Annual Computer Security Applications Conference 2011 Technical Track Papers

Full Program »

WebJail: Least-privilege Integration of Third-party Components in Web Mashups

In the last decade, the Internet landscape has transformed from a mostly static world into Web 2.0, where the use of web applications and mashups has become a daily routine for many Internet users.

Web mashups are web applications that combine data and functionality from several sources or components. Ideally, these components contain benign code from trusted sources. Unfortunately, the reality is very different. Web mashup components can misbehave and perform unwanted actions on behalf of the web mashup's user.

Current mashup integration techniques either impose no restrictions on the execution of a third party component, or simply rely on the Same-Origin Policy. A least-privilege approach, in which a mashup integrator can restrict the functionality available to each component, can not be implemented using the current integration techniques, without ownership over the component's code.

We propose WebJail, a novel client-side security architecture to enable least-privilege integration of components into a web mashup, based on high-level policies that restrict the available functionality in each individual component. The policy language was synthesized from a study and categorization of sensitive operations in the upcoming HTML 5 JavaScript APIs, and full mediation is achieved via the use of deep aspects in the browser.

We have implemented a prototype of WebJail in Mozilla Firefox 4.0, and applied it successfully to mainstream platforms such as iGoogle and Facebook. In addition, micro-benchmarks registered a negligible performance penalty for page load-time (7ms), and the execution overhead in case of sensitive operations (0.1ms).

Author(s):

Steven Van Acker    
IBBT-Distrinet, Katholieke Universiteit Leuven
Belgium

Philippe De Ryck    
IBBT-Distrinet, Katholieke Universiteit Leuven
Belgium

Lieven Desmet    
IBBT-Distrinet, Katholieke Universiteit Leuven
Belgium

Frank Piessens    
IBBT-Distrinet, Katholieke Universiteit Leuven
Belgium

Wouter Joosen    
IBBT-Distrinet, Katholieke Universiteit Leuven
Belgium

 

Powered by OpenConf®
Copyright©2002-2014 Zakon Group LLC