A Safety-Oriented Platform for Web Applications Richard S. Cox†, Jacob Gorm Hansen‡, Steven D. Gribble†, and Henry M. Levy† †Department of Computer Science & Engineering ‡Department of Computer Science University of Washington University of Copenhagen {rick, gribble, levy}@cs.washington.edu [email protected] Abstract 1 Introduction The 1993 release of the Mosaic browser sparked the on- The Web browser has become the dominant interface to set of the modern Web revolution [24]. The nascent Web a broad range of applications, including online banking, was a hypertext document system for which the browser Web-based email, digital media delivery, gaming, and e- performed two functions: it fetched simple, static content commerce services. Early Web browsers provided simple from Web servers, and it presented that content to the user. access to static hypertext documents. In contrast, modern A key Web feature was the ability for one Web site to link browsers serve as de facto operating systems that must man- to (or embed) content published by other sites. As a result, age dynamic and potentially malicious applications. Unfor- users navigating the early Web perceived it as a vast repos- tunately, browsers have not properly adapted to their new itory of interconnected, passive documents. role. As a consequence, they fail to provide adequate isola- Since that time, the Web has become increasingly com- tion across applications, exposing both users and Web ser- plex in both scale and function. It provides access to an vices to attack. enormous number of services and resources, including fi- This paper describes the architecture and implementa- nancial accounts, Web mail, archival file storage, multime- tion of the Tahoma Web browsing system. Key to Tahoma is dia, and e-commerce services of all types. Users transfer the browser operating system (BOS), a new trusted software funds, purchase tickets, file their taxes, apply for employ- layer on which Web browsers execute. The benefits of this ment, and seek medical advice through the Web. Their per- architecture are threefold. First, the BOS runs the client- ceptions of the Web have evolved, as well. Today’s users side component of each Web application (e.g., on-line bank- see the modern Web as a portal to a collection of indepen- ing, Web mail) in its own virtual machine. This provides dent, dynamic applications interacting with remote servers. strong isolation between Web services and the user’s local Moreover, they expect that Web applications will behave resources. Second, Tahoma lets Web publishers limit the like the applications on their desktops. For example, users scope of their Web applications by specifying which URLs trust that Web applications are sufficiently isolated from and other resources their browsers are allowed to access. one another that tampering or unintended access to sensi- This limits the harm that can be caused by a compromised tive data will not occur. browser. Third, Tahoma treats Web applications as first- To respond to the demands of dynamic services, the class objects that users explicitly install and manage, giv- browser has evolved from a simple document rendering en- ing them explicit knowledge about and control over down- gine to an execution environment for complex, distributed loaded content and code. applications that execute partially on servers and partially within clients’ browsers. Modern Web browsers download We have implemented a prototype of Tahoma using Linux and execute programs that mix passive content with active and the Xen virtual machine monitor. Our security eval- scripts, code, or applets. These programs: effect transac- uation shows that Tahoma can prevent or contain 87% of tions with remote sites; interact with users through menus, the vulnerabilities that have been identified in the widely dialog boxes, and pop-up windows; and access and mod- used Mozilla browser. In addition, our measurements of ify local resources, such as files, registry keys, and browser latency, throughput, and responsiveness demonstrate that components. The browser, then, has transcended its origi- users need not sacrifice performance for the benefits of nal role to become a de facto operating system for executing stronger isolation and safety. client-side components of Web applications. Unfortunately, current browsers are not adequately de- signed for their new role and environment. Despite many Web content being downloaded and executed. Web services attempts to retrofit isolation and security, the browser’s orig- gain the ability to restrict the set of sites with which their ap- inal roots remain evident. Simply clicking on a hyperlink plications can communicate, thereby limiting damage from can cause hostile software to be downloaded and executed hijacked browsers. Active Web content and the browser that on the user’s machine. Such “drive-by downloads” are a interprets and renders it are isolated in a private virtual ma- common cause of spyware infections [23]. Trusted plug-ins chine, protecting the user’s desktop from side-effects, mali- may have security holes that permit content-based attacks. cious or otherwise. Browser extensibility features, such as ActiveX components The idea of sandboxing Web browsers is not new. For and JavaScript, expose users to vulnerabilities that can po- example, VMware has recently release a virtual-machine- tentially result in the takeover of their machines. based “Web browser appliance,” containing a checkpointed Users assume that Web applications cannot interfere image of the Firefox browser on Linux [32]. As another ex- with one another or with the browser itself. However, to- ample, GreenBorder [12] augments Windows with an OS- day’s browsers fail to provide either kind of isolation. For level sandbox mechanism similar to BSD jails [17], in order example, attackers can take advantage of cross-site script- to contain malicious content arriving through Internet Ex- ing vulnerabilities to fool otherwise benign Web applica- plorer or Outlook. Our work uses VMs to provide strong tions into delivering harmful scripted content to users, leak- sandboxes for Web browser instances, but our contribu- ing sensitive data from those services. Other browser flaws tion is much broader than the containment this provides. let malicious Web sites hijack browser windows [26] or Tahoma isolates Web applications from each other, in addi- spoof browser fields, such as the displayed URL [37]. Such tion to isolating Web browsers from the host operating sys- flaws facilitate “phishing” attacks, in which a hostile appli- tem. As well, Tahoma permits Web services to customize cation masquerades as another to capture information from the browsers used to access them, and to control which re- the user. mote sites their browser instances can access. Overall, it is clear that current browsers cannot cope with We have implemented a prototype of the Tahoma brows- the demands and threats of today’s Web. While holes can ing system using Linux and the Xen virtual machine mon- be patched on an ad hoc basis, a thorough re-examination itor [4] and modified the Konqueror browser to execute on of the basic browser architecture is required. To this end, top of it. Our experience shows that the Tahoma architecture we have designed and implemented a new browsing system is straightforward to implement, protects against the major- architecture, called Tahoma. The Tahoma architecture ad- ity of existing threats, and is compatible with existing Web heres to three key principles: services and browsers. We also demonstrate that the ben- efits of our architecture can be achieved without compro- 1. Web applications should not be trusted. Active content mising user-visible performance, even for video-intensive in today’s Internet is potentially dangerous. Both users browsing applications. and Web services must protect themselves against a The remainder of this paper is organized as follows. Sec- myriad of online threats. Therefore, Web applications tion 2 defines Tahoma’s high-level architecture and abstrac- should be contained within appropriate sandboxes to tions. Section 3 describes the implementation, while Sec- mitigate potential damage. tion 4 evaluates our prototype with respect to both function 2. Web browsers should not be trusted. Modern browsers and performance. Section 5 presents related work, and we are complex and prone to bugs and security flaws conclude our discussion in Section 6. that can be easily exploited, making compromised browsers a reality in the modern Internet. Therefore, 2 Architecture browsers should be isolated from the rest of the sys- tem to mitigate potential damage. The Tahoma architecture has six key features: 3. Users should be able to identify and manage down- loaded Web applications. Web applications should be 1. It defines a new trusted system layer, the browser op- user visible and controllable, much like desktop appli- erating system (BOS), on top of which browser imple- cations. Users should be able to list all Web applica- mentations (such as Netscape or IE) can run. tions and associated servers that provide code or data, and ascribe browsing-related windows to the Web ap- 2. It provides explicit support for Web applications.A plications that generated them. Web application consists of a browser instance, which includes a client-side browser executing dynamic Web By following these principles, Tahoma substantially im- content and code, and a Web service, which is a col- proves security and trustworthiness for both users and Web lection of Web sites with which the browser instance is services. Users gain knowledge and control of the active permitted to communicate. browser instance browser instance virtual machine disk screen Web Web client browser doc. browser doc. side CPU Web Browser OS browser doc. mem network network Internet keybd. policy Web service Web service server browser instance reverse firewall site site side mouse site site site site HTTP(S) BOS resources: bookmarks (restricted) Web application 1 Web application 2 downloads Internet fork Figure 1. The Tahoma architecture. A Web applica- tion consists of two components: a client-side browser Figure 2.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages15 Page
-
File Size-