ABSTRACT
The standard approach for privilege separation in web applications is to execute application components in different web origins. This limits the practicality of privilege separation, since each web origin carries a financial and administrative cost. In this paper, we propose a new design for achieving effective privilege separation in HTML5 applications that shows how applications can cheaply create an arbitrary number of components. Our approach utilizes standardized abstractions already implemented in modern browsers. In contrast to prior approaches, we do not advocate any changes to the underlying browser or require learning new high-level languages. We empirically show that we can retrofit our design to real-world HTML5 applications (browser extensions and rich client-side applications) and achieve a reduction of 6x to 10000x in TCB for our case studies. Our mechanism requires less than 13 lines of application-specific code changes and considerably improves auditability.
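To make the architecture the abstract describes concrete, here is an added example that is not code from the paper or its source release. It assumes (the abstract does not name them) that the "standardized abstractions" are sandboxed iframes without `allow-same-origin`, which give each component a unique origin at no cost, plus `postMessage` for communication. The parent document keeps the privileges and acts as a broker: an untrusted component can only request operations, and the broker authenticates the requesting window and checks its permission set before acting. The component names, permissions, operations and stores below are constructed so the broker logic runs outside a browser; the browser wiring appears in a comment.

```javascript
// Added example (not the paper's code): parent-side privilege broker for an
// HTML5 application split into sandboxed-iframe components. Assumptions:
// components run in iframes with sandbox="allow-scripts" (unique origin) and
// talk to the parent only via postMessage.

// Registry: component window -> set of permitted operations (constructed policy).
const componentPolicy = new Map();

function registerComponent(win, permissions) {
  componentPolicy.set(win, new Set(permissions));
}

// Privileged operations the parent performs on behalf of components. The
// bodies are constructed stand-ins for real storage and network calls.
const privilegedOps = {
  readPrefs: (args, store) => ({ value: store.prefs[args.key] ?? null }),
  writePrefs: (args, store) => { store.prefs[args.key] = args.value; return { ok: true }; },
  fetchUrl: (args, store) => { store.log.push(args.url); return { status: 200 }; },
};

// Broker: validates a message event and dispatches it. `event` mirrors the
// shape of a DOM MessageEvent (source, origin, data).
function handleMessage(event, store) {
  // A sandboxed iframe has an opaque ("null") origin, so event.origin cannot
  // identify the sender; authenticate by the window object instead.
  const perms = componentPolicy.get(event.source);
  if (!perms) return { error: 'unknown sender' };
  const msg = event.data;
  if (!msg || typeof msg.op !== 'string') return { error: 'malformed request' };
  // hasOwnProperty guards against prototype keys such as "constructor".
  if (!Object.prototype.hasOwnProperty.call(privilegedOps, msg.op)) return { error: 'unknown op' };
  if (!perms.has(msg.op)) return { error: `permission denied: ${msg.op}` };
  return privilegedOps[msg.op](msg.args || {}, store);
}

// Browser wiring (not executed here; requires a DOM):
//   const f = document.createElement('iframe');
//   f.setAttribute('sandbox', 'allow-scripts');   // no allow-same-origin -> unique origin
//   f.src = 'component.html';                      // untrusted component code
//   document.body.appendChild(f);
//   registerComponent(f.contentWindow, ['readPrefs']);
//   window.addEventListener('message', (e) => {
//     const reply = handleMessage(e, store);
//     e.source.postMessage(reply, '*');            // '*' because the child origin is "null"
//   });

// Offline demonstration with constructed windows standing in for contentWindow.
function demo() {
  const store = { prefs: { theme: 'dark' }, log: [] };
  const editorWin = { name: 'editor' };
  const uploaderWin = { name: 'uploader' };
  const strangerWin = { name: 'stranger' };   // never registered
  registerComponent(editorWin, ['readPrefs']);
  registerComponent(uploaderWin, ['fetchUrl']);
  return {
    allowed: handleMessage({ source: editorWin, origin: 'null',
      data: { op: 'readPrefs', args: { key: 'theme' } } }, store),
    denied: handleMessage({ source: editorWin, origin: 'null',
      data: { op: 'writePrefs', args: { key: 'theme', value: 'light' } } }, store),
    unknown: handleMessage({ source: strangerWin, origin: 'null',
      data: { op: 'fetchUrl', args: { url: 'https://example.invalid/' } } }, store),
    proto: handleMessage({ source: uploaderWin, origin: 'null',
      data: { op: 'constructor' } }, store),
    store,
  };
}
```

The point of the design is that the TCB is the broker plus the operations it exposes, not the component code: a compromised editor component can issue `writePrefs` or `fetchUrl` requests, but the broker refuses them, and a window that was never registered gets nothing at all.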