DOI: 10.5555/2362793.2362816

Privilege separation in HTML5 applications

Online: 08 August 2012

ABSTRACT

The standard approach to privilege separation in web applications is to execute application components in different web origins. This limits the practicality of privilege separation, since each web origin carries financial and administrative cost. In this paper, we propose a new design for achieving effective privilege separation in HTML5 applications that shows how applications can cheaply create an arbitrary number of components. Our approach uses standardized abstractions already implemented in modern browsers. We do not advocate any changes to the underlying browser or require learning new high-level languages, in contrast to prior approaches. We empirically show that we can retrofit our design to real-world HTML5 applications (browser extensions and rich client-side applications) and achieve a reduction of 6x to 10000x in TCB for our case studies. Our mechanism requires fewer than 13 lines of application-specific code changes and considerably improves auditability.
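The abstract names the mechanism only as "standardized abstractions already implemented in modern browsers". The following is an added illustration, not the paper's code or its released source, of the parent-side policy check such a design needs. It assumes (an assumption, not stated on this page) that the bulk of the application runs in a sandboxed iframe without allow-same-origin, so the browser reports its origin as the opaque string "null", and that the unprivileged component reaches privileged capabilities only by posting structured request messages to the small privileged parent. Component names, operations and the in-memory stand-ins for browser capabilities are all constructed for the example; nothing below touches the DOM, so it runs under Node.

```javascript
// Added example: the privileged parent of a privilege-separated HTML5 app.
// The parent is the TCB; sandboxed child frames are the untrusted components.

// Per-component policy: which privileged operations each component may call.
// Component names and operation names are constructed for this example.
const POLICY = {
  editor:   new Set(['storage.get', 'storage.set']),
  uploader: new Set(['storage.get', 'net.fetch']),
};

// Privileged operations live only in the parent. These are in-memory stand-ins
// for real capabilities (localStorage, XHR to an API endpoint, ...).
const store = new Map();
const OPS = {
  'storage.get': ({ key }) =>
    (typeof key === 'string' && store.has(key)) ? store.get(key) : null,
  'storage.set': ({ key, value }) => {
    if (typeof key !== 'string') throw new TypeError('bad key');
    store.set(key, value);
    return true;
  },
  'net.fetch': ({ url }) => {
    // Stand-in for a network request; only a constructed API host is reachable.
    if (typeof url !== 'string' || !url.startsWith('https://api.example.test/')) {
      throw new Error('host not allowed');
    }
    return { url, status: 200, body: '(constructed response)' };
  },
};

// Maps a child window handle (the value a browser exposes as event.source) to
// the component name it was created as. Populated by the parent at frame creation.
const components = new Map();

function registerComponent(name, sourceHandle) {
  if (!POLICY[name]) throw new Error(`unknown component ${name}`);
  components.set(sourceHandle, name);
}

// Handles one message event shaped like a browser MessageEvent:
// { origin, source, data }. Returns the reply object the parent would post back.
function handleComponentMessage(event) {
  const { origin, source, data } = event;
  const id = (data && typeof data.id === 'number') ? data.id : null;
  const deny = (reason) => ({ id, ok: false, error: reason });

  // 1. Identity. A sandboxed frame (no allow-same-origin) has an opaque origin,
  //    reported as the string "null". Every such frame reports "null", so the
  //    origin alone cannot tell components apart: the window handle (source)
  //    is what identifies the component, and unregistered handles are refused.
  if (origin !== 'null') return deny('unexpected origin');
  const component = components.get(source);
  if (!component) return deny('unknown source');

  // 2. Message shape: accept only { id, op, args } with the expected types.
  if (id === null || typeof data.op !== 'string' ||
      typeof data.args !== 'object' || data.args === null) {
    return deny('malformed request');
  }

  // 3. Policy: the requested operation must be in this component's allow-list.
  if (!POLICY[component].has(data.op)) {
    return deny(`op ${data.op} not permitted for ${component}`);
  }

  // 4. Execute inside the parent. Failures become a denial, never an exception
  //    or a stack trace handed back to the untrusted side.
  try {
    return { id, ok: true, result: OPS[data.op](data.args) };
  } catch (e) {
    return deny('operation failed');
  }
}

// In a browser the wiring would be:
//   window.addEventListener('message', (e) => {
//     const reply = handleComponentMessage(e);
//     if (e.source) e.source.postMessage(reply, '*');   // '*' is required: the
//   });                                                 // child's origin is opaque
module.exports = { registerComponent, handleComponentMessage, POLICY };
```

The reply is posted with targetOrigin '*' only because an opaque-origin frame cannot be named any other way; the confidentiality of the reply therefore rests on posting it to the exact source handle that sent the request, which is why the registry is keyed on the handle rather than on the origin string.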


Published in

Security'12: Proceedings of the 21st USENIX conference on Security symposium
August 2012
43 pages

Publisher

USENIX Association
United States

Publication History

• Online: 8 August 2012
• Published: 8 August 2012

Qualifiers

• Article