Object views: fine-grained sharing in browsers

Browsers do not currently support the secure sharing of JavaScript objects between principals. We present this problem as the need for object views, which are consistent and controllable versions of objects. Multiple views can be made for the same object and customized for the recipients. We implement object views with a JavaScript library that wraps shared objects and interposes on all access attempts. The security challenge is to fully mediate access to objects shared through a view and prevent privilege escalation. We discuss how object views can be deployed in two settings: same-origin sharing with rewriting-based JavaScript isolation systems like Google Caja, and inter-origin sharing between browser frames over a message-passing channel. To facilitate simple document sharing, we build a policy system for declaratively defining policies for document object views. Notably, our document policy system makes it possible to hide elements without breaking document structure invariants. Developers can control the fine-grained behavior of object views with an aspect system that accepts programmatic policies.
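As an added illustration of the mediation the abstract describes (example code, not the paper's library), the following builds two differently controlled views of one shared object on top of the ES2015 Proxy API. `makeView`, `policyFor`, and the sample `doc` are constructed here; the point is that every access goes through a trap and every object or function the view hands back is itself wrapped, so a recipient cannot escalate by reaching the raw object through a returned value, a property descriptor, or `this`.

```javascript
// Build a view of `root` for one recipient. Every object or function the view
// hands out is wrapped as well, so the raw object never reaches the recipient.
function makeView(root, policy) {
  const toView = new WeakMap(), toRaw = new WeakMap(); // raw<->view, one view per object
  const unwrap = (v) => (toRaw.has(v) ? toRaw.get(v) : v);
  function wrap(value) {
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return value;
    if (toView.has(value)) return toView.get(value);
    const view = new Proxy(value, handler);
    toView.set(value, view); toRaw.set(view, value);
    return view;
  }
  const handler = {
    get: (t, p) => (policy.canRead(p) ? wrap(Reflect.get(t, p, t)) : undefined), // hidden reads as absent
    has: (t, p) => policy.canRead(p) && Reflect.has(t, p),
    ownKeys: (t) => Reflect.ownKeys(t).filter((p) => policy.canRead(p)),
    getOwnPropertyDescriptor(t, p) {
      if (!policy.canRead(p)) return undefined;
      const d = Reflect.getOwnPropertyDescriptor(t, p);
      if (d) for (const k of ['value', 'get', 'set']) if (k in d) d[k] = wrap(d[k]); // no raw leak via descriptors
      return d;
    },
    set(t, p, v) {
      if (!policy.canWrite(p)) throw new TypeError(`view: write to '${String(p)}' denied`);
      return Reflect.set(t, p, unwrap(v), t);
    },
    // Methods run against the raw receiver; the result is re-wrapped so that
    // e.g. getSelf() cannot hand back the unmediated object.
    apply: (fn, thisArg, args) => wrap(Reflect.apply(fn, unwrap(thisArg), args.map(unwrap))),
  };
  return wrap(root);
}

// Declarative per-recipient policy: hidden property names plus a read-only flag.
function policyFor({ hidden = [], readOnly = false } = {}) {
  const h = new Set(hidden);
  return { canRead: (p) => !h.has(p), canWrite: (p) => !readOnly && !h.has(p) };
}

// Constructed sample: one shared object, two recipients, two policies.
const doc = { title: 'Quarterly report', secret: 'draft notes', meta: { author: 'alice' },
              getSelf() { return this; } };
const editorView = makeView(doc, policyFor({ hidden: ['secret'] }));
const readerView = makeView(doc, policyFor({ hidden: ['secret'], readOnly: true }));
```

Both views stay consistent because they mediate the same underlying object: a write through `editorView` is visible through `readerView`, while `secret` is absent from both and `readerView` rejects writes.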
