Practical Privacy for Web Users with COWL
Modern web applications are conglomerations of JavaScript written by multiple authors: application developers routinely incorporate code from third-party libraries, and mashup applications synthesize data and code hosted at different sites. In current browsers, a web application’s developer and user must trust third-party code in libraries not to leak the user’s sensitive information from within applications. Even worse, in the status quo, the only way to implement some mashups is for the user to give her login credentials for one site to the operator of another site. Fundamentally, today’s browser security model trades privacy for flexibility because it lacks a sufficient mechanism for confining untrusted code.
In this talk, I’ll present COWL (Confinement with Web Origin Labels), a robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts in a way that is fully backward-compatible with legacy web content. I’ll use simple case-study applications to motivate COWL’s design and demonstrate how COWL allows both the inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple distinct origins, all while protecting users’ privacy. Measurements of two COWL implementations, one in Firefox and one in Chromium, demonstrate a virtually imperceptible increase in page-load latency.
(This is joint work with Deian Stefan, Edward Yang, and David Mazieres of Stanford; Petr Marchenko of Google; Alejandro Russo of Chalmers; and Dave Herman of Mozilla.)
Speaker Details
Brad Karp is a Professor of Computer Systems and Networks in the Department of Computer Science at University College London (UCL). His research interests span computer system and network security (current work includes web browser and JavaScript security; past work includes the Wedge secure OS extensions and the Autograph and Polygraph worm signature generation systems), large-scale distributed systems (recent work includes LOUP, a provably loop-free Internet routing protocol; past work includes the Open DHT shared public DHT service), and wireless networks (current work includes techniques for improving capacity at the MAC and PHY layers; past work includes the GPSR and CLDP scalable geographic routing protocols). Prior to taking up his post at UCL in late 2005, Karp held joint appointments at Intel Research and Carnegie Mellon, and as a researcher at ICSI at UC Berkeley. He earned his Ph.D. in Computer Science at Harvard University in 2000, and holds a B.S. in Computer Science from Yale University, earned in 1992.
- Series:
- Microsoft Research Talks
- Date:
- Speakers:
- Brad Karp
- Affiliation:
- University College London (UCL)
-
-
Jeff Running
-
Series: Microsoft Research Talks
-
-
-
-
Galea: The Bridge Between Mixed Reality and Neurotechnology
Speakers:- Eva Esteban,
- Conor Russomanno
-
Current and Future Application of BCIs
Speakers:- Christoph Guger
-
Challenges in Evolving a Successful Database Product (SQL Server) to a Cloud Service (SQL Azure)
Speakers:- Hanuma Kodavalla,
- Phil Bernstein
-
Improving text prediction accuracy using neurophysiology
Speakers:- Sophia Mehdizadeh
-
-
DIABLo: a Deep Individual-Agnostic Binaural Localizer
Speakers:- Shoken Kaneko
-
-
Recent Efforts Towards Efficient And Scalable Neural Waveform Coding
Speakers:- Kai Zhen
-
-
Audio-based Toxic Language Detection
Speakers:- Midia Yousefi
-
-
From SqueezeNet to SqueezeBERT: Developing Efficient Deep Neural Networks
Speakers:- Sujeeth Bharadwaj
-
Hope Speech and Help Speech: Surfacing Positivity Amidst Hate
Speakers:- Monojit Choudhury
-
-
-
-
-
'F' to 'A' on the N.Y. Regents Science Exams: An Overview of the Aristo Project
Speakers:- Peter Clark
-
Checkpointing the Un-checkpointable: the Split-Process Approach for MPI and Formal Verification
Speakers:- Gene Cooperman
-
Learning Structured Models for Safe Robot Control
Speakers:- Ashish Kapoor
-
-