INFORMATION:
Notes for Editors
For a copy of the paper or to speak to the researchers involved, please contact Dr Rebecca Caygill in the UCL press office, T: +44 (0)20 3108 3846, E: r.caygill@ucl.ac.uk
Stefan, D., Yang, E., Marchenko, P., Russo, A., Herman, D., Karp, B., and Mazières, D., Protecting Users by Confining JavaScript with COWL, to appear in the Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2014), Broomfield, CO, October, 2014.
New web privacy system could revolutionize the safety of surfing
2014-10-06
(Press-News.org) Researchers from UCL, Stanford Engineering, Google, Chalmers and Mozilla Research have built a new system that protects Internet users' privacy whilst increasing the flexibility for web developers to build web applications that combine data from different web sites, dramatically improving the safety of surfing the web.
The system, 'Confinement with Origin Web Labels,' or COWL, works with Mozilla's Firefox and the open-source version of Google's Chrome web browsers and prevents malicious code in a web site from leaking sensitive information to unauthorised parties, whilst allowing code in a web site to display content drawn from multiple web sites – an essential function for modern, feature-rich web applications.
Testing of COWL prototypes for the Chrome and Firefox web browsers shows the system provides strong security without perceptibly slowing the loading speed of web pages. Following its announcement today, COWL will be freely available for download and use on 15th October from http://cowl.ws. The team who developed it, including two PhD students from Stanford (working in collaboration with Mozilla Research) and a recently graduated PhD from UCL (now employed by Google), hope COWL will be widely adopted by web developers.
Currently, web users' privacy can be compromised by malicious JavaScript code hidden in seemingly legitimate web sites. The web site's operator may have incorporated code obtained elsewhere into his or her web site without realising that the code contains bugs or is malicious. Such code can access sensitive data within the same or other browser tabs, allowing unauthorised parties to obtain or modify data without the user's knowledge.
The research team describe COWL in a paper that will appear in the Proceedings of the 11th USENIX Symposium on Operating Systems Design and Implementation, a premier venue for operating systems research.
Co-author Professor Brad Karp (UCL Computer Science), said: "COWL achieves both privacy for the user and flexibility for the web application developer. Achieving both these aims, which are often in opposition in many system designs, is one of the central challenges in computer systems security research.
"The new system provides a property known as 'confinement' which has been known since the 1970s, but proven difficult to achieve in practical systems like web browsers. COWL confines JavaScript programs that run within the browser, such as in separate tabs. If a JavaScript program embedded within one web site reads information provided by another web site – legitimately or otherwise – COWL permits the data to be shared, but thereafter restricts the application receiving the information from communicating it to unauthorised parties. As a result, the site that shares data maintains control over it, even after sharing the information within the browser."
Co-author Professor David Mazières (Stanford University Computer Science), said: "Security mechanisms for the web must keep pace with the web's rapid evolution. Current measures, such as the Same Origin Policy (SOP), work by stopping JavaScript programs embedded within one web site – malicious or otherwise – from reading data hosted by a separate web site. This brittle approach doesn't work for modern so-called 'mashup' applications that combine information from multiple web sites. Essentially, the SOP doesn't fit how many web sites are built today. And prior attempts at weakening the SOP to allow this sort of sharing, such as with Cross-Origin Resource Sharing (CORS), make it trivial for malicious code to leak sensitive data to unauthorised parties."
When building a modern web site, web developers routinely incorporate JavaScript library code written by third-party authors of unknowable intent. The study cites measurements indicating that 59% of the top one million web sites and 77% of the top 10,000 web sites incorporate a JavaScript library written by a third party. The team say such inclusion of JavaScript libraries is dangerous, as although the code includes features the web developers want, it might also contain malicious code that steals the browser user's data. In such cases, the SOP cannot protect sensitive data, as the included library is hosted by the same web site origin (i.e., under the same Internet domain name).
Professor Karp said: "By blocking the building of web applications that synthesize content from multiple web sites, the SOP actually forces web developers to make design choices that put users' privacy at risk. That's a problem we've solved with COWL.
"For example, one useful web application would let users check they're not being overcharged for items they've ordered from Amazon. The app would have to pull in information from the user's bank statement and Amazon, reconcile the two, and present the result in the browser. To do this, a web developer would need to write code that integrated data from the bank's web site with data from Amazon's web site but the SOP would block this, as the two data sources are hosted by different web domain names. Today's web developers get around this by writing an app that asks the user for their bank and Amazon login credentials, so it can log into both services and collect information as if it is the user. This clearly compromises the user's privacy as the provider of the app gains full access to the user's online banking system and Amazon account."
Deian Stefan, lead PhD student on the project at Stanford, said: "What we've achieved in COWL is a system that lets web developers build feature-rich applications that combine data from different web sites without requiring that users share their login details directly with third-party web applications, all while ensuring that the user's sensitive data seen by such an application doesn't leave the browser. Both web developers and users win."
The research team has shown how to use COWL to build four applications previously unachievable with strong privacy, including an encrypted document editor, a third-party mashup application, a password manager, and a web site that safely includes an untrusted third-party library.
ELSE PRESS RELEASES FROM THIS DATE:
First pictures of BRCA2 protein show how it works to repair DNA
2014-10-05
Scientists have taken pictures of the BRCA2 protein for the first time, showing how it works to repair damaged DNA.
Mutations in the gene that encodes BRCA2 are well known for raising the risk of breast cancer and other cancers. Although the protein was known to be involved in DNA repair, its shape and mechanism have been unclear, making it impossible to target with therapies.
Researchers at Imperial College London and the Cancer Research UK London Research Institute purified the protein and used electron microscopy to reveal its structure and how it interacts with ...
A tall story: Great strides in identifying genetic factors in height
2014-10-05
An international collaboration of scientists has identified a fifth of the genetic factors that cause height to vary between individuals.
A study which examined data on DNA from more than 250,000 people, published on October 6 in Nature Genetics, roughly doubles the number of known genome regions involved in height to more than 400. It also revealed that more than half of the factors involved in determining height are explained by simple common genetic variation - the sort of genetic variation that exists in more than 1 in 10 people.
The collaboration, co led by the ...
Scientists discover pain receptor on T-cells
2014-10-05
Researchers at University of California, San Diego School of Medicine have discovered that T-cells – a type of white blood cell that learns to recognize and attack microbial pathogens – are activated by a pain receptor.
The study, reported online Oct. 5 in Nature Immunology, shows that the receptor helps regulate intestinal inflammation in mice and that its activity can be manipulated, offering a potential new target for treating certain autoimmune disorders, such as Crohn's disease and possibly multiple sclerosis.
"We have a new way to regulate T-cell activation ...
'Unsung' cells double the benefits of a new osteoporosis drug
2014-10-05
Experiments in mice with a bone disorder similar to that in women after menopause show that a scientifically overlooked group of cells are likely crucial to the process of bone loss caused by the disorder, according to Johns Hopkins researchers. Their discovery, they say, not only raises the research profile of the cells, called preosteoclasts, but also explains the success and activity of an experimental osteoporosis drug with promising results in phase III clinical trials.
A summary of their work will be published on Oct. 5 in the journal Nature Medicine.
"We didn't ...
GIANT study reveals giant number of genes linked to height
2014-10-05
The largest genome-wide association study (GWAS) to date, involving more than 300 institutions and more than 250,000 subjects, roughly doubles the number of known gene regions influencing height to more than 400. The study, from the international Genetic Investigation of Anthropometric Traits (GIANT) Consortium, provides a better glimpse at the biology of height and offers a model for investigating traits and diseases caused by many common gene changes acting together. Findings were published online October 5 by Nature Genetics.
"Height is almost completely determined ...
Scientists develop barcoding tool for stem cells
2014-10-05
A 7-year-project to develop a barcoding and tracking system for tissue stem cells has revealed previously unrecognized features of normal blood production: New data from Harvard Stem Cell Institute scientists at Boston Children's Hospital suggests, surprisingly, that the billions of blood cells that we produce each day are made not by blood stem cells, but rather their less pluripotent descendants, called progenitor cells. The researchers hypothesize that blood comes from stable populations of different long-lived progenitor cells that are responsible for giving rise to ...
Discovery of a novel heart and gut disease
2014-10-05
This news release is available in French and German. Physicians and researchers at CHU Sainte-Justine, Université de Montréal, CHU de Québec, Université Laval, and Hubrecht Institute have discovered a rare disease affecting both heart rate and intestinal movements. The disease, which has been named "Chronic Atrial Intestinal Dysrhythmia syndrome" (CAID), is a serious condition caused by a rare genetic mutation. This finding demonstrates that heart and guts rhythmic contractions are closely linked by a single gene in the human body, as shown in a study published on October ...
Breakthrough allows researchers to watch molecules 'wiggle'
2014-10-05
A new crystallographic technique developed at the University of Leeds is set to transform scientists' ability to observe how molecules work.
A research paper, published in the journal Nature Methods on October 5, describes a new way of doing time-resolved crystallography, a method that researchers use to observe changes within the structure of molecules.
Although fast time-resolved crystallography (Laue crystallography) has previously been possible, it has required advanced instrumentation that is only available at three sites worldwide. Only a handful of proteins ...
Air pollution increases river-flows
2014-10-05
A study published in Nature Geoscience shows that air pollution has had a significant impact on the amount of water flowing through many rivers in the northern hemisphere.
The paper shows how such pollution, known as aerosols, can have an impact on the natural environment and highlights the importance of considering these factors in assessments of future climate change.
The research resulted from a collaboration between scientists at the Met Office, Centre for Ecology and Hydrology, University of Reading, Laboratoire de Météorologie Dynamique in France, and the University ...
'Programmable' antibiotic harnesses an enzyme to attack drug-resistant microbes
2014-10-05
The multitude of microbes scientists have found populating the human body have good, bad and mostly mysterious implications for our health. But when something goes wrong, we defend ourselves with the undiscriminating brute force of traditional antibiotics, which wipe out everything at once, regardless of the consequences.
Researchers at Rockefeller University and their collaborators are working on a smarter antibiotic. And in research to be published October 5 in Nature Biotechnology, the team describes a 'programmable' antibiotic technique that selectively targets the ...