Building Secure Web Mashups

Outline
I. Browser Security Overview
II. Web Mashups
III. Browser Security Details
IV. Mashup Frameworks: MashupOS, Subspace, SMash, Caja
V. Framework Evaluation and Comparison
VI. Related Work

Browser Security Overview
Layers of Browser Code
- Default browser behavior
- Binary plug-ins for embedded content
- Extensions that modify browser behavior
- Scripts that make web pages active

Extensions vs. Scripts
- Theoretical perspective: the only difference is that web page scripts disappear after you leave a page and extensions don't
- Firefox reality: extensions are completely unrestricted; web page scripts are restricted unless digitally signed
Security in Web Browsers
- Browsers simultaneously handle documents and scripts from multiple sources
- Scripts may attempt to interact with: other web pages; the browser; files and processes on the user's computer; remote hosts
A Security Failure Example
- The user is viewing a page with a secret confirmation code, which can be traded in person for some good or service
- A web page in another window reads the code and sends it to a remote host, where it can be accessed by an unscrupulous third party
Real-World Defense
- Same-origin policy (SOP): active content from different trust domains shouldn't interact
- SOP mostly succeeds for pages that want complete isolation
- SOP has inconsistencies and gaps that make partial isolation difficult or impossible
Web Mashups

Mashup Examples
- housingmaps.com
- Wii Finder
- Clockr
- popurls.com
- Yahoo vs. Google
- Google Gadgets
Web Mashup Definitions
- Mashup: a web application that performs browser-side integration of content or services from multiple sources
- Integrator: the site that hosts the web application
- Provider: a site that provides content to the mashup
- Component: a piece of active content from a provider

Sorts of Mashups
- Directly interacting with a web service from inside a browser script (e.g., reading an RSS feed)
- Display control delegation (Google Gadgets: Google as integrator)
- Display control delegation + two-way browser-side communication (Google Maps, Google Search: Google as provider)

Mashup Techniques
- Simulated mashup: server-side data collection
- Frames + proxy server
- Frames + fragment-identifier messaging
- Browser plug-ins for relaying information
- Dynamically generated script requests
Mashup Security Concern
- If you include a Google Search control on your page, you give Google the ability to: read arbitrary information; send it to an arbitrary recipient; execute arbitrary code
Browser Security Details

Browser State: Documents
- DOM: mutable tree structure model
- Metadata: domain property, cookie property, referrer property
SOP Origins
- Origin = domain name + port + protocol
- Assigned to content and scripts according to document URL (source of script irrelevant)
- Domain promotion: xyz.com < abc.xyz.com
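The origin and domain-promotion rules above, worked through in an added JavaScript example that is not part of the slides: an origin is derived from a document URL as protocol, host and port (with the protocol's default port filled in), two URLs are compared, and a document.domain promotion is accepted only when the target is the host itself or a parent domain of it. The "target must contain a dot" rule standing in for the public-suffix check real browsers apply, and the constructed URLs, are this example's own assumptions.

```javascript
// Added example (not from the slides): how the same-origin policy derives an
// origin from a document URL, compares two origins, and which document.domain
// "promotions" a browser accepts. Runs under Node.js, where URL is a global.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = protocol + host + port. The port is filled in from the protocol's
// default when the URL omits it, so http://xyz.com and http://xyz.com:80 agree.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// A document may set document.domain only to its own host or to a parent
// domain of it (the slide's "xyz.com < abc.xyz.com"). Refusing a target with
// no dot (a bare top-level domain) is a simplified stand-in for the
// public-suffix check real browsers apply; that simplification is an
// assumption of this example.
function canPromoteDomain(currentHost, targetDomain) {
  const cur = currentHost.toLowerCase();
  const tgt = targetDomain.toLowerCase();
  if (cur === tgt) return true;
  if (!tgt.includes(".")) return false;
  return cur.endsWith("." + tgt);
}

// After a successful promotion the port no longer takes part in the
// comparison (the spec sets it to null), so two frames that both promote to
// the same suffix become same-origin for DOM access, which is what Subspace
// builds on. Keeping only protocol + promoted domain is this example's
// reading of that rule.
function effectiveOriginAfterPromotion(urlString, newDomain) {
  const u = new URL(urlString);
  if (!canPromoteDomain(u.hostname, newDomain)) {
    throw new Error(`${u.hostname} may not set document.domain to ${newDomain}`);
  }
  return `${u.protocol}//${newDomain.toLowerCase()}`;
}

// Stand-alone run on constructed URLs.
if (typeof module !== "undefined" && typeof require !== "undefined" && require.main === module) {
  console.log(originOf("http://abc.xyz.com/page"));                             // http://abc.xyz.com:80
  console.log(sameOrigin("http://xyz.com/a", "http://abc.xyz.com/b"));          // false
  console.log(effectiveOriginAfterPromotion("http://abc.xyz.com/x", "xyz.com")); // http://xyz.com
}
```

The last function is the interesting one for mashups: a page at abc.xyz.com and a page at def.xyz.com start out as different origins, and only after each of them voluntarily promotes to xyz.com can they touch one another's DOM.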
- environment of a frame of a different origin
- A script cannot use XMLHttpRequest to interact with a site of a different origin

MashupOS
Helen J. Wang, Xiaofeng Fan, Jon Howell, and Collin Jackson. Protection and communication abstractions for web browsers in MashupOS. SIGOPS Oper. Syst. Rev., 41(6):1-16, 2007.

MashupOS Concept
- Keep the same-origin policy around for frames
- Add new frame-like structures to HTML with variations on the same-origin policies
Sandboxes
- Like a frame
- References from outside the sandbox can never be passed in
- Scripts can access without SOP restrictions
- Nesting raises some complex issues
Service Instances
- Loads code from an external site
- Sections can be controlled by service instances
- Browser-side messaging using new JS: CommServer() and CommRequest()

Subspace
- object with the integrator for communication

Subspace (diagram): frames www.mashup.com/index.html, www.mashup.com/mediate.html, p1.mashup.com/index.html, p1.mashup.com/access.html

SMash
Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, and Sachiko Yoshihama. SMash: Secure component model for cross-domain mashups on unmodified browsers. In WWW '08.

SMash Concept
- Use the browser's same-origin policy to enforce isolation of providers' content
- Implement a robust message-passing system based on setting fragment identifiers
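Fragment-identifier messaging of the kind SMash builds on, as an added JavaScript simulation (example code, not SMash's implementation): a frame may set another frame's location.hash across origins even though it may not read that frame's DOM, so each side writes one small packet into the other's hash and polls its own. The example chunks a message into hash-sized packets, acknowledges each packet, reassembles on the far side and delivers each chunk exactly once. The frame objects, the packet format and the tiny chunk size are constructed for the example; SMash's tunnel frame, registration handshake and component model are not modelled.

```javascript
// Added example (not SMash's code): a minimal fragment-identifier message
// channel. The "frames" are plain objects standing in for windows, so the
// whole exchange runs offline under Node.js.

const CHUNK = 8; // constructed, deliberately tiny, so a short message needs several hops

function makeFrame(name) {
  return { name, location: { hash: "" } };
}

// One endpoint of the channel. Packets are "#msg:<id>:<idx>:<total>:<data>"
// or "#ack:<id>:<idx>". Data is encodeURIComponent'd, so it never contains ":".
function makeEndpoint(selfFrame, peerFrame) {
  const st = { queue: [], nextId: 1, awaiting: null, parts: new Map(), seen: new Set(), delivered: [] };

  function send(text) {
    const enc = encodeURIComponent(text);
    const chunks = [];
    for (let i = 0; i < enc.length; i += CHUNK) chunks.push(enc.slice(i, i + CHUNK));
    if (chunks.length === 0) chunks.push("");        // an empty message still needs one packet
    st.queue.push({ id: String(st.nextId++), chunks, idx: 0 });
  }

  function receive(hash) {
    const [, id, idx, total, data] = hash.split(":");
    const key = `${id}:${idx}`;
    if (!st.seen.has(key)) {                            // deliver each chunk exactly once
      st.seen.add(key);
      if (!st.parts.has(id)) st.parts.set(id, []);
      const got = st.parts.get(id);
      got[Number(idx)] = data;
      if (got.filter((c) => c !== undefined).length === Number(total)) {
        st.delivered.push(decodeURIComponent(got.join("")));
        st.parts.delete(id);
      }
    }
    peerFrame.location.hash = `#ack:${key}`;           // let the sender move on
  }

  function acknowledge(hash) {
    if (hash.slice(5) !== st.awaiting) return;          // stale or foreign ack: ignore
    st.awaiting = null;
    const m = st.queue[0];
    m.idx += 1;
    if (m.idx === m.chunks.length) st.queue.shift();
  }

  // One tick of the polling timer: consume what is in our hash, then, if the
  // peer's hash is free and nothing is outstanding, push our next chunk.
  function poll() {
    const h = selfFrame.location.hash;
    if (h.startsWith("#msg:")) { selfFrame.location.hash = ""; receive(h); return; }
    if (h.startsWith("#ack:")) { selfFrame.location.hash = ""; acknowledge(h); }
    if (st.awaiting === null && st.queue.length > 0 && peerFrame.location.hash === "") {
      const m = st.queue[0];
      st.awaiting = `${m.id}:${m.idx}`;
      peerFrame.location.hash = `#msg:${m.id}:${m.idx}:${m.chunks.length}:${m.chunks[m.idx]}`;
    }
  }

  return { send, poll, delivered: () => st.delivered.slice() };
}

// Drive integrator -> provider delivery of `messages` and return what the
// provider side reassembled. Frame names follow the slide's diagram.
function runExchange(messages, maxTicks = 500) {
  const integrator = makeFrame("www.mashup.com/index.html");
  const provider = makeFrame("p1.com/index.html");
  const a = makeEndpoint(integrator, provider);
  const b = makeEndpoint(provider, integrator);
  messages.forEach((m) => a.send(m));
  for (let t = 0; t < maxTicks && b.delivered().length < messages.length; t++) {
    a.poll();
    b.poll();
  }
  return b.delivered();
}
```

Two properties of the slide's "robust" message passing show up here: the sender never overwrites a packet the receiver has not yet consumed (it waits for the ack), and the receiver keys every packet by message id and index so a re-read hash cannot deliver a chunk twice. Throughput is low because every hop costs a polling interval, which is the comparison point the evaluation slides make against Subspace.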
SMash (diagram): frames www.mashup.com/index.html, p1.com/index.html, www.mashup.com/tunnel.html

Caja
Mark S. Miller, Mike Samuel, Ben Laurie, Ihab Awad,
Object-Capability Languages
- Objects can only change the world through the references they hold
- Objects can only receive references through method calls
- Objects never start with references
- Encapsulation is used and enforced
Caja Restrictions
- Properties ending in underscores are private
- Use of functions as constructors only allowed in a restricted way
- Objects may be "frozen"
- Restricted use of functions as objects
- eval only offered for Cajita (no this)
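The object-capability rules and the Caja restrictions above, illustrated by an added JavaScript example that is not Caja's own code: the integrator hands a component one reference, and through it the component can call only the host object's public methods, cannot see "_"-suffixed properties, cannot redefine anything because the facade is frozen, and loses access when the integrator revokes the reference. The map service, its property names and the component's actions are constructed for the example.

```javascript
// Added example (not Caja's code): a revocable, attenuated facade that
// enforces the slides' conventions in plain JavaScript. Runs under Node.js.

function isPrivateName(name) {
  return typeof name === "string" && name.endsWith("_");
}

// Build a facade for `target`. Functions are forwarded with `this` bound to
// the real object, so the host's own methods may still use its private
// state; objects handed back to the caller are attenuated the same way.
function makeCapability(target) {
  let revoked = false;
  const check = () => { if (revoked) throw new Error("capability revoked"); };

  function attenuate(value) {
    if (value === null || typeof value !== "object") return value;   // primitives pass through
    const facade = {};
    for (const key of Object.keys(value)) {
      if (isPrivateName(key)) continue;                    // private by convention: never exposed
      const member = value[key];
      if (typeof member === "function") {
        facade[key] = (...args) => { check(); return attenuate(Reflect.apply(member, value, args)); };
      } else {
        Object.defineProperty(facade, key, {               // live, read-only view of a data property
          enumerable: true,
          get() { check(); return attenuate(value[key]); },
        });
      }
    }
    return Object.freeze(facade);                          // component cannot add or replace members
  }

  return { cap: attenuate(target), revoke: () => { revoked = true; } };
}

// A constructed host service keeping its state in "_" properties.
function makeMapService() {
  return {
    apiKey_: "placeholder-secret",            // must never reach the component
    center_: { lat: 0, lng: 0 },
    zoom: 10,
    panTo(lat, lng) { this.center_ = { lat, lng }; return this.center_; },
    whereAmI() { return this.center_; },
  };
}

// What a (constructed) component can and cannot do with the reference it is
// given. Only primitives are recorded so the caller can inspect them after
// the capability has been revoked.
function componentUsesMap() {
  const service = makeMapService();
  const { cap, revoke } = makeCapability(service);
  const r = {};
  r.keyVisible = "apiKey_" in cap || cap.apiKey_ !== undefined;   // false: private name hidden
  r.zoom = cap.zoom;                                               // 10: public data readable
  r.pannedLat = cap.panTo(51.5, -0.12).lat;                        // 51.5: method works
  r.hostSeesChange = service.center_.lat;                          // 51.5: state lives on the host
  let hijacked;
  try {
    cap.panTo = () => "hijacked";                                  // frozen: ignored or TypeError
    hijacked = cap.panTo() === "hijacked";
  } catch (e) {
    hijacked = false;
  }
  r.overwrote = hijacked;                                          // false
  r.frozen = Object.isFrozen(cap);                                 // true
  revoke();
  try { cap.whereAmI(); r.afterRevoke = "allowed"; } catch (e) { r.afterRevoke = e.message; }
  return r;                                                        // afterRevoke: "capability revoked"
}
```

The component never reaches the service object itself, only the facade passed in as an argument, which is the "objects never start with references" rule in practice. Revocation is what the slides' "providers must trust the integrator" point turns on: whoever built the facade decides how long it works.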
Framework Evaluation and Comparison

Some Key Issues
- Browser modification?
- Necessary provider cooperation vs. backwards compatibility
- Flexibility of component interaction
- Amount of trust providers must have in the integrator

MashupOS: Service Instances
- Browser modification necessary
- Providers must conform to specification
- Authenticity is lightweight and guaranteed by browser
- Flexible message-passing framework, but data-only messages
- Flexible display delegation, but security behavior of tags a bit unclear
- Providers' privacy not fully protected

MashupOS: Sandboxes
- Permit backward compatibility with current APIs
- Seem redundant with service instances
- Awkward interaction with SOP
- Terribly complicates browser security, especially in combination with service instances

Subspace and SMash
- Both accommodate script-based APIs
- Both restricted to data-only messages
- Dynamically loaded components only possible in SMash
- Higher message throughput in Subspace

Direct Use of SMash
- Provider can use XMLHttpRequest
- Providers can authenticate other parties
- Providers have full privacy
- Providers must conform to a standard based on fragment-identifier messaging

Caja
- Does not guarantee any particular security properties
- Can be used to program very fine-grained access control
- For direct applicability to mashups, providers would have to use Caja
- Secure messaging easy to implement
- Providers can safely exchange closures
- Providers must trust the integrator

Conclusions
- Subspace a nice short-term solution
- Browser modification inevitable
- Message-passing popular for clean access control
- Information flow analysis more appropriate
- Language support would be tremendously helpful

Related Work

Browser-Side Messaging
- Douglas Crockford. The tag. http://www.json.org/module.html, October 2006.
- Ian Hickson and David Hyatt (editors). HTML 5. http://www.w3.org/html/wg/html/, June 2008.

Fragment-Identifier Messaging
- XDDE
- Google. PubSub: Gadget-to-gadget communication. http://code.google.com/apis/gadgets/docs/pubsub.html, June 2008.

Unexpected Attacks
- Shuo Chen, David Ross, and Yi-Min Wang. An analysis of browser domain-isolation bugs and a light-weight transparent defense. In POPL '07.
- K. Vikram and Michael Steiner. Mashup component isolation via server-side analysis and instrumentation. In W2SP 2007.
- Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. ACM TWEB, 1(3):11, 2007.
Blocking Scripts
- Trevor Jim, Nikhil Swamy, and Michael Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW '07.
- Mozilla. Site security policy. http://people.mozilla.org/~bsterne/site-security-policy/, June 2008.
Browser Implementation Design
- Richard S. Cox, Steven D. Gribble, Henry M. Levy, and Jacob Gorm Hansen. A safety-oriented platform for web applications. In SP '06.
- Chris Grier, Shuo Tang, and Samuel T. King. Secure web browsing with the OP web browser. In SP '08.
- Sotiris Ioannidis and Steven M. Bellovin. Building a secure web browser. In FREENIX '01.