Holey? COWL! Boffins build boxes to hold sketchy JavaScript libs

Worried password_leak_hehe.js is going to spill your precious beans? Well, never fear...

Brute force

Researchers have developed what they say is a new web privacy system for Google Chrome and Mozilla Firefox: we're told it blocks dodgy JavaScript code from funneling sensitive information to crooks.

The Confinement with Origin Web Labels (COWL) system tries to protect websites that rely on JavaScript libraries written by third parties – libraries that could be secretly copying passwords and other vital data from webpages to crims.

These errant libs could have been badly designed, poorly implemented, deliberately written to be malicious, or compromised by hackers tampering with the source code.

In a paper [PDF] published this week in Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation, the COWL team notes that 59 per cent of the top one million web sites, and 77 per cent of the top 10,000 web sites, ranked by monthly traffic in the US, incorporate jQuery – the official site for which was just infiltrated by miscreants, although the library code was not altered.

Perhaps developers simply shouldn't use unaudited or sketchy-sourced code in production, but the team's point is that the use of third-party libraries is prevalent – and this is a security risk. There's also the irony of third-party software protecting coders from third-party software.

COWL, which will be available as a free download from October 15, adds a DOM-level API to Firefox and Chrome. This software interface is then used by web developers to ensure that data is only shared with servers behind named domains – and thus not with any other machines.

Third-party JavaScript code is loaded into contexts, which exchange blobs of data via messages; when the receiving context reads the contents of a blob marked as sensitive to some origin (e.g., sensitive to bank.com), the receiving context is thereafter forbidden from communicating with any other origin.

An example is given here. The team reckons its API is easy to use, and claims it doesn't reduce the browser's processing speed in an appreciable way.

To test this the team built four web apps using the COWL API: an encrypted document editor, a third-party mashup application, a password manager, and a website that includes jQuery. Using COWL did not slow the browser significantly beyond 16 milliseconds, we're told.

How it works

"We don’t change the JIT compiler or the JavaScript runtime at all," Brad Karp, professor of computer systems and networks at University College London (UCL) told The Register.

"What our system does is not check while the system is executing, but at the boundaries between browsing contexts. COWL's checks only happen when there is communication between these contexts."

COWL was developed by Karp and a PhD student at UCL, who is now working at Google, along with Professor David Mazières from Stanford University's computer science department and two of his PhD students working in collaboration with Mozilla Research.

Karp said Mozilla and Chromium were targeted by COWL because they are both open source. Safari, which uses Webkit in the same way as Chrome, should also be usable with COWL, but couldn't speculate on Internet Explorer's internals for COWL.

"What we've achieved in COWL is a system that lets web developers build feature-rich applications that combine data from different web sites without requiring that users share their login details directly with third-party web applications, all while ensuring that the user's sensitive data seen by such an application doesn't leave the browser," said Deian Stefan, lead PhD student on the project at Stanford.

"Both web developers and users win."

Only once the code is released, scrutinized, and others cannot find ways of leaking data from COWL's contexts, can we be so sure. ®

Biting the hand that feeds IT © 1998–2017