dawn Song},
title = {Data-confined HTML5 Applications},
booktitle = {Computer Security--ESORICS 2013},
year = {2013},
}
Abstract
Rich client-side applications written in HTML5 proliferate on diverse
platforms, access sensitive data, and need to maintain data-confinement
invariants. Applications currently enforce these invariants using implicit,
ad-hoc mechanisms. We propose a new primitive called a data-confined sandbox
or DCS. A DCS enables complete mediation of communication channels with a
small TCB. Our primitive extends currently standardized primitives and has
negligible performance overhead and a modest compatibility cost. We retrofit
our design on four real-world HTML5 applications and demonstrate that a small
amount of effort enables strong data-confinement guarantees.
Source Code Release
Our evaluation case studies are available
here