Researchers unveil COWL, a new system to protect web surfers’ privacy

Web developers will “turn their backs on privacy in favor of flexibility” because the browser won’t let them “opt for both.” But computer scientists from University College London, Stanford Engineering, Google, Chalmers, and Mozilla Research took on this problem, described as “one of the central challenges in computer systems security research,” and came up with a system that changes that. Confinement with Origin Web Labels, dubbed COWL, “achieves both privacy for the user and flexibility for the web application developer.”

Today they will present “Protecting Users by Confining JavaScript with COWL” (pdf) at the 11th USENIX Symposium on Operating Systems Design and Implementation. COWL works with Firefox and Chromium web browsers and “prevents malicious code in a website from leaking sensitive information to unauthorized parties,” while still allowing “code in a website to display content drawn from multiple websites.”

The researchers found that “jQuery, a widely used JavaScript library, is included in and used by over 77% of the Quantcast top 10,000 websites, and 59% of the Quantcast top million websites.” The average user surfing the web can have their privacy “compromised by malicious JavaScript code hidden in seemingly legitimate websites.” The site could be using JavaScript library “code obtained elsewhere without realizing it contains bugs or is malicious. Such code can access sensitive data within the same or other browser tabs, allowing unauthorized parties to obtain or modify data without the user’s knowledge.”

University College London Professor Brad Karp explained:

“The new system provides a property known as ‘confinement’ which has been known since the 1970s, but proven difficult to achieve in practical systems like web browsers. COWL confines JavaScript programs that run within the browser, such as in separate tabs. If a JavaScript program embedded within one web site reads information provided by another web site – legitimately or otherwise – COWL permits the data to be shared, but thereafter restricts the application receiving the information from communicating it to unauthorized parties. As a result, the site that shares data maintains control over it, even after sharing the information within the browser.”

They gave examples of four “web applications—a password strength-checker, an application that imports the (untrusted) jQuery library, an encrypted cloud-based document editor, and a third-party mashup, none of which can be implemented in a way that preserves the user’s privacy in the status-quo web security architecture.” Although it was previously unachievable, they showed how to use COWL, “a mandatory access control (MAC) system that confines untrusted JavaScript in web browsers” to build the apps and maintain strong privacy.

COWL allows untrusted code to compute over sensitive data and display results to the user, but prohibits the untrusted code from exfiltrating sensitive data (e.g., by sending it to an untrusted remote origin). It thus allows web developers to opt for both flexibility and privacy.

In the password strength-checker example, the researchers suggested that “a developer at Facebook might re-use password-checking functionality provided in a JavaScript library by a third party,” such as “sketch.ru.” Then “the referenced script will have unfettered access to both the user’s password (provided by the Facebook page, which the library must see to do its job) and to write to the network via XHR.” COWL uses labels, labeled compartmentalization, so that the sketchy code can’t access sensitive data.

The password checker would still work, but be confined “without privileges or the ability to talk to the network.” That communication would happen in a separate Document Object Model (DOM) worker that “holds both privileges and can freely modify the DOM of the main context as well as communicate with the wider web. One may view this DOM worker as firewall between the page proper (with the untrusted library) and the rest of the world.”

A “COWL application consists of multiple labeled contexts” that “specify the security policy for all data within the context, which COWL enforces by restricting the flow of information to and from other contexts and servers.” The researchers then gave an example of how COWL could use labeled browsing contexts to correct the problems presented by a third-party mashup, such as mint.com asking for passwords to Amazon and Chase to check purchases against bank statements.

In an example for an encrypted cloud-based document editor, the researchers used Google Docs and a JavaScript plugin, such as that from EFF for encryption. The fact that the “two origins may be mutually distrusting” highlights “the need for symmetric confinement: when two mutually distrusting scripts from different origins communicate, each must be able to confine the other’s further use of data it provides.” COWL provides a solution for such a problem.

In order for a new browser feature to be widely accepted, there can’t be a big hit to performance. With COWL, there isn’t; the researchers implemented COWL in Firefox 31.0a1 and Chromium 31.0.1612.0 and said there was “virtually imperceptible increase in page-load latency.” In fact, “testing of COWL prototypes for the Chrome and Firefox web browsers shows the system provides strong security without perceptibly slowing the loading speed of web pages.” They “conducted all measurements on a 4-core i7-2620M machine with 16GB of RAM running GNU/Linux 3.13.”

There are some things COWL can’t fix, such as if a user whitelists a malicious site. COWL also does not protect against covert channel attacks, but it does not introduce new covert channels either.

You can download COWL starting on October 15. For now, you can find more information in the UCL press release and details in the research paper (pdf). The researchers hope COWL is widely accepted by developers for its flexibility so that users can have both security and privacy while surfing.