WPSE

Fortifying Web Protocols via Browser-Side Security Monitoring

Description

We present a novel browser-side security enforcement technique for web protocols. The core idea of our approach is to extend the browser with a monitor which, given the protocol specification, enforces the required confidentiality and integrity properties, as well as the intended protocol flow. WPSE is a Google Chrome extension implementing our enforcement technique; it uses the webRequest API to intercept all the HTTP(S) messages that are sent or received by the browser.
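
The three checks named above (protocol flow, integrity, confidentiality) can be pictured with the sketch below. It is an example added here, not WPSE's code and not its XML specification format: the SPEC structure, the Monitor class, the origins and the parameter names are all assumptions made for illustration.

```javascript
// Added illustration, not WPSE's code or XML format; SPEC, origins and parameter names are constructed.
const SPEC = [
  { origin: "https://idp.example", path: "/authorize", remember: ["state"] },
  { origin: "https://rp.example", path: "/callback", mustMatch: ["state"], secret: ["code"] },
];
const allow = () => ({ cancel: false, reason: "ok" });
const deny = (reason) => ({ cancel: true, reason });
class Monitor {
  constructor(spec) {
    this.spec = spec;
    this.step = 0;            // index of the next expected protocol message
    this.bound = new Map();   // parameter values fixed by earlier messages
    this.secrets = new Map(); // secret value -> the only origin allowed to receive it
  }

  // Decide on one outgoing request URL.
  check(rawUrl) {
    const url = new URL(rawUrl);
    // Confidentiality: a protocol secret must not travel to any other origin.
    for (const [value, origin] of this.secrets) {
      if (url.origin !== origin && rawUrl.includes(value)) return deny("secret leak");
    }
    const idx = this.spec.findIndex((m) => m.origin === url.origin && m.path === url.pathname);
    if (idx === -1) return allow(); // not a protocol message
    // Flow: protocol messages are accepted only in the specified order.
    if (idx !== this.step) return deny("out-of-order message");
    const msg = this.spec[idx];
    // Integrity: a value bound by an earlier message must come back unchanged.
    for (const name of msg.mustMatch || []) {
      const v = url.searchParams.get(name);
      if (v === null || v !== this.bound.get(name)) return deny("integrity: " + name);
    }
    for (const name of msg.remember || []) this.bound.set(name, url.searchParams.get(name));
    for (const name of msg.secret || []) {
      const v = url.searchParams.get(name);
      if (v) this.secrets.set(v, url.origin);
    }
    this.step += 1;
    if (this.step === this.spec.length) { this.step = 0; this.bound.clear(); } // flow done
    return allow();
  }
}

// In an extension holding the webRequestBlocking permission, a blocking listener returns the decision.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  const monitor = new Monitor(SPEC);
  chrome.webRequest.onBeforeRequest.addListener(
    (d) => ({ cancel: monitor.check(d.url).cancel }), { urls: ["<all_urls>"] }, ["blocking"]);
}
```

The sketch inspects request URLs only, so values carried in headers or request bodies are outside what it checks.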

Download

  • wpse-0.4.tar.gz (sha256 c4170a6f9a78725a4f4a853cc8da49ac219efc88910c2bd548c3f62e3b12ec1f)

Installation

  1. Download the WPSE tar.gz package and decompress it

    $ tar -xzvf wpse-<version>.tar.gz

  2. Start the browser (either Google Chrome or Chromium) and point it to chrome://extensions/ (or More tools > Extensions)

  3. Load WPSE by clicking on the "Load unpacked extension..." button and selecting the decompressed wpse folder

Usage

WPSE is automatically enforced after installation. Follow the instructions below if you want to debug the extension or alter the protocol specifications.
  • Debugging
    Under the extension page of your browser, click on the "background page" button of the WPSE extension. A new window will be opened listing all the allowed and blocked HTTP requests along with information on the protocol execution.
  • Edit a protocol specification
    Edit one of the XML protocol files under the wpse/resources/protocols/ directory, then reload the extension by clicking on "Reload (Ctrl+R)" under the extensions window.
  • Add a new protocol specification
    Create a new XML protocol file under the wpse/resources/protocols/ directory. Add the newly created specification to the list of the enforced protocols in wpse/main.js and reload the extension.

Technical Report 

For a detailed discussion of the mechanics of WPSE and the theory behind it, have a look at the technical report: