Lenin Singaravelu, Bernhard Kauer, Alexander Boettcher, Hermann Hertig, Calton Pu, Gueyoung Jung, Carsten Weinhold,
Enforcing Configurable Trust in Client-side Software Stacks by Splitting Information Flow
Current client-server applications such as online banking employ the same client-side software stack to handle information with differing
security and functionality requirements, thereby increasing the size and complexity of software that needs to be trusted. While the high
complexity of existing software is a significant hindrance to testing and analysis, existing software and interfaces are too widely used to
be entirely abandoned. We present a proxy-based approach called FlowGuard to address the problem of large and complex client-side software
stacks. FlowGuard's proxy employs mappings from sensitiveness of information to trustworthiness of software stacks to demultiplex incoming
messages amongst multiple client-side software stacks. One of these stacks is a fully-functional legacy software stack and another is a small
and simple stack designed to handle sensitive information. In contrast to previous approaches, FlowGuard not only reduces the complexity of
software handling sensitive information but also minimizes modifications to legacy software stacks. By allowing users and service providers to define the
mappings, FlowGuard also provides flexibility in determining functionality-security tradeoffs.
We demonstrate the feasibility of our approach by implementing a FlowGuard, called BLAC, for https-based applications. BLAC relies on text
patterns to identify sensitive information in HTTP responses and redirects such responses to a small and simple TrustedViewer, with an
unmodified legacy software stack handling the rest of the responses. We developed a prototype implementation that works with a prominent
bank's online banking site. Our evaluation shows that BLAC reduces size and complexity of software that needs to be trusted by an order of
magnitude, with a manageable overhead of few tens of milliseconds per HTTP response.