Establishing Browser Security Guarantees through Formal Shim Verification
Dongseok Jang

Uploaded on 2015-02-27

Abstract (excerpt): Despite this critical role, attackers routinely exploit browser vulnerabilities to exfiltrate private data and take over the underlying system. We present QUARK, a browser whose kernel has been implemented and verified in Coq. We give a speci

[...] of the programs we actually have in mind. Thus, many researchers still consider full formal verification of realistic, browser-scale systems an unrealistic fantasy. Fortunately, recent advances in fully formal verification allow us to begin challenging this pessimistic outlook.

In this paper we demonstrate how formal shim verification radically reduces the verification burden for large systems to the degree that we were able to formally verify the implementation of a modern Web browser, QUARK, within the demanding and foundational context of the mechanical proof assistant Coq.

At its core, formal shim verification addresses the challenge of formally verifying a large system by cleverly reducing the amount of code that must be considered; instead of formalizing and reasoning about gigantic system components, all components communicate through a small, lightweight shim which ensures the components are restricted to only exhibit allowed behaviors. Formal shim verification only requires one to reason about the shim, thus eliminating the tremendously expensive or infeasible task of verifying large, complex components in a proof assistant.

Our Web browser, QUARK, exploits formal shim verification and enables us to verify security properties for a million lines of code while reasoning about only a few hundred. To achieve this goal, QUARK is structured similarly to Google Chrome [10] or OP [17]. It consists of a small browser kernel which mediates access to system resources for all other browser components. These other components run in sandboxes which only allow the component to communicate with the kernel. In this way, QUARK is able to make strong guarantees about a million lines of code (e.g., the renderer, JavaScript implementation, JPEG decoders, etc.) while only using a proof assistant to reason about a few hundred lines of code (the kernel). Because the underlying system is protected from QUARK's untrusted components (i.e., everything other than the kernel) we were free to adopt state-of-the-art implementations and thus QUARK is able to run popular, complex Web sites like Facebook and GMail.

By applying formal shim verification to only reason about a small core of the browser, we formally establish the following security properties in QUARK, all within a proof assistant:

1. Tab Non-Interference: no tab can ever affect how the kernel interacts with another tab
2. Cookie Confidentiality and Integrity: cookies for a domain can only be accessed/modified by tabs of that domain
3. Address Bar Integrity and Correctness: the address bar cannot be modified by a tab without the user being involved, and always displays the correct address bar.

To summarize, our contributions are as follows:

- We demonstrate how formal shim verification enabled us to formally verify the implementation of a modern Web browser. We discuss the techniques, tools, and design decisions required to formally verify QUARK in detail.
- We identify and formally prove key security properties for a realistic Web browser.
- We provide a framework that can be used to further investigate and prove more complex policies within a working, formally verified browser.

The rest of the paper is organized as follows. Section 2 provides background on browser security techniques and formal verification. Section 3 presents an overview of the QUARK browser. Section 4 details the design of the QUARK kernel and its implementation. Section 5 explains the tools and techniques we used to formally verify the implementation of the QUARK kernel. Section 6 evaluates QUARK along several dimensions while Section 7 discusses lessons learned from our endeavor.

2 Background and Related Work

This section briefly discusses both previous efforts to improve browser security and verification techniques to ensure programs behave as specified.

Browser Security. As mentioned in the Introduction, there is a rich literature on techniques to improve browser security [10, 42, 17, 41, 31, 13, 12]. We distinguish ourselves from all previous techniques by verifying the actual implementation of a modern Web browser and formally proving that it satisfies our security properties, all in the context of a mechanical proof assistant. Below, we survey the most closely related work.

Previous browsers like Google Chrome [10], Gazelle [42], and OP [17] have been designed using privilege separation [35], where the browser is divided into components which are then limited to only those privileges they absolutely require, thus minimizing the damage an attacker can cause by exploiting any one component. We follow this design strategy. Chrome's design compromises the principles of privilege separation for the sake of performance and compatibility. Unfortunately, its design does not protect the user's data from a compromised tab which is free to leak all cookies for every domain. Gazelle [42] adopts a more principled approach, implementing the browser

[...]

them to access all sensitive resources through a small, simple browser kernel. Our kernel, written in Coq, runs in its own process and mediates access to resources including the keyboard, disk, and network. Each tab runs a modified version of WebKit in its own process. WebKit is the open source browser engine used in Chrome and Safari. It provides various callbacks for clients as Python bindings which we use to implement tabs. Since tab processes cannot directly access any system resources, we hook into these callbacks to re-route WebKit's network, screen, and cookie access through our kernel written in Coq. QUARK also uses separate processes for displaying to the screen, storing and accessing cookies, as well as reading input from the user.

Throughout the paper, we assume that an attacker can compromise any QUARK component which is exposed to content from the Internet, except for the kernel which we formally verified. This includes all tab processes, cookie processes, and the graphical output process. Thus, we provide strong formal guarantees about tab and cookie isolation, even when some processes have been completely taken over (e.g., by a buffer overflow attack in the rendering or JavaScript engine of WebKit).

3.1 Graphical User Interface

The traditional GUI for Web browsers manages several key responsibilities: reading mouse and keyboard input, showing rendered graphical output, and displaying the current URL. Unfortunately, such a monolithic component cannot be made to satisfy our security goals. If compromised, such a GUI component could spoof the current URL or send arbitrary user inputs to the kernel, which, if coordinated with a compromised tab, would violate tab isolation. Thus QUARK must carefully separate GUI responsibilities to preserve our security guarantees while still providing a realistic browser.

QUARK divides GUI responsibilities into several components which the kernel orchestrates to provide a traditional GUI for the user. The most complex component displays rendered bitmaps on the screen. QUARK puts this component in a separate process to which the kernel directs rendered bitmaps from the currently selected tab. Because the kernel never reads input from this graphical output process, any vulnerabilities it may have cannot subvert the kernel or impact any other component in QUARK. Furthermore, treating the graphical output component as a separate process simplifies the kernel and proofs because it allows the kernel to employ a uniform mechanism for interacting with the outside world: messages over channels.

To formally reason about the address bar, we designed our kernel so that the current URL is written directly to the kernel's stdout. This gives rise to a hybrid graphical/text output as shown in Figure 2 where the kernel has complete control over the address bar. With this design, the graphical output process is never able to spoof the address bar.

Figure 2: QUARK Screenshot. This screenshot shows QUARK running a Google search, including an interactive drop-down suggesting query completions and an initial set of search results from a JavaScript event handler dispatching an "instant search" as well as a page preview from a search result link. (Location blurred for double-blind review.)

QUARK also uses a separate input process to support richer inputs, e.g., the mouse. The input process is a simple Python script which grabs keyboard and mouse events from the user, encodes them as user input messages, and forwards them on to the kernel's stdin. For keystrokes, the input process simply writes characters in ASCII format to the kernel's stdin. We use several "unprintable" ASCII values (all smaller than 60 and all untypeable from the keyboard) to pass special information from the input process to the kernel. For example, the input process maps keys F1-F12 to such unprintable characters, which allows the kernel to use F11 for "new tab", and F1-F10 for selecting tabs 1-10. Mouse clicks are also sent to the kernel through unprintable ASCII values. Because the input process only reads from the keyboard and mouse, and never from the kernel or any other QUARK components, it cannot be exposed to any attacks originating from the network.

3.2 Example of Message Exchanges

To illustrate how the kernel orchestrates all the components in QUARK, we detail the steps from startup to a tab loading http://www.google.com.

The user opens QUARK by starting the kernel which in turn starts three processes: the input process, the graphical output process, and a tab process. The kernel establishes a two-way communication channel with each process it starts. Next, the kernel sends a (Go "http://www.google.com") message to the tab indicating it should load the given URL (for now, assume this is normal behavior for all new tabs).

The tab process comprises our modified version of WebKit wrapped by a thin layer of Python to handle messaging with the kernel. After receiving the Go message, the Python wrapper tells WebKit to start processing http://www.google.com. Since the tab process is running in a sandbox, WebKit cannot directly access the network. When it attempts to, our Python wrapper intervenes and sends a GetURL request to the kernel. As long as the request is valid, the kernel responds with a ResDoc message containing the HTML document the tab requested.

Once the tab process has received the necessary resources from the kernel and rendered the Web pages, it sends a Display message to the kernel which contains a bitmap to display. When the kernel receives a Display message from the current tab, it forwards the message on to the graphical output process, which in turn displays the bitmap on the screen.

When the kernel reads a printable character c from standard input, it sends a (KeyPress c) message to the currently selected tab. Upon receiving such a message, the tab calls the appropriate input handler in WebKit. For example, if a user types "a" on Google, the "a" character is read by the kernel, passed to the tab, and then passed to WebKit, at which point WebKit adds the "a" character to Google's search box. This in turn causes WebKit's JavaScript engine to run an event handler that Google has installed on their search box. The event handler performs an "instant search", which initiates further communication with the QUARK kernel to access additional network resources, followed by another Display message to repaint the screen. Note that to ease verification, QUARK currently handles all requests synchronously.

3.3 Efficiency

With a few simple optimizations, we achieve performance comparable to WebKit on average (see Section 6 for measurements). Following Chrome, we adopt two optimizations critical for good graphics performance. First, QUARK uses shared memory to pass bitmaps from the tab process through the kernel to the output process, so that the Display message only passes a shared memory ID instead of a bitmap. This drastically reduces the communication cost of sending bitmaps. To prevent a malicious tab from accessing another tab's shared memory, we run each tab as a different user, and set access controls so that a tab's shared memory can only be accessed by the output process. Second, QUARK uses rectangle-based rendering: instead of sending a large bitmap of the entire screen each time the display changes, the tab process determines which part of the display has changed, and sends bitmaps only for the rectangular regions that need to be updated. This drastically reduces the size of the bitmaps being transferred, and the amount of redrawing on the screen.

For I/O performance, the original Ynot library used single-character read/write routines, imposing significant overhead. We defined a new I/O library which uses size n reads/writes. This reduced reading an n byte message from n I/O calls to just three: reading a 1 byte tag, followed by a 4 byte payload size, and then a single read for the entire payload.

We also optimized socket connections in QUARK. Our original prototype opened a new TCP connection for each HTTP GET request, imposing significant overhead. Modern Web servers and browsers use persistent connections to improve the efficiency of page loading and the responsiveness of Web 2.0 applications. These connections are maintained anywhere from a few seconds to several minutes, allowing the client and server to exchange multiple request/responses on a single connection. Services like Google Chat make use of very long-lived HTTP connections to support responsive interaction with the user. We support such persistent HTTP connections via Unix domain sockets which allow processes to send open file descriptors over channels using the sendmsg and recvmsg system calls. When a tab needs to open a socket, it sends a GetSoc message to the kernel with the host and port. If the request is valid, the kernel opens and connects the socket, and then sends an open socket file descriptor to the tab. Once the tab gets the socket file descriptor, it can read/write on the socket, but it cannot re-connect the socket to another host/port. In this way, the kernel controls all socket connections. Even though we formally verify our browser kernel in a proof assistant, we were still able to implement and reason about these low-level optimizations.

3.4 Socket Security Policy

The GetSoc message brings up an interesting security issue. If the kernel satisfied all GetSoc requests, then a compromised tab could open sockets to any server and exchange arbitrary amounts of information. The kernel must prevent this scenario by restricting socket connections. To implement this restriction, we introduce the idea of a domain suffix for a tab which the user enters when the tab starts. A tab's domain suffix controls several security features in QUARK, including which socket connections are allowed and how cookies are handled (see Section 3.5). In fact, our address bar, located at the very top of the browser (see Figure 2), displays the domain suffix, not just the tab's URL. We therefore refer to it as

[...]

browser component (e.g., a tab or cookie process) can never influence how the kernel responds to another component, and that the kernel never allows untrusted input (e.g., data from the web) to influence how the kernel responds to a request.
2. Tab Non-Interference: The kernel's response to a tab's request is the same no matter how other tabs interact with the kernel. This ensures that the kernel never provides a direct way for one tab to attack another tab or steal private information from another tab.
3. No Cross-domain Socket Creation: The kernel disallows any cross-domain socket creation (as described in Section 3.4).
4. Cookie Integrity/Confidentiality: The kernel disallows any cross-domain cookie stores or retrieves (as described in Section 3.5).
5. Domain Bar Integrity and Correctness: The domain bar cannot be compromised by a tab, and is always equal to the domain suffix of the currently selected tab.

4 Kernel Implementation in Coq

QUARK's most distinguishing feature is its kernel, which is implemented and proved correct in Coq. In this section we present the implementation of the main kernel loop. In the next section we explain how we formally verified the kernel.

Coq enables users to write programs in a small, simple functional language and then reason formally about them using a powerful logic, the Calculus of Constructions. This language is essentially an effect-free (pure) subset of popular functional languages like ML or Haskell with the additional restriction that programs must always terminate. Unfortunately, these limitations make Coq's default implementation language ill-suited for writing system programs like servers or browsers which must be effectful to perform I/O and by design may not terminate.

To address the limitations of Coq's implementation language, we use Ynot [34]. Ynot is a Coq library which provides monadic types that allow us to write effectful, non-terminating programs in Coq while retaining the strong guarantees and reasoning capabilities Coq normally provides. Equipped with Ynot, we can write our browser kernel in a fairly straightforward style whose essence is shown in Figure 3.

Single Step of Kernel. QUARK's kernel is essentially a loop that continuously responds to requests from the user or tabs. In each iteration, the kernel calls kstep which takes the current kernel state, handles a single request, and returns the new kernel state as shown in Figure 3. The kernel state is a tuple of the current tab (ctab), the list of tabs (tabs), and a few other components which we omit here (e.g., the list of cookie processes). For details regarding the loop and kernel initialization code please see [24].

    Definition kstep (ctab, tabs) :=
      chan <- iselect (stdin, tabs);
      match chan with
      | Stdin =>
          c <- read (stdin);
          match c with
          | "+" =>
              t <- mktab ();
              write_msg (t, Render);
              return (t, t :: tabs)
          | ...
          end
      | Tab t =>
          msg <- read_msg (t);
          match msg with
          | GetSoc (host, port) =>
              if (safe_soc (host, domain_suffix (t)))
              then send_soc (t, host, port);
                   return (ctab, tabs)
              else write_msg (t, Error);
                   return (ctab, tabs)
          | ...
          end
      end

Figure 3: Body for Main Kernel Loop. This Coq code shows how our QUARK kernel receives and responds to requests from other browser components. It first uses a Unix-style select to choose a ready input channel, reads a request from that channel, and responds to the message appropriately. For example, if the user enters "+", the kernel creates a new tab and sends it the Render message. In each case, the code returns the new kernel state resulting from handling this request.

kstep starts by calling iselect (the "i" stands for input) which performs a Unix-style select over stdin and all tab input channels, returning Stdin if stdin is ready for reading or Tab t if the input channel of tab t is ready. iselect is implemented in Coq using a select primitive which is ultimately just a thin wrapper over the Unix select system call. The Coq extraction process, which converts Coq into OCaml for execution, can be customized to link our Coq code with OCaml implementations of primitives like select. Thus select is exposed to Coq essentially as a primitive of the appropriate monadic type. We have similar primitives for reading/writing on channels, and opening sockets.

Request from User. If stdin is ready for reading, the kernel reads one character c using the read primitive, and then responds based on the value of c. If c is "+", the kernel adds a new tab to the browser. To achieve this, it first calls mktab to start a tab process (another

[...]

    Definition Trace := list Action.

    Inductive Action :=
    | ReadN   : chan -> positive -> list ascii -> Action
    | WriteN  : chan -> positive -> list ascii -> Action
    | MkTab   : tab -> Action
    | SentSoc : tab -> list ascii -> list ascii -> Action
    | ...

    Definition Read c b := ReadN c 1 [b]

Figure 4: Traces and Actions. This Coq code defines the type of externally visible actions our kernel can take. A trace is simply a list of such actions. We reason about our kernel by proving properties of the traces it can have. Traces are like other Coq values; in particular, we can write functions that return traces. Read is a helper function to construct a trace fragment corresponding to reading a single byte.

We use a list of actions to represent the trace the kernel produces by calling primitives. Each action in a trace corresponds to the kernel invoking a particular primitive. Figure 4 shows a partial definition of the Action datatype. For example: ReadN f n l is an Action indicating that the n bytes in list l were read from input channel f; MkTab t indicates that tab t was created; SentSoc t host port indicates a socket was connected to host/port and passed to tab t. We can manipulate traces and Actions like any other values in Coq. For example, we can define a function Read c b to encode the special case that a single byte b was read on input channel c. Though not shown here, we also define similar helper functions to build up trace fragments which correspond to having read or written a particular message to a given component. For example, ReadMsg t (GetSoc host port) corresponds to the trace fragment that results from reading a GetSoc request from tab t.

5.2 Kernel Specification

Figure 5 shows a simplified snippet of our kernel spec. The spec is a predicate tcorrect over traces with two constructors, stating the two ways in which tcorrect can be established: (1) tcorrect_nil states that the empty trace satisfies tcorrect; (2) tcorrect_step states that if tr satisfies tcorrect and the kernel takes a single step, meaning that after tr it gets a request req, and responds with rsp, then the trace rsp ++ req ++ tr (where ++ is list concatenation) also satisfies tcorrect. By convention the first action in a trace is the most recent.

The predicate step_correct defines correctness for a single iteration of the kernel's main loop: step_correct tr req rsp holds if, given the past trace tr and a request req, the response of the kernel should be rsp. The predicate has several constructors (not all shown) enumerating the ways step_correct can be established. For example, step_correct_add_tab states that typing "+" on stdin leads to the creation of a tab and sending the Render message. The step_correct_socket_true case captures the successful socket creation case, whereas step_correct_socket_false captures the error case.

    Inductive tcorrect : Trace -> Prop :=
    | tcorrect_nil :
        tcorrect nil
    | tcorrect_step : forall tr req rsp,
        tcorrect tr ->
        step_correct tr req rsp ->
        tcorrect (rsp ++ req ++ tr).

    Inductive step_correct : Trace -> Trace -> Trace -> Prop :=
    | step_correct_add_tab : forall tr t,
        step_correct tr
          (MkTab t :: Read stdin "+" :: nil)
          (WroteMsg t Render)
    | step_correct_socket_true : forall tr t host port,
        is_safe_soc host (domain_suffix t) = true ->
        step_correct tr
          (ReadMsg t (GetSoc host port))
          (SentSoc t host port)
    | step_correct_socket_false : forall tr t host port,
        is_safe_soc host (domain_suffix t) <> true ->
        step_correct tr
          (ReadMsg t (GetSoc host port))
          (WroteMsg t Error)
    | ...

Figure 5: Kernel Specification. step_correct is a predicate over triples containing a past trace, a request trace, and a response trace; it holds when the response is valid for the given request in the context of the past trace. tcorrect defines a correct trace for our kernel to be a sequence of correct steps, i.e., the concatenation of valid request and response trace fragments.

5.3 Monads in Ynot Revisited

In the previous section, we explained Ynot's ST monad as being parameterized over a single type T. In reality, ST takes two additional parameters representing pre- and post-conditions for the computation encoded by the monad. Thus, ST T P Q represents a computation which, if started in a state where P holds, may perform some I/O and then return a value of type T in a state where Q holds. For technical reasons, these pre- and post-conditions are expressed using separation logic, but we defer details to a tech report [24].

Following the approach of Malecha et al. [30], we define an opaque predicate (traced tr) to represent the fact that at a given point during execution, tr captures all the past activities; and (open f) to represent the fact that channel f is currently open. An opaque predicate cannot be proven directly. This property allows us to ensure that no part of the kernel can forge a proof of (traced tr) for any trace it independently constructs.
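The message framing that Sections 3.2 and 3.3 describe (a 1-byte tag, a 4-byte payload size, then the payload, read with three calls) is easy to get wrong on the reading side: a short read must not be treated as a complete message, and the size field arrives from a tab that may already be compromised. The following Python is an added example and not Quark's own Python wrapper; the tag values, the network byte order and the payload limit are assumptions made here, and the exchange it decodes is constructed from the Go/GetURL/ResDoc/KeyPress/Display messages named in Section 3.2.

```python
"""Kernel/tab message framing from Sections 3.2-3.3 (1-byte tag, 4-byte size, payload).

Added example, not Quark's own Python wrapper: tag values, big-endian
byte order and the payload limit are assumptions made here.
"""
import io
import struct

# Assumed tag values for the messages the paper names.
TAG_GO, TAG_GETURL, TAG_RESDOC, TAG_DISPLAY, TAG_KEYPRESS, TAG_ERROR = range(1, 7)
TAG_NAMES = {TAG_GO: "Go", TAG_GETURL: "GetURL", TAG_RESDOC: "ResDoc",
             TAG_DISPLAY: "Display", TAG_KEYPRESS: "KeyPress", TAG_ERROR: "Error"}

# Once a tab is compromised its size field is attacker-controlled, so the
# reader bounds it before allocating (the limit itself is an assumed value).
MAX_PAYLOAD = 16 * 1024 * 1024


def encode_msg(tag: int, payload: bytes) -> bytes:
    """Frame one message: tag (1 byte), payload size (4 bytes, network order), payload."""
    if not 0 <= tag <= 255:
        raise ValueError("tag must fit in one byte")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    return struct.pack("!BI", tag, len(payload)) + payload


def _read_exactly(stream, n: int) -> bytes:
    """Loop until n bytes arrive; running out mid-message is a protocol error."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError(f"channel closed after {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)


def read_msg(stream):
    """Three reads per message, as in Section 3.3. Returns None on a clean EOF."""
    head = stream.read(1)
    if not head:
        return None
    tag = head[0]
    (size,) = struct.unpack("!I", _read_exactly(stream, 4))
    if size > MAX_PAYLOAD:
        raise ValueError(f"declared payload size {size} exceeds limit")
    return tag, _read_exactly(stream, size)


def decode_wire(data: bytes):
    """Decode every framed message in data as (name, payload) pairs."""
    stream, out = io.BytesIO(data), []
    while (msg := read_msg(stream)) is not None:
        tag, payload = msg
        out.append((TAG_NAMES.get(tag, f"Unknown({tag})"), payload))
    return out


def demo_exchange() -> bytes:
    """Constructed bytes of the Section 3.2 exchange (both directions, concatenated)."""
    return (encode_msg(TAG_GO, b"http://www.google.com")        # kernel -> tab
            + encode_msg(TAG_GETURL, b"http://www.google.com")  # tab -> kernel
            + encode_msg(TAG_RESDOC, b"<html>...</html>")       # kernel -> tab
            + encode_msg(TAG_KEYPRESS, b"a")                    # kernel -> tab
            + encode_msg(TAG_DISPLAY, b"shm:7"))                # tab -> kernel (shared memory id)


if __name__ == "__main__":
    for name, payload in decode_wire(demo_exchange()):
        print(name, payload)
```

Two details carry the security weight: a frame cut off mid-payload raises instead of being returned as a shorter message, and the declared size is checked against a bound before any allocation, so a tab that has been taken over cannot make the kernel side reserve an arbitrary amount of memory with a five-byte header.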
    Theorem kstate_dep_user : forall tr req rsp,
      step_correct tr req rsp ->
      proj_user_control tr = proj_user_control (rsp ++ req ++ tr) ->
      kernel_state tr = kernel_state (rsp ++ req ++ tr).

    Theorem kresponse_dep_kstate : forall tr1 tr2 req rsp,
      kernel_state tr1 = kernel_state tr2 ->
      step_correct tr1 req rsp ->
      step_correct tr2 req rsp.

    Theorem tab_NI : forall tr1 tr2 t req rsp1 rsp2,
      tcorrect tr1 ->
      tcorrect tr2 ->
      from_tab t req ->
      (cur_tab tr1 = Some t <-> cur_tab tr2 = Some t) ->
      step_correct tr1 req rsp1 ->
      step_correct tr2 req rsp2 ->
      rsp1 = rsp2 \/
      (exists m, rsp1 = WroteCMsg (cproc_for t tr1) m /\
                 rsp2 = WroteCMsg (cproc_for t tr2) m).

    Theorem no_xdom_sockets : forall tr t host s,
      tcorrect tr ->
      In (SendSocket t host s) tr ->
      is_safe_soc host (domain_suffix t).

    Theorem no_xdom_cookie_set : forall tr1 tr2 cproc key value,
      tcorrect (tr1 ++ SetCookie key value cproc :: tr2) ->
      exists tr t,
        tr2 = SetCookieRequest t key value :: tr /\
        is_safe_cook (domain cproc) (domain_suffix t).

    Theorem dom_bar_correct : forall tr,
      tcorrect tr ->
      dom_bar tr = domain_suffix (cur_tab tr).

Figure 7: Kernel Security Properties. This Coq code shows how traces allow us to formalize QUARK's security properties.

[...] response depends solely on the request and the kernel state. This delineates which parts of a trace can affect the kernel's behavior: for a given request req, the kernel will produce the same response rsp for any two traces that induce the same kernel state, even if the two traces have completely different sets of requests/responses (recall that the kernel state only includes the current tab and the set of tabs, and most request responses don't change these). Since the kernel state depends only on the user's control key inputs, this theorem immediately establishes the fact that our browser will never allow one component to influence how the kernel treats another component unless the user intervenes.

Note that kresponse_dep_kstate shows that the kernel will produce the same response given the same request after any two traces that induce the same kernel state. This may seem surprising since many of the kernel's operations produce nondeterministic results, e.g., there is no way to guarantee that two web fetches of the same URL will produce the same document. However, such nondeterminism is captured in the request, which is consistent with our notion of requests as inputs and responses as outputs.

Tab Non-Interference. The second security property, tab_NI, states that the kernel's response to a tab is not affected by any other tab. In particular, tab_NI shows that if in the context of a valid trace, tr1, the kernel responds to a request req from tab t with rsp1, then the kernel will respond to the same request req with an equivalent response in the context of any other valid trace tr2 which also contains tab t, irrespective of what other tabs are present in tr2 or what actions they take. Note that this property holds in particular for the case where trace tr2 contains only tab t, which leads to the following corollary: the kernel's response to a tab will be the same even if all other tabs did not exist.

The formal statement of the theorem in Figure 7 is made slightly more complicated because of two issues. First, we must assume that the focused tab at the end of tr1 (denoted by cur_tab tr1) is t if and only if the focused tab at the end of tr2 is also t. This additional assumption is needed because the kernel responds differently based on whether a tab is focused or not. For example, when the kernel receives a Display message from a tab (indicating that the tab wants to display its rendered page to the user), the kernel only forwards the message to the output process if the tab is currently focused. The second complication is that the communication channel underlying the cookie process for t's domain may not be the same between tr1 and tr2. Thus, in the case that the kernel responds by forwarding a valid request from t to its cookie process, we guarantee that the kernel sends the same payload to the cookie process corresponding to t's domain.

Note that, unlike kresponse_dep_kstate, tab_NI does not require tr1 and tr2 to induce the same kernel state. Instead, it merely requires the request req to be from a tab t, and tr1 and tr2 to be valid traces that both contain t (indeed, t must be on both traces, otherwise the step_correct assumptions would not hold). Other than these restrictions, tr1 and tr2 may be arbitrarily different. They could contain different tabs from different domains, have different tabs focused, different cookie processes, etc.

Response Integrity and Tab Non-Interference provide different, complementary guarantees. Response Integrity ensures the response to any request req is only affected by control keys and req, while Tab Non-Interference guarantees that the response to a tab request does not leak information to another tab. Note that Response Integrity could still hold for a kernel which mistakenly sends responses to the wrong tab, but Tab Non-Interference prevents this. Similarly, Tab Non-Interference could hold for a kernel which allows a tab to affect how the kernel responds to a cookie process, but Response Integrity pre

[...]

with the kernel. Implementing QUARK took about 6 person months, which includes several iterations redesigning the kernel, proofs, and interfaces between components. Formal shim verification saved substantial effort: we guaranteed our security properties for a million lines of code by reasoning about just 859.

Trusted Computing Base. The trusted computing base (TCB) consists of all system components we assume to be correct. A bug in the TCB could invalidate our security guarantees. QUARK's TCB includes:

- Coq's core calculus and type checker
- Our formal statement of the security properties
- Several primitives used in Ynot
- Several primitives unique to QUARK
- The OCaml compiler and runtime
- The underlying Operating System kernel
- Our chroot sandbox

Because Coq exploits the Curry-Howard Isomorphism, its type checker is actually the "proof checker" we have mentioned throughout the paper. We assume that our formal statement of the security properties correctly reflects how we understand them intuitively. We also assume that the primitives from Ynot and those we added in QUARK correctly implement the monadic type they are axiomatically assigned. We trust the OCaml compiler and runtime since our kernel is extracted from Coq and run as an OCaml program. We also trust the operating system kernel and our traditional chroot sandbox to provide process isolation; specifically, our design assumes the sandboxing mechanism restricts tabs to only access resources provided by the kernel, thus preventing compromised tabs from communicating over covert channels.

Our TCB does not include WebKit's large code base or the Python implementation. This is because a compromised tab or cookie process cannot affect the security guarantees provided by the kernel. Furthermore, the TCB does not include the browser kernel code, since it has been proved correct.

Ideally, QUARK will take advantage of previous formally verified infrastructure to minimize its TCB. For example, by running QUARK in seL4 [27], compiling QUARK's ML-like browser kernel with the MLCompCert compiler [1], and sandboxing other QUARK components with RockSalt [32], we could drastically reduce our TCB by eliminating its largest components. In this light, our work shows how to build yet another piece of the puzzle (namely a verified browser) needed for a fully verified software stack. However, these other verified building blocks are themselves research prototypes which, for now, makes them very difficult to stitch together as a foundation for a realistic browser.
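The trace-based view of the kernel that runs through Section 3.4 (the domain-suffix socket policy), Figure 3 (kstep), Figure 4 (actions and traces), Figure 5 (step_correct and tcorrect) and Figure 7 (tab_NI) can be exercised on concrete traces. The Python below is an added example and not the project's Coq code: it renders those definitions as executable checks so that a correct trace, a forged trace and the non-interference comparison between two traces can be run by hand. Assumptions made here: a tab id carries its user-entered domain suffix after an '@'; safe_soc matches the host against the suffix on a label boundary (so "evilucsd.edu" is not under "ucsd.edu"); and the Display rule from Section 5 (forward only from the focused tab) is written as an extra step_correct case that Figure 5 does not show.

```python
"""Trace model of the Quark kernel step and its specification.

Added example, not the project's Coq code.  Assumptions: tab ids look like
"tab1@ucsd.edu" (suffix after '@'); safe_soc matches on a label boundary;
the Display case is an added step_correct constructor not shown in Figure 5.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Action:
    kind: str            # ReadN, ReadMsg, WroteMsg, MkTab, SentSoc
    chan: str            # "stdin", a tab id, or "output"
    data: tuple = ()


Trace = List[Action]     # most recent action first, as in Section 5.2


def Read(chan, b): return Action("ReadN", chan, (b,))
def ReadMsg(tab, *msg): return Action("ReadMsg", tab, msg)
def WroteMsg(tab, *msg): return Action("WroteMsg", tab, msg)
def MkTab(tab): return Action("MkTab", tab)
def SentSoc(tab, host, port): return Action("SentSoc", tab, (host, port))


def domain_suffix(tab: str) -> str:
    return tab.split("@", 1)[1]          # assumption: "tab1@ucsd.edu"


def safe_soc(host: str, suffix: str) -> bool:
    """Socket policy of Section 3.4: host is the suffix or a subdomain of it."""
    host, suffix = host.lower().rstrip("."), suffix.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)   # label boundary (assumption)


@dataclass(frozen=True)
class KState:
    ctab: Optional[str]
    tabs: Tuple[str, ...]


def kernel_state(tr: Trace) -> KState:
    """Only user control input (here: '+' creating a tab) changes kernel state."""
    st = KState(None, ())
    for a in reversed(tr):                       # replay oldest first
        if a.kind == "MkTab":
            st = KState(a.chan, (a.chan,) + st.tabs)
    return st


def kstep(tr: Trace, req: Trace) -> Trace:
    """One iteration of Figure 3: past trace + request fragment -> response fragment."""
    st, top = kernel_state(tr), req[0]
    if top.kind == "MkTab":                               # '+' on stdin, tab started
        return [WroteMsg(top.chan, "Render")]
    t, msg = top.chan, top.data
    if msg[0] == "GetSoc":
        _, host, port = msg
        return [SentSoc(t, host, port)] if safe_soc(host, domain_suffix(t)) else [WroteMsg(t, "Error")]
    if msg[0] == "Display":                               # forward only if focused
        return [WroteMsg("output", *msg)] if st.ctab == t else []
    return [WroteMsg(t, "Error")]


def step_correct(tr: Trace, req: Trace, rsp: Trace) -> bool:
    """Figure 5's constructors (plus the assumed Display case) as a decidable check."""
    if len(req) == 2 and req[0].kind == "MkTab" and req[1] == Read("stdin", "+"):
        return rsp == [WroteMsg(req[0].chan, "Render")]                  # add_tab
    if len(req) == 1 and req[0].kind == "ReadMsg":
        t, msg = req[0].chan, req[0].data
        if msg[0] == "GetSoc":
            _, host, port = msg
            if safe_soc(host, domain_suffix(t)):
                return rsp == [SentSoc(t, host, port)]                   # socket_true
            return rsp == [WroteMsg(t, "Error")]                         # socket_false
        if msg[0] == "Display":
            focused = kernel_state(tr).ctab == t
            return rsp == ([WroteMsg("output", *msg)] if focused else [])
    return False


def tcorrect(tr: Trace) -> bool:
    """A trace is correct iff it splits into correct (req, rsp) steps starting from nil."""
    acts, past, i = list(reversed(tr)), [], 0
    while i < len(acts):
        if acts[i] == Read("stdin", "+") and i + 1 < len(acts) and acts[i + 1].kind == "MkTab":
            req, i = [acts[i + 1], acts[i]], i + 2
        elif acts[i].kind == "ReadMsg":
            req, i = [acts[i]], i + 1
        else:
            return False
        rsp = [acts[i]] if i < len(acts) and acts[i].kind in ("WroteMsg", "SentSoc") else []
        i += len(rsp)
        if not step_correct(past, req, rsp):
            return False
        past = rsp + req + past
    return True


def run(requests: List[Trace], tr: Trace = None) -> Trace:
    """Drive kstep over request fragments, accumulating rsp ++ req ++ tr."""
    tr = list(tr or [])
    for req in requests:
        tr = kstep(tr, req) + req + tr
    return tr


def new_tab(tab: str) -> Trace:
    return [MkTab(tab), Read("stdin", "+")]


def tab_ni(tr1: Trace, tr2: Trace, req: Trace) -> bool:
    """Figure 7's tab_NI for this model: same request from tab t gives the same response."""
    t = req[0].chan
    if (kernel_state(tr1).ctab == t) != (kernel_state(tr2).ctab == t):
        raise ValueError("tab_NI hypothesis: t is focused in both traces or in neither")
    return kstep(tr1, req) == kstep(tr2, req)
```

The point of separating kstep from step_correct is the one the paper makes: kstep is the implementation, step_correct is the specification, and tcorrect checks an entire trace against the specification without reference to the implementation. Running a trace produced by kstep through tcorrect shows the implementation meeting the spec; editing a recorded Error response into a SentSoc for a host outside the tab's suffix makes tcorrect reject the trace, which is what no_xdom_sockets guarantees can never happen for a real kernel trace. tab_ni builds two traces with different kernel states (one with only tab t, one with a second tab from another domain that has made its own requests) and confirms the response to t is identical, under the same focus hypothesis the theorem carries.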
Figure 9: QUARK Performance. This graph shows QUARK load times for the Alexa Top 10 Web sites, normalized to stock WebKit's load times. In each group, the leftmost bar shows the unoptimized load time, the rightmost bar shows the load time in the final, optimized version of QUARK, and intermediate bars show how additional optimizations improve performance. Smaller is better.

Performance. We evaluate our approach's performance impact by comparing QUARK's load times to stock WebKit. Figure 9 shows QUARK load times for the top 10 Alexa Web sites, normalized to stock WebKit. QUARK's overhead is due to factoring the browser into distinct components which run in separate processes and explicitly communicate through a formally verified browser kernel.

By performing a few simple optimizations, the final version of QUARK loads large, sophisticated web sites with only 24% overhead. This is a substantial improvement over a naïve implementation of our architecture, shown by the left-most "not-optimized" bars in Figure 9. Passing bound sockets to tabs, whitelisting content distribution networks for major web sites, and caching cookie accesses improves performance by 62% on average.

The WebKit baseline in Figure 9 is a full-featured browser based on the Python bindings to WebKit. These bindings are simply a thin layer around WebKit's C/C++ implementation which provide easy access to key callbacks. We measure 10 loads of each page and take the average. Over all 10 sites, the average slowdown in load-time is 24% (with a minimum of 5% for blogger and a maximum of 42% for yahoo).

We also measured load-time for the previous version of QUARK, just before rectangle-based rendering was added. In this previous version, the average load-time overhead was only 12% versus 24% for the current version. The increase in overhead is due to additional communication with the kernel during incremental rendering. Despite this additional overhead in load time, incremental rendering is preferable because it allows QUARK to display content to the user as it becomes available instead of waiting until an entire page is loaded.

Security Analysis. QUARK provides strong, formal guarantees for security policies which are not fully compatible with traditional web security policies, but still provide some of the assurances popular web browsers seek to provide. For the policies we have not formally verified, QUARK offers exactly the same level of traditional, unverified enforcement WebKit provides. Thus, QUARK actually provides security far beyond the handful of policies we formally verified. Below we discuss the gap between the subset of policies we verified and the full set of common browser security policies.

The same origin policy [37] (SOP) dictates which resources a tab may access. For example, a tab is allowed to load cross-domain images using an img tag, but not using an XMLHttpRequest. Unfortunately, we cannot easily verify this policy since restricting how a resource may be used after it has been loaded (e.g., in an img tag vs. as a JavaScript value) requires reasoning across abstraction boundaries, i.e., analyzing the large, complex tab implementation instead of treating it as a black box.

The SOP also restricts how JavaScript running in different frames on the same page may access the DOM. We could formally reason about this aspect of the SOP by making frames the basic protection domains in QUARK instead of tabs. To support this refined architecture, frames would own a rectangle of screen real estate which they could subdivide and delegate to sub-frames. Communication between frames would be coordinated by the kernel, which would allow us to formally guarantee that all frame access to the DOM conforms with the SOP.

We only formally prove inter-domain cookie isolation. Even this coarse guarantee prohibits a broad class of attacks, e.g., it protects all Google cookies from any non-Google tab. QUARK does enforce restrictions on cookie access between subdomains; it just does so using WebKit as unverified cookie handling code within our cookie processes. Formally proving finer-grained cookie policies in Coq would be possible and would not require significant changes to the kernel or proofs.

Unfortunately, Quark does not prevent all cookie exfiltration attacks. If a subframe is able to exploit the entire tab, then it could steal the cookies of its top-level parent tab, and leak the stolen cookies by encoding the information within the URL parameter of GetURL requests. This limitation arises because tabs are principals in Quark instead of frames. This problem can be prevented by refining Quark so that frames themselves are the principals.

Our socket security policy prevents an important subset of cross-site request forgery attacks [9]. Quark guarantees that a tab uses a GetURL message when requesting a resource from sites whose domain suffix doesn't match the tab's. Because our implementation of GetURL does not send cookies, the resources requested by a GetURL message are guaranteed to be publicly available ones which do not trigger any privileged actions on the server side. This guarantee prohibits a large class of attacks, e.g., cross-site request forgery attacks against Amazon domains from non-Amazon domains. However, this policy cannot prevent cross-site request forgery attacks against sites sharing the same domain suffix with the tab, e.g., attacks from a tab on www.ucsd.edu against cse.ucsd.edu, since the tab on www.ucsd.edu can directly connect to cse.ucsd.edu using a socket and cookies on cse.ucsd.edu are also available to the tab.

Compatibility Issues. QUARK enforces non-standard security policies which break compatibility with some web applications. For example, mashups do not work properly because a tab can only access cookies for its domain and subdomains, e.g., a subframe in a tab cannot properly access any page that needs user credentials identified by cookies if the subframe's domain suffix does not match the tab's. This limitation arises because tabs are the principals of Quark as opposed to subframes inside tabs. Unfortunately, tabs are too coarse grained to properly support mashups and retain our strong guarantees.

For the same reason as above, Quark cannot currently support third-party cookies. It is worth noting that third-party cookies have been considered a privacy-violating feature of the web, and there are even popular browser extensions to suppress them. However, many web sites depend on third party cookies for full functionality, and our current Quark browser does not allow such cookies since they would violate our non-interference guarantees. Finally, Quark does not support communications like "postMessage" between tabs; again, this would violate our tab non-interference guarantees.

Despite these incompatibilities, Quark works well on a variety of important sites such as Google Maps, Amazon, and Facebook since they mostly comply with Quark's security policies. More importantly, our hope is tha
tinthefutureQuarkwillprovideafoundationtoexplorealloftheabovefeatureswithinaformallyveriedsetting.Inparticular,addingtheabovefeatureswillrequirefu-tureworkintwobroaddirections.First,framesneedtobecometheprinciplesinQuarkinsteadoftabs.Thischangewillrequirethekerneltosupportparentframesdelegatingresourceslikescreenregiontochildframes.Second,nergrainedpolicieswillberequiredtoretainappropriatenon-interferenceresultsinthefaceofthesenewfeatures,e.g.tosupportinteractionbetweentabsvia”postMessage”.Together,thesechangeswouldpro-videaformof”controlled”interference,whereframesareallowedtocommunicatedirectly,butonlyinasanc-tionedmanner.Evenmoreaggressively,onemayattempttore-implementotherresearchprototypeslikeMashu-pOS[19]withinQuark,goingbeyondthewebstandardsoftoday,andprovepropertiesofitsimplementation.14 [6]ANSEL,J.,MARCHENKO,P.,ERLINGSSON,´U.,TAYLOR,E.,CHEN,B.,SCHUFF,D.L.,SEHR,D.,BIFFLE,C.,ANDYEE,B.Language-independentsandboxingofjust-in-timecompila-tionandself-modifyingcode.InPLDI(2011),pp.355–366.[7]BALL,T.,MAJUMDAR,R.,MILLSTEIN,T.,ANDRAJAMANI,S.K.AutomaticpredicateabstractionofCprograms.InPro-ceedingsoftheACMSIGPLAN2001ConferenceonProgram-mingLanguageDesignandImplementation(Snowbird,Utah,June2001).[8]BARTH,A.,JACKSON,C.,ANDMITCHELL,J.C.Robustde-fensesforcross-siterequestforgery.InACMConferenceonCom-puterandCommunicationsSecurity(2008),pp.75–88.[9]BARTH,A.,JACKSON,C.,ANDMITCHELL,J.C.Robustde-fensesforcross-siterequestforgery.InToappearatthe15thACMConferenceonComputerandCommunicationsSecurity(CCS2008)(2008).[10]BARTH,A.,JACKSON,C.,REIS,C.,ANDTHEGOOGLECHROMETEAM.ThesecurityarchitectureoftheChromiumbrowser.Tech.rep.,Google,2008.[11]BOHANNON,A.,PIERCE,B.C.,SJ¨OBERG,V.,WEIRICH,S.,ANDZDANCEWIC,S.Reactivenoninterference.InProceedingsofthe16thACMconferenceonComputerandcommunicationssecurity(2009).[12]CHEN,E.Y.,BAU,J.,REIS,C.,BARTH,A.,ANDJACKSON,C.Appisolation:getthesecurityofmultiplebrowserswithjustone.InProceedingsofthe18thACMconferenceonComputerandcommunicationssecurity(2011).[
13]CHEN,S.,MESEGUER,J.,SASSE,R.,WANG,H.J.,ANDMINWANG,Y.AsystematicapproachtouncoversecurityawsinGUIlogic.InIEEESymposiumonSecurityandPrivacy(2007).[14]CHUGH,R.,MEISTER,J.A.,JHALA,R.,ANDLERNER,S.Stagedinformationowforjavascript.InPLDI(2009).[15]COOK,B.,PODELSKI,A.,ANDRYBALCHENKO,A.Termina-tor:Beyondsafety.InCAV(2006).[16]DAS,M.,LERNER,S.,ANDSEIGLE,M.ESP:Path-sensitiveprogramvericationinpolynomialtime.InPLDI(2002).[17]GRIER,C.,TANG,S.,ANDKING,S.T.SecurewebbrowsingwiththeOPwebbrowser.InIEEESymposiumonSecurityandPrivacy(2008).[18]HENZINGER,T.A.,JHALA,R.,MAJUMDAR,R.,ANDSUTRE,G.Lazyabstraction.InPOPL(2002).[19]HOWELL,J.,JACKSON,C.,WANG,H.J.,ANDFAN,X.MashupOS:operatingsystemabstractionsforclientmashups.InHotOS(2007).[20]HUANG,L.-S.,WEINBERG,Z.,EVANS,C.,ANDJACKSON,C.Protectingbrowsersfromcross-origincssattacks.InACMConferenceonComputerandCommunicationsSecurity(2010),pp.619–629.[21]JACKSON,C.,ANDBARTH,A.Bewareofner-grainedorigins.InInWeb2.0SecurityandPrivacy(W2SP2008)(May2008).[22]JACKSON,C.,BARTH,A.,BORTZ,A.,SHAO,W.,ANDBONEH,D.Protectingbrowsersfromdnsrebindingattacks.InACMConferenceonComputerandCommunicationsSecurity(2007),pp.421–431.[23]JANG,D.,JHALA,R.,LERNER,S.,ANDSHACHAM,H.Anem-piricalstudyofprivacy-violatinginformationowsinJavaScriptWebapplications.InProceedingsoftheACMConferenceCom-puterandCommunicationsSecurity(CCS)(2010).[24]JANG,D.,TATLOCK,Z.,ANDLERNER,S.Establishingbrowsersecurityguaranteesthroughformalshimverication.Tech.rep.,UCSanDiego,2012.[25]JANG,D.,VENKATARAMAN,A.,SAWKA,G.M.,ANDSHACHAM,H.Analyzingthecross-domainpoliciesofashap-plications.InInWeb2.0SecurityandPrivacy(W2SP2011)(May2011).[26]JIM,T.,SWAMY,N.,ANDHICKS,M.Defeatingscriptinjec-tionattackswithbrowser-enforcedembeddedpolicies.InWWW(2007),pp.601–610.[27]KLEIN,G.,ELPHINSTONE,K.,HEISER,G.,ANDRONICK,J.,COCK,D.,DERRIN,P.,ELKADUWE,D.,ENGELHARDT,K.,KOLANSKI,R.,NORRISH,M.,SEWELL,T.,TUCH,H.,ANDWINWOOD,S.seL4:formalvericationofanOSkernel.InSOSP(2009).[28]LEROY,X.Formalcerticationofacompilerback-end,or:pro-gram
mingacompilerwithaproofassistant.InPLDI(2006).[29]MALECHA,G.,MORRISETT,G.,SHINNAR,A.,ANDWIS-NESKY,R.Towardaveriedrelationaldatabasemanagementsystem.InPOPL(2010).[30]MALECHA,G.,MORRISETT,G.,ANDWISNESKY,R.Trace-basedvericationofimperativeprogramswithI/O.J.Symb.Comput.46(February2011),95–118.[31]MICKENS,J.,ANDDHAWAN,M.Atlantis:robust,extensibleexecutionenvironmentsforwebapplications.InSOSP(2011),pp.217–231.[32]MORRISETT,G.,TAN,G.,TASSAROTTI,J.,TRISTAN,J.-B.,ANDGAN,E.Rocksalt:Better,faster,strongersforthex86.InPLDI(2012).[33]NANEVSKI,A.,MORRISETT,G.,ANDBIRKEDAL,L.Poly-morphismandseparationinHoaretypetheory.InICFP(2006).[34]NANEVSKI,A.,MORRISETT,G.,SHINNAR,A.,GOVEREAU,P.,ANDBIRKEDAL,L.Ynot:Dependenttypesforimperativeprograms.InICFP(2008).[35]PROVOS,N.,FRIEDL,M.,ANDHONEYMAN,P.Preventingprivilegeescalation.InProceedingsofthe12thconferenceonUSENIXSecuritySymposium-Volume12(2003),USENIXAs-sociation.[36]RATANAWORABHAN,P.,LIVSHITS,V.B.,ANDZORN,B.G.Nozzle:Adefenseagainstheap-sprayingcodeinjectionattacks.InUSENIXSecuritySymposium(2009),pp.169–186.[37]RUDERMAN,J.Thesameoriginpolicy,2001.http://www.mozilla.org/projects/security/components/same-origin.html.[38]SAXENA,P.,AKHAWE,D.,HANNA,S.,MAO,F.,MCCA-MANT,S.,ANDSONG,D.Asymbolicexecutionframeworkforjavascript.InIEEESymposiumonSecurityandPrivacy(2010),pp.513–528.[39]SINGH,K.,MOSHCHUK,A.,WANG,H.J.,ANDLEE,W.Ontheincoherenciesinwebbrowseraccesscontrolpolicies.InIEEESymposiumonSecurityandPrivacy(2010),pp.463–478.[40]STAMM,S.,STERNE,B.,ANDMARKHAM,G.Reininginthewebwithcontentsecuritypolicy.InProceedingsofthe19thin-ternationalconferenceonWorldwideweb(2010),WWW'10,pp.921–930.[41]TANG,S.,MAI,H.,ANDKING,S.T.Trustandprotectionintheillinoisbrowseroperatingsystem.InOSDI(2010),pp.17–32.[42]WANG,H.J.,GRIER,C.,MOSHCHUK,A.,KING,S.T.,CHOUDHURY,P.,ANDVENTER,H.Themulti-principalOSconstructionofthegazellewebbrowser.Tech.Rep.MSR-TR-2009-16,MSR,2009.[43]YANG,X.,CHEN,Y.,EIDE,E.,ANDREGEHR,J.FindingandunderstandingbugsinCcompilers.InPLDI(2011).[44]YU,D.,CHAND
ER,A.,ISLAM,N.,ANDSERIKOV,I.Javascriptinstrumentationforbrowsersecurity.InPOPL(2007),pp.237–249.16
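The socket security policy and cookie isolation discussed in the section above, as an added Python model (not the paper's Coq kernel): the kernel refuses a direct socket to a host outside the tab's domain suffix, routes such fetches through a cookieless GetURL, and lets a tab see only cookies under its own suffix, which also reproduces the same-suffix CSRF gap the paper notes (www.ucsd.edu to cse.ucsd.edu). The two-label suffix rule, the function names and the cookie jar are assumptions made here.

```python
"""Model of Quark's kernel-side socket and cookie policy (added example, not Quark's code).

Assumption: a tab's "domain suffix" is the last two DNS labels of its domain
(the paper does not define the suffix computation). The cookie jar is a
constructed dict mapping host -> cookie string.
"""
from dataclasses import dataclass
from typing import Optional


def domain_suffix(host: str) -> str:
    """Assumed suffix rule: the last two labels, e.g. 'cse.ucsd.edu' -> 'ucsd.edu'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def same_suffix(tab_domain: str, host: str) -> bool:
    return domain_suffix(tab_domain) == domain_suffix(host)


def visible_cookies(tab_domain: str, jar: dict) -> dict:
    """A tab may only see cookies for its own domain suffix and its subdomains."""
    return {h: c for h, c in jar.items() if same_suffix(tab_domain, h)}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    channel: str               # "socket" or "GetURL"
    cookies: Optional[str]     # cookies attached to the request, if any


def kernel_decide(tab_domain: str, kind: str, host: str, jar: dict) -> Decision:
    """Mediate a tab's request the way the kernel policy in the paper describes."""
    if kind == "GetURL":
        # Cross-suffix fetches go through GetURL, which never carries cookies,
        # so the server only ever sees an unauthenticated (public) request.
        return Decision(True, "GetURL", None)
    if kind == "socket":
        if not same_suffix(tab_domain, host):
            # A direct socket to a foreign suffix is refused; the tab must use GetURL.
            return Decision(False, "socket", None)
        # Same-suffix socket: the host's cookies are available to the tab.
        # This is exactly the gap the paper points out (www.ucsd.edu -> cse.ucsd.edu).
        return Decision(True, "socket", jar.get(host))
    raise ValueError(f"unknown request kind: {kind}")


# Constructed cookie jar for the walk-through.
JAR = {"cse.ucsd.edu": "session=cse123", "www.amazon.com": "session=amz42"}
```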