eScholarship
Open Access Publications from the University of California

Language-based Security for Web Browsers

  • Author(s): Jang, Dongseok
  • et al.
Abstract

Web browsers are among the most security-critical applications, used by billions of people to access private information ranging from bank statements to medical records. However, in the last decade we have witnessed numerous browser security vulnerabilities that allow attackers to steal this information or hijack a user's machine. Many of these security vulnerabilities are rooted in the lack of security support from the programming languages used in browsers. First, JavaScript, the browser-side scripting language, lacks flexible language constructs to isolate code originating from different websites, despite the common practice of merging JavaScript programs from untrusted sources into one web page. As a result, JavaScript attacks have affected numerous sites. Second, C++, the language in which major browsers are implemented, does not guarantee memory safety. As a result, memory corruption attacks are prevalent in browsers; in the worst scenario, memory corruption attacks can hijack a user's machine. Third, due to the lack of reasoning support, C++ makes it challenging to implement correct and thorough security policies in browsers comprising millions of lines of code. Loopholes in implementations have thus been exploited to circumvent intended security measures. These factors suggest that we can retrofit these languages with security-relevant constructs or incorporate a security-oriented language to address these problems. This dissertation argues that we can adapt language techniques to improve browser security. To support this argument, we present the following contributions. First, we present a dynamic information flow framework for JavaScript to detect and prevent data stealing attacks in JavaScript web applications. Second, we present SafeDispatch, an enhanced C++ compiler that prevents C++ control flow hijacking attacks, a class of attacks that exploit vtable pointers in the browser. Third, we present Quark, a browser with a kernel formally verified to satisfy crucial security properties even when another browser component is compromised. We highlight experimental results showing that each of our contributions is a practical defense mechanism against various browser security problems. We have implemented our proposals in real browsers such as Chromium and WebKit and showed that they successfully run on real websites, including Google, Amazon, and Facebook.
