Scott Isaacs Presentation, Ajax Experience (Final)


Beyond IFrames: Web Sandboxes

Scott Isaacs, Software Architect, Microsoft

How Web Sites are Built Today

• The Web normally has a Same Origin Policy, but in practice “your script works in my origin”

• All JavaScript code in the page, regardless of origin, has the same trust level and permissions

• If one bit of code fails or is compromised, the entire page/app/site can be compromised

• Quick Demo…

[Demo slides: YouTube, Google Friend Connect, YouTube, Google News, Error from Amazon]

User’s Expectations ≠ Reality

• Mismatch between browser security and expectations
  • O/S boundaries protected
  • Cross-domain content protected

• Composite pages have a single policy
  • Aggregation (mash-ups) not protected

• You need a composite policy for a composite page

• Let’s secure the cookie…

The growing risk…

• Differentiation between Cloud and Local Services is blurring…

• User Data being aggregated…
  • Personal Data (both local and cloud-based): Storage, Photos, E-Mail, Social Network/Contacts, IM
  • Devices: Phones, GPS, Camera, etc.

• …and exposed to…
  • Site Services: Rich Advertising, Analytics, Maps, Affiliate Programs
  • Site Extensibility: Gadgets, Libraries, etc.

What about IFrames?

• Still exploitable…
  • Run-away code…
  • Navigation…
  • Click-Jacking…

• And not rich enough…
  • Designed for content embedding
  • Established fixed “policies”
  • Won’t work for display integration (e.g., fly-outs)
  • Fails for tight integration with APIs, CSS

• Isolation model, not a Security Architecture

Web Sandbox

• Isolate and secure the boundaries via composite host-defined policies

• Builds on existing knowledge
  • Embrace existing programming patterns
  • Provides browser equalization

• Open Source Project (Apache License)

QoS - Going beyond security

• Profiles executing code

• Error tracking and recovery

• Code Throttling

• LifeCycle management

• QoS Demo…

Creating Secure Containers

[Diagram: “Your Web Page” hosting several containers; each container has its own Policy and Rules, a Web Sandbox Virtual Machine, and the Untrusted Script it runs]

Web Sandbox: The Big Picture

[Diagram: the Trusted Host (e.g., your site) requests untrusted content; the Untrusted Content passes through a Transformation Pipeline (server- or client-based) that virtualizes the code; the output runs as Sandboxed Execution inside the Sandbox Virtual Machine (a JavaScript library)]

Transformation Process

1. Request Resource

2. Parse Resource

3. Output JavaScript for execution within

the Sandbox VM

Let’s take a look….

Sandbox Virtual Machine

• Validates execution against policies

• Supports instancing and lifecycle

• Monitors QoS via profiling & throttling

• Protects external communication

Policies

• Contextually-aware API “tables”

• Allow/Deny/Augment rules

• Cascading model

• Default “Gadget” Policy

• Supports JavaScript/ W3C DOM

• Provides Namespace isolation

• Demo…
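An added example, not Web Sandbox's own code, covering both the Transformation Process (virtualizing untrusted code so it can only reach what the VM gives it) and the Policies slide (contextually-aware API tables with Allow/Deny/Augment rules that cascade, with a default Gadget policy). Everything here is an assumption for illustration: the rule format, `cascade()`, `membrane()`, `runInSandbox()`, the policy objects and the fake document. The real project rewrites the script's source; this toy version gets the same effect by running the source inside a `with` scope backed by a Proxy whose `has` trap always answers true, so no free identifier can fall through to the real globals.

```javascript
// Added example (not the project's code): a toy sandbox VM that runs
// untrusted script against cascading Allow/Deny/Augment API tables.

// Constructed stand-in for the host page's DOM (not a real document).
function makeFakeDocument() {
  const elements = {
    box:   { id: "box",   tagName: "DIV"  },   // the gadget's own container
    login: { id: "login", tagName: "FORM" },   // host content the gadget must not reach
  };
  return {
    cookie: "session=s3cr3t",
    title: "Host page",
    getElementById(id) { return elements[id] || null; },
  };
}

// An API table maps names to a rule: "allow", "deny", a nested table for an
// object's members, or a function(value, owner) that returns a wrapped value
// (augment). Anything not listed is denied.
const GadgetPolicy = {
  document: { title: "allow", cookie: "deny", getElementById: "deny" },
  Math: "allow",
  JSON: "allow",
};

// Cascade: later tables override earlier ones name by name, recursing into
// nested tables so a host can refine the default policy selectively.
function cascade(...tables) {
  const merged = {};
  for (const table of tables) {
    for (const [name, rule] of Object.entries(table)) {
      const both = typeof rule === "object" && typeof merged[name] === "object";
      merged[name] = both ? cascade(merged[name], rule) : rule;
    }
  }
  return merged;
}

// Membrane: a Proxy that resolves every name through the table for its
// context. `has` always answers true so that, under `with`, lookups never
// continue to the real global object.
function membrane(target, table, path) {
  return new Proxy(Object.create(null), {
    has: () => true,
    get(_, prop) {
      if (typeof prop === "symbol") return undefined;   // Symbol.unscopables etc.
      const rule = table[prop];
      const name = path ? `${path}.${prop}` : prop;
      if (rule === undefined || rule === "deny") {
        throw new Error(`sandbox policy: access to ${name} denied`);
      }
      const value = target[prop];
      if (typeof rule === "function") return rule(value, target);        // augment
      if (typeof rule === "object") return membrane(value, rule, name);  // nested table
      return typeof value === "function" ? value.bind(target) : value;   // allow
    },
    set(_, prop) { throw new Error(`sandbox policy: write to ${prop} denied`); },
  });
}

// "Virtualize" the untrusted source: every free identifier in it resolves
// through the membrane, and only the returned value leaves the sandbox.
function runInSandbox(source, policy, hostGlobals) {
  const scope = membrane(hostGlobals, policy, "");
  return new Function("$scope", "with ($scope) { " + source + " }")(scope);
}

// A host refines the default Gadget policy: getElementById is re-enabled but
// augmented so the gadget can only reach its own container.
const HostPolicy = cascade(GadgetPolicy, {
  document: {
    getElementById: (fn, doc) => (id) => (id === "box" ? fn.call(doc, id) : null),
  },
});

// Runs a few constructed gadget snippets and returns what each one got back
// (a value, or the policy error message).
function demo() {
  const globals = { document: makeFakeDocument(), Math, JSON };
  const attempt = (src) => {
    try { return runInSandbox(src, HostPolicy, globals); } catch (e) { return e.message; }
  };
  return {
    allowed:  attempt("return document.title + ' ' + Math.max(1, 2);"),
    denied:   attempt("return document.cookie;"),
    ownBox:   attempt("return document.getElementById('box').id;"),
    hostForm: attempt("return document.getElementById('login');"),
    unlisted: attempt("return typeof process;"),
    write:    attempt("document.title = 'pwned'; return document.title;"),
  };
}
```

The `unlisted` case is the one to keep in mind when writing a policy: because the membrane answers `has` for every name, even `typeof process` is resolved through the table and denied, whereas an allow-list that let unknown names fall through would hand the gadget the real global object.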

Simple Integration…

<!-- the Sandbox Virtual Machine (JavaScript library) -->
<script src="sandbox2.js"></script>

<!-- the container the sandboxed gadget is allowed to render into -->
<div id="box"></div>

<!-- the Transformation Pipeline output: untrusted.js, virtualized for execution inside the VM -->
<script src="transform.ashx?type=script&guid=GadgetGUID&ua=IE8&url=http://siteexperts.com/untrusted.js"></script>

<!-- bind the container, the policy (here the default Gadget policy) and the gadget id -->
<script>
var instance = new $Sandbox(document.getElementById("box"), $Policy.Gadget, 'GadgetGUID');
instance.initialize();
</script>

(Note: the url value is shown unencoded for readability; in a real page the query parameter should be URL-encoded.)

Closing Thoughts…

• Web Application ecosystem is evolving

• Applications getting richer via aggregation

• More valuable services and personal data are exposed

• The web security model must evolve

• Web Sandbox adds protection across the boundaries

• Sites can properly model and enforce the trust relationship

• Sites can protect themselves and their users

• Possible without redefining the web…

• Go play with it (http://websandbox.livelabs.com)

Learn more at: http://websandbox.livelabs.com

Also don’t miss the panel “Secure Mashups: Getting to Safe Web Plug-ins”, Wednesday, 10:55am

Questions?
