Protection and Communication Abstractions for Web Browsers in Mashupos
Total Page:16
File Type:pdf, Size:1020Kb
Protection and Communication Abstractions for Web Browsers in MashupOS Helen J. Wang Xiaofeng Fan Jon Howell Collin Jackson Microsoft Research Microsoft Research Microsoft Research Stanford University Redmond, WA, USA Redmond, WA, USA Redmond, WA, USA Palo Alto, CA, USA [email protected] [email protected] [email protected] [email protected] ABSTRACT evolved to be a multi-principal operating environment where mu- Web browsers have evolved from a single-principal platform on tually distrusting Web sites (as principals) interact programmati- which one site is browsed at a time into a multi-principal plat- cally in a single page on the client side, sharing the underlying form on which data and code from mutually distrusting sites in- browser resources. This resembles the PC operating environment teract programmatically in a single page at the browser. Today’s where mutually distrusting users share host resources. “Web 2.0” applications (or mashups) offer rich services, rivaling However, unlike PCs that utilize multi-user operating systems for those of desktop PCs. However, the protection and communication resource sharing, protection, and management, today’s browsers do abstractions offered by today’s browsers remain suitable only for not employ any operating system abstractions, but provide just a a single-principal system—either no trust through complete isola- limited all-or-nothing trust model and protection abstractions suit- tion between principals (sites) or full trust by incorporating third able only for a single-principal system: There is either no trust party code as libraries. In this paper, we address this deficiency across principals through complete isolation or full trust through by identifying and designing the missing abstractions needed for incorporating third party code as libraries. Consequently, Web pro- a browser-based multi-principal platform. We have designed our grammers are forced to make tradeoffs between security and func- abstractions to be backward compatible and easily adoptable. We tionality, and oftentimes sacrifice security for functionality. have built a prototype system that realizes almost all of our abstrac- In the MashupOS project, we aim to design and build a browser- tions and their associated properties. Our evaluation shows that our based multi-principal operating system. Among the myriad of op- abstractions make it easy to build more secure and robust client- erating system issues, we focus on the most imminent needs of side Web mashups and can be easily implemented with negligible today’s browsers: abstractions for protection and communication. performance overhead. The goal of protection is to prevent one principal from compro- mising the confidentiality and integrity of other principals, while communication allows them to interact in a controlled manner. Categories and Subject Descriptors We follow the principles below in designing our abstractions for D.4.6 [Operating Systems]: Security and Protection Web programmers: • Match all common trust levels: We must understand all the General Terms common trust levels between Web content providers and in- Design, Security, Standardization tegrators and aim to provide abstractions matching these lev- els of trust. Otherwise, Web programmers would face mak- Keywords ing tradeoffs among trust levels, either trusting more, and sacrificing security, or trusting less, and losing functionality. Browser, Web, same-origin policy, protection, communications, se- curity, multi-principal OS, abstractions • Strike a balance between ease-of-use and security: One might argue that a system is either secure or insecure and 1. INTRODUCTION there should be no middle ground. This may be true for designing a security system like an authentication system, Web browsers are becoming the single stop for everyone’s com- but not true when designing abstractions for programmers. puting needs including information access, personal communica- A rigid set of abstractions that tie programmers’ hands and tions, office tasks, and e-commerce. Today’s Web applications syn- limit flexibility for the purpose of better security often has thesize the world of data and code, offering rich services through a short life span, since programmers can build up libraries Web browsers and rivaling those of desktop PCs. Browsers have on the rigid interfaces to make their lives easy, resulting in a de facto abstraction for all programmers. It would be bet- ter for abstraction designers to design those abstractions with security in mind. Our goal here is to provide a full set of ab- Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are stractions and enable programmers to build robust and secure not made or distributed for profit or commercial advantage and that copies services that match their trust expectations (see above bullet), bear this notice and the full citation on the first page. To copy otherwise, to rather than to make it impossible for programmers to shoot republish, to post on servers or to redistribute to lists, requires prior specific themselves in the foot. permission and/or a fee. SOSP’07, October 14–17, 2007, Stevenson, Washington, USA. • Easy adoption and no unintended behaviors: Allowing easy Copyright 2007 ACM 978-1-59593-591-5/07/0010 ...$5.00. adoption is paramount in our abstraction design. We must ensure that our abstractions allow programmers to provide then describe a new access control policy that mashup authors are fallback mechanisms when Web pages using them are ren- demanding through existing proposals. dered by legacy browsers. We also must ensure that there are no undesirable interactions between new services and old 2.1 The Same-Origin Policy and the services in the new browser environment where our abstrac- All-or-Nothing Trust Model tions are supported. The same-origin Policy (SOP) governs the access control on to- day’s browsers. The SOP prevents documents or scripts loaded By analyzing the trust relationship between content providers from one origin from getting or setting properties of documents and integrators, we identify four types of content that require sup- from a different origin [38]. (The origin that a script is loaded is port from the Web and browsers: (1) isolated content that is in- the origin of the document that contains the script rather than the tended to be completely isolated from other sites (domains), (2) origin that hosts the script.) Two pages have the same origin if access-controlled content that is isolated but allows message pass- the protocol, port (if given), and host are the same for both pages. ing across domains to give mediated access to the content, (3) open Each browser window, <frame>, or <iframe> is a separate doc- content that allows any domain to access and integrate as the do- ument, and each document is associated with an origin. The SOP main’s own content, and (4) unauthorized content that assumes no policy concerns three browser resources: cookies, the HTML doc- privileges of any domain. Existing browser abstractions support ument tree, and remote store access. In more detail, a site can only only isolated content with the <frame> abstraction and open con- sets its own cookie and a cookie is sent to only the site that sets tent with the <script> abstraction, resulting in an all-or-nothing the cookie along with HTTP requests to that site. Two documents trust model. from different origins cannot access each other’s HTML document We propose abstractions for the missing content types and trust using the Document Object Model (DOM) which is a platform- relationships. We advocate unauthorized content to be a funda- and language-neutral interface that will allow programs and scripts mental addition to today’s Web content provisioning. We introduce to dynamically access and update the content, structure and style <Sandbox> and <OpenSandbox> abstractions and a provider- of documents [13]. A script can access its document origin’s re- browser protocol to enable content providers to publish and in- mote data store using the XMLHttpRequest object, which issues tegrators to consume unauthorized content without liability and an asynchronous HTTP request to the remote server [43]. (XML- overtrusting, providing both security and ease in creating client HttpRequest is the cornerstone of the AJAX programming.) The mashups. Such support can also fundamentally combat Cross Site SOP requires a script to issue XMLHttpRequest to only its docu- Scripting attacks (a prominent threat in today’s Web and a con- ment origin. sequence of the all-or-nothing trust model) while allowing the For example, an <iframe> sourced with ØØÔ»»º Ó Ñ can- richest possible third party content. We have also proposed the not access any HTML DOM elements from another <iframe> <ServiceInstance> abstraction for isolation, fault containment, sourced with ØØÔ»» Ó Ñ and vice versa. a.com’s scripts can and as the unit of resource allocation and CommRequest for cross- issue XMLHttpRequests to only a.com, but not to b.com. HTTP domain communications unifying recent proposals. requests to a.com send only cookies that are set by a.com. We have designed these new abstractions to be backward com- A document may contain <script> elements from different patible and free of undesirable interactions with legacy browsers domains. Such third party scripts are treated as libraries that run as and legacy content. Our prototype implementation and evaluation the document’s origin rather than the scripts’ origins and can access demonstrate that the abstractions can be practically integrated into all of the document’s resources. For example, ×ÖÚ º modern browser software with negligible overhead. ØÑÐ may contain the markup <script src=‘http://b.com/lib.js’>, For the rest of the paper, we first give background in Section 2. which allows Ðº× to access a.com’s HTML DOM objects, In Section 3, we describe browser resources and define MashupOS cookies and data through XMLHttpRequest.