Privilege Separation in HTML5 Applications

The standard approach to privilege separation in web applications is to execute application components in different web origins. This limits the practicality of privilege separation, since each web origin carries a financial and administrative cost. In this paper, we propose a new design for achieving effective privilege separation in HTML5 applications that shows how applications can cheaply create an arbitrary number of components. Our approach uses standardized abstractions already implemented in modern browsers. In contrast to prior approaches, we do not advocate any changes to the underlying browser and do not require developers to learn new high-level languages. We empirically show that we can retrofit our design to real-world HTML5 applications (browser extensions and rich client-side applications) and achieve a reduction of 6x to 10000x in the trusted computing base (TCB) for our case studies. Our mechanism requires fewer than 13 lines of application-specific code changes and considerably improves auditability.
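The abstract describes a privileged part of the application mediating access for unprivileged components, but names no mechanism. The following is an added example, not code from the paper or its authors: it assumes (our assumption, not a statement of the paper's design) that each unprivileged component runs in a sandboxed iframe and sends requests to the privileged parent via postMessage, and it shows the policy-enforcing dispatcher the parent would need. The component names, the `storage.*` operations and the `createShim`/`demo` helpers are hypothetical. One practitioner detail it encodes: an iframe sandboxed without `allow-same-origin` has an opaque origin, so `event.origin` is the string "null" for every such component and cannot tell them apart; the dispatcher keys its policy on `event.source` (the child's window object) instead.

```javascript
// Added example, not from the paper. Models the privileged "parent shim"
// of a privilege-separated HTML5 app as plain logic so it runs in Node;
// in a browser, handle() is called from a "message" event listener.

// Hypothetical policy: which privileged operations each component may call.
const POLICY = {
  editor:   new Set(["storage.get", "storage.set"]),
  renderer: new Set(["storage.get"]),
};

// Privileged operations live only in the parent, i.e. inside the TCB.
const STORE = new Map();
const PRIVILEGED_API = {
  "storage.get": (key) => STORE.get(key),
  "storage.set": (key, value) => { STORE.set(key, value); return true; },
};

// Builds a dispatcher. Components are identified by the window object that
// sent the message (event.source), because sandboxed iframes all report
// event.origin === "null" and the origin string alone cannot distinguish them.
function createShim(policy = POLICY, api = PRIVILEGED_API) {
  const registry = new Map(); // event.source -> component id
  return {
    // Called once per child after it is created, e.g. register(iframe.contentWindow, "editor").
    register(source, componentId) { registry.set(source, componentId); },

    // Validates and either performs or refuses one request. Returns the reply
    // object the parent would post back to the child.
    handle(event) {
      const id = registry.get(event.source);
      if (id === undefined) return { ok: false, error: "unknown source" };
      const msg = event.data;
      if (!msg || typeof msg.op !== "string" || !Array.isArray(msg.args)) {
        return { ok: false, error: "malformed request" };
      }
      if (!policy[id] || !policy[id].has(msg.op) || !(msg.op in api)) {
        return { ok: false, error: `denied: ${id} may not call ${msg.op}` };
      }
      try {
        return { ok: true, result: api[msg.op](...msg.args) };
      } catch (e) {
        return { ok: false, error: String(e) };
      }
    },
  };
}

// Constructed demo: stand-ins for two registered child windows and one
// unregistered one, exercising allow, deny and unknown-source paths.
function demo() {
  const shim = createShim();
  const editor = {}, renderer = {}, stranger = {};
  shim.register(editor, "editor");
  shim.register(renderer, "renderer");
  return {
    set:      shim.handle({ source: editor,   data: { op: "storage.set", args: ["title", "draft"] } }),
    get:      shim.handle({ source: renderer, data: { op: "storage.get", args: ["title"] } }),
    denied:   shim.handle({ source: renderer, data: { op: "storage.set", args: ["title", "x"] } }),
    unknown:  shim.handle({ source: stranger, data: { op: "storage.get", args: ["title"] } }),
    malformed: shim.handle({ source: editor,  data: "not an object" }),
  };
}

if (typeof window === "undefined") {
  console.log(demo());
}
```

In the browser the parent would wire this up with `window.addEventListener("message", e => e.source.postMessage(shim.handle(e), "*"))`; the `"*"` target origin is unavoidable when replying to an opaque-origin child, which is another reason the parent must never act on `event.origin` or on unchecked message contents.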
