Martin Georgiev
ABSTRACT
Many modern desktop and mobile platforms, including Ubuntu, Google Chrome, Windows, and Firefox OS, support so called Web-based system applications that run outside the Web browser and enjoy direct access to native objects such as files, camera, and geolocation. We show that the access-control models of these platforms are (a) incompatible and (b) prone to unintended delegation of native-access rights: when applications request native access for their own code, they unintentionally enable it for untrusted third-party code, too. This enables malicious ads and other third-party content to steal users' OAuth authentication credentials, access camera on their devices, etc.
We then design, implement, and evaluate PowerGate, a new access-control mechanism for Web-based system applications. It solves two key problems plaguing all existing platforms: security and consistency. First, unlike the existing platforms, PowerGate correctly protects native objects from unauthorized access. Second, PowerGate provides uniform access-control semantics across all platforms and is 100% backward compatible. PowerGate enables application developers to write well-defined native-object access policies with explicit principals such as "application's own local code" and "third-party Web code," is easy to configure, and incurs negligible performance overhead.
- Abusing WebView JavaScript bridges. http://50.56.33.56/blog/?p=314.Google Scholar
- D. Akhawe, P. Saxena, and D. Song. Privilege separation in HTML5 applications. In USENIX Security, 2012. Google ScholarDigital Library
- AppArmor. http://developer.ubuntu.com/publish/apps/security-policy-for-click-packages/, 2014.Google Scholar
- A. Barth. The Web origin concept. http://tools.ietf.org/html/rfc6454.Google Scholar
- A. Barth, C. Jackson, and J. Mitchell. Securing frame communication in browsers. In USENIX Security, 2009. Google ScholarDigital Library
- E. Chin, A. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in Android. In MobiSys, 2011. Google ScholarDigital Library
- E. Chin and D. Wagner. Bifocals: Analyzing WebView vulnerabilities in Android applications. In WISA, 2013. Google ScholarDigital Library
- Chrome app samples. https://github.com/GoogleChrome/chrome-app-samples, 2014.Google Scholar
- Permissions in Chrome apps and extensions. https://developer.chrome.com/apps/declare_permissions, 2014.Google Scholar
- Cordova platform support. http://cordova.apache.org/docs/en/3.4.0/guide_support_index.md.html, 2014.Google Scholar
- L. Davi, A. Dmitrienko, A. Sadeghi, and M. Winandy. Privilege escalation attacks on Android. In ISC, 2010. Google ScholarDigital Library
- D. DeFreez, B. Shastry, H. Chen, and J. Seifert. A first look at Firefox OS security. In MoST, 2014.Google Scholar
- M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. Wallach. QUIRE: Lightweight provenance for smart phone operating systems. In USENIX Security, 2011. Google ScholarDigital Library
- A. Felt, H. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. In USENIX Security, 2011. Google ScholarDigital Library
- Firefox OS app permissions. https://developer.mozilla.org/en-US/Apps/Build/App_permissions, 2014.Google Scholar
- Firefox OS security model. https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_model, 2014.Google Scholar
- M. Finifter, J. Weinberger, and A. Barth. Preventing capability leaks in secure JavaScript subsets. In NDSS, 2010.Google Scholar
- B. Ford and R. Cox. Vx32: Lightweight user-level sandboxing on the x86. In USENIX ATC, 2008. Google ScholarDigital Library
- T. Garfinkel, B. Pfaff, and M. Rosenblum. Ostia: A delegating architecture for secure system call interposition. In NDSS, 2004.Google Scholar
- M. Georgiev, S. Jana, and V. Shmatikov. Breaking and fixing origin-based access control in hybrid Web/mobile application frameworks. In NDSS, 2014.Google ScholarCross Ref
- I. Goldberg, D. Wagner, R. Thomas, and E. Brewer. A secure environment for untrusted helper applications: Confining the wily hacker. In USENIX Security, 1996. Google ScholarDigital Library
- M. Grace, W. Zhou, X. Jiang, and A. Sadeghi. Unsafe exposure analysis of mobile in-app advertisements. In WiSec, 2012. Google ScholarDigital Library
- M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock Android smartphones. In NDSS, 2012.Google Scholar
- N. Hardy. The Confused Deputy: (or why capabilities might have been invented). ACM SIGOPS Operating Systems Review, 1988. Google ScholarDigital Library
- S. Jana, D. Porter, and V. Shmatikov. TxBox: Building secure, efficient sandboxes with system transactions. In S&P, 2011. Google ScholarDigital Library
- X. Jin, X. Hu, K. Ying, W. Du, Y. Heng, and G. Peri. Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation. In CCS, 2014. Google ScholarDigital Library
- X. Jin, T. Luo, D. Tsui, and W. Du. Code injection attacks on HTML5-based mobile apps. In MoST, 2014.Google ScholarDigital Library
- K. Lin, D. Chu, J. Mickens, L. Zhuang, F. Zhao, and J. Qiu. Gibraltar: Exposing hardware devices to Web pages using AJAX. In WebApps, 2012. Google ScholarDigital Library
- M. Louw, K. Ganesh, and V. Venkatakrishnan. AdJail: Practical enforcement of confidentiality and integrity policies on Web advertisements. In USENIX Security, 2010. Google ScholarDigital Library
- L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting Android apps for component hijacking vulnerabilities. In CCS, 2012. Google ScholarDigital Library
- T. Luo, H. Hao, W. Du, Y. Wang, and H. Yin. Attacks on WebView in the Android system. In ACSAC, 2011. Google ScholarDigital Library
- S. Maffeis and A. Taly. Language-based isolation of untrusted javascript. In CSF, 2009. Google ScholarDigital Library
- M. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized JavaScript. http://google-caja.googlecode.com, 2008.Google Scholar
- WebView addJavascriptInterface remote code execution. https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/.Google Scholar
- NSA. Security-enhanced linux. http://www.nsa.gov/research/selinux/.Google Scholar
- Ubuntu OnlineAccounts API. http://developer.ubuntu.com/api/html5/sdk-14.04/OnlineAccounts.OnlineAccounts/, 2014.Google Scholar
- J. Politz, S. Eliopoulos, A. Guha, and S. Krishnamurthi. ADsafety: Type-based verification of JavaScript sandboxing. In USENIX Security, 2011. Google ScholarDigital Library
- N. Provos. Improving host security with system call policies. In USENIX Security, 2003. Google ScholarDigital Library
- E. Shapira. Analyzing an Android WebView exploit. http://blogs.avg.com/mobile/analyzing-android-webview-exploit/.Google Scholar
- S. Shekhar, M. Dietz, and D. Wallach. AdSplit: Separating smartphone advertising from applications. USENIX Security, 2012. Google ScholarDigital Library
- K. Singh. Practical context-aware permission control for hybrid mobile applications. In RAID, 2013.Google ScholarDigital Library
- K. Singh, A. Moshchuk, H. Wang, and W. Lee. On the incoherencies in Web browser access control policies. In S&P, 2010. Google ScholarDigital Library
- S. Son and V. Shmatikov. The postman always rings twice: Attacking and defending post Message in HTML5 websites. In NDSS, 2013.Google Scholar
- R. Stevens, C. Gibler, J. Crussell, J. Erickson, and H. Chen. Investigating user privacy in Android ad libraries. In MoST, 2012.Google Scholar
- W. Sun, Z. Liang, V. Venkatakrishnan, and R. Sekar. One-way isolation: An effective approach for realizing safe execution environments. In NDSS, 2005.Google Scholar
- SUSE. AppArmor Linux application security. https://www.suse.com/support/security/apparmor/.Google Scholar
- System applications working group charter. http://www.w3.org/2012/09/sysapps-wg-charter, 2014.Google Scholar
- A. Taly, U. Erlingsson, J. Mitchell, M. Miller, and J. Nagra. Automated analysis of security-critical JavaScript APIs. In S&P, 2011. Google ScholarDigital Library
- Ubuntu Unity Web API. http://developer.ubuntu.com/api/devel/ubuntu-13.10/javascript/web-docs/, 2014.Google Scholar
- R. Wang, L. Xing, X. Wang, and S. Chen. Unauthorized origin crossing on mobile platforms: Threats and mitigation. In CCS, 2013. Google ScholarDigital Library
- App capability declarations (Windows Runtime apps). http://msdn.microsoft.com/en-us/library/windows/apps/hh464936.aspx, 2014.Google Scholar
- M. Zalewski. Browser security handbook. https://code.google.com/p/browsersec/wiki/Main.Google Scholar
Index Terms
- Rethinking Security of Web-Based System Applications
Recommendations
Fortifying web-based applications automatically
CCS '11: Proceedings of the 18th ACM conference on Computer and communications securityBrowser designers create security mechanisms to help web developers protect web applications, but web developers are usually slow to use these features in web-based applications (web apps). In this paper we introduce Zan, a browser-based system for ...
Security vulnerabilities and mitigation techniques of web applications
SIN '13: Proceedings of the 6th International Conference on Security of Information and NetworksWeb applications contain vulnerabilities, which may lead to serious security breaches such as stealing of confidential information. To protect against security breaches, it is necessary to understand the detailed steps of attacks and the pros and cons ...
Secure Integration of Web Content and Applications on Commodity Mobile Operating Systems
ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications SecurityA majority of today's mobile apps integrate web content of various kinds. Unfortunately, the interactions between app code and web content expose new attack vectors: a malicious app can subvert its embedded web content to steal user secrets; on the ...
Comments