Deian Stefan: 2014 Security Workshop


Monday, April 14, 2014
Location: Fisher Conference Center, Arrillaga Alumni Center

"Protecting Users by Confining JavaScript with SWAPI"


Modern web applications comprise a conglomeration of JavaScript from multiple authors: third-party libraries included by a site's developer, site-specific scripts written by the site developer herself, and third-party extensions installed in the browser by the user. Recent years have seen the continual discovery of practical attacks on web users' privacy, from the leaking of sensitive data within pages by malicious third-party library code, to similar leaks by malicious browser extensions, to more subtle leaks, such as those via image resources. Fundamentally, these privacy violations occur because today's web browsers lack sufficient mechanisms for confining untrusted code. We present SWAPI, a simple but powerful approach to robust confinement of JavaScript in modern web browsers. SWAPI prevents malicious third-party libraries from violating users' privacy. It provides safety to mashup web applications that previously posed an inherent risk to user data confidentiality. SWAPI's flexible confinement mechanisms furthermore obviate much of the need for privilege in browser extensions, permitting many of today's extensions to be realized instead as untrusted web pages. SWAPI has been implemented in both Firefox and Chromium; measurements of both browsers demonstrate a virtually imperceptible increase in page-load latency.


Deian Stefan is a fourth-year Ph.D. student in the Computer Science Department at Stanford University. His research interests are in computer and web security, with specific attention to language-based and library-based approaches to enforcing information flow control.