User interface toolkit mechanisms for securing interface elements

User interface toolkit research has traditionally assumed that developers have full control of an interface. This assumption is challenged by the mashup nature of many modern interfaces, in which different portions of a single interface are implemented by multiple, potentially mutually distrusting developers (e.g., an Android application embedding a third-party advertisement). We propose considering security as a primary goal for user interface toolkits. We motivate the need for security at this level by examining today's mashup scenarios, in which security and interface flexibility are not simultaneously achieved. We describe a security-aware user interface toolkit architecture that secures interface elements while providing developers with the flexibility and expressivity traditionally desired in a user interface toolkit. By challenging trust assumptions inherent in existing approaches, this architecture effectively addresses important interface-level security concerns.
