Vaibhav Rastogi and Yi Yang. SOP is outdated Netscape introduced this policy when most content on...
A Framework for Fine Grained Origins
Vaibhav Rastogi and Yi Yang

Objective
- The SOP is outdated: Netscape introduced this policy when most content on the Internet was static
- Differences amongst different resources lead to vulnerabilities
- Design a new framework to capture finer grained origins and sharing

Motivation
- Web 2.0: rich applications
- An abstraction that solves many problems in one shot
- A simple change that provides a solution to many problems

Separation
- Third party JavaScript: ads, gadgets, widgets, Facebook applications
- Restrict interaction with the host website
- The problem is essentially one of maintaining different origins

Separation
- The SOP assigns third party script the same origin as the host page
- Existing solutions: WebSandbox, AdSafe
  ▪ Complex solutions
  ▪ Performance problems
- More natural solution: have a different origin

Sharing
- Current solutions: either unsafe or complex
- document.domain
  ▪ Used by several websites for cross domain sharing
  ▪ Unsafe; attacks studied in class
  ▪ Some websites confirmed to be using document.domain: cnn.com, sina.com.cn, yandex.ru

Sharing
- document.domain: wrote a script to find sites which explicitly set document.domain in source
- postMessage channel
  ▪ Achieves arbitrary requirements of security
  ▪ May be complex to program
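The postMessage channel the slides call "complex to program" is mostly a matter of doing the origin checks on both ends. What follows is an added example, not code from the slides or from the authors' implementation, showing the receiving and sending halves of such a channel between a host page and a third party frame; the function names, the "getWidgetState" message type, and the sample origins are assumptions, and the fake frame object stands in for a real contentWindow so the code runs outside a browser.

```javascript
// Added example, not code from the slides: receiver and sender halves of a
// postMessage channel with the origin checks that make the channel safe.
// Names (handleMessage, sendToFrame, "getWidgetState") and sample data are assumptions.

// Origins are compared with exact string equality; a startsWith or regex test
// on the host name would also accept unrelated origins that merely contain it.
function isAllowedOrigin(origin, allowlist) {
  return allowlist.includes(origin);
}

// Receiver side: decide what to do with one incoming message event.
// Returns a plain result object rather than touching the DOM so it can be
// exercised here; in a page it would be wired up with
// window.addEventListener("message", e => handleMessage(e, ALLOWED)).
function handleMessage(event, allowlist) {
  if (!isAllowedOrigin(event.origin, allowlist)) {
    return { accepted: false, reason: "origin not in allowlist" };
  }
  const data = event.data;
  // Validate the message shape before acting on it: the origin check says who
  // sent it, not that the content is well formed.
  if (data === null || typeof data !== "object" || data.type !== "getWidgetState") {
    return { accepted: false, reason: "unexpected message shape" };
  }
  // Reply to the verified sender origin only, never to "*".
  return {
    accepted: true,
    replyTargetOrigin: event.origin,
    reply: { type: "widgetState", items: 3 },
  };
}

// Sender side: always name the target origin. With "*" the message would be
// delivered to whatever document currently occupies the frame.
function sendToFrame(frameWindow, targetOrigin, message) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post with a wildcard target origin");
  }
  frameWindow.postMessage(message, targetOrigin);
  return { message, targetOrigin };
}

// Constructed sample data: the host page trusts only its widget provider.
const ALLOWED = ["https://widgets.example"];

// Minimal stand-in for a frame's contentWindow that records what was posted.
function makeFakeFrame() {
  return {
    posted: [],
    postMessage(message, targetOrigin) {
      this.posted.push({ message, targetOrigin });
    },
  };
}

// Run the three receiver cases and one send against constructed events.
function demo() {
  const good = handleMessage(
    { origin: "https://widgets.example", data: { type: "getWidgetState" } }, ALLOWED);
  const wrongOrigin = handleMessage(
    { origin: "https://widgets.example.other.test", data: { type: "getWidgetState" } }, ALLOWED);
  const wrongShape = handleMessage(
    { origin: "https://widgets.example", data: "getWidgetState" }, ALLOWED);
  const frame = makeFakeFrame();
  const sent = sendToFrame(frame, "https://widgets.example", { type: "getWidgetState" });
  return { good, wrongOrigin, wrongShape, sent, postedCount: frame.posted.length };
}

console.log(JSON.stringify(demo(), null, 2));
```

The two checks are independent: the origin test establishes who sent the message, the shape test establishes that the content is something the receiver expects, and the reply goes back only to the origin that passed the first test.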
Coexisting Web Sessions
- Opening two Gmail accounts in one browser without hassle
- Current solutions are tricky

Current sharing mechanisms
- Cookies play an important role
- Cross domain sharing, e.g. google.com and mail.google.com
- Cross site sharing, e.g. cnn.com and twitter.com

Resources to be secured
- DOM
- Cookies
- AJAX
- Others, like history, display…

Related Work
- Secure browser designs: Gazelle and OP
  ▪ Criticize the SOP but stick to it
- MashupOS
  ▪ Proposes a new origin policy: VOP
  ▪ sandbox tag provides separation
  ▪ Does not generalize for collaboration
  ▪ Origins may not be changed dynamically

Related work
- On the Incoherencies in Web Browser Access Control Policies
  ▪ Current SOP mechanisms thoroughly criticized
- ConScript
  ▪ Controlling JavaScript functionality
  ▪ Solves the separation problem to some extent
- Object Views
  ▪ Finer grained sharing for JavaScript objects
  ▪ Cookies and other resources still a problem

Approach
- Two approaches for representing origins
  1. A four tuple <proto, domain, port, originID>
  2. A random string, originID = "20-9fkd9kw9j3030d9g0425d"
     ▪ analogous to session cookies
- Both approaches are lightweight

Approach
- Resources to be shared are placed in the same origin

Approach
- Resources to be separated are placed in different origins

Approach
- If no origins are specified, the default is the prevalent Same Origin Policy
- Current websites do not break

Security Analysis
- Approach 1 is at least as secure as the SOP
- Approach 2: a new attack
  ▪ Sniff the originID on the wire
  ▪ Send malicious content with the same originID
  ▪ The same attack also exists with cookies

Security Analysis
- Attacks by using legacy origins
- Solution: disallow interaction of pages that carry an origin with pages using the legacy SOP

Implementation
- Allowing specification of origin in HTML: <html originid="93681056194027">
- HTTP headers: originID: 93681056194027
- Disabled document.domain
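As an added example (not the authors' WebKit code), the following models the two origin representations from the Approach slides together with the rules the Security Analysis and Implementation slides state: the four tuple of approach 1, the random-string originID of approach 2, the fallback to the plain SOP when no originID is given, and the rule that pages carrying an originID do not interact with legacy pages. Reading the originID from the originID HTTP header or the <html originid="..."> attribute follows the syntax on the slide; the function names, the header-before-attribute precedence, and the default-port handling are assumptions.

```javascript
// Added example, not the slides' code: fine grained origins as
// <proto, domain, port, originID>, with SOP fallback and the legacy rule.
// Function names, precedence of header over attribute, and default ports are assumptions.

const DEFAULT_PORTS = { http: 80, https: 443 };

// Build an origin record from a URL plus an optional originID.
// originId is null when the page carries no originID at all.
function makeOrigin(url, originId) {
  const u = new URL(url);
  const proto = u.protocol.replace(/:$/, "");
  const port = u.port ? Number(u.port) : DEFAULT_PORTS[proto];
  return { proto, domain: u.hostname, port, originId: originId || null };
}

// Take the originID from the response headers (header names are
// case-insensitive) or, failing that, from the <html originid="..."> attribute.
function extractOriginId(headers, html) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "originid") return value.trim();
  }
  const m = /<html\b[^>]*\boriginid\s*=\s*["']?([^"'\s>]+)/i.exec(html);
  return m ? m[1] : null;
}

// Legacy SOP: scheme, host and port must all match.
function sameLegacyOrigin(a, b) {
  return a.proto === b.proto && a.domain === b.domain && a.port === b.port;
}

// Approach 1: compare the whole four tuple.
//  - neither side has an originID: plain SOP, so existing sites keep working;
//  - exactly one side has one: the legacy/fine-grained mix that the security
//    analysis disallows, so never the same origin;
//  - both have one: all four components must agree.
function sameOrigin(a, b) {
  if (a.originId === null && b.originId === null) return sameLegacyOrigin(a, b);
  if (a.originId === null || b.originId === null) return false;
  return sameLegacyOrigin(a, b) && a.originId === b.originId;
}

// Approach 2: the random string alone names the origin, like a session cookie,
// so two documents on different domains can share by carrying the same ID.
function sameOriginById(a, b) {
  return a.originId !== null && b.originId !== null && a.originId === b.originId;
}

// Constructed sample responses: one sets the ID in a header, one in the markup,
// one is a legacy page with no ID at all.
function demo() {
  const idFromHeader = extractOriginId(
    { "Content-Type": "text/html", "originID": " 93681056194027 " }, "<html><head>");
  const idFromAttr = extractOriginId({}, '<html originid="93681056194027"><head>');
  const idLegacy = extractOriginId({}, "<html><head>");

  const host = makeOrigin("https://cnn.com/", idFromHeader);
  const frame = makeOrigin("https://cnn.com/section/", idFromAttr);
  const ad = makeOrigin("https://cnn.com/ads/", "4242");      // separated third party content
  const legacy = makeOrigin("https://cnn.com/", idLegacy);
  const legacy2 = makeOrigin("https://cnn.com:443/other", null);
  const g1 = makeOrigin("https://google.com/", "20-9fkd9kw9j3030d9g0425d");
  const g2 = makeOrigin("https://mail.google.com/", "20-9fkd9kw9j3030d9g0425d");

  return {
    idFromHeader, idFromAttr, idLegacy,
    hostShareFrame: sameOrigin(host, frame),        // true: same tuple
    hostSeparatedFromAd: sameOrigin(host, ad),      // false: different originID
    legacyFallback: sameOrigin(legacy, legacy2),    // true: plain SOP
    legacyMixBlocked: sameOrigin(host, legacy),     // false: legacy rule
    approach1CrossDomain: sameOrigin(g1, g2),       // false: tuple differs in domain
    approach2CrossDomain: sameOriginById(g1, g2),   // true: shared random string
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The difference between the two representations shows in the last two results: approach 1 can only subdivide an existing SOP origin, which is why the slides can call it at least as secure as the SOP, while approach 2 can join resources across domains (the google.com and mail.google.com case), which is also what makes the originID a bearer secret worth protecting on the wire.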
Implementation
- WebKit implementation
  ▪ Document
  ▪ HTML Parser
  ▪ Frame / Frame Loader
  ▪ Security Origin (DOM/Ajax)
  ▪ Cookie Origins
  ▪ HTTP Request/Response handler

Implementation
- Modified the origin policy itself to work using originIDs (approach 1)
- Cookies: origin specified with a URL (domain + path); work ongoing

Evaluation
- Used test pages to allow collaboration of DOM from different origins
- Real pages: cnn.com
  ▪ Uses document.domain to allow cooperation between different frames
  ▪ Disabled document.domain: parts of page missing
  ▪ Used a proxy to add originID headers on the fly: page loading fine again

Future plans
- Thoughts about implementation in another browser like Chromium
- Completing the implementation
- Evaluating each of the applications of the work