Nataliia Bielova

Researcher (CR1)
INDES team, Inria Sophia Antipolis
2004 route des Lucioles
B.P. 93 - 06902 Sophia Antipolis cedex
Tel: +33 (0)4 92 38 77 87
Office F129

nataliia.bielova (at) inria.fr

Web browser fingerprinting analysis and protection mechanisms

Third-party tracking on the web has gathered much attention, but there are few studies that discuss the technologies behind these complicated mechanisms. These techniques are divided into stateful and stateless. Stateful techniques store identifying information in the user's browser (e.g., in cookies), while stateless techniques identify the user by accessing different browser and operating system properties. Stateless techniques are often called "device fingerprinting".

We propose a novel approach to hybrid information flow monitoring by tracking the knowledge about the user web browser using logical formulae. We define a generic hybrid monitor parametrised by a static analysis and derive sufficient conditions on the static analysis for soundness and relative precision of hybrid monitors.

We then propose a randomisation technique that helps users randomise their browser fingerprints in order to obtain a provable privacy guarantee: the probability of being identified is bounded by a certain threshold.

Publications


JavaScript security by runtime monitors and information flow control

In this survey we compare the security enforcement mechanisms developed for JavaScript security and implemented in web browsers. First, we analyse browser security-relevant APIs and identify useful security policies for JavaScript. Second, we divide the existing enforcement mechanisms into two groups: dynamic mechanisms based on runtime monitoring, and information flow control techniques. For each mechanism we define the class of security policies it enforces and the formal guarantees it provides, and we compare its implementation strategy with the others.

This survey targets two groups of readers: 1) for computer security researchers we propose an overview of security-relevant components of the web browser and the security policies based on these components, we also show how well-known enforcement techniques are applied in a web browser setting; 2) for web developers we propose a classification of security policies, comparison of existing enforcement mechanisms proposed in the literature and explanation of formal guarantees that they provide.

Publications


Information flow security for a web browser model

In this project we investigate the suitability of non-interference as a replacement for the baseline security policy of a browser, the same-origin-policy. We propose an enforcement mechanism based on secure multi-execution that can enforce non-interference with respect to a broad class of security level lattices for the full browser. We prove the security and precision of the enforcement mechanism, and implement it for the Featherweight Firefox browser model.

Next, we analyse the security level posets that are useful in a web context, and how inputs and outputs to the browser should be labelled. Our analysis shows that useful policies (which approximate but improve the current same-origin-policy) can be defined without any support for declassification.
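The secure multi-execution idea above, as an added example that is not part of the page or of the Featherweight Firefox implementation: a constructed script copies a secret cookie into a public network request, and running it once per level of an assumed two-level lattice (with the channel labelling below as an assumption) removes the leak while preserving the secret-level output.

```python
from typing import Dict, List, Tuple

# Two-level lattice for the demo: L (public) below H (secret).
LEVELS = ["L", "H"]
RANK = {"L": 0, "H": 1}
# Constructed channel labelling (an assumption, not the browser model's own).
INPUT_LEVELS = {"document.url": "L", "document.cookie": "H"}
OUTPUT_LEVELS = {"net:third-party": "L", "dom:render": "H"}
DEFAULT_INPUT = ""  # what an execution sees on a channel it may not read

def leaky_script(read, write) -> None:
    """Constructed script that copies the (secret) cookie into a public request."""
    cookie = read("document.cookie")
    page = read("document.url")
    write("net:third-party", f"{page}?id={cookie}")  # public-level output
    write("dom:render", f"Hello, user {cookie}")      # secret-level output

def run_plain(program, inputs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Ordinary single execution: every read and write goes through."""
    out: List[Tuple[str, str]] = []
    program(lambda ch: inputs[ch], lambda ch, v: out.append((ch, v)))
    return out

def run_sme(program, inputs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Secure multi-execution: one copy per level. A copy reads only channels at
    or below its level (a default otherwise) and writes only channels at its level."""
    released: List[Tuple[str, str]] = []
    for level in LEVELS:
        def read(channel: str, level=level) -> str:
            if RANK[INPUT_LEVELS[channel]] <= RANK[level]:
                return inputs[channel]
            return DEFAULT_INPUT
        def write(channel: str, value: str, level=level) -> None:
            if OUTPUT_LEVELS[channel] == level:
                released.append((channel, value))
        program(read, write)
    return released

def public_part(outputs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    return [o for o in outputs if OUTPUT_LEVELS[o[0]] == "L"]

def noninterferent(runner, program, inputs_a, inputs_b) -> bool:
    """Two-run check: inputs differing only at level H must give equal public outputs."""
    return public_part(runner(program, inputs_a)) == public_part(runner(program, inputs_b))

# Constructed inputs: same page, two different session cookies.
RUN_A = {"document.url": "https://example.test/page", "document.cookie": "session=abc"}
RUN_B = {"document.url": "https://example.test/page", "document.cookie": "session=xyz"}
```

Under `run_plain` the public request differs between the two runs (the cookie is visible to the third party); under `run_sme` the public copy only ever sees the default cookie, so the two runs agree on public outputs.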

Publications


Predictability of enforcement and error-toleration

We have proposed how to go beyond the (only) two classical properties used to evaluate an enforcement mechanism: soundness and transparency. Soundness specifies that the output is always good, and transparency guarantees that good input is not changed. However, those two characteristics alone are not sufficient to discriminate between enforcement mechanisms. The key issue is to specify how bad input is turned into good output. We have introduced several notions that could describe predictable behaviour and checked them against an industrial case study on e-Health. The idea behind the notion of predictability is that there are "no surprises on bad inputs".

Having introduced the notion of predictability, we propose a practical approach for enforcing error-tolerant policies. In an e-health scenario, the clinician only specifies the default policy and marks, for each protocol step, the venial errors and their possible corrections. Given a global bound on the number of errors in a trace that can be tolerated for each workflow execution, we automatically generate an enforcement mechanism based on edit automata that provably enforces the policy with a sufficient degree of predictability. We illustrate our approach with a concrete e-health workflow from the Italian region of Lombardy.

This work has been done within the EU-IP-MASTER project (Managing Assurance, Security and Trust for Services).

Publications


Constructive enforcement by iterative suppression automata

Edit automata are powerful theoretical models of runtime enforcement mechanisms, but they have never been applied in practice because no automatic construction of an edit automaton from a given security policy had been devised. While collaborating with Hospital San Raffaele of Milan, one of the most renowned Italian hospitals, we used the edit automata model to build an enforcement mechanism for their business process.

We then developed a specific kind of edit automaton, called an iterative suppression automaton, that enforces a specific class of policies called iterative properties. We provided an automatic construction of an iterative suppression automaton from a given security policy and proved its formal guarantees.
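A suppression automaton derived from a policy given as a finite automaton, as an added example that is not the construction from the paper: it assumes a constructed prescription-workflow policy whose accepting state marks the end of one iteration, and it suppresses (drops, without changing state) any action that has no transition or that would enter a state from which the accepting state is unreachable.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

class SuppressionAutomaton:
    """Edit automaton restricted to suppression: an action with no transition,
    or leading to a dead state (no accepting state reachable), is dropped."""

    def __init__(self, delta: Dict[Tuple[str, str], str], start: str, accepting: Set[str]):
        self.delta, self.accepting, self.state = delta, accepting, start
        self.live = self._live_states()

    def _live_states(self) -> Set[str]:
        # Backward reachability from the accepting states over the policy automaton.
        pred: Dict[str, Set[str]] = {}
        for (src, _), dst in self.delta.items():
            pred.setdefault(dst, set()).add(src)
        live, todo = set(self.accepting), deque(self.accepting)
        while todo:
            dst = todo.popleft()
            for src in pred.get(dst, ()):
                if src not in live:
                    live.add(src)
                    todo.append(src)
        return live

    def step(self, action: str) -> Optional[str]:
        nxt = self.delta.get((self.state, action))
        if nxt is None or nxt not in self.live:
            return None  # suppress: nothing emitted, state unchanged
        self.state = nxt
        return action

    def enforce(self, trace: List[str]) -> List[str]:
        return [e for a in trace if (e := self.step(a)) is not None]

# Constructed policy for one step of a prescription workflow (an assumption):
# dispensing is allowed only after signing; "close" returns to "idle", the
# accepting state, so the property is enforced afresh on every iteration;
# "void" is a dead state, so "abort" is always suppressed.
DELTA = {
    ("idle", "open"): "open",          ("open", "sign"): "signed",
    ("open", "close"): "idle",         ("open", "abort"): "void",
    ("signed", "dispense"): "dispensed", ("dispensed", "close"): "idle",
}

def enforce_prescription(trace: List[str]) -> List[str]:
    return SuppressionAutomaton(DELTA, "idle", {"idle"}).enforce(trace)
```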

This work has been done within the EU-IP-MASTER project (Managing Assurance, Security and Trust for Services).

Publications


Security-by-contract for mobile code security

A novel security-by-contract framework has been proposed. Its key idea is to augment mobile code with a claim about its security behaviour (a contract) that can be matched against a mobile platform policy before the code is downloaded. Thanks to security-by-contract, a digital signature does not just certify the origin of the code but binds the code together with a contract. The mobile device is assumed to contain a security policy that describes the desired behaviour of the applications to be installed.

Publications

This work has been done within the EU-IST-STREP-S3MS project (Security and Services for Mobile Systems).