User Interface Toolkit Mechanisms For Securing Interface Elements
Franziska Roesner, James Fogarty, Tadayoshi Kohno
Computer Science & Engineering, DUB Group, Security & Privacy Research Lab
University of Washington
User Interface Toolkits
• Ease interface design and implementation.
• Provide developers with flexibility and expressivity.
Assumption: Developers have full control of an interface.
New Challenge: Modern interfaces include elements implemented by different developers.
[Figure: a sample app interface containing an ad from an ad library, a "Like us on Facebook!" social button from the Facebook library, and a map from the Google library.]
Attack #1: Programmatic Click Fraud
[Figure: an ad server receiving a genuine user click and a programmatic click issued by the app developer's code.]
Attack #2: Size Manipulation
Android requires applications to display a camera preview in order to take a photo.
[Figure: a 1 pixel × 1 pixel camera preview.]
Attack #3: Eavesdropping
[Figure: an app screen reading "NEW! Login with your Google account!" beside a Google login box, and its interface layout tree: Background{App} with children LoginBox{Google} and Text{App}.]
Terminology: Code from different developers is in different trust groups.
Attack #3: Eavesdropping
[Figure: the same layout tree, Background{App} with children LoginBox{Google} and Text{App}. The user types "p@ssw0rd" into the Google login box, which displays ********, but the password also reaches the app developer's code in the app's own nodes.]
Attack #4: Display Takeover
Ad Library Code:
    Widget parent = adWidget.getParent();   // climb from the ad widget into the app's tree
    parent.removeChildren();                // clear the app's interface
    parent.addChild(fullScreenAd);          // and replace it with a full-screen ad
An Opportunity for Toolkits
• These vulnerabilities are in the user interface.
• Existing solutions come at the expense of interface usability and flexibility.
Addressing these vulnerabilities in the user interface toolkit provides better security and enables new interfaces.
Desired Security Properties
1. Display Integrity
2. Input Integrity
3. Intent Integrity
4. Data Isolation
5. UI-to-API Links
Desired Security Properties
1. Display Integrity: Protect the display of interface elements across trust groups.
Recall the attacks: Size Manipulation, Display Takeover.
Desired Security Properties
2. Input Integrity: Prevent programmatic interaction with interface elements across trust groups.
Recall the attack: Programmatic Click Fraud.
Desired Security Properties
4. Data Isolation: Protect displayed content and input across trust groups.
Recall the attack: Eavesdropping.
Architecting a Toolkit for Security
Techniques:
• Isolating trust groups
• Interface layout tree invariants
• Model-level event listeners
• Composition across trust groups
• Flexible feedback (for drag-and-drop, lenses)
Goals: (1) Achieve our desired security properties. (2) Maintain usability and developer flexibility.
Interface Layout Tree Vulnerabilities
(1) Insecure Layout: Parent elements can manipulate the layout of the child elements.
Recall the attack: Size Manipulation.
[Figure: a size request flowing through the layout tree.]
Problem: In a traditional layout tree, there is no guarantee of a trusted path to every node.
Interface Layout Tree Vulnerabilities
(2) Insecure Input: Parents can eavesdrop on or modify events intended for children.
Recall the attack: Eavesdropping.
[Figure: input events flowing down the layout tree of the app showing "NEW! Login with your Google account!".]
Problem: In a traditional layout tree, there is no guarantee of a trusted path to every node.
Interface Layout Tree Invariants
Solution: Introduce new invariants:
1. The root node of an application's layout tree must be a system node.
2. Only system nodes may have children of a different trust group.
[Figure: input events and size requests now pass through system nodes.]
Interface Layout Tree Invariants
How to do visual embedding?
Solution: Introduce a system-trusted proxy node into the layout tree.
The proxy node is introduced automatically and can be transparent to the developer.
[Figure: the app showing "NEW! Login with your Google account!" and its layout tree with the proxy inserted: Root{System} → Background{App} → Proxy{System} → LoginBox{Google}, with Text{App} also under Background{App}. The developer's view omits the proxy: Root{System} → Background{App} → LoginBox{Google}, Text{App}.]
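As an added illustration (not the paper's code or either prototype), a toy Python model of the two invariants and the automatic system proxy; the node names, the caller parameter and the plain rejection of cross-group size requests are assumptions, and the same caller check is applied to clicks to show the input-integrity property from the earlier slides.

```python
class IntegrityError(Exception):
    """Toy model, not the paper's code: one trust group touched another group's node."""

class Node:
    def __init__(self, name, trust, size=(100, 40)):
        self.name, self.trust, self.size = name, trust, size
        self.parent, self.children = None, []

    def _may_control(self, caller):
        # Only the node's own trust group or the system may change it.
        return caller in (self.trust, "system")

    def add_child(self, child):
        # Invariant 2: a non-system parent gets a system proxy inserted
        # automatically between itself and a child from another trust group.
        holder = self
        if child.trust != self.trust and self.trust != "system":
            holder = Node(f"proxy:{child.name}", "system")
            holder.parent = self
            self.children.append(holder)
        child.parent = holder
        holder.children.append(child)
        return child

    def set_size(self, width, height, caller):
        # Attack #2 needs the app to shrink a foreign element to 1x1; here the
        # cross-group request is simply rejected (the real toolkit mediates it).
        if not self._may_control(caller):
            raise IntegrityError(f"{caller} may not resize {self.name}")
        self.size = (width, height)

    def remove_children(self, caller):
        # Attack #4: the ad library's parent is now a system proxy, so
        # getParent().removeChildren() from ad code cannot clear the screen.
        if not self._may_control(caller):
            raise IntegrityError(f"{caller} may not clear {self.name}")
        self.children = []

    def click(self, caller):
        # Input integrity: real user clicks arrive through the system root;
        # a programmatic click from another trust group (attack #1) is dropped.
        if caller != "user" and not self._may_control(caller):
            raise IntegrityError(f"{caller} may not click {self.name}")
        return f"{self.name} clicked"

def build_tree():
    # Invariant 1: the root of the application's layout tree is a system node.
    root = Node("root", "system")
    background = root.add_child(Node("background", "app"))
    ad = background.add_child(Node("ad", "adlib"))
    login = background.add_child(Node("loginbox", "google"))
    return root, background, ad, login
```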
More in the paper!
• Techniques for flexibility
  – Exposing model-level APIs across trust groups
  – Composing trust groups in one interface element
  – Supporting feedback (drag-and-drop, lenses)
• Prototype implementations for Android and a web browser
[Figure: the Google login element ("NEW! Login with your Google account!") handing a login token to the app, and a "Like us on Facebook!" button.]
Conclusion
• Questions for future work and discussion:
  – What are appropriate defaults for access to APIs across trust groups?
  – What new interfaces will a secure toolkit enable?
A security-aware toolkit architecture can achieve security properties while maintaining developer flexibility.
This work was supported by the NSF under Graduate Research Fellowship award DGE-0718124 as well as awards CNS-0846065 and IIS-1053868.