research-article

SMash: secure component model for cross-domain mashups on unmodified browsers

Authors:

Frederik De Keukelaere,

Michael Steiner,

Sachiko YoshihamaAuthors Info & Claims

WWW '08: Proceedings of the 17th international conference on World Wide Web

Pages 535 - 544

https://doi.org/10.1145/1367497.1367570

Published: 21 April 2008 Publication History

Abstract

Mashup applications mix and merge content (data and code) from multiple content providers in a user's browser, to provide high-value web applications that can rival the user experience provided by desktop applications. Current browser security models were not designed to support such applications and they are therefore implemented with insecure workarounds. In this paper, we present a secure component model, where components are provided by different trust domains, and can interact using a communication abstraction that allows ease of specification of a security policy. We have developed an implementation of this model that works currently in all major browsers, and addresses challenges of communication integrity and frame-phishing. An evaluation of the performance of our implementation shows that this approach is not just feasible but also practical.

References

[1]

OpenAjax Alliance Open Source Project. http://openajaxallianc.sourceforge.net.

[2]

A. Barth and C. Jackson. Protecting browsers from frame hijacking attacks. http://crypto.stanford.edu/frames/.

[3]

M. Y. Becker, C. Fournet, and A. D. Gordon. SecPAL: Design and semantics of a decentralized authorization language. Technical Report MSR-TR-2006-120, Microsoft Research, Sept. 2006.

[4]

J. Burke. Cross domain frame communication with fragment identifiers. http://tagneto.blogspot.com/2006/06/cross-domain-frame-communication-with.html, June 2006.

[5]

D. Crockford. The (module) tag. http://www.json.org/module.html, Oct. 2006.

[6]

R. Dhamija, J. Tygar, and M. Hearst. Why phishing works. In Conference on Human Factors in Computing Systems (CHI 2006), 2006.

Digital Library

[7]

Dojo Foundation. Dojo javascript toolkit. http://www.dojotoolkit.org/.

[8]

Google. Gadget-to-gadget communication. http://www.google.com/apis/gadgets/pubsub.html.

[9]

Google. Google account authentication (AuthSub). http://code.google.com/apis/accounts/AuthForWebApps.html.

[10]

I. Hickson (Editor). HTML 5. Technical report, Web Hypertext Application Technology Working Group HTML 5, 2007. Working Draft, http://www.whatwg.org/specs/web-apps/current-work.

[11]

J. Howell, C. Jackson, H. J. Wang, and X. Fan. MashupOS: Operating system abstractions for client mashups. In Proceedings of HotOS XI: The 11th Workshop on Hot Topics in Operating Systems. USENIX, May 2007.

Digital Library

[12]

C. Jackson and H. Wang. Subspace: Secure cross-domain communication for web mashups. In 16th International Conference on the World-Wide Web, 2007.

Digital Library

[13]

G. Lee. Personal communication on XDDE. http://www.openspot.com, 2007.

[14]

B. McLaughlin. Mastering Ajax. IBM developerWorks, 2005 - 2007. http://www-128.ibm.com/developerworks/views/web/libraryview.jsp?search_by=Mastering+Ajax+Part.

[15]

Microsoft. Windows cardspace. http://cardspace.netfx3.com, http://www.identityblog.com.

[16]

M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja - safe active content in sanitized Javascript. http://google-caja.googlecode.com/files/caja-spec-2007-10-11.pdf, Oct. 2007.

[17]

Mozilla.org. The same origin policy. http://www.mozilla.org/projects/security/components/same-origin.html.

[18]

D. Parnas. On the criteria to be used in decomposing systems into modules. Communications of the ACM, 15(12):1053--1058, Dec. 1972.

Digital Library

[19]

D. Raggett, H. Le Arnaud, and I. Jacobs (Editors). HyperText Markup Language (HTML). W3C Recommendation 4.01, W3C, Dec, Dec. 1999.

[20]

C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In Proceedings of the Sixth Symposium on Operating Systems Design and Implementation, Nov. 2006.

Digital Library

[21]

A. Russel, D. Davis, G. Wilkins, and M. Nesbitt. Bayeux protocol. Technical Report 1.0draft0, Dojo Foundation, 2007.

[22]

J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, Sept. 1975.

[23]

K. Spett. Cross-site scripting - are your web applications vulnerable? Technical report, SPI Dynamics, 2005. http://www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf.

[24]

Teknikill, Shadowcat Systems, and SitePen, Inc. Cometd. http://www.cometd.com/.

[25]

K. Vikram and M. Steiner. Mashup component isolation via server-side analysis and instrumentation. In Web 2.0 Security & Privacy Workshop. IEEE Computer Society, Technical Committee on Security and Privacy, 2007.

[26]

World Wide Web Consortium. Document Object Model. http://www.w3.org/DOM/.

[27]

Yahoo! Browser-based authentication (BBAuth). http://developer.yahoo.com/auth/.

[28]

K.-P. Yee and K. Sitaker. Passpet: Convenient password management and phishing protection. In Symposium On Usable Privacy and Security, 2006.

Digital Library

[29]

D. Yu, A. Chander, N. Islam, and I. Serikov. JavaScript instrumentation for browser security. In 34st ACM Symposium on Principles of Programming Languages (POPL), pages 237--249, 2007.

Digital Library

[30]

K. Zyp. CrossSafe. http://code.google.com/p/crosssafe/.

Cited By

Heim SBaur LWittges HKrcmar H(2023)Teaching Business Skills in the Cloud: A Process Model for Cloud-Based Enterprise Software Integration in Higher Education2023 IEEE Global Engineering Education Conference (EDUCON)10.1109/EDUCON54358.2023.10125159(1-9)Online publication date: 1-May-2023
https://doi.org/10.1109/EDUCON54358.2023.10125159
Sprecher SKerschbaumer CKirda E(2022)SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP53844.2022.00021(206-222)Online publication date: Jun-2022
https://doi.org/10.1109/EuroSP53844.2022.00021
Zhang MMeng WSpinellis DGousios GChechik MDi Penta M(2021)JSISOLATE: lightweight in-browser JavaScript isolationProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468577(193-204)Online publication date: 20-Aug-2021
https://dl.acm.org/doi/10.1145/3468264.3468577
Show More Cited By

Index Terms

SMash: secure component model for cross-domain mashups on unmodified browsers
1. Security and privacy
  1. Software and application security
    1. Software security engineering
2. Software and its engineering
  1. Software notations and tools
    1. Context specific languages
      1. Domain specific languages
  2. Software organization and properties
    1. Software functional properties
      1. Correctness
        Access protection
    2. Software system structures
      1. Software architectures

Recommendations

OMash: enabling secure web mashups via object abstractions
CCS '08: Proceedings of the 15th ACM conference on Computer and communications security

The current security model used by web browsers, the Same Origin Policy (SOP), does not support secure cross-domain communication desired by web mashup developers. The developers have to choose between no trust, where no communication is allowed, and ...
W3C user agent accessibility guidelines 1.0 for graphical Web browsers

Web browsers and multimedia players play a critical role in making Web content accessible to people with disabilities. Access to Web content requires that Web browsers provide users with final control over the styling of rendered content, the type of ...
Getting Started with IBM WebSphere sMash

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

WWW '08: Proceedings of the 17th international conference on World Wide Web

April 2008

1326 pages

ISBN:9781605580852

DOI:10.1145/1367497

General Chairs:
Jinpeng Huai
Beihang University, China
,
Robin Chen
AT&T Labs, USA
,
Hsiao-Wuen Hon
Microsoft Research Asia, China
,
Yunhao Liu
HK University of Science and Technology, Hong Kong
,
Program Chairs:
Wei-Ying Ma
Microsoft Research Asia, China
,
Andrew Tomkins
Yahoo! Research, USA
,
Xiaodong Zhang
The Ohio State University, USA

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

ACM: Association for Computing Machinery

In-Cooperation

SIGWEB: ACM Special Interest Group on Hypertext, Hypermedia, and Web

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 April 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

WWW '08

Sponsor:

ACM

WWW '08: The 17th International World Wide Web Conference

April 21 - 25, 2008

Beijing, China

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

46
Total Citations
View Citations
836
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)0

Reflects downloads up to 27 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

Heim SBaur LWittges HKrcmar H(2023)Teaching Business Skills in the Cloud: A Process Model for Cloud-Based Enterprise Software Integration in Higher Education2023 IEEE Global Engineering Education Conference (EDUCON)10.1109/EDUCON54358.2023.10125159(1-9)Online publication date: 1-May-2023
https://doi.org/10.1109/EDUCON54358.2023.10125159
Sprecher SKerschbaumer CKirda E(2022)SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP53844.2022.00021(206-222)Online publication date: Jun-2022
https://doi.org/10.1109/EuroSP53844.2022.00021
Zhang MMeng WSpinellis DGousios GChechik MDi Penta M(2021)JSISOLATE: lightweight in-browser JavaScript isolationProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468577(193-204)Online publication date: 20-Aug-2021
https://dl.acm.org/doi/10.1145/3468264.3468577
Van Acker SHausknecht DJoosen WSabelfeld APark JSquicciarini A(2015)Password Meters and Generators on the WebProceedings of the 5th ACM Conference on Data and Application Security and Privacy10.1145/2699026.2699118(253-262)Online publication date: 2-Mar-2015
https://dl.acm.org/doi/10.1145/2699026.2699118
Herrero Agustin J(2015)Model-driven web applications2015 Science and Information Conference (SAI)10.1109/SAI.2015.7237258(954-964)Online publication date: Jul-2015
https://doi.org/10.1109/SAI.2015.7237258
Borle SPotgantwar A(2015)QFL for the Web Data Extraction from Multiple Data SourcesProceedings of the 2015 International Conference on Computing Communication Control and Automation10.1109/ICCUBEA.2015.90(432-436)Online publication date: 26-Feb-2015
https://dl.acm.org/doi/10.1109/ICCUBEA.2015.90
Colin JTien H(2015)Securing a Loosely-Coupled Web-Based eLearning Ecosystem Combining Open StandardsWeb Information Systems and Technologies10.1007/978-3-319-27030-2_4(48-62)Online publication date: 16-Dec-2015
https://doi.org/10.1007/978-3-319-27030-2_4
Yan DTian YYang F(2015)Privacy-preserving authorization method for mashupsSecurity and Communication Networks10.1002/sec.13228:18(4421-4435)Online publication date: 1-Dec-2015
https://dl.acm.org/doi/10.1002/sec.1322
Mickens J(2014)PivotProceedings of the 2014 IEEE Symposium on Security and Privacy10.1109/SP.2014.24(261-275)Online publication date: 18-May-2014
https://dl.acm.org/doi/10.1109/SP.2014.24
Al-Haj Hassan ORamaswamy LHamad FAbu Taleb A(2014)Cooperative distributed architecture for mashupsEnterprise Information Systems10.1080/17517575.2013.8390548:3(406-444)Online publication date: 1-May-2014
https://dl.acm.org/doi/10.1080/17517575.2013.839054
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents