
User Interface Toolkit Mechanisms For Securing Interface Elements


Presentation Transcript


  1. User Interface Toolkit Mechanisms For Securing Interface Elements
     Franziska Roesner, James Fogarty, Tadayoshi Kohno
     Computer Science & Engineering
     DUB Group, Security & Privacy Research Lab
     University of Washington

  2. User Interface Toolkits
     • Ease interface design and implementation.
     • Provide developers with flexibility and expressivity.
     Assumption: Developers have full control of an interface.
     New Challenge: Modern interfaces include elements implemented by different developers.
     [Figure labels: Ad from ad library; "Like us on Facebook!" social button from Facebook library; Map from Google library]

  3. Attack #1: Programmatic Click Fraud
     [Figure labels: Ad Server; User Click; Programmatic Click; "Like us on Facebook!"; App Developer]

  4. Attack #2: Size Manipulation
     Android requires applications to display a camera preview in order to take a photo.
     [Figure labels: "Like us on Facebook!"; 1 pixel X 1 pixel camera preview]

  5. Attack #3: Eavesdropping
     Terminology: Code from different developers is in different trust groups.
     [Figure labels: "NEW! Login with your Google account!"; Interface Layout Tree with nodes Background {App}, Text {App}, LoginBox {Google}]

  6. Attack #3: Eavesdropping
     [Figure labels: App Developer; "NEW! Login with your Google account!"; Interface Layout Tree with nodes Background {App}, Text {App}, LoginBox {Google}; p@ssw0rd; ********]

  7. Attack #4: Display Takeover
     Ad Library Code:
         Widget parent = adWidget.getParent();
         parent.removeChildren();
         parent.addChild(fullScreenAd);
     [Figure label: "Like us on Facebook!"]

  8. An Opportunity for Toolkits
     • These vulnerabilities are in the user interface.
     • Existing solutions come at the expense of interface usability and flexibility.
     Addressing these vulnerabilities in the user interface toolkit provides better security and enables new interfaces.

  9. Desired Security Properties
     • Display Integrity
     • Input Integrity
     • Intent Integrity
     • Data Isolation
     • UI-to-API Links

  10. Desired Security Properties
      • Display Integrity
      • Input Integrity
      • Intent Integrity
      • Data Isolation
      • UI-to-API Links

  11. Desired Security Properties
      • Display Integrity
      • Input Integrity
      • Intent Integrity
      • Data Isolation
      • UI-to-API Links
      Protect the display of interface elements across trust groups.
      Recall the attacks: Size Manipulation, Display Takeover
      [Figure label: "Like us on Facebook!"]

  12. Desired Security Properties
      • Display Integrity
      • Input Integrity
      • Intent Integrity
      • Data Isolation
      • UI-to-API Links
      Prevent programmatic interaction with interface elements across trust groups.
      Recall the attack: Programmatic Click Fraud
      [Figure label: "Like us on Facebook!"]

  13. Desired Security Properties
      • Display Integrity
      • Input Integrity
      • Intent Integrity
      • Data Isolation
      • UI-to-API Links
      Protect displayed content and input across trust groups.
      Recall the attack: Eavesdropping
      [Figure label: "NEW! Login with your Google account!"]

  14. Architecting a Toolkit for Security
      Goals:
      (1) Achieve our desired security properties.
      (2) Maintain usability and developer flexibility.
      Techniques:
      • Isolating trust groups
      • Interface layout tree invariants
      • Model-level event listeners
      • Composition across trust groups
      • Flexible feedback (for drag-and-drop, lenses)

  15. Architecting a Toolkit for Security
      Goals:
      (1) Achieve our desired security properties.
      (2) Maintain usability and developer flexibility.
      Techniques:
      • Isolating trust groups
      • Interface layout tree invariants
      • Model-level event listeners
      • Composition across trust groups
      • Flexible feedback (for drag-and-drop, lenses)

  16. Interface Layout Tree Vulnerabilities
      Problem: In a traditional layout tree, there is no guarantee of a trusted path to every node.
      (1) Insecure Layout: Parent elements can manipulate the layout of the child elements.
      Recall the attack: Size Manipulation
      [Figure label: Size Request]

  17. Interface Layout Tree Vulnerabilities
      Problem: In a traditional layout tree, there is no guarantee of a trusted path to every node.
      (2) Insecure Input: Parents can eavesdrop on or modify events intended for children.
      Recall the attack: Eavesdropping
      [Figure labels: "NEW! Login with your Google account!"; Input Events]

  18. Interface Layout Tree Invariants
      Solution: Introduce new invariants:
      • The root node of an application's layout tree must be a system node.
      • Only system nodes may have children of a different trust group.
      [Figure labels: system; Input Events; Size Request]

  19. Interface Layout Tree Invariants
      How to do visual embedding?
      Solution: Introduce a system-trusted proxy node into the layout tree.
      The proxy node is introduced automatically and can be transparent to the developer.
      [Figure labels: "NEW! Login with your Google account!"; two layout trees, each with nodes Root {System}, Background {App}, Text {App}, LoginBox {Google}, one of which also contains Proxy {System}]

  20. More in the paper!
      • Techniques for flexibility
        • Exposing model-level APIs across trust groups
        • Composing trust groups in one interface element
        • Supporting feedback (drag-and-drop, lenses)
      • Prototype implementations for Android and a web browser
      [Figure labels: "NEW! Login with your Google account!"; Login token; "Like us on Facebook!"]

  21. Conclusion
      A security-aware toolkit architecture can achieve security properties while maintaining developer flexibility.
      • Questions for future work and discussions:
        • What are appropriate defaults for access to APIs across trust groups?
        • What new interfaces will a secure toolkit enable?

  22. User Interface Toolkit Mechanisms For Securing Interface Elements
      Franziska Roesner, James Fogarty, Tadayoshi Kohno
      Computer Science & Engineering
      DUB Group, Security & Privacy Research Lab
      University of Washington
      franzi@cs.washington.edu
      This work was supported by the NSF under Graduate Research Fellowship award DGE-0718124 as well as awards CNS-0846065 and IIS-1053868.
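
The two layout tree invariants from slide 18 and the automatic proxy node from slide 19, modelled as an added Python example; it is not code from the presentation or from the authors' prototypes. `Node`, `attach`, `embed`, `violations` and `login_interface` are hypothetical names, and the proxy placement (spliced in above the embedding trust group's subtree, adopting both that subtree and the foreign element) is an assumption.

```python
SYSTEM = "System"  # trust group of toolkit-owned nodes

class Node:
    def __init__(self, name, group, is_proxy=False):
        self.name, self.group, self.is_proxy = name, group, is_proxy
        self.parent, self.children = None, []

    def attach(self, child):  # traditional add: no trust-group check
        child.parent = self
        self.children.append(child)
        return child

    def embed(self, child):
        """Add child while keeping both invariants (proxy placement assumed)."""
        if self.group == SYSTEM or child.group == self.group:
            return self.attach(child)
        top = self  # climb to the top of this trust group's subtree
        while top.parent is not None and top.parent.group == self.group:
            top = top.parent
        if top.parent is None:
            raise ValueError("root of the layout tree must be a system node")
        holder = top.parent  # a system node whenever the tree was valid
        if not holder.is_proxy:  # splice a system proxy in above `top`
            proxy = Node("Proxy", SYSTEM, is_proxy=True)
            holder.children[holder.children.index(top)] = proxy
            proxy.parent = holder
            proxy.attach(top)
            holder = proxy
        return holder.attach(child)

def violations(node):
    """Invariant breaches at and below node (root rule applies if parentless)."""
    found = []
    if node.parent is None and node.group != SYSTEM:
        found.append(f"root {node.name} is not a system node")
    for c in node.children:
        if node.group != SYSTEM and c.group != node.group:
            found.append(f"{node.name} ({node.group}) parents {c.name} ({c.group})")
        found += violations(c)
    return found

def login_interface(secure):  # constructed sample: the slides' login tree
    add = Node.embed if secure else Node.attach
    root = bg = Node("Background", "App")
    if secure:
        root = Node("Root", SYSTEM)
        root.attach(bg)
    add(bg, Node("Text", "App"))
    login = add(bg, Node("LoginBox", "Google"))
    return root, login
```

With `secure=False` the tree has an App node parenting the Google login box under a non-system root; with `secure=True` the login box ends up under a system proxy, so every ancestor between it and the root is a system node.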
