Sanzaru Capability-Based Interactions for Web Applications Raluca Sauciuc Shaunak Chatterjee University of California, Berkeley Motivation Limitations of Single-Origin Policy - Better suited for early client-server web architecture, mostly static web content - Current shift towards more distributed architectures (e.g. P2P systems), RIAs No fine-grained access control - All or nothing! Capabilities are an old and elegant concept but rarely used in real-world applications - Combine designation with authorization More on Capabilities A capability is a communicable, unforgeable token of authority It represents a reference to an object along with an associated set of access rights Example: int fd = open("/etc/passwd", O_RDWR); - File descriptor, fd, is a capability since its presence in the process’s file descriptor table legitimizes access Capabilities can be shared or passed around CS 261: Computer Security, Fall 2008 CS 262A: Advanced Topics in Computer Systems, Fall 2008 CS 261: Computer Security, Fall 2008 CS 262A: Advanced Topics in Computer Systems, Fall Applet Extension White-list Capabilities Identity + op Applet Extension White-list Capabilities Granted Denied Capability Applet Extension White-list Capabilities Granted Denied Capability-2 + Data Capability-1 + Data Match found No match found File-1File-2 Match found Step 1: Transaction Initiation Initiation Request sent - Identity of applet - Intended operation (e.g. read/write) Identity of applet source checked with list of friendly sites (White-list DB table) Step 2: Capability granted Request denied if identity not found Otherwise, request granted - A new capability created from hashing a random number (hence unforgeable) - Also, a read/write stream is opened with the particular file This capability is sent back to the requesting applet as a token of authorization and designation Step 3: Capability-enabled Transaction Transaction is allowed only if accompanied by valid capability Valid transaction can read or write to the file initially requested for Extension acts as File Access Control Manager File-1File-2 File-1File-2 Related Work Protection in Programming Languages - Information hiding based on Abstract Data Types - Modular composition to enable local reasoning - Joe-E: capability-secure subset of Java - CaJa: capability-secure subset of JavaScript Arrows or monads for secure information flow - Abstraction of control flow statically verifiable Conclusion and Future Work: Promising first prototype – A step towards the evolution of the browser as the OS for web apps Asynchronous I/O and a thread-pool in the extension (will result in performance benefits when web apps become I/O bound) Handle more usability issues – GUI improvement for policy management, machine learning for white-list maintenance Limitations Firefox extension APIs impose serialization restrictions on DB access - Effectively single-threaded access because of SQLite caching JavaScript is single-threaded - Synchronous I/O may become a bottleneck - Solution is to have a thread pool for I/O in the extension and use an asynchronous style (“applet waits for completion event”) Project Objectives Overcome the limitations currently imposed on web applications - Single origin policy, local device access, etc. - Accomplish this in a secure manner Use capabilities to implement fine-grained access control Overall design should be able to accommodate various policies for Access Control List (ACL) management Performance optimizations and fault tolerance Schematic for Applet File I/O on Client Machine Implementation A Firefox extension (Sanzaru) was implemented to act as the interface between web apps and native devices - Handles JS library requests (file I/O, network I/O) - Expresses policies with access control lists - Generates capabilities based on ACLs Java Applets were chosen as web applications Alternately, a proxy could have been used instead of the browser extension – but this would have performance limitations Architecture Overview Firefox Extension + Thin JS library Web Apps Java, JS, Flash etc Trusted Browser Components