Fortifying Web Protocols via Browser-Side Security Monitoring
Description
We present a novel browser-side security enforcement technique for web protocols. The core idea of our approach is to extend the browser with a monitor which, given the protocol specification, enforces the required confidentiality and integrity properties, as well as the intended protocol flow. WPSE is a Google Chrome extension implementing our enforcement technique, which exploits the webRequest API to intercept all the HTTP(S) messages that are sent or received by the browser.
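The monitoring idea described above, sketched as an added example that is not WPSE's code and does not use its XML specification format. The two-step protocol, the hosts idp.example and rp.example, the SPEC layout and the decide() function are all assumptions made for illustration.

```javascript
// Illustration only (hypothetical spec layout, hosts and helper names).
// Each step says which request it matches and what must hold for it to pass.
const SPEC = [
  // Step 0: browser -> identity provider; remember the `state` it sends.
  { match: u => u.origin === "https://idp.example" && u.pathname === "/authorize",
    onPass: (u, s) => { s.state = u.searchParams.get("state"); } },
  // Step 1: browser -> relying party; `state` must equal the remembered one
  // (integrity of the session binding across the two messages).
  { match: u => u.origin === "https://rp.example" && u.pathname === "/callback",
    check: (u, s) => s.state !== null && u.searchParams.get("state") === s.state },
];

const sessions = new Map(); // tabId -> { step, state }: one protocol run per tab

// Returns a webRequest BlockingResponse: { cancel: true } drops the request.
function decide(tabId, rawUrl) {
  const url = new URL(rawUrl);
  const idx = SPEC.findIndex(step => step.match(url));
  if (idx === -1) return { cancel: false };            // not a protocol message
  if (idx === 0) sessions.set(tabId, { step: 0, state: null }); // fresh run
  const s = sessions.get(tabId);
  const step = SPEC[idx];
  // Flow check (message arrives at the expected step) plus the step's own check.
  const ok = s && s.step === idx && (!step.check || step.check(url, s));
  if (!ok) { sessions.delete(tabId); return { cancel: true }; }
  if (step.onPass) step.onPass(url, s);
  s.step = idx + 1;
  if (s.step === SPEC.length) sessions.delete(tabId);  // run completed
  return { cancel: false };
}

// Inside an extension background page, hook the monitor into webRequest.
// A blocking listener needs the webRequest and webRequestBlocking permissions.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    details => decide(details.tabId, details.url),
    { urls: ["https://idp.example/*", "https://rp.example/*"] },
    ["blocking"]);
}
```

Outside a browser the registration at the bottom is skipped, so decide() can be exercised directly with constructed URLs.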
Download
- wpse-0.4.tar.gz (sha256 c4170a6f9a78725a4f4a853cc8da49ac219efc88910c2bd548c3f62e3b12ec1f)
Installation
- Download the WPSE tar.gz package and decompress the folder
  $ tar -xzvf wpse-<version>.tar.gz
- Start the browser (either Google Chrome or Chromium) and point it to chrome://extensions/ (or More tools > Extensions)
- Load WPSE by clicking on the "Load unpacked extension..." button and selecting the decompressed wpse folder
Usage
WPSE is automatically enforced after installation. Follow the instructions below if you want to debug the extension or alter the protocol specifications.
- Debugging
  Under the extension page of your browser, click on the "background page" button of the WPSE extension. A new window will be opened listing all the allowed and blocked HTTP requests along with information on the protocol execution.
- Edit a protocol specification
  Edit one of the XML protocol files under the wpse/resources/protocols/ directory, then reload the extension by clicking on "Reload (Ctrl+R)" under the extensions window.
- Add a new protocol specification
  Create a new XML protocol file under the wpse/resources/protocols/ directory. Add the newly created specification to the list of the enforced protocols in wpse/main.js and reload the extension.
Technical Report
For a detailed discussion of the mechanics of WPSE and the theory behind it, have a look at the technical report: