Bell Labs to secure browsers

Scientists at Bell Labs say they have developed a method of preventing security attacks perpetrated through Web browsers.

Jeff Pelline Staff Writer, CNET News.com
Jeff Pelline is editor of CNET News.com. Jeff promises to buy a Toyota Prius once hybrid cars are allowed in the carpool lane with solo drivers.
Jeff Pelline
3 min read
Bell Labs said today that its scientists have developed a method of preventing security attacks perpetrated through Web browsers that use JavaScript and VBScript languages, such as Microsoft's Internet Explorer and Netscape Communications' Navigator.

The findings by Bell Labs computer scientists Vinod Anupam and Alain Mayer will be presented tomorrow at a security symposium in San Antonio, Texas.

"Through a JavaScript 'safe interpreter,' the security method can be easily implemented in Netscape Navigator and Internet Explorer," according to a statement from Bell Labs. "The 'safe interpreter' assures that scripts have access only to the parts of the browser and window-related data that do not compromise a user's security."

Anupam and Mayer already have studied flaws in scripting languages that are found in browsers such as IE and Navigator. Last summer, they discovered what became known as the "Bell Labs privacy bug," which let hackers monitor Netizens' activity on the Web. (see related story)

Both Netscape and Microsoft have long since posted fixes to the privacy bug. But Anupam says that the specification that he and his colleague will propose provides greater security and flexibility than the current patched model.

"To some extent, the problem has been fixed by Microsoft and Netscape. But we are going beyond what is possible today," Anupam said.

Bell Labs' model for a safe interpreter for scripting languages protects against attacks based on three components: access control, which specifies to what kind of information a script is allowed access; independence of context, which prevents two scripts from accidentally interacting with one another; and trust management, which specifies which scripts are allowed to interact and how.

The current model bases its trust management model on domain, according to Anupam, which means that all scripts from "cnet.com," for example, "trust" each other. But the Bell Labs model allows for the specification of different domains as well as subparts of the same domain.

Anupam said the proposed model is more secure because currently, scripts do not clean out properties as surfers travel from one Web site to another. As a result, information can circulate inappropriately. "Independence of context" means that those script properties are cleaned out before the user moves to the next page.

Bell Labs is the research and development arm of Lucent Technologies. Like other companies, it conducts research in search of ways to tighten Web security at the browser level so e-commerce and Net-related activities can continue to expand.

As Anupam put it: "There are serious implications for Web users who are attacked through their browsers; every piece of information entered, such as a password or credit card number or Web site being visited, is exposed."

A spokesman for Netscape was unable to comment on the specifics of Bell Labs' proposal, but he lauded the laboratory's efforts. "We support any enhancement in security to Internet technologies," he said.

Microsoft was not immediately available for comment.

In October, Bell Labs announced a utility to help users filter spam. It lets people using Lucent's proxy server give a site user an alias, password, and email address, a combination that can combat spam.