Securing Interaction for Sites, Apps and Extensions in the Browser

Brad Miller, J. D. Tygar


Post on 20-Jan-2016


Page 2: Sharing Information in the Cloud

• How will we share information between apps?
• Web interface dominant
• Need for robust cross-domain mechanisms

• Many advantages
• Less control
• Less flexibility

Page 3: Evolved Security Mechanisms

[Figure: Server A and Server B; Origin A in browser and Origin B in browser; labels: Same Origin Policy, Cross-Domain XHR, postMessage, Content Security Policy]

• These features are not enough
• Workarounds will emerge

Page 4: The Chrome Approach

• Chrome merges “apps” and “extensions”
  – Web apps can be installed from a web store

• Users grant apps privileges at install time
  – Domain level granularity
  – Cookies, script injection & cross-domain requests

Page 5: Fundamental Modifications

• App Developer
  – Designs app/extension, writes manifest
• User
  – Chooses to install app, approves manifest
• Site Designer
  – Unable to participate

• Site designer should help mediate access
  – Best understanding of data
  – Best incentive to protect data

• Leverage real-world meaning of data
  – Policies users can understand

Page 6: DOM Node Tags

• Privacy tags: protect read access
  – address, financial, medical, photo/video, etc.

• Integrity tags: protect write access
  – Designed on a custom basis per site

[Figure: a website (Menubar, Summary of Accounts, Individual Account, Transactions) and its underlying DOM (Menubar, Summary, Transactions); legend: node tagged as “financial”; node with inherited “financial” tag from parent]

Page 7: Restricting Scripts

• 2 Types of scripts
  – Requested by site during normal execution
  – Inserted by browser on behalf of an extension/app

• 4 Types of protection

[Figure: 2×2 grid of protection types numbered 1 to 4; rows: Requested by site, Inserted by browser; columns: Privacy, Integrity]

Page 8: Determining Policies

• User sets policy for extensions at install time
• Site designer sets policy for web scripts
• Site makes recommendation for extensions
• Negotiation resolves any conflicts

[Figure: 2×2 grid of protection types numbered 1 to 4; rows: Requested by site, Inserted by browser; columns: Privacy, Integrity]

Page 9: Policy Negotiation

• Negotiation occurs first time a user visits a site
• Can be per extension or across all extensions

Site Recommendation
• correspondence
• photos/videos

User Settings
• medical
• financial
• correspondence
• photos/videos

“Are you sure you want to let extensions access your medical and financial data on this site?”

Page 10: Example: Photo Editing

• Privacy tags restrict access to photos
• Cross-Domain XHR more cumbersome
  – Would require support from Facebook
  – Not flexible enough for long term success

[Figure: Photo Editor and Facebook data (Contact Info, Wall Posts, Photos); access labels: Denied, Allowed, Denied]
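
The tag inheritance from the DOM Node Tags slide and the per-source checks from the Restricting Scripts slide, applied to this photo-editing case as an added example (not code from the slides or from Chrome). The `TaggedNode` class, the policy shape, the matching rule, and the mapping of Contact Info to `address` and Wall Posts to `correspondence` are assumptions.

```javascript
// Added illustration. Class names, policy shape and matching rule are assumptions.
class TaggedNode {
  constructor(name, parent = null, tags = {}) {
    this.name = name;
    this.parent = parent;
    this.own = { privacy: new Set(tags.privacy || []), integrity: new Set(tags.integrity || []) };
  }
  // Effective tags: the node's own tags plus every tag inherited from ancestors.
  effectiveTags(kind) {
    const tags = new Set();
    for (let n = this; n !== null; n = n.parent) {
      for (const t of n.own[kind]) tags.add(t);
    }
    return tags;
  }
}

// Reads are checked against privacy tags, writes against integrity tags.
// Assumed rule: the script's source must hold a grant for every effective tag;
// a node with no tags of that kind is open to any script.
function mayAccess(policy, source, op, node) {
  const kind = op === "read" ? "privacy" : "integrity";
  const granted = policy[source][kind];
  return [...node.effectiveTags(kind)].every((t) => granted.has(t));
}

// Constructed page; the tag chosen for each region is an assumption.
const page = new TaggedNode("page");
const contact = new TaggedNode("contact-info", page, { privacy: ["address"] });
const wall = new TaggedNode("wall-posts", page, {
  privacy: ["correspondence"],
  integrity: ["wall"], // hypothetical site-defined integrity tag
});
const photos = new TaggedNode("photos", page, { privacy: ["photo/video"] });
const photo1 = new TaggedNode("photo-1", photos); // inherits "photo/video"

// One grant set per (script source, tag kind): the four protection types.
const policy = {
  site: { privacy: new Set(["address", "correspondence", "photo/video"]), integrity: new Set(["wall"]) },
  extension: { privacy: new Set(["photo/video"]), integrity: new Set() },
};

// Read decisions for a script the browser inserts on behalf of the photo editor.
function photoEditorReport() {
  return [contact, wall, photo1].map(
    (n) => `${n.name}:${mayAccess(policy, "extension", "read", n) ? "allowed" : "denied"}`
  );
}
console.log(photoEditorReport().join(", "));
```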

Page 11: Example: Identity Theft

[Figure: Shopping Website and Bank Website; an Evil or Vulnerable Installed App; data items labelled Credit Card Info and Purchase Record]

• Script injection
• Credit Card Info
• Script Injection
• Tag Protection

Page 12: Improvements over status quo

• Usability
  – Choices are more natural for humans

• Better policies
  – Privacy tags leverage semantic meaning of data
  – Integrity tags allow finer granularity in page access

• Better incentives
  – Party with most knowledge and stake plays a role

Page 13: Future Work & Open Questions

• Handling DOM updates
  – Approved script writes new nodes into DOM
  – What tags should be assigned to new nodes?

• Privacy tag set
  – Fixed set could be restrictive
  – Custom set harder to work with