DMActiveXSecurity


Transcript of DMActiveXSecurity

Page 1: DMActiveXSecurity

Download Manager Architecture

Components shown in the diagram:

– Internet Explorer, hosting the web pages below.
– DMServer.exe (COM exe singleton): exposes IFileTransferEx and IFileTransferAdmin. These interfaces are derived from IUnknown; not callable from script. Reads DMUser.xml (user settings, auth domains). Upon download activity, DMServer ensures that the tray app is running, starting it if necessary.
– DMTrayApp.exe: tray app starts when user logs on; holds a reference to DMServer.exe. Menu: Open Monitor… / About… / Exit.
– DLStart Web Page (served from client-specific URL; pushes install if needed): embeds DMControl.dll (ActiveX) through an <object> </object> tag, exposing IFileTransfer.
– DLMonitorPage (HTML/JavaScript): embeds a second DMControl.dll (ActiveX) instance through an <object> </object> tag, exposing IFileTransfer.
– SelfCare Web Page.

Edge labels in the diagram: instantiates; kicks off file transfer; monitors and controls transfer; allows browsing of library and playing from library; monitors and controls transfer / instantiates. Three _IFileTransferEvents connections are drawn, one of which is surfaced to the page as JavaScript events.

Last Saved: 8/8/2005

Page 2: DMActiveXSecurity

(Repeats the Download Manager Architecture diagram from page 1.)

Page 3: DMActiveXSecurity

The Goal of Our Security Measures

Prevent an unauthorized script running in a web browser from using the DMControl ActiveX control.

We assume that security is compromised if…
– unauthorized (possibly malicious) code can be run on the user’s machine outside of the browser sandbox
– Windows user security is compromised
– Physical security is compromised

Page 4: DMActiveXSecurity

The Security Threat

DMControl could be used by malicious scripts running in a web browser to:

– Download and write unauthorized files to the user’s system (but not to any arbitrary location; writes are allowed only under a specific configured folder per customer; sensitive folders, i.e. Windows, are blacklisted)
– Have a downloaded file automatically deleted at a specified future time
– Delete files on demand that have been previously downloaded

Page 5: DMActiveXSecurity

Our Solution

Prevent unauthorized scripts from using DMControl

– DMControl instantiation must be accompanied by a CustId:

    <object classid="clsid:80BE7A2F-3C63-4136-A488-F2FF10DAB3CA" id="oDMControl">
      <param name="CustId" value="Entriq"></param>
    </object>

– CustId is validated against DMServer configuration and the host web page’s URL
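Added example, not the DM project's code: the CustId/host-URL check described above, written as portable C++ so the matching logic can be exercised outside COM. It assumes the host URL string has already been obtained through the IObjectWithSite/IMoniker sequence on page 7, and the CustId-to-domain map is a constructed stand-in for the auth domains that DMUser.xml holds.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Constructed sample of the per-CustId authorised domains (the "auth domains" that
// the diagram places in DMUser.xml); the real configuration format is not shown.
static const std::map<std::string, std::vector<std::string>> kAuthDomains = {
    {"Entriq", {"entriq.com", "cdn.entriq.net"}},
};

// Lower-cased host of an http(s) URL, or "" if the scheme is not http(s) or no host
// is present. Userinfo ("user@") and the port are stripped so they cannot disguise
// the real host; non-http schemes (file:, res:, about:) never qualify.
std::string HostFromUrl(const std::string& url) {
    std::string lower = url;
    std::transform(lower.begin(), lower.end(), lower.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    std::string rest;
    if (lower.rfind("https://", 0) == 0)      rest = lower.substr(8);
    else if (lower.rfind("http://", 0) == 0)  rest = lower.substr(7);
    else                                      return "";
    std::string authority = rest.substr(0, rest.find_first_of("/?#"));
    size_t at = authority.rfind('@');
    if (at != std::string::npos) authority = authority.substr(at + 1);
    return authority.substr(0, authority.find(':'));
}

// Exact match or a subdomain on a label boundary: "www.entriq.com" matches
// "entriq.com", but "notentriq.com" does not.
bool HostMatchesDomain(const std::string& host, const std::string& domain) {
    if (host == domain) return true;
    if (host.size() <= domain.size()) return false;
    size_t off = host.size() - domain.size();
    return host[off - 1] == '.' && host.compare(off, domain.size(), domain) == 0;
}

// The check the control would run once SetSite has yielded the host URL: an unknown
// CustId or an unlisted host fails closed.
bool IsCustIdAuthorised(const std::string& custId, const std::string& hostUrl) {
    auto it = kAuthDomains.find(custId);
    if (it == kAuthDomains.end()) return false;
    std::string host = HostFromUrl(hostUrl);
    if (host.empty()) return false;
    for (const auto& domain : it->second)
        if (HostMatchesDomain(host, domain)) return true;
    return false;
}
```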

Page 6: DMActiveXSecurity

IE/ActiveX Instantiation Communication

Order in which IE queries the control (oDMControl) for interfaces during instantiation:

– oDMControl - IUnknown
– oDMControl - _IFileTransferEvents
– oDMControl - IUnknown
– oDMControl - IOleControl
– oDMControl - IPersistStreamInit
– oDMControl - IViewObjectEx
– oDMControl - IObjectWithSite (here we determine the host’s URL)
– oDMControl - IConnectionPointContainer
– oDMControl - IOleControl
– oDMControl - IDispatch
– oDMControl - IOleControl
– oDMControl - IObjectSafety (here we tell the browser whether we’re safe for scripting and init)
– oDMControl - IDispatch

Page 7: DMActiveXSecurity

IObjectWithSite Interaction

Call sequence between the IE Browser and DMControl:

– IObjectWithSite::SetSite(IUnknown*): IE calls the component during component instantiation
– IUnknown::QueryInterface(IOleClientSite): we get the browser’s IOleClientSite interface
– IOleClientSite::GetMoniker(): we get the IOleClientSite’s IMoniker interface
– IMoniker::GetDisplayName(): we get the moniker’s display name, which is the host’s URL
– We return from the original SetSite call