Securing Interaction for Sites, Apps and Extensions in the Browser

1. Securing Interaction for Sites, Apps and Extensions in the Browser Brad Miller J. D. Tygar

2. Sharing Information in the Cloud • Many advantages • Less control • Less flexibility • How will we share information between apps? • Web interface dominant • Need for robust cross-domain mechanisms

3. Evolved Security Mechanisms Same Origin Policy Same Origin Policy Server A Server B Server A Server B Origin A In Browser Origin B In Browser Origin A In Browser Origin B In Browser Cross-Domain XHR postMessage Content Security Policy Cross-Domain XHR postMessage Content Security Policy • These features are not enough • Workarounds will emerge

4. The Chrome Approach • Chrome merges “apps” and “extensions” • Web apps can be installed from a web store • Users grant apps privileges at install time • Domain level granularity • Cookies, script injection & cross-domain requests

5. Fundamental Modifications App Developer User Site Designer • Designs app/extension, writes manifest • Chooses to install app, approves manifest • Unable to participate • Site designer should help mediate access • Best understanding of data • Best incentive to protect data • Leverage real-world meaning of data • Policies users can understand

6. DOM Node Tags • Privacy tags: protect read access • address, financial, medical, photo/video, etc. • Integrity tags: protect write access • Designed on a custom basis per site Underlying DOM Menubar Transactions Summary = node tagged as “financial” = inherited “financial” tag from parent Website Menubar Summary of Accounts Individual Account Transactions

7. Restricting Scripts • 2 Types of scripts • Requested by site during normal execution • Inserted by browser on behalf of an extension/app • 4 Types of protection Privacy Integrity Requested by site 1 2 Inserted by browser 3 4

8. Determining Policies • User sets policy for extensions at install time • Site designer sets policy for web scripts • Site makes recommendation for extensions • Negotiation resolves any conflicts Privacy Integrity Requested by site 1 1 1 1 1 2 2 2 2 2 Inserted by browser 3 3 3 3 3 4 4 4 4 4

9. Policy Negotiation • Negotiation occurs first time a user visits a site • Can be per extension or across all extensions Site Recommendation User Settings • medical • financial • correspondence • photos/videos • correspondence • photos/videos Are you sure you want to let extensions access your medical and financial data on this site?

10. Example: Photo Editing Contact Info • Privacy tags restrict access to photos • Cross-Domain XHR more cumbersome • Would require support from Facebook • Not flexible enough for long term success Facebook Denied Photo Editor Wall Posts Denied Photos Allowed

11. Example: Identity Theft • Script injection • Credit Card Info • Script Injection • Tag Protection Shopping Website Evil or Vulnerable Installed App Credit Card Info Bank Website Purchase Record Purchase Record

12. Improvements over status quo • Usability • Choices are more natural for humans • Better policies • Privacy tags leverage semantic meaning of data • Integrity tags allow finer granularity in page access • Better incentives • Party with most knowledge and stake plays a role

13. Future Work & Open Questions • Handling DOM updates • Approved script writes new nodes into DOM • What tags should be assigned to new nodes? • Privacy tag set • Fixed set could be restrictive • Custom set harder to work with