Once a web application authenticates a user, it loosely associates all resources owned by the user to the web session established. Consequently, any scripts injected into the victim web session attain unfettered access to user-owned resources, including scripts that commit malicious activities inside a web application. In this paper, we establish the first explicit notion of user sub-origins to defeat such attempts. Based on this notion, we propose a new solution called UserPath to establish an end-to-end trusted path between web application users and web servers. To evaluate our solution, we implement a prototype in Chromium, and retrofit it to 20 popular web applications. UserPath reduces the size of client-side TCB that has access to user-owned resources by 8x to 264x, with small developer effort. © 2014 Springer International Publishing.
CITATION STYLE
Budianto, E., Jia, Y., Dong, X., Saxena, P., & Liang, Z. (2014). You can’t be me: Enabling trusted paths and user sub-origins in web browsers. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8688 LNCS, pp. 150–171). Springer Verlag. https://doi.org/10.1007/978-3-319-11379-1_8
Mendeley helps you to discover research relevant for your work.