Better Security and Privacy for Web Browsers: A Survey of Techniques, and a New Implementation

摘要

The web browser is one of the most security critical software components today. It is used to interact with a variety of important applications and services, including social networking services, e-mail services, and e-commerce and e-health applications. But the same browser is also used to visit less trustworthy sites, and it is unreasonable to make it the end-user's responsibility to "browse safely". So it is an important design goal for a browser to provide adequate privacy and security guarantees, and to make sure that potentially malicious content from one web site can not compromise the browser, violate the user's privacy, or interfere with other web sites that the user interacts with. Hence, browser security has been a very active topic of research over the past decade, and many proposals have been made for new browser security techniques or architectures. In the first part of this paper, we provide a survey of some important problems and some proposed solutions. We start with a very broad view on browser security problems, and then zoom in on the issues related to the security of JavaScript scripts on the Web. We discuss three important classes of techniques: fine-grained script access control, capability-secure scripting and information flow security for scripts, focusing on techniques with a solid formal foundation. In the second part of the paper, we describe a novel implementation of one information flow security technique. We discuss how we have implemented the technique of secure multi-execution in the Mozilla Firefox browser, and we report on some preliminary experiments with this implementation.