Protecting Sensitive Web Content from Client-side Vulnerabilities with CRYPTONs
- Xinshu Dong
- Zhaofeng Chen
- Hossein Siadati
- Shruti Tople
- Prateek Saxena
- Zhenkai Liang

ACM Conference on Computer and Communications Security (CCS 2013)
Web browsers isolate web origins, but do not provide direct abstractions to isolate sensitive data and control computation over it within the same origin. As a result, guaranteeing security of sensitive web content requires trusting all code in the browser and client-side applications to be vulnerability-free. In this paper, we propose a new abstraction, called CRYPTON, which supports intra-origin control over sensitive data throughout its life cycle. To securely enforce the semantics of CRYPTONs, we develop a standalone component called CRYPTON-KERNEL, which extensively leverages the functionality of existing web browsers without relying on their large TCB. Our evaluation demonstrates that the CRYPTON abstraction supported by the CRYPTON-KERNEL is widely applicable to popular real-world applications with millions of users, including webmail, chat, blog applications, and Alexa Top 50 websites, with low performance overhead.