Presentation is loading. Please wait.

Presentation is loading. Please wait.

OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen (UC Davis) ACM Conference on Computer and Communications.

Published byMarlene Little Modified over 9 years ago

Similar presentations

Presentation on theme: "OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen (UC Davis) ACM Conference on Computer and Communications."— Presentation transcript:

1 OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen (UC Davis) ACM Conference on Computer and Communications Security (CCS), 2008 Presenter: Fu-Chi Ao

2 Outline Introduction The Same Origin Policy Design Usage Examples Implementation Related Work Conclusion and Comments 2009/7/172

3 Introduction (1/2) Even before the rise of AJAX and mashups, at any given time a web browser likely contained pages from different domains Same Origin Policy (SOP) – Used by web browsers – Not support secure cross-domain communication desired by web mashup developer – Supports only 2 states Full trust: third-party content runs with full privilege No trust: no communication is allowed 2009/7/173

4 Introduction (2/2) OMash – New abstraction and access control model for writing secure yet flexible mashup applications Provide mashup developers with the ability to allow safe, controlled communication and interaction between web sites, and allow for the various trust models they desire – Does not rely on the SOP – Supports backwards compatibility – Tested on Mozilla Firefox 2.0 2009/7/174

5 The Same Origin Policy (1/2) a.com b.com Server Browser   2009/7/175

6 The Same Origin Policy (2/2) Applied to protect three browser resources: – Documents: Sites from one origin cannot access documents from another origin via the Document Object Model – Cookies: Sites can only set their own cookies and cookies are only sent to their originating site in HTTP requests. – Access to remote services: Only permits XMLHttpRequest to issue requests to the origin of the containing document. allows a script to issue an asynchronous HTTP request to a remote server. 2009/7/176

7 Problems of SOP: DOM Access Extended to Domain Name System (DNS) domains and relies on it DNS Insecurity – Client vulnerabilities DNS rebinding (Jackson et al, CCS 07) Dynamic Pharming (Karlof et al, CCS 07) – Server vulnerabilities DNS cache poisoning (Kaminsky, BlackHat 08) 2009/7/177

8 Problems of SOP: Authentication Credentials Confused Deputy – When a request is made, cookies matching the destination domain are added to the request as well as any other form of HTTP Authentication (e.g. Basic, Digest, NTLM) information for the domain – Regardless of what page caused the browser to initiate this request – Causes Cross-Site Request Forgery (CSRF) attacks 2009/7/178

9 Cross-Site Request Forgery a.com b.com Server Browser 2009/7/179

10 Trust Levels Wang et al. in MashupOS enumerate all the possible trust levels available between integrators and providers – (1) isolated content that should be isolated from other domains – (2) access-controlled content that should be isolated but allows for mediated access via, e.g. message passing – (3) (and (5)) open content that any domain can access and integrate into itself 1 – (4) unauthorized content that has no privileges of any domain. Table 1: The Trust Model on the Web for a provider P and an integrator I as defined in MashupOS 2009/7/1710

11 OMash Design Analog to OOP languages Treat each web page as an object that declares public and private data and methods – A web page can only access its own content and the public content of another page – All data in the page are considered private by default To enable inter-page communication, a page may declare a public interface, getPublicInterface, which all pages can access 2009/7/1711

12 Object Abstractions Java (analogy) Web page object public class FooObject { public void publicMethod() { } private int privateData; } function getPublicInterface() { function Interface() { this.publicMethod = function () {…} } return new Interface(); } var privateData; 2009/7/1712

13 Page Objects A web page consists of – DOM tree – Scripts – Credentials (HTTP authentication token, e.g. cookies) A page object can be contained in a – Window – Frame – Iframe 2009/7/1713

14 Public and Private Members Public interface – Each object declares getPublicInterface() – Returns a closure of all public methods and data An expression (typically a function) that can have free variables together with an environment that binds those variables Using closures, pages can safely get and set information on other pages in a controlled manner Private data – DOM objects (document, etc.) – JavaScript objects and functions – Credentials (HTTP authentication token, e.g. cookies) 2009/7/1714

15 Provider and Integrator Communicate via the Public Interface map.html integrator.html function getPublicInterface() { function Interface() { this.setCenter = function (lat,long){ … } return new Interface(); }... var win = getElementByID(“inner”).conte ntWindow; var map = win.getPublicInterface();... map.setCenter(lat, long); } map.html integrator.html 2009/7/1715

16 Mediate DOM Access By using the getPublicInterface function, a page’s creator can specify what they want other pages to be able to access Using this approach, the mashup developer can model a variety of trust relationships – Isolated content – Access-controlled content – Open content – Unauthorized content 2009/7/1716

17 No access between provider and integrator Isolated function getPublicInterface() { function Interface() { } return new Interface(); } 2009/7/1717

18 Limited access depending on caller Provide methods for the returned interface that only allow access to a site’s content based on the caller’s credentials Access-controlled function getPublicInterface() { function Interface() { this.auth = function(user,pass) { return token; } this.do = function (token,...) { check(token); } } return new Interface(); } var api = win.getPublicInterface(); token = api.auth(user, pass); api.do (token,...) Provider Integrator 2009/7/1718

19 Open Full access between provider and integrator function getPublicInterface() { function Interface() { this.getDocument = function () { return document; } return new Interface(); } 2009/7/1719

20 Unauthorized map.html, which provides a map service outer.html, which uses the service provided by the code in map.html map.html outer.html  isolate the untrusted script library (provided content) within another page 2009/7/1720

21 Mediate Authentication Credentials HTTP authentication (e.g. Basic, Digest, NTLM) – When authentication information (HTTP or a cookie) comes in, the browser associates this information with the page that receives it, page P Cookies – The only cookies we want to treat this way are those that are used for authentication. – Modification : Add extra attribute Authentication Session cookies are associated with a page when they are set Persistent cookies are associated with the first user-opened page XMLHttpRequest – Malicious sites can no longer leverage CSRF – Can logg in with 2 different accounts at the same time – Can accomplish safe cross-domain data exchange by lifting the restriction of XHR 2009/7/1721

22 Browser Sessions under OMash Each cookie – Belongs to a window – Is shared by subsequent pages from the same domain in that window Each window has an independent session – Desirable side effect: Can log in to multiple accounts in different windows in the same browser 2009/7/1722

23 Cross-window Sessions How to track a session across windows? Cookie Inheritance – When page P1 loads P2, P2 inherits P1’s cookies – P1 and P2 now belong to the same session 2009/7/1723

24 Preventing CSRF a.com b.com Server Browser 2009/7/1724

25 Preventing CSRF a.com b.com Server Browser 2009/7/1725

26 Preventing CSRF a.com b.com Server Browser No cookie! 2009/7/1726

27 Backward Compatibility with the Same Origin Policy If application prefers using SOP to allow inter- page communication: To implement this under OMash – Server embeds a shared secret in all pages – Pages authenticate each other using this secret 2009/7/1727

28 Supporting SOP without DNS secret = “1234”; function getPublicInterface() { function Interface() { this.foo=function (secret, … ) { check(secret); … } } return new Interface(); } secret = “1234” api = win.getPublicInterface() api.foo(secret, …) ProviderIntegrator 2009/7/1728

29 (b) outer.html. It authenticates by providing the argument secret in the call to the provider. (a) inner.html. The function foo authenticates the caller by checking the parameter provided Secret against the embedded global variable secret. 2009/7/1729

30 Implementation Implemented and tested on Firefox 2 Proof of concept as Firefox add-on – Use Mozilla’s Configurable Security Policies(CAPS) system to allow the cross-domain access to the getPublicInterface allow users to set up security policies for the browser, and also have different security policies for different Internet sites – Use Firefox 2’s Session store API to make each cookie private to a window No changes required on the server 2009/7/1730

31 Related Work MashupOS (Wang et al, SOSP 07) – Rely on the Same Origin Policy for controlling DOM accesses or cross-domain data exchange – Requires browser writers and application developers to support and use several different abstractions SMash (Keukelaere WWW 07) – Isolates components using the iframe tag, and URL fragment identifiers allow the frames to establish communication links. Google’s Caja – Also allows web applications of different trust domains to directly communicate with JavaScript function calls and reference passing 2009/7/1731

32 Conclusion and Comments OMash is a new browser security model – Allows flexible trust relation – Simple – Familiar, easy to understand – Backward compatible Don’t rely on Same Origin Policy – Prevent CSRF attacks – Allows programmers to define “Same Origin” flexibly based on shared secrets 2009/7/1732

Download ppt "OMash: Enabling Secure Web Mashups via Object Abstractions Steven Crites, Francis Hsu, Hao Chen (UC Davis) ACM Conference on Computer and Communications."

Similar presentations

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.

Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.

1 A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks Ben S. Y. Fung and Patrick P. C. Lee The Chinese University of Hong Kong TrustCom’11.
Fast Track to ColdFusion 9. Getting Started with ColdFusion Understanding Dynamic Web Pages ColdFusion Benchmark Introducing the ColdFusion Language Introducing.

Fast Track to ColdFusion 9. Getting Started with ColdFusion Understanding Dynamic Web Pages ColdFusion Benchmark Introducing the ColdFusion Language Introducing.
OCT1 Principles From Chapter One of “Distributed Systems Concepts and Design”

OCT1 Principles From Chapter One of “Distributed Systems Concepts and Design”
Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP.

Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,

Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
4.1 JavaScript Introduction

4.1 JavaScript Introduction

Similar presentations

Ads by Google