Postdoctoral Fellow, UC Berkeley
Ph.D., M.S., Stanford, 2008
B.A., Cornell, 2003
Research Interests.
My primary research interest is the security of modern web browsers,
including their security policies, enforcement mechanisms, and security user
interfaces. At Berkeley, I work with Dawn Song and the
WebBlaze group. I am also
interested in privacy issues raised by modern technology, including the
design of languages for expressing privacy policy and mechanisms for
enforcing those policies within an enterprise and on the Internet.
Industry Outreach.
I contribute code to Google
Chrome, the WebKit Project, and Mozilla Firefox. I also
contribute to Web standards as an invited expert to the W3C HTML Working Group, as a
participant in the WHAT Working Group, and
as the editior of two Internet-Drafts: draft-barth-origin
and draft-abarth-mime-sniff.
Publications
-
In Proc. of the 18th USENIX Security
Symposium (USENIX Security 2009)
Abstract.
We identify a class of Web browser implementation vulnerabilities,
cross-origin JavaScript capability leaks, which occur when
the browser leaks a JavaScript pointer from one security origin to
another. We devise an algorithm for detecting these vulnerabilities
by monitoring the "points-to" relation of the JavaScript
heap. Our algorithm finds a number of new vulnerabilities in the
open-sourceWebKit browser engine used by Safari. We propose an
approach to mitigate this class of vulnerabilities by adding access
control checks in browser JavaScript engines. These access control
checks are perfectly backwardscompatible because they do not alter
semantics of the Web platform. Through a application of the
polymorphic inline cache, we implement these checks while incurring an
overhead of only 1–2% on industry standard benchmarks.
-
-
In Proc. of Web 2.0 Security and Privacy
2009 (W2SP 2009)
Abstract.
In a mashup, one principal wishes to communicate with another principal
without necessarily ceding complete control to the other principal. In
this paper, we analyze whether existing and proposed JavaScript mashup
communication mechanisms have this security property. We show that
failure to account for details of JavaScript often lets one communicant
completely compromise the other. We illustrate these vulnerabilities
with proof-of-concept privilege escalation attacks. Based on our
analysis, we recommend that mashup communication mechanisms prevent
privilege escalation by using lexical authorization across a specified
interface that enforces type checks and allows the communicants to
exchange only primitive values. We observe that we can implement such a
mechanism in today's browsers using postMessage as a
primitive. We demonstrate our approach by implementing a version of the
Google Maps gadget that prevents Google from compromising the integrator.
-
In Proc. of the 30th IEEE Symposium on Security
and Privacy (Oakland 2009)
Abstract.
Cross-site scripting defenses often focus on HTML documents,
neglecting attacks involving the browser's content-sniffing algorithm,
which can treat non-HTML content as HTML. Web applications, such as
the one that manages this conference, must defend themselves against
these attacks or risk authors uploading malicious papers that
automatically submit stellar self-reviews. In this paper, we
formulate content-sniffing XSS attacks and defenses. We study
content-sniffing XSS attacks systematically by constructing
high-fidelity models of the content-sniffing algorithms used by four
major browsers. We compare these models with Web site content
filtering policies to construct attacks. To defend against these
attacks, we propose and implement a principled content-sniffing
algorithm that provides security while maintaining compatibility. Our
principles have been adopted, in part, by Internet Explorer 8 and, in
full, by Google Chrome and the HTML 5 working group.
-
Technical Report UCB/EECS-2009-36
Abstract.
Models of security-sensitive code enable reasoning about the security
implications of code. In this paper we present an approach for
extracting models of security-sensitive operations directly from
program binaries, which lets third-party analysts reason about a
program when the source code is not available. Our approach is based
on string-enhanced white-box exploration, a new technique that
improves the effectiveness of current white-box exploration techniques
on programs that use strings, by reasoning directly about string
operations, rather than about the individual byte-level operations
that comprise them. We implement our approach and use it to extract
models of the closed-source content sniffing algorithms of two popular
browsers: Internet Explorer 7 and Safari 3.1. We use the generated
models to automatically find recently studied content-sniffing XSS
attacks, and show the benefits of string-enhanced white-box
exploration over current byte-level exploration techniques.
-
Technical Report 2008
Abstract.
Most current web browsers employ a monolithic architecture that combines
"the user" and "the web" into a single protection
domain. An attacker who exploits an arbitrary code execution
vulnerability in such a browser can steal sensitive files or install
malware. In this paper, we present the security architecture of
Chromium, the open-source browser upon which Google Chrome is built.
Chromium has two modules in separate protection domains: a browser
kernel, which interacts with the operating system, and a rendering
engine, which runs with restricted privileges in a sandbox. This
architecture helps mitigate high-severity attacks without sacrificing
compatibility with existing web sites. We define a threat model for
browser exploits and evaluate how the architecture would have mitigated
past vulnerabilities.
-
In Proc. of the 15th
ACM Conf. on Computer and Communications Security (CCS 2008)
Abstract.
Cross-Site Request Forgery (CSRF) is a widely exploited web site
vulnerability. In this paper, we present a new variation on CSRF
attacks, login CSRF, in which the attacker forges a
cross-site request to the login form, logging the victim into the
honest web site as the attacker. The severity of a login CSRF
vulnerability varies by site, but it can be as severe as a cross-site
scripting vulnerability. We detail three major CSRF defense
techniques and find shortcomings with each technique. Although the
HTTP Referer header could provide an effective defense,
our experimental observation of 283,945 advertisement impressions
indicates that the header is widely blocked at the network layer due
to privacy concerns. Our observations do suggest, however, that the
header can be used today as a reliable CSRF defense over HTTPS, making
it particularly well-suited for defending against login CSRF. For the
long term, we propose that browsers implement the Origin
header, which provides the security benefits of the
Referer header while responding to privacy concerns.
-
In Proc. of the 17th
USENIX Security Symposium (USENIX Security 2008)
Abstract.
Many web sites embed third-party content in frames, relying on the
browser's security policy to protect them from malicious content.
Frames, however, are often insufficient isolation primitives because
most browsers let framed content manipulate other frames through
navigation. We evaluate existing frame navigation policies and
advocate a stricter policy, which we deploy in the open-source
browsers. In addition to preventing undesirable interactions, the
browser's strict isolation policy also hinders communication between
cooperating frames. We analyze two techniques for inter-frame
communication. The first method, fragment identifier messaging,
provides confidentiality without authentication, which we repair using
concepts from a well-known network protocol. The second method,
postMessage, provides authentication, but we discover an
attack that breaches confidentiality. We modify the
postMessage API to provide confidentiality and see our
modifications standardized and adopted in browser implementations.
-
In Proc.
of Web 2.0 Security and Privacy 2008 (W2SP 2008)
Abstract.
The security policy of browsers provides no isolation between
documents from the same origin (scheme, host, and port), even if those
documents have different security characteristics. We show how this
lack of isolation leads to origin contamination vulnerabilities in a
number of browser security features, such as cookies, encryption, and
code signing. A tempting approach to fixing these vulnerabilities is
to refine the browser's notion of origin, leveraging the browser's
built-in isolation between security contexts. We demonstrate that
attackers can circumvent these "finer-grained origins" using
the library import and data export features of browsers. We discuss
several approaches to preventing these attacks.
-
In Proc.
of the 17th International World Wide Web Conference (WWW 2008)
Abstract.
As wireless networks proliferate, web browsers operate in an
increasingly hostile network environment. The HTTPS protocol has the
potential to protect web users from network attackers, but real-world
deployments must cope with misconfigured servers, causing imperfect
web sites and users to compromise browsing sessions inadvertently.
ForceHTTPS is a simple browser security mechanism that web sites or
users can use to opt in to stricter error processing, improving the
security of HTTPS by preventing network attacks that leverage the
browser's lax error processing. By augmenting the browser with a
database of custom URL rewrite rules, ForceHTTPS allows sophisticated
users to transparently retrofit security onto some insecure sites that
support HTTPS. We provide a prototype implementation of ForceHTTPS as
a Firefox browser extension.
-
In Proc. of the 14th ACM Conf. on Computer and
Communications Security (CCS 2007)
Abstract.
DNS rebinding attacks subvert the same-origin policy of browsers,
converting them into open network proxies. Using DNS rebinding, an
attacker can circumvent organizational and personal firewalls, send
spam e-mail, and defraud pay-per-click advertisers. We evaluate the
cost-effectiveness of mounting DNS rebinding attacks, finding that an
attacker requires less than $100 to hijack 100,000 IP addresses. We
analyze defenses to DNS rebinding attacks, including improvements to
the classic "DNS pinning," and recommend changes to browser
plug-in, firewalls, and web servers. Our defenses have been adopted
by plug-in vendors and by a number of open-source firewall
implementations.
-
In Proc. of the
20th IEEE Computer Security Foundations Symposium (CSF 2007)
Abstract.
We propose an abstract model of business processes for the purpose of
(i) evaluating privacy policy in light of the goals of the process and
(ii) developing automated support for privacy policy compliance and
audit. In our model, agents that send and receive tagged personal
information are assigned organizational roles and responsibilities. We
present approaches and algorithms for determining whether a business
process design simultaneously achieves privacy and the goals of the
organization (utility). The model also allows us to develop a notion of
minimal exposure of personal information, for a given process. We
investigate the problem of auditing with inexact information and develop
methods to identify a set of potentially culpable individuals when
privacy is breached. The audit methods draw on traditional causality
concepts to reduce the effort needed to search audit logs for
irresponsible actions.
-
In Proc. of the 2007 Workshop on
Usable Security (USEC 2007)
Abstract.
In this usability study of phishing attacks and browser antiphishing
defenses, 27 users each classified 12 web sites as fraudulent or
legitimate. By dividing these users into three groups, our controlled
study measured both the effect of extended validation
certificates that appear only at legitimate sites and the effect of
reading a help file about security features in Internet Explorer 7.
Across all groups, we found that picture-in-picture attacks
showing a fake browser window were as effective as the best other
phishing technique, the homograph attack. Extended validation
did not help users identify either attack. Additionally, reading the
help file made users more likely to classify both real and fake web
sites as legitimate when the phishing warning did not appear.
-
In Proc. of the 27th
IEEE Symposium on Security and Privacy (Oakland 2006)
Abstract.
Contextual integrity is a conceptual framework for understanding
privacy expectations and their implications developed
in the literature on law, public policy, and political
philosophy. We formalize some aspects of contextual integrity
in a logical framework for expressing and reasoning
about norms of transmission of personal information. In
comparison with access control and privacy policy frameworks
such as RBAC, EPAL, and P3P, these norms focus
on who personal information is about, how it is transmitted,
and past and future actions by both the subject and the
users of the information. Norms can be positive or negative
depending on whether they refer to actions that are
allowed or disallowed. Our model is expressive enough to
capture naturally many notions of privacy found in legislation,
including those found in HIPAA, COPPA, and GLBA.
A number of important problems regarding compliance with
privacy norms, future requirements associated with specific
actions, and relations between policies and legal standards
reduce to standard decision procedures for temporal logic.
-
In Proc. of the 21st Annual IEEE Symposium
on Logic in Computer Science (LICS 2006)
Abstract.
Digital music players protect songs by enforcing licenses that convey
specific rights for individual songs or groups of songs. For licenses
specified in industry, we show that deciding whether a license
authorizes a sequence of actions is NP-complete, with a restricted
version of the problem solvable efficiently using a reduction to
maximum network flow. The authorization algorithm used in industry is
online, deciding which rights to exercise as actions occur, but we
show that all online algorithms are necessarily non-monotonic: each
allows actions under one license that it does not allow under a more
flexible license. In one approach to achieving monotonicity, we
exhibit the unique maximal set of licenses on which there exists a
monotonic online algorithm. This set of well-behaved licenses induces
an approximation algorithm by replacing each license with a
well-behaved license. In a second approach, we consider allowing the
player to revise its past decisions about which rights to exercise
while still ensuring compliance with the license. We propose an
efficient algorithm based on Linear Logic, with linear negation used
to revise past decisions. We prove our algorithm monotonic, live, and
sound with respect to the semantics of licenses.
-
In Proc. of the 10th Financial Cryptography and
Data Security Conference (FC 2006)
Abstract.
In many content distribution systems it is important both to restrict
access to content to authorized users and to protect the identities of
these users. We discover that current systems for encrypting content
to sets of users are subject to attacks on user privacy. We propose a
new mechanism, private broadcast encryption, to protect the privacy of
users of encrypted file systems and content delivery systems. We
construct a private broadcast scheme, with a strong privacy guarantee
against an active attacker, that achieves ciphertext length,
encryption time, and decryption time comparable with the non-private
schemes currently used in encrypted file systems.
-
In ACM Transactions on Graphics (SIGGRAPH
2005)
Abstract.
The advent of inexpensive digital image sensors and the ability to
create photographs that combine information from a number of sensed
images are changing the way we think about photography. In this
paper, we describe a unique array of 100 custom video cameras that we
have built, and we summarize our experiences using this array in a
range of imaging applications. Our goal was to explore the
capabilities of a system that would be inexpensive to produce in the
future. With this in mind, we used simple cameras, lenses, and
mountings, and we assumed that processing large numbers of images
would eventually be easy and cheap. The applications we have explored
include approximating a conventional single center of projection video
camera with high performance along one or more axes, such as
resolution, dynamic range, frame rate, and/or large aperture, and
using multiple cameras to approximate a video camera with a large
synthetic aperture. This permits us to capture a video light field, to
which we can apply spatiotemporal view interpolation algorithms in
order to digitally simulate time dilation and camera motion. It also
permits us to create video sequences using custom non-uniform
synthetic apertures.
-
In Proc. of the 2005 ACM Workshop on Issues
in the Theory of Security (WITS 2005)
Abstract.
Several formal languages have been proposed to encode privacy
policies, ranging from the Platform for Privacy Preferences (P3P),
intended for communicating privacy policies to consumers over the web,
to the Enterprise Privacy Authorization Language (EPAL), intended to
enable policy enforcement within an enterprise. However, current
technology does not allow an enterprise to determine whether its
detailed, internal enforcement policy meets its published privacy
promises. We present a data-centric, unified model for privacy,
equipped with a modal logic for reasoning about permission inheritance
across data hierarchies. We use this model to critique two privacy
preference languages (APPEL and XPref), to justify P3P's policy
summarization algorithm, and to connect privacy policy languages, such
as P3P, with privacy policy enforcement languages, such as EPAL.
Specifically, we characterize when one policy enforces another and
provide an algorithm for generating the most specific privacy
promises, at a given level of detail, guaranteed by a more detailed
enforcement policy.
-
In Proc. of the 2004
ACM Workshop on Privacy in the Electronic Society (WPES 2004)
Abstract.
Many modern enterprises require methods for guaranteeing compliance
with privacy legislation and announced privacy policies. IBM has
proposed a formal language, the Enterprise Privacy Authorization
Language (EPAL), for describing privacy policies rigorously. In this
paper, we identify four desirable properties of a privacy policy
language: guaranteed consistency, guaranteed safety, admitting local
reasoning, and closure under combination. While EPAL achieves only one
of these four goals, an extended language framework allows us to
achieve three out of four, while retaining the basic EPAL framework of
restricting access and imposing obligations on users of confidential
information.
Dissertation
Adam Barth
Ph.D. Dissertation, Stanford University, 2008