Securing Interaction for Sites, Apps and Extensions in the Browser
Brad Miller, J. D. Tygar
Sharing Information in the Cloud
• How will we share information between apps?
• Web interface dominant
• Need for robust cross-domain mechanisms
• Many advantages
• Less control
• Less flexibility
Evolved Security Mechanisms
[Figure: Server A and Server B; Origin A in browser and Origin B in browser; labels: Same Origin Policy, Cross-Domain XHR, postMessage, Content Security Policy]
• These features are not enough
• Workarounds will emerge
The Chrome Approach
• Chrome merges “apps” and “extensions”
  – Web apps can be installed from a web store
• Users grant apps privileges at install time
  – Domain level granularity
  – Cookies, script injection & cross-domain requests
Fundamental Modifications
• App Developer
  – Designs app/extension, writes manifest
• User
  – Chooses to install app, approves manifest
• Site Designer
  – Unable to participate
• Site designer should help mediate access
  – Best understanding of data
  – Best incentive to protect data
• Leverage real-world meaning of data
  – Policies users can understand
DOM Node Tags
• Privacy tags: protect read access
  – address, financial, medical, photo/video, etc.
• Integrity tags: protect write access
  – Designed on a custom basis per site
[Figure: a website and its underlying DOM; node labels: Menubar, Summary of Accounts, Individual Account, Transactions. Legend: node tagged as “financial”; node that inherited the “financial” tag from its parent]
Restricting Scripts
• 2 Types of scripts
  – Requested by site during normal execution
  – Inserted by browser on behalf of an extension/app
• 4 Types of protection
[Table: script source (requested by site, inserted by browser) against tag type (privacy, integrity); the four cells are numbered 1 to 4]
Determining Policies
• User sets policy for extensions at install time
• Site designer sets policy for web scripts
• Site makes recommendation for extensions
• Negotiation resolves any conflicts
[Table: script source (requested by site, inserted by browser) against tag type (privacy, integrity), cells numbered 1 to 4]
Policy Negotiation
• Negotiation occurs first time a user visits a site
• Can be per extension or across all extensions
Site Recommendation:
• correspondence
• photos/videos
User Settings:
• medical
• financial
• correspondence
• photos/videos
Prompt shown to the user: “Are you sure you want to let extensions access your medical and financial data on this site?”
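
The tag inheritance from the DOM Node Tags slide and the conflict prompt from the Policy Negotiation slide, sketched as an added example that is not code from the presentation. Plain objects stand in for DOM nodes; the function names, the rule that a script needs every inherited tag granted, and the handling of a declined prompt are assumptions.

```javascript
// Added example: plain objects stand in for DOM nodes; all names are hypothetical.
function node(name, tags = [], children = []) {
  const n = { name, tags, children, parent: null };
  for (const c of children) c.parent = n;
  return n;
}

// Effective privacy tags: the node's own plus those inherited from ancestors.
function effectiveTags(n) {
  const tags = new Set();
  for (let cur = n; cur; cur = cur.parent) cur.tags.forEach(t => tags.add(t));
  return tags;
}

// Tags the user grants but the site does not recommend are conflicts that
// trigger the confirmation prompt; the rest are agreed.
function negotiate(siteRecommendation, userSettings) {
  const site = new Set(siteRecommendation);
  return {
    agreed: userSettings.filter(t => site.has(t)),
    needsConfirmation: userSettings.filter(t => !site.has(t)),
  };
}

// Assumption: a confirmed conflict is granted, a declined one is dropped.
function resolve(outcome, userConfirms) {
  return new Set(userConfirms
    ? [...outcome.agreed, ...outcome.needsConfirmation]
    : outcome.agreed);
}

// Assumption: an extension script may read a node only if every effective
// privacy tag on it was granted; untagged nodes are readable.
function canRead(n, granted) {
  return [...effectiveTags(n)].every(t => granted.has(t));
}

// Constructed page: "balance" inherits "financial" from its parent.
const balance = node("balance");
const account = node("individual-account", ["financial"], [balance]);
const menubar = node("menubar");
const page = node("body", [], [menubar, account]);

const outcome = negotiate(["correspondence", "photos/videos"],
  ["medical", "financial", "correspondence", "photos/videos"]);
console.log("prompt user about:", outcome.needsConfirmation);
console.log("balance readable if declined:", canRead(balance, resolve(outcome, false)));
console.log("balance readable if confirmed:", canRead(balance, resolve(outcome, true)));
console.log("menubar readable if declined:", canRead(menubar, resolve(outcome, false)));
```
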
Example: Photo Editing
• Privacy tags restrict access to photos
• Cross-Domain XHR more cumbersome
  – Would require support from Facebook
  – Not flexible enough for long term success
[Figure: a Photo Editor accessing Facebook data (Contact Info, Wall Posts, Photos), with accesses marked Allowed or Denied]
Example: Identity Theft
[Figure: a shopping website, a bank website and an evil or vulnerable installed app; data labels: Credit Card Info, Purchase Record]
• Script injection
• Credit Card Info
• Script injection
• Tag protection
Improvements over status quo
• Usability
  – Choices are more natural for humans
• Better policies
  – Privacy tags leverage semantic meaning of data
  – Integrity tags allow finer granularity in page access
• Better incentives
  – Party with most knowledge and stake plays a role
Future Work & Open Questions
• Handling DOM updates
  – Approved script writes new nodes into DOM
  – What tags should be assigned to new nodes?
• Privacy tag set
  – Fixed set could be restrictive
  – Custom set harder to work with