data. Much work has been done, both in modeling and
implementation, to enforce information flow control (IFC) of
webpages to mitigate such attacks. It is common to model
scripts running in an IFC mechanism as a reactive program.
However, this model does not account for dynamic script
behavior such as user action simulation, new DOM element
generation, or new event handler registration, which could
leak information. In this paper, we investigate how to secure
sensitive user information, while maintaining the flexibility of
declassification, even in the presence of active attackers—those who can perform the aforementioned actions. Our approach extends prior work on secure-multi-execution with stateful declassification by treating script-generated content specially to ensure that declassification policies cannot be manipulated by them. We use a knowledge-based progress-insensitive definition of security and prove that our enforcement mechanism is sound. We further prove that our enforcement mechanism is precise and has robust declassification (i.e. active attackers cannot learn more than their passive counterpart).
Funding
National Science Foundation CNS1704542 and CNS1320470