Unrestricted information flows are a key security weakness of current web design. Cross-site scripting, cross-site request forgery, and other attacks typically require that information be sent to or retrieved from arbitrary, often malicious, web servers. In this paper we propose Same Origin Mutual Approval (SOMA), a new policy for controlling information flows that prevents common web vulnerabilities. By requiring site operators to specify approved external domains for sending or receiving information, and by requiring those external domains to also approve interactions, we prevent page content from being retrieved from malicious servers and sensitive information from being communicated to an attacker. SOMA is compatible with current web applications and is incrementally deployable, providing immediate benefits for clients and servers that implement it. SOMA has an overhead of one additional HTTP request per domain accessed and can be implemented with minimal effort by application and web browser developers. To evaluate our proposal, we have developed a Firefox SOMA add-on.