Knowledge-based Security of Dynamic Secrets for Reactive Programs (CMU-CyLab-18-001)

<div>Scripts on webpages could steal sensitive user</div><div>data. Much work has been done, both in modeling and</div><div>implementation, to enforce information flow control (IFC) of</div><div>webpages to mitigate such attacks. It is common to model</div><div>scripts running in an IFC mechanism as a reactive program.</div><div>However, this model does not account for dynamic script</div><div>behavior such as user action simulation, new DOM element</div><div>generation, or new event handler registration, which could</div><div>leak information. In this paper, we investigate how to secure</div><div>sensitive user information, while maintaining the flexibility of</div><div>declassification, even in the presence of active attackers—those who can perform the aforementioned actions. Our approach extends prior work on secure-multi-execution with stateful declassification by treating script-generated content specially to ensure that declassification policies cannot be manipulated by them. We use a knowledge-based progress-insensitive definition of security and prove that our enforcement mechanism is sound. We further prove that our enforcement mechanism is precise and has robust declassification (i.e. active attackers cannot learn more than their passive counterpart).</div>