protection and communication abstractions for web browsers in mashupos
DESCRIPTION
Protection and Communication Abstractions for Web Browsers in MashupOS. Helen J. Wang, Xiaofeng Fan, Jon Howell (MSR) Collin Jackson (Stanford) February, 2008. OMash: Enabling Secure Web Mashups via Object Abstractions. Steven Crites, Francis Hsu , Hao Chen UC Davis. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/1.jpg)
Protection and Communication Abstractions for Web Browsers
in MashupOS
Helen J. Wang, Xiaofeng Fan, Jon Howell (MSR)Collin Jackson (Stanford)
February, 2008
1
![Page 2: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/2.jpg)
OMash: Enabling Secure Web Mashups via Object
AbstractionsSteven Crites, Francis Hsu, Hao
Chen
UC Davis
![Page 3: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/3.jpg)
3
![Page 4: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/4.jpg)
4
… but most of all, Samy is my hero
![Page 5: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/5.jpg)
5
![Page 6: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/6.jpg)
Outline
• The problem
• The MashupOS project
• Protection
• Communication
• Implementation and demo
• Evaluation
• Related work
• Conclusions6
![Page 7: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/7.jpg)
Client Mashups• Web content has evolved from single-principal services
to multi-principal services, rivaling that of desktop PCs.• Principal is domain
7
![Page 8: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/8.jpg)
Browsers Remain Single-Principal Systems
• The Same Origin Policy (SOP), an all-or-nothing trust model:– No cross-domain interactions allowed– (External) scripts run with the privilege of the enclosing page
8
http://integrator.com/
<iframe src=“http://provider.com/p.html”></iframe>
http://integrator.com/
<scriptsrc=“http://provider.com/p.js”></script>
X
![Page 9: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/9.jpg)
Same Origin Policy
a.com
a.com a.com b.com
Server
Browser
![Page 10: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/10.jpg)
What Domains are of the Same Origin?
web1.acm.org web2.acm.orgyes
cs.ucdavis.edu ece.ucdavis.edumaybe
amazon.co.uk bbc.co.ukno
Same origin?
![Page 11: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/11.jpg)
Insufficiency of the SOP
• Sacrifice security for functionality when including an external script without fully trusting it
• E.g., iGoogle, Live gadget aggregators’ inline gadget
11
![Page 12: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/12.jpg)
Insufficiency of the SOP, Cont.• Third-party content
sanitization is hard– Cross site scripting
(XSS): • Unchecked user input in a
generated page • E.g., Samy worm: infected
1 million MySpace.com users in 20 hours
• Root cause:– The injected scripts run
with the page’s privilege
12
Samy is my hero
![Page 13: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/13.jpg)
Insufficiency of the SOP, Cont.
• Sacrifice functionality for security when denying scripts in third-party content
• E.g., MySpace.com disallows scripts in user profiles
13
![Page 14: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/14.jpg)
DNS Insecurity
• Client vulnerabilities– DNS rebinding (Jackson et al, CCS 07)– Dynamic Pharming (Karlof et al, CCS 07)
• Server vulnerabilities– DNS cache poisoning (Kaminsky, BlackHat
08)
![Page 15: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/15.jpg)
Cross-Site Request Forgery
a.com
a.com b.com
Server
Browser
![Page 16: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/16.jpg)
The MashupOS Project• Enable browser to be a multi-principal OS• Focus of this paper: protection and
communication abstractions• Protection:
– Provide default isolation boundaries
• Communications: – Allow service-specific, fine-grained access control
across isolation boundaries
16
![Page 17: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/17.jpg)
Design Principles• Match all common trust levels to balance
ease-of-use and security– Goal: enable programmers to build robust
services– Non-goal: make it impossible for programmers
to shoot themselves in the foot
• Easy adoption and no unintended behaviors
17
![Page 18: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/18.jpg)
Outline
The problemThe MashupOS project
• Protection
• Communication
• Implementation and demo
• Evaluation
• Related work
• Conclusions18
![Page 19: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/19.jpg)
A Principal’s Resources
• Memory: – heap of script objects including DOM objects
that control the display
• Persistent state: – cookies, etc.
• Remote data access: – XMLHttpRequest
19
![Page 20: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/20.jpg)
Trust Relationship between Providers and Integrators
i.com
i.com
ContentSemantics
Abstraction Run-as
20
p.com i.com
Internet
http://i.com/
HTML
XHR
X
XXHR
No No Isolated <Frame> p.com
<iframe src=“http://p.com/c.html”></iframe>
X
![Page 21: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/21.jpg)
Trust Relationship between Providers and Integrators
i.com
i.com
ContentSemantics
Abstraction Run-as
21
p.com i.com
Internet
http://i.com/
Script
XHR
No No Isolated <Frame> p.com
Yes Yes Open <Script> i.com
<script src=“http://p.com/c.js”></script>
![Page 22: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/22.jpg)
Trust Relationship between Providers and Integrators
i.com
i.com
ContentSemantics
Abstraction Run-as
22
p.com i.com
Internet
http://i.com/
No No Isolated <Frame> p.com
Yes Yes Open <Script> i.com
No Yes
X
![Page 23: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/23.jpg)
Trust Relationship between Providers and Integrators
23
p.com i.com
Internet
http://i.com/
X
XXHR
NoneYes No <Sandbox><OpenSandbox>
Unauthorized
Unauth
XXHR
i.com
i.com
ContentSemantics
Abstraction Run-as
No No Isolated <Frame> p.com
Yes Yes Open <Script> i.com
No Yes
Unauthorized content is not authorized to access any principal’s resources.
<sandboxsrc=“http://p.com/c.html”></sandbox>
![Page 24: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/24.jpg)
Properties of Sandbox• Asymmetric access
– Access: reading/writing script global objects, function invocations, modifying/creating DOM elements inside the sandbox
• Invoking a sandbox’s function is done in the context of the sandbox– setuid (“unauthorized”) before invocation and setuid
(“enclosingPagePrincipal) upon exit
• The enclosing page cannot pass non-sandbox object references into the sandbox.– Programmers can put needed objects inside the sandbox
• Private vs. Open sandboxes
24
![Page 25: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/25.jpg)
Private Sandbox<sandbox src=“file”>
Content if tag not supported</sandbox>
• Belongs to a domain and can only be accessed by that domain– E.g., private location history marked on a map
• Private sandboxes cannot access one another even when nested– Otherwise, a malicious script can nest another
private sandbox and access its private content
25
![Page 26: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/26.jpg)
Open Sandbox<OpenSandbox src=“file”>
Content if tag not supported</OpenSandbox>
• Can be accessed by any domain• Can access its descendant open sandboxes
--- important for third party service composition– E.g., e-mail containing a map; don’t want an e-mail
to tamper hotmail.com; don’t want the map library to tamper the e-mail
26
![Page 27: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/27.jpg)
Provider-Browser Protocol for Unauthorized Content
• Unauthorized content must be sandboxed and must not be renderable by frames– Otherwise, unauthorized content would run as the principal of the frame
• MIME protocol seems to be what we want: – Require providers to prefix unauthorized content subtype with
x-privateUnauthorized+ or x-openUnauthorized+– E.g., text/html text/x-privateUnauthorized+html– Verified that Firefox cannot render these content types with <frame> and
<script>– But, IE’s MIME sniffing allows rendering sometimes
• Alternative: encraption (e.g., Base64 encoding)• Prevent providers from unintentionally publishing unauthorized
content as other types of content: – Constrain sandbox to take only unauthorized content
27
![Page 28: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/28.jpg)
Key Benefits of Sandbox
• Safe mashups with ease
• Beneficial to host third-party content as unauthorized content
28
![Page 29: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/29.jpg)
Sandbox for Safe Mashups with Ease
29
http://Mashup.com/index.htm
<script src=“a.com/a.js”> </script>
<script src=“b.com/b.js”> </script>
<script>// local script to Mashup.com // calling functions in a.js and b.js</script>
<div id=“displayAreaForA”> … </div>
X
X
![Page 30: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/30.jpg)
Hosting Third-Party Content as Unauthorized Content
• Combats cross site scripting attacks in a fundamental way– Put user input into a sandbox– Does not have to sacrifice functionality
• Helps with Web spam– Discount the score of hyperlinks in third party
content
30
![Page 31: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/31.jpg)
Outline
The problemThe MashupOS projectProtection
• Communication
• Implementation & demo
• Evaluation
• Related work
• Conclusions31
![Page 32: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/32.jpg)
Communications
• Message passing across the isolation boundaries enable custom, fine-grained access control
32
Isolated Isolated
a.com b.com
CommRequest
Unauthorized
![Page 33: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/33.jpg)
CommRequest• Server:
server = new CommServer();server.listenTo(“aPort”,
requestHandlerFunction);• Client:
req = new CommRequest();req.open (“INVOKE”,
“local:http://bob.com//aPort”, isSynchronous);
req.send (requestData);req.onreadystatechange = function ()
{ …}33
![Page 34: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/34.jpg)
CommRequest vs. XMLHttpRequest
• Cross domain
• Source labeled
• No cookies sent
• “Server” can be on client
• Reply from remote server tagged with special MIME type
• Syntax similar to socket API and XHR
34
![Page 35: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/35.jpg)
Outline
The problemThe MashupOS projectProtectionCommunication
• Implementation & demo
• Evaluation
• Related work
• Conclusions35
![Page 36: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/36.jpg)
Implementation
• Use frames as our building blocks, but we apply our access control
36
ScriptEngine
MashupOSScript Engine
Proxy
MashupOSMIMEFilter
Script executionDOM object access
DOM object update
Original HTML
MashupOS transformed HTML
HTML Layout Engine
![Page 37: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/37.jpg)
Evaluation: Showcase Application
• PhotoLoc, a photo location service– Mash up Google’s map service and Flickr’s
geo-tagged photo gallery service– Map out the locations of photographs taken
• PhotoLoc doesn’t trust flickr nor gmap
37
![Page 38: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/38.jpg)
PhotoLoc/index.htm<script>
function setPhotoLoc(request) { var coordinate = request.body; var latitude = getLatitude (coordinate); var longitude = getLongitude (coordinate); G.map.setCenter(new GLatLng(latitude, longitude), 6);}var svr = new CommServer();svr.listenTo(“recvLocationPort”, setPhotoLoc);
</script>
<Sandbox src=”f.uhtml” id=F> </Sandbox>
<Sandbox src=”g.uhtml” id=G> </Sandbox>
38
Direct access
CommRequest
![Page 39: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/39.jpg)
Demo
39
![Page 40: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/40.jpg)
Evaluation:Prototype Performance
• Microbenchmarking for script engine proxy– Negligible overhead for no or moderate DOM
manipulations– 33%--82% overhead with heavy DOM manipulations
• Macrobenchmark measures overall page-loading time using top 500 pages from the top click-through search results of MSN search from 2005– shows no impact
• Anticipate in-browser implementation to have low overhead
40
![Page 41: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/41.jpg)
Outline
The problemThe MashupOS projectProtectionCommunicationImplementation & demoEvaluation
• Related work
• Conclusions41
![Page 42: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/42.jpg)
Related work• Crockford’s <Module>
– Symmetric isolation with socket-like communication with the enclosing page
• Wahbe et al’s Software Fault Isolation– Asymmetric access though never leveraged
– Primary goal was to avoid context switches for untrusted code in a process
• Cox et al’s Tahoma browser operating system uses VM to– Protect the host system from browser and web services
– Protect web applications (a set of web sites) from one another
42
![Page 43: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/43.jpg)
OMash: Object Mashup
• A new browser security model
• Use Object-Oriented model (e.g. Java object model)
• Treat each Web page as an object– Encapsulate all scripts and data– Objects declare public interface– Objects communicate only via public interface
![Page 44: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/44.jpg)
Object Abstractions
• Java (analogy) • Web page object
public class FooObject {
public void publicMethod() { }
private int privateData;}
<html><script>function getPublicInterface() { function Interface() { this.publicMethod = function () {…} } return new Interface();}var privateData;</script></html>
![Page 45: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/45.jpg)
Page Objects
• A page consists of – DOM tree– Scripts– Credentials (HTTP auth, cookies)
• A page object can be contained in a– Window– Tab– Frame– Iframe
![Page 46: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/46.jpg)
Public and Private Members
• Public interface– Each object declares getPublicInterface()– Returns a closure of all public methods and
data
• Private data– DOM– Scripts– Credentials
![Page 47: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/47.jpg)
Usage Example
• map.html • integrator.html<html>function getPublicInterface() { function Interface() { this.setCenter = function (lat,long) { … } } return new Interface();}</html>
<iframe src="map.html">...var map = win.getPublicInterface();...map.setCenter(lat, long);}
map.html
integrator.html
![Page 48: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/48.jpg)
Trust Relationships
• Can model trust relationships needed for mashups (as identified by MashupOS)– Isolated– Open– Access-Controlled– Unauthorized
![Page 49: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/49.jpg)
• No access between provider and integrator
Isolated
function getPublicInterface() { function Interface() { } return new Interface();}
![Page 50: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/50.jpg)
Open
• Full access between provider and integrator
function getPublicInterface() { function Interface() { this.getDocument = function () { return document; } } return new Interface();}
![Page 51: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/51.jpg)
• Limited access depending on caller
Access-controlled
function getPublicInterface() { function Interface() { this.auth = function(user,pass) { return token; }
this.do = function (token,...) { check(token); } } return new Interface();}
var api = win.getPublicInterface();
token =api.auth(user, pass);
api.do (token,...)
Provider Integrator
![Page 52: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/52.jpg)
Preventing CSRF
a.com
a.com b.com
Server
Browser
![Page 53: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/53.jpg)
Preventing CSRF
a.com
a.com b.com
Server
Browser
![Page 54: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/54.jpg)
Preventing CSRF
a.com
a.com b.com
Server
Browser No cookie!
![Page 55: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/55.jpg)
Browser Sessions under OMash
• Each cookie– belongs to a window– is shared by subsequent pages from the
same domain in that window
• Each window has an independent session– Desirable side effect:
Can log in to multiple accounts in different windows in the same browser
![Page 56: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/56.jpg)
Cross-window Sessions
• How to track a session across windows?
• Cookie Inheritance– When page P1 loads P2, P2 inherits P1’s
cookies– P1 and P2 now belong to the same session
![Page 57: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/57.jpg)
Implementation
• Proof of concept as Firefox add-on– Make an exception to SOP in Mozilla’s
Configurable Security Policy– Change Cookie Manager to make each
cookie private to a window
• No changes required on the server
![Page 58: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/58.jpg)
Supporting SOP without DNS
• If application prefers using SOP to allow inter-page communication:
• To implement this under OMash– Server embeds a shared secret in all pages– Pages authenticate each other using this
secret
![Page 59: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/59.jpg)
Supporting SOP without DNS
secret = “1234”;function getPublicInterface() { function Interface() { this.foo=function (secret, … ) { check(secret); … } } return new Interface();}
<script>secret = “1234”api = win.getPublicInterface()api.foo(secret, …)</script>
Provider Integrator
![Page 60: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/60.jpg)
Related Work
• MashupOS (Wang et al, SOSP 07)
• SMash (Keukelaere WWW 07)
• Google’s Caja
![Page 61: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/61.jpg)
Conclusion
• OMash a new browser security model– Allows flexible trust relation– Simple– Familiar, easy to understand
• Don’t rely on Same Origin Policy– Prevent CSRF attacks– Allows programmers to define “Same Origin”
flexibly based on shared secrets
![Page 62: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/62.jpg)
Future Work
• Robust implementation of the protection model
• Tools to detect whether a browser extension violates the browser’s protection model
• Tools for ensuring proper segregation of different content types
• Resource management, OS facilities
62
![Page 63: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/63.jpg)
Conclusions
• Web content involves multiple principals• Browsers remain a single principal platform• The missing protection abstraction: Unauthorized
content and <sandbox>– Enable safe mashups with ease– Combats cross-site scripting in a fundamental way
• CommRequest allows fine-grained access control across isolation boundaries
• Practical for deployment
63
![Page 64: Protection and Communication Abstractions for Web Browsers in MashupOS](https://reader036.vdocument.in/reader036/viewer/2022070415/56814eef550346895dbc7f53/html5/thumbnails/64.jpg)
Thank you!
64