The web has brought exciting new functionality while simultaneously requiring new mechanisms to make it secure. We've repeatedly discovered that these mechanisms are not good enough, as clever hackers and academics have figured out how to circumvent and misuse them to compromise security.
We now live in a world in which viewing an advertisement might compromise your bank account. In the following paper, "Securing Frame Communication in Browsers," researchers Adam Barth, Collin Jackson, and John Mitchell not only illustrate how subtle some of these security vulnerabilities can be, they show how to solve them in a principled way. This paper has had a real impact: their solutions have already been widely adopted.
Why is Web security difficult? It's because the Web browser is a place where programs and data from different sources interact. Each source may control resources whose security can be affected by the programs and data from other sources. In fact, there is a deep, underlying problem that has never been satisfactorily solved: how to securely permit fine-grained sharing and communication between programs from mutually distrusting sources. Conventionally, security was considered the job of the operating system. But the granularity of operating system enforcement is far too coarse for Web applications, whose security depends on the precise details of the interactions between application-level data structures such as frames, cookies, and interpreted application code.
Web security forces us to think anew about the problem of fine-grained sharing across trust domains because many exciting new applications and services require this sharing. Some of the techniques developed for operating system security, such as controlled communication between processes, can be adapted to the Web. But Web security poses new challenges as well. For example, Web security violations can occur within the context of a single Web page, which often comprises multiple frames controlled by code from different sources. These frames may be third-party advertisements or integrated content from multiple parties who do not trust each other; the many mashups based on Google Maps are examples of the latter. The absence of effective solutions to the problem of fine-grained interaction between trust domains coexisting on the very same Web page has left Web applications vulnerable.
Fortunately, researchers like Barth, Jackson, and Mitchell are applying principled methods to identify and eliminate these vulnerabilities. The vulnerabilities they address arise from the feature of frame navigation in Web browsers. Code running in one frame (that is, one trust domain) can control where another frame loads its content from. The authors use elegant reasoning to identify the most permissive secure policy for controlling frame navigation. This argument is so simple and convincing that the policy they identify has been adopted by most major browsers.
In itself, this would be a significant contribution, but the paper goes further. It identifies new vulnerabilities in two important mechanisms for communication between different frames; one of these mechanisms is in the HTML 5 standard. The paper gives a thoughtful and principled analysis of each communication mechanism and identifies a fix for each. These fixes have also been adopted by current browsers and communication libraries.
The paper is a great example of research that has impact precisely because it offers principled solutions. Too often, proposed computer security mechanisms merely raise the bar against attacks, starting the next phase of an arms race. This is a different kind of work: work that clearly identifies and convincingly solves a real security problem. The work described in this paper makes our lives more secure and helps the next generation of applications to be built securely. And their work also helps us understand how to think about the new security challenges that lie ahead.
©2009 ACM 0001-0782/09/0600 $10.00
The Digital Library is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.