Building Secure Web Mashups - PowerPoint PPT Presentation

Slides: 58
Provided by: AaronBo3
Learn more at: https://ics.uci.edu

Transcript and Presenter's Notes

1
Building Secure Web Mashups
2
Outline
  1. Browser Security Overview
  2. Web Mashups
  3. Browser Security Details
  4. Mashup Frameworks: MashupOS, Subspace, SMash,
    Caja
  5. Framework Evaluation and Comparison
  6. Related Work

3
Browser Security Overview
4
Layers of Browser Code
  • Default browser behavior
  • Binary plug-ins for embedded content
  • Extensions that modify browser behavior
  • Scripts that make web pages active

5
Extensions vs. Scripts
  • Theoretical perspective: the only difference is
    that web page scripts disappear after you leave a
    page and extensions don't
  • Firefox reality:
    • Extensions are completely unrestricted
    • Web page scripts are restricted unless digitally
      signed

6
Security in Web Browsers
  • Browsers simultaneously handle documents and
    scripts from multiple sources
  • Scripts may attempt to interact with:
    • Other web pages
    • The browser
    • Files and processes on the user's computer
    • Remote hosts

7
A Security Failure Example
  • The user is viewing a page with a secret
    confirmation code, which can be traded in person
    for some good or service
  • A web page in another window reads the code and
    sends it to a remote host, where it can be
    accessed by an unscrupulous third party

8
Real-World Defense
  • Same-origin policy: active content from different
    trust domains shouldn't interact
  • SOP mostly succeeds for pages that want complete
    isolation
  • SOP has inconsistencies and gaps that make
    partial isolation difficult or impossible

9
Web Mashups
10
Mashup Examples
  • housingmaps.com
  • Wii Finder
  • Clockr
  • popurls.com
  • Yahoo vs. Google
  • Google Gadgets

11
Web Mashup Definitions
  • Mashup: a web application that performs
    browser-side integration of content or services
    from multiple sources
  • Integrator: the site that hosts the web application
  • Provider: a site that provides content to the mashup
  • Component: a piece of active content from a
    provider

12
Sorts of Mashups
  • Directly interacting with a web service from
    inside a browser script (e.g., reading an RSS
    feed)
  • Display control delegation (Google gadgets;
    Google as integrator)
  • Display control delegation plus two-way browser-side
    communication (Google maps, Google search; Google
    as provider)

13
Mashup Techniques
  • Simulated mashup: server-side data collection
  • Frames plus a proxy server
  • Frames plus fragment-identifier messaging
  • Browser plug-ins for relaying information
  • Dynamically generated script requests

14
Mashup Security Concern
  • If you include a Google Search control on your
    page, you give Google the ability to:
    • read arbitrary information
    • send it to an arbitrary recipient
    • execute arbitrary code

15
Browser Security Details
16
Browser State Documents
  • DOM: mutable tree structure model
  • Metadata:
    • domain property
    • cookie property
    • referrer property
    • etc.

17
Browser State Frames
  • Can be nested with the <iframe> tag
  • Metadata:
    • document property
    • location property
    • history property
    • parent property
    • frames property

18
Scripts in Documents
  • JavaScript: dynamically typed, object-oriented,
    first-class functions, reflection, eval
  • Two primary methods:
    • Inline: <script>var x = 3</script>
    • External: <script src="xyz.com/abc.js"/>
  • Each frame has one global environment

19
Web Scripting
  • Event handling
  • Browser data structure access and DOM
    manipulation
  • Script environment access
  • Opening, closing, and navigating frames
  • HTTP transactions (XMLHttpRequest)
  • Also cookie access, plug-in scripting

20
Dynamic Script Request
  <html>
  <head><title>Script Request</title>
  <script>
  // Create a <script> element at run time; the browser fetches the URL
  // and runs the returned code with this page's origin (the source of
  // the script is irrelevant to the same-origin policy)
  function doIt() {
    var s = document.createElement("script");
    s.setAttribute("src", "http://www.xyz.com/code.js");
    document.body.appendChild(s);
  }
  </script>
  </head>
  <body>
  <p><button onclick="doIt()">Do it!</button></p>
  </body>
  </html>

21
SOP Origins
  • Origin = domain name + port + protocol
  • Assigned to content and scripts according to the
    document URL (source of script irrelevant)
  • Domain promotion:
    • xyz.com < abc.xyz.com
    • Accomplished by setting the domain property

22
SOP Restrictions
  • A script cannot read or write data associated
    with a frame of a different origin; exceptions:
    • Scripts can write the location property
    • Scripts may be able to read the frames property
  • A script cannot access the JavaScript environment
    of a frame of a different origin
  • A script cannot use XMLHttpRequest to interact
    with a site of a different origin
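
The following is an added example, not code from the slides or from any of the frameworks they discuss. It models the two rules on the last two slides in plain Node.js: how an origin is derived from protocol, host and port, and why domain promotion only works when both documents opt in by setting document.domain. The DEFAULT_PORTS table, the "domain-set" marker and the requirement that a promotion target contain a dot are assumptions of the example (real browsers also consult the public-suffix list).

```javascript
// Added example: origin derivation and domain promotion, modelled offline.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = protocol + domain name + port ("SOP Origins" slide), with the
// scheme's default port filled in so http://xyz.com and http://xyz.com:80 agree.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Domain promotion: a document may set document.domain only to a suffix of
// its own hostname at a label boundary (abc.xyz.com -> xyz.com is allowed,
// abcxyz.com -> xyz.com is not). Assumption of this example: the target
// must contain a dot; real browsers additionally refuse public suffixes.
function canPromoteTo(hostname, target) {
  if (hostname === target) return true;
  if (!target.includes(".")) return false;
  return hostname.endsWith("." + target);
}

// Origin used for access checks after an optional document.domain assignment.
// A promoted document is tagged "domain-set", so a promoted and an
// un-promoted document never match: both sides must opt in. The port is
// dropped for promoted documents, as the HTML specification's
// "same origin-domain" comparison does.
function effectiveOrigin(urlString, domainSetting) {
  if (domainSetting === undefined) return originOf(urlString);
  const u = new URL(urlString);
  if (!canPromoteTo(u.hostname, domainSetting)) {
    throw new Error(`${u.hostname} may not set document.domain to ${domainSetting}`);
  }
  return `${u.protocol}//${domainSetting}:domain-set`;
}

// May a script in document A touch the DOM of document B?
function canScriptAccess(urlA, domainA, urlB, domainB) {
  return effectiveOrigin(urlA, domainA) === effectiveOrigin(urlB, domainB);
}

function demo() {
  const rows = [
    ["same host, default port", sameOrigin("http://xyz.com/a", "http://xyz.com:80/b")],
    ["http vs https", sameOrigin("http://xyz.com/", "https://xyz.com/")],
    ["different port", sameOrigin("http://xyz.com/", "http://xyz.com:8080/")],
    ["both promoted to xyz.com",
      canScriptAccess("http://www.xyz.com/", "xyz.com", "http://abc.xyz.com/", "xyz.com")],
    ["only one side promoted",
      canScriptAccess("http://www.xyz.com/", "xyz.com", "http://abc.xyz.com/", undefined)],
  ];
  for (const [label, result] of rows) console.log(label + ": " + result);
  return rows;
}

demo();
```

The last two rows are the point Subspace relies on later in the deck: www.xyz.com and abc.xyz.com are distinct origins until each of them sets document.domain to xyz.com, and a frame that has not done so stays isolated even from a frame that has.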

23
MashupOS
Helen J. Wang, Xiaofeng Fan, Jon Howell, and
Collin Jackson. Protection and communication
abstractions for web browsers in MashupOS.
SIGOPS Oper. Syst. Rev., 41(6):1-16, 2007.
24
MashupOS Concept
  • Keep the same-origin policy around for frames
  • Add new frame-like structures to HTML with
    variations on the same-origin policies

25
Sandboxes
  • <Sandbox> is like a frame
  • References from outside the sandbox can never be
    passed in
  • Scripts can access <OpenSandbox> without SOP
    restrictions
  • Nesting raises some complex issues

26
Service Instances
  • <ServiceInstance> loads code from an external
    site
  • <Friv> sections can be controlled by service
    instances
  • Browser-side messaging using the new JavaScript
    objects CommServer() and CommRequest()

27
Subspace
Collin Jackson and Helen J. Wang. Subspace:
Secure cross-domain communications for web
mashups. In WWW '07.
28
Subspace Concept
  • Use browser's same-origin policy to enforce
    isolation of providers' content
  • Use domain promotion to allow each provider to
    share a single JavaScript object with the
    integrator for communication

29
Subspace
[Diagram; labels: www.mashup.com/index.html,
www.mashup.com/mediate.html ("www."),
p1.mashup.com/index.html ("p1."),
<script src="p1.com/mashup.js" />]
30
Subspace (Multiple Providers)
[Diagram; labels: www.mashup.com/index.html,
www.mashup.com/mediate.html ("www."),
p1.mashup.com/index.html ("p1."),
<script src="p1.com/mashup.js" />,
p1.mashup.com/access.html ("p1.")]
31
SMash
Frederik De Keukelaere, Sumeer Bhola, Michael
Steiner, Suresh Chari, and Sachiko Yoshihama.
SMash: Secure component model for cross-domain
mashups on unmodified browsers. In WWW '08.
32
SMash Concept
  • Use browser's same-origin policy to enforce
    isolation of providers' content
  • Implement a robust message-passing system based
    on setting fragment identifiers

33
SMash
[Diagram; labels: www.mashup.com/index.html,
p1.mashup.com/index.html, "3330walnut",
<script src="p1.com/mashup.js" />,
www.mashup.com/tunnel.html, "scroll-up"]
34
SMash Challenges
  • Fragment-identifier size limit
  • Synchronization
  • Message authenticity
  • Message integrity

35
SMash Direct Style
[Diagram; labels: www.mashup.com/index.html,
p1.com/index.html, www.mashup.com/tunnel.html]
36
Caja
Mark S. Miller, Mike Samuel, Ben Laurie, Ihab
Awad, and Mike Stay. Caja: Safe active content
in sanitized JavaScript. A Google research
project, June 2008.
37
Caja Concept
  • Use a scripting language with stronger guarantees
  • Make it as similar to JavaScript as possible for
    backwards compatibility

38
Object-Capability Languages
  • Objects can only change the world through the
    references they hold
  • Objects can only receive references through
    method calls
  • Objects never start with references
  • Encapsulation is used and enforced

39
Difficulties with JavaScript
  • Object properties can be enumerated, updated,
    added, and removed
  • Code abstractions can be called as functions, as
    methods, as constructors, or via reflection
  • Dynamic evaluation
  • Code in a frame shares an environment

40
Caja Overview
  • Caja is a subset of JavaScript syntax,
    semantics, and libraries
  • Caja code is elaborated into sanitized JavaScript
  • Caja modules have their own global environment
  • Dynamic evaluation is restricted

41
Caja Restrictions
  • Properties ending in underscores are private
  • Use of functions as constructors only allowed in
    a restricted way
  • Objects may be "frozen"
  • Restricted use of functions as objects
  • eval only offered for Cajita (no this)
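
The following is an added illustration, written for this transcript and not Caja's own code or transform, of the object-capability ideas from the last three slides in ordinary JavaScript: state kept in closures instead of enumerable properties, interfaces frozen with Object.freeze, and a provider component that receives an attenuated reference (a yes/no check) rather than the secret itself. The names makeSecretStore, makeAttenuated and providerComponent and the sample code "7F3K-2Q" are invented for the example; Caja itself enforces such restrictions by rewriting the code, which this example does not do.

```javascript
// Added example: object-capability style in plain JavaScript.
"use strict";

// The secret lives in a closure, so there is no property to enumerate,
// update or remove. Only a holder of this object can read or rotate it.
function makeSecretStore(code) {
  let value = code;
  let reads = 0;
  return Object.freeze({
    read() { reads += 1; return value; },
    rotate(next) { value = next; },
    readCount() { return reads; }
  });
}

// Attenuation: wrap the full capability in a revocable facade that can
// only answer "does this guess match?" and never yields the code.
function makeAttenuated(full) {
  let revoked = false;
  const facade = Object.freeze({
    matches(guess) {
      if (revoked) throw new Error("capability revoked");
      return full.read() === guess;
    }
  });
  return { facade, revoke() { revoked = true; } };
}

// A provider component can only act through the references it is given.
// It has no path to the full store, and the frozen facade resists both
// adding a property and overwriting a method (silently in sloppy mode,
// with a TypeError in strict mode; both are tolerated here).
function providerComponent(cap) {
  const originalMatches = cap.matches;
  try { cap.leak = function () { return "leaked"; }; } catch (e) { /* frozen */ }
  try { cap.matches = function () { return true; }; } catch (e) { /* frozen */ }
  return {
    sawCode: typeof cap.read === "function",
    leakAdded: "leak" in cap,
    overwritten: cap.matches !== originalMatches,
    frozen: Object.isFrozen(cap)
  };
}

function demo() {
  const full = makeSecretStore("7F3K-2Q");          // constructed sample code
  const { facade, revoke } = makeAttenuated(full);
  const report = providerComponent(facade);
  const okBefore = facade.matches("7F3K-2Q");
  revoke();
  let okAfter;
  try { facade.matches("7F3K-2Q"); okAfter = true; } catch (e) { okAfter = false; }
  const result = { report, okBefore, okAfter, reads: full.readCount() };
  console.log(JSON.stringify(result, null, 2));
  return result;
}

demo();
```

This is also what "providers can safely exchange closures" on the evaluation slides means in practice: the closure handed to the provider carries exactly the authority its creator chose, and can be withdrawn later.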

42
Framework Evaluation and Comparison
43
Some Key Issues
  • Browser modification?
  • Necessary provider cooperation vs. backwards
    compatibility
  • Flexibility of component interaction
  • Amount of trust providers must have in the
    integrator

44
MashupOS Service Instances
  • Browser modification necessary
  • Providers must conform to specification
  • Authenticity is lightweight and guaranteed by
    browser
  • Flexible message-passing framework but data-only
    messages
  • Flexible display delegation but security behavior
    of <Friv> tags a bit unclear
  • Providers' privacy not fully protected

45
MashupOS Sandboxes
  • Permit backward compatibility with current APIs
  • Seem redundant with service instances
  • Awkward interaction with SOP
  • Terribly complicates browser security, especially
    in combination with service instances

46
Subspace and SMash
  • Both accommodate script-based APIs
  • Both restricted to data-only messages
  • Dynamically loaded components only possible in
    SMash
  • Higher message throughput in Subspace

47
Direct Use of SMash
  • Provider can use XMLHttpRequest
  • Providers can authenticate other parties
  • Providers have full privacy
  • Providers must conform to a standard based on
    fragment-identifier messaging

48
Caja
  • Does not guarantee any particular security
    properties
  • Can be used to program very fine-grained access
    control
  • For direct applicability to mashups, providers
    would have to use Caja
  • Secure messaging easy to implement
  • Providers can safely exchange closures
  • Providers must trust the integrator

49
Conclusions
  • Subspace: a nice short-term solution
  • Browser modification inevitable
  • Message-passing popular for clean access control
  • Information flow analysis more appropriate
  • Language support would be tremendously helpful

50
Related Work
51
Browser-Side Messaging
  • Douglas Crockford. The <module> tag.
    http://www.json.org/module.html, October 2006.
  • Ian Hickson and David Hyatt (editors). HTML 5.
    http://www.w3.org/html/wg/html/, June 2008.

52
Fragment-Identifier Messaging
  • XDDE
  • Google. PubSub: Gadget-to-gadget communication.
    http://code.google.com/apis/gadgets/docs/pubsub.html,
    June 2008.

53
Unexpected Attacks
  • Shou Chen, David Ross, and Yi-Min Wang. An
    analysis of browser domain-isolation bugs and a
    light-weight transparent defense mechanism. In
    CCS '07.
  • Collin Jackson, Andrew Bortz, Dan Boneh, and John
    C. Mitchell. Protecting browser state from web
    privacy attacks. In WWW '06.

54
Safer JavaScript
  • Dachuan Yu, Ajay Chander, Nayeem Islam, and Igor
    Serikov. JavaScript instrumentation for browser
    security. In POPL '07.
  • K. Vikram and Michael Steiner. Mashup component
    isolation via server-side analysis and
    instrumentation. W2SP 2007.
  • Charles Reis, John Dunagan, Helen J. Wang, Opher
    Dubrovsky, and Saher Esmeir. BrowserShield:
    Vulnerability-driven filtering of dynamic HTML.
    ACM TWEB, 1(3):11, 2007.

55
Blocking Scripts
  • Trevor Jim, Nikhil Swamy, and Michael Hicks.
    Defeating script injection attacks with
    browser-enforced embedded policies. In WWW '07.
  • Mozilla. Site security policy.
    http://people.mozilla.org/bsterne/site-security-policy/,
    June 2008.

56
Browser Implementation Design
  • Richard S. Cox, Steven D. Gribble, Henry M. Levy,
    and Jacob Gorm Hansen. A safety-oriented
    platform for web applications. In SP '06.
  • Chris Grier, Shuo Tang, and Samuel T. King.
    Secure web browsing with the OP web browser. In
    SP '08.
  • Sotiris Ioannidis and Steven M. Bellovin.
    Building a secure web browser. In FREENIX '01.

57
Thank You