360 likes | 503 Views
TL29. Live Labs Web Sandbox: Securing Mash-Ups, Site Extensibility, And Gadgets. Scott Isaacs Software Architect Microsoft Corporation. Dragos Manolescu Program Manager Microsoft Corporation. Agenda. Web security – overview and history Introducing the Web Sandbox
E N D
TL29 Live Labs Web Sandbox: Securing Mash-Ups, Site Extensibility, And Gadgets Scott Isaacs Software Architect Microsoft Corporation Dragos Manolescu Program Manager Microsoft Corporation
Agenda • Web security – overview and history • Introducing the Web Sandbox • Kicking the tires • Getting involved • and lots of demos
How The Web Works <div id="sitemeter" class="plain"> <!--WEBBOT bot="HTMLMarkup" startspan ALT="Site Meter" --> <script type="text/javascript" language="JavaScript">var site="s15gizmodo"</script> <script type="text/javascript" language="JavaScript1.2" src="http://s15.sitemeter.com/js/counter.js?site=s15gizmodo"> </script>
announcing Web SandboxA Tech Preview
History • Technology dates back to the 90s • Started with hit counters (images) • Transition to affiliate programs • Web 2.0 mash-ups: low-cost innovation • Sites want to become “platforms” • All suffer the same fate
A Scary Problem • Mashing up third-party content • What does this mean for the site? • What does this mean for the user? • but everyone wants a “partner” • A challenging environment • Only as reliable as the weakest link • Users pay the cost
This is one of the most damaging problems on the Web – security expert RSnake
State Of The Art (Before Today) • Ignore the problem • IFrame the problem • Too much isolation without security • Redirects, installers, history, clickjacking, etc • First Generation Solutions (FBJS…) • A new programming model • None address Quality of Service (QoS)
Where Do We Need To Go? • Think outside the box – literally • Beyond gadgets • Site extensibility • Componentization model • Richer advertising • Control the trust model • Protect the overall experience
The Opportunity • Goal: Secure Web 2.0 • Industry-wide focus • ECMA Security Working Group • AdSafe, Caja… • Work together to define the standard • Enter the Live Labs Web Sandbox
demo Web Sandbox 101
Architecture 101 – The Big Picture Trusted Host Requested Content(untrusted) Virtual Machine Sandboxed Execution Sandboxed Execution TransformationPipeline Untrusted Content Virtualized Code
The Browser Challenge • Support for all modern browsers • No browser extensions required • Provides cross-browser consistency • Why not develop a plug-in? • Users must not opt-into security • Ubiquity versus deployment
The Philosophy • Change function: Success= Customer Pain Total Perceived Pain of Adoption • Use the materials in the room • No new APIs or language • No gadget SDK required
demo Web Sandbox 201
Going Beyond Security • Standards – based • JavaScript “good” and “bad” parts • Processing Model • Automatic multi-instancing • Code throttling • QoS monitoring
demo Web Sandbox:Graduation
Why Is QoS Hard? • Lack of isolation • Increased surface area • Testing challenges • Unintentional conflicts • No feedback loop • Single point of failure
demo Grad School:Infinite Is A Big Number…
The Fine Print • Goal: Support 99% of the language • Work in progress • HTML must be well-formed • document.write • JavaScript with statement • XML Proxy is not yet enabled • Dynamic loading of external scripts • Silverlight and Flash Support
The Finer Print • Trade-offs • Performance: 1.5 – 4x • Intermediate transformation step • More difficult debugging (?debug=true flag) • The 1%: API Limitations • No arbitrary code “eval”uation • Addressable with native support
demo Privacy:It’s My History
Architecture 101 – The Big Picture Trusted Host Requested Content(untrusted) Virtual Machine Sandboxed Execution Sandboxed Execution TransformationPipeline Untrusted Content Virtualized Code
Transformation Pipeline Ready to Run! Untrusted Content HTML to JSON CSS to JSON Transform all Scripts Package With Script
Sandbox Execution Ready to Run! Sandbox Instance Sandbox Instance Sandbox Instance Code Invocations Monitor QoS Interception Layer Type and Apply Rule
demo We Rule!
Runtime Communication Trusted Host Requested Content(untrusted) Runtime Virtual Machine Sandboxed Execution Sandboxed Execution TransformationPipeline Untrusted Content Virtualized Code
Easy Hosting <div id="putContentHere"></div><script src="websandbox.js"></script><!-- Use Server Transform --><script src="http://websandbox-code.org/transform.aspx?url=UrlToUntrustedCode&guid=ContentID"></script> <script> // Create a Sandbox instancevarsb = new $Sandbox(document.getElementById("putContentHere"), $Policy.Gadget, "ContentID") sb.initialize(); </script>
demo Web Sandbox: DIY
Getting Involved • An Open Project • http://websandbox.livelabs.com • Interactive Documentation • Playground and Samples • Hack us! Break us! Make us feel pain • Community Forums • We want all feedback • Public Full Disclosure Forum • Join us in defining the standard
Evals & Recordings Please fill out your evaluation for this session at: This session will be available as a recording at: www.microsoftpdc.com
Q&A Please use the microphones provided
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.