object capabilities and isolation of untrusted web
play

Object Capabilities and Isolation of Untrusted Web Applications - PowerPoint PPT Presentation

Dec 02, 2022 •564 likes •1.01k views

Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford

  1. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Object Capabilities and Isolation of Untrusted Web Applications Ankur Taly Dept. of Computer Science, Stanford University Joint work with Sergio Maffeis (Imperial College London) and John C. Mitchell (Stanford University) Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  2. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Outline 1 Isolation problem for Web Mashups 2 Formal definition of Capability Safe languages 3 Solving the Isolation problem using Capability Safe languages 4 Application: JavaScript Mashups Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  3. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit What are Mashups ? Mashup : Applications obtained by mixing content from multiple providers Individual contents being mixed - Components . Publisher of the mashup- Host . Execution environment- Web Browser. Web page (DOM) - Shared resource. Example: iGoogle, Facebook, Yelp Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  4. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Example: iGoogle Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  5. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Security Issue? Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  6. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit This study: Basic Mashups Mashup with non-interacting components. Language: JavaScript ( or any sequential imperative language ). Small-step Operational Semantics. Components: Programs t 1 ; . . . ; t n in JavaScript. Mashup: Sequential composition - t 1 ; . . . ; t n . Shared Resource: Program heap. Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  7. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Mashup Isolation Problem Verify/Enforce the following: Host Isolation: No component must access any security-critical 1 resources of the hosting page. Eg: window.location. Inter-component Isolation: For all i , j , component i and j must 2 access disjoint set of heap resources. Our Previous Research (CSF’09, ESORICS’09): Enforces host isolation. Inter-component isolation is tricky: Library functions are implicitly shared by components. Need complete privilege separation. Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  8. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Mashup Isolation Problem Verify/Enforce the following: Host Isolation: No component must access any security-critical 1 resources of the hosting page. Eg: window.location. Inter-component Isolation: For all i , j , component i and j must 2 access disjoint set of heap resources. Our Previous Research (CSF’09, ESORICS’09): Enforces host isolation. Inter-component isolation is tricky: Library functions are implicitly shared by components. Need complete privilege separation. Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  9. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Capability Safe Languages Main Idea : Every program carries certain capabilities which are the sole means for designating and accessing resources. Object Capability languages (Mark Miller et al): Capabilities idea applied to Object-oriented languages. Properties: Connectivity begets Connectivtiy, No Authority Amplification, Defensive Consistency. Intuitively sounds very relevant, but we need formal definitions for carrying out rigorous proofs. Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  10. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Plan Formally define Capability Systems for Prog. languages: Formally define Capability Safety. Derive a sufficient check for Inter-component isolation using Capability safety. Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  11. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Capability Systems: Basic Features Resources ( m 0 , m 1 , . . . ) Smallest granularity of readable/writable locations on the program heap. Typically organized as a graph. Subjects : Entities that access resources . Program expressions t 0 , t 1 , . . . Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  12. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Capability Capability ( C ) Unforgeable entity that designates and provides access to a resource . Pair ( m , p ) of resource m and permission p ⊆ { r , w } . Subject-Capability Map tCap Each subject possesses certain capabilities. tCap ( t ) is the set of capabilities associated with subject t . Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  13. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Authority Authority of a Capability ( cAuth ) Upper-bound on resources that can be accessed using the capability . cAuth ( H , c ) is the authority of capability c w.r.t heap H . Authority of a Subject ( Auth ) Subjects possess capabilities which in turn provide authority. Auth ( H , t ) = � c ∈ tCap ( t ) cAuth ( H , t ) is the authority of subject t w.r.t heap H Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  14. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Authority Authority of a Capability ( cAuth ) Upper-bound on resources that can be accessed using the capability . cAuth ( H , c ) is the authority of capability c w.r.t heap H . Authority of a Subject ( Auth ) Subjects possess capabilities which in turn provide authority. Auth ( H , t ) = � c ∈ tCap ( t ) cAuth ( H , t ) is the authority of subject t w.r.t heap H Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  15. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Authority Authority of a Capability ( cAuth ) Upper-bound on resources that can be accessed using the capability . cAuth ( H , c ) is the authority of capability c w.r.t heap H . Authority of a Subject ( Auth ) Subjects possess capabilities which in turn provide authority. Auth ( H , t ) = � c ∈ tCap ( t ) cAuth ( H , t ) is the authority of subject t w.r.t heap H Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  16. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Achieving Mashup Isolation using Capabilities Idea: Inter-component isolation can be achieved by allocating capabilities with disjoint authority to Alice and Bob. Authority of a capability depends on the heap. Authorities must be disjoint with respect to what heap ? Auth ( H 1 , Alice ) ∩ Auth ( H 2 , Bob ) = ∅ has to be checked But we don’t know H 2 , we need a check on H 1 ! Next few slides We define capablity safety and show that for safe systems, checking Auth ( H 1 , Alice ) ∩ Auth ( H 1 , Bob ) = ∅ is sufficient. Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  17. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Achieving Mashup Isolation using Capabilities Idea: Inter-component isolation can be achieved by allocating capabilities with disjoint authority to Alice and Bob. Authority of a capability depends on the heap. Authorities must be disjoint with respect to what heap ? Auth ( H 1 , Alice ) ∩ Auth ( H 2 , Bob ) = ∅ has to be checked But we don’t know H 2 , we need a check on H 1 ! Next few slides We define capablity safety and show that for safe systems, checking Auth ( H 1 , Alice ) ∩ Auth ( H 1 , Bob ) = ∅ is sufficient. Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

  18. Isolation problem for Web Mashups Formal definition of Capability Safe languages Solving the Isolation problem using Capabilit Achieving Mashup Isolation using Capabilities Idea: Inter-component isolation can be achieved by allocating capabilities with disjoint authority to Alice and Bob. Authority of a capability depends on the heap. Authorities must be disjoint with respect to what heap ? Auth ( H 1 , Alice ) ∩ Auth ( H 2 , Bob ) = ∅ has to be checked But we don’t know H 2 , we need a check on H 1 ! Next few slides We define capablity safety and show that for safe systems, checking Auth ( H 1 , Alice ) ∩ Auth ( H 1 , Bob ) = ∅ is sufficient. Ankur Taly Object Capabilities and Isolation of Untrusted Web Applications

Recommend

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted

ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Possibly with multiple tenants Setting OS: users / processes Browser: webpages / browser extensions Cloud: virtual machines (VMs)

272 views • 25 slides
Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford

Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford

Web 2 . 0 and the Isolation Problem Case Study : FBJS Formal Semantics of JavaScript Achieving the Isolation goal Ongoing Language Based isolation of Untrusted JavaScript Ankur Taly Dept. of Computer Science, Stanford University Joint work

650 views • 46 slides
Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled

Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled

Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled natural videos Daniel Harari Joint work with Nimrod Dorfman and Shimon Ullman Object Segregation Object 2 Object 1 Background Object

447 views • 40 slides
Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras

Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules or library untrusted

797 views • 46 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation

Virtual Machine Introspection Isolation Interpretation Interposition Isolation From in-guest kernel/userspace Provided by Xen Buggy emulation blurres the line From trusted computing base (TCB) Possible via Xen

286 views • 26 slides
Integrating Vision and Haptics for Object Recognition Sibel Toprak Seminar Talk in Intelligent

Integrating Vision and Haptics for Object Recognition Sibel Toprak Seminar Talk in Intelligent

Integrating Vision and Haptics for Object Recognition Sibel Toprak Seminar Talk in Intelligent Robotics November 9, 2015 Motivation Robust object recognition capabilities required in most robot applications However: Object

594 views • 24 slides
2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The

1 Self Healing Network (Centralized Restoration Gateway) IEEE PES 2015 General Meeting 2 Fault Isolation & Restoration Manual Fault Isolation & Restoration The operator makes switching decisions Automatic Fault Location

724 views • 22 slides
Expressing Security Constraints using capabilities Mark S. Miller and the Cajadores Overview

Expressing Security Constraints using capabilities Mark S. Miller and the Cajadores Overview

Expressing Security Constraints using capabilities Mark S. Miller and the Cajadores Overview This talk The What and Why of object-capabilities (ocaps) My Securing EcmaScript 5 talk tomorrow The How of doing ocaps in JavaScript Patterns

853 views • 67 slides
Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

4/13/2017 OOP Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object oriented Programming (Using C++) ht t p: / / www. com pgeom . com / ~pi yush/ t each/ 3330 Objects: State (fields), Behavior (member

632 views • 6 slides
GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA

GSure Bacterial genomic DNA isolation kit GCC Highlighted Products GSure Gel Extraction kit GSure Soil DNA Isolation kit GSure Sputum DNA Isolation Kit GSure Stool DNA Isolation Kit GSure Urine DNA Isolation Kit GSure Yeast RNA

455 views • 23 slides
Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional

Introduction to pixel track isolation The purpose of track isolation algorithm is an additional improvement of level-1 pixel trigger performance. Procedure of pixel track isolation Reconstructed pixel tracks using kinematic parameters

669 views • 27 slides
#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days

#KEEPTHECONVERSATIONGOING Sick pay and self isolation Day one right SSP for up to 14 days will be reimbursed Self isolation notes from online 111 Self isolation and pay Working from Home Everyone should be working

398 views • 12 slides
Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor

Using technology to reduce social isolation: research on dementia and social isolation Professor Josie Tetley Dr Emma-Reetta Koivunen Ageing and Long Term Conditions Group Faculty of Health, Psychology & Social Care Manchester

338 views • 19 slides
456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between

In this module we would review a typical gate first, poly-Si gate CMOS process flow. 456 457 458 The purpose of shallow trench isolation (STI) is to provide isolation between individual devices in a CMSO chip. Typical process details and the

381 views • 8 slides
W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND

W HEN F EELINGS OF I SOLATION B ECOME A R OADBLOCK Joe & Cindi Ferrini Joeferrini.com Cindiferrini.com W E OFTEN THINK : Isolation is when others leave us alone ( and its often true) B UT WE TEND TOWARD ISOLATION PULLING AWAY FROM :

723 views • 18 slides
NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W

NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W

I nternational Telecom m unication Union ITU-T NGN OAM Capabilities NGN OAM Capabilities Dinesh Mohan CTO S r. Advisor, Nortel I TU-T W orkshop NGN and its Transport Netw orks Kobe, 2 0 -2 1 April 2 0 0 6 NGN OAM Activities Update

777 views • 15 slides
Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP

Redirection Capabilities in SIP Redirection Capabilities in SIP draft-bharatia-sipping-redirect-00.txt Authors: J. Bharatia, S. Sen, R. Yuhanna, S. Orton, M. Watson Presenter: Mark Watson mwatson@nortelnetworks.com General Motivation SIP

478 views • 5 slides
Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and

Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication Jinyu Gu , Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, Haibo Chen Monolithic Kernel and Microkernel 2 Monolithic Kernel and

336 views • 23 slides
Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya

Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya

Derandomizing Isolation in Space-Bounded Settings Dieter van Melkebeek and Gautam Prakriya University of Wisconsin-Madison 6 July 2017 Isolation Isolation Computational Problem : instance x set of solutions for x . Eg.:

876 views • 42 slides
Reference Capabilities for Concurrency and Scalability An Experience Report Elias Castegren ,

Reference Capabilities for Concurrency and Scalability An Experience Report Elias Castegren ,

Reference Capabilities for Concurrency and Scalability An Experience Report Elias Castegren , Tobias Wrigstad OCAP, Vancouver October 24th 2017 sa Structured Aliasing What the CAP? Object capability An unforgeable reference to an

857 views • 51 slides
Financial Complexity Physical Capabilities Process Capabilities Other Issues

Financial Complexity Physical Capabilities Process Capabilities Other Issues

Financial Complexity Physical Capabilities Process Capabilities Other Issues Upfront Costs - Financing (PPAs, Tax Credits, ESCOs) Split Incentive Alternatives - Virtual Net Metering Where to start? Intelligent

640 views • 8 slides
Upgrading Transport Protocols using Untrusted Mobile Code Parveen Patel Andrew Whitaker Jay

Upgrading Transport Protocols using Untrusted Mobile Code Parveen Patel Andrew Whitaker Jay

Upgrading Transport Protocols using Untrusted Mobile Code Parveen Patel Andrew Whitaker Jay Lepreau David Wetherall ( Univ. of Washington ) Tim Stack ( Univ. of Utah ) Key Point Untrusted mobile code can allow anybody to build

365 views • 13 slides

More recommend