1 / 57

Building Secure Web Mashups

2. Outline. Browser Security OverviewWeb MashupsBrowser Security DetailsMashup Frameworks: MashupOS, Subspace, SMash, CajaFramework Evaluation and ComparisonRelated Work. Browser Security Overview. . . . 4. Layers of Browser Code. Default browser behaviorBinary plug-ins for embedded contentEx

unity
Télécharger la présentation

Building Secure Web Mashups

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Building Secure Web Mashups

    2. 2 Outline Browser Security Overview Web Mashups Browser Security Details Mashup Frameworks: MashupOS, Subspace, SMash, Caja Framework Evaluation and Comparison Related Work

    3. Browser Security Overview

    4. 4 Layers of Browser Code Default browser behavior Binary plug-ins for embedded content Extensions that modify browser behavior Scripts that make web pages active

    5. 5 Extensions vs. Scripts Theoretical perspective: the only difference is that web page scripts disappear after you leave a page and extensions don't Firefox reality: Extensions are completely unrestricted Web page scripts are restricted unless digitally signed

    6. 6 Security in Web Browsers Browsers simultaneously handle documents and scripts from multiple sources Scripts may attempt to interact with: Other web pages The browser Files and processes on the user's computer Remote hosts

    7. 7 A Security Failure Example The user is viewing a page with a secret confirmation code, which can be traded in person for some good or service A web page in another window reads the code and sends it to a remote host, where it can be accessed by an unscrupulous third party

    8. 8 Real-World Defense Same-origin policy: active content from different trust domains shouldn't interact SOP mostly succeeds for pages that want complete isolation SOP has inconsistencies and gaps that make partial isolation difficult or impossible

    9. Web Mashups

    10. 10 Mashup Examples housingmaps.com Wii Finder Clockr popurls.com Yahoo vs. Google Google Gadgets

    11. 11 Web Mashup Definitions Mashup: A web application that performs browser-side integration of content or services from multiple sources Integrator: site that hosts the web application Provider: site the provides content to the mashup Component: a piece of active content from a provider

    12. 12 Sorts of Mashups Directly interacting with a web service from inside a browser script (e.g., reading an RSS feed) Display control delegation (Google gadgets: Google as integrator) Display control delegation + two-way browser-side communication (Google maps, Google search: Google as provider)

    13. 13 Mashup Techniques Simulated mashup: server-side data collection Frames + proxy server Frames + fragment-identifier messaging Browser plug-ins for relaying information Dynamically generated script requests

    14. 14 Mashup Security Concern If you include a Google Search control on your page, you give Google the ability to: read arbitrary information send it to an arbitrary recipient execute arbitrary code

    15. Browser Security Details

    16. 16 Browser State: Documents DOM: mutable tree structure model Metadata: domain property cookie property referrer property etc.

    17. 17 Browser State: Frames Can be nested with <iframe> tag Metadata: document property location property history property parent property frames property

    18. 18 Scripts in Documents JavaScript: dynamically typed, object-oriented, first-class functions, reflection, eval Two primary methods Inline: <script>var x=3;</script> External: <script src="xyz.com/abc.js"/> Each frame has one global environment

    19. 19 Web Scripting Event handling Browser data structure access and DOM manipulation Script environment access Opening, closing, and navigating frames HTTP transactions (XMLHttpRequest) Also: cookie access, plug-in scripting

    20. 20 Dynamic Script Request <html> <head><title>Script Request</title> <script> function doIt() { var s = document.createElement("script"); s.setAttribute("src", "http://www.xyz.com/code.js") document.body.appendChild(s); } </script> </head> <body> <p><button onclick="doIt()">Do it!</button></p> </body> </html>

    21. 21 SOP Origins Origin = domain name + port + protocol Assigned to content and scripts according to document URL (source of script irrelevant) Domain promotion: xyz.com < abc.xyz.com Accomplished by setting domain property

    22. 22 SOP Restrictions A script cannot read or write data associated with a frame of a different origin -- exceptions: Scripts can write the location property Scripts may be able to read the frames property A script cannot access the JavaScript environment of a frame of a different origin A script cannot use XMLHttpRequest to interact with a site of a different origin

    23. MashupOS

    24. 24 MashupOS Concept Keep the same-origin policy around for frames Add new frame-like structures to HTML with variations on the same-origin policies

    25. 25 Sandboxes <Sandbox> like a frame References from outside the sandbox can never be passed in Scripts can access <OpenSandbox> without SOP restrictions Nesting raises some complex issues

    26. 26 Service Instances <ServiceInstance> loads code from an external site <Friv> sections can be controlled by service instances Browser-side messaging using new JS: CommServer() and CommRequest()

    27. Subspace

    28. 28 Subspace Concept Use browser's same-origin policy to enforce isolation of providers' content Use domain promotion to allow each provider to share a single JavaScript object with the integrator for communication

    29. 29 Subspace

    30. 30 Subspace (Multiple Providers)

    31. SMash

    32. 32 SMash Concept Use browser's same-origin policy to enforce isolation of providers' content Implement a robust message-passing system based on setting fragment identifiers

    33. 33 SMash

    34. 34 SMash Challenges Fragment-identifier size limit Synchronization Message authenticity Message integrity

    35. 35 SMash: Direct Style

    36. Caja

    37. 37 Caja Concept Use a scripting language with stronger guarantees Make it as similar to JavaScript as possible for backwards compatibility

    38. 38 Object-Capability Languages Objects can only change the world through the references they hold Objects can only receive references through method calls Objects never start with references Encapsulation is used and enforced

    39. 39 Difficulties with JavaScript Object properties can be enumerated, updated, added, and removed Code abstractions can be called as functions, as methods, as constructors, or via reflection Dynamic evaluation Code in a frame shares an environment

    40. 40 Caja Overview Caja is a subset of JavaScript: syntax, semantics, and libraries Caja code is elaborated into sanitized JavaScript Caja modules have their own global envrionment Dynamic evaluation is restricted

    41. 41 Caja Restrictions Properties ending in underscores are private Use of functions as constructors only allowed in a restricted way Objects may be "frozen" Restricted use of functions as objects eval only offered for Cajita (no this)

    42. Framework Evaluation and Comparison

    43. 43 Some Key Issues Browser modification? Necessary provider cooperation vs. backwards compatibility Flexibility of component interaction Amount of trust providers must have in the integrator

    44. 44 MashupOS: Service Instances Browser modification necessary Providers must conform to specification Authenticity is lightweight and guaranteed by browser Flexible message-passing framework but data-only messages Flexible display delegation but security behavior of <Friv> tags a bit unclear Providers' privacy not fully protected

    45. 45 MashupOS: Sandboxes Permit backward compatibility with current APIs Seem redundant with service instances Awkward interaction with SOP Terribly complicates browser security, especially in combination with service instances

    46. 46 Subspace and SMash Both accommodate script-based APIs Both restricted to data-only messages Dynamically loaded components only possible in SMash Higher message throughput in Subspace

    47. 47 Direct Use of SMash Provider can use XMLHttpRequest Providers can authenticate other parties Providers have full privacy Providers must conform to a standard based on fragment-identifier messaging

    48. 48 Caja Does not guarantee any particular security properties Can be used to program very fine-grained access control For direct applicability to mashups, providers would have to use Caja Secure messaging easy to implement Providers can safely exchange closures Providers must trust the integrator

    49. 49 Conclusions Subspace a nice short-term solution Browser modification inevitable Message-passing popular for clean access control Information flow analysis more appropriate Language support would be tremendously helpful

    50. Related Work

    51. 51 Browser-Side Messaging Douglas Crockford. The <module> tag. http://www.json.org/module.html, October 2006. Ian Hickson and David Hyatt (editors). HTML 5. http://www.w3.org/html/wg/html/, June 2008.

    52. 52 Fragment-Identifier Messaging XDDE Google. PubSub: Gadget-to-gadget communication. http://code.google.com/apis/gadgets/docs/pubsub.html, June 2008.

    53. 53 Unexpected Attacks Shou Chen, David Ross, and Yi-Min Wang. An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism. In CCS '07. Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell. Protecting browser state from web privacy attacks. In WWW '06.

    54. 54 Safer JavaScript Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor Serikov: JavaScript instrumentation for browser security. In POPL '07. K. Vikram and Michael Steiner: Mashup component isolation via server-side analysis and instrumentation. W2SP 2007. Charles Reis, John Dunagan, Helen J. Wang, Opher Dubrovsky, and Saher Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. ACM TWEB. 1(3):11, 2007.

    55. 55 Blocking Scripts Trevor Jim, Nikhil Swamy, and Michael Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW '07. Mozilla. Site security policy. http://people.mozilla.org/~bsterne/site-security-policy/, June 2008.

    56. 56 Browser Implementation Design Richard S. Cox, Steven D. Gribble, Henry M. Levy, and Jacob Gorm Hansen. A safety-oriented platform for web applications. In SP '06. Chris Grier, Shuo Tang, and Samuel T. King. Secure web browsing with the OP web browser. In SP '08. Sotiris Ioannidis and Steven M. Bellovin. Building a secure web browser. In FREENIX '01.

    57. Thank You

More Related