security assurance for web device apis
play

Security Assurance for Web Device APIs Maritza Johnson and Steven M. - PowerPoint PPT Presentation

Nov 04, 2022 •131 likes •260 views

Security Assurance for Web Device APIs Maritza Johnson and Steven M. Bellovin http://www.cs.columbia.edu/~ { maritzaj,smb } Columbia University December 9, 2008 1 / 7 The Problem Web servers want access to very sensitive The Problem

  1. Security Assurance for Web Device APIs Maritza Johnson and Steven M. Bellovin http://www.cs.columbia.edu/~ { maritzaj,smb } Columbia University December 9, 2008 1 / 7

  2. The Problem Web servers want access to very sensitive The Problem ■ Usability Principles devices Isolation Principles Device Categories High-Assurance There is a history of trouble in this space ■ Implementation Failures. . . We need a high-assurance guarantee that the ■ implementation is correct We need a high-assurance guarantee that the ■ user understands what is happening What are the design principles for any API ■ spec, given that we cannot rely on bug-free code or bug-free users? 2 / 7

  3. Usability Principles 1. The Problem The user must explicitly authorize any and all Usability Principles Isolation Principles accesses to devices Device Categories High-Assurance Implementation Failures. . . 3 / 7

  4. Usability Principles 1. The Problem The user must explicitly authorize any and all Usability Principles Isolation Principles accesses to devices Device Categories High-Assurance Permission request cannot be generated Implementation Failures. . . implicitly; users ignore warnings and click through pop-up boxes 3 / 7

  5. Usability Principles 1. The Problem The user must explicitly authorize any and all Usability Principles Isolation Principles accesses to devices Device Categories High-Assurance Permission request cannot be generated Implementation Failures. . . implicitly; users ignore warnings and click through pop-up boxes 2. The user must understand the consequences of any change 3 / 7

  6. Usability Principles 1. The Problem The user must explicitly authorize any and all Usability Principles Isolation Principles accesses to devices Device Categories High-Assurance Permission request cannot be generated Implementation Failures. . . implicitly; users ignore warnings and click through pop-up boxes 2. The user must understand the consequences of any change Stream receive must be at same host as permission request; requests cannot come from IFRAMEs unless the URLs match 3 / 7

  7. Usability Principles 1. The Problem The user must explicitly authorize any and all Usability Principles Isolation Principles accesses to devices Device Categories High-Assurance Permission request cannot be generated Implementation Failures. . . implicitly; users ignore warnings and click through pop-up boxes 2. The user must understand the consequences of any change Stream receive must be at same host as permission request; requests cannot come from IFRAMEs unless the URLs match 3. The state of the system must be visible at all times 3 / 7

  8. Usability Principles 1. The Problem The user must explicitly authorize any and all Usability Principles Isolation Principles accesses to devices Device Categories High-Assurance Permission request cannot be generated Implementation Failures. . . implicitly; users ignore warnings and click through pop-up boxes 2. The user must understand the consequences of any change Stream receive must be at same host as permission request; requests cannot come from IFRAMEs unless the URLs match 3. The state of the system must be visible at all times User must see what access is authorized 3 / 7

  9. Isolation Principles The Problem Must give implementors (and users) confidence ■ Usability Principles Isolation Principles that the system will behave properly Device Categories High-Assurance Secure across software upgrades ■ Implementation Failures. . . Secure against new, unforeseen devices ■ System must “fail secure” ■ 4 / 7

  10. Device Categories Devise categories: physical world , The Problem ■ Usability Principles privacy , etc. Isolation Principles Device Categories High-Assurance Assign each device to a category ■ Implementation Failures. . . New devices must be in a category to be used; ■ forces a decision Grant or withhold permission based on at least ■ category; simplifies user decision process 5 / 7

  11. High-Assurance Implementation The Problem (Unix-style solution; Windows is similar) ■ Usability Principles Isolation Principles Create a group for each category; assign ■ Device Categories High-Assurance devices to the proper group with permission Implementation Failures. . . 060 (group read/write; no others) To enable a � category,device � , create a setgid ■ program executable by only that user but setgid to the category’s group No page interpretation failure can access an ■ unauthorized device (though erroneous web pages can) 6 / 7

  12. Failures. . . The Problem Usability Principles Isolation Principles Device Categories High-Assurance Implementation Failures. . . 7 / 7

Recommend

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs from the Web December 10-11, 2008 Mat Ford http://www.isoc.org Background ISOC is focused on continued operation of the global Internet

512 views • 12 slides
ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure

Empowering Security Teams ykpang@beyondsecurity.com Fuzz Testing for Embedded Device Security Assurance (EDSA) ISASecure EDSA Certification Communication/Network Robustness Testing (CRT) CRT examines the capability of the device to

859 views • 33 slides
A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from

A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from

A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from the Web December 10, 2008 John Morris Center for Democracy & Technology 1 Need for New Approach Current failed model for privacy on the web

227 views • 7 slides
Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT Software Ltd. WAFERs: Overview An application model for HTML + JavaScript content Requires no changes to an existing HTML document Only

233 views • 7 slides
Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs:

Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs:

Minimizing Threats from Flawed Security APIs Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs: A Banking PIN Example Mohammad Mannan Carleton University Mohammad Mannan June 26, 2008 1/21

543 views • 21 slides
ASSURANCE AND ACCOUNTABILITY ASSURANCE AND ACCOUNTABILITY GENERAL INFO / ANNOUNCEMENTS

ASSURANCE AND ACCOUNTABILITY ASSURANCE AND ACCOUNTABILITY GENERAL INFO / ANNOUNCEMENTS

ADVANCED COMPUTER SECURITY ASSURANCE AND ACCOUNTABILITY ASSURANCE AND ACCOUNTABILITY GENERAL INFO / ANNOUNCEMENTS Reminder : read and post response to Enforceable Security Policies by tomorrow afternoon. Please send me your talk

524 views • 41 slides
Information Assurance Information Assurance for Defense Security for Defense Security Prof.

Information Assurance Information Assurance for Defense Security for Defense Security Prof.

Information Assurance Information Assurance for Defense Security for Defense Security Prof. Paul A. Strassmann George Mason University, March 27, 2007 1 Prof. Strassmann, GMU March 27, 2007 Lecture, REPRODUCED BY PERMISSION ONLY Elements of

662 views • 49 slides
APIs and Mobile and Online Privacy Scene-setting, Regulations and Controversies W3C Device API

APIs and Mobile and Online Privacy Scene-setting, Regulations and Controversies W3C Device API

APIs and Mobile and Online Privacy Scene-setting, Regulations and Controversies W3C Device API Privacy Kasey Chappelle, Global Privacy Counsel July 2010 Vodafone C2 Vast rates of societal change, increasing all the time TECHNOLOGIC SOCIAL

213 views • 6 slides
Introduction to Assurance Chapter 19 Computer Security: Art and Science , 2 nd Edition Version

Introduction to Assurance Chapter 19 Computer Security: Art and Science , 2 nd Edition Version

Introduction to Assurance Chapter 19 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 19-1 Overview Trust Problems from lack of assurance Types of assurance Life cycle and assurance Waterfall life cycle

825 views • 27 slides
Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of

Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of

Census Data Quality Assurance 17 May 2010 Types of Quality Assurance (QA) Quality assurance of captured and coded data Quality assurance of downstream processes (including data security and integrity) Quality assurance of population counts,

129 views • 12 slides
Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

LECTURE IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE Program Runtime Attacks Wireless Security Side Channels CONNECTED DEVICES Thread Intelligence Secure Group Communication

1.04k views • 6 slides
Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for

Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for

Software Assurance Session 13 INFM 603 Bugs, process, assurance Software assurance: quality assurance for software Particularly assurance of security Bad (buggy, insecure software) comes not from discrete, unpredictable,

561 views • 18 slides
www.unique-project.eu Exchange of security-critical data Computing Device Computing Device

www.unique-project.eu Exchange of security-critical data Computing Device Computing Device

www.unique-project.eu Exchange of security-critical data Computing Device Computing Device generates, stores and processes security-critical information 2 PUFs: Myth, Fact or Busted? CHES 2012 However: Cryptographic secrets can be leaked

443 views • 26 slides
Outline OS trust and assurance CSci 5271 Introduction to Computer Security Announcements

Outline OS trust and assurance CSci 5271 Introduction to Computer Security Announcements

Outline OS trust and assurance CSci 5271 Introduction to Computer Security Announcements intermission Day 11: OS security: higher assurance Stephen McCamant Unix access control University of Minnesota, Computer Science & Engineering

401 views • 6 slides
information security and cybercrime; To grant awards, scholarships or sponsorships to people

information security and cybercrime; To grant awards, scholarships or sponsorships to people

RAISA Romanian Association for Information Security Assurance is a profes - sional, non-governmental, non-partisan political, nonprofit and public benefit association. PURPOSE The aim of Romanian Association for Information Security Assurance

84 views • 6 slides
Use cases and Requirements of Device API and UI/UX W3C Web on TV Workshop Jinhong Yang,

Use cases and Requirements of Device API and UI/UX W3C Web on TV Workshop Jinhong Yang,

Use cases and Requirements of Device API and UI/UX W3C Web on TV Workshop Jinhong Yang, Sanghong An 2010.09 KAIST 1 Use cases of Device APIs for Web on TV Watching the television channels on the browser with channel changing Checking

339 views • 7 slides
CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois at Urbana-Champaign Presentation by: Gliz Seray Tuncay Administrative Announcements : Reaction paper was due today (and all classes)

807 views • 52 slides
Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov /

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov /

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov / @0ang3el #DeepSec2019 # whoami Security researcher / full-time bug hunter https://bugcrowd.com/0ang3el https://hackerone.com/0ang3el

989 views • 67 slides
Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG

Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG

Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG Canon cares Image Quality Scalability is the Key to support Higher Resolution W3C SVG Working Group Member since 2000 Device APIs Canon

158 views • 5 slides
The Bureau of Diplomatic Security Diplomatic Security Training Center(DSTC) Information Assurance

The Bureau of Diplomatic Security Diplomatic Security Training Center(DSTC) Information Assurance

U.S. DEPARTMENT OF STATE The Bureau of Diplomatic Security Diplomatic Security Training Center(DSTC) Information Assurance (IA) and Cybersecurity Training Program UNCLASSIFIED CyberSec_Training@state.gov Information Assurance Training

142 views • 11 slides
Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device Background* Mobile Device Background* Mobile Device Background* Mobile Device Background* Inexpensive, ubiquitous, wireless, networked,

478 views • 19 slides
Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National

Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National

Xen Security Modules (XSM) George Coker National Information Assurance Research Lab National Security Agency (NSA) gscoker@alpha.ncsc.mil National Information Assurance Research Lab 1 UNCLASSIFIED What is XSM? A generalized

342 views • 33 slides
Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New Zealand - Auckland August 2019 Wellhow did I get here? Born and raised in northeastern US Straight to university from high school

700 views • 34 slides

More recommend