    Control What You Include! Server-Side Protection against Third Party Web Tracking

    Third party tracking is the practice by which third parties recognize users across different websites as they browse the web. Recent studies show that 90% of websites contain third party content that tracks their users across the web. Website developers often need to include third party content in order to provide basic functionality. However, when a developer includes third party content, she cannot know whether the third party contains tracking mechanisms. If a website developer wants to protect her users from being tracked, the only solution is to exclude any third-party content, thus trading functionality for privacy. We describe and implement a privacy-preserving web architecture that gives website developers control over third party tracking: developers are able to include functionally useful third party content while at the same time ensuring that end users are not tracked by the third parties.

    Type Abstraction for Relaxed Noninterference

    Information-flow security typing statically prevents confidential information from leaking to public channels. The fundamental information flow property, known as noninterference, states that a public observer cannot learn anything from private data. As attractive as it is from a theoretical viewpoint, noninterference is impractical: real systems need to intentionally and selectively declassify some information. Among the different information flow approaches to declassification, a particularly expressive approach was proposed by Li and Zdancewic, enforcing a notion of relaxed noninterference by allowing programmers to specify declassification policies that capture the intended manner in which public information can be computed from private data. This paper shows how we can exploit the familiar notion of type abstraction to support expressive declassification policies in a simpler, yet more expressive manner. In particular, the type-based approach to declassification, which we develop in an object-oriented setting, addresses several issues and challenges with respect to prior work, including a simple notion of label ordering based on subtyping, support for recursive declassification policies, and a local, modular reasoning principle for relaxed noninterference. This work paves the way for integrating declassification policies in practical security-typed languages.

    A Taxonomy of Information Flow Monitors

    We propose a rigorous comparison of information flow monitors with respect to two dimensions: soundness and transparency. For soundness, we notice that the standard information flow security definition called Termination-Insensitive Noninterference (TINI) allows the presence of termination channels; however, it does not describe whether the termination channel was present in the original program or was added by a monitor. We propose a stronger notion of noninterference, which we call Termination-Aware Noninterference (TANI), that captures this fact and thus allows us to better evaluate the security guarantees of different monitors. We further investigate TANI and state its formal relations to other soundness guarantees of information flow monitors. For transparency, we identify different notions from the literature that aim at comparing the behaviour of monitors. We notice that one common notion used in the literature is not adequate, since it identifies as better a monitor that accepts insecure executions and hence may augment the knowledge of the attacker. To discriminate between monitors' behaviours on secure and insecure executions, we factorized two notions that we call true and false transparency. These notions allow us to compare monitors that were deemed incomparable in the past. We analyse five widely explored information flow monitors: no-sensitive-upgrade (NSU), permissive-upgrade (PU), hybrid monitor (HM), secure multi-execution (SME), and multiple facets (MF).

    Spot the Difference: Secure Multi-Execution and Multiple Facets

    We propose a rigorous comparison of two widely known dynamic information flow mechanisms: Secure Multi-Execution (SME) and Multiple Facets (MF). Informally, it is believed that MF simulates SME while providing better performance. Formally, it is well known that SME has stronger soundness guarantees than MF. Surprisingly, we discover that even when we adapt them to enforce the same soundness guarantees, they are still different. By modeling them in the same language, we are able to precisely identify the features of the semantics that lead to their differences. In the process of comparing them, we also discovered four new mechanisms that share features of MF and SME. We prove that one of them simulates SME, which was falsely believed to be true for MF.

    Comparing XSS Vulnerability Detection between Node.js and a Multi-tier JavaScript Language via Deep Learning

    Cross-site Scripting (XSS) is one of the most common and impactful software vulnerabilities (ranked second in the CWE top 25 in 2021). Several approaches have focused on automatically detecting software vulnerabilities through machine learning models. To build a model, it is necessary to have a dataset of vulnerable and non-vulnerable examples and to represent the source code in a computer-understandable way. In this work, we explore the impact of predicting XSS using representations based on single-tier and multi-tier languages. We built 144 models trained on JavaScript-based multi-tier code, i.e. code that includes server code together with HTML, JavaScript and CSS as client code, and 144 models trained on single-tier code, which includes server code and client-side code as text. Despite the lower precision, our results show a better recall with a multi-tier language than with a single-tier language, implying an insignificant impact on XSS detectors based on deep learning.

    Statically Identifying XSS Flaws Using Deep Learning

    Cross-site Scripting (XSS) is ranked first in the top 25 Most Dangerous Software Weaknesses (2020) of the Common Weakness Enumeration (CWE), which places this vulnerability as the most dangerous among programming errors. In this work, we explore static approaches to detect XSS vulnerabilities using neural networks. We compare two different code representations based on Natural Language Processing (NLP) and Programming Language Processing (PLP) and experiment with models based on different neural network architectures for static analysis detection in PHP and Node.js. We train and evaluate the models using synthetic databases. Using the generated PHP and Node.js databases, we compare our results with a well-known static analyzer for PHP code, ProgPilot, and a known scanner for Node.js, AppScan in static mode. Our analyzers using neural networks outperform the existing tools in all cases.

    SecureJS Compiler: Portable Memory Isolation in JavaScript

    The memory isolation mechanism plays an essential role in providing security enforcement in JavaScript programs. Existing secure interaction libraries such as Google Caja, SES, and VM2 rely on built-in memory isolation mechanisms provided by Node.js and browsers, yet most other engines, such as JerryScript and Duktape, which are implementations for IoT devices, do not support such isolation mechanisms. In this paper, we report on the design and implementation of SecureJS, a portable JavaScript-to-JavaScript compiler that enforces memory isolation. As it only uses standard features, the compiled code it generates can be used by any JavaScript engine. We validated empirically the semantics preservation and memory isolation of SecureJS-compiled programs using 10,490 test programs of the ECMAScript Test262 test suite. We also developed a novel experiment to evaluate the memory isolation property of compiled code using instrumented JavaScript engines.

    Control What You Include! Server-Side Protection Against Third Party Web Tracking

    Third party tracking is the practice by which third parties recognize users across different websites as they browse the web. Recent studies show that more than 90% of Alexa top 500 websites [38] contain third party content that tracks their users across the web. Website developers often need to include third party content in order to provide basic functionality. However, when a developer includes third party content, she cannot know whether the third party contains tracking mechanisms. If a website developer wants to protect her users from being tracked, the only solution is to exclude any third-party content, thus trading functionality for privacy. We describe and implement a privacy-preserving web architecture that gives website developers control over third party tracking: developers are able to include functionally useful third party content while at the same time ensuring that end users are not tracked by the third parties.

    Tracking Information Flow by Mapping Broadcast Encryption Subgroups to Security Lattices

    In this paper we consider scenarios in which a server broadcasts messages with different confidentiality levels to subgroups of nodes holding the appropriate clearance. We build on IND-CPA broadcast encryption schemes to preserve message confidentiality over a network. Our proposal is that, to verify that information in the server flows only to nodes with the appropriate clearances (e.g. to verify the use of the correct encryption keys), we can map broadcast subgroups of nodes to levels in information flow security lattices. We implement this idea via a type system and provide a soundness proof with respect to a formally defined secure information flow property for server code.