570 likes | 822 Views
2. Outline. Browser Security OverviewWeb MashupsBrowser Security DetailsMashup Frameworks: MashupOS, Subspace, SMash, CajaFramework Evaluation and ComparisonRelated Work. Browser Security Overview. . . . 4. Layers of Browser Code. Default browser behaviorBinary plug-ins for embedded contentEx
E N D
1. Building Secure Web Mashups
2. 2 Outline Browser Security Overview
Web Mashups
Browser Security Details
Mashup Frameworks: MashupOS, Subspace, SMash, Caja
Framework Evaluation and Comparison
Related Work
3. Browser Security Overview
4. 4 Layers of Browser Code Default browser behavior
Binary plug-ins for embedded content
Extensions that modify browser behavior
Scripts that make web pages active
5. 5 Extensions vs. Scripts Theoretical perspective: the only difference is that web page scripts disappear after you leave a page and extensions don't
Firefox reality:
Extensions are completely unrestricted
Web page scripts are restricted unless digitally signed
6. 6 Security in Web Browsers Browsers simultaneously handle documents and scripts from multiple sources
Scripts may attempt to interact with:
Other web pages
The browser
Files and processes on the user's computer
Remote hosts
7. 7 A Security Failure Example The user is viewing a page with a secret confirmation code, which can be traded in person for some good or service
A web page in another window reads the code and sends it to a remote host, where it can be accessed by an unscrupulous third party
8. 8 Real-World Defense Same-origin policy: active content from different trust domains shouldn't interact
SOP mostly succeeds for pages that want complete isolation
SOP has inconsistencies and gaps that make partial isolation difficult or impossible
9. Web Mashups
10. 10 Mashup Examples housingmaps.com
Wii Finder
Clockr
popurls.com
Yahoo vs. Google
Google Gadgets
11. 11 Web Mashup Definitions Mashup: A web application that performs browser-side integration of content or services from multiple sources
Integrator: site that hosts the web application
Provider: site the provides content to the mashup
Component: a piece of active content from a provider
12. 12 Sorts of Mashups Directly interacting with a web service from inside a browser script (e.g., reading an RSS feed)
Display control delegation (Google gadgets: Google as integrator)
Display control delegation + two-way browser-side communication (Google maps, Google search: Google as provider)
13. 13 Mashup Techniques Simulated mashup: server-side data collection
Frames + proxy server
Frames + fragment-identifier messaging
Browser plug-ins for relaying information
Dynamically generated script requests
14. 14 Mashup Security Concern If you include a Google Search control on your page, you give Google the ability to:
read arbitrary information
send it to an arbitrary recipient
execute arbitrary code
15. Browser Security Details
16. 16 Browser State: Documents DOM: mutable tree structure model
Metadata:
domain property
cookie property
referrer property
etc.
17. 17 Browser State: Frames Can be nested with <iframe> tag
Metadata:
document property
location property
history property
parent property
frames property
18. 18 Scripts in Documents JavaScript: dynamically typed, object-oriented, first-class functions, reflection, eval
Two primary methods
Inline: <script>var x=3;</script>
External: <script src="xyz.com/abc.js"/>
Each frame has one global environment
19. 19 Web Scripting Event handling
Browser data structure access and DOM manipulation
Script environment access
Opening, closing, and navigating frames
HTTP transactions (XMLHttpRequest)
Also: cookie access, plug-in scripting
20. 20 Dynamic Script Request <html>
<head><title>Script Request</title>
<script>
function doIt() {
var s = document.createElement("script");
s.setAttribute("src", "http://www.xyz.com/code.js")
document.body.appendChild(s);
}
</script>
</head>
<body>
<p><button onclick="doIt()">Do it!</button></p>
</body>
</html>
21. 21 SOP Origins Origin = domain name + port + protocol
Assigned to content and scripts according to document URL (source of script irrelevant)
Domain promotion:
xyz.com < abc.xyz.com
Accomplished by setting domain property
22. 22 SOP Restrictions A script cannot read or write data associated with a frame of a different origin -- exceptions:
Scripts can write the location property
Scripts may be able to read the frames property
A script cannot access the JavaScript environment of a frame of a different origin
A script cannot use XMLHttpRequest to interact with a site of a different origin
23. MashupOS
24. 24 MashupOS Concept Keep the same-origin policy around for frames
Add new frame-like structures to HTML with variations on the same-origin policies
25. 25 Sandboxes <Sandbox> like a frame
References from outside the sandbox can never be passed in
Scripts can access <OpenSandbox> without SOP restrictions
Nesting raises some complex issues
26. 26 Service Instances <ServiceInstance> loads code from an external site
<Friv> sections can be controlled by service instances
Browser-side messaging using new JS: CommServer() and CommRequest()
27. Subspace
28. 28 Subspace Concept Use browser's same-origin policy to enforce isolation of providers' content
Use domain promotion to allow each provider to share a single JavaScript object with the integrator for communication
29. 29 Subspace
30. 30 Subspace (Multiple Providers)
31. SMash
32. 32 SMash Concept Use browser's same-origin policy to enforce isolation of providers' content
Implement a robust message-passing system based on setting fragment identifiers
33. 33 SMash
34. 34 SMash Challenges Fragment-identifier size limit
Synchronization
Message authenticity
Message integrity
35. 35 SMash: Direct Style
36. Caja
37. 37 Caja Concept Use a scripting language with stronger guarantees
Make it as similar to JavaScript as possible for backwards compatibility
38. 38 Object-Capability Languages Objects can only change the world through the references they hold
Objects can only receive references through method calls
Objects never start with references
Encapsulation is used and enforced
39. 39 Difficulties with JavaScript Object properties can be enumerated, updated, added, and removed
Code abstractions can be called as functions, as methods, as constructors, or via reflection
Dynamic evaluation
Code in a frame shares an environment
40. 40 Caja Overview Caja is a subset of JavaScript: syntax, semantics, and libraries
Caja code is elaborated into sanitized JavaScript
Caja modules have their own global envrionment
Dynamic evaluation is restricted
41. 41 Caja Restrictions Properties ending in underscores are private
Use of functions as constructors only allowed in a restricted way
Objects may be "frozen"
Restricted use of functions as objects
eval only offered for Cajita (no this)
42. Framework Evaluation and Comparison
43. 43 Some Key Issues Browser modification?
Necessary provider cooperation vs. backwards compatibility
Flexibility of component interaction
Amount of trust providers must have in the integrator
44. 44 MashupOS: Service Instances Browser modification necessary
Providers must conform to specification
Authenticity is lightweight and guaranteed by browser
Flexible message-passing framework but data-only messages
Flexible display delegation but security behavior of <Friv> tags a bit unclear
Providers' privacy not fully protected
45. 45 MashupOS: Sandboxes Permit backward compatibility with current APIs
Seem redundant with service instances
Awkward interaction with SOP
Terribly complicates browser security, especially in combination with service instances
46. 46 Subspace and SMash Both accommodate script-based APIs
Both restricted to data-only messages
Dynamically loaded components only possible in SMash
Higher message throughput in Subspace
47. 47 Direct Use of SMash Provider can use XMLHttpRequest
Providers can authenticate other parties
Providers have full privacy
Providers must conform to a standard based on fragment-identifier messaging
48. 48 Caja Does not guarantee any particular security properties
Can be used to program very fine-grained access control
For direct applicability to mashups, providers would have to use Caja
Secure messaging easy to implement
Providers can safely exchange closures
Providers must trust the integrator
49. 49 Conclusions Subspace a nice short-term solution
Browser modification inevitable
Message-passing popular for clean access control
Information flow analysis more appropriate
Language support would be tremendously helpful
50. Related Work
51. 51 Browser-Side Messaging Douglas Crockford. The <module> tag. http://www.json.org/module.html, October 2006.
Ian Hickson and David Hyatt (editors). HTML 5. http://www.w3.org/html/wg/html/, June 2008.
52. 52 Fragment-Identifier Messaging XDDE
Google. PubSub: Gadget-to-gadget communication. http://code.google.com/apis/gadgets/docs/pubsub.html, June 2008.
53. 53 Unexpected Attacks Shou Chen, David Ross, and Yi-Min Wang. An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism. In CCS '07.
Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell. Protecting browser state from web privacy attacks. In WWW '06.
54. 54 Safer JavaScript Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor Serikov: JavaScript instrumentation for browser security. In POPL '07.
K. Vikram and Michael Steiner: Mashup component isolation via server-side analysis and instrumentation. W2SP 2007.
Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. ACM TWEB. 1(3):11, 2007.
55. 55 Blocking Scripts Trevor Jim, Nikhil Swamy, and Michael Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW '07.
Mozilla. Site security policy. http://people.mozilla.org/~bsterne/site-security-policy/, June 2008.
56. 56 Browser Implementation Design Richard S. Cox, Steven D. Gribble, Henry M. Levy, and Jacob Gorm Hansen. A safety-oriented platform for web applications. In SP '06.
Chris Grier, Shuo Tang, and Samuel T. King. Secure web browsing with the OP web browser. In SP '08.
Sotiris Ioannidis and Steven M. Bellovin. Building a secure web browser. In FREENIX '01.
57. Thank You