Stanford computer scientists have extended two popular Web browsers to empower Web developers to deliver creative new services while also make surfing safer. The team added a security system called COWL, or Confinement with Origin Web Labels, to Firefox and Chrome to manage how data is shared. It prevents malicious computer code from leaking sensitive information and, at the same time, allows Web applications to display content drawn from multiple sources — an essential function for modern, feature-rich Web applications.
A preliminary version of Firefox with COWL is available for download at the project’s Web site. Researchers are encouraging developers to try it.
“If browsers supported COWL, then we would be able to use that instead of the subpar mix of current technologies and actually feel confident in the security of our environment,” said Pamela Fox a teacher at Khan Academy who was not involved in the new work.
The researchers, led by David Mazieres, an associate professor of computer science at Stanford, and Ph.D. student Deian Stefan, reported on COWL and several case studies in a paper published in the Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation. The new security system arose from a collaboration with researchers at University College London (UCL), Chalmers University of Technology in Sweden, Mozilla Research and Google.
Third party code
COWL is a response to an online trend: Web developers using code they didn’t write themselves.
“Reusing existing code is part of the reason the Web is so successful. Unfortunately, using third-party code is also a security and privacy concern. Unless you are on the scale of Google, you can’t afford to rewrite everything to eliminate this concern,” Stefan said. At least 77 percent of the top 10,000 Web sites use code written by third-party developers. This means harmful code could potentially reach our browsers, the team said.
COWL adds a layer of security on top of existing safety mechanisms to ensure that harmful code cannot leak private user data. Specifically, it addresses how data is handled by JavaScript, a common Web programming language that runs right in the browser.
“COWL achieves both better privacy for the user and better flexibility for the Web developer,” said Brad Karp, a computer systems and network professor at UCL and a coauthor of the paper.
A Military Connection
At the heart of this layer of security is the idea of confinement with mandatory access control, or MAC, an idea that has been around since the 1970s. On old military mainframes, MAC meant that users who were allowed to read top secret files could not also edit files with lower clearance. This prevented sensitive information from being spread, intentionally or not.
The Stanford computer scientists embedded MAC into Firefox and Chrome. They also provided a way for Web developers to use the new security system in their JavaScript programs.
The key was figuring out how to make sure JavaScript code didn’t share data with sites it wasn’t supposed to. The team solved this problem by requiring developers to give their data labels specifying which Web sites could read and use the data. The labels follow the data, even when it’s shared, and COWL ensures that no code ignores the labels.
Personal finance case study
To illustrate the practical applications of COWL and the use of labels, the team included four case studies in the paper.
In one, they proposed a Web application that a personal finance site, such as Mint.com, could offer. It would run locally, right in the browser, to automatically reconcile receipts from an online retailer with credit card charges. COWL could make sure that the app didn’t leak sensitive information to Mint or another server.
Currently, personal finance Web apps require users to provide bank usernames and passwords. Then, the applications log in to bank and credit card sites on the user’s behalf.
It means that the app — and all the code it relies on — must be trusted not to share the data. Today’s security mechanisms only give developers control over who they share data with, not what happens to the data once it’s been shared. This is precisely the situation COWL was designed to address.
Imagine that instead of providing the Web app with your username and password, you first separately logged in to your bank and online retailer accounts. The app could recognize that you’ve logged in — for example, through a cookie, which is temporary data stored in your browser that Web sites use to keep users logged in — and request information from the retailer and the bank.
With COWL, the retailer and the bank can send back data with a label that allows only the app to read it. COWL also prevents the app from sharing the data somewhere else.
To inspect the bank statements or purchase history, the finance app must peel off the label. Once this happens, COWL confines the code by restricting it from communicating with any servers. This ensures that the bank and Amazon statements cannot be leaked.
On the road to a standard
The question that remains is how to convince Web developers to start using COWL.
Before gaining widespread adoption, new Web technologies are reviewed by the World Wide Web Consortium, or W3C, a group of companies — including Google, Mozilla, Microsoft and Facebook — academic institutions and public members that recommends new standards for the Web. The W3C specifies many standards, including those for HTML and CSS, two important computer languages for designing Web sites.
The team said the next step is to get COWL through the process of standardization, which takes about a year. The goal is to have the first public draft of the standard ready by January.
“We could put our two modified Web browsers on the Internet, but that wouldn’t change the world,” Mazieres said.
Through Stanford, Stefan has secured a spot for discussing COWL in one of the W3C’s working groups on Web Application Security. This group has worked on a number of other specifications, including Content Security Policy and Mixed Content, which are already improving the state of Web security.
One major plus for COWL is that it’s backward compatible. The team built it so that existing, less secure apps will run without a problem. They are hopeful that the ideas in COWL will catch on.
“Ideally, the general idea of confinement will trickle into other Web standards as well,” said coauthor Alejandro Russo, a computer science professor at Chalmers University of Technology who is currently visiting Stanford.
In addition to Mazieres, Stefan, Karp and Russo, the paper had three other authors: Edward Yang, a PhD student in computer science at Stanford; Petr Marchenko, a researcher at Google; and Dave Herman, the director of strategy at Mozilla Research. John Mitchell, a Computer Science professor at Stanford, is involved with the project but was not an author of the paper.