security for access to device apis
play

Security for access to device APIs Stewart Brodie ANT Galio Browser - PowerPoint PPT Presentation

Aug 19, 2023 •149 likes •233 views

Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT Software Ltd. WAFERs: Overview An application model for HTML + JavaScript content Requires no changes to an existing HTML document Only

  1. Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT Software Ltd.

  2. WAFERs: Overview » An application model for HTML + JavaScript content » Requires no changes to an existing HTML document » Only difference is how they are launched » Supports multiple simultaneous applications » Foreground and background applications » Independent browsing contexts » Main features: » Support for visible applications (UI applications) » Support for invisible applications (services) » Applications can overlap on screen (and do by default) » Enables consistent event delivery across multiple apps » Applications are notified when system state changes » Privileged access to extended APIs » Does not cover application signalling

  3. WAFERs in action

  4. Protecting privileged APIs » Privileged browsing contexts have additional properties and fewer restrictions: » e.g. XMLHttpRequest same-origin checks are bypassed » Windows may be resized without regard to the minimum dimensions » Access to a set of API objects (one per-context, like the Navigator, Screen objects) » Built-in C code can add to the set of API objects, knowing that: » only privileged browsing contexts can access these properties » this provides a level of security to separate applications & untrusted content » there is no need to perform any security checks when methods are invoked » Simple ... » Easy to audit the permissions » Easy to enforce the permissions » No impact on performance » OK when the service operator's system is closed » ... too simplistic when applications are sourced from different providers

  5. Drawbacks of current approach » All-or-nothing approach is inflexible » Hard to grant restricted set of permissions to an unprivileged application » Hard to grant restricted set of permissions to a privileged application, too! » One rogue application can hijack the system » Privileged applications can break the security model deliberately ... » e.g. Careful applications can store closures in the global objects of unprivileged contexts » ... but really should not. » Careless applications can store the API objects, granting full access to those APIs! » Need a way to grant permissions in a controlled way to unprivileged applications

  6. Key requirements for API security » Definition of permissions » Must be easy to write, easy to audit, easy to verify » Build on MHP/OCAP? » Tamper-protection – digital signatures (and who needs to sign and how much will it cost?) » Define the scope for a set of permissions » a browsing context? » Checking permissions » Must be fast to evaluate - no expensive computation on each method invocation » Define mechanism for handling security violations » Raise a DOM security exception? » Terminate the application? » Typically, prompting the user is not an option !

  7. Security for access to device APIs Stewart Brodie ANT Galio Browser Software Team Leader ANT Software Ltd.

Recommend

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs

Network impact of Web access to device APIs W3C Workshop on Security for Access to Device APIs from the Web December 10-11, 2008 Mat Ford http://www.isoc.org Background ISOC is focused on continued operation of the global Internet

512 views • 12 slides
A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from

A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from

A New Approach to Online Location Privacy W3C Workshop: Security for Access to Device APIs from the Web December 10, 2008 John Morris Center for Democracy & Technology 1 Need for New Approach Current failed model for privacy on the web

227 views • 7 slides
Security Assurance for Web Device APIs Maritza Johnson and Steven M. Bellovin

Security Assurance for Web Device APIs Maritza Johnson and Steven M. Bellovin

Security Assurance for Web Device APIs Maritza Johnson and Steven M. Bellovin http://www.cs.columbia.edu/~ { maritzaj,smb } Columbia University December 9, 2008 1 / 7 The Problem Web servers want access to very sensitive The Problem

260 views • 12 slides
Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION

$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION

$ CURRENT STATE FUTURE: STATE DIGITAL ENTERPRISE Access layer (APIs) SECURITY INTEGRATION PERF/SCALE STANDARDS HOW: DIGITAL TRANSFORMATION WEB SERVICES REST MICROSERVICES TASKS (PROCESSES) DECISIONS IF IF (RULES) BUSINESS ON

488 views • 30 slides
Overcoming access control in web APIs How to address security concerns using Sanic Adam Hopkins

Overcoming access control in web APIs How to address security concerns using Sanic Adam Hopkins

Overcoming access control in web APIs How to address security concerns using Sanic Adam Hopkins 1 / 39 class Adam: def __init__(self): self.work = PacketFabric("Sr. Software Engineer") self.oss = Sanic("Core Maintainer")

719 views • 50 slides
Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs:

Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs:

Minimizing Threats from Flawed Security APIs Analysis of Security APIs (ASA-2) June 26, 2008 Minimizing Threats from Flawed Security APIs: A Banking PIN Example Mohammad Mannan Carleton University Mohammad Mannan June 26, 2008 1/21

543 views • 21 slides
APIs and Mobile and Online Privacy Scene-setting, Regulations and Controversies W3C Device API

APIs and Mobile and Online Privacy Scene-setting, Regulations and Controversies W3C Device API

APIs and Mobile and Online Privacy Scene-setting, Regulations and Controversies W3C Device API Privacy Kasey Chappelle, Global Privacy Counsel July 2010 Vodafone C2 Vast rates of societal change, increasing all the time TECHNOLOGIC SOCIAL

213 views • 6 slides
IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

LECTURE IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE Program Runtime Attacks Wireless Security Side Channels CONNECTED DEVICES Thread Intelligence Secure Group Communication

1.04k views • 6 slides
www.unique-project.eu Exchange of security-critical data Computing Device Computing Device

www.unique-project.eu Exchange of security-critical data Computing Device Computing Device

www.unique-project.eu Exchange of security-critical data Computing Device Computing Device generates, stores and processes security-critical information 2 PUFs: Myth, Fact or Busted? CHES 2012 However: Cryptographic secrets can be leaked

443 views • 26 slides
access-list 103 remark VTY Telnet Access ACL access-list 103 permit tcp host <IP address>

access-list 103 remark VTY Telnet Access ACL access-list 103 permit tcp host <IP address>

Router Device Security Lab Configuring Secure Passwords 1. Configure the enable secret and password enable password TRUSTME enable secret letmein Look at the configuration: show config terminal Note the difference between the number 5 and

375 views • 5 slides
Use cases and Requirements of Device API and UI/UX W3C Web on TV Workshop Jinhong Yang,

Use cases and Requirements of Device API and UI/UX W3C Web on TV Workshop Jinhong Yang,

Use cases and Requirements of Device API and UI/UX W3C Web on TV Workshop Jinhong Yang, Sanghong An 2010.09 KAIST 1 Use cases of Device APIs for Web on TV Watching the television channels on the browser with channel changing Checking

339 views • 7 slides
CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois at Urbana-Champaign Presentation by: Gliz Seray Tuncay Administrative Announcements : Reaction paper was due today (and all classes)

807 views • 52 slides
Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov /

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov /

Whats wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs Mikhail Egorov / @0ang3el #DeepSec2019 # whoami Security researcher / full-time bug hunter https://bugcrowd.com/0ang3el https://hackerone.com/0ang3el

989 views • 67 slides
Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG

Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG

Web on TV with Canon Devices Canon, Inc. Jun Fujisawa Canon Imaging Device Company SVG Canon cares Image Quality Scalability is the Key to support Higher Resolution W3C SVG Working Group Member since 2000 Device APIs Canon

158 views • 5 slides
Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device Background* Mobile Device Background* Mobile Device Background* Mobile Device Background* Inexpensive, ubiquitous, wireless, networked,

478 views • 19 slides
Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New

Security Considerations for Mobile Apps and APIs John DiLeo, D.Sc. (@gr4ybeard) OWASP New Zealand - Auckland August 2019 Wellhow did I get here? Born and raised in northeastern US Straight to university from high school

700 views • 34 slides
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 7 Access Control Fundamentals Objectives Define Access Controls List the four Access Control Models Describe logical Access Control Methods Explain the

128 views • 8 slides
CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control.

Access control Access control determines access to files and processes in OS Old area of security, but not well understood CS 4803 Computer and Network Security Alexandra (Sasha) Boldyreva OS security. Access control. 1 2 System

889 views • 5 slides
About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique

About Loxal Security Ltd Specialist access control and vacant property security company Unique range of access control technology & temporary physical security products : - Keysafes Locking Bar Void security doors & screens

368 views • 21 slides
Android APIs 2.0, 2.1 & 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010

Android APIs 2.0, 2.1 & 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010

Android APIs 2.0, 2.1 & 2.2 Whats new? Markus Junginger droidcon Berlin 27. Mai 2010 Outline Bluetooth Quick Contacts Multitouch Live Wallpaper External Storage Cloud-to-device service Data backup JIT &

749 views • 34 slides
OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control

OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control

Access Control and OS Security CS 161: Computer Security Prof. Anthony D. Joseph January 29, 2014 Access Control Some resources (files, web pages, ) are sensitive. How do we limit who can access them? This is called the access

629 views • 27 slides
& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY

& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY

& PRESENT SECURITY ACCESS POINT SAFETY GATE TO PREVENT THE INFECTION SPREAD SECURITY ACCESS POINT SECURITY WAS BORN THANKS TO THE COOPERETION BETWEEN ETS AND BICARJET , TWO ITALIAN LEADERS IN THE AUTOMATION ACCESS INDUSTRY. POINT

151 views • 13 slides
Real-Time Rendering Graphics Programming Graphics Libraries (APIs) Give access to graphics

Real-Time Rendering Graphics Programming Graphics Libraries (APIs) Give access to graphics

Real-Time Rendering Graphics Programming Graphics Libraries (APIs) Give access to graphics hardware Declarative (What, not How) Describe the scene (e.g., scene graphs) SGI Open Inventor, SGI Performer, Renderman, OpenSceneGraph

401 views • 28 slides

More recommend