1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.

Presentation transcript:

1 Subspace: Secure Cross Domain Communication for Web Mashups
Collin Jackson and Helen J. Wang
Mamadou H. Diallo

2 Overview
Motivation
 Mashups: websites or web applications that combine content from multiple sources
 Example: Google Personalized Homepage, Windows Live
 Issues: current web mashups don't address security issues
 Same-origin security model
Existing approaches
 <script> tags: uncontrolled cross-domain execution, high security risk
 Browser plugins: cross-domain interaction, inconvenient for users
 Gadget aggregators: inline or sandbox
 Proposals for cross-domain communication mechanisms
Approach: Subspace
 A cross-domain communication mechanism
 Allows efficient and secure communication across domains
 Provides a communication channel between the aggregator and each gadget
 Channel: JavaScript objects passed across the frames
 Protects aggregators against malicious web services and gadgets
Implementation
 Subspace implemented using JavaScript

3 Mashups: Communication across domains
Current practice
Same-origin policies
 Sandbox model
 Same-origin principle: only the site that stores some information in the browser may read or modify that information
 Applied loosely: same-origin policies
 JavaScript restrictions (policies): regulate access to inline frames (IFRAMEs) and XMLHttpRequest
 Protect the secrecy of HTML documents and the integrity of a page
Proxies
Cross-domain <script> tags
Browser plugins
Fragment identifier messaging

4 Subspace
Cross-subdomain communication
 Site:
 Example:
Cross-domain code authorization
 Dynamic authorization
 Static authorization
Cross-domain frame access
 Permissive
 Restrictive
 Configurable
 Permissive, but restrict location

5 Single Web Service
Technique
 Add a throwaway subdomain
 Example:
Set-up phase
 1. Create a mediator frame (hidden frame)
 2. Create an untrusted frame
 3. Pass the JavaScript communication object

6 Single Web Service
Data exchange
 Static authorization model for closures
  Provides an easy communication mechanism between the top frame and the untrusted frame
  Untrusted frame: adds a data request closure to the JavaScript object
  Argument: data response callback
  <script> tag: inserted dynamically into the untrusted frame
  The tag points to some JavaScript format hosted by the web service
  After loading data from the remote web service, the tag invokes the data response callback
 Dynamic authorization model for closures
  Does not support the callback system
  Workaround: catch the security exception that is thrown when an unauthorized access occurs
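The set-up phase of slide 5 and the data exchange of slide 6, as an added example that is not the paper's or the presenter's code: a stand-alone JavaScript model in which Frame objects stand in for browser frames, the host names are hypothetical, the web service reply is constructed, and canAccess() encodes the document.domain rule the technique relies on (effective domains must match, and both frames or neither must have assigned document.domain).

```javascript
// Added example (not from the paper or slides): model of the Subspace set-up
// (slide 5) and data exchange (slide 6); hosts and the service reply are constructed.
const MASHUP_HOST = "www.example.com";           // hypothetical mashup host
const THROWAWAY_HOST = "webservice.example.com"; // hypothetical throwaway subdomain
class Frame {
  constructor(name, host) {
    this.name = name; this.host = host;
    this.domain = host;     // effective document.domain
    this.domainSet = false; // true once document.domain has been assigned
    this.channel = null;    // shared JavaScript communication object
  }
  // document.domain may only be relaxed to a suffix of the frame's own host.
  setDomain(d) {
    if (this.host !== d && !this.host.endsWith("." + d)) {
      throw new Error(`${this.name}: ${d} is not a suffix of ${this.host}`);
    }
    this.domain = d; this.domainSet = true;
  }
}
// Browser rule: a may script b only if effective domains match and both,
// or neither, have assigned document.domain.
function canAccess(a, b) {
  return a.domain === b.domain && a.domainSet === b.domainSet;
}
// Constructed stand-in for the web service's script: the dynamically inserted
// <script> tag evaluates to a call of the named data-response callback.
function serviceScript(callbackName) {
  return `${callbackName}(${JSON.stringify({ kittens: ["k1", "k2", "k3"] })});`;
}
function subspaceSetup() {
  const top = new Frame("top", MASHUP_HOST);
  const mediator = new Frame("mediator", THROWAWAY_HOST);   // step 1: hidden frame
  const untrusted = new Frame("untrusted", THROWAWAY_HOST); // step 2: same origin as mediator
  mediator.channel = {};                                    // step 3: object to hand over
  if (!canAccess(mediator, untrusted)) throw new Error("set-up broken: mediator cannot reach untrusted");
  untrusted.channel = mediator.channel;
  // Untrusted frame adds the data-request closure. Under static authorization
  // it keeps the untrusted frame's authority, so the <script> tag it inserts
  // executes there; only the callback argument crosses the boundary.
  untrusted.channel.requestData = (onResponse) =>
    new Function("cb", serviceScript("cb"))(onResponse);
  // Top and mediator relax document.domain; the untrusted frame keeps its
  // full host, so canAccess() denies it both trusted frames; the shared object remains.
  mediator.setDomain("example.com");
  top.setDomain("example.com");
  if (!canAccess(top, mediator)) throw new Error("set-up broken: top cannot reach mediator");
  top.channel = mediator.channel;
  return { top, mediator, untrusted };
}
```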

7 Multiple Web Service
Challenges
 Protecting the mashup domain
 Protecting web services from each other
Restrictive frame access
 The scheme for a single web service can be directly adopted
 Use a nested frame structure
Permissive frame access
 Examples: Firefox, Safari, IE7
 Separating is much more difficult
 Configuration: any frame anywhere on the page can be reached by any other frame
 Solution: use a new throwaway domain for each web service

8 Multiple Web Service
Procedure
 1. Create mediator frame
 2. Create untrusted frame
 3. Create access frame
 4. Pass JavaScript communication object
 5. Cleanup
 6. Repeat for every gadget
 7. Load untrusted content

9 Evaluation: Mashup Measurements
Performance
Example mashup
 Web service 1: Flickr
 Web service 2: del.icio.us
 Mashup: KittenMark, which allows posting the 20 most recent kitten photos from Flickr to del.icio.us
Three architectures
 Proxy
 Unsafe
 Subspace
Measurements
 Built an automated timing framework
 Measured the time to load the initial page
 Measured the time to download the latest list of kittens from Flickr

10 Evaluation: Gadget Aggregator Measurements
Application
 Simple gadget aggregator
 Allows the user to customize the font color of all his or her gadgets
Three gadget aggregator architectures
 Sandboxed
 Unsafe
 Subspace
Time measurement
 Used the automated timing framework
 Measured the setup time
 Measured the time it took to change the font color

11 Related Work
XML access-control instruction
 W3C working draft: authorization of read access to XML content
JSONRequest (JavaScript Object Notation Request)
 Can perform cross-domain data requests
 Accepts only data with MIME type application/json
BrowserShield
 Preprocesses the gadget's JavaScript code to ensure that it can only perform actions within a set of acceptable guidelines
 Developing these policies is a challenging problem
 Could prevent some denial-of-service
Cross-document messages
 Proposal for a browser standard
 Allows frames to send string messages to each other regardless of their source domain

12 Comments
Motivation
Spatio-Temporal Predicates

13 Questions?