Content-based isolation: rethinking isolation policy design on client systems

Modern client platforms, such as iOS, Android, Windows Phone, and Windows 8, have progressed from a per-user isolation policy, where users are isolated but a user's applications run in the same isolation container, to an application isolation policy, where different applications are isolated from one another. However, this is not enough because mutually distrusting content can interfere with one another inside a single application. For example, an attacker-crafted image may compromise a photo editor application and steal other images processed by the editor. In this paper, we advocate a content-based principal model in which the OS treats content owners as its principals and isolates content of different owners from one another. Our key contribution is to generalize the content-based principal model from web browsers, namely, the same-origin policy, into an isolation policy that is suitable for all applications. The key challenge we faced is to support flexible isolation granularities while remaining compatible with the web. In this paper, we present the design, implementation, and evaluation of our prototype system that tackles this challenge.
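The content-based principal model described above, as an added toy example that is not the paper's code: each content item is labelled with its owner's web origin (the same-origin policy generalized to OS content), the application instance processing it may only read same-principal content, and an owner may widen its label to a parent domain for a coarser isolation granularity. The widening rule (host must be that domain or a sub-domain of it) is an assumption for illustration, not something the abstract specifies.

```python
# Added example, not the paper's code: a toy content-based principal model in
# which the OS labels each content item with its owner's principal.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Web origin (scheme, host, port) of a content URL, default port filled in."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def principal_of(url, label=None):
    """Principal of a content item: its web origin, unless the owner widens it to
    a parent domain. Assumed rule (like document.domain): the label is accepted
    only if the host is that domain or a sub-domain of it."""
    scheme, host, port = origin_of(url)
    if label is None:
        return (scheme, host, port)
    if host == label or host.endswith("." + label):
        return (scheme, label, port)
    raise ValueError(f"{host} may not adopt principal {label}")

@dataclass
class Content:
    url: str               # where the content came from, i.e. its owner
    data: bytes
    label: str = None      # optional owner-declared coarser principal
    principal: tuple = field(init=False)

    def __post_init__(self):
        self.principal = principal_of(self.url, self.label)

class ContentIsolatingOS:
    """The app instance processing `current` may only read same-principal content."""

    def read(self, current, target):
        if target.principal != current.principal:
            raise PermissionError(f"{current.url} may not read {target.url}")
        return target.data

def editor_can_read(current, target):
    """Can a photo editor instance that is processing `current` read `target`?"""
    try:
        ContentIsolatingOS().read(current, target)
        return True
    except PermissionError:
        return False
```

With this policy, an editor instance that was handed an attacker-crafted image runs in the attacker's principal and cannot read the user's other photos, which is the scenario the abstract uses to motivate the model.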
