DOCSLIB.ORG

App Isolation: Get the Security of Multiple Browsers with Just One

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
App Isolation: Get the Security of Multiple Browsers with Just One App Isolation: Get the Security of Multiple Browsers with Just One Eric Y. Chen Jason Bau Carnegie Mellon University Stanford University Mountain View, CA Stanford, CA [email protected] [email protected] Charles Reis Adam Barth Collin Jackson Google, Inc. Google, Inc. Carnegie Mellon University Seattle, WA Mountain View, CA Mountain View, CA [email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION Many browser-based attacks can be prevented by using sepa- Security experts often advise users to use more than one rate browsers for separate web sites. However, most users browser: one for surfing the wild web and others for visit- access the web with only one browser. We explain the secu- ing \sensitive" web sites, such as online banking web sites rity benefits that using multiple browsers provides in terms [1, 2]. This advice raises a number of questions. Can us- of two concepts: entry-point restriction and state isolation. ing more than one browser actually improve security? If We combine these concepts into a general app isolation mech- so, which properties are important? Can we realize these anism that can provide the same security benefits in a single security benefits without resorting to the use of more than browser. While not appropriate for all types of web sites, one browser? many sites with high-value user data can opt in to app In this paper, we seek to answer these questions by crystal- isolation to gain defenses against a wide variety of browser- lizing two key security properties of using multiple browsers, based attacks. We implement app isolation in the Chromium which we refer to as entry-point restriction and state isola- browser and verify its security properties using finite-state tion. We find that these two properties are responsible for model checking. We also measure the performance overhead much of the security benefit of using multiple browsers, and of app isolation and conduct a large-scale study to evaluate we show how to achieve these security benefits in a single its adoption complexity for various types of sites, demon- browser by letting web sites opt in to these behaviors. strating how the app isolation mechanisms are suitable for Consider a user who diligently uses two browsers for secu- protecting a number of high-value Web applications, such as rity. This user designates one browser as \sensitive" and one online banking. as \non-sensitive". She uses the sensitive browser only for accessing her online bank (through known URLs and book- Categories and Subject Descriptors marks) and refrains from visiting the general Web with the sensitive browser. Meanwhile, she uses only the non-sensitive H.4.3 [Information Systems Applications]: Communica- browser for the rest of the Web and does not use it to visit tions Applications|Information browsers; K.6.5 [Management high-value sites. of Computing and Information Systems]: Security and Using two browsers in this manner does have security Protection benefits. For example, consider the case of reflected cross-site scripting (XSS). In a reflected XSS attack, the attacker crafts General Terms a malicious URL containing an attack string and navigates the user's browser to that URL, tricking the honest web site Security, Design, Verification into echoing back the attack string in a dangerous context. The attack has more difficulty succeeding if the user runs Keywords more than one browser because the attack relies on which of Web Browser Architecture, Isolation, Web Application Secu- the user's browsers the attacker navigates. If the attacker rity, Security Modeling, Cross-Site Request Forgery, Cross- navigates the user's non-sensitive browser to a maliciously Site Scripting crafted URL on the user's bank, the attack will have no access to the user's banking-related state, which resides in another browser. From this discussion, one might conclude that isolation Permission to make digital or hard copies of all or part of this work for of credentials and other state is the essential property that personal or classroom use is granted without fee provided that copies are makes using two browsers more secure. However, another not made or distributed for profit or commercial advantage and that copies security property provided by using multiple browsers is bear this notice and the full citation on the first page. To copy otherwise, to equally important: entry-point restriction. To illustrate republish, to post on servers or to redistribute to lists, requires prior specific entry-point restriction by its absence, imagine if the attacker permission and/or a fee. could arbitrarily coordinate navigation of the users' two CCS’11, October 17–21, 2011, Chicago, Illinois, USA. Copyright 2011 ACM 978-1-4503-0948-6/11/10 ...$10.00. browsers and open an arbitrary bank URL in the sensitive browser. Now, the attacker's maliciously crafted URL and • We provide a security mechanism that grants a sin- attack string can be transplanted from the non-sensitive gle browser the security benefits of multiple browsers, browser to the sensitive browser, leading to disaster. compatible with certain types of existing sites. In reality, it is extremely difficult for Web attackers to coordinate the navigation of two different browsers on the • We validate the security of our mechanism using formal users' computer. This isolation between the two browsers modeling, adjusting our design to patch uncovered provides the entry-point restriction property. Namely, ses- vulnerabilities. sions in the sensitive browser with an honest web site always • We evaluate the compatibility of our mechanism using begin with a fixed set of entry points (e.g., the site's home Mozilla's Test Pilot platform. We are the first to utilize page or a set of bookmarks) and then proceed only to URLs this platform to conduct an academic study. chosen by the web site itself, not those chosen by a third party. Because the bank's entry points are restricted, the 1.1 Organization. attacker is unable to inject the attack string into the user's The rest of this paper is organized as follows. Section 2 session with the bank. presents related app isolation work. Section 3 identifies the State isolation, in turn, augments the security provided key security benefits of using multiple browsers. Section 4 by entry-point restriction when using two browsers. State discusses how browsers can identify apps that have opted isolation plays a critical role, for example, in preventing in to our proposal. Section 5 and Section 6 describe our history sniffing [3, 4] and cache timing attacks [4, 5] because design in detail. Section 7 evaluates our proposal in terms of these attacks do not rely upon the attacker navigating the its security, complexity to adopt, and performance, and we user's browser to a maliciously crafted URL. State isolation conclude in Section 8. between browsers can even protect a user's high-value session data against exploits of browser vulnerabilities that give the 2. BACKGROUND attacker control of the rendering process [6, 7]. In concert, In this section, we examine how the security properties of entry-point restriction and state isolation provide the lion's using multiple browsers have surfaced in related work and share of the security benefits of using two browsers. compare them to our proposal. In our example above, we use a single high-value site to illustrate the security benefit of isolation using two browsers, 2.1 Isolation with multiple browsers but the isolation benefits extend naturally to accessing mul- For users who choose to browse the web using multiple tiple sites, each in their own browser. In this paper, we show browsers, site-specific browsers (SSBs) can make the brows- that we can realize these security benefits within a single ing experience simpler and more convenient. SSBs provide browser by allowing web sites to whitelist their entry points customized browsers that are each dedicated to accessing and request isolated storage. This is not a pinpoint defense pages from a single web application. Examples of SSBs against a specific attack but rather a general approach that include Prism [10] and Fluid [11]. has benefits in a number of attack scenarios. SSBs are simply special-purpose browsers and can pro- The security benefits of our mechanism do come with a vide the security benefits of using multiple general-purpose compatibility cost for certain types of web sites, as it places browsers. However, SSBs can become difficult to manage some limitations on deep links and third-party cookies. To when users interact with and navigate between a large num- avoid disrupting existing web sites, we advocate deploying ber of different web applications. We show that a single our mechanism as an opt in feature. Furthermore, we hy- browser can realize the security benefits of SSBs without the pothesize and experimentally verify the types of web sites management burden on the user. For example, our proposal that are suitable for our mechanism. Our experiments mea- allows users to seamlessly and securely follow a link from sured the number of entry points used by popular sites in a one app to another, even in a single browser tab. study of 10,551 browsers running Mozilla's Test Pilot plat- form [8]. Over 1 million links were included in our study. 2.2 Isolation within a single browser We discovered that many security sensitive sites such as on- The concept of finer-grained isolation inside a single browser line banking applications can easily deploy our mechanisms. has been explored by many researchers. However, prior work However, highly social or content-driven applications such as has not identified the essential factors needed for a single Facebook and New York Times will have difficulties adopting browser to achieve the same security benefits as using multi- our proposal.
Load more

Recommended publications
  • Draft SP 800-125A Rev. 1, Security Recommendations for Server
    The attached DRAFT document (provided here for historical purposes), released on April 11, 2018, has been superseded by the following publication: Publication Number: NIST Special Publication (SP) 800-125A Rev. 1 Title: Security Recommendations for Server-based Hypervisor Platforms Publication Date: June 2018 • Final Publication: https://doi.org/10.6028/NIST.SP.800-125Ar1 (which links to https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-125Ar1.pdf). • Related Information on CSRC: Final: https://csrc.nist.gov/publications/detail/sp/800-125a/rev-1/final 1 Draft NIST Special Publication 800-125A 2 Revision 1 3 4 Security Recommendations for 5 Hypervisor Deployment on 6 ServersServer-based Hypervisor 7 Platforms 8 9 10 11 12 Ramaswamy Chandramouli 13 14 15 16 17 18 19 20 21 22 23 C O M P U T E R S E C U R I T Y 24 25 Draft NIST Special Publication 800-125A 26 Revision 1 27 28 29 30 Security Recommendations for 31 Server-based Hypervisor Platforms 32 33 Hypervisor Deployment on Servers 34 35 36 37 Ramaswamy Chandramouli 38 Computer Security Division 39 Information Technology Laboratory 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 April 2018 56 57 58 59 60 61 U.S. Department of Commerce 62 Wilbur L. Ross, Jr., Secretary 63 64 National Institute of Standards and Technology 65 Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology 66 67 Authority 68 69 This publication has been developed by NIST in accordance with its statutory responsibilities under the 70 Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C.
    [Show full text]
  • Ideal Spaces OS-Platform-Browser Support
    z 4.9 OS-Platform-Browser Support v1.4 2020spaces.com 4.9 Table of Contents Overview....................................................................................................... 3 System Requirements ................................................................................... 4 Windows .................................................................................................................................................... 4 Mac ............................................................................................................................................................ 4 Support Criteria ............................................................................................ 5 OS Platform ................................................................................................................................................ 5 OS Version .................................................................................................................................................. 5 Web Browser and Operating System Combinations ..................................... 6 Current Platform / Web Browser Support ................................................................................................. 6 Out of Scope Browsers and Operating Systems ............................................ 7 Opera ..................................................................................................................................................... 7 Linux ......................................................................................................................................................
    [Show full text]
  • Preview Dart Programming Tutorial
    Dart Programming About the Tutorial Dart is an open-source general-purpose programming language. It is originally developed by Google and later approved as a standard by ECMA. Dart is a new programming language meant for the server as well as the browser. Introduced by Google, the Dart SDK ships with its compiler – the Dart VM. The SDK also includes a utility -dart2js, a transpiler that generates JavaScript equivalent of a Dart Script. This tutorial provides a basic level understanding of the Dart programming language. Audience This tutorial will be quite helpful for all those developers who want to develop single-page web applications using Dart. It is meant for programmers with a strong hold on object- oriented concepts. Prerequisites The tutorial assumes that the readers have adequate exposure to object-oriented programming concepts. If you have worked on JavaScript, then it will help you further to grasp the concepts of Dart quickly. Copyright & Disclaimer © Copyright 2017 by Tutorials Point (I) Pvt. Ltd. All the content and graphics published in this e-book are the property of Tutorials Point (I) Pvt. Ltd. The user of this e-book is prohibited to reuse, retain, copy, distribute or republish any contents or a part of contents of this e-book in any manner without written consent of the publisher. We strive to update the contents of our website and tutorials as timely and as precisely as possible, however, the contents may contain inaccuracies or errors. Tutorials Point (I) Pvt. Ltd. provides no guarantee regarding the accuracy, timeliness or completeness of our website or its contents including this tutorial.
    [Show full text]
  • What Is Dart?
    1 Dart in Action By Chris Buckett As a language on its own, Dart might be just another language, but when you take into account the whole Dart ecosystem, Dart represents an exciting prospect in the world of web development. In this green paper based on Dart in Action, author Chris Buckett explains how Dart, with its ability to either run natively or be converted to JavaScript and coupled with HTML5 is an ideal solution for building web applications that do not need external plugins to provide all the features. You may also be interested in… What is Dart? The quick answer to the question of what Dart is that it is an open-source structured programming language for creating complex browser based web applications. You can run applications created in Dart by either using a browser that directly supports Dart code, or by converting your Dart code to JavaScript (which happens seamlessly). It is class based, optionally typed, and single threaded (but supports multiple threads through a mechanism called isolates) and has a familiar syntax. In addition to running in browsers, you can also run Dart code on the server, hosted in the Dart virtual machine. The language itself is very similar to Java, C#, and JavaScript. One of the primary goals of the Dart developers is that the language seems familiar. This is a tiny dart script: main() { #A var d = “Dart”; #B String w = “World”; #C print(“Hello ${d} ${w}”); #D } #A Single entry point function main() executes when the script is fully loaded #B Optional typing (no type specified) #C Static typing (String type specified) #D Outputs “Hello Dart World” to the browser console or stdout This script can be embedded within <script type=“application/dart”> tags and run in the Dartium experimental browser, converted to JavaScript using the Frog tool and run in all modern browsers, or saved to a .dart file and run directly on the server using the dart virtual machine executable.
    [Show full text]
  • Maelstrom Web Browser Free Download
    maelstrom web browser free download 11 Interesting Web Browsers (That Aren’t Chrome) Whether it’s to peruse GitHub, send the odd tweetstorm or catch-up on the latest Netflix hit — Chrome’s the one . But when was the last time you actually considered any alternative? It’s close to three decades since the first browser arrived; chances are it’s been several years since you even looked beyond Chrome. There’s never been more choice and variety in what you use to build sites and surf the web (the 90s are back, right?) . So, here’s a run-down of 11 browsers that may be worth a look, for a variety of reasons . Brave: Stopping the trackers. Brave is an open-source browser, co-founded by Brendan Eich of Mozilla and JavaScript fame. It’s hoping it can ‘save the web’ . Available for a variety of desktop and mobile operating systems, Brave touts itself as a ‘faster and safer’ web browser. It achieves this, somewhat controversially, by automatically blocking ads and trackers. “Brave is the only approach to the Web that puts users first in ownership and control of their browsing data by blocking trackers by default, with no exceptions.” — Brendan Eich. Brave’s goal is to provide an alternative to the current system publishers employ of providing free content to users supported by advertising revenue. Developers are encouraged to contribute to the project on GitHub, and publishers are invited to become a partner in order to work towards an alternative way to earn from their content. Ghost: Multi-session browsing.
    [Show full text]
  • Google Security Chip H1 a Member of the Titan Family
    Google Security Chip H1 A member of the Titan family Chrome OS Use Case [email protected] Block diagram ● ARM SC300 core ● 8kB boot ROM, 64kB SRAM, 512kB Flash ● USB 1.1 slave controller (USB2.0 FS) ● I2C master and slave controllers ● SPI master and slave controllers ● 3 UART channels ● 32 GPIO ports, 28 muxed pins ● 2 Timers ● Reset and power control (RBOX) ● Crypto Engine ● HW Random Number Generator ● RD Detection Flash Memory Layout ● Bootrom not shown ● Flash space split in two halves for redundancy ● Restricted access INFO space ● Header fields control boot flow ● Code is in Chrome OS EC repo*, ○ board files in board/cr50 ○ chip files in chip/g *https://chromium.googlesource.com/chromiumos/platform/ec Image Properties Chip Properties 512 byte space Used as 128 FW Updates INFO Space Bits 128 Bits Bitmap 32 Bit words Board ID 32 Bit words Bitmap Board ID ● Updates over USB or TPM Board ID Board ID ~ Board ID ● Rollback protections Board ID mask Version Board Flags ○ Header versioning scheme Board Flags ○ Flash map bitmap ● Board ID and flags Epoch ● RO public key in ROM Major ● RW public key in RO Minor ● Both ROM and RO allow for Timestamp node locked signatures Major Functions ● Guaranteed Reset ● Battery cutoff ● Closed Case Debugging * ● Verified Boot (TPM Services) ● Support of various security features * https://www.chromium.org/chromium-os/ccd Reset and power ● Guaranteed EC reset and battery cutoff ● EC in RW latch (guaranteed recovery) ● SPI Flash write protection TPM Interface to AP ● I2C or SPI ● Bootstrap options ● TPM
    [Show full text]
  • Designing and Implementing the OP and OP2 Web Browsers
    Designing and Implementing the OP and OP2 Web Browsers CHRIS GRIER, SHUO TANG and SAMUEL T. KING, University of Illinois at Urbana-Champaign Current web browsers are plagued with vulnerabilities, providing hackers with easy access to computer systems via browser-based attacks. Browser security efforts that retrofit existing browsers have had lim- ited success because the design of modern browsers is fundamentally flawed. To enable more secure web browsing, we design and implement a new browser, called the OP web browser, that attempts to improve the state-of-the-art in browser security. We combine operating system design principles with formal methods to design a more secure web browser by drawing on the expertise of both communities. Our design philosophy is to partition the browser into smaller subsystems and make all communication between subsystems sim- ple and explicit. At the core of our design is a small browser kernel that manages the browser subsystems and interposes on all communications between them to enforce our new browser security features. To show the utility of our browser architecture, we design and implement three novel security features. First, we develop flexible security policies that allow us to include browser plugins within our security framework. Second, we use formal methods to prove useful security properties including user interface invariants and browser security policy. Third, we design and implement a browser-level information-flow tracking system to enable post-mortem analysis of browser-based attacks. In addition to presenting the OP browser architecture, we discuss the design and implementation of a second version of OP, OP2, that includes features from other secure web browser designs to improve on the overall security and performance of OP.
    [Show full text]
  • Natickfoss Online Meetings Page 1 of 4
    NatickFOSS Online Meetings Page 1 of 4 During April and perhaps beyond, meetings at the Community/Senior Center are not possible. We are going to try to provide an online live meeting alternative. TO VIEW the meeting live at 3PM or at later date, use a browser for YouTube. It’s that simple! For April 2nd the link is: https://www.youtube.com/watch?v=C8ZTmk4uXH4 -------------------------Do not try to view and participate at the same time!--------------------- TO PARTICIPATE: We will use a service called Jitsi Meet. It is open source and runs in a browser. Use open source Chromium browser which is our choice. Or use Chrome, the commercial version from Google, also works fine. We are sad to report that Firefox performs worse. It is less stable at this time. (DO NOT USE Firefox for our Meetings, please!) We want to avoid problems. Linux users can install Chromium from their distribution’s software repositories. Windows: probably best to use Chrome unless you are adventurous. Edge does not work at this time. Macintosh: install Chrome, please. We have heard Safari does not work. Once your browser is installed, launch it and enter (copy from here, paste in browser) this link: https://meet.jit.si/natickfoss ...or just use any browser to go to the YouTube channel to just watch. The first time you use Chromium or Chrome with Jitsi Meet you will be asked if you want to install an extension. The extension is optional. We will NOT need the features for our meetings. Just close if you want.
    [Show full text]
  • Isolation, Resource Management, and Sharing in Java
    Processes in KaffeOS: Isolation, Resource Management, and Sharing in Java Godmar Back, Wilson C. Hsieh, Jay Lepreau School of Computing University of Utah Abstract many environments for executing untrusted code: for example, applets, servlets, active packets [41], database Single-language runtime systems, in the form of Java queries [15], and kernel extensions [6]. Current systems virtual machines, are widely deployed platforms for ex- (such as Java) provide memory protection through the ecuting untrusted mobile code. These runtimes pro- enforcement of type safety and secure system services vide some of the features that operating systems pro- through a number of mechanisms, including namespace vide: inter-application memory protection and basic sys- and access control. Unfortunately, malicious or buggy tem services. They do not, however, provide the ability applications can deny service to other applications. For to isolate applications from each other, or limit their re- example, a Java applet can generate excessive amounts source consumption. This paper describes KaffeOS, a of garbage and cause a Web browser to spend all of its Java runtime system that provides these features. The time collecting it. KaffeOS architecture takes many lessons from operating To support the execution of untrusted code, type-safe system design, such as the use of a user/kernel bound- language runtimes need to provide a mechanism to iso- ary, and employs garbage collection techniques, such as late and manage the resources of applications, analogous write barriers. to that provided by operating systems. Although other re- The KaffeOS architecture supports the OS abstraction source management abstractions exist [4], the classic OS of a process in a Java virtual machine.
    [Show full text]
  • Responsive Web Design (RWD) Building a Single Web Site for the Desktop, Tablet and Smartphone
    Responsive Web Design (RWD) Building a single web site for the desktop, tablet and smartphone An Infopeople Webinar November 13, 2013 Jason Clark Head of Digital Access & Web Services Montana State University Library pinboard.in tag pinboard.in/u:jasonclark/t:rwd/ twitter as channel (#hashtag) @jaclark #rwd Terms: HTML + CSS Does everybody know what these elements are? CSS - style rules for HTML documents HTML - markup tags that structure docs - browsers read them and display according to rules Overview • What is Responsive Web Design? • RWD Principles • Live RWD Redesign • Getting Started • Questions http://www.w3.org/History/19921103-hypertext/hypertext/WWW/Link.html Responsive design = 3 techniques 1. Media Queries 2. A Fluid Grid 3. Flexible Images or Media Objects RWD Working Examples HTML5 Mobile Feed Widget www.lib.montana.edu/~jason/files/html5-mobile-feed/ Mobilize Your Site with CSS (Responsive Design) www.lib.montana.edu/~jason/files/responsive-design/ www.lib.montana.edu/~jason/files/responsive-design.zip Learn more by viewing source OR Download from jasonclark.info & github.com/jasonclark Media Queries • switch stylesheets based on width and height of viewport • same content, new view depending on device @media screen and (max-device- width:480px) {… mobile styles here… } * note “em” measurements based on base sizing of main body font are becoming standard (not pixels) Media Queries in Action <link rel="stylesheet" type="text/css” media="screen and (max-device-width:480px) and (resolution: 163dpi)” href="shetland.css" />
    [Show full text]
  • Coast Guard Cutter Seamanship Manual
    U.S. Department of Homeland Security United States Coast Guard COAST GUARD CUTTER SEAMANSHIP MANUAL COMDTINST M3120.9 November 2020 Commandant US Coast Guard Stop 7324 United States Coast Guard 2703 Martin Luther King Jr. Ave SE Washington, DC 20593-7324 Staff Symbol: (CG-751) Phone: (202) 372-2330 COMDTINST M3120.9 04 NOV 2020 COMMANDANT INSTRUCTION M3120.9 Subj: COAST GUARD CUTTER SEAMANSHIP MANUAL Ref: (a) Risk Management (RM), COMDTINST 3500.3 (series) (b) Rescue and Survival Systems Manual, COMDTINST M10470.10 (series) (c) Cutter Organization Manual, COMDTINST M5400.16 (series) (d) Naval Engineering Manual, COMDTINST M9000.6 (series) (e) Naval Ships' Technical Manual (NSTM), Wire and Fiber Rope and Rigging, Chapter 613 (f) Naval Ships’ Technical Manual (NSTM), Mooring and Towing, Chapter 582 (g) Cutter Anchoring Operations Tactics, Techniques, and Procedures (TTP), CGTTP 3-91.19 (h) Cutter Training and Qualification Manual, COMDTINST M3502.4 (series) (i) Shipboard Side Launch and Recovery Tactics, Techniques, and Procedures (TTP), CGTTP 3-91.25 (series) (j) Shipboard Launch and Recovery: WMSL 418’ Tactics, Techniques, and Procedures (TTP), CGTTP 3-91.7 (series) (k) Naval Ships’ Technical Manual (NSTM), Boats and Small Craft, Chapter 583 (l) Naval Ship’s Technical Manual (NSTM), Cranes, Chapter 589 (m) Cutter Astern Fueling at Sea (AFAS) Tactics, Techniques, and Procedures (TTP), CGTTP 3-91.20 (n) Helicopter Hoisting for Non-Flight Deck Vessels, Tactics, Techniques, and Procedures (TTP), CGTTP 3-91.26 (o) Flight Manual USCG Series
    [Show full text]
  • 05192020 Build M365 Rajesh Jha
    05192020 Build M365 Rajesh Jha Build 2020 Microsoft 365 Rajesh Jha Monday, May 19, 2020 [Music.] (Video segment.) RAJESH JHA (EVP, Experiences & Devices): Hello, everyone. Thank you for being a part of Build 2020. It is such a pleasure to connect with you all virtually today. The fact that this conference can happen right now when we are all working and living apart is really remarkable. We are truly living in an era of remote everything, and it's clear that this is an inflection point for productivity. Microsoft 365 is the world's productivity cloud, and we aspire to make it the best platform for developers to build productivity solutions for work, life and learning. But we can't do it alone, we need you, and today, you're going to see how we can partner together to create the future of productivity. Our session today is for every developer, from ISVs building their own apps, to corporate developers creating custom solutions, to citizen developers using Teams and Power Platform. As an integrated security and productivity solution, Microsoft 365 is a one-stop shop for everything that people need right now, from remote work to telemedicine to learning. But it's not just a set of finished apps and services. It's also a rich developer platform. This stack diagram summarizes the key components. Our foundation is built on the Microsoft Graph. The Microsoft Graph is the container for all rich data and signals that describe how people and teams work together in an organization to get things done.
    [Show full text]