OMash: Enabling Secure Web Mashups via Object Abstractions
Steven Crites, Francis Hsu, Hao Chen (UC Davis)
Mashups and the Same Origin Policy
• Mashups integrate content from multiple websites
• Content protection relies on the Same Origin Policy (SOP)
  – Currently, contents get either complete isolation or none
  – MashupOS [SOSP 07] proposes more flexible trust relationships:
    • Isolated
    • Open
    • Access-Controlled
    • Unauthorized
Same Origin Policy
(Diagram: a Browser holding pages from a.com, a.com and b.com, talking to the a.com Server. Under SOP the two a.com pages may access each other; the b.com page may not.)
Problems with SOP: What Domains are of the Same Origin?

| Domain pair | Same origin? |
|---|---|
| web1.acm.org / web2.acm.org | yes |
| cs.ucdavis.edu / ece.ucdavis.edu | maybe |
| amazon.co.uk / bbc.co.uk | no |
DNS Insecurity
• Client vulnerabilities
  – DNS rebinding (Jackson et al., CCS 07)
  – Dynamic pharming (Karlof et al., CCS 07)
• Server vulnerabilities
  – DNS cache poisoning (Kaminsky, Black Hat 08)
Cross-Site Request Forgery
(Diagram: a Browser holding a page from a.com and a page from b.com, and the a.com Server. The b.com page triggers a request to a.com, and the browser attaches the a.com cookie to it.)
OMash: Object Mashup
• A new browser security model
• Uses an object-oriented model (e.g. the Java object model)
• Treats each Web page as an object
  – Encapsulates all scripts and data
  – Objects declare a public interface
  – Objects communicate only via the public interface
Object Abstractions
• Java (analogy)

```java
public class FooObject {
    public void publicMethod() { }
    private int privateData;
}
```

• Web page object

```html
<html>
<script>
function getPublicInterface() {
  function Interface() {
    this.publicMethod = function () { … };
  }
  return new Interface();
}
var privateData;
</script>
</html>
```
Page Objects
• A page consists of
  – DOM tree
  – Scripts
  – Credentials (HTTP auth, cookies)
• A page object can be contained in a
  – Window
  – Tab
  – Frame
  – Iframe
Public and Private Members
• Public interface
  – Each object declares getPublicInterface()
  – Returns a closure over all public methods and data
• Private data
  – DOM
  – Scripts
  – Credentials
Usage Example
• map.html (provider)

```html
<html>
<script>
function getPublicInterface() {
  function Interface() {
    this.setCenter = function (lat, long) { … };
  }
  return new Interface();
}
</script>
</html>
```

• integrator.html (integrator)

```html
<iframe src="map.html"></iframe>
<script>
...
// win: the window object of the map.html iframe (how the integrator
// obtains it is not shown on the slide)
var map = win.getPublicInterface();
...
map.setCenter(lat, long);
</script>
```
Trust Relationships
• Can model the trust relationships needed for mashups (as identified by MashupOS)
  – Isolated
  – Open
  – Access-Controlled
  – Unauthorized
Isolated
• No access between provider and integrator

```javascript
function getPublicInterface() {
  function Interface() { }
  return new Interface();
}
```
Open
• Full access between provider and integrator

```javascript
function getPublicInterface() {
  function Interface() {
    this.getDocument = function () { return document; };
  }
  return new Interface();
}
```
Access-controlled
• Limited access depending on the caller

Provider:

```javascript
function getPublicInterface() {
  function Interface() {
    this.auth = function (user, pass) { return token; };  // issue a token to an authenticated caller
    this.do = function (token, ...) { check(token); };     // verify the token before acting
  }
  return new Interface();
}
```

Integrator:

```javascript
var api = win.getPublicInterface();
token = api.auth(user, pass);
api.do(token, ...);
```
Preventing CSRF
(Diagram in three steps: a Browser holding a page from a.com and a page from b.com, and the a.com Server. The b.com page triggers a request to a.com; under OMash the request reaches the a.com server with no cookie attached: "No cookie!")
Browser Sessions under OMash
• Each cookie
  – belongs to a window
  – is shared by subsequent pages from the same domain in that window
• Each window has an independent session
  – Desirable side effect: can log in to multiple accounts in different windows of the same browser
Cross-window Sessions
• How to track a session across windows?
• Cookie inheritance
  – When page P1 loads P2, P2 inherits P1's cookies
  – P1 and P2 now belong to the same session
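The window-scoped cookie model of the last two slides, simulated as an added example (not code from the slides or from the Firefox add-on) so the CSRF claim can be checked: cookies are kept per window and per domain, a window opened by a page shares that page's jar, and a request from a page in another window carries nothing. Browser, openWindow, openFromPage, request and csrfScenario are this example's names and the cookie values are constructed; `perWindowCookies = false` is a conventional single global jar, added for comparison. Sharing the jar by reference on inheritance is a modelling assumption. The slides do not say what happens when the attacker page is loaded into the same window the user logged in from; the model follows their wording literally and only exercises the cross-window case.

```javascript
// Added example, not from the OMash slides: a simulation of the window-scoped
// cookie jar. All names and cookie values here are this example's own.

class Browser {
  // perWindowCookies = true models OMash; false models a conventional
  // browser with one global jar, for comparison.
  constructor({ perWindowCookies = true } = {}) {
    this.perWindowCookies = perWindowCookies;
    this.globalJar = new Map();       // domain -> cookie (conventional model)
    this.windows = new Map();         // window id -> { jar }
    this.nextId = 1;
  }

  jarFor(win) {
    return this.perWindowCookies ? this.windows.get(win).jar : this.globalJar;
  }

  // A fresh top-level window starts with an empty jar: no session yet.
  openWindow() {
    const id = this.nextId++;
    this.windows.set(id, { jar: new Map() });
    return id;
  }

  // Cookie inheritance: when a page in `fromWin` loads a page in a new
  // window, the new window shares the opener's jar, so both belong to the
  // same session (assumption: shared by reference rather than copied).
  openFromPage(fromWin) {
    const id = this.nextId++;
    this.windows.set(id, { jar: this.windows.get(fromWin).jar });
    return id;
  }

  // A page in window `win` sends a request to `domain`. Returns the cookie
  // the request carries (null if none); `setCookie` models the response's
  // Set-Cookie header.
  request(win, domain, setCookie) {
    const jar = this.jarFor(win);
    const sent = jar.has(domain) ? jar.get(domain) : null;
    if (setCookie !== undefined) jar.set(domain, setCookie);
    return sent;
  }
}

// Scenario: the user logs in to a.com in window 1, then visits an attacker
// page from b.com in window 2, which triggers a request to a.com.
function csrfScenario(perWindowCookies) {
  const browser = new Browser({ perWindowCookies });

  const w1 = browser.openWindow();
  browser.request(w1, 'a.com', 'sid=alice-session');   // login response sets the cookie
  const sameWindow = browser.request(w1, 'a.com');     // later a.com request in window 1

  const w2 = browser.openWindow();
  browser.request(w2, 'b.com', 'tracker=1');
  const forged = browser.request(w2, 'a.com');         // CSRF attempt from the b.com page

  const w3 = browser.openFromPage(w1);                 // the a.com page opens a popup
  const inherited = browser.request(w3, 'a.com');      // popup is in the same session

  return { sameWindow, forged, inherited };
}

console.log('OMash:       ', csrfScenario(true));
console.log('conventional:', csrfScenario(false));
```

With per-window cookies the forged request carries `null`; with the global jar it carries the a.com session cookie, which is exactly the CSRF the diagram slides show.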
Implementation
• Proof of concept as a Firefox add-on
  – Make an exception to SOP in Mozilla's Configurable Security Policy
  – Change the Cookie Manager to make each cookie private to a window
• No changes required on the server
Supporting SOP without DNS
• If an application prefers SOP-style trust for inter-page communication (any page served by the same site may talk to any other), it can be implemented under OMash without depending on DNS:
  – The server embeds a shared secret in all of its pages
  – Pages authenticate each other using this secret
Supporting SOP without DNS
Provider:

```javascript
secret = "1234";
function getPublicInterface() {
  function Interface() {
    this.foo = function (secret, …) { check(secret); … };
  }
  return new Interface();
}
```

Integrator:

```html
<script>
secret = "1234";
api = win.getPublicInterface();
api.foo(secret, …);
</script>
```
Related Work
• MashupOS (Wang et al, SOSP 07)
• SMash (Keukelaere WWW 07)
• Google’s Caja
Conclusion
• OMash is a new browser security model
  – Allows flexible trust relationships
  – Simple
  – Familiar, easy to understand
• Does not rely on the Same Origin Policy
  – Prevents CSRF attacks
  – Allows programmers to define "same origin" flexibly, based on shared secrets