
WebPol: Fine-grained Information Flow Policies for Web Browsers


Abstract

In the standard web browser programming model, third-party scripts included in an application execute with the same privilege as the application's own code. This leaves the application's confidential data vulnerable to theft and leakage by malicious code and inadvertent bugs in the third-party scripts. Security mechanisms in modern browsers (the same-origin policy, cross-origin resource sharing and content security policies) are too coarse to suit this programming model. All these mechanisms (and their extensions) describe whether or not a script can access certain data, whereas the meaningful requirement is to allow untrusted scripts access to confidential data that they need and to prevent the scripts from leaking data on the side. Motivated by this gap, we propose WebPol, a policy mechanism that allows a website developer to include fine-grained policies on confidential application data in the familiar syntax of the JavaScript programming language. The policies can be associated with any webpage element, and specify what aspects of the element can be accessed by which third-party domains. A script can access data that the policy allows it to, but it cannot pass the data (or data derived from it) to other scripts or remote hosts in contravention of the policy. To specify the policies, we expose a small set of new native APIs in JavaScript. Our policies can be enforced using any of the numerous existing proposals for information flow tracking in web browsers. We have integrated our policies into one such proposal that we use to evaluate performance overheads and to test our examples.