FSMesh - Flexibly Securing Mashups by User Defined DOM Environment

Yi Wang, Tao Guo, Zhiwei Shi, Zhoujun Li

2012

Abstract

A growing trend among today's web sites is to combine active content (applications) from untrusted sources, as in so-called mashups, to provide more functionality and expressiveness. Because of the risk of leaking sensitive information to these third-party sources, there is an urgent need for a secure “sandbox” that runs untrusted content while still letting developers apply flexible security policies. In this paper, we propose and implement a new framework, based on HTML5 technology, that prevents untrusted applications from interfering with each other. By creating a separate fake DOM environment in the background, developers can load untrusted content into the “sandbox” and apply their custom security policy in the real window or on the server side when receiving script-generated messages from it. The advantage is flexibility: the security policy is itself written in JavaScript and requires minimal learning effort from web developers. The drawback is that the framework relies on “web workers” and the “postMessage” method introduced in HTML5, so it cannot run in older browsers that lack this support.
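
The pattern the abstract describes, sketched as an added example; this is not code from the paper, and every name in it (makeFakeDocument, hostPolicy, runWidget, the message fields) is hypothetical. Untrusted code sees only a fake document that turns each DOM operation into a message, and a default-deny policy written in plain JavaScript decides on the host side what reaches the real page.

```javascript
// Added illustration; all names here are hypothetical, not FSMesh's API.
// In a browser the sandbox half runs inside a Web Worker (no window, no real
// DOM) and `post` is the worker's postMessage; here it is a plain callback.

// Sandbox side: a fake document whose operations only emit messages.
function makeFakeDocument(post) {
  const element = (id) => ({
    set textContent(v) { post({ op: 'setText', target: id, value: String(v) }); },
    set innerHTML(v) { post({ op: 'setHTML', target: id, value: String(v) }); },
    setAttribute(name, v) {
      post({ op: 'setAttr', target: id, name: String(name), value: String(v) });
    },
  });
  return {
    getElementById: (id) => element(String(id)),
    get cookie() { post({ op: 'readCookie' }); return ''; }, // never real cookies
  };
}

// Host side: the policy is ordinary JavaScript and denies by default.
const ALLOWED_TARGETS = new Set(['widget-root']); // constructed: region granted to the widget
const ALLOWED_ATTRS = new Set(['class', 'title']);
function hostPolicy(msg) {
  if (!msg || !ALLOWED_TARGETS.has(msg.target)) return { allow: false, reason: 'target not granted' };
  if (msg.op === 'setText') return { allow: true, reason: 'text write' };
  if (msg.op === 'setAttr' && typeof msg.name === 'string' && ALLOWED_ATTRS.has(msg.name.toLowerCase())) {
    return { allow: true, reason: 'allowlisted attribute' };
  }
  return { allow: false, reason: 'operation not permitted' };
}

// Runs a widget against the fake document and returns the host's decisions.
function runWidget(widget) {
  const decisions = [];
  const post = (msg) => {
    const data = JSON.parse(JSON.stringify(msg)); // only plain data crosses, as with postMessage
    decisions.push({ ...data, ...hostPolicy(data) });
  };
  widget(makeFakeDocument(post));
  return decisions;
}

// Constructed sample of untrusted widget code.
function sampleWidget(document) {
  document.getElementById('widget-root').textContent = 'Weather: sunny';
  document.getElementById('widget-root').setAttribute('onclick', 'track()');
  document.getElementById('login-form').innerHTML = '<input name=pw>';
  void document.cookie;
}
```

Calling runWidget(sampleWidget) returns four decisions: only the text write to the granted region is allowed, while the event-handler attribute, the write outside the region and the cookie read are denied.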

Paper Citation


in Harvard Style

Wang Y., Shi Z., Guo T. and Li Z. (2012). FSMesh - Flexibly Securing Mashups by User Defined DOM Environment. In Proceedings of the 8th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST, ISBN 978-989-8565-08-2, pages 96-102. DOI: 10.5220/0003899000960102


in Bibtex Style

@conference{webist12,
author={Yi Wang and Zhiwei Shi and Tao Guo and Zhoujun Li},
title={FSMesh - Flexibly Securing Mashups by User Defined DOM Environment},
booktitle={Proceedings of the 8th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST},
year={2012},
pages={96-102},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003899000960102},
isbn={978-989-8565-08-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST
TI - FSMesh - Flexibly Securing Mashups by User Defined DOM Environment
SN - 978-989-8565-08-2
AU - Wang Y.
AU - Shi Z.
AU - Guo T.
AU - Li Z.
PY - 2012
SP - 96
EP - 102
DO - 10.5220/0003899000960102

